ELIXIR Proxy IdP
Transcription
ELIXIR Proxy IdP
Relying services EGA eLearning Cloud Intranet … … Data archive ELIXIR AAI Credential translation Dataset authorisation management (REMS) Step-up AuthN ELIXIR Proxy IdP Group/role mgmt (PERUN) ELIXIR Directory Bona fide management Attribute self-management eduGAIN IdPs 3 Common IdPs External authentication (e-infrastructures) Relying services EGA eLearning Cloud Intranet Credential translation Step-up AuthN ELIXIR Proxy IdP … … Data archive ELIXIR AAI ELIXIR ProxyDataset IdP authorisation management - User has one ELIXIR identity - User can authenticate using Group/role management external identities ELIXIR Bona fide management Directory - Proxy IdP consolidates the IDs Attribute self-management eduGAIN IdPs 4 Common IdPs External authentication (e-infrastructures) Relying services EGA Cloud wiki … Intranet … … Data archive ELIXIR AAI [email protected] (ELIXIR ID) [email protected] (eduGAIN) 5 tommioffinland@google (Google ID) External authentication (e-infrastructures) 0000-0002-36343756 (ORCID) Relying services EGA eLearning Cloud Intranet Credential translation Step-up AuthN ELIXIR Proxy IdP … … Data archive ELIXIR AAI Step-up Authentication Dataset authorisation 1. User authenticates weakly management using external authentication Group/role management 2. User authenticates with second ELIXIR factor Bona fide management Directory - e.g. SMS-OTP or a mobile app Attribute self-management eduGAIN IdPs 6 Common IdPs External authentication (e-infrastructures) Relying services EGA eLearning Cloud Intranet Credential translation Step-up AuthN ELIXIR Proxy IdP eduGAIN IdPs 7 … … Data archive Credential translation ELIXIR AAI - ELIXIR Proxy IdP is web Datasetare authorisation - Some services non-web management - SSH access to a cloud VM Group/role - Access to datamanagement files ELIXIR - Triggering transfer Bonafile fide management Directory - X.509 (CILogon) Attribute self-management - Kerberos Common IdPs External authentication (e-infrastructures) Relying services EGA eLearning Cloud Credential translation Intranet … … Data archive Group management (PERUN) Step-up - Users can create and AuthN manage groups ELIXIR - Add/Invite new members Directory ELIXIR Proxy IdP - Remove members - Etc - Access to services can relyIdPs eduGAIN IdPs Common on group memberships 8 ELIXIR AAI Dataset authorisation management Group/role management Bona fide management Attribute self-management External authentication (e-infrastructures) Relying services EGA Cloud eLearning Intranet … … Data archive Bona Fide researchers Credential can have ELIXIR ID - Anyone translation - Bona Fide researcher: a member of bioinformatics Step-up AuthN with certain basic community ELIXIR privileges Directory ELIXIR Proxy IdP - For instance: access to availability database eduGAIN IdPs 9 Common IdPs ELIXIR AAI Dataset authorisation management Group/role management Bona fide management Attribute self-management External authentication (e-infrastructures) Relying services EGA eLearning Cloud Intranet … … Data archive ELIXIR AAI Credential translation Dataset authorisation Step-up management (REMS) AuthN - Sensitive human data ELIXIR Directory ELIXIRaccess Proxy IdP application - Data needed eduGAIN IdPs 10 Common IdPs Dataset authorisation management Group/role management Bona fide management Attribute self-management External authentication (e-infrastructures) 3. Circulate to approver 1. Apply for access DAC 1 Approver IdP Principal investigator Applicant 4. Approve IdP SP 2. Commit to licence terms Research group Members of the application REMS Dataset 1 DAC 2 Approver Workflow Reports Dataset 2 Entitlements IdP 5. Access Metadata on dataset 1&2 • • • • • 2. Notification circulated to group managers 1a. Apply for group membership via URL IdP IdP IdP ELIXIR ProxyIdP Group 1 Perun Group application form Group manager Group 2 Users 1b. Invited via email Group manager Groups 3. Approve/deny the application • • Relying services Intranet Perun pushes group information on every change ELIXIR Proxy IdP eduGAIN IdPs User registration Common IdPs ELIXIR AAI Allowed groups on Intranet Perun User and group management External authentication (e-infrastructures) User qualification Authentication Authorization Example service Service type Endorsed user AuthN: strong 2FA AuthZ: yes, DAC Sensitive services Sensitive human data Bona fide user AuthN: yes AuthZ: yes Restricted services Availability catalogue Any user AuthN: yes/no AuthZ: no Public services E-Learning, Ensembl Being defined in ELIXIR Implementation Study - Task 1 ELIXIR Beacon project. 18 User qualification Authentication Authorization Service type Example service Endorsed user AuthN: strong 2FA AuthZ: yes, DAC Sensitive services Sensitive human data Bona fide user AuthN: yes AuthZ: yes Restricted services Availability catalogue Any user AuthN: yes/no AuthZ: no Public services E-Learning, Ensembl Any user: - s/he may need to login (if the service differentiates between users) 19 User qualification Authentication Authorization Service type Example service Endorsed user AuthN: strong 2FA AuthZ: yes, DAC Sensitive services Sensitive human data Bona fide user AuthN: yes AuthZ: yes Restricted services Availability catalogue Any user AuthN: yes/no AuthZ: no Public services E-Learning, Ensembl ”Bona Fide” researcher - feature (attribute) of a person - may need to commit to a Code of Conduct - may need a community approval 20 User qualification Authentication Authorization Service type Example service Endorsed user AuthN: strong 2FA AuthZ: yes, DAC Sensitive services Sensitive human data Bona fide user AuthN: yes AuthZ: yes Restricted services Availability catalogue Any user AuthN: yes/no AuthZ: no Public services E-Learning, Ensembl Endorsed user - The user needs to apply for access - attach a research plan - Each application is screened individually (e.g. by a data access committee, DAC) 21 • • • • •