During the last decade e-infrastructure communities and their perception of X.509 certificate based access to e-infrastructures has changed significantly. Many of the existing and potential user communities of EGI consider the personal certificate based access as one of the main barriers of uptake. Some of these communities – together with their support teams from the National Grid Infrastructures (NGIs), NRENs and scientific projects – developed various solutions to simplify, sometimes even to completely eliminate, certificate based login mechanism for users. An overview of these solutions is given in a recently published report (Authentication solutions in the European Grid Infrastructure), covering approaches that build on ‘identity federations’. The previous blog post introduced the concept and benefits of identity federations; this post summarises related activities from the EGI community.
Identity federations enable users to access EGI services with username-password they were given by their home institutions and what they traditionally use for accessing institutional services such as email or intranet. There are basically two ways on how federated authentication can be integrated with the grid or federated cloud
offerings that NGIs provide:
- The grid/cloud sites could host middleware services that can connect these services to identity federations as service providers;
- The sites are integrated with identity federations through intermediary services that translate federated identities to grid/cloud specific identities, i.e. to X.509 certificates.
The first option requires significant changes to the middleware or hypervisor technologies and therefore could be achieved only with an enormous development work. The second case requires much less effort and can build on top of the existing grid middleware and cloud mechanisms. No surprise that several NGIs already provide bridging technologies to interface identity federations with grid, cloud middleware or portal environments. The most notable examples are provided by INFN Catania (using the Catania Science Gateway Framework), the SCI-BUS project (WS-PGRADE Science Gateway Technology) and the Swiss NGI (GridCertLib ). These solutions – alongside with other mechanisms – will be presented at the one day long AAI workshop of the EGI Technical Forum
, which aims to define an action plan for the harmonised adoption of emerging Authentication & Authorisation solutions within the European Grid Infrastructure.
Another important development in EGI is the ‘Grid Identity Pool
’ federation (GrIDP in short) which was recently established by the Grid Team at INFN Catania. GrIDP is an open federation that aims to facilitate cross-institutional, cross-national access to e-infrastructure services. The federation already includes 14 service providers
, all being science gateways that provide project or community-specific services for communities of interest in Italy, Europe or beyond. Among the five GrIDP identity providers
there is EGI.eu, with its Single Sign On identity database (SSO). Those who have an EGI SSO account, which is by the way free
to anyone, can access services of the GrIDP federation, and services of EGI, such as the Applications Database
. In the next future we would like to:
- Expand the GrIDP federation with additional service and identity providers;
- Establish identity providers that can perform strong identity validation, i.e. ensure that the credentials they issue really belong to the persons identified;
- Extend the federation with an 'attribute provider service' that could be uses to link project specific, experiment specific or other types of attributes to personal identities in order to simplify user authorization for service providers. Current candidates to fill this role are Grouper from Internet2 and COIP from Nordunet.