Merge branch 'initial' into 'master'

initial go

See merge request !2

2110-Helmholtz-AAI-DFN/2110-Helmholtz-AAI-DFN.md

@@ -7,52 +7,242 @@ theme: marcus
 parallaxBackgroundImage: images/helmholtz-bg-slide.png
 title-slide-attributes:
     data-background-image: images/helmholtz-bg-head.png
+slideNumber: \'c/t\'
+preloadIframes: true
+showNotes: false
+mouseWheel: true
+transition: none
+backgroundTransition: none
 ---
 ## Presentation Metadata:
 - Tag 1, 26. Oktober 2021
 - 11:15-12:15 Uhr
 - Agenda hier: [https://www.dfn.de/veranstaltungen/betriebstagungen/infos](https://www.dfn.de/veranstaltungen/betriebstagungen/infos) (bald)
-- test2333
+
+
+## Outline
+- Motivation
+- Architecture
+- Implementation
+- Developments
+
+
+# Motivation <br/> + <br/> Overview
+## Historical records
+- Helmholtz Data Federation (HDF) needed an AAI
+- Proof of Concept implementation of the [AARC Blueprint Architecture](https://aarc-community.org/architecture)
+    - SP-IdP Proxy (in eduGain)
+    - 4 Initial services (Nagios, OpenStack, DCache, WaTTS, ...)
+    - OpenID Connect as a primary target
+- Adaptation of the [AARC Policy Development Kit](https://aarc-community.org/policies/policy-development-kit)
+    - Security + Trust
+    - Policy Compatibility with large infrastructures (WLCG, LIGO, XSEDE, ELIXIR, ...)
+
+<none class="fragment"data-fragment-index="2"> Then HIFIS started
+
+
+## {data-background-image="images/motivation1b.png" data-background-size="fill"}
+## {data-background-image="images/motivation2b.png" data-background-size="fill"}
+## {data-background-image="images/motivation3b.png" data-background-size="fill"}
 
 
 ## Helmholtz AAI: Goals
-- Seamless access to cloud services 
-    - Helmholtz: Services for users at Helmholtz Centres and Partners
-    - Very general approach => Don't be limited by specific organisational structure
-- Compatible with the European Open Science Cloud (EOSC)
 - Users can access **many** federated services
-- With their **one account** of their home Organisation
-- Support services beyond the browser
+    - with the **one account** of their Home Organisation
+- Seamless access
+    - Enable Services for users at Helmholtz Centres and Partners
+    - Enable researchers and guests to access Services
+    - Very general approach => Don't be limited by specific organisational structure
+- Enable PIs to manage their own Virtual Organisations (VOs)
+- Compatibility with the European Open Science Cloud (EOSC)
+- Support for services beyond the browser
     - Delegation (Computing Jobs)
     - REST APIs
     - Shell access
 
