Slide 1
Federated Identity Management IG
FIM4R CLARIN pilot – progress report
Menzo Windhouwer (CLARIN ERIC, Meertens Institute)
Slide 2
FIM4R CLARIN pilot – progress
- Basically a legal proxy whereby CLARIN ERIC joins national identity federations on behalf of its centres (= Service Providers)
- Details and the agreement: clarin.eu/spf
- Up-to-date list of end-user service providers: clarin.eu/node/3962 and centres.clarin.eu/spf
- Experiments with a SAML – OAuth2 bridge
- Quality checks for the SP SAML metadata
Slide 3
FIM4R CLARIN pilot – Identity Federations
- ACOnet, Austria
- Belnet Federation, Belgium
- SWITCHaai, Switzerland
- eduID.cz, Czech Republic
- DFN, Germany
- TAAT, Estonia
- SIR, Spain
- Haka, Finland
- Fédération Éducation-Recherche, France [eduGAIN]
- GRNET, Greece
- eduID.hu, Hungary
- Edugate, Ireland
- IDEM, Italy [eduGAIN]
- LAIFE, Latvia
- SurfConext, The Netherlands
- FEIDE, Norway
- PIONIER.id, Poland
- RCTSaai, Portugal
- SWAMID, Sweden [eduGAIN]
- ArnesAAI, Slovenia [eduGAIN]
- UK Federation, United Kingdom [eduGAIN]
- InCommon, United States of America
- WAYF, Denmark, Iceland
- LITNET fedi, Lithuania
Slide 4
FIM4R CLARIN pilot – Service Providers
- MPI (lux17)
- MPI (catalog)
- MPI (corpus1)
- INL
- IDS (clarin)
- IDS (repos)
- BBAW
- CSC (lat)
- CSC (korp)
- UTU
- UFAL
- ICLTT
- Meertens
- Meertens (OpenSKOS)
- Huygens
- CLARIN-DK
- BAS
- CMU
- CELR
- CLARINO
- HZSK
- UIL-OTS
- CLARIN-PL
- CLARINSI
Slide 5
SAML – OAuth2 bridge
Problem addressed:
A user is logged in to Service 1, which calls Service 2 on behalf of the user. How is the identity of the user passed on, and how can Service 2 trust it?
Solutions investigated by CLARIN-NL and BiGGrid:
- Open or semi-open system
- OAuth1
- SAML ECP
- WS-Trust
- GEMBus STS
- OAuth2 – selected solution for CLARIN test cases
- X.509 certificates – investigated in EUDAT
Reference: User Delegation in the CLARIN Metadata Infrastructure - Part I - Research
Slide 6
SAML – OAuth2 bridge: solution
[Diagram: IdP, Authorisation Service (AS), S1 and S2, with a "?" on the trust question from Slide 5]
The AS:
- runs within a (separate) SP
- is trusted by all involved services
- also provides identity information (based on Shibboleth attributes): "user@idp"
Slide 7
SAML – OAuth2 bridge: implementation
Authorisation server
- Quite a few to choose from, quality varies
- Trials: ndg-oauth, SURFnet OAuth-Apis, Unity IDM
OAuth2 client
- Clients available for Java, Python, PHP, …
- Well specified protocol, clients interchangeable
OAuth2 resource server
- Clients available for Java, Python, PHP, …
- Interoperability with the AS can be a problem
- OAuth 2.0 Token Introspection (IETF draft RFC)
Reference: User Delegation in the CLARIN Metadata Infrastructure - Part II - Implementation
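As an added example (not code from the slides or from the CLARIN bridge itself), this shows the resource-server side of the interoperability point above: Service 2 receives a bearer token from Service 1, asks the Authorisation Server via OAuth 2.0 Token Introspection whether it is live, and only then trusts the delegated identity "user@idp" the AS reports. The endpoint credentials, scopes, audience names and token values are constructed for the example.

```python
import base64
from typing import Any, Callable, Dict, Tuple
from urllib.parse import urlencode

# Added example, not part of the CLARIN bridge code. Service 2 (an OAuth2 resource
# server) validates a token delegated by Service 1 through Token Introspection and
# recovers the identity the AS attached to it. All names and values are constructed.

def build_introspection_request(token: str, client_id: str, client_secret: str) -> Tuple[Dict[str, str], str]:
    """Headers and form body for the POST to the AS introspection endpoint.
    The resource server authenticates with HTTP Basic, so only services the AS
    trusts can learn anything about a token."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return headers, body

def fake_as_transport(token: str) -> Dict[str, Any]:
    """Stand-in for the HTTPS call to the AS; returns a constructed introspection
    response shaped like the Token Introspection draft's JSON."""
    if token == "good-token":
        return {"active": True, "scope": "read:metadata write:metadata",
                "client_id": "service1", "username": "user@idp",  # S1, and the Shibboleth-derived identity
                "aud": "service2", "exp": 1_700_000_600}
    return {"active": False}  # unknown or revoked tokens only report inactive, nothing more

def authorize_delegated_call(token: str, required_scope: str, my_audience: str,
                             introspect: Callable[[str], Dict[str, Any]], now: int):
    """Return (delegated user, reason); any failed check returns (None, reason)."""
    info = introspect(token)
    if not info.get("active"):
        return None, "token inactive or unknown"
    if info.get("exp") is not None and info["exp"] <= now:
        return None, "token expired"
    aud = info.get("aud")  # may be a single string or a list of audiences
    if my_audience not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not issued for this service"
    if required_scope not in set(info.get("scope", "").split()):
        return None, f"missing scope {required_scope}"
    return info.get("username"), "ok"

if __name__ == "__main__":
    headers, body = build_introspection_request("good-token", "service2", "s2cret")
    print(body)
    print(authorize_delegated_call("good-token", "read:metadata", "service2",
                                   fake_as_transport, now=1_700_000_000))
```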
Slide 8
SAML – OAuth2 bridge: use cases
- Interaction between registries with private use areas: CMDI Component Registry to the ISOcat Data Category Registry
- Interaction between tools and archives with closed resources: CLASS to The Language Archive
- Interaction between tools and private work spaces: WebLicht to OwnCloud
Extensions:
- Multistep delegation
- Desktop or mobile applications
- …
Reference: User Delegation in the CLARIN Infrastructure
Slide 9
Future Plans
- Prepare SAML – OAuth2 bridge for production
- Add more service providers
- Add more federations
Slide 10
Thank You!
Reactions: menzo.windhouwer@meertens.knaw.nl
Slide 11
SAML – OAuth2 bridge: acknowledgements
- Jonathan Blumtritt (University of Cologne)
- Daan Broeder (MPI, Meertens Institute)
- Joost van Dijk (SURFnet)
- Willem Elbers (MPI, CLARIN ERIC)
- Willem van Engen (NIKHEF)
- Twan Goosen (MPI, CLARIN ERIC) – animated slides!
- Marie Hinrichs (University of Tübingen)
- Remco Poortinga – van Wijnen (SURFnet)
- Mischa Sallé (NIKHEF)
- Shakila Shayan (MPI)
- Wei Qiu (University of Tübingen)
- Dieter van Uytvanck (CLARIN ERIC)