Authentication and Authorization in Astronomy: A Deep Dive into ASTERICS


Explore the world of authentication and authorization in the field of astronomy through the lens of the ASTERICS project. Learn about the importance of verifying identities and granting access rights, the Virtual Observatory Approach, Single Sign-On standards, and Credential Delegation protocols. Dive into the complexities of user authentication and authorization in the realm of astronomy research infrastructure.


Uploaded on Sep 21, 2024



Presentation Transcript


  1. Astronomy ESFRI & Research Infrastructure Cluster ASTERICS - 653477
     Authentication and Authorization in the VO
     1st ASTERICS-OBELICS Workshop, 12-14 December 2016, Rome, Italy.
     H2020-Astronomy ESFRI and Research Infrastructure Cluster (Grant Agreement number: 653477).
     12/12/2016 ASTERICS-OBELICS Workshop 2016 / Rome 1

  2. Authentication and Authorization in the Virtual Observatory
     Dr. Giuliano Taffoni, INAF Osservatorio Astronomico di Trieste
     Deputy Chair, IVOA Grid & Web Services WG

  3. What is Auth and Authz?
     What is the scope?
     - Authentication is the process by which you verify that someone is who they claim to be.
     - Authorization is the process of establishing whether a user (who is already authenticated) is permitted to access a resource.
     Who is it for?
     - Researchers, developers, projects. But each used to have its own solution.

  4. The Virtual Observatory Approach
     The single-sign-on architecture is a system in which users assign cryptographic credentials to user agents so that the agents may act with the user's identity and access rights. This standard describes how agents use those credentials to authenticate the user's identity in requests to services.
     The SSO recommendation is a profile against existing security standards.

  5. Single Sign On Standard
     Allows clients to access a service that requires authentication.
     Supported standards:
     - No authentication required
     - HTTP Basic Authentication
     - Transport Layer Security (TLS) with passwords
     - Transport Layer Security (TLS) with client certificates
     - Cookies
     - Open Authentication (OAuth)
     - Security Assertion Markup Language (SAML)
     - OpenID

  6. Credential Delegation
     The credential delegation protocol allows a client program to delegate a user's credentials to a service such that that service may make requests of other services in the name of that user.
     The protocol defines a REST service that works alongside other IVO services.
     It is based on X.509 certificates, but also on other protocols such as OAuth.
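The delegation flow on this slide, as an added example that is not code from the slides, the IVOA specification or any VO implementation: the user agent issues a credential that one named service may present, in the user's name, to a downstream service, which verifies it before acting. The real protocol delegates X.509 credentials; here an HMAC-signed, time-limited token (an assumption of the example) stands in for the certificate so the exchange runs offline with the standard library, and every key, user and service name is constructed.

```python
"""Credential delegation, illustrated with signed, time-limited delegation tokens.

Added example, not code from the ASTERICS slides, the IVOA specification or any
VO implementation. The IVOA protocol delegates X.509 credentials; here an
HMAC-signed token stands in for the certificate so the flow runs offline with
the standard library. Every key, user and service name below is constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed secret shared by the user agent and the downstream service that
# verifies delegated requests. In the real protocol this trust relationship is
# the user's X.509 certificate chain, not a shared key.
USER_SIGNING_KEY = b"constructed-user-key-not-a-real-secret"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def delegate(user: str, delegate_to: str, lifetime_s: int, key: bytes, now=None) -> str:
    """User-agent step: issue a credential that only `delegate_to` may present,
    in `user`'s name, until it expires. A short lifetime limits the damage if
    the delegated credential leaks from the intermediate service."""
    issued = int(time.time() if now is None else now)
    payload = {"sub": user, "delegate": delegate_to, "iat": issued, "exp": issued + lifetime_s}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_delegation(token: str, presented_by: str, key: bytes, now=None):
    """Downstream-service step. Returns (user, None) when the credential is
    valid for `presented_by`, else (None, reason)."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None, "malformed"
    # Verify the signature before trusting any field of the payload.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None, "bad signature"
    payload = json.loads(body)  # signed by the user agent, so safe to parse
    current = time.time() if now is None else now
    if current >= payload["exp"]:
        return None, "expired"
    # The credential is bound to one delegate, so another service cannot replay it.
    if payload["delegate"] != presented_by:
        return None, "wrong delegate"
    return payload["sub"], None


def delegated_request(token: str, calling_service: str, key: bytes, now=None) -> dict:
    """What a downstream VO service does with a request made by another service
    on a user's behalf: 401 when the delegated credential does not check out."""
    user, reason = verify_delegation(token, calling_service, key, now)
    if user is None:
        return {"status": 401, "error": reason}
    return {"status": 200, "acting_for": user, "via": calling_service}


if __name__ == "__main__":
    tap = "https://tap.example.org/"  # constructed service URL
    tok = delegate("alice", tap, 3600, USER_SIGNING_KEY)
    print(delegated_request(tok, tap, USER_SIGNING_KEY))
    print(delegated_request(tok, "https://other.example.org/", USER_SIGNING_KEY))
```

The three checks the downstream service performs (signature, expiry, intended delegate) are the ones that matter whatever the credential format: a delegated credential that is not bound to a specific service and a lifetime is effectively the user's own credential in someone else's hands.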

  7. Authorization
     The trend in projects and infrastructures is: take care of your own authorization. But:
     - The owner(s) of a resource may, at any time, change the rules by which the resource may be accessed. This is the granting and revoking of access.
     - When users try to access a resource, the granting rules for that resource are evaluated at runtime. This is the authorization check.
     Is the application aware of service authorization? Not necessarily, but it must implement standard messages (e.g. 501 Error: Authorization failed).

  8. IVOA Authz: GMS discussion
     GMS, the Group Management Service, manages authz in terms of groups:
     - A single individual is too restrictive.
     - A list of individuals is difficult to maintain.
     - Grouping individuals and referencing them by a group identifier provides a necessary level of abstraction.
     Used and proposed by the Canadian CADC, tested by INAF.
     Based on RESTful APIs. Fully integrated with IVOA Registry services.
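Slides 7 and 8 together describe one mechanism: owners grant and revoke access, the check runs at request time, and grants name groups rather than individuals. The following is an added example of that mechanism, not the CADC or INAF GMS code nor anything from an IVOA specification; the group-service interface, the rule store, the identifiers and the status codes are all assumptions. The slide's own example message is a 501; the code below returns 403 Forbidden for a failed authorization check and 401 when no identity is present, which is the conventional HTTP usage, and that choice is likewise the example's own.

```python
"""Group-based authorization with grants evaluated at request time.

Added example, not the CADC/INAF GMS code nor an IVOA specification; the group
service interface, the rule store and the HTTP status codes are assumptions for
illustration (403 for a failed authorization check, 401 for a missing identity).
Grants name group identifiers rather than individuals and are looked up on
every check, so a grant or revocation by the resource owner takes effect on
the next request without any change to the application.
"""

# Constructed identifier prefix for groups, in the style of an IVOA identifier.
GROUP_PREFIX = "ivo://example.org/gms#"


class GroupService:
    """Minimal stand-in for a Group Management Service (GMS)."""

    def __init__(self):
        self._members = {}  # group id -> set of user ids

    def add_member(self, group, user):
        self._members.setdefault(group, set()).add(user)

    def remove_member(self, group, user):
        self._members.get(group, set()).discard(user)

    def groups_of(self, user):
        """Groups the user belongs to, resolved at call time, never cached."""
        return {g for g, members in self._members.items() if user in members}


class AuthorizationService:
    """Owner-managed access rules, checked against GMS membership per request."""

    def __init__(self, gms):
        self._gms = gms
        self._owners = {}  # resource id -> owner user id
        self._grants = {}  # resource id -> {permission: set of group ids}

    def register_resource(self, resource, owner):
        self._owners[resource] = owner

    def _require_owner(self, actor, resource):
        if self._owners.get(resource) != actor:
            raise PermissionError(f"{actor} does not own {resource}")

    def grant(self, actor, resource, permission, group):
        """Granting: only the owner may change the rules."""
        self._require_owner(actor, resource)
        self._grants.setdefault(resource, {}).setdefault(permission, set()).add(group)

    def revoke(self, actor, resource, permission, group):
        """Revoking: takes effect on the very next check."""
        self._require_owner(actor, resource)
        self._grants.get(resource, {}).get(permission, set()).discard(group)

    def check(self, user, resource, permission):
        """The authorization check, evaluated at runtime. Returns (status, detail)."""
        if user is None:
            return 401, "authentication required"
        if resource not in self._owners:
            return 404, "unknown resource"
        if self._owners[resource] == user:
            return 200, "owner"
        allowed = self._grants.get(resource, {}).get(permission, set())
        matched = allowed & self._gms.groups_of(user)
        if matched:
            return 200, "member of " + min(matched)
        return 403, "authorization failed"


def scenario():
    """Walk through grant, access, revoke; returns the status seen at each step."""
    gms = GroupService()
    team = GROUP_PREFIX + "survey-team"
    gms.add_member(team, "bob")
    authz = AuthorizationService(gms)
    catalogue = "ivo://example.org/tap/obscore"  # constructed resource id
    authz.register_resource(catalogue, "alice")
    results = {}
    results["before_grant"] = authz.check("bob", catalogue, "read")[0]
    authz.grant("alice", catalogue, "read", team)
    results["after_grant"] = authz.check("bob", catalogue, "read")[0]
    results["write_not_granted"] = authz.check("bob", catalogue, "write")[0]
    gms.add_member(team, "carol")  # new member: no rule change needed
    results["new_member"] = authz.check("carol", catalogue, "read")[0]
    authz.revoke("alice", catalogue, "read", team)
    results["after_revoke"] = authz.check("bob", catalogue, "read")[0]
    results["owner"] = authz.check("alice", catalogue, "write")[0]
    results["anonymous"] = authz.check(None, catalogue, "read")[0]
    try:
        authz.grant("bob", catalogue, "read", team)
        results["non_owner_grant"] = "allowed"
    except PermissionError:
        results["non_owner_grant"] = "refused"
    return results


if __name__ == "__main__":
    for step, status in scenario().items():
        print(f"{step:18} -> {status}")
```

Two points the walkthrough makes visible: membership changes in the group service (carol joining) are picked up without touching the resource's rules, which is the maintenance argument for groups over lists of individuals, and a revocation denies the next request immediately because nothing about the check is cached.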

  9. Acknowledgement
     H2020-Astronomy ESFRI and Research Infrastructure Cluster (Grant Agreement number: 653477).
