The EGI AAI “CheckIn” Service Kostas Koumantaros- GRNET On behalf of EGI-Engage JRA1.1 www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142
EGI CheckIn Goals Attribute Authority IdP EGI CheckIn EGI Services First name, last EGI UID Mandatory name Attributes email affiliation 2
EGI AAI CheckIn Service • May 2015: Introduction of the EGI AAI Roadmap and Architecture 3
Why Proxy? ● All EGI SPs can have one statically configured IdP. ● No need to run an IdP Discovery Service on each EGI SP. ● Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes. ● External IdPs only deal with a single EGI SP proxy. ● In a nutshell: EGI services will not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies. This complexity will be handled centrally by the proxy. 4
EGI CheckIn Service Today • Available via eduGAIN • IdP Discovery • User Enrolment • User Consent • Support for LoA Production • Attribute Aggregation • SAML2.0 Attribute Query, REST, LDAP, SQL • Support for OIDC/OAuth2 IdPs • Google, Facebook, LinkedIn, Ready for production ORCID Alpha • Support for OIDC/OAuth2 SPs • Experimental support for eIDAS 5
Levels of Assurance Proposal under discussion • LoA: 0 • This category groups the credentials with basically no LoA associated. Examples are social-identity credentials with no vetting and no uniqueness of the ID guaranteed. • LoA: 1 • This category groups the credentials that are usable in a federated environment, but may require additional attributes to be used in all applications. 6
Levels of Assurance Proposal under discussion • LoA: 2 • This category groups the credentials that have a level of assurance that is considered aligned with all the EGI policies and allows to access all EGI services. • LoA: 3 • This category groups credentials with an higher LoA for both the authentication and the attributes distributed in the assertion. 7
Use cases for the LoA in EGI • Allow an IdP to advertise those LoAs for which it is able to meet the associated requirements. • Allow an IdP to indicate the actual LoA in its responses. • Allow a SP to express its expectations for the LoA at which a user should be authenticated. 8
EGI Unique Identifier requirements EGI User Identifier The EGI User ID should be: • personal - used by a single person. • persistent - used for an extended period of time across multiple sessions. • non-reassignable - assigned exclusively to a specific person, and never reassigned to another individual. • non-targeted - not intended for a specific relying party (or parties), i.e. should be shared. • globally unique - unique beyond the namespace of the IdP and the namespace of the SP(s) with which the ID is shared. • opaque - should (by itself) provide no information about the user, i.e. should be privacy-preserving. 9
EGI User Identifier implementation EGI Unique User Id Generation ● EGI User ID is created by the CheckIn service at the moment of the user’s first connection ● The IdP/SP Proxy adds (or replaces) the eduPersonUniqueId attribute, based on the first non-empty value from this attribute list: ○ ePUID, ePPN, ePTID ● The selected attribute value, combined with the entityID of the authN authority, is hashed and the “egi.eu” scope portion is added to the generated ePUID, e.g.: ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@egi.eu 10
IdP/SP Proxy technical architecture and deployment ● High Availability & Load Balancing. ● SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data. ● COmanage maintains EGI user profile information in PostgreSQL DB cluster: ○ Data are synced between master (read/write) and hot standby slave (read-only queries). ● Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and failover. ● User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers. 11
IdP/SP Proxy: Integrated IdPs IdPs: ● EGI SSO ● ELIXIR research infrastructure AAI ● ORCID ● Virtual Home Organization (VHO) ● eduGAIN ● Social networks: ○ Google ○ Facebook ○ Linkedin 12
Integration with attribute authorities • Connection with Perun - DONE • Connection with GOCDB - DONE • Connection with COmanage - DONE • Connection with the new OpenConnext Attribute Aggregator: Pilot in collaboration with AARC project 13
Attribute aggregation ● The EGI CheckIn supports attribute aggregation through: ○ SAML 2.0 AttributeQuery Attribute Aggregator (SimpleSAMLphp module) ■ Enables SSP to issue SAML 2.0 attribute queries to Attribute Authorities that support SAML 2.0 SOAP binding ○ LDAP Attribute Aggregator (SimpleSAMLphp module) ■ Allows SSP to issue LDAP queries for retrieving attributes ○ REST Attribute Aggregator (SimpleSAMLphp module) ■ Allows SSP to retrieve attributes from a RESTful web service ○ OpenConext attribute aggregation (Java application) ■ Handles attribute aggregation and provides REST API for accessing attribute information 14
CoCo & R&S compliance ● CheckIn compliances ○ Compliant with R&S ○ Not compliant with CoCo but this will happen soon as the needed policies are put in place ● Identifiers ○ eduPersonUniqueId ○ eduPersonPrincipalName ○ eduPersonTargetedID ● Mail attribute ○ mail ● Name attributes ○ displayName ○ givenName ○ sn (surname) ● Authorization attribute ○ eduPersonScopedAffiliation 15
Token Translation: CILogon + RC Auth 16
User Enrollment EGI CheckIn supports different user enrollment flows depending on the attributes released by the user’s Home Identity Provider: ● Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation: ○ at least one of the following unique user identifiers: ■ pseudonymous, non-reassignable identifier (eduPersonUniqueId attribute); ■ name-based identifier (eduPersonPrincipalName attribute); ■ pseudonymous identifier (eduPersonTargetedID attribute or SAML persistent identifier) ○ first name (givenName attribute) and surname (sn attribute) ○ email address (mail attribute) ○ role (affiliation) at Home Organisation (eduPersonScopedAffiliation attribute) 17
User Enrollment ● Sign Up: If any of the required information cannot be released by the Home Organisation: ○ user needs to self-assert the values of the missing attributes ○ request must then be approved by an EGI User Sponsor ● Identity linking: Allows access to EGI resources with a single personal EGI ID, using any of the linked login credentials → organisational or social 18
OpenID Connect Support ● Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML2 ● EGI AAI OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e institutional IdPs (eduGAIN) or Social Providers ● Easy OIDC client registration through Client Management UI : ○ Obtain OAuth 2.0 credentials ○ Register one or more redirect URIs ○ Register required scopes (e.g. openid, profile, email) 19
Thank you for your attention. Questions? www.egi.eu This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.
AARC Blueprint Architecture 21
IdP/SP Proxy technical architecture High Availability & Load Balancing • SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data • COmanage maintains EGI user profile information in PostgreSQL DB cluster; Data are synced between master (read/write) and hot standby slave (read-only queries) • Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and fail-over • User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers 22
User Enrollment EGI CheckIn supports different user enrollment flows depending on the attributes released by the user’s Home Identity Provider: Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation: at least one of the following unique user identifiers: pseudonymous, non-reassignable identifier ( eduPersonUniqueId attribute); name-based identifier ( eduPersonPrincipalName attribute); pseudonymous identifier ( eduPersonTargetedID attribute or SAML persistent identifier) first name ( givenName attribute) and surname ( sn attribute) email address ( mail attribute) role (affiliation) at Home Organisation ( eduPersonScopedAffiliation attribute) 23
Recommend
More recommend
