The e

1
The eInfrastructure AAI roadmap in
EuropeTrends in European AA policy
8th EUGridPMA Meeting, Karlsruhe, 2006

• EUGridPMA Karlsruhe meeting
• David Groep, NIKHEF

2
Aims of the Integrated AAI

• Roadmap for the European e-Infrastructures
  create a single seamless AA experience for the
  user
• Spans
• the authentication/ID provisioning domain
• as well as the authorisation area
• across any kind of application
• grids like we know today
• network access (eduroam)
• web resource access
• (m)any other services

3
e-IRG integrated AAI Roadmap

• Trans-disciplinary (Grid projects, NRENs, other
  user communities) and trans-continental forums
  that move towards the establishment of a global,
  seamless AA infrastructure for e-Science
  applications should be encouraged.
• The e-IRG wishes to acknowledge the efforts made
  in this direction by the IGTF and the open
  information exchange point provided by TERENA
  task forces.
• Recommendation to the e-IRGAustrian EU
  Presidency 2006

4
e-IRG mandate

• The main objective of the e-IRG is to support on
  the political, advisory and monitoring level, the
  creation of a policy and administrative framework
  for the easy and cost-effective shared use of
  electronic resources in Europe (focusing on
  Grid-computing, data storage, and networking
  resources) across technological, administrative
  and national domains.
• The e-IRG consists of official delegations from
  the ministries of Education of the various
  European countries. It has an important role in
  assigning funding priorities for EU framework
  programmes and the strategy for e-Europe.

5
Contributors

• Roadmap contributors and actors in the field
• e-IRG (high-level policy)
• TERENA TF-EMC2, TF-Mobility
• IGTF
• eduroam
• GEANT2 JRA5 (eduGAIN)
• REFEDs
• many national federations (CH, ES, NL, NO, UK, )
• software providers Shibboleth, A-Select, PAPI,

6
Grid Authorization

• user centric communities
• either grass-roots or infrastructure-based
• primary applications today in compute/data/databas
  e access

7
Grid AuthZ status

• User-centric community management today
• for (virtually) all grids based on authentication
  by IGTF accredited authorities
• these assertions are used for authorization,
  where
• there is far greater variety in mechanisms and
  concepts
• software in a continuous transition phase
• actual user communities are expert and
  relatively small,i.e., O(100 000) users

8
Grid Authorization

• Current (deployed) models in most compute/data
  grids
• all based on proxies, implementing SSO and
  delegation
• Identity-based authorization
• lists of authorized users, possibly organised on
  a VO basis
• model is being deprecated in larger deployments
• Attribute-based authorization
• VO-managed databases, directories issuing
  VO-signed assertions
• VO identity itself based on IGTF certificates
• resource providers grant access based on these VO
  attributes
• pushed down with the service request (typically
  as ACs embedded as an extension in the proxy
  certificate), VOMS
• in part supported by (proxy) credential caches
  MyProxy

9
Grid Characteristics

• Special characteristics
• rights delegation (typically to processes)
• rights/role selection based on the session,
  and not the target resource per se
• on-demand creation of new sources of authority
  (VOs)
• grid communities cut through organisations

10
Software developments in AA

• (grid) software has become flexible over the past
  few years
• most software now supports both push and pull of
  attributes and assertions
• its slowly becoming syntax-agnostic (X509 (AC),
  SAML, )

Pull
Push
4
2
1
3
11
OGSA AA model

• Grid (OGSA) AA architecture
• explicitly acknowledges multiple sources of
  authority in the authorization chain

graphic OGSA 1.0, GGF standard track document
12
Grid Middleware AA support
runtime graphic Globus Toolkit 4, Frank
Siebenlist et al.
PERMIS/XACML PDP, or a SAML PIP, or
13
More initiatives

• eduGAIN summary with too many experts in the
  room ?
• based on federation connectors to mediate
  between federations (domains, realms)
• common services
• Home Location Service
• (can be extended with others)
• basic interactions
• (AccessReq/AccesResp)
• AuthNDataReq/ AuthNDataResp
• HomeLocationReq/ HomeLocationResp
• AttrReq/ AttrResp
• AuthZReq/ AuthZResp
• using WS and SAML
• see links provided by Reimer and Diego

