Scott Koranda, Jim Basney: CILogon 2… · 17/05/2016 · CILogon 2.0 project, 3 year NSF...
TRANSCRIPT
Jim Basney, Scott Koranda
CILogon 2.0
This material is based upon work supported by the National Science Foundation under grant numbers 0850557, 0943633, 1053575, 1440609, and 1547268 and by the Department of Energy under award number DE-SC0008597. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the United States Government or any agency thereof.
CILogon www.cilogon.org
CILogon 2.0 Project
❏ 3 year NSF CICI award
  ❏ January 2016 - December 2018
❏ Provide an integrated open source Identity and Access Management (IdAM) platform for cyberinfrastructure
  ❏ CILogon: federated identity management
  ❏ COmanage: collaborative organization management
❏ Support international collaborations
NSF CICI Program
❏ Cybersecurity Innovation for Cyberinfrastructure (CICI)
❏ Funds projects in the areas of
  ❏ Cybersecurity Center of Excellence
  ❏ Regional Cybersecurity Collaboration
  ❏ Secure and Resilient Architecture
  ❏ Secure Architecture Design
  ❏ Data Provenance for Cybersecurity
https://www.nsf.gov/funding/pgm_summ.jsp?pims_id=505159
CILogon 2.0 Team Members
❏ Jim Basney
❏ Terry Fleury
❏ Jeff Gaynor
❏ Venkat Yekkirala
❏ Heather Flanagan
❏ Scott Koranda
❏ Benn Oshrin
❏ Arlen Johnson
Science Partners
❏ NANOGrav Physics Frontiers Center
❏ Laser Interferometer Gravitational-Wave Observatory (LIGO)
❏ Data Observation Network for Earth (DataONE)
Cyberinfrastructure Partners
❏ Operational support
❏ Integration platform
❏ International use cases
❏ Support for European identities
  ❏ Using eduGAIN
Logical Component View
(diagram; components shown: SAML SP, OIDC Provider, X.509 CA (HSM), OIDC SP, MFA (OATH), LDAP, COmanage, Identities, MFA Tokens, SSH Keys, Groups, Attributes, SAML AA, User Registry Interface, eduGAIN IdP, Google IdP, InCommon IdP, OAuth SP, ORCID, Science Apps)
SAML to OpenID Connect (OIDC) Gateway
❏ Supporting e-Science clients
  ❏ Review & approval by CILogon staff
❏ User consent based on requested scopes
  ❏ openid, profile, email
  ❏ org.cilogon.userinfo (eppn, affiliation)
  ❏ edu.uiuc.ncsa.myproxy.getcert (to allow X.509 certificate issuance)
  ❏ VO attributes
www.cilogon.org/oidc
CILogon User Consent
A Transparent Gateway
❏ CILogon passes campus/VO attributes to the e-Science SP
  ❏ Always requiring user consent
  ❏ Attribute scopes approved per-client
❏ COmanage displays terms and conditions during VO enrollment
  ❏ VO attribute release policy applied per client
Open Researcher and Contributor ID (ORCID)
❏ Linking ORCID iDs to federated IDs
  ❏ orcid.org
  ❏ on campus
  ❏ search.dataone.org
  ❏ cilogon.org
❏ eduPersonOrcid
  ❏ REFEDS ORCID working group
Demo
(diagram; components shown: SAML SP, OIDC Provider, LDAP, COmanage, User Registry Interface, Demo App, InCommon IdP)
❏ Initial integration of CILogon OIDC with COmanage LDAP to retrieve VO memberships and ORCID iD
Demo
Demo
{
  "sub": "http://cilogon.org/serverA/users/534",
  "name": "James Alan Basney",
  "given_name": "James",
  "family_name": "Basney",
  "email": "[email protected]",
  "idp_name": "University of Illinois at Urbana-Champaign",
  "idp": "urn:mace:incommon:uiuc.edu",
  "affiliation": "[email protected];[email protected];[email protected]",
  "eppn": "[email protected]",
  "eptid": "urn:mace:incommon:uiuc.edu!https://cilogon.org/shibboleth!cyXC3O5fi0t1NBsW1NsOxZDyDd4=",
  "eduPersonOrcid": ["http://orcid.org/0000-0002-0139-0640"],
  "isMemberOf": ["members", "members:Research", "Publication Policy"]
}
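As an added example (not CILogon or COmanage project code), the following Python models the gateway behaviour described on the OIDC gateway and transparent gateway slides and exercised by the demo userinfo response above: per-client scope approval, claim release limited to the consented scopes, and authorization on a COmanage group carried in isMemberOf. The SCOPE_CLAIMS mapping, SAMPLE_USERINFO and the function names are assumptions made for illustration.

```python
from typing import Iterable

# Scope -> claims mapping. openid/profile/email follow standard OIDC; which
# claims sit under org.cilogon.userinfo beyond eppn and affiliation is an
# assumption made for this example, not a CILogon specification.
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name"},
    "email": {"email"},
    "org.cilogon.userinfo": {"eppn", "affiliation", "idp", "idp_name", "eptid",
                             "eduPersonOrcid", "isMemberOf"},
    # Enables X.509 certificate issuance; releases no userinfo claims.
    "edu.uiuc.ncsa.myproxy.getcert": set(),
}

# Constructed sample with the same shape as the demo userinfo response
# (placeholder values, not a real person or IdP).
SAMPLE_USERINFO = {
    "sub": "http://cilogon.org/serverA/users/0",
    "name": "Ada Example", "given_name": "Ada", "family_name": "Example",
    "email": "ada@example.edu",
    "idp_name": "Example University", "idp": "urn:mace:incommon:example.edu",
    "affiliation": "member@example.edu;staff@example.edu",
    "eppn": "ada@example.edu",
    "eduPersonOrcid": ["http://orcid.org/0000-0000-0000-0000"],
    "isMemberOf": ["members", "members:Research", "Publication Policy"],
}

def effective_scopes(requested: Iterable[str], approved: Iterable[str]) -> set:
    """Scopes the gateway acts on: those the client requested AND CILogon staff
    approved for that client. Anything else is dropped, so a client cannot
    widen its attribute release just by asking for more."""
    requested = set(requested)
    if "openid" not in requested:
        raise ValueError("an OIDC request must include the openid scope")
    return requested & set(approved)

def release_claims(userinfo: dict, scopes: set) -> dict:
    """Filter the full attribute set to the claims covered by the effective
    scopes; this is what the consent page shows and what the SP receives."""
    allowed = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    return {k: v for k, v in userinfo.items() if k in allowed}

def is_vo_member(claims: dict, group: str) -> bool:
    """Authorize on a COmanage group carried in isMemberOf. Exact match only:
    membership in 'members' does not imply 'members:Research'."""
    return group in claims.get("isMemberOf", [])
```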
CILogon in Europe
❏ Supporting international research collaborations
❏ Int’l IdP support at cilogon.org soon via InCommon’s eduGAIN membership
  ❏ Depends on int’l R&S adoption
❏ European CILogon instance
  ❏ Addresses EU attribute release policies
  ❏ IGTF accredited CA: https://rcauth.eu/
CILogon Monthly Usage
CILogon Monthly Usage
Encouraging Federated Logins
❏ In February 2016, Globus began listing InCommon IdPs directly, rather than as “alternate login” option
  ❏ InCommon / CILogon use doubled!
Attribute Release Challenges
❏ R&S attributes not released for students
❏ Affiliate researcher
❏ Former student
❏ Former employee
❏ IdP operational failures
Students do research!
Most Used IdPs in Apr 2016
1. LIGO
2. NIH
3. U of Michigan
4. Purdue University
5. U of Chicago
6. UIUC
7. UCLA
8. University of Colorado at Boulder
9. Google (was #1 in 2012)
10. University of California, Berkeley
11. Argonne Nat’l Lab
12. Indiana University
13. University of Minnesota
14. LBNL
15. Johns Hopkins
16. Yale University
17. Cornell University
18. Case Western Reserve University
19. Stanford University
20. University of Nebraska-Lincoln
(unique active users per IdP; the slide also marks individual IdPs with R&S and ECP support indicators)
COmanage News
❏ COmanage Registry Release 1.0.0 in December 2015
❏ COmanage Registry Release 1.0.3 in TIER Release 1
❏ COmanage Release 1.0.4 current