add outlook and one slide per development

50dd4046 · Marcus · cd5ca2e7 · 50dd4046
Commit 50dd4046 authored 3 years ago by Marcus
--- a/2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md
+++ b/2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md
 ---
 # vim:tw=100:ft=markdown
-author: <white><small>Sander Apweiler, Marcus Hardt, Uwe Jandt, Andreas Klotz</small></white>
+author: <white><small>Sander Apweiler (FZJ), Marcus Hardt (KIT), Uwe Jandt (DESY), Andreas Klotz (HZB)</small></white>
 title: <white><br/><br/><small> Helmholtz-AAI </small></white>
 date: <white>October 2021</white>
 theme: marcus
@@ -14,11 +14,6 @@ mouseWheel: true
 transition: none
 backgroundTransition: none
 ---
-## Presentation Metadata:
- Tag 1, 26. Oktober 2021
- 11:15-12:15 Uhr
- Agenda hier: [https://www.dfn.de/veranstaltungen/betriebstagungen/infos](https://www.dfn.de/veranstaltungen/betriebstagungen/infos) (bald)
-

 ## Outline
 - Motivation
@@ -29,10 +24,10 @@ backgroundTransition: none

 # Motivation <br/> + <br/> Overview
 ## Historical records
- Helmholtz Data Federation (HDF) needed an AAI
+- Helmholtz Data Federation (HDF) needed an AAI (back in 2017)
 - Proof of Concept implementation of the [AARC Blueprint Architecture](https://aarc-community.org/architecture)
    - SP-IdP Proxy (in eduGain)
-    - 4 Initial services (Nagios, OpenStack, DCache, WaTTS, ...)
+    - 4 Initial services (Nagios, OpenStack, dCache, WaTTS, ...)
    - OpenID Connect as a primary target
 - Adaptation of the [AARC Policy Development Kit](https://aarc-community.org/policies/policy-development-kit)
    - Security + Trust
@@ -71,7 +66,7 @@ backgroundTransition: none
    - Even "Homeless Users" __could__ be supported


-## {data-background-image="images/foederationen_und_bpa.png" data-background-size="contain"}
+## {data-background-image="images/foederationen_und_bpa_mod.png" data-background-size="contain"}


 # Architecture
@@ -87,8 +82,6 @@ backgroundTransition: none


 ## AARC Results
- [AARC Blueprint Architectures](https://aarc-community.org/architecture/) 
-    - Introduction of the "proxy" component
 - [AARC Policy Development KIT](https://aarc-community.org/policies/policy-development-kit/)
    - Fundamental policy templates for
        - Operating an infrastructure
@@ -101,7 +94,13 @@ backgroundTransition: none
        - Service Operation
        - Acceptable Use Policy

-         All policies designed to be GDPR compliant
+         **All policies designed to be GDPR compliant**
+
+- [AARC Blueprint Architectures](https://aarc-community.org/architecture/) 
+    - Introduction of the "proxy" component
+
+
+## {data-background-image="images/bpa-final-glow.png" data-background-size="contain"}


 ## The **"proxy"** component
@@ -119,9 +118,6 @@ aka: "SP-IdP-Proxy"
 - Stackable


-## {data-background-image="images/bpa-final-glow.png" data-background-size="contain"}
-
-
 ## Evolution of the BPA (~2019)
 - Add differentiation:
    - Between **community** and **infrastructure**
@@ -135,22 +131,10 @@ aka: "SP-IdP-Proxy"

 # Implementation

-
-## Connected Services
- Multi Protocol:
-    - Identities: SAML, OpenID Connect, X.509
-    - Services: OpenID Connect, SAML
- Integrated Services:
-  - Gitlab, Sync&Share, Chat, Storage, Compute & more.
-  - High level overview (a.k.a. Helmholtz Cloud Services): [cloud.helmholtz.de/services](https://cloud.helmholtz.de/services)
-  - More pilot services at [documentation pages](https://hifis.net/doc/cloud-services/list-of-services/#pilot-services)
-  - Exhaustive list: [aai.helmholtz.de/services](https://aai.helmholtz.de/services)
- Helmholtz Federated IT services (HIFIS, [hifis.net](https://hifis.net))
-  - Drives development, documentation and service integration
-
 ## **Helmholtz-AAI** <br/>implements<br/> **AARC BPA**
+
 ## Technical implementation
- Software: `unity`
+- Software: `unity` (also used for Eudat's [b2access](https://b2access.eudat.eu))
    - Production: [https://login.helmholtz.de](https://login.helmholtz.de)
    - Development: [https://login-dev.helmholtz.de](https://login-dev.helmholtz.de)
 - Self service Group Membership:
@@ -159,20 +143,24 @@ aka: "SP-IdP-Proxy"


