diff --git a/2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md b/2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md index 2be3955b1b726df140ebe6191fae111c5d6379b6..264c80c342d3e18e8f643c8c3bc9e973084c8070 100644 --- a/2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md +++ b/2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md @@ -1,6 +1,6 @@ --- # vim:tw=100:ft=markdown -author: <white><small>Sander Apweiler, Marcus Hardt, Uwe Jandt, Andreas Klotz</small></white> +author: <white><small>Sander Apweiler (FZJ), Marcus Hardt (KIT), Uwe Jandt (DESY), Andreas Klotz (HZB)</small></white> title: <white><br/><br/><small> Helmholtz-AAI </small></white> date: <white>October 2021</white> theme: marcus @@ -14,11 +14,6 @@ mouseWheel: true transition: none backgroundTransition: none --- -## Presentation Metadata: -- Tag 1, 26. Oktober 2021 -- 11:15-12:15 Uhr -- Agenda hier: [https://www.dfn.de/veranstaltungen/betriebstagungen/infos](https://www.dfn.de/veranstaltungen/betriebstagungen/infos) (bald) - ## Outline - Motivation @@ -29,10 +24,10 @@ backgroundTransition: none # Motivation <br/> + <br/> Overview ## Historical records -- Helmholtz Data Federation (HDF) needed an AAI +- Helmholtz Data Federation (HDF) needed an AAI (back in 2017) - Proof of Concept implementation of the [AARC Blueprint Architecture](https://aarc-community.org/architecture) - SP-IdP Proxy (in eduGain) - - 4 Initial services (Nagios, OpenStack, DCache, WaTTS, ...) + - 4 Initial services (Nagios, OpenStack, dCache, WaTTS, ...) - OpenID Connect as a primary target - Adaptation of the [AARC Policy Development Kit](https://aarc-community.org/policies/policy-development-kit) - Security + Trust @@ -71,7 +66,7 @@ backgroundTransition: none - Even "Homeless Users" __could__ be supported -## {data-background-image="images/foederationen_und_bpa.png" data-background-size="contain"} +## {data-background-image="images/foederationen_und_bpa_mod.png" data-background-size="contain"} # Architecture 
@@ -87,8 +82,6 @@ backgroundTransition: none ## AARC Results -- [AARC Blueprint Architectures](https://aarc-community.org/architecture/) - - Introduction of the "proxy" component - [AARC Policy Development KIT](https://aarc-community.org/policies/policy-development-kit/) - Fundamental policy templates for - Operating an infrastructure @@ -101,7 +94,13 @@ backgroundTransition: none - Service Operation - Acceptable Use Policy - All policies designed to be GDPR compliant + **All policies designed to be GDPR compliant** + +- [AARC Blueprint Architectures](https://aarc-community.org/architecture/) + - Introduction of the "proxy" component + + +## {data-background-image="images/bpa-final-glow.png" data-background-size="contain"} ## The **"proxy"** component @@ -119,9 +118,6 @@ aka: "SP-IdP-Proxy" - Stackable -## {data-background-image="images/bpa-final-glow.png" data-background-size="contain"} - - ## Evolution of the BPA (~2019) - Add differentiation: - Between **community** and **infrastructure** 
@@ -135,22 +131,10 @@ aka: "SP-IdP-Proxy" # Implementation - -## Connected Services -- Multi Protocol: - - Identities: SAML, OpenID Connect, X.509 - - Services: OpenID Connect, SAML -- Integrated Services: - - Gitlab, Sync&Share, Chat, Storage, Compute & more. - - High level overview (a.k.a. Helmholtz Cloud Services): [cloud.helmholtz.de/services](https://cloud.helmholtz.de/services) - - More pilot services at [documentation pages](https://hifis.net/doc/cloud-services/list-of-services/#pilot-services) - - Exhaustive list: [aai.helmholtz.de/services](https://aai.helmholtz.de/services) -- Helmholtz Federated IT services (HIFIS, [hifis.net](https://hifis.net)) - - Drives development, documentation and service integration - ## **Helmholtz-AAI** <br/>implements<br/> **AARC BPA** + ## Technical implementation -- Software: `unity` +- Software: `unity` (also used for Eudat's [b2access](https://b2access.eudat.eu)) - Production: [https://login.helmholtz.de](https://login.helmholtz.de) - Development: [https://login-dev.helmholtz.de](https://login-dev.helmholtz.de) - Self service Group Membership: 
@@ -159,20 +143,24 @@ aka: "SP-IdP-Proxy" ## Helmholtz-AAI Features +- Well documented at [https://aai.helmholtz.de](https://aai.helmholtz.de) +- Implements the [Policy Development Kit](https://aarc-community.org/policies/policy-development-kit) - Follows AARC recommendations (a lot of the `G0XY` documents) - <=> To use specific schemas for attributes and their content -- Focused on OIDC -- Implements the [Policy Development Kit](https://aarc-community.org/policies/policy-development-kit) -- Explicit Assurance -- Well Documented -- URN registries for - - `G002` (Soon: `G059`) style group memberships - - `G027` style resource capabilities -- HIFIS is an (observing) member of AEGIS - + - HIFIS is an (observing) member of AEGIS +- Focus on OIDC + - OpenID is not OpenID Connect + - OpenID connect is defined be the OpenID Foundation + - The OpenID protocol is deprecated +- Three levels of authorisation + - Community based + - Home Organisation Based + - Assurance Based ## Authorisation Management<br/>Based on **Community** +<div class="columns"> + <div class="column"> - **Virtual Organisation (VO)** approach - Very similar: HPC compute projects - **VO** Managers can administer community members 
@@ -181,16 +169,46 @@ aka: "SP-IdP-Proxy" - `climate -> ozone -> south-pole` - `cern -> cms -> admin` + </div> + <div class="column"> +```json + "eduperson_entitlement": [ + "urn:geant:helmholtz.de:group:Helmholtz-member", + "urn:geant:helmholtz.de:group:HIFIS:Associates", + "urn:geant:helmholtz.de:group:HIFIS:Core", + "urn:geant:helmholtz.de:group:HIFIS", + "urn:geant:helmholtz.de:group:IMK-TRO-EWCC", + "urn:geant:helmholtz.de:group:KIT" + ] +``` +</div> + </div> + ## Authorisation Management<br/>Based on **Origin** +<div class="columns"> + <div class="column"> - **Home-IdP based** approach - Home IdP can assert complementary information - Services can filter users by - Home-Org asserted eligibility to use certain resources - Status: - Employee / Student / Guest + </div> + <div class="column"> +```json + "eduperson_entitlement": [ + "http://bwidm.de/entitlement/bwLSDF-SyncShare", + "urn:mace:dir:entitlement:common-lib-terms", + ] +``` +</div> + </div> + ## Authorisation Management<br/>Based on **Assurance** +<div class="columns"> + <div class="column"> - Levels of Assurance: [REFEDS Assurance Framework](https://refeds.org/assurance) - Passport seen, Work-Contract available (Most academic Institutes) - Uniqueness of the identifier 
@@ -201,41 +219,204 @@ aka: "SP-IdP-Proxy" - Scientists only need to upgrade their identity, if necessary to access service - Services can provide different levels of access + </div> + <div class="column"> +```json + "eduperson_assurance": [ + "https://refeds.org/assurance/profile/cappuccino", + "https://refeds.org/assurance/ATP/ePA-1d", + "https://refeds.org/assurance/ATP/ePA-1m", + "https://refeds.org/assurance/IAP/local-enterprise", + "https://refeds.org/assurance/IAP/low", + "https://refeds.org/assurance/IAP/medium", + "https://refeds.org/assurance/ID/eppn-unique-no-reassign", + "https://refeds.org/assurance/ID/unique" + ] +``` +</div> + </div> + +## Information available at services +```json +{ + "body": { + "aud": "oidc-agent-marcus2", + "client_id": "oidc-agent-marcus2", + "exp": 1635174663, + "iat": 1635170663, + "iss": "https://login.helmholtz.de/oauth2", + "jti": "c8978ad3-0296-43a4-bad2-1e6045a767a4", + "scope": "openid display_name sn email profile credentials eduperson_scoped_affiliation eduperson_entitlement eduperson_principal_name eduperson_unique_id eduperson_assurance", + "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e" + }, + "header": { + "alg": "RS256", + "typ": "at+jwt" + }, + "signature": "PO2KI0-BtyzT98avx3qYmJQzrDHvwkNYPrczoKn_V1udVuUAzoVCO7g9w2XhTIFWOV7mCr7J0edqx3MEuEhi8iq57UDJIUrJto6fw4M84OyxbTlNyjGz6aw8Xm3hqxCvLlKB8840h-58FtbwfuvKjyY5eCs3LnyY84Rjd-Fg3-fsRbIsozfDiVLO_WudOAgbbJx9OzsHcdjargxPt7fnMZzo5RCqgcHT4stEFK7AjYDOIjnB97kTQ0y1yRKLiNo1eSzoNgbdaJctH0GhuHZk1r-S1o4EK5r34kesOoopI9pFtpvwuyQctJFgc71CzSlEBWMz5eEiLzXnRaaqBvIo3g" +} + +{ + "display_name": "Marcus Hardt", + "eduperson_assurance": [ + "https://refeds.org/assurance/profile/cappuccino", + "https://refeds.org/assurance/ATP/ePA-1d", + "https://refeds.org/assurance/ATP/ePA-1m", + "https://refeds.org/assurance/IAP/local-enterprise", + "https://refeds.org/assurance/IAP/low", + "https://refeds.org/assurance/IAP/medium", + "https://refeds.org/assurance/ID/eppn-unique-no-reassign", + 
"https://refeds.org/assurance/ID/unique" + ], + "eduperson_entitlement": [ + "urn:geant:h-df.de:group:HDF#login.helmholtz.de", + "urn:geant:h-df.de:group:lsdf_admin#login.helmholtz.de", + "urn:geant:h-df.de:group:m-team:feudal-developers#login.helmholtz.de", + "urn:geant:h-df.de:group:m-team#login.helmholtz.de", + "urn:geant:h-df.de:group:MyExampleColab#login.helmholtz.de", + "urn:geant:h-df.de:group:wlcg-test#login.helmholtz.de", + "urn:geant:helmholtz.de:group:Helmholtz-member#login.helmholtz.de", + "urn:geant:helmholtz.de:group:HIFIS:Associates#login.helmholtz.de", + "urn:geant:helmholtz.de:group:HIFIS:Core#login.helmholtz.de", + "urn:geant:helmholtz.de:group:HIFIS#login.helmholtz.de", + "urn:geant:helmholtz.de:group:IMK-TRO-EWCC#login.helmholtz.de", + "urn:geant:helmholtz.de:group:KIT#login.helmholtz.de", + "urn:mace:dir:entitlement:common-lib-terms", + "http://bwidm.de/entitlement/bwLSDF-SyncShare" + ], + "eduperson_principal_name": "lo0018@kit.edu", + "eduperson_scoped_affiliation": [ + "employee@kit.edu", + "member@kit.edu" + ], + "eduperson_unique_id": "6c611e2a2c1c487f9948c058a36c8f0e@login.helmholtz-data-federation.de", + "email": "marcus.hardt@kit.edu", + "email_verified": true, + "family_name": "Hardt", + "given_name": "Marcus", + "name": "Marcus Hardt", + "preferred_username": "marcus", + "sn": "Hardt", + "ssh_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqA5FW6m3FbFhCOsRQBxKMRki5qJxoNhZdaeLXg6ym/ marcus@test2022\n", + "sub": "6c611e2a-2c1c-487f-9948-c058a36c8f0e" +} +``` -## AAI usage -<img src="images/aai-usage-plot.png" width=85%> +## Connected Services +- Multi Protocol: + - Identities: SAML, OpenID Connect, X.509 + - Services: OpenID Connect, SAML +- Integrated Services: + - Helmholtz Federated IT services (HIFIS, [hifis.net](https://hifis.net)) + - Drives development, documentation and service integration + - [cloud.helmholtz.de/services](https://cloud.helmholtz.de/services) + - Technially feasible: Rocketchat, Storage, Compute & more. 
+ - More pilot services at [documentation pages](https://hifis.net/doc/cloud-services/list-of-services/#pilot-services) + - Exhaustive list: [aai.helmholtz.de/services](https://aai.helmholtz.de/services) -## <small>Further documentation</small> -- See further documentation: - - <https://aai.helmholtz.de/doc> - - <https://hifis.net/doc> +## AAI usage +<img src="images/aai-usage-plot.png" width=85%> # AAI Developments in Helmholtz -## Developments -- Local-agent -- oidc on the commandline - - oidc-agent - - mytoken -- ssh/oidc with federated identities - - -# Backupslides -## Not to forget: -- Helmholtz-AAI is free of charge (at least for Helmholtz) - - ----------------------------------------------------------------------------------------- - - -## {data-background-image="images/h-aai-konrad.png" data-background-size="fill"} - -# Usage Figures {data-background-image="images/hdf-aai-over-time.png" data-background-size="contain" data-transition="zoom"} -## {data-background-image="images/hdf-aai-over-time.png" data-background-size="contain"} - +## Helmholtz Cloud Agent +- [https://hifis.net/doc/service-integration/local-agent/](https://hifis.net/doc/service-integration/local-agent/) +- First (exemplary) use-case: Nubes + - Enable DESY cloud portal (cloud.helmholtz.de) + - To use (Nubes)[https://nubes.helmholtz-berlin.de](NextCloud) resources at HZB + - Challenge: + - Exchange user provisioning information + - Integrate local systems + + +## oidc-agent +- Goal: Support OIDC on end user computers +- Initial goal: Unix commandline (linux + mac) + - Handle all the issues with different OIDC Providers + - Adequate security features + - All sensitive information on disk is encrypted + - Everything (sensitive) in RAM is obfuscated + - Keep the user from stupid moves + - Works just like ssh-agent + - `oidc-agent, oidc-gen, oidc-add, oidc-token` + - Including **agent forwarding** and **x-session integration** + - Works well with many OIDC providers + - <bitsmall> Google, Eudat, 
eduTEAMS, EGI-Checkin, Elixir, Helmholtz-AAI, WLCG, Indigo IAM, KIT, Human Brain, ...</bitsmall> +- New goal: Support for GUI environments (windows + mac + linux) + +## mytoken +- Mytokens are a new class of tokens +- Use case: Long running compute job<br/> + - Longer than lifetime of Access Token + +<div class="fragment"data-fragment-index="2"> +<div class="columns"> + <div class="column"> + - **Mytoken Server** + - Proxy for Refresh Tokens (RT) + - Implemented as an extension of OIDC + - User flow: + 1. Create mytoken (MT) + 2. Use MT to obtain + - Access Tokens (AT) + - Other mytokens</ul></ol> </ul> + +<div class="fragment"data-fragment-index="3"> +```json +[{"exp" :1634300000, + "nbf" :1634400000, + "geoip_allow":["DE"], + "scope" :"compute.create", + },{ + "exp" :1635300000, + "nbf" :1635400000, + "geoip_allow":["DE", "FR", "NL"], + "scope" :"storage.write", +}] +``` +</div> + + </div> + <div class="column"><img class="plain" src="images/mytokenGeneralConcept.png" width=90%></div> +</div> +</div> + + +## ssh-oidc +- Enable **ssh** via **federated identity** (OIDC) + - without recompiling OpenSSH + - with a clear authorisation concept +- Solution: + - PAM module + - Mapping Daemon + - Client Wrapper +- Available for Linux + - Mac and Windows in development (Putty, maybe: MobaXterm) +- Test it at [https://ssh-oidc-demo.data.kit.edu](https://ssh-oidc-demo.data.kit.edu) + +<!--## Developments--> +<!--- [Helmholtz Cloud Agent](https://hifis.net/doc/service-integration/local-agent/) --> +<!--- oidc on the commandline--> +<!-- - [oidc-agent](https://github.com/indigo-dc/oidc-agent)--> +<!-- - [mytoken](https://mytoken.data.kit.edu)--> +<!--- [ssh/oidc](https://github.com/EOSC-synergy/ssh-oidc) with federated identities--> + + +## Outlook +- Integrate more services + - Large Resources (HPC / Clusters) +- Spread the technology +- Interoperate with other Community AAIs + - How to handle cross-community access? + - How about OIDC-Federations? 
+- Contribute to AARC Guidelines: + - IdP Hinting + - SCIM and Deprovisioning + - Expression of Entitlements +- Manage expectations, e.g. identity linking ## More information diff --git a/2110-Helmholtz-AAI-DFN/images/aai-usage-plot.png b/2110-Helmholtz-AAI-DFN/images/aai-usage-plot.png index c3d80faf13f084a34534ade22cc33e0ebf5bac3d..3a355f48f86eb06e7f879726469a3b19381837b7 100644 Binary files a/2110-Helmholtz-AAI-DFN/images/aai-usage-plot.png and b/2110-Helmholtz-AAI-DFN/images/aai-usage-plot.png differ diff --git a/2110-Helmholtz-AAI-DFN/images/foederationen_und_bpa_mod.png b/2110-Helmholtz-AAI-DFN/images/foederationen_und_bpa_mod.png new file mode 100644 index 0000000000000000000000000000000000000000..03952442913d690aa99d036844ddfcae77be44c2 Binary files /dev/null and b/2110-Helmholtz-AAI-DFN/images/foederationen_und_bpa_mod.png differ diff --git a/2110-Helmholtz-AAI-DFN/images/mytokenGeneralConcept.png b/2110-Helmholtz-AAI-DFN/images/mytokenGeneralConcept.png new file mode 100644 index 0000000000000000000000000000000000000000..e8e1cedafaacada81da58c3b80768bd129fecf05 Binary files /dev/null and b/2110-Helmholtz-AAI-DFN/images/mytokenGeneralConcept.png differ
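Review bot: In hunk `@@ -159,20 +143,24 @@`, "OpenID connect is defined be the OpenID Foundation" should read "defined by", and the re-indented line `+  - HIFIS is an (observing) member of AEGIS` now sits under "To use specific schemas for attributes", which makes AEGIS membership look like a sub-point of attribute schemas; keep it a top-level bullet as it was. The three authorisation levels also mix capitalisation ("Community based" vs "Home Organisation Based" / "Assurance Based"); pick one form.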
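Review bot: In hunk `@@ -181,16 +169,46 @@`, the Origin-column JSON has a trailing comma before the closing bracket (`"urn:mace:dir:entitlement:common-lib-terms",` followed by `]`), which is not valid JSON and will be copied verbatim by anyone testing a filter against it; drop the comma. In the Community column the entitlements are shown without the group-authority suffix (`urn:geant:helmholtz.de:group:KIT`), while the real claim on the later "Information available at services" slide carries it (`...:group:KIT#login.helmholtz.de`); services filtering on the exact string will behave differently for the two forms, so show the complete form in the column example, or say explicitly that the `#authority` part was omitted for brevity.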
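Review bot: Hunk `@@ -201,41 +219,204 @@` commits a complete decoded access token (header, full `signature`, `jti`, `sub`) together with a real userinfo response containing a personal e-mail, `eduperson_principal_name`, `eduperson_unique_id` and an SSH public key into a public slide repository. The token's `exp` (1635174663) is already in the past, so it is not replayable, but `sub`, eppn and `eduperson_unique_id` are stable persistent identifiers of a named person, and the deck itself stresses that all policies are GDPR compliant; replace them with clearly constructed sample values or redact them, and truncate the signature to a few characters, which also shortens the slide. The same hunk has several smaller defects: in the mytoken restrictions block every `nbf` is later than its `exp` (`"exp" :1634300000, "nbf" :1634400000` and `"exp" :1635300000, "nbf" :1635400000`), so as written neither window is ever valid, and the first object ends with `"scope" :"compute.create", }`, a trailing comma that is invalid JSON; `<div class="fragment"data-fragment-index="2">` (twice) lacks the space between attributes; `- Other mytokens</ul></ol> </ul>` closes lists that were never opened; the Nubes line inverts the Markdown link syntax (`(Nubes)[https://nubes.helmholtz-berlin.de](NextCloud)` should be `[Nubes](https://nubes.helmholtz-berlin.de) (NextCloud)`); "Technially feasible" should be "Technically feasible". On the oidc-agent slide, "Everything (sensitive) in RAM is obfuscated" is weaker than the preceding "encrypted on disk" line suggests; state what obfuscation protects against (accidental exposure in a memory dump, not a privileged local attacker) so the security claim is not overstated. Finally, the old "Developments" list is kept as HTML comments rather than deleted; either remove it or move its repository links (oidc-agent, mytoken, ssh-oidc) into "More information", since the new oidc-agent and mytoken slides link to no source.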