EGI Installation Check-in Updates and Support Activities

The EGI Foundation, funded by the European Commission, has implemented various updates in its Installation Check-in process. These updates include adding support for AES-GCM encrypted attribute assertions, enabling expiration policies, improving user notifications, and deploying a new Federation Registry portal. Ongoing activities include Keycloak enhancements, Ansible role development, and integration efforts for compliant access to services.


Uploaded on Sep 18, 2024


Presentation Transcript


  1. EGI: Advanced Computing for Research
     www.egi.eu @EGI_eInfra
     Installation Check-in
     EGI-ACE WP6
     The work of the EGI Foundation is partly funded by the European Commission under H2020 Framework Programme

  2. Installation Check-in Updates
     - Upgraded Check-in Proxy (SimpleSAMLphp) to add support for AES-GCM encrypted attribute assertions released by Shibboleth v4 based Identity Providers
     - Updated Check-in Membership Registry (COmanage) to allow users to re-send email verification links for completing registration process
     - Enabled VO/group expiration policies
     - Enabled periodic email notifications to users
     - Contacted VO managers about new policies and the membership renewal process
     - Grace period until Sept 15
     - Fix bug with false notifications after the renewal of the VO membership [TODO]
     www.egi.eu @EGI_eInfra 2 18/09/2024

  3. Installation Check-in Updates (Contd.)
     - Deployed new Federation Registry portal to allow users to manage the service lifecycle (registration/reconfiguration/deregistration) across all integration environments (development, demo & production)
     - Update service integration documentation [In progress]
     - Improve description of service registration form fields (e.g. compliance with Data Protection Code of Conduct) [TODO]
     - Improve email notifications for service owners/registry operators [TODO]
     - Improved user inform/consent page
     - New consent page for OIDC services allowing users to authorise scopes/permissions
       - Improve look & feel [In progress]
     - Warn users before transferring personal information to services not complying with GEANT Data Protection Code of Conduct [TODO]

  4. Installation Check-in Updates (Contd.)
     Keycloak
     - Add support for time-based VO/group membership [In progress]
     - Add support for using different signing/encryption keys for SAML & OIDC [In progress]
     - Ansible role for Keycloak deployment [In progress]
     - Bug fixes [DONE]
       - Imported RSA keys and Java keystore keys are always of type "sig" [PR]
       - Problem when trying to build server distribution [PR]
     - BUT a significant number (13) of feature requests are still under review by upstream

  5. Installation Check-in Support Activities
     DIRAC integration
     - Configure group in Check-in Membership Registry (COmanage) for users who can't log in using a REFEDS R&S compliant IdP. Approved members of the group will be able to access services (e.g. RCauth CA) that require R&S compliance [In Progress]
     UmbrellaID integration
     - Integrate acceptance instance of UmbrellaID as a Community IdP with demo instance of Check-in [DONE]
     - Integrate production instance of UmbrellaID as a Community IdP with production instance of Check-in [TODO]

  6. Installation Check-in Support Activities (Contd.)
     EISCAT
     - Configure authorisation for new OIDC-based Data Portal [Moving to production]
     - Configure EISCAT download server as a resource server (client with access to introspection endpoint) [Moving to production]
     - Improve identity linking documentation (clarify assurance aspects) [TODO]
     D4Science
     - Integration of D4Science IdP as Community AAI to Check-in with dedicated login button
       - Development instance of D4Science IdP integrated with development instance of Check-in [DONE]
       - Development instance of D4Science IdP integrated with demo instance of Check-in [TODO]
       - Production instance of D4Science IdP integrated with production instance of Check-in [TODO]

  7. Installation Check-in Roadmap

     | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
     |---|---|---|---|
     | Extend cryptographic support for connected Identity Providers | GRNET | Upgrade/patch SimpleSAMLphp to add support for AES-GCM encrypted attribute assertions released by Shibboleth v4 based Identity Providers | 01/21 0207/21 DONE |
     | Improve user registration | GRNET | Allow users to re-send email verification links for completing registration process | 01/21 0207/21 DONE |
     | Integrate with DIRAC | GRNET | Support users with: Personal IGTF Classic/MICS X509 certificates; IOTA certificates issued by RCauth Online CA | 01/21 04/21 DONE |

  8. Installation Check-in Roadmap

     | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
     |---|---|---|---|
     | Improve Service Provider integration process | GRNET | Manage connection of Service Providers (de-registration/reconfiguration) via Federation Registry Tool; Two-step approval; GGUS integration | 01/21 0307/21 DONE |
     | Update Privacy Policy | EGI Foundation | Compliance with GEANT Data Protection Code of Conduct v1 and/or any other code of conduct compatible with legislation and guidelines on data protection and privacy including GDPR | 01/21 0307/21 DONE |
     | Improve identity linking user experience and interface | GRNET | Improve linked identities panel to include friendly IdP name and logo; Support implicit identity linking | 02/21 0409/21 On Hold |

