The EGI AAI CheckIn Service - Kostas Koumantaros (GRNET), on behalf of EGI-Engage JRA1.1 - PowerPoint PPT Presentation



SLIDE 1

www.egi.eu

EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142

The EGI AAI “CheckIn” Service

Kostas Koumantaros- GRNET

On behalf of EGI-Engage JRA1.1

SLIDE 2

EGI CheckIn Goals

[Diagram: EGI Services connect to EGI CheckIn, which fronts the IdP and the Attribute Authority; mandatory attributes shown: EGI UID, first name, last name, email, affiliation]

SLIDE 3

EGI AAI CheckIn Service

  • May 2015: Introduction of the EGI AAI Roadmap and Architecture
SLIDE 4

Why Proxy?

  • All EGI SPs can have one statically configured IdP.
  • No need to run an IdP Discovery Service on each EGI SP.
  • Connected SPs get consistent/harmonised user identifiers and accompanying attribute sets from one or more AAs that can be interpreted in a uniform way for authZ purposes.
  • External IdPs only deal with a single EGI SP proxy.
  • In a nutshell: EGI services will not have to deal with the complexity of multiple IdPs/Federations/Attribute Authorities/technologies. This complexity will be handled centrally by the proxy.

SLIDE 5

EGI CheckIn Service Today

  • Available via eduGAIN
  • IdP Discovery
  • User Enrolment
  • User Consent
  • Support for LoA
  • Attribute Aggregation
    ○ SAML2.0 Attribute Query, REST, LDAP, SQL
  • Support for OIDC/OAuth2 IdPs
    ○ Google, Facebook, LinkedIn, ORCID
  • Support for OIDC/OAuth2 SPs
  • Experimental support for eIDAS

Status legend shown on the slide: Production / Ready for production / Alpha

SLIDE 6

Levels of Assurance

  • LoA: 0
    ○ This category groups the credentials with basically no LoA associated. Examples are social-identity credentials with no vetting and no uniqueness of the ID guaranteed.
  • LoA: 1
    ○ This category groups the credentials that are usable in a federated environment, but may require additional attributes to be used in all applications.

Proposal under discussion

SLIDE 7

Levels of Assurance

  • LoA: 2
    ○ This category groups the credentials that have a level of assurance that is considered aligned with all the EGI policies and allows access to all EGI services.
  • LoA: 3
    ○ This category groups credentials with a higher LoA for both the authentication and the attributes distributed in the assertion.

Proposal under discussion

SLIDE 8

Use cases for the LoA in EGI

  • Allow an IdP to advertise those LoAs for which it is able to meet the associated requirements.
  • Allow an IdP to indicate the actual LoA in its responses.
  • Allow a SP to express its expectations for the LoA at which a user should be authenticated.

SLIDE 9

EGI Unique Identifier requirements

The EGI User ID should be:

  • personal - used by a single person.
  • persistent - used for an extended period of time across multiple sessions.
  • non-reassignable - assigned exclusively to a specific person, and never reassigned to another individual.
  • non-targeted - not intended for a specific relying party (or parties), i.e. should be shared.
  • globally unique - unique beyond the namespace of the IdP and the namespace of the SP(s) with which the ID is shared.
  • opaque - should (by itself) provide no information about the user, i.e. should be privacy-preserving.

EGI User Identifier

SLIDE 10

EGI User Identifier implementation

  • EGI User ID is created by the CheckIn service at the moment of the user’s first connection.
  • The IdP/SP Proxy adds (or replaces) the eduPersonUniqueId attribute, based on the first non-empty value from this attribute list:
    ○ ePUID, ePPN, ePTID
  • The selected attribute value, combined with the entityID of the authN authority, is hashed and the “egi.eu” scope portion is added to the generated ePUID, e.g.:

EGI Unique User Id Generation

ef72285491ffe53c39b75bdcef46689f5d26ddfa00312365cc4fb5ce97e9ca87@egi.eu
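One way to implement the identifier derivation described above, as an added example that is not part of the deck or of the CheckIn code base. The slide does not name the hash function or the exact concatenation, so SHA-256 over the selected value and the entityID joined with "|" is an assumption, and the sample attributes are constructed:

```python
import hashlib

# Precedence from the slide: the first non-empty value from this list is used.
IDENTIFIER_PRECEDENCE = ("eduPersonUniqueId", "eduPersonPrincipalName", "eduPersonTargetedID")
EGI_SCOPE = "egi.eu"


def select_source_identifier(attributes):
    """Return (attribute_name, value) of the first non-empty identifier, or None.
    Attribute values may be a single string or a list of strings (SAML multi-valued)."""
    for name in IDENTIFIER_PRECEDENCE:
        values = attributes.get(name) or []
        if isinstance(values, str):
            values = [values]
        for value in values:
            if value and value.strip():
                return name, value.strip()
    return None


def generate_egi_user_id(attributes, authn_authority_entity_id):
    """Derive the scoped EGI ePUID for a user asserted by the given authority.

    Assumption (not stated on the slide): SHA-256 over the selected value and the
    entityID joined with '|'. Mixing in the entityID keeps the ID globally unique:
    the same local value asserted by two different IdPs hashes to different IDs.
    Caveat: an unkeyed hash of a guessable input such as an ePPN is not opaque
    against dictionary search; a keyed hash with a proxy-held secret would be.
    """
    selected = select_source_identifier(attributes)
    if selected is None:
        raise ValueError("no usable identifier (ePUID/ePPN/ePTID) was released")
    _, value = selected
    material = f"{value}|{authn_authority_entity_id}".encode("utf-8")
    digest = hashlib.sha256(material).hexdigest()  # 64 hex chars, like the slide's example
    return f"{digest}@{EGI_SCOPE}"


if __name__ == "__main__":
    # Constructed sample: the IdP releases an ePPN but an empty ePUID.
    sample = {"eduPersonUniqueId": [""], "eduPersonPrincipalName": ["alice@example.org"]}
    print(generate_egi_user_id(sample, "https://idp.example.org/idp/shibboleth"))
```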

SLIDE 11

IdP/SP Proxy technical architecture and deployment

High Availability & Load Balancing:

  • SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data.
  • COmanage maintains EGI user profile information in a PostgreSQL DB cluster:
    ○ Data are synced between the master (read/write) and a hot standby slave (read-only queries).
  • Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and failover.
  • User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers.

SLIDE 12

IdP/SP Proxy: Integrated IdPs

IdPs:

  • EGI SSO
  • ELIXIR research infrastructure AAI
  • ORCID
  • Virtual Home Organization (VHO)
  • eduGAIN
  • Social networks:
    ○ Google
    ○ Facebook
    ○ LinkedIn

SLIDE 13

Integration with attribute authorities

  • Connection with Perun - DONE
  • Connection with GOCDB - DONE
  • Connection with COmanage - DONE
  • Connection with the new OpenConext Attribute Aggregator: pilot in collaboration with the AARC project

SLIDE 14

Attribute aggregation

  • The EGI CheckIn supports attribute aggregation through:
    ○ SAML 2.0 AttributeQuery Attribute Aggregator (SimpleSAMLphp module)
      ■ Enables SSP to issue SAML 2.0 attribute queries to Attribute Authorities that support the SAML 2.0 SOAP binding
    ○ LDAP Attribute Aggregator (SimpleSAMLphp module)
      ■ Allows SSP to issue LDAP queries for retrieving attributes
    ○ REST Attribute Aggregator (SimpleSAMLphp module)
      ■ Allows SSP to retrieve attributes from a RESTful web service
    ○ OpenConext attribute aggregation (Java application)
      ■ Handles attribute aggregation and provides a REST API for accessing attribute information

SLIDE 15

CoCo & R&S compliance

  • CheckIn compliance
    ○ Compliant with R&S
    ○ Not compliant with CoCo, but this will happen soon as the needed policies are put in place
  • Identifiers
    ○ eduPersonUniqueId
    ○ eduPersonPrincipalName
    ○ eduPersonTargetedID
  • Mail attribute
    ○ mail
  • Name attributes
    ○ displayName
    ○ givenName
    ○ sn (surname)
  • Authorization attribute
    ○ eduPersonScopedAffiliation

SLIDE 16

Token Translation: CILogon + RC Auth

SLIDE 17

User Enrollment

EGI CheckIn supports different user enrollment flows depending on the attributes released by the user’s Home Identity Provider:

  • Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation:
    ○ at least one of the following unique user identifiers:
      ■ pseudonymous, non-reassignable identifier (eduPersonUniqueId attribute);
      ■ name-based identifier (eduPersonPrincipalName attribute);
      ■ pseudonymous identifier (eduPersonTargetedID attribute or SAML persistent identifier)
    ○ first name (givenName attribute) and surname (sn attribute)
    ○ email address (mail attribute)
    ○ role (affiliation) at Home Organisation (eduPersonScopedAffiliation attribute)

SLIDE 18

User Enrollment

  • Sign Up: If any of the required information cannot be released by the Home Organisation:
    ○ user needs to self-assert the values of the missing attributes
    ○ request must then be approved by an EGI User Sponsor
  • Identity linking: Allows access to EGI resources with a single personal EGI ID, using any of the linked login credentials → organisational or social
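The enrollment decision from the two User Enrollment slides (self-service when everything is asserted by the Home Organisation, otherwise self-assertion plus sponsor approval), as an added example that is not code from the deck or from the CheckIn service. It assumes released attributes arrive as a dict of SAML attribute names to values and uses constructed inputs:

```python
# Attributes the Home Organisation must assert for self-service sign-up (from the slides).
IDENTIFIER_ATTRIBUTES = ("eduPersonUniqueId", "eduPersonPrincipalName", "eduPersonTargetedID")
REQUIRED_ATTRIBUTES = ("givenName", "sn", "mail", "eduPersonScopedAffiliation")


def _present(attributes, name):
    """True if the attribute has at least one non-blank value (string or list)."""
    values = attributes.get(name) or []
    if isinstance(values, str):
        values = [values]
    return any(v and v.strip() for v in values)


def select_enrollment_flow(released_attributes, saml_persistent_id=None):
    """Return (flow, missing).

    flow is 'self-service' when everything required was asserted by the Home
    Organisation, otherwise 'sponsor-approval'; missing lists what the user would
    have to self-assert before an EGI User Sponsor approves the request.
    A SAML persistent NameID counts as the pseudonymous identifier alternative.
    """
    missing = []
    has_identifier = bool(saml_persistent_id) or any(
        _present(released_attributes, n) for n in IDENTIFIER_ATTRIBUTES
    )
    if not has_identifier:
        missing.append("unique identifier (ePUID/ePPN/ePTID or SAML persistent identifier)")
    missing.extend(n for n in REQUIRED_ATTRIBUTES if not _present(released_attributes, n))
    return ("self-service", []) if not missing else ("sponsor-approval", missing)


if __name__ == "__main__":
    # Constructed sample: the IdP withholds the affiliation, so a sponsor must approve.
    sample = {"eduPersonTargetedID": ["x7f2"], "givenName": ["Alice"],
              "sn": ["Doe"], "mail": ["alice@example.org"]}
    print(select_enrollment_flow(sample))  # ('sponsor-approval', ['eduPersonScopedAffiliation'])
```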

SLIDE 19

OpenID Connect Support

  • Service Providers can connect to the EGI AAI using OpenID Connect (OIDC) as an alternative to SAML2
  • EGI AAI OIDC Provider allows users to sign in using any of the supported backend authentication mechanisms, i.e. institutional IdPs (eduGAIN) or Social Providers
  • Easy OIDC client registration through Client Management UI:
    ○ Obtain OAuth 2.0 credentials
    ○ Register one or more redirect URIs
    ○ Register required scopes (e.g. openid, profile, email)

SLIDE 20

www.egi.eu

Thank you for your attention.

Questions?

This work by Parties of the EGI-Engage Consortium is licensed under a Creative Commons Attribution 4.0 International License.

SLIDE 21

AARC Blueprint Architecture

SLIDE 22

IdP/SP Proxy technical architecture

  • SimpleSAMLphp caches user sessions in Memcached, an in-memory key-value store for small chunks of arbitrary data
  • COmanage maintains EGI user profile information in a PostgreSQL DB cluster; data are synced between the master (read/write) and a hot standby slave (read-only queries)
  • Sessions are distributed and replicated among different Memcached servers, enabling load-balancing and fail-over
  • User requests are load balanced among multiple SimpleSAMLphp web front-ends that use the back-end matrix of Memcached servers

High Availability & Load Balancing

SLIDE 23

User Enrollment

EGI CheckIn supports different user enrollment flows depending on the attributes released by the user’s Home Identity Provider:

  • Self-service Sign Up: Allows joining the EGI User Community without approval by an administrator if all the information below is asserted by the Home Organisation:
    ○ at least one of the following unique user identifiers:
      ■ pseudonymous, non-reassignable identifier (eduPersonUniqueId attribute);
      ■ name-based identifier (eduPersonPrincipalName attribute);
      ■ pseudonymous identifier (eduPersonTargetedID attribute or SAML persistent identifier)
    ○ first name (givenName attribute) and surname (sn attribute)
    ○ email address (mail attribute)
    ○ role (affiliation) at Home Organisation (eduPersonScopedAffiliation attribute)

SLIDE 24

IdP/SP Proxy: SP integration flow

EGI SP:

  • Central/Core service
  • IaaS fedCloud
  • ...

Flow shown on the slide: Register SP → Development instance (https://aai-dev.egi.eu/oidc/) → IF OK → Register SP → Production instance (https://aai.egi.eu/oidc/)