Requirements: Authentication and authorization technologies

The stakeholders involved in the survey are in some cases already using AAI technologies, and may therefore have requirements on this topic: the type of IdPs to support, the standards to be considered in the AARC architecture, and the need for delegation technologies or for non-web access to services.

BioVeL

The BioVeL community will move towards using institutional credentials, possibly federated through eduGAIN, to access the community's own services and possibly also the multi-disciplinary e-infrastructures. In other words: institutional Shibboleth/SAML federated login, plus a solution for homeless users (users without an institutional IdP).

Support for delegation is a complex matter that is under investigation in BioVeL. Chains of delegation are needed, both for authentication information and for authorization information, and ultimately for accounting purposes.

DARIAH

DARIAH user authentication relies on the institutional IdPs of its users, which belong to national federations interconnected through eduGAIN, and on a catch-all community IdP hosting the homeless users, who are a substantial fraction of the community's user base.

DARIAH is interested in SAML2 and in OpenID/OAuth2 technologies, plus X.509 credentials for legacy reasons.

It is important for the community that the authentication technologies are as user-friendly as possible. Support for delegation and for non-web access, on top of the normal web-accessible services, is also important for the community.

PSNC

Users of the PSNC services need to use their institutional IdPs to access the services; depending on the service offered, a catch-all community IdP or social media identities can also be relevant. User-friendly technologies for accessing both web-based and non-browser-based services are important.

Photon and Neutron

The photon and neutron community uses the Umbrella infrastructure for authentication and authorization. The relevant technologies for the community are SAML2 and X.509 certificates.

Umbrella users use credentials from their institutional IdPs, and federation in eduGAIN is an added value; alternatively, users who have no access to a federated IdP can use the catch-all IdP provided by Umbrella itself.

For the photon and neutron use cases the AAI must support an easy single sign-on solution, both web-based and non-web applications, and delegation.

EGI

EGI authentication is based on X.509 certificates, issued by certification authorities accredited by the IGTF. From a technical point of view X.509 credentials satisfy most of the requirements of the EGI infrastructure.

Authorization on EGI services is mostly regulated by membership of a virtual organization (VO). Services support VOs and give the members of a VO access to their resources. Finer levels of granularity are possible with user groups or roles within the VO. All this information, which is in fact a set of community attributes, is added as an extension to the user's proxy certificate by the VOMS service (Virtual Organization Membership Service). VOMS allows the VO managers, i.e. the people responsible for the community, to manage user membership and the other attributes autonomously. In this way EGI service providers delegate authorization decisions to the communities.
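The following is an added example, not EGI or VOMS project code, of how a service provider can take the authorization decision described above from the community attributes carried in the proxy. VOMS expresses VO membership, group and role as fully qualified attribute names (FQANs) of the form /vo/group/Role=role/Capability=cap; the example parses such FQANs and matches them against a local access-control list. It assumes that the service has already validated the proxy certificate chain and the VOMS attribute certificate, so the attributes are represented here as constructed FQAN strings; the ACL rule format, the VO names and the granted account names are the example's own assumptions.

```python
"""Authorization decisions from VOMS FQANs carried in a proxy certificate.

Added example, not EGI or VOMS code. The proxy chain and the VOMS attribute
certificate are assumed to be validated already; only the attribute strings
(FQANs) are handled here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A VOMS FQAN looks like /vo[/subgroup...][/Role=role][/Capability=cap].
# Group components may not contain "/" or "=", which keeps "Role=" and
# "Capability=" from being swallowed as group names.
_FQAN_RE = re.compile(
    r"^(?P<groups>(?:/[^/=]+)+)"
    r"(?:/Role=(?P<role>[^/]+))?"
    r"(?:/Capability=(?P<cap>[^/]+))?$"
)


@dataclass(frozen=True)
class Fqan:
    vo: str                     # top-level VO name, e.g. "atlas"
    group: str                  # full group path including the VO, e.g. "/atlas/production"
    role: Optional[str]         # None when VOMS emitted "Role=NULL" or no role at all
    capability: Optional[str]   # None when "Capability=NULL" or absent


def parse_fqan(text: str) -> Fqan:
    """Parse one FQAN string; VOMS uses the literal NULL for an unset role/capability."""
    match = _FQAN_RE.match(text)
    if not match:
        raise ValueError(f"malformed FQAN: {text!r}")
    groups = match.group("groups")
    role = match.group("role")
    cap = match.group("cap")
    return Fqan(
        vo=groups.split("/")[1],
        group=groups,
        role=None if role in (None, "NULL") else role,
        capability=None if cap in (None, "NULL") else cap,
    )


@dataclass(frozen=True)
class Rule:
    """One ACL entry (assumed format): group path, optional required role, and what is granted."""
    group: str
    role: Optional[str] = None   # None: accept any role, including no role
    subgroups: bool = False      # True: also accept FQANs from subgroups of `group`
    grant: str = "member"        # e.g. the local account or permission level to map to


def rule_matches(rule: Rule, fqan: Fqan) -> bool:
    if fqan.group != rule.group:
        if not (rule.subgroups and fqan.group.startswith(rule.group + "/")):
            return False
    return rule.role is None or rule.role == fqan.role


def authorize(fqans: List[str], acl: List[Rule]) -> Optional[str]:
    """Return the grant of the first ACL rule matched by any FQAN, or None.

    FQANs are scanned in the order VOMS placed them in the proxy, so the
    primary (first) FQAN takes precedence over secondary ones.
    """
    parsed = [parse_fqan(f) for f in fqans]   # reject the whole proxy on a malformed attribute
    for fqan in parsed:
        for rule in acl:
            if rule_matches(rule, fqan):
                return rule.grant
    return None


# Constructed sample data: a service ACL for the (hypothetical here) "atlas" VO
# and the FQANs of a production-role proxy.
SERVICE_ACL = [
    Rule("/atlas/production", role="production", grant="production-account"),
    Rule("/atlas", subgroups=True, grant="atlas-pool"),
]
PROXY_FQANS = [
    "/atlas/production/Role=production/Capability=NULL",
    "/atlas/Role=NULL/Capability=NULL",
]

if __name__ == "__main__":
    print(authorize(PROXY_FQANS, SERVICE_ACL))                        # production-account
    print(authorize(["/atlas/Role=NULL/Capability=NULL"], SERVICE_ACL))  # atlas-pool
    print(authorize(["/cms/Role=NULL/Capability=NULL"], SERVICE_ACL))    # None: VO not trusted
```

Note that a member of /atlas/production whose proxy carries no production role only gets the plain pool grant: the role is an attribute asserted by VOMS, not something the service infers from group membership, which is exactly the separation that lets VO managers control who gets the privileged mapping.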

EUDAT

For a multidisciplinary infrastructure such as EUDAT it is important to keep open the possibility for users to choose the IdP of their preference; this includes institutional IdPs, both federated in national federations and non-federated, catch-all IdPs provided by the research communities, and social IdPs. The level of assurance (LoA) associated with each of them is also important.

Within the EUDAT infrastructure many services are offered, and each service has its own needs with respect to authentication technologies. Currently EUDAT supports X.509, SAML and OAuth2. Some services are web-based but others are not; for the non-web services the infrastructure currently relies on X.509-based solutions. Moreover, EUDAT aims for a single sign-on experience, but given the complexity of the infrastructure this is not always possible.

FMI

The best solution for FMI would be to get AAI as a service, as currently provided by the commercial provider it uses. FMI needs to integrate IdPs both federated and not federated in the national federations, as well as social IdPs for the homeless users.

FMI also requires easy and user-friendly SSO, friendly for the end users but also for the service providers, with support for both web-based applications and command-line applications.

D4Science

D4Science services are enabled for SAML2 and X.509, with OpenID Connect and OAuth2 under evaluation. In terms of sources of identity information, the infrastructure will need to access institutional IdPs, catch-all IdPs managed by the communities and, in the future, social credentials.

Joining the national federation is under evaluation; in general D4Science would benefit from simpler procedures for joining an IdP federation as a service provider.

D4Science services would benefit from delegation and non-web access capabilities.

CLARIN

CLARIN users use, or will use, their institutional credentials, both federated and not federated in national federations, plus the CLARIN catch-all IdP, in order to avoid the use of social credentials where possible.

CLARIN use cases involve both web-based and non-web-based access to services, as well as delegation capabilities, which are currently being tested.

Training on how to deal with the shortcomings of federated identity management (FIM) would be helpful: SAML error messages, testing connections, how to request attributes in foreign federations. CLARIN addresses some of the issues via the Service Provider Federation. We also attempt to address these issues ourselves, but most of them are generic FIM issues.

There should be more information for IdP operators on how SPs use them and what problems they have to solve.

Education

For the education community the institutional IdPs are the credentials the users are most likely to use. Governmental IdPs (e-ID) could also potentially be interesting once they reach full maturity.

Whichever solution becomes predominant, user-friendliness is the highest requirement for this community.

Currently the coverage and the features of the national and European IdP federations do not entirely fulfil the needs of the education sector. Besides the campuses that are not yet federated, there are other categories of users who would be left out anyway: for example high-school students not yet registered at a university but who need to access some tools, and citizen users in a university library.

Requirements: Attribute release policies