EMI INFSO-RI-261611
Session Summary: AAI Needs for DCIs
John White, HIP (john.white@cern.ch)
Christoph Witzig, SWITCH (christoph.witzig@switch.ch)

Outline

• Introduction
• Requirements and Plans of different Communities
• Summary Findings

• Note:
  – authN = authentication
  – authZ = authorization

Introduction

• AAI = authentication and authorization infrastructure
• DCI = distributed computing infrastructure
• AAI-DCI Workshop
  – organized as part of EMI workplan
  – Indico: https://www.egi.eu/indico/sessionDisplay.py?sessionId=11&slotId=0&confId=48 - 2010-09-14
  – Milestone document to follow
• EMI needs to provide harmonized middleware stack
  – Provide user-friendly interface, especially for authenticating to an infrastructure

Questionnaire to Communities (1/2)

• Targeted a set of communities that depend on an (emerging) infrastructure
  – Many tied to an ESFRI project
• All are rather large communities distributed over many European countries
• Most are rather early in their lifecycle

Questionnaire to Communities (2/2)

1. How are users authenticated?
   1. Which credentials are in use?
   2. How is the user vetting done?
2. Is there a link to national identities?
3. Which types of resources are in use? How are users authorized?
   1. Resources accessed through Grid?
   2. Resources accessed without Grid?
4. Where does the project want to be in ~5 years?
5. Are users and resource owners happy with current authN and authZ schemes?

The vision …

… and the reality

Earthscience Grid (1/2)

• Horst Schwichtenberg, Fraunhofer Institute
• Access to data is central for ES
  – Archived sensor data or derived data from multiple sources and in multiple formats
    • different providers and different systems
• Geographical Information System (GIS)
  – WS Specification from Open Geospatial Consortium (OGC): no specification for authN/authZ
  – Work in progress
    • HTTP authN, HTTP cookies, SSL X.509, SAML, Shibboleth and OpenID

Earthscience Grid (2/2)

• Requirements:
  – Protect data down to the single user
  – Federated identity and single sign-on
    • SAML and OAuth, WS-* protocols
    • SSO based on Shibboleth and OpenID
  – Science gateways to provide access to computing infrastructure (EGI) in the background
    • Automatic certificate generation
  – Data centers need to protect licensed data and code

Biomedical Community (1/2)

• Key requirements:
  – Preserve patient privacy
  – Copyrighted data processing tools
• Current authN:
  – X.509 (grid users and French Health Professional smartcards)
• Resources:
  – EGI storage (SRM) and external data repositories
  – Web-based resources

Biomedical Community (2/2)

• Goal in ~5 years:
  – Homogeneous AA handling in Grid services
  – Access control to relational and semantic stores
• User’s view:
  – AA scheme is irrelevant. Only functionality matters.
  – Dedicated solutions often needed in Life Sciences.

CLARIN (1/2)

• Dieter Van Uytvanck, MPI for Psycholinguistics
• Aim:
  – Provide language resources and technologies for humanities and social sciences
• Typical use-case:
  – On the basis of browsing catalogues and/or searching through data, create a virtual collection and process it through workflows using web services

CLARIN (2/2)

• Long term AA objectives:
  – Rely on user’s home organization, via national AAIs, for establishing trust (SAML, Shib)
  – CLARIN as legal entity to sign contracts with national identity federations
  – Rely on eduGAIN to provide trust between national AAIs
• Issues raised:
  – License acceptance must be solved (special license service)
  – Multi-level WAYFs and attribute release consent confusing for the user

Photon Facilities (1/2)

• Hans Weyer, PSI
• Environment:
  – Photon facilities with wide range of research areas and ~30’000 visiting scientists / year
  – ~15 synchrotrons in EU, often national facilities
• Facilities partly co-operating, partly competing

Photon Facilities (2/2)

• AA approach: “Umbrella”
  – Use EU wide, central user identification
    • Username, pwd, email, birthday
  – Local management of additional, site-specific attributes
    • Phone, registrations, facility roles, proposals
  – Based on SAML
  – Note: Do not plan to use national AAIs for authN

ILL – Neutron Science

• Neutron facility, very diverse user community
• Need federated authentication and management of user’s attributes
• authN should provide access to
  – Web based applications
  – Network connection
  – Workstation access

ELIXIR

• ESFRI BMS Project coordinated by EBI
• Very large user community (~1 mio users)
• Provide access to life science data (genomes, …) for many different sciences
• Users are not authenticated
  – many users find authN unacceptable
• Sensitive data (e.g. patient data) handled through a special procedure (data custodian)

Lifewatch

• Axel Poigné, Fraunhofer
• Still design phase – no decisions taken
• Present thoughts:
  – X.509 not appropriate
  – Use Shibboleth
    • Credential translation for access to Grid
    • OpenID complementary

HEP

• Maarten Litmaath, CERN
• Key technologies:
  – X.509, IGTF
  – VOMS
• Issues with Grid security
  – Certificates are difficult for users to handle
  – Proxy issues, use of primary FQANs
  – etc.

Other talks

• Moonshot: D. Kouril, CESNET
  – Goal: enable use of identity federations and SAML for non-web applications
  – Target core internet protocols: SSH, SMTP, IMAP, NFSv4, HTTP…
  – Started spring 2010
• Presentations of
  – IGI: V. Ciaschini, INFN
  – UK NGI: C. Devereux, STFC

Summary Findings (1/2)

• Different communities do have different requirements
• User-centric view is mandatory
  – Very large and very diverse user communities
  – Many users have “modest IT knowledge” and “limited enthusiasm for complex solutions”

Summary Findings (2/2)

• Key technologies
  – Federated identity / SAML / Shibboleth
    • With / without leveraging national AAIs
  – X.509 still basis for Grid technology
  – SLCS, MICS CA
  – Need novel ways to bridge security domains
    • ECP support in Shibboleth (useful for portals; Swiss Grid Portal project)
    • Security token service (work item in EMI)
    • Pseudonymity service (EMI)
    • Moonshot
• Key requirement for AA solutions:
  – Standards-based, interoperable


• Should be aware of time lag between development and deployment

• But if not all, then most roads lead to Rome