ELIXIR Proxy IdP
Transcription
ELIXIR Proxy IdP
ELIXIR AAI overview
- Relying services: EGA, eLearning, Cloud, Intranet, Data archive, …
- ELIXIR AAI components: Credential translation; Dataset authorisation management (REMS); Step-up AuthN; ELIXIR Proxy IdP; Group/role management (PERUN); ELIXIR Directory; Bona fide management; Attribute self-management
- Authentication sources: eduGAIN IdPs; Common IdPs; External authentication (e-infrastructures)

ELIXIR Proxy IdP
- User has one ELIXIR identity
- User can authenticate using external identities
- Proxy IdP consolidates the IDs

One user, several linked identities (example)
- tommi@elixir-europe.org (ELIXIR ID)
- nyronen@csc.fi (eduGAIN)
- tommioffinland@google (Google ID)
- 0000-0002-36343756 (ORCID)

Step-up Authentication
1. User authenticates weakly using external authentication
2. User authenticates with a second factor, e.g. SMS-OTP or a mobile app

Credential translation
- ELIXIR Proxy IdP is web-based
- Some services are non-web: SSH access to a cloud VM; access to data files; triggering file transfer
- X.509 (CILogon)
- Kerberos

Group management (PERUN)
- Users can create and manage groups: add/invite new members, remove members, etc.
- Access to services can rely on group memberships

Bona fide management
- Anyone can have an ELIXIR ID
- Bona Fide researcher: a member of the bioinformatics community with certain basic privileges
- For instance: access to the availability database

Dataset authorisation management (REMS)
- Sensitive human data
- Data access application needed
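The step-up flow above, as an added example that is not part of the original slides or of the ELIXIR AAI code: a proxy IdP holds a session whose assurance level came from the external IdP (weak) and, when a service needs a strong level, demands a second factor. The second factor here is an RFC 6238 TOTP code of the kind a mobile authenticator app produces; the two assurance levels, the session dictionary and the 30-second window are assumptions for this example, not ELIXIR's values.

```python
"""Step-up authentication at a proxy IdP (added example, not ELIXIR code)."""
import hashlib
import hmac
import struct
import time

# Assumed assurance levels. A real proxy would derive them from the
# SAML AuthnContextClassRef / OIDC acr asserted by each external IdP.
LEVEL_WEAK = 1      # e.g. password-only login at an external IdP
LEVEL_STRONG = 2    # second factor verified by the proxy itself


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, window: int = 1, digits: int = 6) -> bool:
    """Accept the code for the current step or one step either side (clock drift),
    comparing in constant time so a wrong digit cannot be timed."""
    current = at // 30
    return any(
        hmac.compare_digest(hotp(secret, c, digits), submitted)
        for c in range(current - window, current + window + 1)
    )


def step_up(session: dict, required_level: int, submitted_code: str = None, now: int = None) -> dict:
    """Decision for a session reaching a service that requires `required_level`.

    session = {"level": LEVEL_WEAK, "totp_secret": b"..."} is the proxy's view of the user
    after the first (external, weak) authentication. The second factor raises the level
    only after a valid code is presented; the weak login alone never unlocks a strong service.
    """
    now = int(time.time()) if now is None else now
    if session["level"] >= required_level:
        return {"access": True, "level": session["level"]}
    if submitted_code is None:
        # Step 1 done, step 2 still outstanding: send the user to the second-factor prompt.
        return {"access": False, "step_up_required": True}
    if verify_totp(session["totp_secret"], submitted_code, now):
        session["level"] = LEVEL_STRONG
        return {"access": True, "level": LEVEL_STRONG}
    return {"access": False, "step_up_required": True, "error": "second factor rejected"}


if __name__ == "__main__":
    # Secret from the RFC 6238 test vectors, constructed input for this demo.
    s = {"level": LEVEL_WEAK, "totp_secret": b"12345678901234567890"}
    print(step_up(s, LEVEL_STRONG, now=59))                       # step-up required
    print(step_up(s, LEVEL_STRONG, submitted_code=totp(s["totp_secret"], 59), now=59))
```

The TOTP routine reproduces the RFC 6238 reference vectors (secret `12345678901234567890`, time 59 gives `94287082` with eight digits), which is the check to run before trusting any home-grown OTP verifier.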
Data access workflow (REMS)
- Actors: Applicant (principal investigator) and the research group members named on the application; DAC 1 approver and DAC 2 approver; IdP and SP
- REMS holds: Dataset 1, Dataset 2, workflow, reports, entitlements, metadata on datasets 1 & 2
1. Apply for access
2. Commit to licence terms
3. Circulate to approver
4. Approve
5. Access

Group membership workflow (Perun)
1a. Apply for group membership via URL (group application form)
1b. Invited via email by a group manager
2. Notification circulated to group managers
3. Approve/deny the application
- Perun holds the groups (Group 1, Group 2, …), their users and group managers; users authenticate through the ELIXIR Proxy IdP with their own IdP

Group information at the relying service
- Perun (user registration, user and group management) pushes group information on every change
- The relying service (e.g. Intranet) keeps a list of allowed groups
- Authentication goes through the ELIXIR Proxy IdP from eduGAIN IdPs, Common IdPs or external authentication (e-infrastructures)

User qualification, authentication and authorization by service type
User qualification | Authentication | Authorization | Service type | Example service
Endorsed user | AuthN: strong 2FA | AuthZ: yes, DAC | Sensitive services | Sensitive human data
Bona fide user | AuthN: yes | AuthZ: yes | Restricted services | Availability catalogue
Any user | AuthN: yes/no | AuthZ: no | Public services | E-Learning, Ensembl
Being defined in ELIXIR Implementation Study - Task 1 (ELIXIR Beacon project).
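The five-step REMS workflow above, as an added example that is not REMS code and not part of the original slides: a small state machine that refuses out-of-order steps (no circulation before the licence is accepted, no approval outside the pending state), routes an application covering several datasets to every responsible DAC, and only issues entitlements for applicant and members once all of those DACs have approved. The dataset-to-DAC mapping, user names and state names are constructed for this example.

```python
"""Data access application workflow in the REMS style (added example, not REMS code)."""
from dataclasses import dataclass, field

# Which DAC approves which dataset: constructed sample data for this example.
DATASET_DAC = {"dataset1": "DAC1", "dataset2": "DAC2"}


class WorkflowError(Exception):
    """Raised when a step is taken out of order or by the wrong party."""


@dataclass
class Application:
    applicant: str                  # principal investigator who files the application
    members: set                    # research group members named on the application
    datasets: set                   # datasets requested; may span several DACs
    state: str = "applied"          # applied -> pending -> approved
    licence_committed: bool = False
    approvals: dict = field(default_factory=dict)   # DAC -> approver who signed off


def apply_for_access(applicant: str, members, datasets) -> Application:
    """Step 1: one application may cover one or more datasets."""
    unknown = set(datasets) - DATASET_DAC.keys()
    if unknown:
        raise WorkflowError(f"unknown datasets: {sorted(unknown)}")
    return Application(applicant, set(members), set(datasets))


def commit_to_licence(app: Application, user: str) -> None:
    """Step 2: only the applicant accepts the licence terms on behalf of the group."""
    if user != app.applicant:
        raise WorkflowError("only the applicant commits to the licence terms")
    app.licence_committed = True


def required_dacs(app: Application) -> set:
    """Every DAC responsible for at least one requested dataset must approve."""
    return {DATASET_DAC[d] for d in app.datasets}


def circulate(app: Application) -> set:
    """Step 3: route the application to the approvers; blocked until the licence is accepted."""
    if not app.licence_committed:
        raise WorkflowError("licence terms must be accepted before circulation")
    app.state = "pending"
    return required_dacs(app)


def approve(app: Application, dac: str, approver: str) -> str:
    """Step 4: record one DAC decision; approved only when every required DAC has signed off."""
    if app.state != "pending":
        raise WorkflowError(f"application is {app.state}, not pending")
    if dac not in required_dacs(app):
        raise WorkflowError(f"{dac} is not an approver for this application")
    app.approvals[dac] = approver
    if required_dacs(app) <= set(app.approvals):
        app.state = "approved"
    return app.state


def entitlements(app: Application) -> set:
    """Step 5: (user, dataset) entitlements for applicant and members, only once approved."""
    if app.state != "approved":
        return set()
    users = {app.applicant} | app.members
    return {(u, d) for u in users for d in app.datasets}


def may_access(app: Application, user: str, dataset: str) -> bool:
    """What the data archive (SP) checks before serving a file."""
    return (user, dataset) in entitlements(app)


if __name__ == "__main__":
    app = apply_for_access("pi", {"alice"}, {"dataset1", "dataset2"})
    commit_to_licence(app, "pi")
    print("circulated to", circulate(app))
    print(approve(app, "DAC1", "reviewer1"), approve(app, "DAC2", "reviewer2"))
    print(sorted(entitlements(app)))
```

The point worth noticing is in `approve`: an application for datasets under two different DACs stays pending after the first approval, so a single approver cannot unlock data owned by another committee.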
Any user
- May need to log in (if the service differentiates between users)

"Bona Fide" researcher
- A feature (attribute) of a person
- May need to commit to a Code of Conduct
- May need a community approval

Endorsed user
- The user needs to apply for access and attach a research plan
- Each application is screened individually (e.g. by a data access committee, DAC)
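The three service tiers in the table above and the group-based Intranet access described with Perun, as one added example that is not part of the original slides or of the ELIXIR AAI software: a policy decision point at a relying service that takes the claims the proxy would forward (authenticated, strong 2FA done, bona fide attribute, Perun groups, REMS entitlements) and applies the tier's rule. Service descriptors, claim names and the sample users are assumptions constructed for the example.

```python
"""Relying-service access decision by service tier (added example, not ELIXIR code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Claims:
    """What the ELIXIR Proxy IdP would assert about the session (assumed claim names)."""
    authenticated: bool = False
    mfa: bool = False                         # strong 2FA completed via step-up
    bona_fide: bool = False                   # bona fide researcher attribute
    groups: frozenset = frozenset()           # group memberships pushed from Perun
    entitlements: frozenset = frozenset()     # dataset entitlements from REMS


# Constructed service descriptors following the table's three tiers.
ENSEMBL = {"name": "Ensembl", "type": "public"}
CATALOGUE = {"name": "Availability catalogue", "type": "restricted"}
INTRANET = {"name": "Intranet", "type": "restricted", "allowed_groups": {"elixir:staff"}}
EGA_DS1 = {"name": "EGA dataset1", "type": "sensitive", "dataset": "dataset1"}
EGA_DS2 = {"name": "EGA dataset2", "type": "sensitive", "dataset": "dataset2"}


def decide(service: dict, claims: Claims) -> tuple:
    """Return (allowed, reason). Checks are ordered so the cheapest denial comes first
    and a strong-tier service can never be reached on a weak login."""
    kind = service["type"]
    if kind == "public":
        # AuthN yes/no, AuthZ no: the service may still log the user in to personalise.
        return True, "public service: authentication optional"
    if not claims.authenticated:
        return False, "authentication required"
    if kind == "restricted":
        allowed_groups = service.get("allowed_groups")
        if allowed_groups:
            # Intranet-style service: authorisation comes from Perun group membership.
            if claims.groups & allowed_groups:
                return True, "member of an allowed group"
            return False, "not in an allowed group"
        if claims.bona_fide:
            return True, "bona fide researcher"
        return False, "bona fide status required"
    if kind == "sensitive":
        # Endorsed user: strong 2FA and an individual DAC decision for this dataset.
        if not claims.mfa:
            return False, "step-up (strong 2FA) required"
        if service["dataset"] in claims.entitlements:
            return True, "DAC entitlement present"
        return False, f"no DAC entitlement for {service['dataset']}"
    return False, f"unknown service type {kind!r}"


if __name__ == "__main__":
    # Constructed sample sessions.
    anonymous = Claims()
    staff = Claims(authenticated=True, bona_fide=True, groups=frozenset({"elixir:staff"}))
    endorsed = Claims(authenticated=True, mfa=True, bona_fide=True,
                      entitlements=frozenset({"dataset1"}))
    for svc in (ENSEMBL, CATALOGUE, INTRANET, EGA_DS1, EGA_DS2):
        for who, c in (("anonymous", anonymous), ("staff", staff), ("endorsed", endorsed)):
            print(f"{svc['name']:22s} {who:10s} -> {decide(svc, c)}")
```

Denials carry a reason so the service can redirect to the right remedy: a login for the anonymous user, a step-up prompt at the proxy for a weakly authenticated one, and the REMS application form when the entitlement is what is missing.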