Centralized Authorization in Non-Uniform Federation Communities of Interest (PowerPoint presentation)



SLIDE 1

Centralized Authorization in Non-Uniform Federation Communities of Interest

Olga Terlyga NLIT 2018 May 22, 2018

FERMILAB-SLIDES-18-105-CD

This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

SLIDE 2

Centralized Authorization

5/22/2018 Olga Terlyga | NLIT 2018 2

  • Why do we care?
  • What should we do?
SLIDE 3

(Semi) Open Science

The scientific process is based on the free exchange of ideas. Scientific collaborations require us to be more open than ever, while the emphasis on cyber security pushes us to become more closed off. The role of IT is to enable the exchange of ideas and data, balanced against security concerns.

Non-Scientific resources

Exchange of information also happens, and is necessary, in many other areas of Laboratory operations.

SLIDE 4

Global collaboration era

MINERvA collaboration (slide shows a world map of member institutions; the list as recoverable from the slide):

  • Centro Brasileiro de Pesquisa…
  • Aligarh Muslim University Hor…
  • Fermilab
  • University of Florida
  • University of Geneva
  • Universidad De Guanajuato
  • Hampton University
  • Massachusetts College Of Li…
  • Indian Institute of Science Ed…
  • Northwestern University
  • Oregon State University
  • Otterbein University
  • Pontifical Catholic University…
  • University of Pittsburgh
  • University of Rochester
  • Rutgers-New Brunswick
  • Tufts University
  • University of Minnesota Duluth
  • National University of Engine…
  • Universidad Tecnica Federico…
  • Ewell Hall
  • University of Oxford
  • University of Mississippi
  • University of Pennsylvania
  • University of Wrocław

SLIDE 5

Global collaboration era

  • OSG (Open Science Grid) computing grid
  • XSEDE (Extreme Science and Engineering Discovery Environment)

SLIDE 6

Access = Authentication + Authorization

Access always needs to be managed. Even open science is not 100% open.

Accountability

SLIDE 7

On Premise => More Control

  • On-premise authentication
    – Typically Single Sign-On
    – Maybe LDAP
    – …
  • On-premise authorization
    – Active Directory security groups
    – Individual service provider's database
    – Identity management
    – …

SLIDE 8

On Premise => Constraints

  • Users don't want to maintain another set of credentials
    – Passwords
    – Usernames
    – Registration process
  • Admins don't want to maintain another set of credentials
    – Expiration dates
    – Source of truth
    – HR involved in registration process
    – Short-lived accounts
    – Price?

SLIDE 9

Federation

Each person is uniquely identified within their organization and within the federation.

eduGAIN (status figures shown on the slide): 51 member federations, 5 voting-only members, 13 candidates; 2711 IdPs, 1947 SPs, 6 standalone attribute authorities (AAs).

[Diagram: Federation A and Federation C exchange metadata; a Service Provider in one federation consumes identities from the other.]

SLIDE 10

Federation

Invaluable collaboration tool!

  • Placing every SP in a federation is not practical
  • Does each SP maintain its own authorization data?
  • Not every IdP is in a federation

Are there possibilities here for centralized authorization?

[Diagram: several IdPs, Federation A and Federation C metadata, and a Service Provider.]

SLIDE 11

Identity and Access Management products

Typically:

  • Portal style
  • Combine authentication and authorization
  • More useful in self-contained organizations

Some do integrate with federations.

[Logo wall of applications such products front, as far as recoverable: ServiceNow, Oracle, Workday, Splunk, Google Calendar, Gmail, OneDrive, Outlook, Citrix, JIRA, Egnyte, Yammer, Cisco, Roambi, among others.]

SLIDE 12

Federation Hub

[Diagram: three on-premise SPs behind a hub; the hub fronts one on-premise IdP and three external IdPs.]

This looks more centralized from an authentication point of view. Are there possibilities here for centralized authorization?

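One way the hub on this slide could be extended to answer that question, as an added example that is not from the slides or from Fermilab's implementation (Python, with assumed entityIDs, scopes, group names and SP policies): the hub delegates authentication to trusted IdPs, whether reached through federation metadata or registered bilaterally, keeps one central table of community-of-interest memberships, makes the per-SP decision, releases only the attributes each SP needs, and writes an audit record for accountability.

```python
"""Added example (not from the NLIT 2018 slides): a toy federation-hub
authorization broker.  All entityIDs, scopes, group names and policies
below are illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed hub metadata: each trusted IdP and the identifier scopes it is
# authoritative for.  The first two are reachable through federation metadata,
# the third is an IdP outside the federation registered bilaterally with the
# hub ("not every IdP is in a federation").  In SAML the scopes would come
# from the IdP's shibmd:Scope metadata elements.
TRUSTED_IDPS: Dict[str, FrozenSet[str]] = {
    "https://idp.fnal.gov/idp": frozenset({"fnal.gov"}),
    "https://idp.university-a.example/idp": frozenset({"university-a.example"}),
    "https://sso.partner-b.example/saml": frozenset({"partner-b.example"}),
}

# Constructed central authorization data: community-of-interest memberships
# per federated identity, maintained once by the hub rather than once per SP.
MEMBERSHIPS: Dict[str, FrozenSet[str]] = {
    "carol@fnal.gov": frozenset({"fnal:staff", "minerva:collaborator"}),
    "alice@university-a.example": frozenset({"minerva:collaborator"}),
    "bob@partner-b.example": frozenset({"dune:collaborator"}),
}


@dataclass(frozen=True)
class Assertion:
    """What the hub learns from a successful authentication at an IdP."""
    issuer: str      # IdP entityID
    subject: str     # scoped, non-reassignable identifier (eduPersonPrincipalName style)
    authn_time: int  # seconds since epoch


@dataclass(frozen=True)
class SPPolicy:
    """Per-SP policy held centrally: which community grants access and which
    attributes the SP may receive (minimal release)."""
    required_any: FrozenSet[str]
    release: FrozenSet[str]
    max_authn_age: int = 8 * 3600


SP_POLICIES: Dict[str, SPPolicy] = {
    "https://docdb.minerva.example/sp": SPPolicy(
        frozenset({"minerva:collaborator"}),
        frozenset({"eduPersonPrincipalName", "isMemberOf"})),
    "https://hr.fnal.gov/sp": SPPolicy(
        frozenset({"fnal:staff"}),
        frozenset({"eduPersonPrincipalName"}),
        max_authn_age=900),
}

AUDIT: List[Dict[str, object]] = []  # accountability: one record per decision


def canonical_identity(a: Assertion) -> Optional[str]:
    """Map an assertion to the hub-wide identity.  An issuer is trusted only
    for the scopes it is authoritative for, so an IdP cannot mint a subject in
    another organisation's scope (e.g. a partner IdP asserting @fnal.gov)."""
    scopes = TRUSTED_IDPS.get(a.issuer)
    if scopes is None or "@" not in a.subject:
        return None
    user, scope = a.subject.rsplit("@", 1)
    if not user or scope.lower() not in scopes:
        return None
    return f"{user}@{scope.lower()}"


def authorize(a: Assertion, sp: str, now: int) -> Tuple[bool, Dict[str, object]]:
    """Access = Authentication + Authorization: combine a verified assertion
    with the central membership table; return (allowed, attributes to release)."""
    policy = SP_POLICIES.get(sp)
    ident = canonical_identity(a)
    attrs: Dict[str, object] = {}
    if policy is None:
        reason = "unknown-sp"
    elif ident is None:
        reason = "untrusted-issuer-or-scope"
    elif now - a.authn_time > policy.max_authn_age:
        reason = "stale-authentication"
    else:
        granted = MEMBERSHIPS.get(ident, frozenset()) & policy.required_any
        if not granted:
            reason = "not-a-member"
        else:
            reason = "ok"
            full = {"eduPersonPrincipalName": ident, "isMemberOf": sorted(granted)}
            attrs = {k: v for k, v in full.items() if k in policy.release}
    allowed = reason == "ok"
    AUDIT.append({"sp": sp, "issuer": a.issuer, "subject": a.subject,
                  "identity": ident, "allowed": allowed, "reason": reason})
    return allowed, attrs
```

The scope check is what keeps the scheme safe in a non-uniform setting: a bilaterally registered IdP is trusted only for its own scope, so it cannot assert an identity that would match a membership entry in another organisation's scope. In a real SAML deployment the hub would express the decision as released attributes (eduPersonPrincipalName plus isMemberOf or eduPersonEntitlement) in its own assertion to the SP, and the SP would keep no authorization data of its own.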
SLIDE 13

What should we do?

Centralized Authorization in Non-Uniform Federation Communities of Interest