EOSC-hub & RCauth.eu presentation
- 1. eosc-hub.eu @EOSC_eu EOSC-hub receives funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 777536. On-line OIDC based PKIX credentials RCauth.eu
- 2. 2 Motivation and driving consideration about the service Service architecture and interfaces: overview - How the user can access the service E.g.: REST, GUI, CLIs, etc. - Service options and attributes Acceptable Usage Policy (AUP) Access policy and business model Use cases Documentation/tutorial/information 11/27/2018 Content
- 3. 3 provide access to PKI-secured services leveraging client-certificate, and deep delegation access, with non-interactive use and AAI integration capabilities …without exposing the complexity of PKI to the user 11/27/2018 Motivation
- 4. 4 RCauth.eu is part of a credential management ecosystem Can optionally be extended with a credential management system: Master Portals (OIDC and SSH access), WaTTS, and IAM 11/27/2018 Service architecture and interfaces
- 5. 5 RCauth: Three components: - Web frontend (“delegation service”), based on US-CIlogon software: OpenID Connect provider - Back-end CA based on myproxy-server with an HSM - Filtering WAYF towards eduGAIN evolving towards a multi-tenant multi-national HA deployment Operations: supported (not exclusively) by EOSC-HUB, SURF, GEANT, … Further reading: https://aarc-project.eu/digital-certificates-behind-the-scenes-the-aarc- cilogon-pilot/ https://wiki.nikhef.nl/grid/AARC_Pilot https://rcauth.eu/ 17/04/2018 EOSC-hub AAI RCauth
- 6. 6 Access is provided to qualified clients through: an OIDC REST based protocol to end-users through eduGAIN integrated WebSSO 11/27/2018 Service access CA: RCauth: an HSM-backed Online CA Login: via a filtering WAYF (R&S + Sirtfi) to eduGAIN Several infra & community IdP/SPs are also attached IGTF accredited under IOTA profile (DOGWOOD) Provides 11-day certificates Clients to the CA: Clients are MasterPortals, WaTTS, and also other non-EOSC TTS services: Intermediary to the actual clients which are the Science Gateways Needed for caching the credentials Handling the complexity
- 7. 7 Research Infrastructures coordinated based on Scntfi organized community management can bridge their own users into RCauth.eu regardless of eduGAIN availability https://www.igtf.net/snctfi/ https://aarc-project.eu/guidelines/aarc-g015/ Any user, anywhere in the world, can use the service provided the assurance level is sufficient. The home organization and the user must meet REFEDS R&S and Sirtfi incident response expectations Goes well together with AARC AAI proxy implementations 11/27/2018 Service options and attributes
- 8. 8 The RCauth.eu service complies with the IGTF ‘dogwood’ assurance level, so users must meet its criteria as well Detailed requirements: https://rcauth.eu/policy/ You must agree to the privacy policy: https://rcauth.eu/privacy 11/27/2018 Acceptable Usage Policy
- 9. 9 This service is free at point of use, and is supported by funding from a variety of national and European sources SURF (NL), EOSC-HUB (EU), GEANT (EU), and Nikhef Primary audience is the EMEA region CIlogon.org is available in the US (and global). There are no connection fees for RIs and e-Infrastructures – material contributions may be required to participate as a stakeholder in its governance model For details, see the governance model terms https://rcauth.eu/policy/RCauth-ICA-governance-DRAFT.pdf 11/27/2018 Access policies and funding models
- 10. 10 Current use cases supported by RCauth.eu ELIXIR AAI – as a back-end to access cloud resources Project MinE – command-line access to HTC resources using federated login for ALS researchers WLCG federated access to transfer services (AuthZ) ... and many more … Available in all major federated AAI proxy implementations 11/27/2018 Featured use cases
- 11. 11 Do it Yourself example flow for RCauth-like scenarios 11 REFEDS R&S Sirtfi Trust see also https://rcdemo.nikhef.nl/ Built on CILogon and MyProxy www.cilogon.org Community Science Portal Infrastructure Master Portal Credential Store Policy Filtering WAYF / eduGAIN User Home Org or Infrastructure IdP Accredited PKIX Authority
- 12. 12 For service documentation, see https://rcauth.eu/ For code transparency: https://github.com/rcauth-eu Contact and service requests: ca@rcauth.eu 11/27/2018 Documentations
- 13. eosc-hub.eu @EOSC_eu Thank you for your attention! ca@rcauth.eu RCauth.eu is co-supported by SURF, EOSC-HUB, GEANT, and Nikhef
Editor's Notes
- #12: VO portal can be anything even a simple shell Certs stored only for 11 days Master portal can add attributes via VOMS (or others in the future)