1 / 19

Federated Identity Management for Research Collaborations

Federated Identity Management for Research Collaborations. David Kelsey (STFC-RAL) REFEDS, Reykjavik 20 May 2012. Overview. Background – all since TNC2011 Research Communities FIM Workshops Vision and Recommendations Discussion how can we best work together?

nico
Télécharger la présentation

Federated Identity Management for Research Collaborations

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Federated Identity Management for Research Collaborations David Kelsey (STFC-RAL) REFEDS, Reykjavik20 May 2012

  2. Overview • Background – all since TNC2011 • Research Communities FIM Workshops • Vision and Recommendations • Discussion • how can we best work together? On behalf of all my colleagues • See Bob Jones’ talk TNC2012 (Tuesday at 11:00) • https://tnc2012.terena.org/core/presentation/23 Federated IdM, Kelsey

  3. Background • Issue of IdM raised by IT leaders from EIROforum labs during their IT working group meeting in January 2011 at ESA • CERN, EFDA-JET, EMBL, ESA, ESO, ESRF, EuropeanXFEL and ILL • These laboratories, as well as national and regional research organizations, are facing similar challenges • Scientific data deluge means massive quantities of data • needs to be accessed by expanding user bases in dynamic collaborations across organisational and national boundaries • “Facebook” generation demands all the tools (work & social) integrate smoothly • Also encouraged by EEF and eIRG • Global problem, not just EU • “Science” changed to “Research” to include Humanities Federated IdM, Kelsey

  4. Federated IdM in “Research” • A collaborative effort started in June 2011 • Not just EIROForum. Include many ESFRI projects and providers and infrastructures • Be inclusive • Involves photon & neutron facilities, social science & humanities, high energy physics, climate science, life sciences and fusion energy • Workshops included HTC and HPC infrastructures, TERENA, IGTF and middleware developers • 3 workshops to date (next one in June 2012) • link to Feb 2012 agenda below (others links contained within) https://indico.cern.ch/conferenceDisplay.py?confId=177418 Federated IdM, Kelsey

  5. Workshops (2) • Documented common requirements, a common vision and recommendations • To research communities, identity federations, funding bodies • My own view: An important use case for international federation! • Paper: CERN-OPEN-2012-006: https://cdsweb.cern.ch/record/1442597 Federated IdM, Kelsey

  6. The communities Federated IdM, Kelsey

  7. Common Requirements • User friendliness • Many users use infrequently • Browser and non-browser federated access • Bridging between communities • Multiple technologies and translators • Translation will often need to be dynamic • Open standards and sustainable licenses • For interoperability and sustainability • Different Levels of Assurance • When credentials are translated, LoA provenance to be preserved • Authorisation under community and/or facility control • Externally managed IdPs cannot fulfil this role • Well defined semantically harmonised attributes • For interoperable authorisation • Likely to be very difficult to achieve! Federated IdM, Kelsey

  8. Requirements (2) • Flexible and scalable IdP attribute release policy • Different communities and different SPs need different attributes • Negotiate with IdF not all IdPs – for scaling • Attributes must be able to cross national borders • Data protection considerations • Attribute aggregation for authorisation • Privacy and data protection to be addressed with community-wide individual identities • We need to identify individuals • E.g. ethical committees can require names, addresses, supervisors to grant access Federated IdM, Kelsey

  9. Operational Requirements • Risk analysis • Traceability • Audit trails include IdPs • Security incident response • To include all IdPs and SPs • Transparency of policies • To gain trust of SPs and users • Reliability and resilience • Smooth transition (from today’s production) • Easy integration with local SP • SP likely to want to support multiple AuthN technologies Federated IdM, Kelsey

  10. Common vision statement Acommon policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources Federated IdM, Kelsey

  11. Recommendations • To Research Communities • Must perform a risk analysis of using federated IdM • Together with technology providers, IdPs and SPs • Perform pilot studies • In collaboration with FIM providers Federated IdM, Kelsey

  12. Recommendations (2) • To technology providers • This includes REFEDS and national federations • Separation of AuthN and AuthZ • As IdP is now separate • Revocation of Credentials • If long-lived • Attribute delegation to the research community • Levels of Assurance • One size does not fit all! • Biomedical has wide range of security requirements Federated IdM, Kelsey

  13. Recommendations (3) • To funding bodies • An agreed funding model • An agreed governance structure Federated IdM, Kelsey

  14. Some difficulties experienced • Humanities – CLARIN • Keen to use national IdM federations (IdFs) • Sparse distribution of users over many institutes • Difficult to influence IdP configuration • CLARIN SPF – currently 10 SPs • Signed contracts with 3 IdFs (SURF, DFN, HAKA) • Require ePPN or ePTID • Recommended attributes contains • cn, mail and o or SchacHomeOrganization • Many IdPs do not release attributes even if the IdF requires them to Federated IdM, Kelsey

  15. Problems (2) • Some IdFs require IdPs to give permission for attributes to be passed on to SPs • This “opt-in” policy does not scale • There are not IdFs everywhere • Therefore need an IdP for the homeless • Life Sciences – ELIXIR • Millions of users • SPs have expressed doubts because not all countries are engaged in IdF • Technical deployment is seen as challenging and they need support • Working with Haka, Kalmar Union and eduGAIN Federated IdM, Kelsey

  16. Some pilot projects • Photon/neutron facilities • “Umbrella” project (PaNdata and CRISP) • Moving to single federated IdP (from ~24 facilities) • Mixture of central IdP and local attributes • But not using national IdFs Federated IdM, Kelsey

  17. Pilot projects (2) Life Sciences (Biomedinfra.fi, EMBL-EBI, ELIXIR, EGI.euetc) • Pilot 1 (authentication) to provide an option for European Genome-phenome Archive (EGA) users to use federated identity and SAML 2.0 technology when using EGA services • Pilot 2 (authorization) to create an electronic workflow that allows researchers to apply access to NCoEDGNordicDB dataset distributed by the EGA through its affiliated Data Access Committee (DAC). • Nordic Centre of Excellence in Disease Genetics Federated IdM, Kelsey

  18. How can we work together? Some personal ideas (for discussion) Policy matters • Scalable general negotiation SPs with IdFs • Mechanisms for (scalable) negotiation of required attribute release • Risks, traceability and security incident response Technical issues • Aggregation of attributes • IdP and community AA • Levels of Assurance • Pilot projects Federated IdM, Kelsey

  19. Questions? Federated IdM, Kelsey

More Related