Introduction

These are the information pages of GN4-1-JRA3-T1, also known as the research task on Attributes and Authorisations in the Federated Identity Ecosystem.

 

Tip
If you have any questions or remarks, feel free to contact Maarten Kremers (Tasklead).

Objectives

The objectives of this research task are:

  • Putting the user in control by working on distributed and user-controlled authorisation: making collaboration and authorisation management platforms such as HEXAA and PERUN interoperate, and contributing to the work on User-Managed Access (UMA).
  • Increasing the usefulness of groups by introducing group awareness into appropriate cloud service middleware such as OpenStack.
  • Further improving group management by continuing work on the VOOT specifications based on input from use cases, and extending additional group-aware applications with VOOT support.
  • Stimulating user-centricity for identity federations by studying the implications, benefits and costs of moving from an organisation-centric identity management model to a (more) user-centric identity federation model, such as provided by eduID developments in various federations.

Results

Tip
The results and dissemination of this task:

  • Distributed Authorisation
  • EduKEEP


People

The following people are part of this task:

Affiliation            Name
SURFnet                Maarten Kremers (Tasklead)
CESNET                 Michal Procházka
CESNET                 Slávek Licehammer
GARR                   Lalla Mantovani
GARR                   Marco Malavolti
GARR                   Andrea Biancini
NIIF                   Kristóf Bajnok
NIIF / MTA-SZTAKI      Mihály Héder
NORDUnet / Umeå Uni    Roland Hedberg
NORDUnet / Umeå Uni    Rebecka Gulliksson
RedIRIS / Uni Murcia   Alejandro Perez Mendez
SWITCH                 Christoph Graf
SWITCH                 Rolf Brugger

Work Items

In order to reach our goals, the objectives are divided into the following work items:

  • Distributed Authorisation
  • User-Managed Access Controlled Attribute Service
  • Towards a User-Centric Identity Management Model: EduKEEP

Distributed Authorisation

People

Goal / Workplan

Putting the user in control via distributed and user-controlled authorisation:
  • exploiting results from the HEXAA open call project and other initiatives around distributed AuthZ;
  • standardisation / interoperability of these systems;
  • a delegation model for accessing the AA information.

Increasing the usefulness of groups:
  • group awareness for OpenStack.

Improving group management:
  • extend group-aware applications with VOOT;
  • produce or stimulate implementations of VOOT.

Documents / Links

Distributed Authorisation Documents on Google Drive (access on request)

     

User-Managed Access Controlled Attribute Service

People

Goal / Workplan

A Proof-of-Concept for a UMA-controlled attribute service.

An application that ultimately allows a user to control access to all her attributes in one place, and that SAML2 IdPs and AAs or OpenID Connect OPs can use as their attribute source. The application is to be built independently of the implementation of the IdP and AA: they should all be able to use the same attribute service, and all that is needed is a common API.
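To make the "common API" idea concrete, here is an added Python sketch. It is not code from this task, from HEXAA, or from any UMA implementation: it models an attribute service in which the user sets a per-requesting-party release policy (default deny), and a SAML2 attribute-statement adapter and an OpenID Connect claims adapter both read through the same `query()` call. The service, the adapter functions, the entity and client identifiers and the attribute values are all constructed for the illustration; the UMA protocol exchange itself (permission tickets, tokens) is deliberately left out.

```python
# Added illustration, not code from the task or from any UMA/HEXAA implementation.
# Models a user-controlled attribute service behind one common API, consumed
# by a SAML2 adapter and an OpenID Connect adapter. Names and values are constructed.


class AttributeService:
    """Stores a user's attributes plus the user's own per-party release policy."""

    def __init__(self):
        self._attributes = {}  # user_id -> {attribute name: value}
        self._policies = {}    # user_id -> {requesting party: set of attribute names}
        self.audit = []        # (user_id, party, requested, released) per query

    def store(self, user_id, attributes):
        self._attributes[user_id] = dict(attributes)

    def grant(self, user_id, requesting_party, attribute_names):
        """The user decides which attributes a given party may receive."""
        self._policies.setdefault(user_id, {})[requesting_party] = set(attribute_names)

    def revoke(self, user_id, requesting_party):
        self._policies.get(user_id, {}).pop(requesting_party, None)

    def query(self, user_id, requesting_party, requested):
        """The common API. Default deny: without a grant nothing is released,
        and a party only ever sees the intersection of what it asked for and
        what the user allowed it."""
        allowed = self._policies.get(user_id, {}).get(requesting_party, set())
        stored = self._attributes.get(user_id, {})
        released = {n: stored[n] for n in requested if n in allowed and n in stored}
        self.audit.append((user_id, requesting_party, tuple(requested), tuple(sorted(released))))
        return released


# SAML2 adapter: friendly name -> urn:oid attribute Name (the standard OIDs for these three).
SAML_NAMES = {
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}


def saml_attribute_statement(service, user_id, idp_entity_id, requested):
    """Builds the attribute list an IdP/AA would put into a SAML AttributeStatement."""
    released = service.query(user_id, idp_entity_id, requested)
    return [
        {"Name": SAML_NAMES[n], "FriendlyName": n, "AttributeValue": [v]}
        for n, v in released.items()
    ]


# OIDC adapter: scope -> {claim name: attribute name}, as an OP would map them.
OIDC_SCOPES = {
    "email": {"email": "mail"},
    "profile": {"name": "displayName"},
}


def oidc_claims(service, user_id, client_id, scopes):
    """Builds the claims an OP would return, using the very same query() call."""
    wanted = {claim: attr for s in scopes for claim, attr in OIDC_SCOPES.get(s, {}).items()}
    released = service.query(user_id, client_id, list(wanted.values()))
    return {claim: released[attr] for claim, attr in wanted.items() if attr in released}


def demo():
    """Constructed scenario: Alice releases different subsets to a SAML IdP and an OIDC client."""
    svc = AttributeService()
    svc.store("alice", {"mail": "alice@example.org", "displayName": "Alice Example",
                        "eduPersonAffiliation": "member"})
    svc.grant("alice", "https://idp.example.org/saml", ["mail", "eduPersonAffiliation"])
    svc.grant("alice", "oidc-client-1", ["mail"])
    stmt = saml_attribute_statement(svc, "alice", "https://idp.example.org/saml",
                                    ["mail", "displayName", "eduPersonAffiliation"])
    claims = oidc_claims(svc, "alice", "oidc-client-1", ["email", "profile"])
    svc.revoke("alice", "oidc-client-1")
    after_revoke = oidc_claims(svc, "alice", "oidc-client-1", ["email"])
    return svc, stmt, claims, after_revoke


if __name__ == "__main__":
    _, stmt, claims, after_revoke = demo()
    print(stmt, claims, after_revoke)
```

The point of the sketch is that neither adapter knows about the other's protocol or about the policy store: the SAML IdP asks for three attributes and receives two, the OIDC OP asks for two scopes and receives one claim, and after the user revokes the OIDC grant the same call returns nothing. The audit list records every query with what was requested versus released, which is the trace a user-centric service needs for the user to see who asked for what.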

Documents / Links

Towards a User-Centric Identity Management Model: EduKEEP

People

Goal / Workplan

Most, if not all, identity federations participating in eduGAIN manage users in an organisation-centric fashion. This has several implications: users who change organisations are issued new identities, even though these are linked to the very same person. Another case is that if no suitable primary affiliation exists (students leaving university, or research collaboration with industry partners), there is no straightforward way to be issued a valid identity at all.
In both cases, access to resources is lost, regardless of whether access rights were based on affiliation or granted on an individual basis.

Moving from an organisation-centric identity management model to a user-centric model would address both cases, based on a long-lived identity provider where the user is in control. Existing identity providers would become attribute providers serving information about their relationship with the individual. The long-lived identity provider releases basic information, combined with the additional attributes from the attribute providers.
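The two failure cases above (identity lost on changing organisation, and no identity without a primary affiliation) can be shown in a small model. The Python below is an added illustration, not EduKEEP's or any federation's code: a long-lived identity provider issues one persistent identifier per person, organisations act as attribute providers that only assert their current relationship with that person, and an aggregation step combines the two into one assertion. The class names, scopes, identifiers and the two policy shapes are constructed for the example.

```python
# Added illustration of the user-centric model, not EduKEEP code. All scopes,
# identifiers and attribute values are constructed.


class LongLivedIdP:
    """Issues one persistent identifier per person, independent of any organisation."""

    def __init__(self, scope):
        self.scope = scope
        self._users = {}

    def register(self, user_id, display_name, mail):
        self._users[user_id] = {
            "persistentId": f"{user_id}@{self.scope}",
            "displayName": display_name,
            "mail": mail,
        }

    def basic_attributes(self, user_id):
        return dict(self._users[user_id])


class AttributeProvider:
    """An organisation (a former IdP) asserting affiliation only while a relationship exists."""

    def __init__(self, scope):
        self.scope = scope
        self._members = {}

    def set_relationship(self, user_id, affiliation):
        self._members[user_id] = affiliation

    def end_relationship(self, user_id):
        self._members.pop(user_id, None)

    def attributes(self, user_id):
        if user_id not in self._members:
            return {}
        return {"eduPersonScopedAffiliation": [f"{self._members[user_id]}@{self.scope}"]}


def aggregate(idp, providers, user_id):
    """One assertion: basic info from the long-lived IdP plus affiliations from all providers."""
    assertion = idp.basic_attributes(user_id)
    affiliations = []
    for provider in providers:
        affiliations.extend(provider.attributes(user_id).get("eduPersonScopedAffiliation", []))
    assertion["eduPersonScopedAffiliation"] = affiliations
    return assertion


def authorise(assertion, policy):
    """A service policy may grant access by scoped affiliation, by individual, or both."""
    by_affiliation = bool(set(assertion["eduPersonScopedAffiliation"]) & policy.get("affiliations", set()))
    by_individual = assertion["persistentId"] in policy.get("individuals", set())
    return by_affiliation or by_individual


def scenario():
    """Constructed walk-through: Alice moves from Uni A to Uni B, then leaves academia."""
    idp = LongLivedIdP("eduid.example")
    uni_a = AttributeProvider("uni-a.example")
    uni_b = AttributeProvider("uni-b.example")
    idp.register("u123", "Alice Example", "alice@example.org")
    uni_a.set_relationship("u123", "student")
    at_uni_a = aggregate(idp, [uni_a, uni_b], "u123")
    uni_a.end_relationship("u123")          # the organisation changes ...
    uni_b.set_relationship("u123", "staff")
    at_uni_b = aggregate(idp, [uni_a, uni_b], "u123")
    uni_b.end_relationship("u123")          # ... and finally no affiliation at all
    unaffiliated = aggregate(idp, [uni_a, uni_b], "u123")
    return at_uni_a, at_uni_b, unaffiliated


if __name__ == "__main__":
    for step in scenario():
        print(step["persistentId"], step["eduPersonScopedAffiliation"])
```

Running the scenario shows the property the work item is after: the persistent identifier is the same in all three assertions, so a service that granted Alice access on an individual basis keeps working after she changes organisation and even when she has no affiliation left, while affiliation-based grants naturally follow the attribute providers' current statements.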

Documents / Links

Question? / Remarks?

Please contact Maarten Kremers

     
