As EUDAT runs a lot of different services internally, SPs are offered different technologies for integration with B2ACCESS. Based on work originally done in the Contrail project and carried forward by the first EUDAT project, services can choose to use SAML (using the WebSSO profile), OAuth2 (RFC 6749), or X.509 certificates. In a simple scenario, a service will use OAuth for simple access and authorisation; a more complex scenario would use SAML to authenticate and pass authorisation decisions to an XACML infrastructure. In the most elaborate scenario, users would authenticate to a (community or EUDAT) portal using SAML WebSSO (which in turn redirects to the “home” IdP); the portal then obtains an OAuth access token to grant further rights, including the right to obtain a certificate on behalf of the user from a web services certification authority (internal to B2ACCESS). The portal then generates the keys and obtains the certificate, which includes authorisation attributes. This scenario provides extra security compared to many of the traditional portals, as the issuance of the certificate requires additional authorisation (the portal has to be registered as an OAuth client and needs to be authorised to obtain a particular user’s certificate); the management of such authorisations can be predefined administratively or by the user, and can be audited subsequently. Power users can download the certificate and use it to drive non-web services from the command line, e.g. B2SAFE and data transfers. Despite its complexity, this approach offers a high degree of flexibility in integrating the many different components that comprise an EUDAT infrastructure, and many services will choose to use only the least complicated AAI mechanisms, depending on their security requirements.
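The authorisation gate described above (portal registered as an OAuth client, authorised for a particular user, every decision auditable) as an added model in Python; this is not B2ACCESS code, and the scope name, token shape, client and user names are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

CERT_SCOPE = "cert:issue"  # assumed scope name; the real B2ACCESS scope is not given on this page


@dataclass(frozen=True)
class AccessToken:
    """What the internal CA learns by introspecting the portal's OAuth token (constructed shape)."""
    client_id: str
    subject: str
    scopes: frozenset
    active: bool = True


@dataclass
class CertificateAuthority:
    registered_clients: set                 # OAuth clients registered with B2ACCESS
    delegations: dict                       # user -> clients allowed to obtain a cert on their behalf
    audit_log: list = field(default_factory=list)

    def issue(self, token: AccessToken, requested_user: str, attributes: dict):
        """Authorise and issue (modelled as a dict, not a real X.509 cert). Every decision is logged."""
        reason = None
        if not token.active:
            reason = "token inactive"
        elif token.client_id not in self.registered_clients:
            reason = "client not registered"
        elif CERT_SCOPE not in token.scopes:
            reason = "token lacks certificate-issuance scope"
        elif token.subject != requested_user:
            reason = "token subject does not match requested user"
        elif token.client_id not in self.delegations.get(requested_user, set()):
            reason = "client not authorised for this user"
        # Audit both approvals and refusals so delegations can be reviewed later.
        self.audit_log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "client": token.client_id, "user": requested_user,
            "granted": reason is None, "reason": reason,
        })
        if reason:
            return False, reason
        # The issued certificate carries the authorisation attributes, as the text describes.
        return True, {"subject": requested_user, "obtained_by": token.client_id,
                      "attributes": dict(attributes)}


def build_sample_ca() -> CertificateAuthority:
    """Constructed sample: one registered portal, one user who delegated to it."""
    return CertificateAuthority(
        registered_clients={"community-portal"},
        delegations={"alice@example.org": {"community-portal"}},
    )
```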

D4Science

The Authentication Service supports two factors, username/password and X.509 certificates: the former is used mainly for human-to-machine interactions (Portal or SOAP Services) and the latter mainly for machine-to-machine interactions (SOAP Services called by other services).

The user interface portal supports SAML federation with the classic Web Browser SSO profile. A hybrid profile based on Web Browser SSO and the SAML Token profile enables SAML federation for SOAP Web Services.

FMI

FMI is using Auth0 (https://auth0.com/), which is a commercial solution for AAI integration.

Education

The institutional IdPs use SAML2 technology, and solutions like Grouper for attribute management.