-# Helmholtz-AAI Key Features
-
-## Basics
-- EOSC compatible
-    - AARC Blueprint Architectures (BPA)
-    - AARC Policy Development Kit (PDK)
-- Users supported via
-    - DFN-AAI / eduGAIN
-    - Social: ORCID + Github + Google
-    - Homeless Users: Can easily be supported
-- Works in Production today
-    - Ready to include more services 
-    - Ready to include more Communities
-        - E.g. NFDIs
-
-## Authorisation
-- Support for multiple means of authorisation (**central** and **de central**)
-    - Group Membership (aka "Virtual Organisations")
-        - => Managed by Scientists themselves
-    - Entitlements from Home-Organisation
-        - => Managed by Administration
-    - Levels of Assurance: [REFEDS Assurance Framework](https://refeds.org/assurance)
-        - Passport seen, Work-Contract available
-        - Uniqueness of the identifier
-        - Freshness of attributes
-    - Membership in Home-Organisation
+
+## Relation to DFN-AAI
+- Overlap only in the acronym "AAI"
+- Helmholtz AAI is _one_ service inside DFN-AAI
+    - it's an SP-IdP-proxy
+- Users come in via 
+    - **DFN-AAI**, eduGAIN, 
+    - And others: ORCID, Github, Google
+    - Even "Homeless Users" __could__ be supported
+- FIXME: xxxxx move assurance downward; Add other DFN relations here
+- Assurance ([Refeds Assurance Framework](https://refeds.org/assurance))
+    - To express the quality of an identity
+        - DFN-AAI => RAF Cappuccino / IGTF Dogwood  (passport shown)
+        - eduGAIN => IGTF Dogwood (permanent identifier)
+        - Social => AARC Assam (verified email)
+
+
+# Architecture
+## AARC
+- [Authentication and Authorisation for Research Communities (AARC)](https://aarc-project.eu)
+    - 25 Partners 
+    - 4 Years
+- Mission
+    - Analyse **existing** Architectures
+    - Analyse **existing** Policies
+    - => Give recommendations 
+        - 21 Final, ~15 more on the roadmap
+
+
+## AARC Results
+- [AARC Blueprint Architectures](https://aarc-community.org/architecture/) 
+    - Introduction of the "proxy" component
+- [AARC Policy Development KIT](https://aarc-community.org/policies/policy-development-kit/)
+    - Fundamental policy templates for
+        - Operating an infrastructure
+        - Handling Incident Response
+        - Manage Members
+        - Requirements on Authentication
+        - Risk Assessment
+        - Data Protection
+        - Privacy Policy
+        - Service Operation
+        - Acceptable Use Policy
+
+         All policies designed to be GDPR compliant
+
+
+## The **"proxy"** component
+aka: "SP-IdP-Proxy"
+
+- Scalability!
+    - Stop every IdP needing to talk to every SP (`2800 * 1800`)
+    - Reliable Attribute release 
+        - (Different nations, different IdPs, each with different schema)
+- Third party **authorisation**
+    - *"Community Attribute Services"*
+- Enforcement of authorisation
+- Protocol Translation Translation
+    - SAML, OIDC, X.509
+- Stackable
+
+
+## {data-background-image="images/bpa-final-glow.png" data-background-size="contain"}
+
+
+## Evolution of the BPA (~2019)
+- Add differentiation:
+    - Between **community** and **infrastructure**
+    - Between "infrastructure run by a community" and "general e-Infrastructure"
+    - Different types of Services
+- Introduces the vocabulary used 
+- Full Document: <small>[https://zenodo.org/record/3672785/files/AARC-G045-AARC_BPA_2019-Final.pdf](https://zenodo.org/record/3672785/files/AARC-G045-AARC_BPA_2019-Final.pdf)</small>
+
+## {data-background-image="images/bpa2019.png" data-background-size="contain"}
+
+
+# Implementation
+
+
+## Connected Services
+- Multi Protocol:
+    - Identities: SAML, OpenID Connect, X.509
+    - Services: OpenID Connect, SAML
+- Examples for integrated services
+  - Gitlab
+  - RocketChat
+  - Storage and Compute Services
+  - Full list: [https://aai.helmholtz.de/services](https://aai.helmholtz.de/services/)
+- Helmholtz Federated IT services (HIFIS, [https://www.hifis.net](https://www.hifis.net)) 
+  - Drives development, documentation and service integration
+
+## **Helmholtz-AAI** <br/>implements<br/> **AARC BPA**
+## Technical implementation
+- Software: `unity`
+    - Production: [https://login.helmholtz.de](https://login.helmholtz.de)
+    - Development: [https://login-dev.helmholtz.de](https://login-dev.helmholtz.de)
+- Self service Group Membership:
+    - Principal Investigators can request a group
+    - Manage their members
+
+
+## Helmholtz-AAI Features
+- Follows AARC recommendations (a lot of the `G0XY` documents)
+    - <=> To use specific schemas for attributes and their content
+- Focused on OIDC
+- Implements the [Policy Development Kit](https://aarc-community.org/policies/policy-development-kit)
+- Explicit Assurance
+- Well Documented
+- URN registries for 
+    - `G002` (Soon: `G059`) style group memberships
+    - `G027` style resource capabilities
+- HIFIS is an (observing) member of AEGIS
+
+
+
+===============
+## Notes
+- many protocols (x509, ...)
+
+## Authorisation Management<br/>Based on **Community**
+- **Virtual Organisation (VO)** approach
+- Very similar: HPC compute projects
+- **VO** Managers can administer community members
+- Services can filter users by
+    - VO Attributes
+        - `climate -> ozone -> south-pole`
+        - `cern -> cms -> admin`
+
+
+## Authorisation Management<br/>Based on **Origin**
+- **Home-IdP based** approach
+- Home IdP can assert complementary information
+- Services can filter users by
+    - Home-Org asserted eligibility to use certain resources
+    - Status: - Employee / Student / Guest
+
+
+## Authorisation Management<br/>Based on **Assurance**
+- Levels of Assurance: [REFEDS Assurance Framework](https://refeds.org/assurance)
+    - Passport seen, Work-Contract available (Most academic Institutes)
+    - Uniqueness of the identifier
+    - Freshness of attributes
+    - Verified Email Address (Social Media)
+- Benefit
+    - AAI can host "lesser-than-maximum" users
+    - Scientists only need to upgrade their identity, if necessary to access service
+    - Services can provide different levels of access
+
+
+## <small>Interfaces for Service Integration</small>
+- Multiple Protocols:
+    - Identities: SAML, OpenID Connect, X.509
+    - Services: OpenID Connect, SAML
+- Examples for integrated services
+  - Gitlab
+  - RocketChat
+  - OpenStack
+  - Helmholtz Federated IT services (HIFIS, [https://www.hifis.net](https://www.hifis.net)) 
+    - HIFIS Cloud [https://cloud.helmholtz.de](https://cloud.helmholtz.de/#/services)
+    - Drives further development, documentation and service integration
+- More docs at Helmholtz AAI:
+  - [https://aai.helmholtz.de/doc](https://aai.helmholtz.de/doc)
+
+================
+
+
+
+# AAI Developments in Helmholtz
+## Developments
+- Local-agent
+- oidc on the commandline
+    - oidc-agent
+    - mytoken
+- ssh/oidc with federated identities
+
+
+# Backupslides
+## Not to forget:
+- Helmholtz-AAI is free of charge (at least for Helmholtz)
+
+
+----------------------------------------------------------------------------------------
+
 
 ## {data-background-image="images/h-aai-konrad.png" data-background-size="fill"}
 

2110-Helmholtz-AAI-DFN/Makefile

@@ -111,10 +111,10 @@ publish: reveal.js default
 	@echo "Done"
 
 view-remote: publish
-	@firefox $(REMOTE_URL)
+	@xdg-open $(REMOTE_URL) >/dev/null 2>&1 &
 
 view: reveal.js default
-	@firefox file://$(BASEDIR)/$(PROJECT).html-preview.html
+	@xdg-open file://$(BASEDIR)/$(PROJECT).html-preview.html >/dev/null 2>&1 & 
 
 publish-all: publish
 	@ssh hardt-it.de "cd web/`basename ${REMOTE}`; test -e reveal.js || ln -s ../reveal.js ."