Federated Identity Management IG FIM4R CLARIN pilot – progress report Menzo Windhouwer (CLARIN ERIC, Meertens Institute)

Post on 04-Jan-2016


Page 1: Federated Identity Management IG FIM4R CLARIN pilot – progress report Menzo Windhouwer (CLARIN ERIC, Meertens Institute)

Federated Identity Management IG: FIM4R CLARIN pilot – progress report

Menzo Windhouwer (CLARIN ERIC, Meertens Institute)

Page 2: FIM4R CLARIN pilot – progress

Basically a legal proxy whereby CLARIN ERIC joins national identity federations on behalf of its centres (= Service Providers)

Details and the agreement: clarin.eu/spf

Up-to-date list of end-user service providers: clarin.eu/node/3962 and centres.clarin.eu/spf

Experiments with a SAML – OAuth2 bridge

Quality checks for the SP SAML metadata

Page 3: FIM4R CLARIN pilot – Identity Federations

1. ACOnet, Austria

2. Belnet Federation, Belgium

3. SWITCHaai, Switzerland

4. eduID.cz, Czech Republic

5. DFN, Germany

6. TAAT, Estonia

7. SIR, Spain

8. Haka, Finland

9. Federation Education-Recherche, France [eduGAIN]

10. GRNET, Greece

11. eduID.hu, Hungary

12. Edugate, Ireland

13. IDEM, Italy [eduGAIN]

14. LAIFE, Latvia

15. SurfConext, The Netherlands

16. FEIDE, Norway

17. PIONIER.id, Poland

18. RCTSaai, Portugal

19. SWAMID, Sweden [eduGAIN]

20. ArnesAAI, Slovenia

21. UK Federation, United Kingdom [eduGAIN]

22. InCommon, United States of America

23. WAYF, Denmark, Iceland

24. LITNET fedi, Lithuania

25. Slovenia [eduGAIN]

Page 4: FIM4R CLARIN pilot – Service Providers

1. MPI (lux17)

2. MPI (catalog)

3. MPI (corpus1)

4. INL

5. IDS (clarin)

6. IDS (repos)

7. BBAW

8. CSC (lat)

9. CSC (korp)

10. UTU

11. UFAL

12. ICLTT

13. Meertens

14. Meertens (OpenSKOS)

15. Huygens

16. CLARIN-DK

17. BAS

18. CMU

19. CELR

20. CLARINO

21. HZSK

22. UIL-OTS

23. CLARIN-PL

24. CLARINSI

Page 5: SAML – OAuth2 bridge

Problem addressed: a user is logged in to Service 1, which calls Service 2 on behalf of the user.

How is the identity of the user passed on, and how can Service 2 trust it?

Solutions investigated by CLARIN-NL and BiGGrid:

- Open or semi-open system
- OAuth1
- SAML ECP
- WS-Trust
- GEMBus STS
- OAuth2 – selected solution for the CLARIN test cases
- X.509 certificates – investigated in EUDAT

Reference: User Delegation in the CLARIN Metadata Infrastructure - Part I - Research

Page 6: SAML – OAuth2 bridge: solution

[Diagram: the IdP, the Authorisation Service (AS) and the services S1 and S2; S1 calls S2 on behalf of the user]

Authorisation Service (AS):

- runs within a (separate) SP
- is trusted by all involved services
- also provides identity information (based on Shibboleth attributes): “user@idp”

Page 7: SAML – OAuth2 bridge: implementation

Authorisation server: quite a few to choose from, quality varies. Trials: ndg-oauth, SURFnet OAuth-Apis, Unity IDM

OAuth2 client: clients available for Java, Python, PHP, … Well specified protocol, clients interchangeable

OAuth2 resource server: clients available for Java, Python, PHP, … Interoperability with the AS can be a problem

OAuth 2.0 Token Introspection (IETF draft RFC)

Reference: User Delegation in the CLARIN Metadata Infrastructure - Part II - Implementation
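The delegation problem of slide 5 and the AS-centred solution of slides 6 and 7, as an added illustration that is not part of the original deck or the CLARIN code: an in-memory authorisation server that vouches for the Shibboleth identity "user@idp" and a resource server (Service 2) that trusts a bearer token only after token introspection at the AS. The classes, the shared secret and the scope names are constructed for the example.

```python
import hmac
import secrets
import time


class AuthorisationServer:
    """Constructed AS: runs behind a SAML SP, knows the Shibboleth identity
    'user@idp', issues opaque bearer tokens and answers introspection."""

    def __init__(self, resource_servers):
        self._rs_secrets = resource_servers  # rs_id -> shared secret (constructed)
        self._tokens = {}                    # opaque token -> token record

    def issue_token(self, user_at_idp, client_id, scope, ttl=300):
        # Service 1 (the OAuth2 client) obtains this on the user's behalf.
        token = secrets.token_urlsafe(32)    # opaque: carries no claims itself
        self._tokens[token] = {"sub": user_at_idp, "client_id": client_id,
                               "scope": scope, "exp": time.time() + ttl}
        return token

    def introspect(self, rs_id, rs_secret, token):
        # Only an authenticated resource server may introspect (RFC 7662 2.1);
        # otherwise the endpoint is a token-validity oracle for anyone.
        expected = self._rs_secrets.get(rs_id, "")
        if not hmac.compare_digest(expected, rs_secret):
            raise PermissionError("resource server not authenticated")
        rec = self._tokens.get(token)
        if rec is None or rec["exp"] <= time.time():
            return {"active": False}         # unknown, revoked or expired
        return {"active": True, **rec}


class ResourceServer:
    """Constructed Service 2: trusts only what the AS says about a token."""

    def __init__(self, auth_server, rs_id, rs_secret, required_scope):
        self._as, self._id, self._secret = auth_server, rs_id, rs_secret
        self._scope = required_scope

    def handle_request(self, bearer_token):
        # Returns (http_status, user@idp or None).
        info = self._as.introspect(self._id, self._secret, bearer_token)
        if not info.get("active"):
            return 401, None                 # reject before looking at claims
        if self._scope not in info.get("scope", "").split():
            return 403, None                 # valid token, insufficient scope
        return 200, info["sub"]              # delegated identity, vouched by AS
```

Because the token is opaque, Service 2 learns the user's identity and scope from the AS alone, which is what lets every service in the bridge trust the same answer.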

Page 8: SAML – OAuth2 bridge: use cases

Interaction between registries with private use areas: CMDI Component Registry to the ISOcat Data Category Registry

Interaction between tools and archives with closed resources: CLASS to The Language Archive

Interaction between tools and private work spaces: WebLicht to OwnCloud

Extensions: multistep delegation, desktop or mobile applications, …

Reference: User Delegation in the CLARIN Infrastructure

Page 9: Future Plans

Prepare SAML – OAuth2 bridge for production

Add more service providers

Add more federations

Page 10: Thank You!

Reactions: [email protected]

Page 11: SAML – OAuth2 bridge: acknowledgements

- Jonathan Blumtritt (University of Cologne)
- Daan Broeder (MPI, Meertens Institute)
- Joost van Dijk (SURFnet)
- Willem Elbers (MPI, CLARIN ERIC)
- Willem van Engen (NIKHEF)
- Twan Goosen (MPI, CLARIN ERIC) – animated slides!
- Marie Hinrichs (University of Tübingen)
- Remco Poortinga – van Wijnen (SURFnet)
- Mischa Salle (NIKHEF)
- Shakila Shayan (MPI)
- Wei Qiu (University of Tübingen)
- Dieter van Uytvanck (CLARIN ERIC)