1 / 17

Federated Identity Management for HEP

Federated Identity Management for HEP. David Kelsey HEPiX , Prague 26 Apr 2012. Overview. Introduction to Federated Identity Management ( IdM ) Research Communities Workshops WLCG Security TEG Next steps. Introduction to IdM. Remove identity management from the service

caitir
Download Presentation

Federated Identity Management for HEP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Federated Identity Management for HEP David Kelsey HEPiX, Prague26 Apr 2012

  2. Overview • Introduction to Federated Identity Management (IdM) • Research Communities Workshops • WLCG Security TEG • Next steps HEPiX IdM, Kelsey

  3. Introduction to IdM • Remove identity management from the service • Identity managed in one place, typically by employer • Benefits (and drawbacks!) of single sign-on • Identity Provider (IdP) manages and provides attributes about Users • For AuthN and to some extent AuthZ • Service Provider (SP) consumes attributes for access control and offers services to users • Federation:a common trust and policy framework between multiple organisations, IdPs and SPs • Federations also manage and distribute information (metadata) about the various providers HEPiX IdM, Kelsey

  4. SP IdP User Many different permutations depending on the technology HEPiX IdM, Kelsey

  5. SP IdP User AA Then add a community operated attribute authority (for AuthZ), e.g. VOMS HEPiX IdM, Kelsey

  6. Some example federations • Grid X.509 certificates in WLCG and elsewhere • International Grid Trust Federation • European higher education (Shib, SAML etc) • UK Access Management Federation, SWITCHaai, SURFfederatie • And many others • USA education and research: InCommon • TERENA Cert Service connects national identity federation to a CA for personal certs (and similar CIlogon in USA) • eduGAIN is linking national federations • Social networking (OpenID, Oauth) HEPiX IdM, Kelsey

  7. Federated IdM in “Research” • A collaborative effort started in June 2011 • Involves photon & neutron facilities, social science & humanities, high energy physics, climate science and life sciences (fusion energy later?) • 3 workshops to date (next one in June 2012) • https://indico.cern.ch/conferenceDisplay.py?confId=177418 • Documented common requirements, a common vision and recommendations • To research communities, identity federations, funding bodies • An important use case for international federation • CERN-OPEN-2012-006: https://cdsweb.cern.ch/record/1442597 HEPiX IdM, Kelsey

  8. Common Requirements • User friendliness • Browser and non-browser federated access • Bridging between communities • Multiple technologies and translators • Open standards and sustainable licenses • Different Levels of Assurance • Authorisation under community and/or facility control • Well defined semantically harmonisedattributes • Flexible and scalable IdPattribute release policy • Attributes must be able to cross national borders • Attribute aggregation for authorisation • Privacy and data protection to be addressed with community-wide individual identities HEPiX IdM, Kelsey

  9. Operational Requirements • Risk analysis • Traceability • Security incident response • Transparency of policies • Reliability and resilience • Smooth transition • Easy integration with local SP HEPiX IdM, Kelsey

  10. Common vision statement Acommon policy and trust framework for Identity Management based on existing structures and federations either presently in use by or available to the communities. This framework must provide researchers with unique electronic identities authenticated in multiple administrative domains and across national boundaries that can be used together with community defined attributes to authorize access to digital resources HEPiX IdM, Kelsey

  11. Recommendations • To Research Communities • Must perform a risk analysis of using federated IdM • Together with technology providers, IdPs and SPs • Perform pilot studies • In collaboration with FIM providers HEPiX IdM, Kelsey

  12. Recommendations (2) • To technology providers • This includes REFEDS and national federations • Separation of AuthN and AuthZ • Revocation of Credentials • Attribute delegation to the research community • Levels of Assurance HEPiX IdM, Kelsey

  13. Recommendations (3) • To funding bodies • An agreed funding model • An agreed governance structure HEPiX IdM, Kelsey

  14. Federated IdM in HEP • X.509 certificates for Grid services • Using TERENA Cert Service in many places • But many other services (not just Grid!) • E.g. collaboration tools, wikis, mail lists, webs, agenda pages, etc. • Today CERN has to manage 10s of thousands of user accounts, many are “external” • eduroam is one possible federated solution (for wireless) • What about other services/federations? • Using Shibboleth, SAML, OpenID, etc • Technology appropriate to required level of assurance HEPiX IdM, Kelsey

  15. WLCG Federated Identity • Security TEG just started on this task • Very much linked to the collaborative work • Trust is essential! • not just technology • How to involve IGTF? • We need to agree a good HEP pilot project to get some experience HEPiX IdM, Kelsey

  16. Next steps • WLCG Security TEG • Need to agree to the vision and recommendations in the draft paper • Need to identify a good pilot project for WLCG/HEP/CERN • On the agenda for WLCG GDB in May • WLCG MB “endorsement” required • Before the June workshop HEPiX IdM, Kelsey

  17. Questions? HEPiX IdM, Kelsey

More Related