Version 8 (modified by tmitchel@bbn.com, 13 years ago) (diff)

Identity and Attributes in GENI

Session leaders

Ken Klingenstein, Internet2
Tom Mitchell, BBN

Time

Tues 1:00 - 2:30 pm

Description

This meeting will seek agreement on an approach to identity and attributes in GENI.

GENI requires a way of positively identifying experimenters and granting them access to tools and resources. Current control frameworks either maintain their own database of experimenters or explicitly outsource this task to an identity provider. In addition to identifying experimenters, GENI needs information about attributes like institutional affiliation, project role, etc.

The goal of this session is to discuss a proposal and reach community consensus on a way forward for identity management and attributes in GENI.

Proposal

External identity providers should be added as sources of identity attributes for GENI experimenters. Specifically, an InCommon-compatible GENI portal should be developed to allow new GENI experimenters to authenticate using their own institutional accounts. GENI should also standardize a set of identity attributes required for resource manipulation within GENI. A proposed implementation and schedule will be presented.

Agenda

Introduction - Tom Mitchell (5 mins)
IdM Principles and key issues - Ken Klingenstein (20 mins)
Proposed implementation - Tom Mitchell (15 mins)
Invited discussion - Rob Ricci (10 mins)
Invited discussion - Jeff Chase (10 mins)
Open Discussion - All (20 mins)
Summary and Wrap Up - Tom Mitchell (10 mins)

Community Agreement

  • Add external identity providers to GENI
  • GPO should build a prototype InCommon compatible GENI portal / slice authority
  • Agree on an initial set of required identity attributes
    • Name
    • Institution
    • Affiliation
    • Email address
    • Phone number

Next Steps

  • GPO will build a prototype portal / slice authority that accepts InCommon logons and produces slice credentials
    • Build a portal
    • Become an InCommon service provider
    • Work with a few test institutions to get desired attributes from their identity providers
    • Federate with a few GENI Aggregates
  • Demonstrate this portal at GEC11
    • Pending group evaluation, expand this portal to other institutions and aggregates
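As an added illustration of the portal flow the next steps describe (not code from the session, the GPO or any GENI control framework): the portal checks that an institutional IdP released the agreed attribute set, then issues a limited-life slice credential that names only an opaque subject and the slice, so aggregates never see attributes the IdP did not permit. The attribute-name mapping, URNs, signing key, salt and sample release are assumptions, and HMAC stands in for the slice authority's X.509 signature.

```python
import hashlib
import hmac
import json
import time

# Agreed GENI attribute set, mapped to assumed eduPerson/inetOrgPerson names
# that an InCommon identity provider would release to the portal.
REQUIRED = {
    "name": "displayName",
    "institution": "o",
    "affiliation": "eduPersonAffiliation",
    "email": "mail",
    "phone": "telephoneNumber",
}
PORTAL_KEY = b"portal-signing-key-placeholder"  # stands in for the SA's X.509 key
PORTAL_URN = "urn:publicid:IDN+example-portal+authority+sa"  # placeholder issuer
CRED_LIFETIME_SECS = 24 * 3600  # limited-life credential instead of revocation

def missing_attributes(released):
    """GENI attribute names whose IdP attribute is absent or empty."""
    return sorted(k for k, v in REQUIRED.items() if not released.get(v))

def issue_slice_credential(released, slice_urn, now=None):
    """Portal side: refuse unless every agreed attribute was released, then
    sign a short-lived credential carrying only an opaque subject and the
    slice (no institution, affiliation or phone number leaves the portal)."""
    if missing_attributes(released):
        return None
    now = int(time.time()) if now is None else now
    subject = hashlib.sha256(b"portal-salt|" + released["mail"].encode()).hexdigest()
    body = {"issuer": PORTAL_URN, "subject": subject[:32], "slice": slice_urn,
            "not_before": now, "not_after": now + CRED_LIFETIME_SECS}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(PORTAL_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def verify_slice_credential(cred, now=None):
    """Aggregate side: signature must match and the validity window must hold."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(PORTAL_KEY, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return False
    body = json.loads(cred["payload"])
    return body["not_before"] <= now < body["not_after"]

# Constructed sample release from an institutional IdP (not real data).
SAMPLE_RELEASE = {"displayName": "Alice Example", "o": "Example University",
                  "eduPersonAffiliation": "student", "mail": "alice@example.edu",
                  "telephoneNumber": "+1-555-0100"}
```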

Selected Discussion Points

Ken Klingenstein
  • GENI should adopt the same practice as sites like PubMed: sign in via old user/pass or InCommon
  • Use local identity in a global fashion
  • Other countries use this more than the US
  • Standards are developing
  • IETF GSSAPI will lead to federated SSH
    • But currently this is for web login
    • Note this is federated and not domesticated, which is likely what GENI wants
  • Access Control
    • Scale is hard
    • Group management tools help
    • Privilege management is sometimes needed
    • Fine grain delegation needed
  • Identity Management Principles
    • Scale
    • Address privacy via consent
    • Leverage institutional attributes
    • Make consistent with security
  • Extra GENI principles
    • Cluster / CF specific attributes should be auto managed
    • Integrate across existing projects
    • Provide access to GENI to new users and communities
  • CoManage is complementary
  • Let GENI leverage this infrastructure
Rob Ricci
  • I want
    • Accountability
    • Neck to wring
    • Name, email, institution, role
    • PI or faculty advisor
      • Could be a candidate for a self-asserted attribute
    • Class enrollment would be nice to have
  • ProtoGENI already does this
  • ProtoGENI will accept these attributes from trusted sources
  • ProtoGENI will separate the concept of the slice authority from the identity provider
    • A change, but a good idea
  • Optimize for low hassle with assurances of trustworthiness
  • Scale isn't that big:
    • Thousands currently, not 10s of thousands
    • Adding undergrads will stretch that
  • ProtoGENI users
    • 25% non US
    • PIs verify students
    • ProtoGENI (Rob) verifies PIs
      • 100s of users, not thousands
  • Pruning of accounts is manual currently
  • Users are trusted to self update their information currently
Jeff Chase
  • Build security, trust roots, and federation into GENI
  • Separate policy from mechanisms
  • Use off the shelf solutions, like Shibboleth
  • Grouper (now part of CoManage) allows an institution to manage group memberships
  • Use Shibboleth at the edge of GENI using a portal
  • Use existing X509 keys internally
  • Don't use the Shibboleth delegated authentication stuff for now
  • How do we handle revocation? Limited life certificates?
  • Putting attributes in certificates would mean revealing attributes to services that the identity provider did not explicitly permit
Group
  • Rob Ricci: if this could help with 'instant gratification' of a newly enrolled student getting access, that would be nice
  • Andy Bavier says PL is willing to federate with a new, GPO-run portal / slice authority that does this
  • Andy is interested in using CoManage or similar to offload some attribute maintenance
  • Trusting the GPO portal still requires establishing trust, and the portal would still manually approve experimenter applications

Background reading

Identity and Access Management (http://www.internet2.edu/pubs/200703-IS-MW.pdf)
Shibboleth (http://www.internet2.edu/pubs/shibboleth-infosheet.pdf)
TeraGrid federated login with PKI implementation using InCommon (http://www.ncsa.illinois.edu/~jbasney/tgfed.pdf)