indigo datacloud indigo aai an overview and status update
play

INDIGO DataCloud INDIGO AAI An overview and status update - PowerPoint PPT Presentation

Jun 03, 2023 •94 likes •641 views

INDIGO DataCloud INDIGO AAI An overview and status update RIA-653549 Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project approved

  1. 
 INDIGO – DataCloud 
 INDIGO AAI An overview and status update RIA-653549 � Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force � indigo-aai-tf@lists.indigo-datacloud.org

  2. INDIGO Datacloud ▪ An H2020 project approved in January 2015 in the EINFRA-1-2014 call ‣ 11 M € ‣ 30 Months (Apr. 2015 -> Sept. 2017) ▪ Who: 26 partners from 11 European countries ▪ What: develop an open source platform for computing and data targeted at multi-disciplinary scientific communities ▪ Where: provisioned over hybrid (public and private) e-infrastructures 2

  3. INDIGO objectives ▪ Provide seamless access to data and computing provisioned over private, public or hybrid e- infrastuctures ▪ Leverage and extend current Cloud technologies, fill the gaps, provide tools and services to support scientists, software developers, resource providers and e-infrastructures for the efficient exploitation of computing, data and network technologies : Better software for better science 3

  4. The INDIGO approach ▪ Based on Open Source solutions ‣ widely supported by big communities ▪ whenever possible exploit general solutions instead of specific tools/services ‣ increased sustainability ▪ ensure that the framework offered to final users, as well as to developers, will have a low learning curve ‣ ease of adoption and integration 4

  5. Example use case scenario Computational Portal “as a service” 5

  6. Example use case scenario Computational Portal “as a service” ▪ A scientific community has an application (or a set of them) that should be accessed through a portal, and: ‣ Requires a dynamically instantiated batch queue as a back-end ‣ Exhibits unpredictable workload ‣ Supports multiple access profiles ‣ Should be deployable through Cloud providers, with features such as redundancy and elasticity ‣ May require cloud-bursting to other infrastructures ‣ Should support access to external reference data and data local to the application, which must be accessible in a distributed way 6

  7. The AAI problem ▪ Heterogeneous authentication/authorization mechanisms ‣ but we need common AAI ground, persistent identifiers, support for delegation, easy integration in services ▪ To be effective, security should not impact usability ‣ we need support for federated identities ▪ We need AAI solutions that allow our users to manage authentication and authorization on dynamically provisioned resources in a secure way ‣ Without being security experts! INDIGO-DataCloud RIA-653549 7

  8. INDIGO AAI: approach ▪ How can we have common AuthN and AuthZ primitives that “just work” across several distributed infrastructures? ▪ Which tools should we provide to our users so that they have complete control on how AuthN and AuthZ is configured and performed on the resources (assembled from distributed providers) they will use for their research? ▪ How do we avoid reinventing the wheel? How do we exploit what is already available, leverage existing standards and ensure that what we develop is sustainable? INDIGO-DataCloud RIA-653549 8

  9. INDIGO AAI: main challenges ▪ Authentication/Identity ‣ Supporting federated authN mechanism ‣ Persistent INDIGO identifier ‣ Offline access ▪ Authorization ‣ Orthogonal to AuthN ‣ Attribute-based ‣ Dynamic ‣ Consistent across heterogeneous infrastructure ▪ Delegation 9

  10. INDIGO AAI architecture 10

  11. Authentication Slide courtesy of Paul Millar 11

  12. Identity layer challenges ▪ Support multiple AuthN mechanisms ‣ SAML, OpenID-Connect, X.509 ▪ Harmonise Identities ▪ One INDIGO identity linked to multiple user authN mechanisms ▪ Persistent INDIGO identity identifier ▪ Link group membership and other attributes to INDIGO identity ▪ similarly to what VOMS does with VO attributes and X.509 certificates, but in a way that is orthogonal to the AuthN mechanism used 12

