identity federation for authenticating and authorizing researchers

Identity Federation For Authenticating and Authorizing Researchers. Cletus Okolie, NOC Manager, Eko-Konnect Research and Education Initiative. 19/03/2014, ei4africa workshop, University of Lagos


Presentation at the ei4Africa workshop held at the University of Lagos, Nigeria

TRANSCRIPT

Page 1: Identity Federation For Authenticating and Authorizing Researchers

ei4africa workshop- University of Lagos

Identity Federation For Authenticating and Authorizing Researchers

Cletus Okolie
NOC Manager
Eko-Konnect Research and Education Initiative

19/03/2014

Page 2: Identity Federation For Authenticating and Authorizing Researchers

Outline

• What are e-Infrastructures?
• What are Science Gateways?
• Federated Services – Terms and Principles
• NgREN Catch-All Identity Provider Demonstration

Page 3: Identity Federation For Authenticating and Authorizing Researchers

e-Infrastructures

• It can be defined as networked tools, data and resources that support a community of researchers, broadly including all those who participate in and benefit from research
• ICT elements that support e-Science
• e-Science - novel, large-scale inter-disciplinary global collaborations between scientists and researchers across many different areas.
• ICT Elements
  – high-speed research communication networks
  – powerful computational resources (dedicated high performance computers, clusters, large numbers of commodity PCs)
  – grid and cloud technologies, data infrastructures (data sources, scientific literature)
  – sensors, web-based portals, scientific gateways and mobile devices
• When integrated together = e-Infrastructures

Page 4: Identity Federation For Authenticating and Authorizing Researchers

A potential user of an e-infrastructure needs …

• A more powerful computer to run an application
• A great number of these computers to deliver results faster
• Access to specialized High Performance Computing facilities
• Access to large data sources
• Access to software not available
• To collaborate with other scientists across the world
• Access to scientific literature resources
• To connect to specialized instrumentation for analysis
• To connect to sensors for data collection
• Access to these facilities via a web-based portal or mobile device

Page 5: Identity Federation For Authenticating and Authorizing Researchers

Federated Identity Services, Certification Authorities & Science Gateways

Principles and Terminology

Page 6: Identity Federation For Authenticating and Authorizing Researchers

Identity Federations

• An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access via authentication

• IdF – Identity Federation
  – SP – Service Providers
  – IdP – Identity Providers
  – Discovery Service
  – Policies

Page 7: Identity Federation For Authenticating and Authorizing Researchers

Public Key Infrastructure - PKI

• Certification Authority - CA
• Registration Authority - RA
• Validation Authority - VA
• X.509 Certificates

Page 8: Identity Federation For Authenticating and Authorizing Researchers

PKI

• A user applies for a certificate with his public key at a Registration Authority (RA)

• User identity is confirmed and certificate is issued
• The user digitally signs the new certificate
• The Validation authority checks the identity of the issued certificate
• Implemented in software

CA = https://ngca.eko-konnect.net.ng/CA
VA = https://ngca.eko-konnect.net.ng/CA/mgt/scert.php

Page 9: Identity Federation For Authenticating and Authorizing Researchers

CA

Page 10: Identity Federation For Authenticating and Authorizing Researchers

Identity Federations (IdFs)

• There is only one CA and IdF per country except in some countries like the US
• There can be several RAs and VAs
• But with good authentication systems in place each institution can have an IdP
• Currently a “Catch-All” IdP for the NgREN is run and maintained by Eko-konnect
• This can be used by institutions without any functional authentication system

Page 11: Identity Federation For Authenticating and Authorizing Researchers

Science Gateway

09/11/2013

Virtual community connecting geographically separated researchers with web based interfaces to help them to share data, run remote computers and access applications and information in order to design, carry out studies and interpret research results.

Page 12: Identity Federation For Authenticating and Authorizing Researchers

Problems with access to e-infrastructure

• PKI and Personal CAs
• Federated credentials

Page 13: Identity Federation For Authenticating and Authorizing Researchers

Components of an Identity Federation

Page 14: Identity Federation For Authenticating and Authorizing Researchers

Service Provider (SP)

• Is a term used to describe anyone who has a service, resource or set of content that they want to make available to users via a login.
• The login is used to limit access to services
• SPs do not hold information about users
• They rely on the IdP to get user information
• Examples are the Africa Grid Science Gateway and the EduERP portal

Page 15: Identity Federation For Authenticating and Authorizing Researchers

Identity Providers (IdPs)

• An Identity Provider or 'IdP' is a term used to describe any institution or organisation that manages information about users and wants to provide access to resources for these users.

• There are currently thousands of Identity Providers worldwide supporting over 16 million users

• An IdP is maintained and managed in Nigeria and is accessible at https://ngidp.eko-konnect.net.ng

Page 16: Identity Federation For Authenticating and Authorizing Researchers

Identity Federation (IdF)

• An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access and use of the resources

Page 17: Identity Federation For Authenticating and Authorizing Researchers

Authentication vs Authorization

• Authentication establishes the user’s identity, done by the identity provider
  – To get authenticated by an IdP people have to be enrolled on it and registered, upon proper identification, on the registry connected to the IdP
• Authorization defines the user’s permission within the application
  – The fact that you are the one you claim to be (i.e., you are authenticated by an IdP) does not imply, by portal policy, that you are automatically authorised to access and use the Africa Grid Science Gateway. To do so people have to fill in the authorisation request form.
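
The split described on this slide, as an added sketch that is not part of the original presentation or of the gateway's own code: a service provider first checks that a federation IdP vouches for the user, then separately checks its own authorisation registry. The registry contents, user names, key and function names are constructed, and an HMAC stands in for the signature an IdP would place on a real assertion.

```python
import hashlib
import hmac
import time

# Constructed federation metadata: IdP entity ID -> verification key.
# Real federations publish IdP signing certificates in metadata; HMAC is a
# stand-in here so the example runs with the standard library only.
FEDERATION_IDPS = {"https://ngidp.eko-konnect.net.ng": b"constructed-demo-key"}

# Constructed gateway-side registry, filled from the authorisation request form.
AUTHORISATION_REQUESTS = {"ada@unilag.example": "approved",
                          "bayo@unilag.example": "pending"}


def sign_assertion(issuer, subject, not_after, key):
    """IdP side: bind issuer, subject and expiry together under the IdP key."""
    msg = f"{issuer}|{subject}|{not_after}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def authenticate(assertion, now=None):
    """SP side: return the subject if a federation IdP vouches for it, else None."""
    now = time.time() if now is None else now
    key = FEDERATION_IDPS.get(assertion["issuer"])
    if key is None:                       # issuer is not a federation member
        return None
    expected = sign_assertion(assertion["issuer"], assertion["subject"],
                              assertion["not_after"], key)
    if not hmac.compare_digest(expected, assertion["signature"]):
        return None                       # altered or forged assertion
    if now > assertion["not_after"]:      # assertion has expired
        return None
    return assertion["subject"]


def authorise(subject):
    """SP side: portal policy, decided only from the gateway's own registry."""
    return AUTHORISATION_REQUESTS.get(subject) == "approved"


def access_decision(assertion, now=None):
    """Authentication first, authorisation second; the two can disagree."""
    subject = authenticate(assertion, now)
    if subject is None:
        return "401 not authenticated"
    if not authorise(subject):
        return "403 authenticated, authorisation request not approved"
    return "200 access granted"
```

A user with a valid IdP login but a pending or missing request form gets the 403 branch, which is the case the slide warns about.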

Page 18: Identity Federation For Authenticating and Authorizing Researchers

Accessing the TRODAN Data with NgREN Catch-All Identity Provider

Demonstration
http://ngidp.eko-konnect.net.ng

Page 19: Identity Federation For Authenticating and Authorizing Researchers

Accessing the TRODAN Data

• Register a user account on the NgREN IdP
• Connect to sgw.africa-grid.org and be redirected to register with an IdP in your region.
• Applications - Earth Sciences TRODAN Data Repository

Page 20: Identity Federation For Authenticating and Authorizing Researchers

DEMO

Page 21: Identity Federation For Authenticating and Authorizing Researchers

Thank you for listening

Questions?