 ## Helmholtz-AAI Features
+- Well documented at [https://aai.helmholtz.de](https://aai.helmholtz.de)
+- Implements the [Policy Development Kit](https://aarc-community.org/policies/policy-development-kit)
 - Follows AARC recommendations (a lot of the `G0XY` documents)
    - <=> To use specific schemas for attributes and their content
- Focused on OIDC
- Implements the [Policy Development Kit](https://aarc-community.org/policies/policy-development-kit)
- Explicit Assurance
- Well Documented
- URN registries for 
-    - `G002` (Soon: `G059`) style group memberships
-    - `G027` style resource capabilities
- HIFIS is an (observing) member of AEGIS
-
+    - HIFIS is an (observing) member of AEGIS
+- Focus on OIDC
+    - OpenID is not OpenID Connect
+    - OpenID connect is defined be the OpenID Foundation
+    - The OpenID protocol is deprecated
+- Three levels of authorisation
+    - Community based
+    - Home Organisation Based
+    - Assurance Based


 ## Authorisation Management<br/>Based on **Community**
+<div class="columns">
+  <div class="column">
 - **Virtual Organisation (VO)** approach
 - Very similar: HPC compute projects
 - **VO** Managers can administer community members
@@ -181,16 +169,46 @@ aka: "SP-IdP-Proxy"
        - `climate -> ozone -> south-pole`
        - `cern -> cms -> admin`

+ </div>
+  <div class="column">
+```json
+  "eduperson_entitlement": [
+    "urn:geant:helmholtz.de:group:Helmholtz-member",
+    "urn:geant:helmholtz.de:group:HIFIS:Associates",
+    "urn:geant:helmholtz.de:group:HIFIS:Core",
+    "urn:geant:helmholtz.de:group:HIFIS",
+    "urn:geant:helmholtz.de:group:IMK-TRO-EWCC",
+    "urn:geant:helmholtz.de:group:KIT"
+  ]
+```
+</div>
+ </div>
+

 ## Authorisation Management<br/>Based on **Origin**
+<div class="columns">
+  <div class="column">
 - **Home-IdP based** approach
 - Home IdP can assert complementary information
 - Services can filter users by
    - Home-Org asserted eligibility to use certain resources
    - Status: - Employee / Student / Guest

+ </div>
+  <div class="column">
+```json
+  "eduperson_entitlement": [
+    "http://bwidm.de/entitlement/bwLSDF-SyncShare",
+    "urn:mace:dir:entitlement:common-lib-terms",
+  ]
+```
+</div>
+ </div>
+

 ## Authorisation Management<br/>Based on **Assurance**
+<div class="columns">
+  <div class="column">
 - Levels of Assurance: [REFEDS Assurance Framework](https://refeds.org/assurance)
    - Passport seen, Work-Contract available (Most academic Institutes)
    - Uniqueness of the identifier
@@ -201,41 +219,204 @@ aka: "SP-IdP-Proxy"
    - Scientists only need to upgrade their identity, if necessary to access service
    - Services can provide different levels of access