  13. Identity in INDIGO ▪ The INDIGO identity layer speaks OpenID-connect ▪ The INDIGO Identity and Access Management Service is an OIDC provider ▪ Authenticates users with supported AuthN mechanism ▪ SAML, X.509, OIDC ‣ Provides to RP access to identity information through standard OIDC interfaces ▪ Can be seen as a first credential translation step 13

  14. Why OpenID connect ▪ Standard and widely adopted in industry ‣ Don’t reinvent the wheel ▪ Reduced integration complexity in relying services ▪ Lots of things we need are covered and standardized ‣ Dynamic Registration of clients/relying parties ‣ Token revocation ‣ Discovery ‣ Session management ‣ Distributed/Aggregated claims ▪ Mobile-friendly 14

  15. INDIGO AuthN flow INDIGO Service Access service Marcus wants to access some service at INDIGO service Home IdP Indigo IAM

  16. INDIGO AuthN flow INDIGO Service Access service INDIGO Services sees that Marcus is not authenticated, and redirects him to INDIGO IAM for authentication Home IdP Indigo IAM

  17. INDIGO AuthN flow INDIGO Service redirect to IAM for AuthN Home IdP Indigo IAM

  18. INDIGO AuthN flow INDIGO Service redirect to IAM for AuthN IAM lets Marcus choose how he wants to authenticate Marcus chooses his Home IdP Home IdP Indigo IAM

  19. INDIGO AuthN flow INDIGO Service redirect to home IdP for AuthN Home IdP Indigo IAM

  20. INDIGO AuthN flow INDIGO Service Home IdP authenticates Marcus and sends back an AuthN assertion Home IdP Indigo IAM

  21. INDIGO AuthN flow INDIGO Service IAM validates assertion. Marcus is now authenticated at IAM. Home IdP Indigo IAM

  22. INDIGO AuthN flow INDIGO Service send back to IS OIDC authz code Home IdP Indigo IAM

  23. INDIGO AuthN flow INDIGO Service exchange authZ code for OIDC ID-token access token Home IdP Indigo IAM

  24. INDIGO AuthN flow INDIGO Service IS validates ID-Token. Marcus is now authenticated at IS Home IdP Indigo IAM

  25. INDIGO AuthN flow INDIGO Service IS requests additional profile information about Marcus from IAM user info endpoint Home IdP Indigo IAM

  26. IAM Status ▪ Implementation based on the Mitre OpenID connect server reference implementation ▪ https://github.com/mitreid-connect/OpenID-Connect- Java-Spring-Server ‣ Certified open source OIDC server implementation ‣ Actively maintained ▪ also used as the base of the Shibboleth IdP OIDC implementation ‣ Main OIDC functionality covered ▪ Token issuing and management, Client registration/discovery, Scope management ▪ Simple and usable management web application provided 26

  27. IAM Authentication status ▪ OAuth client/token/consent management done ▪ Local username/password authentication done ▪ External SAML IdP authentication done ▪ Identity orthogonal to AuthN done ▪ Group information available via OIDC done ▪ External OIDC IdP authentication in progress ▪ Certificate authentication in progress ▪ AuthN mechanism exposed via OIDC in progress 27

  28. IAM Authentication status ▪ OAuth client/token/consent management done ▪ Local username/password authentication done ▪ External SAML IdP authentication done ETA: June release ▪ Identity orthogonal to AuthN done ▪ Group information available via OIDC done ▪ External OIDC IdP authentication in progress ▪ Certificate authentication in progress ▪ AuthN mechanism exposed via OIDC in progress 27

  29. Authorization Slide courtesy of Paul Millar 28

  30. Authorization challenges ▪ Consistency ‣ Provide solutions to dynamically define, propagate, compose and enforce authorization policies on resources at various levels of the infrastructure ▪ Scalability ‣ in a scalable way ▪ Manageability ‣ supporting cross-organizational user, group and privilege management as well as enrollment and registration flows ▪ Integration ‣ in a way that produces minimal integration friction in services 29

