Federated Identity Management IG

Uploaded On 2020-06-30

Presentation Transcript

Slide1

Federated Identity Management IG

FIM4R CLARIN pilot – progress report

Menzo Windhouwer (CLARIN ERIC, Meertens Institute)

Slide2

FIM4R CLARIN pilot – progress

Basically a legal proxy whereby CLARIN ERIC joins national identity federations on behalf of its centres (= Service Providers)

Details and the agreement: clarin.eu/spf

Up-to-date list of end-user service providers: clarin.eu/node/3962 and centres.clarin.eu/spf

Experiments with a SAML – OAuth2 bridge

Quality checks for the SP SAML metadata

Slide3

FIM4R CLARIN pilot – Identity Federations

ACOnet, Austria

Belnet Federation, Belgium

SWITCHaai, Switzerland

eduID.cz, Czech Republic

DFN, Germany

TAAT, Estonia

SIR, Spain

Haka, Finland

Fédération Éducation-Recherche, France [eduGAIN]

GRNET, Greece

eduID.hu, Hungary

Edugate, Ireland

IDEM, Italy [eduGAIN]

LAIFE, Latvia

SurfConext, The Netherlands

FEIDE, Norway

PIONIER.id, Poland

RCTSaai, Portugal

SWAMID, Sweden [eduGAIN]

ArnesAAI, Slovenia

UK Federation, United Kingdom [eduGAIN]

InCommon, United States of America

WAYF, Denmark, Iceland

LITNET fedi, Lithuania

Slovenia [eduGAIN]

Slide4

FIM4R CLARIN pilot – Service Providers

MPI (lux17)

MPI (catalog)

MPI (corpus1)

INL

IDS (clarin)

IDS (repos)

BBAW

CSC (lat)

CSC (korp)

UTU

UFAL

ICLTT

Meertens

Meertens (OpenSKOS)

Huygens

CLARIN-DK

BAS

CMU

CELR

CLARINO

HZSK

UIL-OTS

CLARIN-PL

CLARINSI

Slide5

SAML – OAuth2 bridge

Problem addressed:

A user is logged in to Service 1 which calls Service 2 on behalf of the user. How is the identity of the user passed on, and how can Service 2 trust it?

Solutions investigated by CLARIN-NL and BiGGrid:

Open or semi-open system

OAuth1

SAML ECP

WS-Trust

GEMBus STS

OAuth2

Selected solution for CLARIN test cases

X.509 certificates

Investigated in EUDAT

User Delegation in the CLARIN Metadata Infrastructure - Part I - Research

Slide6

SAML – OAuth2 bridge: solution

[Diagram labels: user@idp, IdP, S1, S2, ?, Authorisation Service]

AS

  runs within a (separate) SP

  is trusted by all involved services

  also provides identity information (based on Shibboleth attributes)

Slide7

SAML – OAuth2 bridge: implementation

Authorisation server

  Quite a few to choose from, quality varies

  Trials: ndg-oauth, SURFnet OAuth-Apis, Unity IDM

OAuth2 client

  Clients available for Java, Python, PHP, …

  Well specified protocol, clients interchangeable

OAuth2 resource server

  Clients available for Java, Python, PHP, …

  Interoperability with the AS can be a problem

OAuth 2.0 Token Introspection (IETF draft RFC)

User Delegation in the CLARIN Metadata Infrastructure - Part II - Implementation
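
One way a resource server (S2 in the solution slide) could decide whether to trust a delegated token from the AS's introspection response, using the member names defined for OAuth 2.0 Token Introspection (published as RFC 7662). This is an added example, not code from the presentation or from any of the trialled servers; the audience URL, scope name and sample responses are constructed assumptions.

```python
import time

# Constructed values for S2 (assumptions, not from the slides).
S2_AUDIENCE = "https://s2.example.org/api"
REQUIRED_SCOPE = "metadata.read"


class TokenRejected(Exception):
    """Raised when an introspection response must not be trusted."""


def user_from_introspection(resp, now=None, audience=S2_AUDIENCE,
                            scope=REQUIRED_SCOPE, leeway=30):
    """Return the delegated user identity or raise TokenRejected.

    `resp` is the parsed JSON body the AS returned for the token that
    S1 presented to S2 (member names as defined in RFC 7662).
    """
    now = time.time() if now is None else now
    # "active" is the only required member; anything but True is a reject.
    if resp.get("active") is not True:
        raise TokenRejected("token is not active")
    # Servers differ in which optional members they return, so a missing
    # member is treated as a failure rather than silently skipped.
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp + leeway < now:
        raise TokenRejected("missing or expired exp")
    aud = resp.get("aud")
    aud = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if audience not in aud:
        raise TokenRejected("token was not issued for this service")
    # scope is a space-separated string; split to avoid substring matches.
    if scope not in (resp.get("scope") or "").split():
        raise TokenRejected("required scope not granted")
    user = resp.get("sub") or resp.get("username")
    if not user:
        raise TokenRejected("no user identity in response")
    return user


# Constructed sample responses.
GOOD = {"active": True, "exp": 2000, "aud": S2_AUDIENCE,
        "scope": "metadata.read metadata.write", "sub": "user@idp"}
WRONG_AUD = dict(GOOD, aud="https://other.example.org")
SUBSTRING_SCOPE = dict(GOOD, scope="metadata.readonly")

if __name__ == "__main__":
    print(user_from_introspection(GOOD, now=1000))
```
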

Slide8

SAML – OAuth2 bridge: use cases

Interaction between registries with private use areas

  CMDI Component Registry to the ISOcat Data Category Registry

Interaction between tools and archives with closed resources

  CLASS to The Language Archive

Interaction between tools and private work spaces

  WebLicht to OwnCloud

Extensions:

  Multistep delegation

  Desktop or mobile applications

  …

User Delegation in the CLARIN Infrastructure

Slide9

Future Plans

Prepare SAML – OAuth2 bridge for production

Add more service providers

Add more federations

Slide10

Thank You!

Reactions: menzo.windhouwer@meertens.knaw.nl

Slide11

SAML – OAuth2 bridge: acknowledgements

Jonathan Blumtritt (University of Cologne)

Daan Broeder (MPI, Meertens Institute)

Joost van Dijk (SURFnet)

Willem Elbers (MPI, CLARIN ERIC)

Willem van Engen (NIKHEF)

Twan Goosen (MPI, CLARIN ERIC) – animated slides!

Marie Hinrichs (University of Tübingen)

Remco Poortinga – van Wijnen (SURFnet)

Mischa Sallé (NIKHEF)

Shakila Shayan (MPI)

Wei Qiu (University of Tübingen)

Dieter van Uytvanck (CLARIN ERIC)