ELIXIR AAI - welcome
Michal Prochazka, Dominik Bucik
AAI workshop 11 September 2018
www.elixir-europe.org
Motivation
During the training
Design of ELIXIR AAI
ELIXIR AAI design
[Diagram of the ELIXIR AAI components]
External authentication (e-infrastructures): eduGAIN IdPs, Common IdPs
ELIXIR AAI: ELIXIR Proxy IdP, ELIXIR Directory, Bona fide management, Dataset authorisation management (REMS), Group/role mgmt (Perun), Credential translation, Attribute self-management, Step-up AuthN
Relying services: EGA, eLearning, Cloud, Intranet, wiki, Data archive, Your test service, …
ELIXIR AAI design
ELIXIR Proxy IdP
ELIXIR identity
tommioffinland@google (Google ID)
tommi@csc.fi (eduGAIN)
0000-0001-2345-6789 (ORCID)
tommi@elixir-europe.org (ELIXIR ID)
Select your external authentication provider...
In this training
Today you will integrate an OpenID Connect client with the test environment of the ELIXIR Proxy IdP.
ELIXIR AAI design
Step-up Authentication
1. User authenticates weakly using external authentication
2. User authenticates with second factor
- e.g. SMS-OTP or a mobile app
ELIXIR AAI design
Credential translation
ELIXIR AAI design
Group management (PERUN)
ELIXIR AAI design
Bona Fide researchers
ELIXIR AAI design
Dataset authorisation management (REMS)
[Flow diagram: steps 1 to 8 between the ELIXIR RP, the ELIXIR AAI (Proxy IdP, Proxy SP), the DS and the IdP; four of the arrows are labelled "Attributes"]
Introduction to ELIXIR AAI
AAI = Authentication and Authorisation Infrastructure
ELIXIR AAI history – where we are now
High level stuff: ELIXIR AAI strategy
Related work: Life Science AAI