  31. Authorization challenges ▪ Consistency ‣ Provide solutions to dynamically define, propagate, compose and enforce authorization policies on resources at various levels of the infrastructure ▪ Scalability ‣ in a scalable way ▪ Manageability ‣ supporting cross-organizational user, group and privilege management as well as enrollment and registration flows ▪ Integration ‣ in a way that produces minimal integration friction in services 30

  32. AuthZ in INDIGO: OAuth 2 ▪ A standard framework for delegated authorization to access HTTP protected resources ▪ Decouples AuthZ from AuthN ▪ Natural solution for delegated authorization in HTTP services 31

  33. Authorization in INDIGO ▪ INDIGO services are HTTP APIs protected by an OAuth Authorization Service ▪ In order to access resources, a client needs an access token ▪ OAuth scopes used to ‣ target the token to specific APIs/ services ‣ provide hints for finer grained authZ ▪ Identity layer provides other attributes as base for AuthZ decisions 32

  34. Scope-based authorization ▪ Each service registers the supported scopes when it registers at the authorization server (AS) ▪ The AS maintains policies that determine which client is authorized to request a given scope ▪ The request for a given scope is authorized by the user through the OAuth consent mechanism ‣ but is possible to define trusted, whitelisted client services for which user consent is not requested ▪ Authorization is enforced at the target service considering scopes and other relevant information 33

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Training and dissemination tools Eva Cetini (RBI) ecetinic@irb.hr INDIGO-DataCloud Tour of

Training and dissemination tools Eva Cetini (RBI) ecetinic@irb.hr INDIGO-DataCloud Tour of

INDIGO - DataCloud Training and dissemination tools Eva Cetini (RBI) ecetinic@irb.hr INDIGO-DataCloud Tour of the website (https://youtu.be/U8yJLlt-6O0) Two software releases: Midnight Blue & Electric INDIGO INDIGO Gitbook

331 views • 4 slides
INDIGO-DataCloud EGI Fed Cloud contribution Giacinto Donvito (INFN) INDIGO-DataCloud Technical

INDIGO-DataCloud EGI Fed Cloud contribution Giacinto Donvito (INFN) INDIGO-DataCloud Technical

INDIGO-DataCloud EGI Fed Cloud contribution Giacinto Donvito (INFN) INDIGO-DataCloud Technical Director RIA-653549 EGI Fed Cloud F2F Meeting Outline General approach of the INDIGO Platform The Platform in the proposal The overall

709 views • 34 slides
Storage Management in INDIGO Paul Millar paul.millar@desy.de with contributions from Marcus

Storage Management in INDIGO Paul Millar paul.millar@desy.de with contributions from Marcus

Storage Management in INDIGO Paul Millar paul.millar@desy.de with contributions from Marcus Hardt, Patrick Fuhrmann, ukasz Dutka, Giacinto Donvito. INDIGO-DataCloud: cheat sheet A Horizon-2020 project Approved: January 2015; Started:

805 views • 22 slides
Q S QoS and DLC in d DLC i IaaS INDIGO- DataCloud Presenter : Patrick Fuhrmann Contributions

Q S QoS and DLC in d DLC i IaaS INDIGO- DataCloud Presenter : Patrick Fuhrmann Contributions

Q S QoS and DLC in d DLC i IaaS INDIGO- DataCloud Presenter : Patrick Fuhrmann Contributions by: Giacinto Donvito, INFN Marcus Hardt, KIT Paul Millar, DESY Alvaro Garcia, CSIC Alvaro Garcia, CSIC With ki d With kind contributions by t

760 views • 38 slides
The Indigo Extraction Process The indigo plant growing in the field Indigo extraction site

The Indigo Extraction Process The indigo plant growing in the field Indigo extraction site

The Indigo Extraction Process The indigo plant growing in the field Indigo extraction site Equipment is set up at the plant site Cutting the indigo plant Carrying the indigo plant from the field to the van Loading the indigo plant on