  9. Installation Check-in Roadmap

     | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
     |---|---|---|---|
     | Extend usage statistics | GRNET | Geographic/country statistics for user logins, community/VOs, service access; Unique logins statistics (NEW) | 01/21 0305/21 DONE |
     | Support for (de)provisioning | GRNET/CESNET | Continuous update of: X509 certificate information with Perun; Identity and VO/group/role information with FedCloud providers | 02/21 0609/21 On Hold |
     | Improve Check-in/VO membership lifecycle management | GRNET | VO/group expiration policies | 0605/21 1207/21 DONE |

  10. Installation Check-in Roadmap

      | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
      |---|---|---|---|
      | Improve Check-in/VO membership lifecycle management | GRNET | Periodic renewal of linked identities | 10/21 TODO |
      | Improve Check-in/VO membership lifecycle management | GRNET | Automatic Check-in identity expiration and anonymisation | 11/21 TODO |

  11. Installation Check-in Roadmap

      | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
      |---|---|---|---|
      | Improve interoperability | GRNET | Support IdP hinting (AARC-G049) | 03/21 04/21 DONE |
      | Improve interoperability | GRNET | Support REFEDS Assurance Framework | 03/21 04/21 DONE |
      | Improve interoperability | GRNET | Support combined evaluation of assurance | 05/21 0608/21 In Progress |
      | Improve interoperability | GRNET | IdP Hinting (AARC-G061); Community user identifier (AARC-G026); Affiliation (AARC-G025 & AARC-G057); Attribute Profile (AARC-G056) [DRAFT]; OAuth2 token validation across infrastructures (AARC-G051) [DRAFT] | 12/21 TODO |

  12. Installation Check-in Roadmap

      | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
      |---|---|---|---|
      | Improve monitoring | GRNET | Automated web browser-based SAML & OIDC login (Selenium) | 05/20 05/21 DONE |
      | Improve data privacy management | GRNET | Improve user inform/consent page for OIDC services; TODO: Uniform look & feel with SAML consent screen | 05/21 0609/21 In Progress |
      | Support (De)Provisioning | GRNET | LDAP-based (de)provisioning | 05/21 0609/21 In Progress |
      | Improve integration with Operations Portal | GRNET | Sync VO information (e.g. AUP, VO managers, membership) | 12/21 TODO |

  13. Installation Check-in Roadmap

      | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
      |---|---|---|---|
      | Keycloak: AUP management | GRNET | AUP on demand renewal; AUP periodic renewal | 03/21 03/21 Upstream Review |
      | Keycloak: Group management | GRNET | Allow users to view their group membership information; Add support for notifying users when they join/leave groups | 04/21 04/21 Upstream Review |
      | Keycloak: Conditional email verification | GRNET | Skip email verification based on email_verified claim | 4/21 04/21 Upstream Review |
      | Keycloak: Support for stronger authentication | GRNET | Two-factor authentication: Support OTP; Support signalling | 05/01 06/21 Upstream Review |

  14. Installation Check-in Roadmap

      | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
      |---|---|---|---|
      | Keycloak: Migration to new upstream | GRNET | Migrate to Keycloak v13 | 05/21 05/21 DONE |
      | Keycloak: Enrich client metadata | GRNET | Enrich SAML & OIDC client model with: Privacy Policy URI; Terms of Use/AUP URI | 05/21 06/21 Upstream Review |
      | Keycloak: Improve data privacy management | GRNET | Show Privacy Policy and AUP information in user inform/consent management page | 06/21 06/21 Upstream Review |
      | Automate Keycloak deployment | GRNET | Create Ansible roles & playbooks | 0809/21 In Progress |
      | Keycloak: Group management | GRNET | Enrich group membership metadata with validFrom/validThrough information | 08/21 In Progress |

  15. Installation Check-in Roadmap

      | Activity | Responsible person/Partner | Description | Start Date (MM/YY) / End Date (MM/YY) |
      |---|---|---|---|
      | Keycloak-ready: Phase I | GRNET | Use of Keycloak for Check-in OIDC OP | 10/21 |
      | Keycloak-ready: Phase II | GRNET | Use of Keycloak for Check-in SAML IdP | 06/22 |
      | Keycloak-ready: Phase III | GRNET | Use of Keycloak for Check-in User & VO/Group Registry | 12/22 |
