Authentication and Authorization in Astronomy: A Deep Dive into ASTERICS

 
12/12/2016, ASTERICS-OBELICS Workshop 2016 / Rome
 
Authentication and Authorization in the VO

1st ASTERICS-OBELICS Workshop
12-14 December 2016, Rome, Italy.
 
Authentication and Authorization in the Virtual Observatory
 
Dr. Giuliano Taffoni
INAF – Osservatorio Astronomico di Trieste
Deputy Chair, IVOA Grid & Web Services WG
 
What is Auth and Authz
 
What is the scope?
Authentication is the process by which you verify that someone is who they claim to be.

Authorization is the process of establishing whether a user (who has already been authenticated) is permitted to access a resource.

Who is it for?
Researchers, developers, projects …
But each used to have its own solution.
 
The Virtual Observatory Approach
 
 
“The single-sign-on architecture is a system in which users assign cryptographic credentials to user agents so that the agents may act with the user’s identity and access rights.”

“This standard describes how agents use those credentials to authenticate the user’s identity in requests to services.”

The SSO recommendation “is a profile against existing security standards”.
 
Single Sign On Standard
 
Allow “clients” to access a service that requires authentication.
Supported mechanisms:
- No authentication required.
- HTTP Basic Authentication
- Transport Layer Security (TLS) with passwords
- Transport Layer Security (TLS) with client certificates
- Cookies
- OAuth (Open Authorization)
- Security Assertion Markup Language (SAML)
- OpenID
 
Credential Delegation
 
The credential delegation protocol allows a client program to delegate a user's credentials to a service, such that that service may make requests of other services in the name of that user. The protocol defines a REST service that works alongside other IVO services.
It is based on X.509 certificates, but other protocols such as OAuth can also be used.
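
The delegation step described above, as an added worked example (not code from the talk or from the IVOA protocol's implementations): both sides of an X.509-based delegation in Go, using only the standard library. A self-signed root stands in for the VO certificate authority and issues the user's credential; the service generates a key pair and a CSR for it; the user's agent checks the CSR and signs a short-lived, non-CA certificate for the service's key; a downstream service validates the chain and reads off which user the certificate speaks for. The names (Example VO CA, Alice Astronomer, tap.example.org), the 10-minute lifetime, and the use of a CA-capable user credential in place of proxy-certificate conventions are assumptions of the example, not part of the protocol as the slide describes it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	return k
}

// issue signs tmpl for public key pub with the parent's private key priv.
func issue(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // unique enough for a stand-alone run
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// newCredential issues a CA-capable credential: with a nil parent the self-signed root
// standing in for the VO CA, otherwise a user credential with path length zero, so
// nothing the user signs can itself act as a CA.
func newCredential(cn string, parentCert *x509.Certificate, parentKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(30 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  true,
		MaxPathLenZero:        parentCert != nil,
	}
	if parentCert == nil {
		parentCert, parentKey = tmpl, key
	}
	cert, err := issue(tmpl, parentCert, &key.PublicKey, parentKey)
	return key, cert, err
}

// serviceRequest is the service's side: a fresh key pair and a CSR for it; the private key never leaves the service.
func serviceRequest(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key := newKey()
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, csr, err
}

// delegate is the user agent's side: check the CSR's proof of possession, then sign a short-lived, non-CA certificate for the service's key.
func delegate(userCert *x509.Certificate, userKey *ecdsa.PrivateKey, csrDER []byte, ttl time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: userCert.Subject.CommonName + "/delegated"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, // IsCA stays false: the service cannot re-delegate
	}
	return issue(tmpl, userCert, csr.PublicKey, userKey)
}

// verifyDelegated is the downstream service's check: validate the chain back to the CA as of `at`
// and return the CA-issued user the certificate speaks for.
func verifyDelegated(leaf, ca *x509.Certificate, at time.Time, intermediates ...*x509.Certificate) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return "", err
	}
	chain := chains[0] // leaf, user credential, root
	return chain[len(chain)-2].Subject.CommonName, nil
}

func main() {
	caKey, caCert, _ := newCredential("Example VO CA", nil, nil)
	aliceKey, aliceCert, _ := newCredential("Alice Astronomer", caCert, caKey)
	_, csr, _ := serviceRequest("tap.example.org")
	deleg, _ := delegate(aliceCert, aliceKey, csr, 10*time.Minute)
	fmt.Println(verifyDelegated(deleg, caCert, time.Now(), aliceCert))
	fmt.Println(verifyDelegated(deleg, caCert, time.Now().Add(time.Hour), aliceCert)) // expired
}
```

Three failure modes matter, and all three fall out of chain validation rather than application logic: an expired delegated certificate is refused once the verification time passes its NotAfter; a CSR whose signature does not verify is refused before anything is signed, so the service must prove it holds the private key it wants a certificate for; and because the delegated certificate is not a CA and the user credential carries path length zero, the service cannot forward the identity a second hop by signing with the delegated key. The short lifetime is what limits the damage if the service is compromised, since there is no revocation in this flow.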
 
 
Authorization
 
The trend in projects and infrastructures is “take care of your own authorization”, but:
The owner(s) of a resource may, at any time, change the rules by which the resource may be accessed. This is the granting and revoking of access.
When users try to access a resource, the granting rules for that resource are evaluated at runtime. This is the authorization check.
Is the application aware of service authorization?

Not necessarily,

but it must return the standard HTTP status codes (e.g. 403 Forbidden when the authorization check fails, 401 Unauthorized when no valid credential was presented).
 
 
 
IVOA Authz: GMS discussion
 
GMS (Group Management Service): manage authz in terms of groups.
- A single individual is too restrictive.
- A list of individuals is difficult to maintain.
- Grouping individuals and referencing them by a group identifier provides the necessary level of abstraction.
Proposed and used by the Canadian CADC, tested by INAF.
Based on RESTful APIs.
Fully integrated with IVOA Registry services.
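
An added example, not code from the talk or from CADC's GMS implementation, showing the Authorization and GMS slides together in Go: an owner-controlled grant table that is read at request time, a GMS-style membership lookup behind a one-method interface, and a wrapper that keeps the application handler unaware of the decision while returning the standard answers (401 when there is no authenticated identity, 403 when the identity has no matching grant). HTTP Basic against an in-memory password table stands in for the SSO layer; the resource path, the group identifier ivo://example.org/gms?proposal-42, the user names and the passwords are all constructed for the example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// users is a constructed password table standing in for the SSO layer's
// backend; a real service would verify a client certificate, SAML assertion
// or OAuth token here instead.
var users = map[string]string{"alice": "correct horse", "bob": "battery staple"}

// GroupService is the one question the authorizer asks a GMS-style service.
type GroupService interface{ IsMember(user, group string) bool }

// memoryGMS is an in-memory stand-in for a real group service (constructed
// here): group identifier -> set of members.
type memoryGMS map[string]map[string]bool

func (g memoryGMS) IsMember(user, group string) bool { return g[group][user] }

// grant is one rule: members of group may perform action.
type grant struct{ group, action string }

// policy maps a resource path to its active grants. It is consulted on every
// request, so granting or revoking takes effect on the next request.
type policy map[string]map[grant]bool

func (p policy) set(resource, group, action string, on bool) {
	if p[resource] == nil {
		p[resource] = map[grant]bool{}
	}
	p[resource][grant{group, action}] = on
}

// allowed is the authorization check proper.
func (p policy) allowed(gms GroupService, user, resource, action string) bool {
	for g, on := range p[resource] {
		if on && g.action == action && gms.IsMember(user, g.group) {
			return true
		}
	}
	return false
}

// guard authenticates (HTTP Basic here) and then authorizes, in front of an
// application handler that never sees the decision itself.
func guard(pol policy, gms GroupService, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, ok := r.BasicAuth()
		want, known := users[user]
		if !ok || !known || subtle.ConstantTimeCompare([]byte(pass), []byte(want)) != 1 {
			// no usable identity: 401, and name the scheme the client should use
			w.Header().Set("WWW-Authenticate", `Basic realm="vo"`)
			http.Error(w, "authentication required", http.StatusUnauthorized)
			return
		}
		action := "write"
		if r.Method == http.MethodGet || r.Method == http.MethodHead {
			action = "read"
		}
		if !pol.allowed(gms, user, r.URL.Path, action) {
			// authenticated, but no grant matches: 403, not 401
			http.Error(w, "not authorized", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// status sends one in-memory request through h and returns the HTTP status;
// user == "" sends no credentials.
func status(h http.Handler, method, path, user, pass string) int {
	req := httptest.NewRequest(method, path, nil)
	if user != "" {
		req.SetBasicAuth(user, pass)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	const res, grp = "/data/proposal-42", "ivo://example.org/gms?proposal-42"
	gms, pol := memoryGMS{grp: {"alice": true}}, policy{}
	pol.set(res, grp, "read", true)
	h := guard(pol, gms, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s %s ok\n", r.Method, r.URL.Path)
	}))
	fmt.Println("anonymous GET:", status(h, "GET", res, "", ""))                 // 401
	fmt.Println("alice GET:", status(h, "GET", res, "alice", "correct horse"))   // 200
	fmt.Println("alice POST:", status(h, "POST", res, "alice", "correct horse")) // 403
	fmt.Println("bob GET:", status(h, "GET", res, "bob", "battery staple"))      // 403
	pol.set(res, grp, "read", false) // the owner revokes; the next request sees it
	fmt.Println("alice after revoke:", status(h, "GET", res, "alice", "correct horse")) // 403
}
```

The check runs on every request against the live policy, so the owner's revoke in main takes effect on the very next request without restarting anything; caching decisions would reintroduce exactly the staleness the slide warns about. Note also that a missing credential and a wrong password both map to 401, while a known user outside the group gets 403: the two codes separate "I do not know who you are" from "I know who you are and the answer is no", and a client that retries with credentials on a 403 is wasting its time.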
 
Acknowledgement
 
H2020-Astronomy ESFRI and Research Infrastructure Cluster (Grant Agreement number: 653477).
 