+ </div>
+  <div class="column">
+```json
+  "eduperson_assurance": [
+    "https://refeds.org/assurance/profile/cappuccino",
+    "https://refeds.org/assurance/ATP/ePA-1d",
+    "https://refeds.org/assurance/ATP/ePA-1m",
+    "https://refeds.org/assurance/IAP/local-enterprise",
+    "https://refeds.org/assurance/IAP/low",
+    "https://refeds.org/assurance/IAP/medium",
+    "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
+    "https://refeds.org/assurance/ID/unique"
+  ]
+```
+</div>
+ </div>
+
+## Information available at services
+```json
+{
+    "body": {
+        "aud": "oidc-agent-marcus2",
+        "client_id": "oidc-agent-marcus2",
+        "exp": 1635174663,
+        "iat": 1635170663,
+        "iss": "https://login.helmholtz.de/oauth2",
+        "jti": "c8978ad3-0296-43a4-bad2-1e6045a767a4",
+        "scope": "openid display_name sn email profile credentials eduperson_scoped_affiliation eduperson_entitlement eduperson_principal_name eduperson_unique_id eduperson_assurance",
+        "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e"
+    },
+    "header": {
+        "alg": "RS256",
+        "typ": "at+jwt"
+    },
+    "signature": "PO2KI0-BtyzT98avx3qYmJQzrDHvwkNYPrczoKn_V1udVuUAzoVCO7g9w2XhTIFWOV7mCr7J0edqx3MEuEhi8iq57UDJIUrJto6fw4M84OyxbTlNyjGz6aw8Xm3hqxCvLlKB8840h-58FtbwfuvKjyY5eCs3LnyY84Rjd-Fg3-fsRbIsozfDiVLO_WudOAgbbJx9OzsHcdjargxPt7fnMZzo5RCqgcHT4stEFK7AjYDOIjnB97kTQ0y1yRKLiNo1eSzoNgbdaJctH0GhuHZk1r-S1o4EK5r34kesOoopI9pFtpvwuyQctJFgc71CzSlEBWMz5eEiLzXnRaaqBvIo3g"
+}
+
+{
+    "display_name": "Marcus Hardt",
+    "eduperson_assurance": [
+        "https://refeds.org/assurance/profile/cappuccino",
+        "https://refeds.org/assurance/ATP/ePA-1d",
+        "https://refeds.org/assurance/ATP/ePA-1m",
+        "https://refeds.org/assurance/IAP/local-enterprise",
+        "https://refeds.org/assurance/IAP/low",
+        "https://refeds.org/assurance/IAP/medium",
+        "https://refeds.org/assurance/ID/eppn-unique-no-reassign",
+        "https://refeds.org/assurance/ID/unique"
+    ],
+    "eduperson_entitlement": [
+        "urn:geant:h-df.de:group:HDF#login.helmholtz.de",
+        "urn:geant:h-df.de:group:lsdf_admin#login.helmholtz.de",
+        "urn:geant:h-df.de:group:m-team:feudal-developers#login.helmholtz.de",
+        "urn:geant:h-df.de:group:m-team#login.helmholtz.de",
+        "urn:geant:h-df.de:group:MyExampleColab#login.helmholtz.de",
+        "urn:geant:h-df.de:group:wlcg-test#login.helmholtz.de",
+        "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de",
+        "urn:geant:helmholtz.de:group:HIFIS:Associates#login.helmholtz.de",
+        "urn:geant:helmholtz.de:group:HIFIS:Core#login.helmholtz.de",
+        "urn:geant:helmholtz.de:group:HIFIS#login.helmholtz.de",
+        "urn:geant:helmholtz.de:group:IMK-TRO-EWCC#login.helmholtz.de",
+        "urn:geant:helmholtz.de:group:KIT#login.helmholtz.de",
+        "urn:mace:dir:entitlement:common-lib-terms",
+        "http://bwidm.de/entitlement/bwLSDF-SyncShare"
+    ],
+    "eduperson_principal_name": "lo0018@kit.edu",
+    "eduperson_scoped_affiliation": [
+        "employee@kit.edu",
+        "member@kit.edu"
+    ],
+    "eduperson_unique_id": "6c611e2a2c1c487f9948c058a36c8f0e@login.helmholtz-data-federation.de",
+    "email": "marcus.hardt@kit.edu",
+    "email_verified": true,
+    "family_name": "Hardt",
+    "given_name": "Marcus",
+    "name": "Marcus Hardt",
+    "preferred_username": "marcus",
+    "sn": "Hardt",
+    "ssh_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqA5FW6m3FbFhCOsRQBxKMRki5qJxoNhZdaeLXg6ym/ marcus@test2022\n",
+    "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e"
+}
+```

-## AAI usage
-<img src="images/aai-usage-plot.png" width=85%>

+## Connected Services
+- Multi Protocol:
+    - Identities: SAML, OpenID Connect, X.509
+    - Services: OpenID Connect, SAML
+- Integrated Services:
+    - Helmholtz Federated IT services (HIFIS, [hifis.net](https://hifis.net))
+      - Drives development, documentation and service integration
+      - [cloud.helmholtz.de/services](https://cloud.helmholtz.de/services)
+  - Technially feasible: Rocketchat, Storage, Compute & more.
+  - More pilot services at [documentation pages](https://hifis.net/doc/cloud-services/list-of-services/#pilot-services)
+  - Exhaustive list: [aai.helmholtz.de/services](https://aai.helmholtz.de/services)

-## <small>Further documentation</small>
- See further documentation:
-  - <https://aai.helmholtz.de/doc>
-  - <https://hifis.net/doc>

