CILogon
Enabling Federated Identity and Access Management for Scientific Collaborations
Jim Basney <jbasney@ncsa.illinois.edu>
Scott Koranda <skoranda@ncsa.illinois.edu>
July 2021 IAM Online
CILogon
www.cilogon.org
IAM for Research Collaborations
CILogon: 10+ year sustained effort to enable secure logon to scientific cyberinfrastructure (CI)
for seamless identity and access management (IAM)
using federated identities (SAML, OIDC, OAuth, JWT, X.509, LDAP, SSH, etc.) so researchers log on with their existing credentials from their home organization
supporting 12,000+ active users from 400+ organizations around the world
with onboarding/offboarding/attributes/groups/roles managed consistently across multiple applications
supporting access to science applications on HPC clusters, in Jupyter notebooks, using Globus, via REST APIs, and many other interfaces
using existing identity providers from the researcher’s home organization (SAML/ADFS) or external sources (Google, ORCID, GitHub)
SAML SP
OIDC Provider
X.509 CA
HSM
OIDC SP
SciTokens
COmanage
Identities
Tokens
SSH Keys
Groups
Attributes
Apps
Grouper
Advanced AuthZ
SAML IdP
User Registry
eduGAIN IdP
Google IdP
Science App
OAuth SP
ORCID IdP
Science App
Science App
Science App
InCommon IdP
GitHub IdP
LDAP
Science App
realizing our vision
align with InCommon Trusted Access Platform
(https://www.incommon.org/trusted-access/)
Shibboleth, COmanage, Grouper
provide hosted services
common IAM platform across many collaborations
growing CILogon operations (since 2010)
reliability / sustainability
Open Source
CILogon (https://github.com/cilogon)
OpenID Connect, OAuth, X.509
InCommon (https://www.incommon.org/trusted-access/)
Shibboleth, COmanage, Grouper
IdentityPython (https://idpy.org/)
pyFF, SATOSA
SciTokens (https://scitokens.org/)
OpenLDAP with voPerson (https://voperson.org)
sustainability
development supported by NSF/DOE
operational support from XSEDE
non-profit subscription model administered by NCSA/UIUC
supports long-term sustainability
provides contracted SLAs
CILogon remains open source and focused on research & scholarship needs
https://www.cilogon.org/subscribe
our 10+ year history
2009 Federated login to TeraGrid. NSF ARRA award.
2010 CILogon operations begin. IGTF X.509 CAs operational.
2011 NSF SDCI award. OAuth support. InCommon Silver support.
2012 DOE ASCR award. Globus identity linking. InCommon R&S.
2013 XSEDE operations support. LIGO Data Grid use.
2016 NSF CICI award. eduGAIN support. OIDC support.
2017 COmanage support. AWS deployment.
2019 Transition to subscription funding model.
2020 Grouper and SATOSA support.
2021 InCommon Catalyst Program. SciTokens and WLCG JWT support.
Top 20 IdPs (by # of unique active users in June 2021)
638 National Institutes of Health
555 Fermi National Accelerator Laboratory
529 XSEDE
508 LIGO Scientific Collaboration
416 University of Michigan
377 University of Illinois Urbana-Champaign
335 Michigan State University
311 Penn State
249 Massachusetts Institute of Technology
238 University of Chicago
226 Purdue University Main Campus
215 Yale University
208 Stanford University
208 NCSA
194 University of California-Los Angeles
181 University of California-San Diego
163 Johns Hopkins
155 Northwestern University
153 Northeastern University
149 University of North Carolina Chapel Hill
https://aarc-community.org/architecture/
federation proxy
apps don’t need to handle the complexities of federation in isolation
many apps can’t handle 1000s of identity providers (e.g., AWS)
a federation proxy service can handle federation for many (related) apps
a federation proxy can handle targeted user identifiers consistently
open source software for operating your own proxy:
SATOSA / SimpleSAMLphp
proxy as-a-service providers:
CILogon / eduTEAMS / Globus
campus & researcher IDs
4,000+ identity providers available via eduGAIN
including CERN, NCSA, LIGO, XSEDE, ...
OAuth-based identity providers
ORCID GitHub Google
supporting researcher mobility
supporting researchers w/o campus IdPs
informed consent
tokens for science
WLCG Common JWT Profiles (https://doi.org/10.5281/zenodo.3460257)
group based authorization (wlcg.groups)
capability based authorization (scope)
use cases:
1) identity token with groups
2) access token with groups
3) access token with authorization scopes
scitokens.org
registering your OIDC app
submit request at https://cilogon.org/oauth2/register
including app details
save client_id and client_secret
wait for notification by help@cilogon.org
see docs: http://www.cilogon.org/oidc
managing your OIDC apps
subscribers manage apps using COmanage
OAuth APIs for managing apps
subscribers can also manage OIDC apps via standard APIs:
examples of CILogon-enabled sites
Apache Airavata Test Drive, Ask.CI, ATLAS Connect, Australian BioCommons, BNL Quantum Astrometry, Brainlife.io, CADRE, CERN PanDA, Chem Compute, ClassTranscribe, CloudBank, Clowder, CMS Connect, Connect.ci, Custos, CyberGISX, CyVerse, DataCite, DataONE, Duke CI Connect, Einstein Toolkit, FABRIC, Fermilab, Flywheel, GeoChemSim, Globus, GW-Astronomy, HubICL, ImPACT, LIGO, LROSE, LS-CAT, LSST, Mass Open Cloud, MIT Engaging OnDemand, MSU HPCC OnDemand, MyGeoHub, NEON, NIH ClinOmics, NIH KnowEnG, Ocean Observatories Initiative, Open Science Chain, OSC OnDemand, OSG Connect, Pacific Research Platform, QUBES, SciGaP, SCiMMA, SEAGrid, SeedMeLab, SimVascular, Social Media Macroscope, UCLA JupyterHub, Vanderbilt JupyterHub, and XSEDE
science gateways
enable web-based computational experiments and data management
CILogon-enabled hosted gateways:
Science Gateway Platform as a Service
Open OnDemand
Support for Apache HTTP authentication modules including ADFS, CAS, OIDC, Shibboleth, Keycloak
CILogon support via Keycloak
Mapping federated identities to local accounts
https://openondemand.org/
https://osc.github.io/ood-documentation/latest/authentication
Globus
campus authentication to your Globus Data Transfer Node
campus identities for Globus Auth
JupyterHub
notebooks support authoring/sharing of code, math, text, and multimedia
federated authentication using CILogon
one IdP or many
https://jupyterhub.readthedocs.io/en/latest/reference/authenticators.html
https://github.com/jupyterhub/oauthenticator
https://zero-to-jupyterhub.readthedocs.io/en/latest/authentication.html
Kubernetes
using Kubernetes native OIDC support
public clients, refresh tokens, API access
https://kubernetes.io/docs/reference/access-authn-authz/
demonstrated by PRP@UCSD
https://ucsd-prp.gitlab.io/userdocs/start/get-access/
“Managed Services to Simplify Cloud Access for Computer Science Research and Education”
University of California, San Diego (UCSD)'s San Diego Supercomputer Center (SDSC) and Information Technology Services (ITS) Division
University of Washington (UW)'s eScience Institute
University of California, Berkeley (UCB)'s Division of Data Science
eduGAIN
InCommon
CILogon SAML SP
Subscriber Attribute Store
AWS SAML SP
CILogon SAML Proxy IdP
“To actively support life science research communities with community scale digital infrastructure developed and maintained in concert with international peer infrastructures.”
Target ~30,000 life science researchers in AU
“Established in 2009, the Australian Access Federation (AAF) is Australia’s identity federation and part of a global network of over 61 federations around the world.”
Initial Collaboration Target
University of Melbourne Centre for Cancer Research (UMCCR)
“Driving innovation and implementation for clinical impact in cancer care”
Zero Childhood Cancer Program (ZERO)
“Australia’s first-ever personalised medicine program for children and young people with high-risk cancer”
Center for Translational Data Science, University of Chicago
“Gen3 Data Commons are cyberinfrastructure that co-locates data analysis, exploration and visualization tools with data management services for import and export of structured information like clinical, phenotypic, or biospecimen data, and data objects, like genomics data files or medical images.”
Global Authz Interoperability
GA4GH Passports and the Authorization and Authentication Infrastructure
GA4GH AAI OpenID Connect Profile
“In particular, this specification introduces a JSON Web Token (JWT) syntax for an access token to enable an OIDC provider (called a Broker) to allow a downstream access token consumer (called a Claim Clearinghouse) to locate the Broker’s /userinfo endpoint as a means to fetch GA4GH Claims. This specification is suggested to be used together with others that specify the syntax and semantics of the GA4GH Claims exchanged.”
https://demo0.cilogon.org/
Thanks!
contact:
help@cilogon.org
extra slides
our vision
enable logon to scientific cyberinfrastructure (CI)
seamless IAM for academic research collaborations
use campus identity (eduGAIN/InCommon/Shibboleth)
manage onboarding/offboarding/attributes/groups/roles in one place (COmanage)
integrate with a variety of research apps (OIDC, OAuth, JWT, SAML, LDAP, X.509, SSH)
our vision
enable logon to scientific cyberinfrastructure (CI)
seamless IAM for academic research collaborations
use campus identity (eduGAIN/InCommon/Shibboleth)
manage onboarding/offboarding/attributes/groups/roles in one place (COmanage, Grouper)
integrate with a variety of research apps (OIDC, OAuth, JWT, SAML, LDAP, X.509, SSH)
via a non-profit, open source, reliable, sustainable hosted IAM service
examples
grid computing
science gateways
jupyter notebooks
campus HPC clusters
federated identity management
and
collaborative organization management
SAML SP
OIDC Provider
X.509 CA
HSM
OIDC SP
LDAP
COmanage
Identities
Tokens
SSH Keys
Groups
Attributes
Apps
SAML AA
User Registry
eduGAIN IdP
Google IdP
Science App
OAuth SP
ORCID IdP
Science App
Science App
Science App
InCommon IdP
GitHub IdP
SciTokens*
Science App
* SciTokens support coming in 2020
building blocks
InCommon Federation:
single sign-on for US R&E
eduGAIN:
global interfederation
REFEDS:
international standards for R&E federations
InCommon Trusted Access Platform: open source IAM software
InCommon Trusted Access Platform
Shibboleth: federated single sign-on
COmanage: collaborative organization management
Grouper: enterprise group and access management (including point-in-time auditing)
Midpoint: provisioning engine
https://www.incommon.org/trusted-access/
deployed to AWS
benefits of Net+ AWS
multiple availability zones
Docker containers in swarm mode
using R53 EC2 RDS ELB EFS
our baseline: REFEDS R&S
Attribute release continues to be the #1 stumbling block for new users.
We operate under the REFEDS R&S policy.
Does your campus support REFEDS R&S?
https://refeds.org/research-and-scholarship
https://cilogon.org/testidp/
security for global interfederation
We operate under the SIRTFI framework: Security Incident Response Trust Framework for Federated Identity
https://refeds.org/sirtfi
Supported by the NCSA Incident Response Team
https://security.ncsa.illinois.edu/
certificates for int’l science
CILogon CA policy update for int’l use approved in 2016 by Interoperable Global Trust Federation
Requiring R&S + Sirtfi
managing project groups/roles
COmanage provides:
enrollment flows
expiration policies
self service permissions
pipelines
https://www.cilogon.org/comanage
collaboration management platform built for federated identity
Open Source
Internet2/InCommon
PHP
20+ deployments managing more than 50K federated identities
OpenID Connect (OIDC)
third gen OpenID (after OpenID 1.0/2.0)
specifications: https://openid.net/connect/
authentication layer on top of OAuth 2.0 authorization framework (RFC 6749)
adds new token type: ID Token
adds new OAuth resource: UserInfo
standard claims and scope values
MediaWiki
custom COmanage user identifier assignment for MediaWiki username
MediaWiki's OIDC extension for auth
CILogon OIDC Provider sends custom MediaWiki username as sub claim
MediaWiki's OAuth extension for COmanage account provisioner
http://www.cilogon.org/mediawiki
federated SSH keys
users register SSH public key during enrollment
associated with their federated identity
provisioned to LDAP
used by SSH server for authorization
https://serverfault.com/questions/653792/ssh-key-authentication-using-ldap
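The slide describes the flow (key registered at enrollment, provisioned to LDAP, read by the SSH server), and the usual way to wire the last step is an sshd AuthorizedKeysCommand that queries the directory. The Python below is an added example and not CILogon or COmanage code: it stands in for such a command, parsing ldapsearch-style LDIF (folded continuation lines and base64 "::" values included) and returning only entries that are well-formed public keys whose blob really encodes the declared key type. The LDIF, the directory layout and the lookup function are constructed for the example; a production script would replace the lookup with an ldapsearch call over LDAPS.

```python
import base64
import binascii
import re
import struct
import sys

ALLOWED_KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}

# Constructed LDIF standing in for the output of an ldapsearch for the user's
# sshPublicKey values. LDIF folds long values onto lines that start with a space
# and writes base64 values after "::"; both forms appear below. The second and
# third keys are deliberately malformed/unsafe so the filtering is visible.
RSA_KEY_FOR_DEMO = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC4drbm3QkRvxfLIvjBUp alice@workstation"
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "uid: alice\n"
    "sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHSVbIRjUV3ZYO/a6HnHbKkULjmCD\n"
    " KR48oqo3FkTQu1Z alice@laptop\n"
    "sshPublicKey:: " + base64.b64encode(RSA_KEY_FOR_DEMO.encode()).decode() + "\n"
    "sshPublicKey: ecdsa-sha2-nistp256 not-a-valid-key\n"
    'sshPublicKey: command="/bin/sh" ssh-ed25519 '
    "AAAAC3NzaC1lZDI1NTE5AAAAIHSVbIRjUV3ZYO/a6HnHbKkULjmCDKR48oqo3FkTQu1Z\n"
)


def parse_ldif_attribute(ldif: str, attr: str) -> list:
    """Return every value of `attr`, unfolding continuation lines and decoding '::' values."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous logical line
        else:
            lines.append(raw)
    values = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != attr.lower():
            continue
        if value.startswith(":"):         # "attr:: <base64>"
            values.append(base64.b64decode(value[1:].strip()).decode())
        else:
            values.append(value.strip())
    return values


def is_valid_public_key(line: str) -> bool:
    """Accept only '<type> <base64 blob> [comment]' whose blob encodes that same type.
    Lines carrying sshd options (command=, from=, ...) are rejected: the directory
    supplies key material, while options stay under the sshd administrator's control."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in ALLOWED_KEY_TYPES:
        return False
    try:
        blob = base64.b64decode(parts[1] + "=" * (-len(parts[1]) % 4), validate=True)
        (length,) = struct.unpack(">I", blob[:4])
        return blob[4:4 + length].decode() == parts[0]
    except (binascii.Error, struct.error, UnicodeDecodeError):
        return False


def authorized_keys(username: str, lookup=lambda user: SAMPLE_LDIF) -> list:
    """What the AuthorizedKeysCommand prints for `username`: validated keys only.
    The username is checked before it could reach an LDAP filter (injection guard)."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        return []
    keys = parse_ldif_attribute(lookup(username), "sshPublicKey")
    return [k for k in keys if is_valid_public_key(k)]


if __name__ == "__main__":
    # sshd_config would point at this script, e.g.
    #   AuthorizedKeysCommand /usr/local/bin/ldap_keys.py %u
    #   AuthorizedKeysCommandUser nobody
    print("\n".join(authorized_keys(sys.argv[1] if len(sys.argv) > 1 else "alice")))
```

Because sshd treats every printed line as an authorized_keys line, the filter matters: an unvalidated value from the directory would otherwise be able to carry forced commands or other options into the server's policy.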
support for idphint specification
https://www.cilogon.org/oidc
https://aarc-project.eu/guidelines/aarc-g049/
AARC-G049 A specification for IdP hinting
This document defines a generic browser-based protocol for conveying – to services – hints about the IdPs or IdP-SP-proxies that should be used for authenticating the principal.
attribute-based authz example
eduPersonAffiliation: specifies the person's relationship(s) to the institution in broad categories
permissible values: faculty, student, staff, alum, member, affiliate, employee, library-walk-in
specification: https://refeds.org/eduperson
use cases:
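As an added example of the attribute-based authorization the slide describes (not code from CILogon or the eduPerson specification), the Python below reads eduPersonAffiliation out of a constructed SAML AttributeStatement and evaluates per-application policies against it. The attribute is matched by its OID (urn:oid:1.3.6.1.4.1.5923.1.1.1.1) rather than the informational FriendlyName, values outside the permissible list from the slide are ignored, and unknown applications are denied by default. The sample statement, the application names and the policies are assumptions for the example; signature, audience and condition checks on the enclosing assertion are assumed to have happened already.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EDUPERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"   # eduPersonAffiliation
PERMISSIBLE_VALUES = {"faculty", "student", "staff", "alum", "member",
                      "affiliate", "employee", "library-walk-in"}

# Constructed AttributeStatement as the SP sees it after the SAML library has
# already verified the assertion's signature, audience and validity window.
SAMPLE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML_NS}">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>alice@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{EDUPERSON_AFFILIATION}" FriendlyName="eduPersonAffiliation">
    <saml:AttributeValue>staff</saml:AttributeValue>
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>visitor</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def affiliations(statement_xml: str) -> set:
    """Return the eduPersonAffiliation values, matched by OID (never by FriendlyName),
    keeping only values from the controlled vocabulary."""
    root = ET.fromstring(statement_xml)
    found = set()
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != EDUPERSON_AFFILIATION:
            continue
        for value in attr.iter(f"{{{SAML_NS}}}AttributeValue"):
            text = (value.text or "").strip()
            if text in PERMISSIBLE_VALUES:      # "visitor" is not a permissible value
                found.add(text)
    return found


# Assumed per-application policies: the affiliations that grant access.
POLICIES = {
    "hpc-cluster": {"faculty", "staff", "student"},
    "library-catalog": PERMISSIBLE_VALUES,          # anyone the campus vouches for
    "payroll-portal": {"employee"},
}


def is_authorized(statement_xml: str, app: str) -> bool:
    """Allow when any asserted affiliation is in the app's policy; deny by default."""
    return bool(affiliations(statement_xml) & POLICIES.get(app, set()))
```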
role-based authz example: AWS
COmanage assigns Roles to each Person
via enrollment, approval workflows, expiration, etc.
linked to federated identities of the Person
CILogon SAML Proxy asserts Roles to AWS at authentication time
SAML proxy allows use of multiple identity providers
AWS IAM maps Roles to Permissions for access to AWS services
AWS Security Token Service (STS) provides temporary security credentials for CLI/API access
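The proxy's job on this slide is to turn COmanage roles into the SAML attributes AWS consumes. As an added example, not CILogon's proxy code, the Python below builds the AttributeStatement the proxy IdP would place in its assertion to AWS: one Role value per assumable IAM role in AWS's "<role-arn>,<saml-provider-arn>" format, a RoleSessionName that satisfies AWS's character and length rules, and a SessionDuration. Roles that COmanage asserts but that have no IAM mapping are dropped, and a person with no mapped role gets no assertion at all. The attribute names are the ones AWS defines; the account id, provider name and role mapping are placeholders and assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Attribute names AWS expects in the SAML assertion (defined by AWS).
AWS_ROLE = "https://aws.amazon.com/SAML/Attributes/Role"
AWS_ROLE_SESSION_NAME = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
AWS_SESSION_DURATION = "https://aws.amazon.com/SAML/Attributes/SessionDuration"

AWS_ACCOUNT = "123456789012"                                             # placeholder account id
SAML_PROVIDER_ARN = f"arn:aws:iam::{AWS_ACCOUNT}:saml-provider/CILogon"  # assumed provider name

# Assumed mapping from COmanage role names to the IAM roles they may assume.
ROLE_MAP = {
    "project-admin": f"arn:aws:iam::{AWS_ACCOUNT}:role/ProjectAdmin",
    "researcher": f"arn:aws:iam::{AWS_ACCOUNT}:role/ProjectResearcher",
}

SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")   # AWS constraint on RoleSessionName


def aws_role_values(comanage_roles):
    """One value per assumable role: '<role-arn>,<saml-provider-arn>'. Roles COmanage
    asserts that IAM does not know are dropped, so a stray role name grants nothing."""
    return [f"{ROLE_MAP[r]},{SAML_PROVIDER_ARN}" for r in comanage_roles if r in ROLE_MAP]


def build_attribute_statement(session_name, comanage_roles, duration_seconds=3600):
    """The AttributeStatement the proxy IdP places in its assertion to AWS; STS uses
    these values when the user (or CLI) calls AssumeRoleWithSAML."""
    values = aws_role_values(comanage_roles)
    if not values:
        raise PermissionError("person holds no role mapped to AWS; assert nothing")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName violates AWS character/length rules")
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name, vals in ((AWS_ROLE, values),
                       (AWS_ROLE_SESSION_NAME, [session_name]),
                       (AWS_SESSION_DURATION, [str(duration_seconds)])):
        attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        for v in vals:
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = v
    return ET.tostring(stmt, encoding="unicode")


def roles_in_statement(statement_xml):
    """Read back the Role values (the roles AWS will offer the user to assume)."""
    root = ET.fromstring(statement_xml)
    return [v.text
            for a in root.iter(f"{{{SAML_NS}}}Attribute") if a.get("Name") == AWS_ROLE
            for v in a.iter(f"{{{SAML_NS}}}AttributeValue")]
```

Keeping the role-to-ARN mapping as an explicit allowlist on the proxy side is what makes the COmanage workflow (enrollment, approval, expiration) the single source of truth: removing a role in COmanage removes the ability to assume it on the next login, and nothing the IdP side asserts can name an IAM role the mapping does not contain.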
configuring your OIDC app
OIDC Discovery URL provides metadata
https://cilogon.org/.well-known/openid-configuration
contact help@cilogon.org to customize IdPs, claims, etc.
docs / examples: http://www.cilogon.org/oidc
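This slide, the "registering your OIDC app" slide (client_id and client_secret) and the "support for idphint specification" slide together describe what a relying party needs to do before it can exchange a code for tokens. The Python below is an added example, not CILogon's or any library's code: it parses a discovery document in the shape of the openid-configuration, refuses one from the wrong issuer or without PKCE, builds the authorization request with state, nonce and an S256 code challenge (plus an optional AARC-G049 idphint), and validates the redirect back before assembling the code-exchange request. The discovery document is constructed (endpoint URLs are assumptions; read the live document), the client_id is a placeholder, the secret comes from the environment, and the comma-separated idphint format is an assumption.

```python
import base64
import hashlib
import json
import os
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed discovery document shaped like the openid-configuration the slide
# points at. Endpoint URLs are assumptions for this example, not copied from CILogon.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://cilogon.org",
    "authorization_endpoint": "https://cilogon.org/authorize",
    "token_endpoint": "https://cilogon.org/oauth2/token",
    "userinfo_endpoint": "https://cilogon.org/oauth2/userinfo",
    "jwks_uri": "https://cilogon.org/oauth2/certs",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})

EXPECTED_ISSUER = "https://cilogon.org"
CLIENT_ID = "cilogon:/client_id/PLACEHOLDER"     # placeholder; use the id issued at registration
CLIENT_SECRET = os.environ.get("CILOGON_CLIENT_SECRET", "PLACEHOLDER")  # never hard-code it
REDIRECT_URI = "https://app.example.org/callback"  # assumed; must equal the registered value


def load_metadata(document: str) -> dict:
    """Parse discovery metadata; refuse the wrong issuer, non-https endpoints, or no PKCE."""
    meta = json.loads(document)
    if meta.get("issuer") != EXPECTED_ISSUER:
        raise ValueError("discovery document is not from the expected issuer")
    if "S256" not in meta.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not str(meta.get(key, "")).startswith("https://"):
            raise ValueError(f"{key} missing or not https")
    return meta


def pkce_challenge(verifier: str) -> str:
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def start_login(meta, session, scopes=("openid", "email", "profile"), idp_hints=None) -> str:
    """Build the authorization URL and stash state/nonce/verifier in the user's session."""
    session["state"] = secrets.token_urlsafe(32)
    session["nonce"] = secrets.token_urlsafe(32)
    session["code_verifier"] = secrets.token_urlsafe(64)   # within PKCE's 43-128 chars
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    if idp_hints:
        # AARC-G049 idphint: comma-separated IdP entityIDs (format assumed here).
        params["idphint"] = ",".join(idp_hints)
    return f"{meta['authorization_endpoint']}?{urlencode(params)}"


def authorization_params(url: str) -> dict:
    """Single-valued view of the query string of an authorization or callback URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect back from the provider and return the token-endpoint
    request body for the code exchange. State and verifier are single-use."""
    query = authorization_params(callback_url)
    expected_state = session.pop("state", None)          # consumed even on failure
    if "error" in query:
        raise RuntimeError(f"provider returned error: {query['error']}")
    if not expected_state or query.get("state") != expected_state:
        raise ValueError("state mismatch: not the login this session started (possible CSRF)")
    return {
        "grant_type": "authorization_code",
        "code": query["code"],
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
        "code_verifier": session.pop("code_verifier"),
    }
```

The dictionary returned by handle_callback is what the app POSTs to the token_endpoint from the discovery document; the ID Token that comes back is then validated against the jwks_uri, the expected issuer and audience, and the nonce saved in the session.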
integration examples
science gateways
HPC clusters
Jupyter notebooks
wikis
mailing lists
Kubernetes
Globus
SSH
grid computing
AWS
G Suite
Auth0
seamless campus integration
bypass CILogon screens when accessing local campus research applications
consent managed locally by campus
always use campus IdP
an OpenID Connect proxy to your campus SAML IdP
example: https://cybergateway.iu.edu/
bridging campus and VO IAM
passing campus and VO attributes to the application
obtaining user consent via OIDC
manage VO attributes in COmanage
customize attributes/claims per app
application-specific identifiers
linking campus, researcher, and VO IDs
driving authorization via group memberships
voPerson
an LDAP attribute schema (object class) with usage recommendations for VOs
voperson.org
voPersonApplicationUID
voPersonAuthorName
voPersonCertificateDN
voPersonCertificateIssuerDN
voPersonExternalID
voPersonID
voPersonSoRID
voPersonStatus
https://voperson.org/
Zoom Survey!
Thank you.
Next IAM Online: August 11, 2021, 2:00 p.m. ET
Go CAMPing
CAMP includes community presentations such as case studies, organizations’ innovations in identity management, best practices, and other information that helps move the community forward.
2021 CAMP dates: October 4 - 8
Learn more at: https://incommon.org/academy/camp-meetings/2021-camp-week/