Use case
Providing x509 based access capabilities to the end-user without the need for them to maintain or understand PKI. PKI infrastructures work very well for experts who are used to handling certificates and private keys, but is conceived as very difficult by most end-users. For automated systems, certificate-based authentication is, however, fast, reliable, well-supported, well-understood from a security point-of-view etc.
Would it be possible to establish a setup where certificates remain under the hood and end-users can use a ‘simple’ username/password based institutional login to authenticate?
Proposed and piloted components to address this use case
- CILogon (incl OA4MP, Shibb, MyProxy, Simple CA).
- VOportal (demo purposes only) + Master Portal
- VOMS (interface with)
The current status of this work has been presented at the general AARC meeting in Utrecht in May 2016. See this Slide presentation for more details Token Translations: CILogon for Europe
AARC pilot implementation
Our setup falls apart in roughly three separate parts (see Fig. 1 below):
- a central online CA with a web frontend (yellow parts),
- a caching and credential handling Master Portal (red parts),
- Science gateways run by VOs (VO portals) (blue parts).
The end-user interacts almost exclusively with the VO portals.
The Master Portal is a new component, based on a replication of the CILogon software, in order to move all the complexity away from the VO-run science gateways. The net result is that it is extremely easy for the VO portals to securely obtain credentials, based on the OpenID Connect protocol (acting as a client). The Master Portal takes care of obtaining the longer-lived end-entity certificates, caching them in the form of a proxy certificates and handling the additions of the VO-based attributes. Due to the more modular setup, having this extra component in the middle also makes it easier to reuse the same online CA for different e-Infrastructures.
In collaboration with AARC-Policy Work Package (NA3), we have built an online CA following all the necessary policies for such CAs. This CA has just been approved for accreditation by the IGTF, paving the way for adoption in the real world. Building a fully-compliant online CA turned out to be one of the more complex parts of this pilot. Ultimately this CA should be run by one of the bigger players involved, on a pan-European scale, accessible and usable by the entire European research community.
We have successfully set up Proof-of-Concept pilots with both ELIXIR and EGI, where these infrastructures each run copies of the Master Portal. The basic workflow has been proven and it is foreseen that these pilots will go into a next phase in the coming year, in which we will finalize the CA and the Master Portal software.
We hope that this work will enable many more researchers to use the available infrastructures fully to their potential without having to deal with the complexities of the underlying certificates.
Status per June 1st 2016
The current status of this work has been presented at the general AARC meeting in Utrecht in May 2016. See this Slide presentation for more details Token Translations: CILogon for Europe