1 of 19

ELIXIR AAI - welcome

Michal Prochazka, Dominik Bucik

AAI workshop 11 September 2018

www.elixir-europe.org

2 of 19

Motivation

During the training

  • You will learn how to set up an OpenID Connect client (a relying service)
  • You will learn how to integrate a relying service with the ELIXIR AAI test environment for authentication
    • Then you will do it yourself
  • You will learn how to promote it to the production environment


3 of 19

Design of ELIXIR AAI


4 of 19

ELIXIR AAI design

[Architecture diagram] ELIXIR AAI sits between external authentication (e-infrastructures) and the relying services:
  • External authentication (e-infrastructures): eduGAIN IdPs, Common IdPs
  • ELIXIR AAI: ELIXIR Proxy IdP, ELIXIR Directory, Bona fide management, Dataset authorisation management (REMS), Group/role mgmt (Perun), Credential translation, Attribute self-management, Step-up AuthN
  • Relying services: EGA, eLearning, Cloud, Intranet, wiki, Data archive, Your test service

5 of 19

ELIXIR AAI design


ELIXIR Proxy IdP

  • Each user has one ELIXIR ID
  • The user can authenticate using external identities
  • The Proxy IdP consolidates these IDs
  • It acts as a SAML or OpenID Connect IdP towards the relying services

6 of 19

ELIXIR identity

[Diagram] One user's external identities, consolidated by ELIXIR AAI into a single ELIXIR ID that is presented to the relying services (EGA, wiki, Cloud, Intranet, Data archive):
  • tommioffinland@google (Google ID)
  • tommi@csc.fi (eduGAIN)
  • 0000-0001-2345-6789 (ORCID)
  • → tommi@elixir-europe.org (ELIXIR ID)

7 of 19

Select your external authentication provider...


8 of 19

In this training

[Diagram] The same architecture, with the path used in this training highlighted: Google as the external authentication provider, the ELIXIR Proxy IdP in the middle, and Your test service as the relying service.

Today you will integrate an OpenID Connect client to the test environment of the ELIXIR Proxy IdP.
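As an added example (not code from this deck or from the ELIXIR AAI project), the check a relying service performs on the ID token it gets back from the Proxy IdP: accept only a token the proxy issued, for this client and for this login request, then key the local account on the `sub` claim, which carries the single ELIXIR ID the proxy consolidates the external identities into. The issuer URL, client id and client secret are constructed placeholders, and HS256 keyed with the client secret stands in for the proxy's real signing algorithm, which the deck does not specify.

```python
import base64, hashlib, hmac, json, time
# Constructed placeholders (hypothetical); real values come from client registration.
ISSUER = "https://proxy-idp.example.org/oidc/"
CLIENT_ID = "test-service-client-id"
CLIENT_SECRET = b"constructed-client-secret"

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _hs256(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()

def make_id_token(claims, secret):
    # Stands in for the Proxy IdP in this demo: header.payload.signature, HS256.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url_encode(_hs256(f'{header}.{payload}'.encode(), secret))}"

def validate_id_token(token, *, issuer, client_id, nonce, secret, now=None):
    """Return the claims the relying service may trust, or raise ValueError.
    HS256 keyed with the client secret is one alg OIDC permits for confidential
    clients; against an RS256 issuer only the signature step (JWKS) changes."""
    now = time.time() if now is None else now
    header_b64, payload_b64, sig_b64 = token.split(".")   # ValueError if malformed
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")        # also refuses alg=none
    expected = _hs256(f"{header_b64}.{payload_b64}".encode(), secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:               # trust only the Proxy IdP
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token issued to another client")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:              # binds the token to this login
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims

def elixir_id_for(token, nonce, now=None):
    # Key the local account on 'sub' (the single ELIXIR ID), never on e-mail.
    return validate_id_token(token, issuer=ISSUER, client_id=CLIENT_ID,
                             nonce=nonce, secret=CLIENT_SECRET, now=now)["sub"]
```

A token that a relying service built this way receives straight from Google or an eduGAIN IdP fails the issuer check, because only the proxy is trusted to assert the ELIXIR ID.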

9 of 19

ELIXIR AAI design


Step-up Authentication

  1. The user authenticates weakly using external authentication
  2. The user authenticates with a second factor
    • e.g. SMS-OTP or a mobile app

10 of 19

ELIXIR AAI design


Credential translation

  • The ELIXIR Proxy IdP is web-based
  • Some services are non-web
    • SSH access to a VM
    • Triggering a file transfer
    • File systems
  • Translation to X.509 credentials (CILogon/RCAuth.eu)

11 of 19

ELIXIR AAI design


Group management (PERUN)

  • Users can create and manage groups
    • Add or invite new members
    • Remove members
    • etc.
  • Access to services can rely on group memberships

12 of 19

ELIXIR AAI design


Bona Fide researchers

  • Anyone can have an ELIXIR ID
  • Bona fide researcher: a member of the bioinformatics community with certain basic privileges
  • For instance: access to an availability database or a beacon

13 of 19

ELIXIR AAI design


Dataset authorisation management (REMS)

  • Sensitive human data
  • A data access application is needed

14 of 19

[Sequence diagram, eight numbered steps; the step text is not recoverable] Participants: IdP, DS, Proxy SP and Proxy IdP (together the ELIXIR AAI), and the ELIXIR RP; four of the arrows are labelled "Attributes".

15 of 19

Introduction to ELIXIR AAI

AAI = Authentication and Authorisation Infrastructure


16 of 19

ELIXIR AAI history – where we are now

  • Use case gathering – Autumn 2014
  • Requirements and design – Spring 2015
  • Deployment starts – Autumn 2015 – EXCELERATE WP4.3.1
    • Part of the ELIXIR Compute platform
  • ELIXIR AAI enters production – November 2016
  • Currently
    • 61 relying services in production and 20 in the test environment using SAML
    • 6 relying services in production and 45 in the test environment using OIDC
    • 1841 users


17 of 19

High level stuff: ELIXIR AAI strategy

  • Agreed on by the ELIXIR Heads of Nodes committee in 6/2016
  • https://docs.google.com/document/d/1cJ3mR8lqfZKRMvSFalSmPbqd1OPU-L6YcUFIRnh1rhQ/edit
  • Covers
    • ELIXIR AAI under the responsibility of the hub
    • Relations to e-infrastructures (collaborate, make use of)
    • Relations to other BMS research infrastructure (common AAI)
    • ELIXIR AAI policies for end users, relying parties and AAI operators


18 of 19

Related work: Life Science AAI

  • Many AAI needs are common to all biological and medical sciences research infrastructures
    • BBMRI, EATRIS, ECRIN, ELIXIR, EMBRC, EU-OPENSCREEN, Euro-BioImaging, INFRAFRONTIER, Instruct, ISBE, MIRRI...
  • CORBEL WP5/AARC project: “Requirements specification for Life Science AAI”
  • Started a pilot within AARC2 project 11/2017
  • Accepted EOSC-Life project, starting from 2019


19 of 19


www.elixir-europe.org