+## AAI usage
+<img src="images/aai-usage-plot.png" width=85%>



 # AAI Developments in Helmholtz
-## Developments
- Local-agent
- oidc on the commandline
-    - oidc-agent
-    - mytoken
- ssh/oidc with federated identities
-
-
-# Backupslides
-## Not to forget:
- Helmholtz-AAI is free of charge (at least for Helmholtz)
-
-
----------------------------------------------------------------------------------------
-
-
-## {data-background-image="images/h-aai-konrad.png" data-background-size="fill"}
-
-# Usage Figures {data-background-image="images/hdf-aai-over-time.png" data-background-size="contain" data-transition="zoom"}
-## {data-background-image="images/hdf-aai-over-time.png" data-background-size="contain"}
-
+## Helmholtz Cloud Agent
+- [https://hifis.net/doc/service-integration/local-agent/](https://hifis.net/doc/service-integration/local-agent/)
+- First (exemplary) use-case: Nubes
+    - Enable DESY cloud portal (cloud.helmholtz.de)
+    - To use (Nubes)[https://nubes.helmholtz-berlin.de](NextCloud) resources at HZB
+    - Challenge: 
+        - Exchange user provisioning information
+        - Integrate local systems
+
+
+## oidc-agent
+- Goal: Support OIDC on end user computers
+- Initial goal: Unix commandline (linux + mac)
+    - Handle all the issues with different OIDC Providers
+    - Adequate security features
+        - All sensitive information on disk is encrypted 
+        - Everything (sensitive) in RAM is obfuscated
+        - Keep the user from stupid moves
+    - Works just like ssh-agent
+        - `oidc-agent, oidc-gen, oidc-add, oidc-token`
+        - Including **agent forwarding** and **x-session integration**
+    - Works well with many OIDC providers 
+        - <bitsmall> Google, Eudat, eduTEAMS, EGI-Checkin, Elixir, Helmholtz-AAI, WLCG, Indigo IAM, KIT, Human Brain, ...</bitsmall>
+- New goal: Support for GUI environments (windows + mac + linux)
+
+## mytoken
+- Mytokens are a new class of tokens
+- Use case: Long running compute job<br/>
+    - Longer than lifetime of Access Token
+
+<div class="fragment"data-fragment-index="2">
+<div class="columns">
+  <div class="column">
+  - **Mytoken Server**
+      - Proxy for Refresh Tokens (RT)
+      - Implemented as an extension of OIDC
+  - User flow:
+      1. Create mytoken (MT)
+      2. Use MT to obtain
+            - Access Tokens (AT)
+            - Other mytokens</ul></ol> </ul>
+
+<div class="fragment"data-fragment-index="3">
+```json
+[{"exp"        :1634300000,
+  "nbf"        :1634400000,
+  "geoip_allow":["DE"],
+  "scope"      :"compute.create",
+ },{
+  "exp"        :1635300000,
+  "nbf"        :1635400000,
+  "geoip_allow":["DE", "FR", "NL"],
+  "scope"      :"storage.write",
+}]
+```
+</div>
+
+  </div>
+  <div class="column"><img class="plain" src="images/mytokenGeneralConcept.png" width=90%></div>
+</div>
+</div>
+
+
+## ssh-oidc
+- Enable **ssh** via **federated identity** (OIDC)
+    - without recompiling OpenSSH
+    - with a clear authorisation concept
+- Solution:
+    - PAM module
+    - Mapping Daemon
+    - Client Wrapper
+- Available for Linux
+    - Mac and Windows in development (Putty, maybe: MobaXterm)
+- Test it at [https://ssh-oidc-demo.data.kit.edu](https://ssh-oidc-demo.data.kit.edu)
+
+<!--## Developments-->
+<!--- [Helmholtz Cloud Agent](https://hifis.net/doc/service-integration/local-agent/) -->
+<!--- oidc on the commandline-->
+<!--    - [oidc-agent](https://github.com/indigo-dc/oidc-agent)-->
+<!--    - [mytoken](https://mytoken.data.kit.edu)-->
+<!--- [ssh/oidc](https://github.com/EOSC-synergy/ssh-oidc) with federated identities-->
+
+
+## Outlook
+- Integrate more services
+    - Large Resources (HPC / Clusters)
+- Spread the technology
+- Interoperate with other Community AAIs
+    - How to handle cross-community access?
+    - How about OIDC-Federations?
+- Contribute to AARC Guidelines:
+    - IdP Hinting
+    - SCIM and Deprovisioning
+    - Expression of Entitlements
+- Manage expectations, e.g. identity linking

 ## More information