SLIDE 1

A Study of Credential Integration Model in Academic Research Federation Supporting a Wide Variety of Services

Eisaku SAKANE, Takeshi NISHIMURA, Kento AIDA, Motonori NAKAMURA (National Institute of Informatics, Japan)

International Symposium on Grids & Clouds 2018, 20th to 23rd March 2018, Academia Sinica, Taipei, Taiwan

SLIDE 2

Outline

  • Introduction to GakuNin and HPCI
  • Issues
  • Consideration of credential integration
  • Related works
  • Summary

SLIDE 3

An Academic Identity Federation in Japan

(Figure: overview of the GakuNin federation. The labels that survive from the diagram are listed below.)

SP side
  • Content Services: most of the major publishers, e-Journals
  • Application Services: eLearning, ePortfolio, admin services, library services, Web mail, groupware, e-Learning, Foodle

IdP side
  • Univ. A, Univ. B, Univ. C

GakuNin Steering Committee
  • Federation Policy
  • IdP Auditing
  • Promotion

Federation infrastructure
  • Info. Web Site, Registration Sys., Metadata Repo., Discovery Service

Benefits
  • Easy access from off campus
  • Seamless access with SSO
  • Reduction of ID management cost, improvement of security

Academic federations have been established on a per-country basis.

SLIDE 4

HPCI: High Performance Computing Infrastructure

(Figure: HPCI authentication overview. Supercomputer centers run an IdP and an IdM; a MICS-based CA and its certificate-related system issue certificates; the PI and researchers obtain a proxy certificate with Shibboleth and then use GSI-enabled SSH login. Arrows in the figure mark communication with Shibboleth.)

HPCI authentication system features include:
  • A single user ID (the HPCI-ID) and multiple accounts (HPCI accounts and local accounts)
  • HPCI accounts are managed by identity providers.
  • A hierarchical initial identity vetting system based on face-to-face meetings with photo-IDs
  • Two kinds of credentials for services in HPCI:
    • Shibboleth assertion for Web services: certificate issuance, CMS, etc.
    • GSI proxy certificate for access to supercomputers and storage
SLIDE 5

Difference between HPCI and GakuNin

  • What is the difference between HPCI and GakuNin?
    • A GakuNin IdP is managed by an academic institution and covers all constituent members of that institution.
    • An HPCI IdP is managed by a supercomputer center (a university or institute) and covers only HPCI users, who are not only academic researchers but also industrial ones.
  • Why did HPCI build dedicated IdPs?
    • An HPCI IdP has to satisfy a strict LoA that requires identity vetting via a face-to-face meeting.
    • An HPCI IdP needs to cover industrial researchers.
    • HPCI is not a common service available to all constituent members of an academic institution, as e-Journals are.
  • At least for the HPCI users who are academic, the HPCI and GakuNin IdPs should be integrated.

SLIDE 6

Guiding question

  • How do we integrate the HPCI IdP and the GakuNin IdP so that academic users only need to manage one credential?
  • We select the GakuNin IdP as the primary identity provider because the GakuNin IdP is operated by the home organization the user belongs to.
  • How do we apply a credential issued by a GakuNin IdP to HPCI services?

SLIDE 7

Authentication flow in HPCI

(Figure: the HPCI authentication chain, left to right.)
  • Initial identity vetting: the applicant presents a photo-ID (in the figure, a sample staff ID card of "Joho Kentaro, National Institute of Informatics"); the registered data (name, affiliation) are checked against it.
  • HPCI account issuing (IdP).
  • Shibboleth / SAML: the Shibboleth IdP authenticates the user to a Shibboleth SP.
  • Certificate issuing as a Web service: myproxy-logon obtains a GSI proxy certificate, bridging SAML to GSI.
  • GSI: gsi-login to supercomputers and storage.

SLIDE 8

Possibilities for GakuNin credential application

(Figure: the HPCI authentication flow of slide 7, from initial identity vetting through HPCI account issuing, Shibboleth/SAML, certificate issuing as a Web service with myproxy-logon, and GSI gsi-login to supercomputers and storage, repeated to show where a GakuNin credential could be applied.)

SLIDE 9

Possibilities for GakuNin credential application

(Figure: the same HPCI authentication flow, with the initial identity vetting step highlighted.)

We consider applying the GakuNin credential to the initial identity vetting in the HPCI IdM.

SLIDE 10

Basic idea: Initial identity vetting with external credential

(Figure: a Trusted Third Party (CA, IdP, …), the IdM, and an applicant; the IdM performs identity vetting based on an LoA. Generalized from our previous work, PoS(ISGC2017)009.)
  0. The Trusted Third Party and the IdM agree to cooperate.
  1. The applicant presents some credential to the IdM.
  2. The IdM inquires about the applicant at the Trusted Third Party, notifying the applicant of the inquiry.
SLIDE 11

Initial identity vetting with credential issued by GakuNin IdP

(Figure: GakuNin IdP, HPCI IdM, and an applicant who already has an account at the GakuNin IdP. Generalized from our previous work, PoS(ISGC2017)009.)
  0. The GakuNin IdP and the HPCI IdM agree to cooperate.
  1. The applicant accesses a Web service for initial vetting.
  2. Shibboleth authentication.

SLIDE 12

Initial identity vetting with credential issued by GakuNin IdP (Cont'd)

(Figure: as on the previous slide; the applicant already has the account at the GakuNin IdP. Generalized from our previous work, PoS(ISGC2017)009.)
  0. The GakuNin IdP and the HPCI IdM agree to cooperate.
  2. Shibboleth authentication:
    2.1. The IdP authenticates the applicant.
    2.2. The IdP confirms whether the applicant allows the IdP to send the required attributes to the IdM.
    2.3. The IdM can check the identity data against the information provided by the IdP.
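The check at step 2.3, as an added worked example (this is not code from the presentation, nor from HPCI or GakuNin). It assumes that the Shibboleth SP in front of the IdM has already verified the IdP's signature on the assertion, so only the content is examined here; the entityIDs, the required attribute set (eduPersonPrincipalName, displayName, o) and the unsigned sample assertion are all hypothetical, constructed for the example. Beyond the happy path it shows the ways vetting should fail: an issuer the IdM has no step-0 agreement with, a stale assertion, one not addressed to the IdM, and attributes the applicant declined to release at step 2.2.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Assumed values (hypothetical, not taken from the slides). In production the
# trusted IdP list would come from GakuNin federation metadata.
TRUSTED_IDPS = {"https://idp.example.ac.jp/idp/shibboleth"}
IDM_ENTITY_ID = "https://idm.hpci.example/shibboleth"   # the IdM's own SP entityID
# Attributes the IdM asks the IdP to release (eduPerson/LDAP friendly names);
# which attributes HPCI really requires is not stated on the slides.
REQUIRED = {"eduPersonPrincipalName", "displayName", "o"}


def build_assertion(issuer, audience, not_before, not_on_or_after, attrs):
    """Constructed sample input: a minimal, UNSIGNED SAML 2.0 assertion.
    A real assertion is signed by the IdP and verified by the Shibboleth SP
    before anything below runs; this helper only lets the example run offline."""
    attr_xml = "".join(
        f'<saml:Attribute FriendlyName="{name}">'
        f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>"
        for name, value in attrs.items()
    )
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>"
        f"</saml:Assertion>"
    )


def parse_ts(value):
    """SAML timestamps are UTC; accept the common 'YYYY-MM-DDTHH:MM:SSZ' form."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _norm(text):
    """Whitespace- and case-insensitive comparison of names and affiliations."""
    return " ".join(text.split()).casefold()


def vet_applicant(assertion_xml, registered, now):
    """Step 2.3: compare the attributes released by the GakuNin IdP with what the
    applicant entered at registration ({'name': ..., 'affiliation': ...}).
    Returns (accepted, reasons); every failed check is listed so the applicant
    can be told why vetting did not complete."""
    reasons = []
    root = ET.fromstring(assertion_xml)

    # Only an IdP the IdM has agreed to cooperate with (step 0) may vouch for anyone.
    issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if issuer not in TRUSTED_IDPS:
        reasons.append(f"issuer is not a trusted GakuNin IdP: {issuer!r}")

    cond = root.find("saml:Conditions", NS)
    nb, na = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and na):
        reasons.append("assertion carries no validity window")
    elif not (parse_ts(nb) <= now < parse_ts(na)):
        reasons.append("assertion is outside its validity window")
    audiences = set()
    if cond is not None:
        audiences = {a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text}
    if IDM_ENTITY_ID not in audiences:
        reasons.append("assertion is not addressed to the HPCI IdM")

    # Collect released attributes; a missing one usually means the applicant
    # declined release at step 2.2, and vetting cannot proceed without it.
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("FriendlyName") or a.get("Name")] = (a.findtext("saml:AttributeValue", namespaces=NS) or "").strip()
    missing = REQUIRED - set(attrs)
    if missing:
        reasons.append("required attributes not released: " + ", ".join(sorted(missing)))
    else:
        if _norm(attrs["displayName"]) != _norm(registered["name"]):
            reasons.append("registered name does not match the IdP's displayName")
        if _norm(attrs["o"]) != _norm(registered["affiliation"]):
            reasons.append("registered affiliation does not match the IdP's organization")

    return (not reasons, reasons)


if __name__ == "__main__":
    now = parse_ts("2018-03-20T01:30:00Z")
    assertion = build_assertion(
        "https://idp.example.ac.jp/idp/shibboleth", IDM_ENTITY_ID,
        "2018-03-20T01:00:00Z", "2018-03-20T02:00:00Z",
        {"eduPersonPrincipalName": "joho@example.ac.jp",
         "displayName": "Joho Kentaro", "o": "National Institute of Informatics"},
    )
    print(vet_applicant(assertion, {"name": "Joho Kentaro", "affiliation": "National Institute of Informatics"}, now))
```

The IdM should reject, not merely warn, on any listed reason; an assertion with a valid signature but the wrong audience is exactly what a replay from another SP looks like. Comparing normalized strings is deliberate, because the registration form and the university directory rarely agree on whitespace and case, and a stricter comparison would only push the mismatch back to a human.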

SLIDE 13

Discussion

  • Does the proposed procedure provide the same level of assurance?
  • The HPCI IdM must vet the identity of a user based on a face-to-face meeting with a photo-ID.

(Figure: the sample photo-ID of slide 7, a staff ID card of "Joho Kentaro, National Institute of Informatics", shown next to the GakuNin IdP of the university that issued it.)

The user presents her/his photo-ID issued by the home university. The proposed procedure can intuitively be regarded as the same as the initial identity vetting based on a face-to-face meeting, because the organization that issued the photo-ID is the one operating the GakuNin IdP. That equivalence holds only as far as the home university binds its GakuNin account to the same person it issued the photo-ID to, and as far as the IdP's own LoA is known; this is what a trust framework (see the summary) would have to assure.

SLIDE 14

Discussion (Cont'd)

  • Another possibility of GakuNin credential application.
  • Due to the end of GSI support, HPCI needs to reconsider the authentication and authorization system used to access supercomputers and storage in HPCI.
  • The credential for Web services may be changed by the new AA system in HPCI.
  • However, the application of the GakuNin credential to initial identity vetting will remain almost unchanged.

SLIDE 15

Related Works

  • AARC Blueprint Architecture
  • Snctfi (Scalable Negotiator for a Community Trust Framework in Federated Infrastructures) from AARC's policy work

SLIDE 16

Summary

  • We introduced two authentication infrastructures, GakuNin and HPCI.
  • We proposed a credential integration model in which the GakuNin credential (a SAML assertion) can be used for the initial identity vetting in HPCI.
  • Our approach can be extended to a more general case.
  • Our approach should be corroborated with a trust framework.