This subtasks deals with the pilots for attribute management

• Authentication technologies. New user communities prefer using technologies for authentication different from X509 digital certificates, for example username/password based authentication.

• Single sign on. Users should be enabled to use their institutional credentials to access EGI services. One  barrier  for  new  users  is  that  they  have  to  obtain a  new  credential  to  access  the  e­infrastructure.  In  some  cases, this  is  just  an  inconvenience,  yet another  credential  to  manage,  but  for  some  users  (those  outside institutions  or the  major  IdP  federations) it  may  be  not  possible  to  obtain  such  a credential.  User  friendliness  is  of  course  a  major  feature  for  any  Single Sign On  capability.

• Community attributes-­based authorization. Community-based authorization has been implemented in EGI from the beginning, and is at the basis of the collaborative nature of EGI. It is fundamental for EGI that every AAI technology and architecture enables the communities to manage the capabilities and the roles of their users, and to let these attributes be used by the services to regulate the authorization. Given the scale of the EGI service, providers cannot implement per-­user authorization, but must authorize a user based on the attributes associated to that user.
• Non-­web access. EGI services are accessible natively by command line clients, implementing the services’ standard APIs. While there are several options for users to use web-­tools to access the resources, authentication must consider both web and non-­web access scenarios.
• Delegation. EGI services allow complex workflows, and users often submit thousands of computational tasks that need to access other resources (e.g. storage) on their behalf. The authentication technology must support delegation, either natively or through credential translation to another technology. Without delegation EGI users cannot get the full potential of the services.
• Scalable policies for attribute release. EGI is a highly distributed infrastructure, with hundreds of service providers, hundreds of communities, and tens of thousands of users. In this scenario, it is critical that the policies and the procedures are scalable with the number of actors involved.
• PID for users. EGI foresees the need for a user unique and persistent identifier. One use case is to map multiple credentials to a single user. A second use case, and in particular for an EGI-­specific unique identifier, is to share authorization assertions between EGI services, which may not be possible when using an IdP-­provided user UID.
• LoA management. EGI supports a very diverse set of use cases. Open data is a typical use case where a very large community of users can access a data set, but there is need for a lightweight authentication, for example to account for the number of actual users using a service. In this example, EGI needs to enable users without the need for ‘expensive’ high assurance credentials. Clearly service providers must be able to extract information about the LoA from the attributes associated to the user identity. LoA definitions should be standard and simple, so as not to over-­complicate the service provider’s decision as to whether or not to allow the user task.
• Credential translation services. While the plan is to push forward with the direct support of federated identity technologies for the central tools and the new service types, some services, for example those offering HTC resource, will likely continue to use X509 technologies, therefore credentials translation capabilities are necessary to allow users with federated identity credentials to access the full set of EGI services.

These use cases have been translated to requirements and have been described in the Deliverable "DJRA1.1:Analysis of user community and service provider requirements"  
Page 18 of this document provides a dedicated description of the issues.....currently face with regard to federated identity management. Requirements R1, R3, R5, R6, R7, R8, R9, R14, R15, R16 and R_P_3 (see page 33 and onwards) are applicable to this context and have been guiding our work in this pilot.

Proposed and piloted solutions to address these issues

• We established a pilot proxy.....

The current status of this work has been presented at the general AARC meeting in Utrecht in May 2016. See this Slide presentation for more details. SA1.2 Pilots. Updates

Requirements	Components in Blue Print Architecture	Status and Results
Requirements R?.....R?		Status per June, 1st 2016

Status per June 1st 2016

• ....
• ....

Information about the Openstack pilot set-up

We deployed an Openstack testbed on two virtual machines:

• am02.pilots.aarc-project.eu is the controller node
• am05.pilots.aarc-project.eu is the compute node

The OpenStack version installed is Liberty, on the operating system Ubuntu 14.04. The OpenStack components deployed are: keystone, neutron, nova, glance and horizon

The keystone component was configured to work in a federated environment: it acts as (Shibboleth) Service Provider. No local accounts were created on it, apart the admin one.

When an user goes to the horizon login page, there are two options:

• login with Keystone credentials (which obviuosly hasn't got)
• login through SAML assertion

Chosen the SAML option, the user is redirected on a page where can select the preferred Identity Provider for performing the authentication: currently it was configured only the IDP of the pilot testbed (am-proxy.pilots.aarc-project.eu).

Once filled-in its data, the user is brought back to horizon where he can finally access to the openstack functionalities.

The actions he can perform depend on:

• the local group which the user is mapped to
• the role assigned to the user in that particular group for one of the existing OpenStack project

On OpenStack it was created 3 projects for the AARC pilot users: aarc-pilot, aarc-pilot2 and aarc-pilot3.

The local groups reflect the eduPersonAffiliation attribute owned by the users in their IDP: member, student, employee, faculty and staff.

The role assigned for a particular project can be: user or admin

The following is a simplified rule just for explaining how the IDP users are mapped to ephemeral account:

All the users having "faculty" in the eduPersonAffiliation attribute are mapped to the local group which has got the id=2694979ea7fb41a9a6adf00eb212a335 and as local username is used the eppn.

The dashboard login page is https://am02.pilots.aarc-project.eu/horizon/

Some tech details. Notes on some issues found

• When trying to login into horizon using the local accounts defined in openstack (admin and demo users), the access fails with the following error reported in the log /var/log/apache2/error.log:

For solving it we had to set "OPENSTACK_SSL_NO_VERIFY = True" in the horizon configuration. It is also important having the CAs added in the python-requests in horizon (as mentioned in https://wiki.egi.eu/wiki/Federated_Cloud_APIs_and_SDKs#CA_Certificates )

• When trying the federated login via the SAML authentication, if you get the following error page:

and in the /var/log/apache2/keystone.log there is the following error:

you may have hit this bug http://trwa.ca/2014/10/shibboleth-2-5-apache-2-4-and-breaking-apache-basic-auth/

So creating this file

and enabling it in shibboleth solves the issue

Information about the COmanage Registry set-up

We deployed a COmanage Registry service on the virtual machine am03.pilots.aarc-project.eu:

• chosen the organizational identiy unpooled option

The registry was configured as service provider: the IDP contacted is am-proxy.pilots.aarc-project.eu

• the registry admin is professor3
• created for the moment 2 COs: aarc-white and aarc-yellow
• at each COs correspond a dedicated project in OpenStack
• we are testing the user mapping to the several projects in OpenStack: depending on the role in their COs, users have got different rights in their project