248 views • 23 slides
Agent Update & Training 29-Apr-19 Agenda Indigo-Clean full product line review

Agent Update & Training 29-Apr-19 Agenda Indigo-Clean full product line review

Agent Update & Training 29-Apr-19 Agenda Indigo-Clean full product line review Understand the difference between Indigo-Clean disinfecting luminaires and Kenall luminaires that use Indigo-Clean Technology Key selling points

767 views • 59 slides
TRUFA Presented by Lara Lloret Iglesias IFCA (Spain) lloret@ifca.unican.es RIA-653549 INDIGO

TRUFA Presented by Lara Lloret Iglesias IFCA (Spain) lloret@ifca.unican.es RIA-653549 INDIGO

Case Study and INDIGO solution for: TRUFA Presented by Lara Lloret Iglesias IFCA (Spain) lloret@ifca.unican.es RIA-653549 INDIGO SUMMIT EGI-INDIGO workshop on community application support Catania, 10 th May 2017 TRUFA

278 views • 7 slides
Age Agent Updat Update & Tr Training Agenda OR Update Commercial Activity

Age Agent Updat Update & Tr Training Agenda OR Update Commercial Activity

Age Agent Updat Update & Tr Training Agenda OR Update Commercial Activity Pricing Update Marketing Support New Product Launch Indigo-Clean Downlight Indigo-Clean MEIC Series Questions Kenall Confidential 2

365 views • 24 slides
Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti andrea.ceccanti@cnaf.infn.it EOSC-Hub AAI Tech Talk Europe, Earth, June 15th 2018 INDIGO Identity and Access Management service Flexible authentication support (SAML,

430 views • 24 slides
1 Ill start with a brief history of Indigo Renderer and our market context, and then go over

1 Ill start with a brief history of Indigo Renderer and our market context, and then go over

Hi, my name is Thomas Ludwig, Im with Glare Technologies, developers of Indigo Renderer Were a small company of 3 fulltime employees, plus some friends and contractors helping out. Ive been with Glare for 10 years now, though the history

962 views • 17 slides
Digital Print Growth in the Card Market James Gargus Business Development Manager HP Indigo

Digital Print Growth in the Card Market James Gargus Business Development Manager HP Indigo

Digital Print Growth in the Card Market James Gargus Business Development Manager HP Indigo North America Glen Adams Lead Field Solutions Architect HP Indigo North America April 2, 2019 1 Production Mix Forecast to 2022 95% 95% 90%

293 views • 7 slides
Synergy a new approach for optimizing the resource usage in OpenStack Overview Synergy cloud

Synergy a new approach for optimizing the resource usage in OpenStack Overview Synergy cloud

Lisa Zangrando INFN Padova Synergy a new approach for optimizing the resource usage in OpenStack Overview Synergy cloud service developed in the context of the INDIGO-DataCloud European project which aims to develop a new cloud software

629 views • 16 slides
DESIGN CONSIDERATIONS FOR PHYSICAL REALISM AND PRACTICAL USE IN INDIGO RENDERER Thomas Ludwig

DESIGN CONSIDERATIONS FOR PHYSICAL REALISM AND PRACTICAL USE IN INDIGO RENDERER Thomas Ludwig

DESIGN CONSIDERATIONS FOR PHYSICAL REALISM AND PRACTICAL USE IN INDIGO RENDERER Thomas Ludwig Glare Technologies Ltd. https://www.indigorenderer.com https://www.glaretechnologies.com OVERVIEW History and context Motivation

521 views • 17 slides
Gen enes t s to J Jea eans A A Green een S Solution t to Blue e Den enim UC Berkeley

Gen enes t s to J Jea eans A A Green een S Solution t to Blue e Den enim UC Berkeley

Gen enes t s to J Jea eans A A Green een S Solution t to Blue e Den enim UC Berkeley iGEM Bernardo Cervantes Hojae Lee Roy Park Ramya Prathuri Thomas Rich 3,000,000,000 jeans per year 40,000 Steingruber, Indigo and Indigo

