Number of slides: 25
8th EUGridPMA Meeting, Karlsruhe, 2006
The e-Infrastructure AAI roadmap in Europe: trends in European AA policy
EUGridPMA Karlsruhe meeting
David Groep, NIKHEF
2006-10-05, 8th EUGridPMA Meeting - trends in European AA policy
Aims of the Integrated AAI Roadmap for the European e-Infrastructures
Create a single, seamless AA experience for the user. The roadmap spans
• the authentication/ID-provisioning domain
• as well as the authorisation area
• across any kind of application:
  – ‘grids’ as we know them today
  – network access (eduroam)
  – web resource access
  – (m)any other services
e-IRG integrated AAI Roadmap
“Trans-disciplinary (Grid projects, NRENs, other user communities) and trans-continental forums that move towards the establishment of a global, seamless AA infrastructure for e-Science applications should be encouraged. The e-IRG wishes to acknowledge the efforts made in this direction by the IGTF and the open information exchange point provided by TERENA task forces.”
Recommendation to the e-IRG, Austrian EU Presidency 2006
e-IRG mandate
The main objective of the e-IRG is to support, on the political, advisory and monitoring level, the creation of a policy and administrative framework for the easy and cost-effective shared use of electronic resources in Europe (focusing on Grid computing, data storage, and networking resources) across technological, administrative and national domains.
The e-IRG consists of official delegations from the ministries of Education of the various European countries. It has an important role in assigning funding priorities for EU framework programmes and in the strategy for e-Europe.
Contributors
Roadmap contributors and actors in the field:
• e-IRG (high-level policy)
• TERENA: TF-EMC2, TF-Mobility
• IGTF
• eduroam™
• GEANT2 JRA5 (eduGAIN)
• REFEDS
• many national federations (CH, ES, NL, NO, UK, …)
• software providers: Shibboleth, A-Select, PAPI, …
Grid Authorization
• ‘user’-centric communities
• either grass-roots or infrastructure-based
• primary applications today are in compute/database access
Grid AuthZ status
• User-centric community management today
  – for (virtually) all grids, based on authentication by IGTF-accredited authorities
• these assertions are used for authorization, where
  – there is far greater variety in mechanisms and concepts
  – the software is in a continuous transition phase
  – the actual user communities are ‘expert’ and relatively ‘small’, i.e. O(100 000) users
Grid Authorization
Current (deployed) models in most compute/data grids are all based on ‘proxies’, implementing SSO and delegation.
• Identity-based authorization
  – lists of authorized users, possibly organised on a VO basis
  – this model is being deprecated in larger deployments
• Attribute-based authorization
  – VO-managed {databases, directories} issue VO-signed assertions
  – the VO identity itself is based on IGTF certificates
  – resource providers grant access based on these VO attributes, pushed down with the service request (typically as attribute certificates (ACs) embedded as an extension in the proxy certificate): “VOMS”
  – in part supported by (proxy) credential caches: “MyProxy”
Grid Characteristics
• Special characteristics
  – rights delegation (typically to processes)
  – rights/role selection based on the ‘session’, and not on the target resource per se
  – ‘on-demand’ creation of new sources of authority (VOs)
• grid communities cut across organisations
Software developments in AA
(grid) software has become flexible over the past few years:
• most software now supports both push and pull of attributes and assertions
• it is slowly becoming syntax-agnostic (X.509 (AC), SAML, …)
[diagram: the pull and the push attribute flows, steps 1–4 in each]
OGSA AA model
• Grid (OGSA) AA architecture
  – explicitly acknowledges multiple sources of authority in the authorization chain
[graphic: OGSA 1.0, GGF standard-track document]
Grid Middleware AA support
[graphic: runtime authorization chain, Globus Toolkit 4, Frank Siebenlist et al.]
Pluggable components: a PERMIS/XACML PDP, or a SAML PIP, or …
More initiatives
• eduGAIN – a short summary, given the many experts in the room
  – based on ‘federation connectors’ that mediate between federations (domains, realms)
  – common services
    • Home Location Service
    • (can be extended with others)
  – basic interactions
    • (AccessReq/AccessResp)
    • AuthNDataReq/AuthNDataResp
    • HomeLocationReq/HomeLocationResp
    • AttrReq/AttrResp
    • AuthZReq/AuthZResp
  – using WS and SAML
  – see the links provided by Reimer and Diego
What is happening now?
Several domains have implemented some integrated AAI today:
• ‘evaluationary’ grid middleware solutions
  – targeted at ‘expert power users’
• wireless network access
  – targeted at ‘the masses’, almost irrespective of status
• web resources
  – targeted at ‘selected academic users’, but not very selective, as the resources are not ‘high value’
• …
Production app: eduroam
• transparent (wireless) network access based on credentials issued by the home organisation
  – distributed RADIUS infrastructure based on pair-wise hierarchical trust
  – no ‘qualified’ AuthZ
Production app examples
• Examples from the Access Management Infrastructure for the UK
  – ScienceDirect
  – BlackBoard
  – BIOSIS
  – CAB Abstracts
  – Education Image Gallery, Education Media Online
  – Index to The Times
  – Land, Life & Leisure
  – Statistical Accounts of Scotland
  – Landmap
  – Zetoc Alert, Search
• other domains have started to use similar technology (such as the Dutch government DigiD project, using A-Select)
Issues with integration
• A wider value range of resources to control
  – from ‘low-risk’ wireless access to ‘high-risk’ supercomputers
• To engage more users, the current model of user-held credentials, or of having disparate credentials for ‘grid’ and other activities, is not necessarily sustainable
  – only scientific power users could perhaps manage
  – a general audience just cannot handle the current grid AA systems
• We need integrated models that respect local autonomy, recognise existing credential quality, and retain the global coordination we have today
  – note that this is technology-agnostic; it is pure policy
  – the software stacks we have today can do almost anything
Possible interfaces to integration
1. indirect AuthN based on existing IdMs
2. enable grid AuthN systems (e.g. VOMS) to also propagate other (home) IdM attributes
3. enable resource access controls to talk to multiple SoAs
4. express VO membership as a function of home IdM attributes
The reverse can also be considered:
• VO membership could entitle you to ‘guest’ associate-ship with a real organisation, so that (selected) VO members can use resources that are available to the real organisation
• these scenarios are largely independent of the middleware (GSI, Shibboleth, A-Select, …)
• except that SAML cannot yet support (restricted) delegation well
1. PKI AuthN based on existing IdMs
• see the presentation by Christoph Witzig in a moment
2. Propagating other IdP attributes
[slide from: Christoph Witzig, SWITCH, EGEE MWSG 2006-09-27]
3. Multiple SoA support in access control
• enable resource access controls to talk to multiple SoAs
  – based on a pluggable authorization framework, such as in newer middleware like Globus Toolkit 4, gLite, &c
[graphic from: Christoph Witzig, SWITCH, GGF16, February 2006]
4. VO membership as a function of home attributes
Query to resolve the membership list of FQAN role “production”; members:
  – John Doe
  – the students of UHO: class 101, 2008
  – Maggie
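The two mechanisms above, the VOMS-style attribute-based authorization of the “Grid Authorization” slide (VO-signed attributes pushed with the request, the resource deciding on them) and the membership-as-a-function-of-home-attributes query on this slide, shown together as an added example that is not part of the original deck or of any VOMS/gLite code. The FQAN syntax `/vo[/group…][/Role=r][/Capability=c]` and the literal `NULL` for an unset role are VOMS conventions; the pattern-matching semantics, the `HomeUser` attribute names, the `uho.example` organisation, the `/uho-vo` VO, the account names and all sample users are constructed for illustration.

```python
"""Added example (not from the deck): VOMS-style FQANs derived from
home-organisation attributes, then evaluated by a resource's access control.
Every user, rule and policy entry below is constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class FQAN:
    """VOMS Fully Qualified Attribute Name: /vo[/group...][/Role=r][/Capability=c]."""
    vo: str
    groups: Tuple[str, ...] = ()
    role: Optional[str] = None
    capability: Optional[str] = None

    @classmethod
    def parse(cls, text: str) -> "FQAN":
        if not text.startswith("/") or text.strip("/") == "":
            raise ValueError(f"malformed FQAN: {text!r}")
        parts = text[1:].split("/")
        vo, groups, role, cap = parts[0], [], None, None
        for part in parts[1:]:
            if part.startswith("Role="):
                role = part[len("Role="):]
            elif part.startswith("Capability="):
                cap = part[len("Capability="):]
            elif part:
                groups.append(part)
        # VOMS writes the literal NULL for "no role" / "no capability".
        role = None if role == "NULL" else role
        cap = None if cap == "NULL" else cap
        return cls(vo, tuple(groups), role, cap)

    def __str__(self) -> str:
        s = "/" + "/".join((self.vo,) + self.groups)
        if self.role:
            s += f"/Role={self.role}"
        if self.capability:
            s += f"/Capability={self.capability}"
        return s

    def satisfies(self, pattern: "FQAN") -> bool:
        """Pattern semantics of this example: same VO and group path; a role or
        capability named in the pattern must match, an unnamed one matches any."""
        return (self.vo == pattern.vo and self.groups == pattern.groups
                and pattern.role in (None, self.role)
                and pattern.capability in (None, self.capability))


@dataclass(frozen=True)
class HomeUser:
    """Attributes as a home IdP might release them (attribute names are illustrative)."""
    name: str
    home_org: str                   # cf. schacHomeOrganization
    affiliation: str                # cf. eduPersonAffiliation
    courses: Tuple[str, ...] = ()   # hypothetical course-enrolment attribute


MembershipRule = Callable[[HomeUser], bool]
EXPLICIT_MEMBERS = {"John Doe", "Maggie"}          # hand-maintained VO list


def is_explicit(u: HomeUser) -> bool:
    return u.name in EXPLICIT_MEMBERS


def is_uho(u: HomeUser) -> bool:
    return u.home_org == "uho.example"


def is_uho_class_101(u: HomeUser) -> bool:
    return is_uho(u) and u.affiliation == "student" and "101" in u.courses


# VO membership expressed as a function of home attributes: any one rule suffices.
VO_RULES: Dict[str, List[MembershipRule]] = {
    "/uho-vo": [is_uho, is_explicit],
    "/uho-vo/Role=production": [is_explicit, is_uho_class_101],
}


def resolve_fqans(user: HomeUser, rules=VO_RULES) -> List[FQAN]:
    """All FQANs a user is entitled to; the user may choose to push only a subset."""
    return [FQAN.parse(f) for f, preds in rules.items() if any(p(user) for p in preds)]


def members_of(fqan_text: str, population: Iterable[HomeUser], rules=VO_RULES) -> List[str]:
    """Expand one FQAN into a membership list (the query shown on the slide)."""
    want = FQAN.parse(fqan_text)
    return [u.name for u in population if want in resolve_fqans(u, rules)]


# Resource-side policy, grid-mapfile style: first matching pattern wins, so the
# more specific production rule must be listed before the plain group rule.
RESOURCE_POLICY: List[Tuple[str, str]] = [
    ("/uho-vo/Role=production", "uhoprd"),
    ("/uho-vo", "uho001"),
]


def authorize(pushed: Iterable[FQAN], policy=RESOURCE_POLICY) -> Optional[str]:
    """Map the FQANs pushed with a request to a local account, or None to deny."""
    pushed = list(pushed)
    for pattern_text, account in policy:
        pattern = FQAN.parse(pattern_text)
        if any(f.satisfies(pattern) for f in pushed):
            return account
    return None


SAMPLE_USERS = {   # constructed sample population
    "john": HomeUser("John Doe", "nikhef.example", "staff"),
    "maggie": HomeUser("Maggie", "other.example", "staff"),
    "alice": HomeUser("Alice", "uho.example", "student", ("101",)),
    "bob": HomeUser("Bob", "uho.example", "student", ("102",)),
    "carol": HomeUser("Carol", "elsewhere.example", "student", ("101",)),
}

if __name__ == "__main__":
    print("production members:", members_of("/uho-vo/Role=production", SAMPLE_USERS.values()))
    for u in SAMPLE_USERS.values():
        fqans = resolve_fqans(u)
        print(f"{u.name:8} pushes {[str(f) for f in fqans]} -> {authorize(fqans)}")
```

Two points the slides make are visible in the run: the role is selected per session, so a user entitled to `/uho-vo/Role=production` who pushes only `/uho-vo` lands in the ordinary account, and because the first matching policy line wins, swapping the two policy lines would silently demote every production user. Rule order in the resource policy therefore deserves the same review as the membership rules themselves.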
Many interesting issues to be addressed
The technical issues are solvable; policy harmonisation is non-trivial:
• a far wider range of qualities in the attributes
• different incentives for keeping information current
• responsibility for attributes resides with different parties
  – the VO manages community membership, but can small VOs maintain such an infrastructure? This is a task for an (independent) ‘e-Infrastructure’ provider
  – the home organisation manages organic attributes, but not all attributes are usually considered ‘equally valuable’, and there is a lot of variety between the UHOs (user home organisations)
  – access rights may suddenly depend on attributes of differing quality
“Encourage work towards a common federation for academia and research institutes that ensures mutual recognition of the strength and validity of their authorization assertions.”
e-IRG Recommendation, Dutch EU Presidency 2004
• how do we go about it?
• what role do we have in this domain?
• we have experience in policy coordination…
Proposal: possible directions forward
• At the national level, for each authority
  – monitor developments towards the creation of national AAIs and federations
  – engage in (national) AAI initiatives that support your current and potential subscriber base
  – promote the bridging of emerging federations at the national level
• At the European and global level
  – ensure awareness of the IGTF policy coordination work and its relevance to overall AAI developments
  – actively foster the definition of levels of assurance and their expression in all relevant syntaxes, and engage in the definition of these levels
  – ensure that our policies do not inadvertently put up roadblocks on the way towards an integrated AAI
  – promote (national) federations that interface with our current and future subscriber base at both the AuthN and (later) the AuthZ level