How do Research Communities build Authentication and Authorisation Infrastructures that support Federated Identity Management? Which software do they choose and how do they make those critical decisions? Over the coming months we will be speaking with various organisations that have gone through this process and created infrastructure that implements the AARC Blueprint Architecture (AARC BPA).
Driven by the physics communities supported by UKRI-STFC (UK Research and Innovation Science and Technology Facilities Council), the eInfrastructure for Research and Innovation for STFC, or IRIS, is a collaboration of UKRI STFC, science activities and provider entities in the UK. It co-ordinates the provision of an eInfrastructure supporting these communities which includes a range of computing resources. These resources include core IT services, such as OpenStack, and are currently provisioned independently for each Research Community, including LIGO, EUCLID, SKA and others. We spoke with Thomas Dack, from STFC-RAL, who is tasked with harmonising authentication and authorisation within the Infrastructure.
Since the majority of the Research Communities served are primarily focused on Physics, IRIS has been closely following the work ongoing in WLCG (The Worldwide Large Hadron Collider Computing Grid) to identify a software stack and specification for an OAuth2 based infrastructure. A natural choice for IRIS was to use INDIGO IAM as their Authentication and Authorisation Infrastructure (AAI), due to prior experience with the tool through the INDIGO Datacloud project and since it’s also being piloted by WLCG. IAM has been enhanced to provide backwards compatibility with X.509 certificate proxy based systems, thanks to integration with RCAuth.eu. IAM supports OIDC, prefered by many downstream services, and IRIS plans to propagate group based authorization within the OIDC tokens. IAM also provides the ability to host a central IRIS Acceptable Use Policy (AUP), which all users must sign in order to access IRIS resources.
After much consideration, IRIS has decided to deploy IAM as the primary entry point to IRIS resources for all users (both computing managers and researchers); significant advantages being that authorization will be centralised and that accounts per resource will no longer be required. Another benefit of having the IRIS instance of IAM as the single entry point for IRIS resources is that it allows the IAM to act as an “IdP-of-last-resort” for the IRIS community. In situations where a resource has users who lack a suitable eduGain IdP to authenticate with, these users may register directly to have a “local” account within the IAM. Such local accounts mean that a user would still be able to use a single account to access all protected resources. Accounts created in this way do lose some assurance about the identity of the user – for example, as they have not accessed via eduGain you lose the guarantee at creation time they have an active affiliation with a partner institution – and so the policy around this use-case has not yet been finalised. Work is ongoing to determine the syntax for group based authorization and for Levels of Assurance (LoA) within the scope of the infrastructure.
Thanks to work done by the AARC Project and other groups in previous years, IRIS were in the fortunate position to be able to pick up existing guidelines and implement them. David Crooks, also STFC-RAL, is responsible for defining the security policies required for the infrastructure and took the AARC Policy Development kit as a starting point; the deployment of the IRIS IAM and its alignment with the AARC BPA made this an obvious choice. Work began by identifying the AUP, Privacy Notice and Top Level Security policies as the key first steps; drafts of these are now being circulated in the IRIS community. Looking forward, the Membership Management and Security Operations policies are likely next candidates, as well as consideration of appropriate levels of assurance as noted earlier. A paper exploring this work has recently been submitted as part of the CHEP (the Computing for High Energy and Nuclear Physics Conference) 2019 proceedings.
In addition to giving access to existing services such as the STFC OpenStack instance and the IRIS accounting portal, with work continuing on access to data services such as Rucio and dynafed, a new service to be offered using authentication provided by IRIS IAM is a collaborative MISP instance, a platform for security threat intelligence sharing. By allowing for the sharing of threat intelligence with trusted partners, it is hoped that IRIS will be able to improve the baseline level of security for its services.
Tom will be participating in the ongoing enhancement of IAM, a significant step being an upgrade to use Keycloak as the backend and OIDC provider. Keycloak is an open source identity and access management solution being adopted by an increasing number of Research Communities and Commercial organisations and is highly configurable to meet the needs of Infrastructure use cases.
Many thanks to Tom, David and others in IRIS for agreeing to share their story, we look forward to hearing updates at future FIM4R meetings! You can find links to the software mentioned here in the table below.
|INDIGO IAM||INDIGO Identity and Access Management (IAM) service, SP Proxy||https://github.com/indigo-iam/iam|
|Keycloak||Open Source Identity and Access Management, SP Proxy||https://www.keycloak.org|