652 views • 35 slides
DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is

The ITI Program @ SC&I Presents DESIGN AND PROTOTYPING WORKSHOP 11/13/19 ATTENTION!!! macOS Catalina Users Indigo Studio is not supported on Catalina. Sign-in for a loaner laptop. Please Pick up handouts Find a seat

325 views • 19 slides
Indigo Block located at 65 East Cottage St IAG Meeting May 16, 2016, 6:00pm Presented by:

Indigo Block located at 65 East Cottage St IAG Meeting May 16, 2016, 6:00pm Presented by:

Indigo Block located at 65 East Cottage St IAG Meeting May 16, 2016, 6:00pm Presented by: Dorchester Bay Economic Development Corporation Boston Capital Escazu Development Newmarket Community Partners Davis Square Architects Agenda (1)

770 views • 30 slides
Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity

5/24/2017 Security and Privacy Why Security is Difficult 12A. Operating Systems and Security complexity of our software and systems 12B. Authentication millions of lines of code, thousands of developers rich and powerful protocols

533 views • 14 slides
Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents Work Authorization Document Control Account Information Control

Work Authorization Documents https://cametoolbox.fnal.gov/Project/WADReports?ProjectName=HL-L... Work Authorization Documents Work Authorization Document Control Account Information Control Account Manager: 10629N Nobrega, Fred Control

56 views • 5 slides
Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT,

Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT,

Little Brother is watching - we know all your secrets! Siegfried Rasthofer | Fraunhofer SIT, Germany Steven Arzt | Fraunhofer SIT, Germany Stephan Huber | Fraunhofer SIT, Germany With the help of: Alexander Traud, Benedikt Hiemenz, Daniel

1.23k views • 95 slides
Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the

Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the

Grid Authentication and Authorisation Issues kos Frohner at CERN Overview Setting the scene: requirements Old style authorisation: DN based gridmap-files Overview of the EDG components VO user management: VOMS

384 views • 21 slides
Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018

Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018

Service Coordination Training: Participant-Directed Services Hosted by Tuesday, August 21 st 2018 1 This training is presented to you by PPL in collaboration with the CHC Managed Care Organizations and the Office of Long Term Living The

682 views • 52 slides
W HO IS IN J AIL ? Population Changes 2008-2018: 34% Jail incarceration rate decreased 12%

W HO IS IN J AIL ? Population Changes 2008-2018: 34% Jail incarceration rate decreased 12%

PRETRIAL RELEASE: S TATE L AWS & R ECENT L EGISLATION AMBER WIDGERY | MAY 2020 N ATIONAL C ONFERENCE OF S TATE L EGISLATURES Non-profit, bipartisan organization. Members are all 7,383 legislators and 30,000 legislative staff in 50

511 views • 23 slides
Sharing Research Data Sets Jeffrey Brown, Lesley Curtis, and Rich Platt June 13, 2014 Previously

Sharing Research Data Sets Jeffrey Brown, Lesley Curtis, and Rich Platt June 13, 2014 Previously

The NIH Collaboratory Distributed Research Network: A Privacy Protecting Method for Sharing Research Data Sets Jeffrey Brown, Lesley Curtis, and Rich Platt June 13, 2014 Previously The NIH Collaboratory: Data Sharing Principles- An Initial

841 views • 32 slides
1 Basic Polic ie s for Small Gove r nme nts E xample for r e que sting vac ation time :

1 Basic Polic ie s for Small Gove r nme nts E xample for r e que sting vac ation time :

Basic Polic ie s for Small Gove r nme nts Basic Polic ie s for Small Gove r nme nts What is a polic y? Diffe re nc e b e twe e n a po lic y a nd pro c e dure Po lic ie s: Co mmunic a te a n o rg a niza tio n s c ulture ,

585 views • 5 slides

More recommend