14
What is happing now?

• Several domains implemented some integrated AAI
  today
• evaluationary grid middleware solutions
  targeted at expert power users
• wireless network access targeted at the
  masses, almost irrespective of status
• web resources targeted at selected academic
  users, but not very selective as resources are
  not high value

15
Production app eduroam

• transparent (wireless) network access based on
  credentials issued by the home organisation
• distributed RADIUS infrastructure based on
  pair-wise hierarchical trust
• no qualified AuthZ

16
Production apps examples

• Examples from the Access Management
  Infrastructure for the UK
• ScienceDirect
• BlackBoard
• BIOSIS
• CAB Abstracts
• Education Image Gallery, Education Media Online
• Index to The Times
• Land, Life Leisure
• Statistical Accounts of Scotland
• Landmap
• Zetoc Alert, Search
• other domains started use similar technology
  (such as Dutch government DigID project using
  A-Select)

17
Issues with integration

• Wider value range of resources to control
• from low-risk wireless access to high-risk
  supercomputers
• To engage more users, the current model of
  user-held credentials, or having disparate
  credentials for grid and other activities, not
  necessarily sustainable
• only scientific power users could maybe manage
• general audience just cannot handle the current
  grid AA systems
• need integrated models, that respects both local
  autonomy, recognises existing credential quality,
  and retains the global coordination we have today
• note that this is technology-agnostic, its pure
  policy
• the software stacks we have today can almost do
  anything

18
Possible interfaces to integration

• indirect AuthN based on existing IdMs
• enable grid AuthN systems (e.g. VOMS) to also
  propagate other (home) IdM attributes
• enable resource access controls to talk to
  multiple SoAs
• express VO membership as a function of home IdM
  attributes
• The reverse can also be considered
• VO membership could entitle you to guest
  associate-ship with a real organisationso that
  (selected) VO members can use resources that are
  available to the real organisation
• these scenarios are largely independent of the
  middleware (GSI or Shib or A-Select or )
• except that SAML cannot yet well support
  (restricted) delegation

19
PKI AuthN based on existing IdMs

• see presentation by Christoph Witzig in a moment

20
2. Propagating other IdP attributes
slide from Chistoph Witzig, SWITCH, EGEE MWSG
2006-09-27
21
3. Multiple SoA support in access control

• enable resource access controls to talk to
  multiple SoAs
• based on pluggable authorization framework, such
  as in newer middleware like Globus Toolkit 4,
  gLite, c

graphic from Chistoph Witzig, SWITCH, GGF16,
February 2006
22
4. VO membership as function of home attributes
query to resolve membership list of FQAN
?!
role productionmembers- John Doe- the
students of UHOclass 101, 2008- Maggie
23
Many interesting issues to be addressed

• Technical issues solvable policy harmonisation
  is non-trivial
• far wider range of qualities in the attributes
• different incentives for keeping information
  current
• responsibility for attributes resides with
  different parties
• VO to manage community membership but can small
  VOs maintain such an infrastructure? a task for
  an (independent) e-Infrastructure provider
• home organisation to manage organic attributes
  but not attributes are usually considered
  equally valuable, and there is lots of variety
  between the UHOs
• access rights may suddenly depend on attributes
  with different quality

24

• encourage work towards a common federation for
  academia and research institutes that ensures
  mutual recognition of the strength and validity
  of their authorization assertions.
• e-IRG RecommendationDutch EU Presidency 2004
• how do we go about it?
• what role do we have in this domain?
• we have experience in policy coordination ...

25
Proposal possible directions forward

• At the national level, for each authority
• monitor developments towards the creation of
  national AAIs and federations
• engage in (national) AAI initiatives that support
  your current and potential subscriber base
• promote the bridging of emerging federations at
  the national level
• At the European and global level
• ensure awareness of IGTF policy coordination work
  and its relevance to developments in the overall
  AAI developments
• actively foster the definition of levels of
  assurance, its expression in all relevant
  syntaxes, and engage in the definition of these
  levels
• ensure that our policies do not inadvertently put
  up roadblocks on the way towards an integrated
  AAI
• promote (national) federations that interface
  with our current and future subscriber base at
  both the authN and (later) the AuthZ level