Community Managed Authentication and Authorization Infrastructure
Time 12/10/19 10:20AM-10:45AM
Room Oak Alley (4th)
ELIXIR unites Europe's leading life science organizations in managing and safeguarding the increasing volume of data generated by publicly funded research. In addition, ELIXIR has designed and now operates its own authentication and authorization infrastructure (AAI).
The main goal of the ELIXIR AAI is to enable self-management of identities within the community and to provide seamless access to all services, regardless of whether they are operated within the community, by a third party, or in a cloud.
The central component of the AAI is the identity and access management system Perun, which was presented at the Internet2 Technology Exchange 2017 as a solution for identity and access management on campuses. In this presentation we show that Perun, in combination with other components, is versatile enough to also manage international virtual organizations such as ELIXIR. Services, whether internal or external, are integrated through an identity access proxy, which connects them in a uniform way over the standardized protocols SAML2 and OpenID Connect/OAuth2 and ensures that the attributes each service requires are released with values harmonized at the community level. Technically, the proxy is composed of SimpleSAMLphp and MITREid, both of which communicate with the Perun identity and access management system.
From the users' point of view, the whole infrastructure is transparent. End users interact with it only to register for, or renew membership in, virtual organizations and groups. The sign-in process relies on identities provided by the user's home institution via eduGAIN, or on social identities for users without an institutional identity. The ELIXIR AAI stays hidden during sign-in unless an extra step is required, such as accepting a new version of the acceptable use policy or performing multi-factor authentication demanded by the accessed service.
Services join the infrastructure using the standardized protocols SAML2 or OpenID Connect/OAuth2, which can be combined with the provisioning and de-provisioning capabilities of the identity and access management system. The centralized AAI ensures that each user has a single persistent, non-reassignable identifier and that each service receives only the minimal set of attributes it requires.
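To make the proxy behaviour described in the two paragraphs above concrete, here is a small model of it as an added example. It is not ELIXIR's, Perun's, SimpleSAMLphp's or MITREid's code: the attribute names, the `elixir-NNNNNN` identifier format, the set-valued authentication context (`{"pwd", "mfa"}`), the AUP version numbers and the per-service policies are all assumptions made for illustration. It shows the three properties the abstract claims: one community identifier per person that is never reissued after de-provisioning, per-service minimal attribute release with harmonized values, and the two "extra steps" (AUP acceptance, step-up MFA) surfacing only when a service or the community demands them.

```python
"""Toy identity-access proxy modelled on the architecture in the abstract above.
Added example, not ELIXIR's, Perun's, SimpleSAMLphp's or MITREid's code. Attribute
names, the authentication-context set, AUP versions and service policies are assumed.
"""
from dataclasses import dataclass, field

AUP_CURRENT_VERSION = 3  # assumed current acceptable-use policy version


class StepUpRequired(Exception):
    """The service demands multi-factor authentication the user did not present."""


class AupAcceptanceRequired(Exception):
    """The user must accept the current AUP before attributes are released."""


@dataclass
class User:
    community_id: str             # single, persistent, never reassigned
    home_identities: set          # upstream eduGAIN / social subject identifiers
    groups: set = field(default_factory=set)
    aup_version_accepted: int = 0


class CommunityRegistry:
    """Stands in for the identity and access management system (Perun in the talk)."""

    def __init__(self):
        self._users = {}       # community_id -> User
        self._by_home = {}     # home identity -> community_id
        self._retired = set()  # deprovisioned ids, kept so they can never be reissued
        self._next = 1         # monotonic counter, so a retired id never comes back

    def register(self, home_identity, groups=()):
        """A known home identity resolves to its existing account; otherwise mint one id."""
        if home_identity in self._by_home:
            return self._users[self._by_home[home_identity]]
        cid = f"elixir-{self._next:06d}"
        self._next += 1
        self._users[cid] = User(cid, {home_identity}, set(groups))
        self._by_home[home_identity] = cid
        return self._users[cid]

    def link(self, community_id, home_identity):
        """Attach a second home identity (e.g. a social login) to the same community id."""
        self._users[community_id].home_identities.add(home_identity)
        self._by_home[home_identity] = community_id

    def accept_aup(self, community_id):
        self._users[community_id].aup_version_accepted = AUP_CURRENT_VERSION

    def deprovision(self, community_id):
        """Remove the user; the identifier is retired, not freed for reuse."""
        user = self._users.pop(community_id)
        for home in user.home_identities:
            self._by_home.pop(home, None)
        self._retired.add(community_id)

    def resolve(self, home_identity):
        cid = self._by_home.get(home_identity)
        return self._users.get(cid) if cid else None


@dataclass
class ServicePolicy:
    entity_id: str
    required_attributes: tuple  # the minimal set this service receives, nothing more
    requires_mfa: bool = False


class IdentityProxy:
    """Between upstream IdPs and services: releases harmonized attributes per service policy."""

    def __init__(self, registry, services):
        self.registry = registry
        self.services = {s.entity_id: s for s in services}

    def release(self, home_identity, upstream_attrs, authn_context, service_entity_id):
        """upstream_attrs come from the home IdP; authn_context is a set such as {'pwd', 'mfa'}."""
        service = self.services[service_entity_id]
        user = self.registry.resolve(home_identity)
        if user is None:
            raise LookupError("unknown home identity: registration required")
        # The only moments the user notices the AAI: an AUP update or a step-up demand.
        if user.aup_version_accepted < AUP_CURRENT_VERSION:
            raise AupAcceptanceRequired(f"AUP v{AUP_CURRENT_VERSION} not accepted")
        if service.requires_mfa and "mfa" not in authn_context:
            raise StepUpRequired(f"{service_entity_id} requires multi-factor authentication")
        # Harmonized values: identifier and groups come from the community registry,
        # not from whatever the home IdP happened to send.
        harmonized = {
            "sub": user.community_id,
            "name": upstream_attrs.get("displayName", ""),
            "email": upstream_attrs.get("mail", ""),
            "groups": sorted(user.groups),
        }
        # Minimal disclosure: exactly the attributes the service policy lists.
        return {k: harmonized[k] for k in service.required_attributes}
```

The point worth noticing is where each value comes from: `sub` and `groups` are taken from the community registry, so a user who signs in with an institutional identity today and a linked social identity tomorrow is the same subject to every service, while upstream attributes such as `eduPersonAffiliation` that no policy lists never reach a service at all. After `deprovision`, the counter guarantees the old identifier is not handed to the next registrant, which is what "non-reassignable" buys a service that keys audit records on it.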
The infrastructure has been in production since autumn 2016 and is currently used by over two thousand users, with growth to hundreds of thousands of users expected. More than a hundred services are connected, about half of them in production. They range from internal services to external ones, including services provided by European e-infrastructures and even commercial services.
Speaker Slavek Licehammer CESNET (Czech Education and Scientific NETwork)
Primary track InCommon