Difference: EsiSelvitys (1 vs. 75)

Revision 75 (2008-11-21) - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 115 to 115
 The automatic access procedure can have the following Shibboleth attributes (example):

  • User Pekka is a researcher in the Huippu university.
Changed:
<
<
  • He wants access to =ResourceZ=.
>
>
  • He wants access to ResourceZ.
 
  • Pekka belongs to the group huippu.
Changed:
<
<
  • His user attributes follow the format HTTP_!SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
>
>
  • His user attributes follow the format HTTP_SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
 
  • The owner of ResourceZ has authorized the group huippu to access ResourceZ.
  • Pekka is granted access to ResourceZ.
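Review bot: the example never says where HTTP_SHIB_EP_PRINCIPALNAME comes from; state that the Shibboleth SP sets it in the server environment after a successful authentication and that the application reads it from there, never from a header supplied by the client, otherwise the automatic access procedure can be fed a forged principal name. Dropping the =...= markup around ResourceZ is fine as long as the rendered page still shows the name literally.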
Line: 148 to 148
 Referee's authorization procedure for a new user could be the following:

  1. The user is forwarded to a page containing a list of referees ordered by country: Does any referee know the user? Some applications may skip the referee procedure.
Changed:
<
<
  1. If the user expects that one or two referees know him/her, (s)he selects that/those referee(s). The application will be sent by email to up to two referees with links for recommending and denying.
>
>
  1. If the user expects that a referee knows him/her, (s)he selects that referee. The application will be sent by email to the referee with links for recommending and denying.
 
  1. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted. The referee can also identify the user if needed.
    • If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator.
    • If the referee selects the deny link, a rejection message will be sent to the administrator. Despite being rejected by the referee, the administrator still retains the option to accept the application, providing the owner agrees.
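Review bot: the steps all render as "1." and the bullet "If the user does not know any referee" now sits under the recommendation step although it answers the question asked in the first step; renumber and move it up. The text should also say how the emailed recommend/deny links are protected, for example that each link carries a single-use, expiring token bound to that application and referee, so a forwarded or leaked mail cannot approve an application, and that the referee's own identity is checked before the recommendation counts.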
Line: 162 to 162
  If the user cannot be authenticated with Shibboleth, (s)he can fill in the electronic application form as non-registered to apply for authorization to access the resource.
Changed:
<
<
In this case, the email address of the user needs to be verified. If the user is authorized to access the resource, the referee or the owner can authenticate the user. Commercial users need to contact the Sales organization and sign a contract to access resources.
>
>
In this case, the email address of the user needs to be verified. If the user is authorized to access the resource, the referee or the owner can authenticate the user. Commercial users need to sign a contract to access resources.
 

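Review bot: both versions put authorization before authentication: "If the user is authorized to access the resource, the referee or the owner can authenticate the user" should read the other way round, since the referee or owner has to confirm who the non-registered applicant is before access is granted, and e-mail verification on its own only shows control of the mailbox. Suggest: "Before the user is authorized to access the resource, the referee or the owner authenticates the user."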
Conclusion

Line: 178 to 178
  Personal certificates will not be used.
Changed:
<
<
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220532126" name="linguistics_user_automatic_process_draft.png" path="linguistics_user_automatic_process_draft.png" size="39363" user="Main.SatuTorikka" version="2"
>
>
META FILEATTACHMENT attachment="linguistics_user_automatic_process_draft.png" attr="" comment="" date="1227260312" name="linguistics_user_automatic_process_draft.png" path="linguistics_user_automatic_process_draft.png" size="41196" stream="linguistics_user_automatic_process_draft.png" tmpFilename="/usr/tmp/CGItemp63427" user="SatuTorikka" version="3"
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
Changed:
<
<
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220533210" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="130891" user="Main.SatuTorikka" version="5"
>
>
META FILEATTACHMENT attachment="linguistics_user_controlled_process_draft.png" attr="" comment="" date="1227260382" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="130771" stream="linguistics_user_controlled_process_draft.png" tmpFilename="/usr/tmp/CGItemp63628" user="SatuTorikka" version="6"
 
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219758845" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" user="Main.SatuTorikka" version="6"

Revision 74 (2008-10-15) - PekkaJarvelainen


Line: 98 to 98
  eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready.
Changed:
<
<
CSC has proposed to allocate ½ FTE per year in the upcoming GN3 project to work on Service Action 3 Task 4 of EduGAIN. HAKA specialists would like to continue contributing like they have done in GN2. GN3 project proposal is still under editing and the project is planned to start in April 2009.
>
>
CSC has proposed to allocate ½ FTE per year in the upcoming GN3 project to work on Service Action 3 Task 4 of EduGAIN. HAKA specialists would like to continue contributing like they have done in GN2. GN3 project proposal is still under editing and the project is planned to start in April 2009.
 

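Review bot: the old and new paragraphs are identical character for character, so the change at line 98 is whitespace or markup only and shows nothing to the reader; if a wording change was intended it was not saved. The paragraph also spells the project both "EduGAIN" and "eduGAIN"; use one form.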
Data access model

Revision 73 (2008-09-16) - PekkaJarvelainen


Revision 72 (2008-09-15) - PekkaJarvelainen


Line: 82 to 82
  Haka is the identity federation of the Finnish universities, polytechnics and research institutions. HAKA uses SAML2/Shibboleth technolgy. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services. A similar Higher Education federation in the USA is InCommon, which has an annual fee of $1000. Although the software encourages the federation model, bilateral agreements are, of course, possible.
Added:
>
>
The list of the federations and their status.
 Kalmar Union is a SAML2 project that will connect the Nordic countries' academic communities to establish a Nordic cross-federation. Haka will most probably join the Kalmar Union in spring 2009 when the it is scheduled to be in operation.

CSC could easily integrate the Haka authentication in the electronic application form, where the application form would serve as a Service Provider.
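Review bot: the added paragraph has a stray "the" in "when the it is scheduled to be in operation", and "The list of the federations and their status." reads like a link whose target was lost; give the URL or drop the line. "technolgy" in the preceding context line should be "technology".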

Revision 71 (2008-09-05) - PekkaJarvelainen


Line: 51 to 51
  The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
Changed:
<
<
TERENA has also a repository containing verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that no Finnish operators nor NorduGrid, used Nordic grid operations, are present. It is not possible to get TACAR-accepted certificates in Finland. TACAR is a list of certificates not known by browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and using them costs much less than setting up an own Public Key Infrastructure.
>
>
TERENA has also a repository containing verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that no Finnish operators nor NorduGrid, used Nordic grid operations, are present. It will be very difficult to get TACAR-accepted certificates in Finland. TACAR is a list of certificates not known by browsers by default, which make them totally unsuitable web usage . CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and using them costs much less than setting up an own Public Key Infrastructure.
  Commercial certificates based on credit cards may not be vary reliable, because there is some evidence of a black market for stolen credit cards.
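Review bot: the new sentence "which make them totally unsuitable web usage ." is missing "for" and has a space before the full stop; "NorduGrid, used Nordic grid operations" is missing "for"; "vary reliable" should be "very reliable". It would also help to state the reason TACAR roots are unsuitable here: every browser user would first have to import the root CA manually, which is the cost the next sentence contrasts with the TeliaSonera certificates.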

Revision 70 (2008-09-05) - ManneMiettinen


Line: 94 to 94
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role for the user). Some national systems lack the attributes or they are very few. eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Changed:
<
<
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready. It is planned to start in April 2009.
>
>
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready.

CSC has proposed to allocate ½ FTE per year in the upcoming GN3 project to work on Service Action 3 Task 4 of EduGAIN. HAKA specialists would like to continue contributing like they have done in GN2. GN3 project proposal is still under editing and the project is planned to start in April 2009.

 
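Review bot: moving "It is planned to start in April 2009" out of the eduGAIN paragraph resolves the ambiguity (it referred to GN3, not to the eduGAIN 1.0 release), but the new paragraph spells the project both "EduGAIN" and "eduGAIN"; use one form, and expand or link "Service Action 3 Task 4" so a reader can check what the ½ FTE is committed to.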

Data access model

Revision 69 (2008-09-05) - SatuTorikka


Line: 12 to 12
  If both the administrator and the corpus owner accept the application, the administrator requests the CSC user manager to add the user to the group granting the required permissions. If the application is rejected, the administrator informs the user personally. As the number of corpora grows, the application form may have to be split into two or more parts.
Changed:
<
<

CSC user account management

>
>

CSC user account management

  After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
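Review bot: the old and new "CSC user account management" headings are identical, so this is a markup-only change. The paragraph that follows states that the signed paper form is what authenticates the user; reconcile that with the Shibboleth-based automatic procedure later on the page by saying whether a Shibboleth-authenticated applicant still needs to send the paper form.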
Line: 147 to 147
 
  1. If the user expects that one or two referees know him/her, (s)he selects that/those referee(s). The application will be sent by email to up to two referees with links for recommending and denying.
  2. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted. The referee can also identify the user if needed.
    • If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator.
Changed:
<
<
    • If the referee selects the deny link, a rejection message will be sent to the the administrator. Despite being rejected by the referee, the administrator still retains the option to accept the application, providing the owner agrees.
>
>
    • If the referee selects the deny link, a rejection message will be sent to the administrator. Despite being rejected by the referee, the administrator still retains the option to accept the application, providing the owner agrees.
  The same application form can also be used to collect new referee information. The form should contain a check-box for the referee candidate to express his/her willingness to function as a referee.
Line: 156 to 156
 

Non-registered users

Changed:
<
<
If the user cannot be authenticated with Shibboleth, [s]he can fill in the electronic application form as non-registered to apply for authorization to access the resource.
>
>
If the user cannot be authenticated with Shibboleth, (s)he can fill in the electronic application form as non-registered to apply for authorization to access the resource.
  In this case, the email address of the user needs to be verified. If the user is authorized to access the resource, the referee or the owner can authenticate the user. Commercial users need to contact the Sales organization and sign a contract to access resources.
Line: 165 to 165
 The cost/usefulness diagram below compares available AAI technologies: Certificates, eduGain, Saml2/Shibboleth and Referees.

techcostusefullness.png

Changed:
<
<
Figure: Technology cost/usefulness diagram (Pekka Järveläinen, CSC)
>
>
Figure: Technology cost/usefulness diagram (Pekka Järveläinen, CSC)
  The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential users available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information cannot be expected. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.

Revision 68 (2008-09-05) - TeroAalto


Line: 16 to 16
  After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
Changed:
<
<
Users access to linguistic resources via CSC's web interface Scientist's interface, or by logging on a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Users here mean end-users of resources. Technically, each resource corresponds to a UNIX group. Each user can be a member of several groups but each resource can have only one. The user may view and edit his personal information section via the Scientist's interface.
>
>
Users gain access to the linguistic resources via CSC's web interface Scientist's interface, or by logging on a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. In this context, users mean end-users of the resources. Technically, each resource corresponds to a UNIX group. Each user can be a member of several groups but each resource can have only one. The user may view and edit his personal information section via the Scientist's interface.
 

Challenges

Revision 67 (2008-09-05) - SatuTorikka


Line: 16 to 16
  After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
Changed:
<
<
Users access to linguistic resources via CSC's web interface Scientist's interface, or by logging on a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Technically, each resource corresponds to a UNIX group. Each user can be a member of several groups but each resource can have only one. The user may view and edit his personal information section via the Scientist's interface.
>
>
Users access to linguistic resources via CSC's web interface Scientist's interface, or by logging on a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Users here mean end-users of resources. Technically, each resource corresponds to a UNIX group. Each user can be a member of several groups but each resource can have only one. The user may view and edit his personal information section via the Scientist's interface.
 

Challenges

Revision 66 (2008-09-05) - PekkaJarvelainen


Line: 61 to 61
  Shibboleth has two major halves: an identity provider (IdP) that authenticates users and releases selected information about them and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources.
Changed:
<
<
The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java and operates in any standard servlet container like Tomcat, which is a freely distributed IdP www server. Unlike the better-known Apache httpd server, Tomcat is based on Java and implements the Java Servlet and JavaServer Pages definitions.
>
>
The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java and operates in any standard servlet container like Tomcat, which is a freely distributed www server. Unlike the better-known Apache httpd server, Tomcat is based on Java and implements the Java Servlet and JavaServer Pages definitions.
  In addition, Shibboleth contains the WAYF (Where Are You From) server component. After connecting to a resource in order to gain access to it, the user will be redirected to the WAYF server to be authenticated at the user's home organization. The role of the WAYF server is to present a list of home organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to be reauthenticated. An example: HAKA WAYF server page.
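Review bot: calling Tomcat a "freely distributed www server" is loose; the same sentence already uses the accurate term, "servlet container", and the contrast with Apache httpd is clearer if it says that Tomcat is a Java servlet container rather than a general-purpose web server. "An example: HAKA WAYF server page." in the context line reads like a link whose target was lost.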

Revision 65 (2008-09-05) - SatuTorikka


Line: 145 to 145
 
  1. The user is forwarded to a page containing a list of referees ordered by country: Does any referee know the user? Some applications may skip the referee procedure.
  2. If the user expects that one or two referees know him/her, (s)he selects that/those referee(s). The application will be sent by email to up to two referees with links for recommending and denying.
Changed:
<
<
  1. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted.
>
>
  1. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted. The referee can also identify the user if needed.
 
    • If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator.
    • If the referee selects the deny link, a rejection message will be sent to the the administrator. Despite being rejected by the referee, the administrator still retains the option to accept the application, providing the owner agrees.
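Review bot: "The referee can also identify the user if needed" does not say what identifying means here (confirming that the applicant is the person named in the application, as opposed to recommending access) or how the referee records it; spell that out, because the non-registered users section relies on the referee for authentication.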
Line: 153 to 153
  Figure: User process for linguistics with Shibboleth authentication, electronic applications and referees
Deleted:
<
<

Contract customers' procedure

 
Changed:
<
<
If the user cannot be authenticated with Shibboleth, (s)he can make a contract to use linguistic services (for example users from research institutes or companies). # The applicant fills the electronic application form (non-secured, open to everyone). # Open applications require an e-mail address verification when submitted.
>
>

Non-registered users

If the user cannot be authenticated with Shibboleth, [s]he can fill in the electronic application form as non-registered to apply for authorization to access the resource.

In this case, the email address of the user needs to be verified. If the user is authorized to access the resource, the referee or the owner can authenticate the user. Commercial users need to contact the Sales organization and sign a contract to access resources.

 
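Review bot: the deleted paragraph's "# The applicant fills ... # Open applications require ..." were TWiki list items that had been run into one line, which the replacement fixes. The new text, however, keeps authorization before authentication ("If the user is authorized..., the referee or the owner can authenticate the user"); the order should be reversed, since the referee or owner must confirm who the applicant is before access is granted.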

Conclusion

Revision 64 (2008-09-05) - TeroAalto


Line: 16 to 16
  After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
Changed:
<
<
Users access to linguistic resources via CSC's web interface Scientist's interface, or by logging on a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Technically, each resource corresponds to a UNIX group. The user may view and edit his personal information section via the Scientist's interface.
>
>
Users access to linguistic resources via CSC's web interface Scientist's interface, or by logging on a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Technically, each resource corresponds to a UNIX group. Each user can be a member of several groups but each resource can have only one. The user may view and edit his personal information section via the Scientist's interface.
 

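Review bot: "each resource can have only one" is ambiguous in the added sentence; write "each resource is mapped to exactly one UNIX group", since this one-to-one mapping is what lets group membership stand in for the access decision. The sentence also needs "Users gain access to" rather than "Users access to".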
Challenges

Changed:
<
<
As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for administrators to reliably assess and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other.
>
>
As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It is neither possible for administrators to reliably assess and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other.
 
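Review bot: "It is neither possible for administrators to reliably assess and monitor the users" has "neither" without "nor"; write "Nor is it possible for administrators to reliably assess and monitor the users".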
Changed:
<
<
The growing number of users with various needs puts pressure on automatisation of user processes. Automatisation of user processes can raise the quality of service to users, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. CSC has already made plans for new web-based application forms and electronic user processes. CSC has purchased the Sun Identity Manager (IdM) software for identity management.
>
>
The growing number of users with various needs puts pressure on automatisation of user processes. Automatisation of user processes can raise the quality of service experienced by the users, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety and give better tools for monitoring. CSC has already made plans for new web-based application forms and electronic user processes. CSC has purchased the Sun Identity Manager (IdM) software for identity management.
 
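Review bot: "increase safety" in the new version most likely means "increase security" (the preceding item already covers human errors); "automatisation" is usually "automation".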

AAI Technologies

Changed:
<
<
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) which CSC is involved are presented: Certificates, Saml2/Shibboleth and EduGain. You can find detailed information about various AAI technologies in Report on comparison and assessment of eID management solutions interoperability.
>
>
The currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) which CSC is involved are presented: Certificates, Saml2/Shibboleth and eduGain. Detailed information about the various AAI technologies can be found in the Report on comparison and assessment of eID management solutions interoperability.
 
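Review bot: "which CSC is involved" is missing "in" ("in which CSC is involved"); also use one spelling for SAML2/Shibboleth and eduGAIN across the page (here "Saml2/Shibboleth" and "eduGain").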

Certificates

Changed:
<
<
Certificates can be used to identify a person or a server. A personal certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data. Server certificates are widely used to identify servers e.g Shibboleth or any SSL/TLS (HTTPS) servers.
>
>
Certificates can be used to identify a person or a server. A personal certificate is a file that uniquely identifies its owner. The certificates contain information identifying the owner of the certificate, the public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate and some other data. Server certificates are widely used to identify servers, e.g. Shibboleth or any SSL/TLS (HTTPS) servers.
 
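Review bot: "A personal certificate is a file that uniquely identifies its owner" overstates what a certificate does; the certificate only binds a public key to the subject name under the CA's signature, and the holder proves ownership by using the matching private key. That is worth saying here, since the Cons list below hinges on exactly that private key (extra passwords or PINs, hardware tokens and readers).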
Changed:
<
<
The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are widely used in Estonia only.
>
>
The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are only widely used in Estonia.
 

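Review bot: RFC 3280 has been obsoleted by RFC 5280 (May 2008), so cite rfc5280 for the X.509 certificate profile.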
Pros

Line: 44 to 43
 
  • not widely used
  • contain only name and email information
Changed:
<
<
  • difficult infrastructure, user certificates used only by the grid
>
>
  • difficult infrastructure, user certificates only used by the grid
 
  • difficult to use, one or two more passwords or pins
Changed:
<
<
  • difficult to program, most common C/Python-Application Programming Interface openssl isn't well documented.
  • hardware ones are expensive, 40 ¤ and require reader (windows only driver) about same cost
>
>
  • difficult to program, the most common C/Python-Application Programming Interface, openssl is not well documented
  • hardware ones are expensive (40 ¤) and require a reader (Windows-only driver) with about the same cost
 
  • trust issues

The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.

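Review bot: the "¤" in "40 ¤" is the generic currency sign and is almost certainly a mis-encoded "€"; write "40 €" or spell out euros. "openssl" as a library is usually written "OpenSSL", and "the most common C/Python-Application Programming Interface, openssl is not well documented" reads better as "the most common C and Python API, OpenSSL, is not well documented".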
Changed:
<
<
Also TERENA has a repository which contains verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor NorduGrid, which is used Nordic grid operations. It's NOT possible to get TACAR accepted certificates in Finland. TACAR is list of certificates NOT know browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and cost are much lower than setup own Public Key Infrastructure.
>
>
TERENA has also a repository containing verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that no Finnish operators nor NorduGrid, used Nordic grid operations, are present. It is not possible to get TACAR-accepted certificates in Finland. TACAR is a list of certificates not known by browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and using them costs much less than setting up an own Public Key Infrastructure.
 
Changed:
<
<
Commercial certificates based on credit cards may not be vary reliable, because there is some evidence of black market for stolen credit cards.
>
>
Commercial certificates based on credit cards may not be vary reliable, because there is some evidence of a black market for stolen credit cards.
 
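Review bot: "vary reliable" is still "very reliable" in both versions. The sentence could also say what the weakness is: a credit card only shows that someone could pay, not who they are, so a certificate issued on that basis carries little identity assurance.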

SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an OASIS standard for XML exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for web single sign-on across or within organizational boundaries. Shibboleth version 2 is directly compatible with SAML2 version. A user authenticates with his or her organizational credentials. A single password is required for multiple applications. In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources.
>
>
SAML (Security Assertion Markup Language) is an OASIS standard for exchanging authentication, access rights and attribute information in XML. Shibboleth is a SAML-based, open source software package for web single sign-on across or within organizational boundaries. Shibboleth version 2 is directly compatible with SAML2 version. A user in authenticated with his or her organizational credentials. A single password is required for multiple applications. In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources.
 
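Review bot: the new version introduces a typo, "A user in authenticated" should be "A user is authenticated", and "compatible with SAML2 version" should be "compatible with SAML 2.0".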
Changed:
<
<
Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
>
>
Shibboleth has two major halves: an identity provider (IdP) that authenticates users and releases selected information about them and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources.
 
Changed:
<
<
In addition, Shibboleth contains the WAYF server component. After connecting to a resource to access it, the user will be redirected to the WAYF (Where Are You From) server to be authenticated at user's home organization. The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to reauthenticate. An example:
>
>
The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java and operates in any standard servlet container like Tomcat, which is a freely distributed IdP www server. Unlike the better-known Apache httpd server, Tomcat is based on Java and implements the Java Servlet and JavaServer Pages definitions.

In addition, Shibboleth contains the WAYF (Where Are You From) server component. After connecting to a resource in order to gain access to it, the user will be redirected to the WAYF server to be authenticated at the user's home organization. The role of the WAYF server is to present a list of home organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to be reauthenticated. An example:

 HAKA WAYF server page.
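Review bot: in the new paragraph, Tomcat is described as "a freely distributed IdP www server"; Tomcat is a general-purpose servlet container that hosts the IdP web application rather than an IdP-specific server, so "a freely distributed web server and servlet container in which the IdP runs" would be accurate. "Java Servlet and JavaServer Pages definitions" should read "specifications".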
Changed:
<
<
For a series of technical explanations of how Shibboleth works, from easy to expert, refer to SWITCH Demo.
>
>
For a series of technical explanations on how Shibboleth works, from easy to expert, refer to SWITCH Demo.
 
Changed:
<
<
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service. The funetEduPerson schema is compatible with SCHAC schema.
>
>
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service. The funetEduPerson schema is compatible with the SCHAC schema.
  The mandatory attributes are:
  • cn, commonName, displayName + sn
  • sn, surName, family name
  • displayName, used givenName, the name the individual has registered as the one (s)he uses
Changed:
<
<
  • eduPersonPrincipalName, should be represented in the form user@scope, where scope defines a local security domain
>
>
  • eduPersonPrincipalName, should be represented in the form user@scope, where scope defines a local security domain
 
  • schacHomeOrganization, specifies a person´s home organization using the domain name of the organization.
  • schacHomeOrganizationType, countrycode:string, fi:university
Changed:
<
<
The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.
>
>
The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for the Haka federation. Adding new mandatory attributes is a very difficult and slow process and therefore only recommended in cases where additional information is truly vital.
 
Changed:
<
<
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. HAKA uses SAML2/Shibboleth technolgy. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services. Similar Higher Education federation in the USA is InCommon which has an annual fee of $1000. Although the software encourages federation bilateral agreements are of course possible.
>
>
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. HAKA uses SAML2/Shibboleth technolgy. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services. A similar Higher Education federation in the USA is InCommon, which has an annual fee of $1000. Although the software encourages the federation model, bilateral agreements are, of course, possible.
 
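Review bot: "technolgy" in the first sentence of the new paragraph is a typo for "technology" carried over from the old text, and "Haka" and "HAKA" are both used for the same federation within one paragraph; pick one spelling.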
Changed:
<
<
Kalmar Union is a SAML2 project that will connect Nordic countries' academic communities to establish a Nordic cross-federation. Haka will most probably join the Kalmar Union in spring 2009 when the Kalmar Union is scheduled to be in operation.
>
>
Kalmar Union is a SAML2 project that will connect the Nordic countries' academic communities to establish a Nordic cross-federation. Haka will most probably join the Kalmar Union in spring 2009 when the it is scheduled to be in operation.
 
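Review bot: "when the it is scheduled" in the new sentence has a stray "the"; it should read "when it is scheduled to be in operation".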
Changed:
<
<
CSC could easily integrate the Haka authentication in the electronic application form, where the application form would serve as Service Provider.
>
>
CSC could easily integrate the Haka authentication in the electronic application form, where the application form would serve as a Service Provider.
 

eduGAIN

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).

Changed:
<
<
There are a number of AAI systems developed and used on the national (NREN, National Research and Education Network) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.

In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.

>
>
There are a number of AAI systems developed and used on the national (NREN, National Research and Education Network) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.
 
Changed:
<
<
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready. It's planned to start in April 2009.
>
>
In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role for the user). Some national systems lack the attributes or they are very few. eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
 
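Review bot: the added sentence "Some national systems lack the attributes or they are very few" leaves "they" without a clear referent; "Some national systems release no such attributes, or only very few" says it directly.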
Changed:
<
<

Referees

CHECK?? An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.

>
>
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready. It is planned to start in April 2009.
 
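Review bot: the last sentence of the moved paragraph, "It is planned to start in April 2009", has no clear referent after the April 2010 policy date; say what starts in April 2009 (the pilot phase or the 1.0 release). "dated to be ready" reads better as "scheduled to be ready".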

Data access model

Changed:
<
<
Shibboleth will be used to authenticate users of the Language Bank of Finland. Access to resources will be granted with a single authentication after providing username and password. Resources represent sets of corpora, linguistic programs or other permissions.
>
>
Shibboleth will be used to authenticate users of the Language Bank of Finland. Access to the resources will be granted with a single authentication transaction by providing username and password. The resources represent sets of corpora, linguistic programs or other permissions.
 
Changed:
<
<
After the user connects to a desired resource, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource. If the owner of the resource has set limits on its use, the user can continue to the owner controlled application procedure. A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources. If the user cannot be authenticated with Shibboleth, [s]he can make a contract to use linguistic services.
>
>
After the user connects to a desired resource, (s)he can access the resource automatically if (s)he belongs to a group that is allowed to access the named resource. If the owner of the resource has set limits for its use, the user can continue to the owner-controlled application procedure. A list of the available linguistic research resources will be displayed to the user, in which (s)he may select one or several. If the user cannot be authenticated with Shibboleth, (s)he can make a contract to access the linguistic services.
 

Automatic access to resources

Changed:
<
<
Automatic access means here attribute based access to a chosen resource. After successful authentication at user's home organization, the resource decides on granting or denying the user access. In the background, the home organization provided minimal user attributes to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, [s]he may access this resource immediately.
>
>
Automatic access means here an attribute-based access to a chosen resource. After successful authentication at the user's home organization, the resource decides on granting or denying access for the user. In the background, the home organization has provided minimal user attributes to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, (s)he may access this resource immediately.
  For example, a researcher from University A can directly access the resource, provided that the resource is accessible to researchers from University A. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.

The automatic access procedure can have the following Shibboleth attributes (example):

Changed:
<
<
  • User Pekka is a researcher in the Huippu university.
  • He wants to access ResourceZ.
  • Pekka belongs to group huippu.
  • His user attribute is of format HTTP_!SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
  • The owner of the resourceZ has authorized group huippu to access resourceZ.
  • Pekka is granted access to resourceZ.
>
>
  • User Pekka is a researcher in the Huippu university.
  • He wants access to =ResourceZ=.
  • Pekka belongs to the group huippu.
  • His user attributes follow the format HTTP_!SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
  • The owner of ResourceZ has authorized the group huippu to access ResourceZ.
  • Pekka is granted access to ResourceZ.
 
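Review bot: the new bullets still carry wiki markup residue: "=ResourceZ=" in the second bullet and "HTTP_!SHIB_EP_PRINCIPALNAME" in the fourth, where the attribute name differs from "HTTP_SHIB_EP_PRINCIPALNAME" a few words later. Render both as plain "ResourceZ" and "HTTP_SHIB_EP_PRINCIPALNAME" so the attribute name is spelled consistently.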
Changed:
<
<
User information will not have to be saved in the database nor will the user need a CSC user account. For monitoring, usage statistics may be generated.
>
>
User information will not need to be saved in the database nor will the user need a CSC user account. For monitoring, usage statistics may be generated.
 
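Added example (not code from the Language Bank, CSC or the Shibboleth project) of the attribute-based decision described in the ResourceZ example above: the protected application reads HTTP_SHIB_EP_PRINCIPALNAME as the SP exposes it, derives the group from the user@scope form of eduPersonPrincipalName (the mandatory attribute listed earlier), checks it against the resource owner's authorisations, and produces a monitoring record that holds no personal data. The schacHomeOrganization header name, the group and ACL tables and the sample environments are assumptions constructed for this example.

```python
"""Attribute-based ("automatic") access decision for a Shibboleth-protected resource.

Added example; not code from the Language Bank of Finland, CSC or the Shibboleth
project. The SP (Apache module) exposes the attributes released by the user's
home-organisation IdP to the protected application as HTTP_SHIB_* environment
variables. The application derives the group from the scope of
eduPersonPrincipalName and checks it against the authorisations the resource
owner has given. Apart from HTTP_SHIB_EP_PRINCIPALNAME, the group 'huippu',
the user pekka@huippu.fi and ResourceZ, every name below is constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# funetEduPerson: eduPersonPrincipalName has the form user@scope, where scope is a
# local security domain such as huippu.fi. Anything else is rejected up front.
_EPPN_RE = re.compile(
    r"^(?P<user>[A-Za-z0-9._%+-]+)@(?P<scope>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$"
)

# Placeholder header for schacHomeOrganization: the SP's attribute map decides the
# real name, so this one is an assumption of the example.
HOME_ORG_HEADER = "HTTP_SHIB_HOME_ORGANIZATION"

# Constructed: home-organisation domain (the eppn scope) -> Language Bank group.
SCOPE_TO_GROUP: Dict[str, str] = {"huippu.fi": "huippu", "toinen.fi": "toinen"}

# Constructed: the groups each resource owner has authorised to use the resource.
RESOURCE_ACL: Dict[str, set] = {"ResourceZ": {"huippu"}, "ResourceY": {"huippu", "toinen"}}


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str
    group: Optional[str] = None


def parse_eppn(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Split eduPersonPrincipalName into (user, scope); None when malformed."""
    match = _EPPN_RE.match(value or "")
    if match is None:
        return None
    return match.group("user"), match.group("scope").lower()


def decide(environ: Dict[str, str], resource: str) -> Decision:
    """Grant or deny `resource` from the attributes the SP placed in `environ`."""
    if resource not in RESOURCE_ACL:
        return Decision(False, "unknown resource %s" % resource)

    parsed = parse_eppn(environ.get("HTTP_SHIB_EP_PRINCIPALNAME"))
    if parsed is None:
        return Decision(False, "missing or malformed eduPersonPrincipalName")
    _user, scope = parsed

    # Consistency check chosen for this example: when schacHomeOrganization is
    # released as well, it must name the same domain as the principal name's scope.
    home_org = environ.get(HOME_ORG_HEADER, "").lower()
    if home_org and home_org != scope:
        return Decision(False, "scope %s does not match home organisation %s" % (scope, home_org))

    group = SCOPE_TO_GROUP.get(scope)
    if group is None:
        return Decision(False, "scope %s is not mapped to any group" % scope)
    if group not in RESOURCE_ACL[resource]:
        return Decision(False, "group %s is not authorised for %s" % (group, resource), group)
    return Decision(True, "group %s is authorised for %s" % (group, resource), group)


def usage_record(environ: Dict[str, str], resource: str, decision: Decision) -> Dict[str, object]:
    """Monitoring record for usage statistics: scope and group only, never the user
    name, so nothing personal has to be stored in the database."""
    parsed = parse_eppn(environ.get("HTTP_SHIB_EP_PRINCIPALNAME"))
    return {
        "resource": resource,
        "scope": parsed[1] if parsed else None,
        "group": decision.group,
        "granted": decision.granted,
    }


# Constructed sample environments, as the SP would hand them to the application.
PEKKA = {"HTTP_SHIB_EP_PRINCIPALNAME": "pekka@huippu.fi", HOME_ORG_HEADER: "huippu.fi"}
MAIJA = {"HTTP_SHIB_EP_PRINCIPALNAME": "maija@toinen.fi"}
# Inconsistent attribute release: scope and home organisation disagree.
MISMATCH = {"HTTP_SHIB_EP_PRINCIPALNAME": "x@huippu.fi", HOME_ORG_HEADER: "toinen.fi"}

if __name__ == "__main__":
    for name, env in (("pekka", PEKKA), ("maija", MAIJA), ("mismatch", MISMATCH)):
        d = decide(env, "ResourceZ")
        print(name, "ResourceZ", "granted" if d.granted else "denied", "-", d.reason)
        print("  stats:", usage_record(env, "ResourceZ", d))
```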
Changed:
<
<
Once a user is authenticated he can access any other Shibboleth-enabled resources without entering his login name and password again, providing that [s]he is authorized to access these resources. It is only necessary to log in again if the user closes his web browser or if no Shibboleth resource is accessed for some time.
>
>
Once a user is authenticated, he can access any other Shibboleth-enabled resources without entering his login name and password again, providing that (s)he is authorized to access these resources. It is only necessary to log in again if the user exits his web browser or if no Shibboleth resource is accessed for some time.
  Figure: User process for linguistics with Shibboleth authentication and automatic access to resources
Changed:
<
<

Owner controlled access to resources

>
>

Owner-controlled access to resources

  If the owner of the resource (e.g. corpus owner) has set limits to the use of the resource, the user may have to apply for authorization to access the resource. Also in this case, Shibboleth will be used to authenticate users.
Changed:
<
<
The owner controlled application procedure for a new user could be the following:

  1. The user first selects one or several resources from a listing of available linguistic research resources. Resources have limitations defined by the owner. After the user connects to a resource to access it, [s]he will be redirected to his home organization to be authenticated. If the user is already authenticated, [s]he does not have to reauthenticate.
  2. After successful authentication, an electronic application form will open for applying authorization to access the resource(s). In the background, user's home organization provided a set of attributes about him for the application form to prefill the form.
  3. Now the user will complete the application form to describe his needs. The purpose for which the resources are applied is a ground for authorization. After the user has completed the application form, [s]he will select Send.
>
>
The owner-controlled application procedure for a new user could be the following:
 
Changed:
<
<
After the application is sent, it will be forwarded to the referee's authorization (see below). Some applications may skip the referee process. The owner of the resource will finally decide on granting or denying access to the resource. If both the administrator and the owner accept the application, the user will receive the access with required permissions.
>
>
  1. The user first selects one or several resources from a list of available linguistic research resources. The resources have limitations defined by their owners. After the user connects to a resource in order to gain access to it, (s)he will be redirected to his home organization to be authenticated. If the user is already authenticated, (s)he does not have to reauthenticate.
  2. After successful authentication, an electronic application form will open for applying authorization to access the resource(s). In the background, the user's home organization has provided a set of attributes about him/her for the application form to prefill the form.
  3. Now the user will complete the application form to describe his needs. The purpose for which the resources are applied serves as the basis for the authorization. After the user has completed the application form, (s)he will select Send.
 
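Review bot: in step 2 of the new list, "for applying authorization to access the resource(s)" should be "for applying for authorization to access the resource(s)"; steps 2 and 3 also switch between "him/her" and "his" for the same user, so pick one form.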
Changed:
<
<
Application data will need to be saved in order to forward it to referees and owners. For this purpose, saving the application data in the database is the best solution. Opening a normal CSC user account would offer tools for monitoring??.
>
>
After the application is sent, it is forwarded to the referee's authorization (see below). Some applications may skip the referee process. The owner of the resource will finally decide on granting or denying access to the resource. If both the administrator and the owner accept the application, the user will receive the access with the required permissions.
 
Added:
>
>
The application data will need to be saved in order to forward it to referees and owners. For this purpose, saving the application data in the database is the best solution. Opening up a normal CSC user account would offer tools for monitoring.
 

Referee's authorization

Changed:
<
<
CHECK??An applying user becomes trusted by being approved by a referee. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. The referee can also identify the user, if [s]he is not authenticated.
>
>
An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect. The referee can also identify the user, if (s)he is not authenticated.
  Referee's authorization procedure for a new user could be the following:
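Review bot: the new paragraph states "The referee can also identify the user" twice, as its second sentence and again as its last sentence ("... if (s)he is not authenticated"); keep only the final, more specific version.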
Changed:
<
<
  1. The user is forwarded to a page containing a list of referees ordered by country: Does any referee know the user? A part of the applications may skip the referee procedure.
  2. If the user expects that one or two referees know him/her, [s]he selects that referee. The application will be sent by email to up to two referees with recommend and deny links.
  3. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted.
>
>
  1. The user is forwarded to a page containing a list of referees ordered by country: Does any referee know the user? Some applications may skip the referee procedure.
  2. If the user expects that one or two referees know him/her, (s)he selects that/those referee(s). The application will be sent by email to up to two referees with links for recommending and denying.
  3. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted.
 
    • If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator.
Changed:
<
<
    • If the referee clicks the deny link, a rejection message will be sent to the user.
>
>
    • If the referee selects the deny link, a rejection message will be sent to the the administrator. Despite being rejected by the referee, the administrator still retains the option to accept the application, providing the owner agrees.
  The same application form can also be used to collect new referee information. The form should contain a check-box for the referee candidate to express his/her willingness to function as a referee.
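Review bot: "sent to the the administrator" doubles "the". The new sentence also changes the recipient of the rejection message from the user to the administrator; if the user is no longer told of a referee's rejection, the procedure should say who informs the user of the outcome.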
Line: 164 to 155
 

Contract customers' procedure

Changed:
<
<
If the user cannot be authenticated with Shibboleth, [s]he can make a contract to use linguistic services (for example users from research institutes or companies).
>
>
If the user cannot be authenticated with Shibboleth, (s)he can make a contract to use linguistic services (for example users from research institutes or companies).
 # The applicant fills the electronic application form (non-secured, open to everyone). # Open applications require an e-mail address verification when submitted.

Conclusion

Changed:
<
<
The cost/usefulness diagram below compares available AAI technologies: Certificates, EduGain, Saml2/Shibboleth and Referees.
>
>
The cost/usefulness diagram below compares available AAI technologies: Certificates, eduGain, Saml2/Shibboleth and Referees.
  techcostusefullness.png Figure: Technology cost/usefulness diagram (Pekka Järveläinen, CSC)
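Review bot: "eduGain" and "Saml2/Shibboleth" in the new sentence are written "eduGAIN" and "SAML2/Shibboleth" everywhere else on the page; align the names.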
Changed:
<
<
The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential users available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
>
>
The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential users available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information cannot be expected. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
 
Changed:
<
<
Referees process usefulness depends on the proportion of applications it scopes, majority of users must be know by referee to ensure usefulness. Well organized referees group will be very useful and technical requirements are quite low, only some web forms and data in database.
>
>
The referee process's usefulness depends on the proportion of applications it scopes, the majority of users must be known by the referees to ensure usefulness. A well-organized referees group will be very useful and the technical requirements are quite low, consisting of only some web forms and data in databases.
  Personal certificates will not be used.
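Review bot: the first new sentence is a comma splice and "applications it scopes" is unclear; split it, e.g. "The usefulness of the referee process depends on the proportion of applications it covers: the majority of users must be known to a referee for it to be useful."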

Revision 63 (2008-09-04) - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 6 to 6
 

The Language Bank of Finland

Changed:
<
<
User applications to the Language Bank of Finland are delivered via an web-based application form. Upon submission, the form sends the application to the Language Bank administrator by email.
>
>
User applications to the Language Bank of Finland are delivered via a web-based application form. Upon submission, the form sends the application to the Language Bank administrator by email.
  Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only for a single text within the language. The application form also sends an email copy of the application to the owner (or contact person) of the corpus the user has expressed interest in.
Changed:
<
<
If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the user to the group granting the required permissions. If the application is rejected, the administrator informs the user personally. As the number of corpora grows, the application form may have to be split into two or more parts.
>
>
If both the administrator and the corpus owner accept the application, the administrator requests the CSC user manager to add the user to the group granting the required permissions. If the application is rejected, the administrator informs the user personally. As the number of corpora grows, the application form may have to be split into two or more parts.
 
Changed:
<
<

CSC user account management

>
>

CSC user account management

  After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
Line: 185 to 184
 
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220532126" name="linguistics_user_automatic_process_draft.png" path="linguistics_user_automatic_process_draft.png" size="39363" user="Main.SatuTorikka" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
Changed:
<
<
META FILEATTACHMENT attachment="linguistics_user_controlled_process_draft.png" attr="" comment="" date="1220533210" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="130891" stream="linguistics_user_controlled_process_draft.png" user="Main.SatuTorikka" version="5"
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220533210" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="130891" user="Main.SatuTorikka" version="5"
 
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219758845" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" user="Main.SatuTorikka" version="6"

Revision 62 (2008-09-04) - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 146 to 146
  Application data will need to be saved in order to forward it to referees and owners. For this purpose, saving the application data in the database is the best solution. Opening a normal CSC user account would offer tools for monitoring??.
Deleted:
<
<
Figure: User process for linguistics with Shibboleth authentication, electronic application and referees
 

Referee's authorization

Line: 162 to 161
  The same application form can also be used to collect new referee information. The form should contain a check-box for the referee candidate to express his/her willingness to function as a referee.
Added:
>
>
Figure: User process for linguistics with Shibboleth authentication, electronic applications and referees
 

Contract customers' procedure

If the user cannot be authenticated with Shibboleth, [s]he can make a contract to use linguistic services (for example users from research institutes or companies).

Line: 182 to 183
  Personal certificates will not be used.
Changed:
<
<
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220525633" name="linguistics_user_automatic_process_draft.png" path="linguistics_user_automatic_process_draft.png" size="50671" user="Main.SatuTorikka" version="1"
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220532126" name="linguistics_user_automatic_process_draft.png" path="linguistics_user_automatic_process_draft.png" size="39363" user="Main.SatuTorikka" version="2"
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
Changed:
<
<
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220525579" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="123084" user="Main.SatuTorikka" version="1"
>
>
META FILEATTACHMENT attachment="linguistics_user_controlled_process_draft.png" attr="" comment="" date="1220533210" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="130891" stream="linguistics_user_controlled_process_draft.png" user="Main.SatuTorikka" version="5"
 
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219758845" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" user="Main.SatuTorikka" version="6"

Revision 61 (2008-09-04) - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 130 to 130
  Once a user is authenticated he can access any other Shibboleth-enabled resources without entering his login name and password again, providing that [s]he is authorized to access these resources. It is only necessary to log in again if the user closes his web browser or if no Shibboleth resource is accessed for some time.
Added:
>
>
Figure: User process for linguistics with Shibboleth authentication and automatic access to resources
 

Owner controlled access to resources

If the owner of the resource (e.g. corpus owner) has set limits to the use of the resource, the user may have to apply for authorization to access the resource. Also in this case, Shibboleth will be used to authenticate users.

Line: 144 to 146
  Application data will need to be saved in order to forward it to referees and owners. For this purpose, saving the application data in the database is the best solution. Opening a normal CSC user account would offer tools for monitoring??.
Changed:
<
<
Figure: User process for linguistics with Shibboleth authentication, electronic applications, and referees
>
>
Figure: User process for linguistics with Shibboleth authentication, electronic application and referees
 

Referee's authorization

Line: 180 to 182
  Personal certificates will not be used.
Added:
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220525633" name="linguistics_user_automatic_process_draft.png" path="linguistics_user_automatic_process_draft.png" size="50671" user="Main.SatuTorikka" version="1"
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
Added:
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="" date="1220525579" name="linguistics_user_controlled_process_draft.png" path="linguistics_user_controlled_process_draft.png" size="123084" user="Main.SatuTorikka" version="1"
 
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219758845" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" user="Main.SatuTorikka" version="6"

Revision 60 (2008-09-04) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 73 to 73
  For a series of technical explanations of how Shibboleth works, from easy to expert, refer to SWITCH Demo.
Changed:
<
<
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service.
>
>
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service. The funetEduPerson schema is compatible with SCHAC schema.
  The mandatory attributes are:
  • cn, commonName, displayName + sn

Revision 59 (2008-09-03) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 178 to 178
 Referees process usefulness depends on the proportion of applications it scopes, majority of users must be know by referee to ensure usefulness. Well organized referees group will be very useful and technical requirements are quite low, only some web forms and data in database.
Changed:
<
<
Personal certificates will not be used, except if their will be required by clarin federation.
>
>
Personal certificates will not be used.
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"

Revision 58 (2008-09-02) - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 17 to 17
  After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
Changed:
<
<
Users access linguistic resources via CSC's web interface, the Scientist's interface, or by logging on to a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Technically, each resource corresponds to a UNIX group. The user may view and edit his personal information section via the Scientist's interface.
>
>
Users access linguistic resources via CSC's web interface, the Scientist's interface, or by logging on to a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Technically, each resource corresponds to a UNIX group. The user may view and edit his personal information section via the Scientist's interface.
 

Challenges

Line: 108 to 107
 

Data access model

Changed:
<
<
Shibboleth will be used to authenticate users of the Language Bank of Finland. Resources represent sets of corpora or other permissions the access to which are granted with a single authentication. After the user connects to a desired resource, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
>
>
Shibboleth will be used to authenticate users of the Language Bank of Finland. Access to resources will be granted with a single authentication after providing username and password. Resources represent sets of corpora, linguistic programs or other permissions.
 
Changed:
<
<
A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources.
>
>
After the user connects to a desired resource, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource. If the owner of the resource has set limits on its use, the user can continue to the owner controlled application procedure. A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources. If the user cannot be authenticated with Shibboleth, [s]he can make a contract to use linguistic services.
 

Automatic access to resources

Changed:
<
<
Automatic access means here attribute based access to a chosen resource. After successful authentication at home organization, the resource decides on granting or denying the user access. In the background, the home organization provided minimal user details to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, [s]he may access this resource immediately. For example, a researcher from University A can directly access the resource, provided that the resource is accessible to researchers from University A. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.
>
>
Automatic access means here attribute based access to a chosen resource. After successful authentication at the user's home organization, the resource decides on granting or denying the user access. In the background, the home organization provided minimal user attributes to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, [s]he may access this resource immediately.

For example, a researcher from University A can directly access the resource, provided that the resource is accessible to researchers from University A. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.

  The automatic access procedure can have the following Shibboleth attributes (example):
Line: 125 to 126
 
  • The owner of the resourceZ has authorized group huippu to access resourceZ.
  • Pekka is granted access to resourceZ.
Added:
>
>
User information will not have to be saved in the database nor will the user need a CSC user account. For monitoring, usage statistics may be generated.
 Once a user is authenticated he can access any other Shibboleth-enabled resources without entering his login name and password again, providing that [s]he is authorized to access these resources. It is only necessary to log in again if the user closes his web browser or if no Shibboleth resource is accessed for some time.
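The attribute based decision described above for Pekka and ResourceZ, with the fall-through to the owner controlled application procedure and the referee/owner/administrator outcome of that procedure, as an added example that is not part of the white paper or of any CSC or Language Bank code. It assumes the Shibboleth SP (Apache module) has already authenticated the user and exported HTTP_SHIB_EP_PRINCIPALNAME into the request environment; the group membership table, the second user, and the Resource and Decision types are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import FrozenSet, Mapping, Optional

# eduPersonPrincipalName is a scoped value "user@securitydomain"; anything
# else is treated as not authenticated rather than guessed at.
EPPN_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


@dataclass(frozen=True)
class Resource:
    """A resource (set of corpora or programs) as its owner has configured it."""
    name: str
    authorized_groups: FrozenSet[str]   # groups the owner allows automatically
    owner_controlled: bool              # True: other users may apply for access


@dataclass(frozen=True)
class Decision:
    outcome: str                        # "grant", "apply", "deny" or "unauthenticated"
    principal: Optional[str]
    reason: str


def principal_from_environ(environ: Mapping[str, str]) -> Optional[str]:
    """Return the validated eppn the SP exported, or None.

    The value is trusted only because the Shibboleth SP module sets it on
    every request it has authenticated; the application must never read it
    from a request that did not pass through the SP.
    """
    value = environ.get("HTTP_SHIB_EP_PRINCIPALNAME", "").strip()
    return value if EPPN_RE.match(value) else None


def decide_access(environ: Mapping[str, str], resource: Resource,
                  group_membership: Mapping[str, FrozenSet[str]]) -> Decision:
    """Automatic, attribute based access decision for one resource.

    group_membership maps eppn -> groups. Here it is a constructed table; in a
    deployment it would come from a released group attribute or the database.
    """
    eppn = principal_from_environ(environ)
    if eppn is None:
        return Decision("unauthenticated", None, "no valid eppn released by SP")
    matched = group_membership.get(eppn, frozenset()) & resource.authorized_groups
    if matched:
        return Decision("grant", eppn, f"member of authorized group {sorted(matched)[0]}")
    if resource.owner_controlled:
        return Decision("apply", eppn, "owner has set limits; continue to application procedure")
    return Decision("deny", eppn, "no authorized group and no application procedure")


def application_outcome(referee: Optional[str], owner: str, admin: str) -> str:
    """Owner controlled procedure after the form is sent.

    referee is None when the user knows no referee (the application goes
    straight to the owner and the administrator), otherwise "recommend" or
    "deny". Access is granted only when both owner and administrator accept.
    """
    if referee == "deny":
        return "rejected"                   # rejection message goes to the user
    if referee not in (None, "recommend"):
        raise ValueError(f"unknown referee decision {referee!r}")
    if owner == "accept" and admin == "accept":
        return "granted"
    return "rejected"


# Constructed sample data mirroring the paper's example; "maija@example.org"
# is an invented second user from an organization without automatic access.
RESOURCE_Z = Resource("ResourceZ", frozenset({"huippu"}), owner_controlled=True)
GROUP_MEMBERSHIP = {"pekka@huippu.fi": frozenset({"huippu"})}
ENVIRON_PEKKA = {"HTTP_SHIB_EP_PRINCIPALNAME": "pekka@huippu.fi"}
ENVIRON_OTHER = {"HTTP_SHIB_EP_PRINCIPALNAME": "maija@example.org"}
ENVIRON_ANON: dict = {}                                  # SP released nothing


if __name__ == "__main__":
    for env in (ENVIRON_PEKKA, ENVIRON_OTHER, ENVIRON_ANON):
        d = decide_access(env, RESOURCE_Z, GROUP_MEMBERSHIP)
        print(f"{str(d.principal):20} {d.outcome:16} {d.reason}")
    print("application without referee:", application_outcome(None, "accept", "accept"))
```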

Owner controlled access to resources

If the owner of the resource (e.g. corpus owner) has set limits to the use of the resource, the user may have to apply for authorization to access the resource. Also in this case, Shibboleth will be used to authenticate users.

Changed:
<
<
The owner controlled procedure for a new user could be the following:
>
>
The owner controlled application procedure for a new user could be the following:
 
Changed:
<
<
  1. The user first opens a listing of available linguistic research resources, from which [s]he selects one or several resources with limitations defined by the owner. After the user connects to a resource to access it, [s]he will be redirected to be authenticated by his home organization. After successful authentication at his home organization, or if the user is already authenticated, [s]he will be redirected to the application procedure.
  2. The application form will now open to apply for authorization to access the resource(s). In the background, the home organization of the user provided a set of attributes about him to the application. Thus, the application form will open with pre-filled information.
>
>
  1. The user first selects one or several resources from a listing of available linguistic research resources. Resources have limitations defined by the owner. After the user connects to a resource to access it, [s]he will be redirected to his home organization to be authenticated. If the user is already authenticated, [s]he does not have to reauthenticate.
  2. After successful authentication, an electronic application form will open for applying for authorization to access the resource(s). In the background, the user's home organization provided a set of attributes about him, which are used to prefill the application form.
 
  3. Now the user will complete the application form to describe his needs. The purpose for which the resources are applied for is a ground for authorization. After the user has completed the application form, [s]he will select Send.
Changed:
<
<
After the application is sent, it will be forwarded to the referees for authorization (see below). Some applications may skip the referee process. The owner of the resource will finally decide on granting or denying access to the resource. If both the administrator and the owner accept the application, the user will receive the access with required permissions.
>
>
After the application is sent, it will be forwarded to the referee's authorization (see below). Some applications may skip the referee process. The owner of the resource will finally decide on granting or denying access to the resource. If both the administrator and the owner accept the application, the user will receive the access with required permissions.

Application data will need to be saved in order to forward it to referees and owners. For this purpose, saving the application data in the database is the best solution. Opening a normal CSC user account would offer tools for monitoring??.

Figure: User process for linguistics with Shibboleth authentication, electronic applications, and referees

 

Referee's authorization

Changed:
<
<
CHECK?? An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
>
>
CHECK?? An applying user becomes trusted by being approved by a referee. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. The referee can also identify the user, if [s]he is not authenticated.

Referee's authorization procedure for a new user could be the following:

  1. The user is forwarded to a page containing a list of referees ordered by country: Does any referee know the user? A part of the applications may skip the referee procedure.
Changed:
<
<
  1. If the user expects that one or two referees know him/her, the application will be sent by email to up to two referees with recommend and deny links.
    1. If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator (normal procedure).
    2. If the referee clicks the deny link, a rejection message will be sent to the user.
  2. If the referee recommends that the application be accepted, CSC will create a new user account with appropriate rights.
>
>
  1. If the user expects that one or two referees know him/her, [s]he selects that referee. The application will be sent by email to up to two referees with recommend and deny links.
  2. If the referee recommends that the application be accepted, the application will be forwarded to the owner and the Language Bank administrator to be accepted.
    • If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator.
    • If the referee clicks the deny link, a rejection message will be sent to the user.

The same application form can also be used to collect new referee information. The form should contain a check-box for the referee candidate to express his/her willingness to function as a referee.

 
Changed:
<
<
The same application forms can also be used to collect new referee information. The forms need to contain a check-box for the referee candidate to express his/her willingness to function as a referee.
>
>

Contract customers' procedure

 
Changed:
<
<
needed??
>
>
If the user cannot be authenticated with Shibboleth, [s]he can make a contract to use linguistic services (for example users from research institutes or companies).
  1. The applicant fills the electronic application form (non-secured, open to everyone).
  2. Open applications require an e-mail address verification when submitted.
Deleted:
<
<
Figure: User process for linguistics with Shibboleth authentication, electronic applications, and referees
 

Conclusion

The cost/usefulness diagram below compares available AAI technologies: Certificates, EduGain, Saml2/Shibboleth and Referees.

Revision 57 2008-09-02 - SatuTorikka


Line: 15 to 15
 

CSC user account management

Changed:
<
<
After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights.
>
>
After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights. User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare.
 
Changed:
<
<
User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare, and the UADM system. The user may view and edit his personal information section via the Scientist's interface.
>
>
Users access linguistic resources via CSC's web interface, the Scientist's interface, or by logging on to a UNIX server where the resources are located. Resources represent sets of corpora or linguistic programs. Technically, each resource corresponds to a UNIX group. The user may view and edit his personal information section via the Scientist's interface.
 

Challenges

Line: 64 to 64
SAML (Security Assertion Markup Language) is an OASIS XML-based standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for web single sign-on across or within organizational boundaries. Shibboleth version 2 is directly compatible with SAML2. A user authenticates with his or her organizational credentials. A single password is required for multiple applications. In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources.
Deleted:
<
<
For a series of technical explanations of how Shibboleth works, from easy to expert, refer to the SWITCH Federation site
  Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
Added:
>
>
In addition, Shibboleth contains the WAYF server component. After connecting to a resource to access it, the user will be redirected to the WAYF (Where Are You From) server to be authenticated at the user's home organization. The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to reauthenticate. An example: HAKA WAYF server page.

For a series of technical explanations of how Shibboleth works, from easy to expert, refer to SWITCH Demo.

 Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service.

The mandatory attributes are:

Line: 81 to 85
  The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.
Changed:
<
<
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services. A similar higher education federation in the USA is InCommon, which has an annual fee of $1000. Although the software encourages federation, bilateral agreements are of course possible.
>
>
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. HAKA uses SAML2/Shibboleth technology. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services. A similar higher education federation in the USA is InCommon, which has an annual fee of $1000. Although the software encourages federation, bilateral agreements are of course possible.
 
Changed:
<
<
Kalmar Union is a project connecting Nordic countries' academic communities to establish a Nordic cross-federation.
>
>
Kalmar Union is a SAML2 project that will connect Nordic countries' academic communities to establish a Nordic cross-federation. Haka will most probably join the Kalmar Union in spring 2009 when the Kalmar Union is scheduled to be in operation.

CSC could easily integrate the Haka authentication in the electronic application form, where the application form would serve as Service Provider.

 
Deleted:
<
<
CSC could easily integrate the Haka authentication in the electronic application form, where the application form would serve as Service Provider. Haka will most probably join the Kalmar Union in spring 2009.
 

eduGAIN

Line: 103 to 108
 

Data access model

Changed:
<
<
Shibboleth will be used to authenticate users of the Language Bank of Finland and the CLARIN federation. Resources represent sets of corpora or other permissions the access to which are granted with a single authentication. After the user connects to a desired resource, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
>
>
Shibboleth will be used to authenticate users of the Language Bank of Finland. Resources represent sets of corpora or other permissions the access to which are granted with a single authentication. After the user connects to a desired resource, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
 
Changed:
<
<
A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources. After the user connects to a resource, e.g. a corpus, to access it, [s]he will be redirected to the WAYF (Where Are You From) server to be authenticated at his home organization. The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to reauthenticate. An example: HAKA WAYF server page.
>
>
A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources.
 

Automatic access to resources

Revision 56 2008-09-01 - SatuTorikka


Line: 9 to 9
User applications to the Language Bank of Finland are delivered via a web-based application form. Upon submission, the form sends the application to the Language Bank administrator by email.
Changed:
<
<
Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only for a single text within the language. The application form also sends an email copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.
>
>
Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only for a single text within the language. The application form also sends an email copy of the application to the owner (or contact person) of the corpus the user has expressed interest in.
 
Changed:
<
<
If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. If the application is rejected, the administrator informs the applicant personally. As the number of corpora grows, the application form may have to be split into two or more parts.
>
>
If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the user to the group granting the required permissions. If the application is rejected, the administrator informs the user personally. As the number of corpora grows, the application form may have to be split into two or more parts.
 

CSC user account management

Changed:
<
<
When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens for the new customer a new CSC user account with appropriate rights, and joins him/her to a new or an existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.

Data model for customer processes

Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.

A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):

  • Customer
    • Firstname Lastname
    • Email address
    • Address
    • Phone
    • is a member of Project (1... n)
    • has a Resource (1 ... n)
  • Project
    • Name
    • Description
    • has Customer as a member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
    • rights to use certain corpora, software or databases
    • user account on a server (e.g. corpus.csc.fi)
    • disk space on various servers
    • CPU quota
The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table already exists in CSC's customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.

Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which are granted with a single authentication with CSC user account. Technically, each resource corresponds to a UNIX group.

>
>
After the web-based application is approved, the user should sign and send a paper form. The paper form with signature is required to authenticate the user. After receiving the signed paper form, the CSC user manager opens for the new user a new CSC user account with appropriate rights.
 
Added:
>
>
User accounts are administered manually by CSC. User information will be stored in CSC's customer database Askare, and the UADM system. The user may view and edit his personal information section via the Scientist's interface.
 

Challenges

Changed:
<
<
As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. Nor is it possible for administrators to reliably assess the applicants and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other. The growing number of users with various needs puts pressure on automatisation of customer processes.
>
>
As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. Nor is it possible for administrators to reliably assess and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other.

The growing number of users with various needs puts pressure on automatisation of user processes. Automatisation of user processes can raise the quality of service to users, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. CSC has already made plans for new web-based application forms and electronic user processes. CSC has purchased the Sun Identity Manager (IdM) software for identity management.

 

AAI Technologies

Changed:
<
<
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) in which CSC is involved are presented: Certificates, Saml2/Shibboleth and EduGain. You can find detailed information about various AAI technologies in Report on comparison and assessment of eID management solutions interoperability.
>
>
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) in which CSC is involved are presented: Certificates, Saml2/Shibboleth and EduGain. You can find detailed information about various AAI technologies in Report on comparison and assessment of eID management solutions interoperability.
 

Certificates

Line: 78 to 53
  The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
Changed:
<
<
Also TERENA has a repository which contains verified root-CA certificates, called TACAR (TERENA Academic CA Repository). Note that there are no Finnish operators, nor NorduGrid, which is used for Nordic grid operations. It is NOT possible to get
>
>
Also TERENA has a repository which contains verified root-CA certificates, called TACAR (TERENA Academic CA Repository). Note that there are no Finnish operators, nor NorduGrid, which is used for Nordic grid operations. It is NOT possible to get
TACAR-accepted certificates in Finland. TACAR is a list of certificates NOT known to browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and the cost is much lower than setting up their own Public Key Infrastructure.
Line: 91 to 66
 In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. For a series of technical explanations of how Shibboleth works, from easy to expert, refer to the SWITCH Federation site
Changed:
<
<
Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
>
>
Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
  Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service.
Line: 122 to 97
  eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready. It's planned to start in April 2009.
Added:
>
>

Referees

CHECK?? An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.

 

Data access model

Changed:
<
<
Shibboleth will be used to authenticate users of the Language Bank of Finland and the CLARIN federation. After the user connects to a desired resource, e.g. a corpus, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
>
>
Shibboleth will be used to authenticate users of the Language Bank of Finland and the CLARIN federation. Resources represent sets of corpora or other permissions the access to which are granted with a single authentication. After the user connects to a desired resource, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
  A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources. After the user connects to a resource, e.g. a corpus, to access it, [s]he will be redirected to the WAYF (Where Are You From) server to be authenticated at his home organization. The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to reauthenticate. An example:
Changed:
<
<
HAKA WAYF server page.
>
>
HAKA WAYF server page.
 
Changed:
<
<

Automatic access to resources

>
>

Automatic access to resources

 
Changed:
<
<
Automatic access means here attribute based access to a chosen resource. After successful authentication at home organization, the resource decides on granting or denying the user access. In the background, the home organization provided minimal user details to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, [s]he may access this resource immediately. For example, a researcher from University A can directly access the resource, provided that the resource is accessible to researchers from University A. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.
>
>
Automatic access means here attribute based access to a chosen resource. After successful authentication at home organization, the resource decides on granting or denying the user access. In the background, the home organization provided minimal user details to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, [s]he may access this resource immediately. For example, a researcher from University A can directly access the resource, provided that the resource is accessible to researchers from University A. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.
  The automatic access procedure can have the following Shibboleth attributes (example):
Changed:
<
<
  • User Pekka is a researcher in the Huippu university.
  • He wants to access ResourceZ.
>
>
  • User Pekka is a researcher in the Huippu university.
  • He wants to access ResourceZ.
 
  • Pekka belongs to group huippu.
Changed:
<
<
  • His user attribute is of format HTTP_!SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
  • The owner of the resourceZ has authorized group huippu to access resourceZ.
  • Pekka is granted access to resourceZ.
>
>
  • His user attribute is of format HTTP_!SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
  • The owner of the resourceZ has authorized group huippu to access resourceZ.
  • Pekka is granted access to resourceZ.
  Once a user is authenticated he can access any other Shibboleth-enabled resources without entering his login name and password again, providing that [s]he is authorized to access these resources. It is only necessary to log in again if the user closes his web browser or if no Shibboleth resource is accessed for some time.
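Review bot: The first bullet of this change still carries HTTP_!SHIB_EP_PRINCIPALNAME on both sides, while the example value on the same line is HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi; the '!' looks like a TWiki no-autolink escape leaking into the rendered text, so drop it and spell the attribute once as HTTP_SHIB_EP_PRINCIPALNAME. The example also states 'Pekka belongs to group huippu' without saying which released attribute carries that membership (the principal name alone only identifies him), and the resource is spelled both ResourceZ and resourceZ; naming the group attribute and using one spelling would make the rule 'owner has authorized group huippu' checkable against what the home organization actually releases.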
Added:
>
>

Owner controlled access to resources

 
Changed:
<
<

Owner controlled access to resources

If the owner of the resource (e.g. a corpus owner) has set limits to the use of the resource, the user may have to apply for authorization to access the resource. Also in this case, Shibboleth will be used to authenticate users.

After successful authentication at his home organization,

the resource decides on granting or denying him access. In the background, the Home Organization provided minimal user details to the ??, which it requires for the access authorization decision and for delivering its service. Data protection is assured.

CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.

This means that automatic access is possible for resources, the use of which is allowed to whose use do not require individual decisions s the user details to the Resource, which it requires for the access authorization decision and for delivering its service. do not require that the owner or referees decide upon the use of the resource open have not set limits that do not require owner approved access control, access rights to use corpus can be given automatically.

>
>
If the owner of the resource (e.g. corpus owner) has set limits to the use of the resource, the user may have to apply for authorization to access the resource. Also in this case, Shibboleth will be used to authenticate users.
 
Changed:
<
<
A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):
>
>
The owner controlled procedure for a new user could be the following:
 
Changed:
<
<
  • Customer
    • Firstname Lastname
    • Email address
    • Address
    • Phone
    • is a member of Project (1... n)
    • has a Resource (1 ... n)
  • Project
    • Name
    • Description
    • has Customer as a member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
    • rights to use certain corpora, software or databases
    • user account on a server (e.g. corpus.csc.fi)
    • disk space on various servers
    • CPU quota
>
>
  1. The user first opens a listing of available linguistic research resources, from which the user[s]he selects one or several resources with limitations defined by the owner. After the user connects to a resource to access it, [s]he will be redirected to be authenticated by his home organization. After successful authentication at his home organization, or if the user is already authenticated, [s]he will be redirected to the application procedure.
  2. The application form will now open to apply for authorization to access the resource(s). In the background, the home organization of the user provided a set of attributes about him to the application. Thus, the application form will open with pre-filled information.
  3. Now the user will complete the application form to describe his needs. The purpose for which the resources are applied is a ground for authorization. After the user has completed the application form, [s]he will select Send.
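Review bot: Step 1 of the new procedure reads 'from which the user[s]he selects'; one subject only ('from which [s]he selects'). The same step repeats the redirect-to-home-organization flow already given in the WAYF paragraph above, so a back-reference would shorten it. This change also drops the Customer/Project/Resource data model from this section, including the statement that each resource corresponds to a UNIX group; if that model is not kept elsewhere on the page, the mapping the access decisions rely on goes undocumented.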
 
Changed:
<
<
The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table already exists in CSC's customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.
>
>
After the application is sent, it will be forwarded to the referees for authorization (see below). Some applications may skip the referee process. The owner of the resource will finally decide on granting or denying access to the resource. If both the administrator and the owner accept the application, the user will receive the access with required permissions.
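Review bot: The new paragraph first says 'The owner of the resource will finally decide' and then 'If both the administrator and the owner accept the application', so it is unclear whether the Language Bank administrator has a veto or only the owner decides; state the decision rule once (who must approve, and what happens if they disagree). 'the user will receive the access with required permissions' also leaves open whether this means a CSC account, a UNIX group membership or an attribute-based grant; say which.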
 
Changed:
<
<
Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which are granted with a single authentication with CSC user account. Technically, each resource corresponds to a UNIX group.
>
>

Referee's authorization

 
Changed:
<
<
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring.
>
>
CHECK??An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
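Review bot: The replacement paragraph starts with the editorial marker 'CHECK??', which should not ship in the page. Its text is identical to the paragraph under the Referees heading that the following change deletes, so this is a move rather than a rewrite; the open question in it is the last two sentences ('a referee losing status would affect the associated users as well. Loss of status due to natural reasons ... lacks this effect'), which only work if the referee is recorded with each application and someone actually re-evaluates those users when a referee is removed for cause. Naming who does that re-evaluation would close the CHECK.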
 
Changed:
<
<
The user wants to access a resource

Access to Resource Granted Basically, the Shibboleth login process is like any other login process. To access a protected resource, the user has to authenticate. However, in our case the user authenticates himself not at the resource itself but at his Home Organization. He does not need an additional account at each resource nor has he to provide his username and password to third parties, but only to his Home Organization. Session End

Referees

An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.

Model for practical implementation

This model is a practical implementation using electronic applications, AAI technologies and referees. The procedure for an applicant to become a new customer of the Language Bank of Finland could be as follows:

  1. The applicant fills one of the two electronic application forms: SAML2/Shibboleth-secured or open (non-secured, open to everyone).
  2. Open applications require an e-mail address verification when submitted.
  3. The applicant is forwarded to a page containing a list of referees ordered by country: Does any referee know the applicant? A part of the applications may skip the referee procedure.
  4. If the applicant expects that one or two referees know him/her, the application will be sent by email to up to two referees with recommend and deny links.
    1. If the applicant does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator (normal procedure).
    2. If the referee clicks the deny link, a rejection message will be sent to the applicant.
>
>
1 The user is forwarded to a page containing a list of referees ordered by country: Does any referee know the user? A part of the applications may skip the referee procedure.
  1. If the user expects that one or two referees know him/her, the application will be sent by email to up to two referees with recommend and deny links.
    1. If the user does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator (normal procedure).
    2. If the referee clicks the deny link, a rejection message will be sent to the user.
 
  1. If the referee recommends that the application be accepted, CSC will create a new user account with appropriate rights.
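Review bot: The new list numbering is broken: '1 The user is forwarded' lacks the list period and is followed by another item numbered 1, and the two sub-items under 'If the user expects that one or two referees know him/her' are alternatives to that step (the user knows no referee; the referee denies), not sub-steps of it. Suggest numbering the steps 1 to 4 and making the two cases a/b under a single 'Otherwise' step. In the deny case only the user is notified; the owner and the Language Bank administrator, who decide on applications that skip the referee, are not told that a referee denied, so consider notifying them as well.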
Deleted:
<
<
Figure: Customer process model using electronic applications, AAI technologies and referees
 The same application forms can also be used to collect new referee information. The forms need to contain a check-box for the referee candidate to express his/her willingness to function as a referee.
Added:
>
>
needed?? # The applicant fills the electronic application form (non-secured, open to everyone). # Open applications require an e-mail address verification when submitted.

Figure: User process for linguistics with Shibboleth authentication, electronic applications, and referees
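Review bot: The added line 'needed?? # The applicant fills the electronic application form (non-secured, open to everyone). # Open applications require an e-mail address verification when submitted.' is an unresolved editorial note: 'needed??' should be decided and removed, the two '#' list markers should become separate numbered items (or the sentences be merged into the procedure above), and 'applicant' should follow the rename to 'user' made elsewhere in this revision. The e-mail verification requirement for the non-Shibboleth form is worth keeping, since it is the only identity check that path has.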

 

Conclusion

Changed:
<
<
The cost/usefulness diagram below compares available AAI technologies: Certificates, EduGain, Saml2/Shibboleth and Referees.
>
>
The cost/usefulness diagram below compares available AAI technologies: Certificates, EduGain, Saml2/Shibboleth and Referees.
  techcostusefullness.png
Deleted:
<
<

 Figure: Technology cost/usefulness diagram (Pekka Järveläinen, CSC)
Changed:
<
<
The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
>
>
The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential users available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
 
Changed:
<
<
Referees process usefulness depends on the proportion of applications it scopes, majority of applicants must be know by referee to ensure usefulness. Well organized referees group will be very useful and technical requirements are quite low, only some web forms
>
>
Referees process usefulness depends on the proportion of applications it scopes, majority of users must be know by referee to ensure usefulness. Well organized referees group will be very useful and technical requirements are quite low, only some web forms
 and data in database.

Personal certificates will not be used, except if their will be required by clarin federation.
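Review bot: 'majority of users must be know by referee' should read 'the majority of users must be known by a referee', and the sentence runs on without a full stop into the unchanged continuation 'and data in database.' ('... only some web forms and data in a database.'). The usefulness claim depends on the referee pool covering most applicants; stating how that coverage is checked (the referee lists kept in Askare) would support it.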

Revision 55 2008-09-01 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 58 to 58
  Certificates can be used to identify a person or a server. A personal certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data. Server certificates are widely used to identify servers e.g Shibboleth or any SSL/TLS (HTTPS) servers.
Deleted:
<
<
There are widely used server certificates identifying Shibboleth or any SSL/TLS (HTTPS) servers.
 The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are widely used in Estonia only.
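Review bot: The merged sentence kept above has 'Certificates contains' (should be 'contain') and 'e.g Shibboleth' (missing period); 'rfc3280' in the unchanged next line is normally written RFC 3280. Minor, but this is the Certificates section of a document about choosing an AAI technology, so the terminology should be clean.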

Revision 54 2008-09-01 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 96 to 96
 Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
Changed:
<
<
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.
>
>
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and test service.
  The mandatory attributes are:
  • cn, commonName, displayName + sn
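Review bot: After removing 'new one', the sentence still ends '... according to the funetEduPerson schema and test service', which dangles without the link text it once had; either name the test service or drop the clause. The attribute list that follows bundles 'cn, commonName, displayName + sn' into one item; listing each mandatory attribute on its own line would make the schema requirement checkable against what an IdP releases.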
Line: 231 to 231
 Referees process usefulness depends on the proportion of applications it scopes, majority of applicants must be know by referee to ensure usefulness. Well organized referees group will be very useful and technical requirements are quite low, only some web forms and data in database.

Added:
>
>
Personal certificates will not be used, except if their will be required by clarin federation.
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
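Review bot: The added sentence 'Personal certificates will not be used, except if their will be required by clarin federation.' should read 'except if they are required by the CLARIN federation'. Since it states a design decision conditional on an external requirement, cite which CLARIN requirement is meant so the decision can be revisited when that requirement is known.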

Revision 53 2008-08-29 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 126 to 126
 

Data access model

Changed:
<
<
Shibboleth will be used to authenticate users of the Language Bank of Finland and the CLARIN federation. After the user connects to a resource, e.g. a corpora, [s]he can access the resource automatically if s[he] belongs to a group that is allowed to access the named resource and the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
>
>
Shibboleth will be used to authenticate users of the Language Bank of Finland and the CLARIN federation. After the user connects to a desired resource, e.g. a corpus, [s]he can access the resource automatically if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.
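Review bot: The new sentence says access is automatic 'if [s]he belongs to a group that is allowed to access the named resource, provided that the resource is accessible to that group'; the two conditions are the same condition stated twice. Suggest: '... automatically if [s]he belongs to a group the resource owner has authorized for it.' The rest of the change (corpora to corpus, s[he] to [s]he) is fine.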
 
Changed:
<
<
After the user connects to a resource, e.g. a corpora, [s]he will be redirected to WAYF service to log on his home organization. If the user is already logged on his home organization, he does not have to relog.
>
>
A listing of available linguistic research resources will be displayed to the user, from which [s]he may select one or several resources. After the user connects to a resource, e.g. a corpus, to access it, [s]he will be redirected to the WAYF (Where Are You From) server to be authenticated at his home organization. The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his home organization and is redirected to its login page. If the user is already authenticated at his home organization, he does not have to reauthenticate. An example: HAKA WAYF server page.
 
Added:
>
>

Automatic access to resources

 
Changed:
<
<
Resource Request

Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.

Shibboleth will release the user information called attributes.

This page gives a very short and non-technical introduction about the general procedure of a Shibboleth login. Once you have read through this page, the medium demo will show you the same procedure more detailed while guiding you through the live Demo. Finally, if you still can bear some more technical details, read the expert demo. Overview

The setting: A user of 'University B' wants to access a Shibboleth protected e-learning resource 'Medical Training 1' hosted on www.resource.ex. Fig. 1 summarizes the various steps of the login procedure. Intro Overview

User connects to Resource and is redirected Resource Request

Figure 2: User accesses resource in his web browser

The user wants to access a resource hosted on www.resource.ex. Provided the user did recently access another Shibboleth protected resource, access to this resource may be granted immediately. Otherwise, the user has first to authenticate at his Home Organization 'University B'. Therefore, the user's web browser gets redirected to the WAYF ('Where Are You From') server. In this example it is on www.wayf.ex. Phase 2 - Home Organization Selection Where Are You From Service

Figure 3: User selects his Home Organization

The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his Home Organization 'University B' and is redirected to its login page at www.uni-b.ex. In case the Home Organization has been selected earlier and remembered in the web browser, this step might be skipped. Phase 3 - User Authentication at his Home Organization Authentication at HomeOrg

Figure 4: User authenticates himself at his Home Organization

The user sees the familiar login page of 'University B' and provides his login name and password. If login name and password match, the user is redirected back to the resource on www.resource.ex he initially requested. Phase 4 - Access to Resource Granted Access Granted

Figure 5: User is granted access to resource

After successful authentication at his Home Organization, the resource decides on granting or denying him access. In the background, the Home Organization provided minimal user details to the Resource, which it requires for the access authorization decision and for delivering its service. Data protection is assured. Summary - Shibboleth Login Procedure Full Demo

>
>
Automatic access means here attribute based access to a chosen resource. After successful authentication at home organization, the resource decides on granting or denying the user access. In the background, the home organization provided minimal user details to the resource, which it requires for the access authorization decision and for delivering its service. If the user is already authenticated, [s]he may access this resource immediately. For example, a researcher from University A can directly access the resource, provided that the resource is accessible to researchers from University A. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.
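Review bot: The new paragraph says 'the resource decides' and then names SAML2/Shibboleth only as 'an identity provider (IdP)'; per the Shibboleth description elsewhere on this page, the IdP authenticates and releases attributes while the service provider (SP) in front of the resource makes the access control decision, so say that the SP evaluates the released attributes. The deleted text was evidently pasted from an external Shibboleth login demo (example hosts www.resource.ex and www.uni-b.ex, 'University B', figure captions fused into sentences), so removing it is right.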
 
Changed:
<
<
Figure 6: Login procedure
>
>
The automatic access procedure can have the following Shibboleth attributes (example):
 
Changed:
<
<
Basically, the Shibboleth login process is like any other login process. To access a protected resource, the user has to authenticate. However, in our case the user authenticates himself not at the resource itself but at his Home Organization. He does not need an additional account at each resource nor has he to provide his username and password to third parties, but only to his Home Organization. Session End
>
>
  • User Pekka is a researcher in the Huippu university.
  • He wants to access ResourceZ.
  • Pekka belongs to group huippu.
  • His user attribute is of format HTTP_!SHIB_EP_PRINCIPALNAME, in this example HTTP_SHIB_EP_PRINCIPALNAME=pekka@huippu.fi.
  • The owner of the resourceZ has authorized group huippu to access resourceZ.
  • Pekka is granted access to resourceZ.
 
Changed:
<
<
Once a Shibboleth user is authenticated he can access any other Shibboleth-enabled resources without providing his login name and password again. This is only necessary if the user closes his web browser or if no Shibboleth resource is accessed for some time.
>
>
Once a user is authenticated he can access any other Shibboleth-enabled resources without entering his login name and password again, providing that [s]he is authorized to access these resources. It is only necessary to log in again if the user closes his web browser or if no Shibboleth resource is accessed for some time.
 
Deleted:
<
<

Automatic access to resources

 
Changed:
<
<
For corpora that do not require owner approved access control, access rights to use a corpus can be given automatically. Automatic access means here attribute based access. For example, a researcher from the University of Helsinki can access the corpus in question after authentication. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.
>
>

Owner controlled access to resources

 
Added:
>
>
If the owner of the resource (e.g. a corpus owner) has set limits to the use of the resource, the user may have to apply for authorization to access the resource. Also in this case, Shibboleth will be used to authenticate users.
 
Changed:
<
<
Miten hallita tiedostojen oikeuksia ja muita resursseja, kun käyttäjällä ei ole CSC:n käyttäjätunnusta? Keksin viime viikon lopulla vastauksen: tietokanta.

On todennäköistä että tulee luetellulle joukolle suunnattuja palveluita, joissa shibboleth attribuuttien AND ja OR operaatiot eivät riitä tai ainakin ovat vaikeasti hallittavissa. Koska tälläisiä palveluita on näkyvissä useita (clarin, Arin BoF 5.9), on tärkeää miettiä CSC:n laajuinen ratkaisu.

Ideani mukaan tietokannassa on kunkin resurssin kohdalla tieto, kuka/ketkä siihen pääsevät käsiksi. Pääsyoikeustieto voi olla eri muotoista: yksittäinen shibboleth attribuutti tyyliin HTTP_SHIB_EP_PRINCIPALNAME=pj@csc.fi, HTTP_SHIB_EP_PRINCIPALNAME kuuluu ryhmään rämä, jota ryhmää ylläpitävät geoluokkien opettajat tai kieliaineistojen omistajat CSC:n ulkopuolla, tai monimutkaisempia sääntöjä tyyyliin tiedoston ACL:n mukaan tai tähtitieteilijät 2009 toisen uuden kuun jälkeiseen maanantaihin saakka. Kiitos Seppolle tästä sääntö ideasta!

>
>
After successful authentication at his home organization,
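Review bot: The Finnish notes deleted here are the only place the page describes how owner-controlled access would be stored: a database entry per resource holding its access rule, which may be a single attribute match (e.g. HTTP_SHIB_EP_PRINCIPALNAME=pj@csc.fi), membership in a group maintained outside CSC by the resource owners, or a more complex rule such as a file ACL or a time-bounded grant. Their replacement is the fragment 'After successful authentication at his home organization,' continued only in the following added block; rejoin the sentence, and consider restating the rule model in English rather than dropping it, since the Owner controlled section otherwise never says how the owner's authorizations are represented.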
 
Added:
>
>
the resource decides on granting or denying him access. In the background, the Home Organization provided minimal user details to the ??, which it requires for the access authorization decision and for delivering its service. Data protection is assured.
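Review bot: 'provided minimal user details to the ??' has a placeholder where the deleted demo text had 'the Resource'; write 'to the resource (its service provider)'. This sentence is also the second half of the fragment 'After successful authentication at his home organization,' left by the previous change; joining the two blocks gives one complete sentence.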
 
Changed:
<
<

Owner controlled access to resources

>
>
CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.
 
Changed:
<
<
If the owner of a corpus requires access control, Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.
>
>
This means that automatic access is possible for resources, the use of which is allowed to whose use do not require individual decisions s the user details to the Resource, which it requires for the access authorization decision and for delivering its service. do not require that the owner or referees decide upon the use of the resource open have not set limits that do not require owner approved access control, access rights to use corpus can be given automatically.
  A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):
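Review bot: The replacement text 'This means that automatic access is possible for resources, the use of which is allowed to whose use do not require individual decisions s the user details to the Resource, ...' is several draft sentences merged into one unreadable line. Suggest a single sentence: 'For resources whose owners have not set limits requiring individual decisions, access rights can be granted automatically; otherwise the owner or the referees decide upon the use of the resource.' The Sun IdM sentence before it is fine.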
Line: 241 to 186
  Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which are granted with a single authentication with CSC user account. Technically, each resource corresponds to a UNIX group.
Added:
>
>
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring.

The user wants to access a resource

Access to Resource Granted Basically, the Shibboleth login process is like any other login process. To access a protected resource, the user has to authenticate. However, in our case the user authenticates himself not at the resource itself but at his Home Organization. He does not need an additional account at each resource nor has he to provide his username and password to third parties, but only to his Home Organization. Session End
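Review bot: The added block appends demo residue to the data model section: 'The user wants to access a resource', 'Access to Resource Granted' and 'Session End' are section titles from an external Shibboleth login demo fused into one paragraph with its 'Basically, the Shibboleth login process ...' text. Keep the Automatisation sentence (it belongs with the Sun IdM plan) and drop the rest, or rewrite the login description in the page's own terms under the Data access model heading.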

 

Referees

Changed:
<
<
An applying user becomes trusted by being approved by a referee. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
>
>
An applying user becomes trusted by being approved by a referee. The referee can also identify the user. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
 

Model for practical implementation

Revision 52 2008-08-29 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 126 to 126
 

Data access model

Changed:
<
<

Authentication

>
>
Shibboleth will be used to authenticate users of the Language Bank of Finland and the CLARIN federation. After the user connects to a resource, e.g. a corpora, [s]he can access the resource automatically if s[he] belongs to a group that is allowed to access the named resource and the resource is accessible to that group. If the owner of the resource has set limits on its use, the user can continue to the application procedure.

After the user connects to a resource, e.g. a corpora, [s]he will be redirected to WAYF service to log on his home organization. If the user is already logged on his home organization, he does not have to relog.

Resource Request

  Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.

Shibboleth will release the user information called attributes.

Deleted:
<
<
WAYF service
 
Added:
>
>
This page gives a very short and non-technical introduction to the general procedure of a Shibboleth login. Once you have read through this page, the medium demo will show you the same procedure in more detail while guiding you through the live demo. Finally, if you can still bear some more technical details, read the expert demo.

Overview

The setting: a user of 'University B' wants to access a Shibboleth protected e-learning resource 'Medical Training 1' hosted on www.resource.ex. Fig. 1 summarizes the various steps of the login procedure.

Figure 1: Intro Overview

User connects to Resource and is redirected

Figure 2: User accesses resource in his web browser

The user wants to access a resource hosted on www.resource.ex. Provided the user has recently accessed another Shibboleth protected resource, access to this resource may be granted immediately. Otherwise, the user first has to authenticate at his Home Organization 'University B'. Therefore, the user's web browser gets redirected to the WAYF ('Where Are You From') server. In this example it is on www.wayf.ex.

Phase 2 - Home Organization Selection

Figure 3: User selects his Home Organization

The role of the WAYF server is to present a list of Home Organizations to the user. The user selects his Home Organization 'University B' and is redirected to its login page at www.uni-b.ex. In case the Home Organization has been selected earlier and remembered in the web browser, this step might be skipped.

Phase 3 - User Authentication at his Home Organization

Figure 4: User authenticates himself at his Home Organization

The user sees the familiar login page of 'University B' and provides his login name and password. If login name and password match, the user is redirected back to the resource on www.resource.ex he initially requested.

Phase 4 - Access to Resource Granted

Figure 5: User is granted access to resource

After successful authentication at his Home Organization, the resource decides on granting or denying him access. In the background, the Home Organization provided minimal user details to the Resource, which it requires for the access authorization decision and for delivering its service. Data protection is assured.

Summary - Shibboleth Login Procedure

Figure 6: Login procedure

Basically, the Shibboleth login process is like any other login process. To access a protected resource, the user has to authenticate. However, in our case the user authenticates himself not at the resource itself but at his Home Organization. He does not need an additional account at each resource, nor does he have to provide his username and password to third parties, but only to his Home Organization.

Session End

Once a Shibboleth user is authenticated he can access any other Shibboleth-enabled resources without providing his login name and password again. This is only necessary if the user closes his web browser or if no Shibboleth resource is accessed for some time.
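The login procedure above, as a toy simulation added here (not SWITCH's, CSC's or the Shibboleth project's code). The hostnames are the page's examples; the user store, the idle timeout, the attribute names and the authorization rule for 'Medical Training 1' are constructed. It follows the four phases and the session-end rule: a live SP session skips everything, a remembered Home Organization skips the WAYF selection, the password is checked only at the IdP, and only the attribute the SP needs for its decision is released.

```python
"""Toy walk-through of the Shibboleth login procedure described above.

Added example, not code from SWITCH, CSC or the Shibboleth project. It
models the decision points in the text: an existing SP session, the
remembered Home Organization at the WAYF, authentication only at the IdP,
minimal attribute release to the SP, and session expiry. The hostnames are
the page's examples; users, timeout and attribute names are constructed.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SP_HOST = "www.resource.ex"
WAYF_HOST = "www.wayf.ex"
IDLE_TIMEOUT = 3600                              # constructed: idle seconds before the SP session lapses
ALLOWED_AFFILIATIONS = {"student", "faculty"}    # constructed rule for 'Medical Training 1'

# Constructed IdP user store, keyed by Home Organization host. Passwords live only here.
IDP_USERS = {
    "www.uni-b.ex": {
        "alice": ("correct horse", {"cn": "Alice Example", "affiliation": "student"}),
        "bob": ("battery staple", {"cn": "Bob Example", "affiliation": "alum"}),
    },
}

SP_SESSIONS: Dict[str, "SPSession"] = {}         # session id -> session, server-side at the SP


@dataclass
class SPSession:
    attrs: dict
    last_seen: int


@dataclass
class Browser:
    """Cookies per host; a fresh Browser() models 'the user closed the web browser'."""
    cookies: Dict[str, str] = field(default_factory=dict)


def released_attributes(user_attrs: dict) -> dict:
    """The IdP releases only what the SP needs for its decision (data protection)."""
    return {"affiliation": user_attrs["affiliation"]}


def access_resource(browser: Browser, now: int,
                    choose_home_org: Optional[str] = None,
                    credentials: Optional[Tuple[str, str]] = None) -> Tuple[bool, List[str]]:
    """One attempt to open the protected resource. Returns (granted, trace of hops)."""
    trace: List[str] = []
    # Phase 1: does the SP already hold a live session for this browser?
    sess = SP_SESSIONS.get(browser.cookies.get(SP_HOST, ""))
    if sess is not None and now - sess.last_seen <= IDLE_TIMEOUT:
        sess.last_seen = now
        trace.append("SP: live session, no re-authentication needed")
        return sess.attrs["affiliation"] in ALLOWED_AFFILIATIONS, trace
    if sess is not None:
        trace.append("SP: session idle too long, discarded")
        SP_SESSIONS.pop(browser.cookies.pop(SP_HOST), None)
    trace.append(f"SP: redirect to WAYF {WAYF_HOST}")
    # Phase 2: Home Organization selection, skipped when the WAYF remembers it.
    home_org = browser.cookies.get(WAYF_HOST)
    if home_org:
        trace.append(f"WAYF: remembered Home Organization {home_org}")
    elif choose_home_org:
        home_org = browser.cookies[WAYF_HOST] = choose_home_org
        trace.append(f"WAYF: user selected {home_org}")
    else:
        trace.append("WAYF: waiting for the user to select a Home Organization")
        return False, trace
    # Phase 3: authentication happens at the IdP only; the SP never sees the password.
    trace.append(f"WAYF: redirect to IdP {home_org}")
    users = IDP_USERS.get(home_org, {})
    if (not credentials or credentials[0] not in users
            or not secrets.compare_digest(users[credentials[0]][0], credentials[1])):
        trace.append("IdP: authentication failed")
        return False, trace
    attrs = released_attributes(users[credentials[0]][1])
    trace.append(f"IdP: authenticated, releasing {sorted(attrs)} to {SP_HOST}")
    # Phase 4: the SP creates its own session and makes the authorization decision.
    sid = secrets.token_hex(16)
    SP_SESSIONS[sid] = SPSession(attrs, now)
    browser.cookies[SP_HOST] = sid
    granted = attrs["affiliation"] in ALLOWED_AFFILIATIONS
    trace.append(f"SP: access {'granted' if granted else 'denied'} for affiliation {attrs['affiliation']}")
    return granted, trace


if __name__ == "__main__":
    b = Browser()
    for step in (dict(choose_home_org="www.uni-b.ex", credentials=("alice", "correct horse")), {}):
        ok, hops = access_resource(b, 0, **step)
        print(ok, *hops, sep="\n  ")
```

The trace returned with each decision is what an SP operator would want to log: which hop handled the request and why access was granted or denied, while the password never reaches www.resource.ex.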

 
Changed:
<
<

Automatic access

>
>

Automatic access to resources

  For corpora that do not require owner approved access control, access rights to use a corpus can be given automatically. Automatic access means here attribute based access. For example, a researcher from the University of Helsinki can access the corpus in question after authentication. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.
Line: 163 to 212
 Thanks to Seppo for this rule idea!
Changed:
<
<

Controlled access

>
>

Owner controlled access to resources

  If the owner of a corpus requires access control, Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.

Revision 51 - 2008-08-29 - SatuTorikka


Line: 56 to 56
 

Certificates

Changed:
<
<
A personal certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data. There are widely used server certificates identifying Shibboleth or any SSL/TLS (HTTPS) servers.
>
>
Certificates can be used to identify a person or a server. A personal certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data. Server certificates are widely used to identify servers e.g Shibboleth or any SSL/TLS (HTTPS) servers.

There are widely used server certificates identifying Shibboleth or any SSL/TLS (HTTPS) servers.

  The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are widely used in Estonia only.
Line: 124 to 126
 

Data access model

Added:
>
>

Authentication

Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.

Shibboleth will release the user information called attributes. WAYF service

 

Automatic access

For corpora that do not require owner approved access control, access rights to use a corpus can be given automatically. Automatic access means here attribute based access. For example, a researcher from the University of Helsinki can access the corpus in question after authentication. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.

Revision 50 - 2008-08-29 - PekkaJarvelainen


Line: 56 to 56
 

Certificates

Changed:
<
<
A certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data.
>
>
A personal certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data. There are widely used server certificates identifying Shibboleth or any SSL/TLS (HTTPS) servers.
  The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are widely used in Estonia only.

Revision 49 - 2008-08-28 - SatuTorikka


Line: 17 to 17
  When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens for the new customer a new CSC user account with appropriate rights, and joins him/her to a new or an existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.
Deleted:
<
<

Challenges

As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for administrators to reliably assess the applicants and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other. The growing number of users with various needs puts pressure on automatisation of customer processes.

 

Data model for customer processes

Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.

Line: 38 to 33
 
  • Project
    • Name
    • Description
Changed:
<
<
    • has a Member (1 ... n)
>
>
    • has Customer as a member (1 ... n)
 
    • has a Resource (1 ... n)
  • Resource
    • rights to use certain corpora, software or databases
Changed:
<
<
    • account on a server
>
>
    • user account on a server (e.g. corpus.csc.fi)
 
    • disk space on various servers
    • CPU quota
The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table
Line: 50 to 45
  Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which are granted with a single authentication with CSC user account. Technically, each resource corresponds to a UNIX group.
Added:
>
>

Challenges

As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for administrators to reliably assess the applicants and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other. The growing number of users with various needs puts pressure on automatisation of customer processes.

 

AAI Technologies

Changed:
<
<
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) which CSC is involved are presented: Certificates, Saml2/Shibboleth and EduGain. There is more similar technologies compared Report on comparison and assessment of eID management solutions interoperability.
>
>
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) which CSC is involved are presented: Certificates, Saml2/Shibboleth and EduGain. You can find detailed information about various AAI technologies in Report on comparison and assessment of eID management solutions interoperability.
 

Certificates

Line: 87 to 87
 

SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an OASIS standard for XML exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for web single sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
>
>
SAML (Security Assertion Markup Language) is an OASIS standard for XML exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for web single sign-on across or within organizational boundaries. Shibboleth version 2 is directly compatible with SAML2 version. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
 In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. For a series of technical explanations of how Shibboleth works, from easy to expert, refer to the SWITCH Federation site
Line: 122 to 122
  eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready. It's planned to start in April 2009.
Added:
>
>

Data access model

Automatic access

For corpora that do not require owner approved access control, access rights to use a corpus can be given automatically. Automatic access means here attribute based access. For example, a researcher from the University of Helsinki can access the corpus in question after authentication. SAML2/Shibboleth can act as an identity provider (IdP), which authenticates users and provides attributes.

How to manage file permissions and other resources when the user has no CSC user account? At the end of last week I came up with an answer: a database.

It is likely that there will be services aimed at an enumerated set of users, for which AND and OR operations on Shibboleth attributes are not sufficient, or are at least hard to manage. Since several such services are in sight (clarin, Ari's BoF on 5.9), it is important to think about a CSC-wide solution.

In my idea, the database stores for each resource the information about who can access it. The access-right information can take different forms: a single Shibboleth attribute such as HTTP_SHIB_EP_PRINCIPALNAME=pj@csc.fi; HTTP_SHIB_EP_PRINCIPALNAME belongs to the group rämä, a group maintained by teachers of geo classes or by owners of language corpora outside CSC; or more complex rules such as "according to the file's ACL" or "astronomers until the Monday after the second new moon of 2009". Thanks to Seppo for this rule idea!

Controlled access

If the owner of a corpus requires access control, Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.

A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):

  • Customer
    • Firstname Lastname
    • Email address
    • Address
    • Phone
    • is a member of Project (1... n)
    • has a Resource (1 ... n)
  • Project
    • Name
    • Description
    • has Customer as a member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
    • rights to use certain corpora, software or databases
    • user account on a server (e.g. corpus.csc.fi)
    • disk space on various servers
    • CPU quota

The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table already exists in CSC's customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.

Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which are granted with a single authentication with CSC user account. Technically, each resource corresponds to a UNIX group.

 

Referees

An applying user becomes trusted by being approved by a referee. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well. Information about the referee should be stored with application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
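The attribute-based decision described in the automatic-access paragraph and the per-resource rule database proposed in the paragraphs after it, as an added example (not CSC's, the Language Bank's or the Shibboleth project's code). It assumes the SP exposes attributes to the application as HTTP_SHIB_* variables, as this page shows for HTTP_SHIB_EP_PRINCIPALNAME; the HTTP_SHIB_EP_AFFILIATION name, the group registry, the resources and the cut-off date are constructed. It generalizes the page's AND/OR attribute checks into a list of rule kinds: a single principal, an externally maintained group, an affiliation, and a time-bounded rule.

```python
"""Attribute-based access decision for corpus resources.

Added example (not CSC's or the Language Bank's code). It models the idea
in the text: a per-resource rule store decides who may access a resource,
using the attributes the Shibboleth SP hands to the application as
HTTP_SHIB_* variables. The rule store, group registry and users below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Mapping, Optional

# Attribute names as the SP exposes them to the application.
PRINCIPAL = "HTTP_SHIB_EP_PRINCIPALNAME"   # eduPersonPrincipalName, as on the page
AFFILIATION = "HTTP_SHIB_EP_AFFILIATION"   # assumed name for eduPersonAffiliation
MULTI_VALUE_SEP = ";"                      # the SP joins multi-valued attributes with ';'

Attrs = Mapping[str, str]
Predicate = Callable[[Attrs, date], bool]


@dataclass(frozen=True)
class Rule:
    label: str        # human-readable; ends up in the audit reason
    test: Predicate


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed group registry: groups maintained by corpus owners outside CSC.
GROUPS = {
    "huippu": {"pekka@huippu.fi", "maija@huippu.fi"},
    "rama": {"pj@csc.fi"},
}


def principal_is(name: str) -> Rule:
    """Single-user rule: HTTP_SHIB_EP_PRINCIPALNAME equals a fixed value."""
    return Rule(f"principal={name}", lambda a, _d: a.get(PRINCIPAL) == name)


def member_of(group: str) -> Rule:
    """Group rule: the principal is listed in an externally maintained group."""
    return Rule(f"group={group}", lambda a, _d: a.get(PRINCIPAL) in GROUPS.get(group, set()))


def affiliation_in(*wanted: str) -> Rule:
    """Affiliation rule: any one of the user's affiliation values is acceptable."""
    def test(a: Attrs, _d: date) -> bool:
        values = set(filter(None, a.get(AFFILIATION, "").split(MULTI_VALUE_SEP)))
        return bool(values & set(wanted))
    return Rule("affiliation in " + ",".join(wanted), test)


def valid_until(inner: Rule, last_day: date) -> Rule:
    """Time-bounded rule: the inner rule only counts up to and including last_day."""
    return Rule(f"{inner.label} until {last_day.isoformat()}",
                lambda a, d: d <= last_day and inner.test(a, d))


# Constructed per-resource rule store (the 'database' of the text); any matching rule grants access.
RESOURCE_RULES: Dict[str, List[Rule]] = {
    "ResourceZ": [member_of("huippu")],
    "pj_private": [principal_is("pj@csc.fi"), member_of("rama")],
    # The cut-off date is a constructed stand-in for the page's moon-phase example.
    "astro_corpus": [valid_until(affiliation_in("faculty", "staff"), date(2009, 2, 2))],
}


def decide(resource: str, attrs: Attrs, today: Optional[date] = None) -> Decision:
    """Default-deny decision: no principal, unknown resource or no matching rule all deny."""
    today = today or date.today()
    if not attrs.get(PRINCIPAL):
        return Decision(False, "no authenticated principal")
    rules = RESOURCE_RULES.get(resource)
    if not rules:
        return Decision(False, f"unknown resource {resource}: default deny")
    for rule in rules:
        if rule.test(attrs, today):
            return Decision(True, f"{resource}: matched rule '{rule.label}'")
    return Decision(False, f"{resource}: no rule matched for {attrs[PRINCIPAL]}")


# Constructed sample users, in the form the SP would pass them, and sample dates.
PEKKA = {PRINCIPAL: "pekka@huippu.fi", AFFILIATION: "member;student"}
ASTRONOMER = {PRINCIPAL: "astro@uni.fi", AFFILIATION: "member;faculty"}
TODAY = date(2008, 11, 21)
BEFORE_CUTOFF = date(2009, 1, 15)
AFTER_CUTOFF = date(2009, 6, 1)

if __name__ == "__main__":
    for res, user, day in [("ResourceZ", PEKKA, TODAY), ("astro_corpus", ASTRONOMER, BEFORE_CUTOFF),
                           ("astro_corpus", ASTRONOMER, AFTER_CUTOFF), ("pj_private", PEKKA, TODAY),
                           ("ResourceZ", {}, TODAY)]:
        print(res, user.get(PRINCIPAL, "-"), decide(res, user, day))
```

Default deny is the design point: an unknown resource, a missing principal or no matching rule all return a Decision carrying a reason that can be logged, which is what makes rules maintained by people outside CSC reviewable after the fact.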

Revision 48 - 2008-08-28 - PekkaJarvelainen


Line: 56 to 56
 

Certificates

Added:
>
>
A certificate is a file that uniquely identifies its owner. Certificates contains information identifying the owner of the certificate, a public key itself, the expiration date of the certificate, the name of the CA (certification authority) that signed the certificate, and some other data.
 The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are widely used in Estonia only.

Revision 47 - 2008-08-27 - PekkaJarvelainen


Line: 90 to 90
 For a series of technical explanations of how Shibboleth works, from easy to expert, refer to the SWITCH Federation site

Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources.

Changed:
<
<
The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
>
>
The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
  Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.
Line: 157 to 157
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
Changed:
<
<
META FILEATTACHMENT attachment="customer_process_draft.png" attr="" comment="Customer process plan" date="1219758844" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" stream="customer_process_draft.png" user="Main.SatuTorikka" version="6"
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219758845" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" user="Main.SatuTorikka" version="6"

Revision 46 - 2008-08-26 - SatuTorikka


Line: 157 to 157
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
Changed:
<
<
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219409888" name="customer_process_draft.png" path="customer_process_draft.png" size="117216" user="Main.SatuTorikka" version="5"
>
>
META FILEATTACHMENT attachment="customer_process_draft.png" attr="" comment="Customer process plan" date="1219758844" name="customer_process_draft.png" path="customer_process_draft.png" size="121252" stream="customer_process_draft.png" user="Main.SatuTorikka" version="6"

Revision 45 - 2008-08-26 - PekkaJarvelainen


Line: 52 to 52
 

AAI Technologies

Changed:
<
<
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) are presented: Certificates, Saml2/Shibboleth and EduGain.
>
>
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) which CSC is involved are presented: Certificates, Saml2/Shibboleth and EduGain. There is more similar technologies compared Report on comparison and assessment of eID management solutions interoperability.
 

Certificates

Line: 85 to 85
 

SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
>
>
SAML (Security Assertion Markup Language) is an OASIS standard for XML exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for web single sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
 In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. For a series of technical explanations of how Shibboleth works, from easy to expert, refer to the SWITCH Federation site

Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources.

Changed:
<
<
The SP runs in Apache as a module. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
>
>
The SP runs in Apache as a module or in IIS as a filter. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.
 
Changed:
<
<
Shibboleth will release the information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.
>
>
Shibboleth will release the user information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.
  The mandatory attributes are:
  • cn, commonName, displayName + sn
Line: 118 to 118
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Changed:
<
<
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon.
>
>
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon. Only pilot projects will be possible before April 2010, when policy development is dated to be ready. It's planned to start in April 2009.
 

Referees

Revision 44 - 2008-08-26 - PekkaJarvelainen


Line: 24 to 24
 

Data model for customer processes

Changed:
<
<
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.
>
>
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.
  A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):
Line: 85 to 85
 

SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
>
>
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications. In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. For a series of technical explanations of how Shibboleth works, from easy to expert, refer to the SWITCH Federation site
 
Changed:
<
<
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.
>
>
Shibboleth has two major halves: an identity provider (IdP), which authenticates users and releases selected information about them, and a service provider (SP) that accepts and processes the user data before making access control decisions or passing the information to protected applications. These entities trust each other to properly safeguard user data and sensitive resources. The SP runs in Apache as a module. The IdP is a web service written in Java, and operates in any standard servlet container like tomcat.

Shibboleth will release the information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.

  The mandatory attributes are:
  • cn, commonName, displayName + sn
Line: 99 to 104
  The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.
Changed:
<
<
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services.
>
>
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services. Similar Higher Education federation in the USA is InCommon which has an annual fee of $1000. Although the software encourages federation bilateral agreements are of course possible.
  Kalmar Union is a project connecting Nordic countries' academic communities to establish a Nordic cross-federation.

Revision 43 - 2008-08-25 - PekkaJarvelainen


Line: 70 to 70
 
  • contain only name and email information
  • difficult infrastructure, user certificates used only by the grid
  • difficult to use, one or two more passwords or pins
Added:
>
>
  • difficult to program, most common C/Python-Application Programming Interface openssl isn't well documented.
 
  • hardware ones are expensive, 40 ¤ and require reader (windows only driver) about same cost
  • trust issues

Revision 42 - 2008-08-25 - PekkaJarvelainen


Line: 86 to 86
  SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
Changed:
<
<
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new draft and test service.
>
>
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new one and test service.
  The mandatory attributes are:
  • cn, commonName, displayName + sn
Line: 98 to 98
  The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.
Changed:
<
<
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.
>
>
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science. Haka has over 20 home organizations and about 50 services.
  Kalmar Union is a project connecting Nordic countries' academic communities to establish a Nordic cross-federation.
Line: 151 to 151
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
Changed:
<
<
META FILEATTACHMENT attachment="customer_process_draft.png" attr="" comment="Customer process plan" date="1219409887" name="customer_process_draft.png" path="customer_process_draft.png" size="117216" stream="customer_process_draft.png" user="Main.SatuTorikka" version="5"
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219409888" name="customer_process_draft.png" path="customer_process_draft.png" size="117216" user="Main.SatuTorikka" version="5"

Revision 41 - 2008-08-22 - SatuTorikka


Line: 151 to 151
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
Changed:
<
<
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219161311" name="customer_process_draft.png" path="customer_process_draft.png" size="114120" user="Main.SatuTorikka" version="4"
>
>
META FILEATTACHMENT attachment="customer_process_draft.png" attr="" comment="Customer process plan" date="1219409887" name="customer_process_draft.png" path="customer_process_draft.png" size="117216" stream="customer_process_draft.png" user="Main.SatuTorikka" version="5"

Revision 40 - 2008-08-21 - PekkaJarvelainen


Line: 145 to 145
  The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
Added:
>
>
The usefulness of the referee process depends on the proportion of applications it covers: the majority of applicants must be known by a referee for the process to be useful. A well-organized referee group will be very useful, and the technical requirements are quite low: only some web forms and data in a database.
 

META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"

Revision 392008-08-21 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 24 to 24
 

Data model for customer processes

Changed:
<
<
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager software for identity management.
>
>
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager (IdM) software for identity management.
  A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):

Revision 382008-08-21 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 92 to 92
 
  • cn, commonName, displayName + sn
  • sn, surName, family name
  • displayName, the given name in use, i.e. the name the individual has registered as the one (s)he uses
Changed:
<
<
  • eduPersonPrincipalName, It should be represented in the form "user@scope" where scope defines a local security domain
  • schacHomeOrganization, Specifies a person´s home organization using the domain name of the organization.
>
>
  • eduPersonPrincipalName, should be represented in the form user@scope, where scope defines a local security domain
  • schacHomeOrganization, specifies a person's home organization using the domain name of the organization.
 
  • schacHomeOrganizationType, in the form countrycode:string, e.g. fi:university

The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.

Revision 372008-08-21 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 75 to 75
  The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
Changed:
<
<
Also TERENA has a repository which contains verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor NorduGrid, which is used Nordic grid operations. It's NOT possible to get
>
>
TERENA also has a repository of verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that it contains no Finnish operators, nor NorduGrid, which is used in Nordic grid operations. It is NOT possible to get
 TACAR-accepted certificates in Finland. TACAR is a list of certificates NOT known to browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and the cost is much lower than setting up an own Public Key Infrastructure.
Line: 89 to 89
 In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth releases user information in the form of attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema; a new draft of the schema and a test service also exist.

The mandatory attributes are:

Changed:
<
<
  • cn
  • sn
  • displayName
  • eduPersonPrincipalName
  • schacHomeOrganization
  • schacHomeOrganizationType
>
>
  • cn, commonName, displayName + sn
  • sn, surName, family name
  • displayName, the given name in use, i.e. the name the individual has registered as the one (s)he uses
  • eduPersonPrincipalName, It should be represented in the form "user@scope" where scope defines a local security domain
  • schacHomeOrganization, specifies a person's home organization using the domain name of the organization.
  • schacHomeOrganizationType, in the form countrycode:string, e.g. fi:university
  The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.
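An added example, not the white paper's, CSC's or Haka's own code, of the checks an application form acting as a Shibboleth Service Provider should apply to the mandatory attributes listed above before trusting them. The environment-variable names (HTTP_SHIB_...), the sample attribute values and the owner's authorization table are assumptions constructed for the example. The cross-check that the eduPersonPrincipalName scope belongs to the schacHomeOrganization domain is a defensive application-level check added here, not a rule of the funetEduPerson schema; the authoritative scope check is the one the SP performs against federation metadata.

```python
"""Validate the mandatory funetEduPerson attributes released to a Shibboleth SP.

Added example: not code from the white paper, CSC or Haka. Assumptions: the SP
passes released attributes to the application as environment variables named
HTTP_SHIB_<ATTRIBUTE> (names below are constructed), multi-valued attributes
arrive joined with ';' (the Shibboleth SP default), and the resource owner's
authorizations are a dict of resource -> set of home organization domains.
"""
import re

# Mandatory Haka attributes -> assumed environment variable name at the SP
MANDATORY = {
    "cn": "HTTP_SHIB_CN",
    "sn": "HTTP_SHIB_SN",
    "displayName": "HTTP_SHIB_DISPLAYNAME",
    "eduPersonPrincipalName": "HTTP_SHIB_EP_PRINCIPALNAME",
    "schacHomeOrganization": "HTTP_SHIB_HOME_ORGANIZATION",
    "schacHomeOrganizationType": "HTTP_SHIB_HOME_ORGANIZATION_TYPE",
}

# DNS label: letters, digits and hyphen, no leading or trailing hyphen
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
_EPPN_RE = re.compile(rf"^[^@\s;]+@((?:{_LABEL}\.)+{_LABEL})$")  # user@scope
_ORGTYPE_RE = re.compile(r"^[a-z]{2}:[a-z]+$")                    # fi:university

# Constructed sample of what the SP might hand the application form
SAMPLE_ENV = {
    "HTTP_SHIB_CN": "Matti Meikalainen",
    "HTTP_SHIB_SN": "Meikalainen",
    "HTTP_SHIB_DISPLAYNAME": "Matti Meikalainen",
    "HTTP_SHIB_EP_PRINCIPALNAME": "mmeikala@ling.example.fi",
    "HTTP_SHIB_HOME_ORGANIZATION": "example.fi",
    "HTTP_SHIB_HOME_ORGANIZATION_TYPE": "fi:university",
}


def validate_attributes(env):
    """Return the validated attributes plus the derived scope, or raise ValueError."""
    attrs = {}
    for name, var in MANDATORY.items():
        value = env.get(var, "").strip()
        if not value:
            raise ValueError(f"missing mandatory attribute {name}")
        attrs[name] = value

    # The principal name identifies the user; a multi-valued one is a
    # misconfiguration and must not be silently reduced to its first value.
    eppn = attrs["eduPersonPrincipalName"].lower()
    if ";" in eppn:
        raise ValueError("eduPersonPrincipalName must be single-valued")
    m = _EPPN_RE.match(eppn)
    if not m:
        raise ValueError("eduPersonPrincipalName is not of the form user@scope")
    scope = m.group(1)

    home = attrs["schacHomeOrganization"].lower()
    if not _DOMAIN_RE.match(home):
        raise ValueError("schacHomeOrganization is not a domain name")
    if not _ORGTYPE_RE.match(attrs["schacHomeOrganizationType"]):
        raise ValueError("schacHomeOrganizationType is not countrycode:string")

    # Defensive cross-check added in this example (not a schema rule): the
    # scope asserted in the principal name should be the home organization or
    # one of its subdomains. The SP's metadata-based scope check is the
    # authoritative control; this catches an application-level mismatch.
    if scope != home and not scope.endswith("." + home):
        raise ValueError(f"scope {scope!r} does not belong to {home!r}")

    attrs["eduPersonPrincipalName"] = eppn
    attrs["schacHomeOrganization"] = home
    attrs["scope"] = scope
    return attrs


def decide_access(attrs, resource, authorizations):
    """Grant access if the resource owner authorized the user's home organization.

    authorizations: {resource name: set of schacHomeOrganization domains}.
    The decision keys on a validated, federation-asserted attribute, never on
    free-text fields such as cn or displayName.
    """
    return attrs["schacHomeOrganization"] in authorizations.get(resource, set())
```

In a real deployment the variable names follow the SP's attribute-map configuration; the properties worth keeping are that every mandatory attribute is present, that the identifying attribute is single-valued and well-formed, and that the access decision is made on the validated home organization rather than on a display name.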
Line: 112 to 112
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Changed:
<
<
eduGAIN is not yet a production-level service. The software is on the first release candidate level.
>
>
eduGAIN is not yet a production-level service. The software is on the second release candidate level. The 1.0 version will be published soon.
 

Referees

Revision 362008-08-20 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 15 to 15
 

CSC user account management

Changed:
<
<
When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens a new CSC user account for the new customer with the required permissions, and joins him/her to a new or an existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.
>
>
When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens a new CSC user account with appropriate rights for the new customer, and joins him/her to a new or an existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.
 

Challenges

Line: 26 to 26
  Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager software for identity management.
Deleted:
<
<
Figure: Customer process model using electronic applications, AAI technologies and referees
 A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):

  • Customer
Line: 119 to 116
 

Referees

Changed:
<
<
An applying user becomes trusted by being approved by a referee. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
>
>
An applying user becomes trusted by being approved by a referee. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. CSC's customer database Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, so information about the referee should be stored with the application data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) does not have this effect.

Model for practical implementation

 
Changed:
<
<

Model for practical implementation

>
>
This model is a practical implementation using electronic applications, AAI technologies and referees. The procedure for an applicant to become a new customer of the Language Bank of Finland could be as follows:
 
Changed:
<
<
  1. The applicant fills one of the two electronic application forms: SAML2/Shibboleth-secured or non-secured (open for everyone).
  2. Applications submitted non-secured require an e-mail address verification.
    • Unverified applications are daily dropped from the database.
  3. The applicant is forwarded to a page containing a list of referees ordered by country: Does anybody know the applicant?
  4. If the applicant expects someone to know him/her, the application is sent up to two referees with accept and deny links.
    1. If applicant does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator (normal procedure).
    2. What will happen if the referees fail to reply?
    3. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  5. If the referee accepts the application, CSC will create the account with the appropriate rights.
>
>
  1. The applicant fills in one of the two electronic application forms: SAML2/Shibboleth-secured or open (non-secured, available to everyone).
  2. Open applications require e-mail address verification when submitted.
  3. The applicant is forwarded to a page containing a list of referees ordered by country: Does any referee know the applicant? Some applications may skip the referee procedure.
  4. If the applicant expects that one or two referees know him/her, the application will be sent by email to up to two referees with recommend and deny links.
    1. If the applicant does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator (normal procedure).
    2. If the referee clicks the deny link, a rejection message will be sent to the applicant.
  5. If the referee recommends that the application be accepted, CSC will create a new user account with appropriate rights.

Figure: Customer process model using electronic applications, AAI technologies and referees
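The recommend and deny links emailed to referees in step 4 are what actually carry the verdict, so they have to be unforgeable, bound to one application and one referee, time-limited and single-use. An added example of how such links can be built and verified; it is not the white paper's design or CSC's code, and the URL layout, HMAC key, two-week lifetime and the in-memory set standing in for a database table are assumptions made here:

```python
"""Signed, expiring, single-use recommend/deny links for referee emails.

Added example, not the white paper's design or CSC's code. The key, the URL
layout, the lifetime and the in-memory nonce store are assumptions. The point:
a referee's verdict must be bound to one application, one referee and one
action, so a link cannot be forged, replayed, or flipped from deny to recommend.
"""
import base64
import hashlib
import hmac
import secrets

ACTIONS = ("recommend", "deny")
DEFAULT_TTL = 14 * 86400  # assumed lifetime of a referee link: two weeks


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()


def make_links(key, base_url, application_id, referee, now, ttl=DEFAULT_TTL):
    """Build the recommend and deny URLs for one referee email.

    Both links carry the same nonce, so once either is used the other is void.
    The verdict lives inside the signed token; the path segment is cosmetic.
    """
    fields = (str(application_id), referee)
    if any("|" in f or "\n" in f for f in fields):
        raise ValueError("field contains a separator character")
    exp = int(now) + ttl
    nonce = _b64(secrets.token_bytes(12))
    links = {}
    for action in ACTIONS:
        payload = "|".join((*fields, action, str(exp), nonce)).encode()
        token = _b64(payload) + "." + _b64(_sign(key, payload))
        links[action] = f"{base_url}/referee/{action}?token={token}"
    return links


def verify_token(key, token, used_nonces, now):
    """Return (application_id, referee, action) for a valid token.

    used_nonces is server-side state (a database table in practice); a set is
    enough to show the single-use rule. Every failure raises ValueError before
    the nonce is recorded, so garbage requests cannot burn a referee's link.
    """
    try:
        p64, s64 = token.split(".")
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, TypeError):
        raise ValueError("malformed token") from None
    # Constant-time comparison: never compare MAC bytes with a plain ==.
    if not hmac.compare_digest(sig, _sign(key, payload)):
        raise ValueError("bad signature")
    application_id, referee, action, exp, nonce = payload.decode().split("|")
    if action not in ACTIONS:
        raise ValueError("unknown action")
    if int(exp) < now:
        raise ValueError("link expired")
    if nonce in used_nonces:
        raise ValueError("link already used")
    used_nonces.add(nonce)
    return application_id, referee, action


def token_from_url(url):
    """Extract the token query parameter, the only part of the URL the handler trusts."""
    return url.rsplit("token=", 1)[1]
```

The handler for both paths calls verify_token and acts on the action it returns, never on the path the request arrived at; the application id and referee address also come from the token, so the only thing the email recipient can contribute is the click itself.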

 
Changed:
<
<
The same application forms can also be used to collect new referee information. Each form needs a check-box for the user to confirm his/her willingness to function as a referee.
>
>
The same application forms can also be used to collect new referee information. The forms need to contain a check-box for the referee candidate to express his/her willingness to function as a referee.
 

Conclusion

Revision 352008-08-20 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 33 to 33
 
  • Customer
    • Firstname Lastname
Added:
>
>
    • Email address
 
    • Address
    • Phone
    • is a member of Project (1... n)
Line: 50 to 51
 The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table already exists in CSC's customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.
Changed:
<
<
Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which is granted with a single authentication??. Technically, each resource corresponds to a UNIX group.
>
>
Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources to which access is granted with a single authentication using a CSC user account. Technically, each resource corresponds to a UNIX group.
 

AAI Technologies

Changed:
<
<
Currently available technologies for Authentication and Authorisation Infrastructures (AAI) are presented: Certificates, Saml2/Shibboleth and EduGain.
>
>
Currently available electronic technologies for Authentication and Authorisation Infrastructures (AAI) are presented: Certificates, SAML2/Shibboleth and eduGAIN.
 

Certificates

Line: 63 to 64
 

Pros

Changed:
<
<
  • available to everybody for free (grid organizations, http://www.cacert.org/), in commercial supply
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)
>
>
  • available to everybody for free (grid organizations, http://www.cacert.org/)
  • commercially available at reasonable prices (for example, 1,5 € from TeliaSonera for members of Funet)
 

Cons

Line: 82 to 83
 CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and the cost is much lower than setting up an own Public Key Infrastructure.
Changed:
<
<
Commercial certificates based on credit cards suffer large scale market for stolen credit cards.
>
>
Commercial certificates based on credit cards may not be very reliable, because there is some evidence of a black market for stolen credit cards.
 

SAML2/Shibboleth federation

Line: 98 to 99
 
  • schacHomeOrganization
  • schacHomeOrganizationType
Changed:
<
<
The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled information releases.
>
>
The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled Attribute Release Policies for Haka federation.
  Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.

Revision 342008-08-19 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 13 to 13
  If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. If the application is rejected, the administrator informs the applicant personally. As the number of corpora grows, the application form may have to be split into two or more parts.
Changed:
<
<

CSC account management

>
>

CSC user account management

 
Changed:
<
<
When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens a new CSC user account for the new customer with the required permissions, and joins him/her to a new or existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.
>
>
When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens a new CSC user account for the new customer with the required permissions, and joins him/her to a new or an existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.
 
Changed:
<
<

Authentication challenges

>
>

Challenges

  As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. Nor is it possible for administrators to reliably assess the applicants and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other. The growing number of users with various needs puts pressure on the automatisation of customer processes.
Changed:
<
<

Data model for customer processes

>
>

Data model for customer processes

 
Changed:
<
<
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods could be combined with electronic user accounts. CSC has made plans for new electronic application forms, and purchased the Sun Identity Manager software for identity management.
>
>
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods can be a part of electronic customer processes. CSC has already made plans for new electronic user account applications, and purchased the Sun Identity Manager software for identity management.
 
Changed:
<
<
  • The plan to set up a new CSC project via web forms:
>
>
Figure: Customer process model using electronic applications, AAI technologies and referees
 
Changed:
<
<
Perusprojekti.png Please don't include this image if you delivery this document outside CSC and University of Helsinki. It's just an example of the plan to develop electronic user applications at CSC.

A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships:

>
>
A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships (simplified model):
 
  • Customer
    • Firstname Lastname
Line: 46 to 43
 
    • has a Member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
Changed:
<
<
    • corpora
>
>
    • rights to use certain corpora, software or databases
 
    • account on a server
    • disk space on various servers
    • CPU quota
Deleted:
<
<
    • rights to use certain software or databases
 The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table already exists in CSC's customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.

Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which is granted with a single authentication??. Technically, each resource corresponds to a UNIX group.

Changed:
<
<

Technologies

>
>

AAI Technologies

Currently available technologies for Authentication and Authorisation Infrastructures (AAI) are presented: Certificates, SAML2/Shibboleth and eduGAIN.

 

Certificates

Line: 87 to 84
  Commercial certificates based on credit cards suffer large scale market for stolen credit cards.
Changed:
<
<

The SAML2/Shibboleth federation

>
>

SAML2/Shibboleth federation

  SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
Line: 107 to 104
  Kalmar Union is a project connecting Nordic countries' academic communities to establish a Nordic cross-federation.
Changed:
<
<
It would be easy to integrate the Haka authentication in the electronic application form, join as Service Provider. Kalmar Union will also probably be available at spring 2009.
>
>
CSC could easily integrate the Haka authentication in the electronic application form, where the application form would serve as Service Provider. Haka will most probably join the Kalmar Union in spring 2009.
 

eduGAIN

Line: 139 to 136
 

Conclusion

Changed:
<
<
  • technology cost/usefulness diagram:
    techcostusefullness.png
>
>
The cost/usefulness diagram below compares available AAI technologies: Certificates, eduGAIN, SAML2/Shibboleth and Referees.

techcostusefullness.png
Figure: Technology cost/usefulness diagram (Pekka Järveläinen, CSC)

The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises the quantity, quality and scope of the information available about the potential customers. For example, the SAML2/Shibboleth technology provides a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but as much information cannot be expected from it. For this reason, a rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.

 
Deleted:
<
<
The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, the rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
Added:
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="Customer process plan" date="1219161311" name="customer_process_draft.png" path="customer_process_draft.png" size="114120" user="Main.SatuTorikka" version="4"

Revision 332008-08-19 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 119 to 119
  eduGAIN is not yet a production-level service. The software is on the first release candidate level.
Changed:
<
<

Other solutions

>
>

Referees

 
Changed:
<
<

Referees

>
>
An applying user becomes trusted by being approved by a referee. Referees will be nominated and referee lists maintained by the Helsinki University Department of General Linguistics. Askare can store the referee lists. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, which is why information about the approving referee should be stored with each user's data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) does not have this effect.
 
Changed:
<
<
An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
>
>

Model for practical implementation

 
Changed:
<
<

Practical implementation

  1. The applicant fills one of the two online forms: one SAML2/Shibboleth-secured and the other open for everyone.
  2. Applications submitted via the open form require an e-mail confirmation.
    • Unconfirmed applications are daily dropped from the database.
  3. The user is forwarded to a page containing a list of referees ordered by country: does anybody know the applicant?
  4. If the applicant expects someone to know him/her, the application and project plan are sent to up to two referees with accept and deny links.
    1. If nobody knows the applicant, the process will continue.
    2. What will be done if the referees fail to reply?
>
>
  1. The applicant fills one of the two electronic application forms: SAML2/Shibboleth-secured or non-secured (open for everyone).
  2. Applications submitted non-secured require an e-mail address verification.
    • Unverified applications are daily dropped from the database.
  3. The applicant is forwarded to a page containing a list of referees ordered by country: Does anybody know the applicant?
  4. If the applicant expects someone to know him/her, the application is sent up to two referees with accept and deny links.
    1. If applicant does not know any referee, the application will be forwarded straight to the owner (or contact person) of the corpus and the Language Bank administrator (normal procedure).
    2. What will happen if the referees fail to reply?
 
    1. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  1. If the referee accepts the application, CSC will create the account with the appropriate rights.
Changed:
<
<
The same forms can also be used to collect new referee information. Each form needs a check-box for the user to confirm his/her willingness to function as a referee.
>
>
The same application forms can also be used to collect new referee information. Each form needs a check-box for the user to confirm his/her willingness to function as a referee.
 

Conclusion

Revision 322008-08-19 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 7 to 7
 

The Language Bank of Finland

User applications to the Language Bank of Finland are delivered via an

Changed:
<
<
online application form. Upon submission, the form sends the application to the Language Bank administrator. Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form also sends a copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.
>
>
web-based application form. Upon submission, the form sends the application to the Language Bank administrator by email.

Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only for a single text within the language. The application form also sends an email copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.

  If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. If the application is rejected, the administrator informs the applicant personally. As the number of corpora grows, the application form may have to be split into two or more parts.

Revision 312008-08-18 - AnttiArppe

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 101 to 101
  The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled information releases.
Changed:
<
<
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities by according common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.
>
>
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities according to common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.
  Kalmar Union is a project connecting Nordic countries' academic communities to establish a Nordic cross-federation.

Revision 302008-08-18 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 7 to 7
 

The Language Bank of Finland

User applications to the Language Bank of Finland are delivered via an

Changed:
<
<
online form. Upon submission, the form sends the application to the Language Bank administrator. Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form also sends a copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.
>
>
online application form. Upon submission, the form sends the application to the Language Bank administrator. Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form also sends a copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.
  If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. If the application is rejected, the administrator informs the applicant personally. As the number of corpora grows, the application form may have to be split into two or more parts.

CSC account management

Changed:
<
<
When the user application is approved, the applicant will become a CSC customer. Personal information will be stored in CSC's customer database Askare, He/she will receive a Unix account. Unix accounts are administered manually at CSC. The customer is always a member of a project. Resources are partly associated with the project, partly with the customer. At the minimum, the customer has "Right to see and modify customer information about him/herself". Current data model that shows the objects Customer, Project and Resource, and states their relationships:
>
>
When the online application is approved, the applicant signs and sends a paper form. A signature is required to authenticate the applicant. After receiving the signed paper form, the CSC user manager opens a new CSC user account for the new customer with the required permissions, and joins him/her to a new or existing project. User accounts are administered manually by CSC. Customer information will be stored in CSC's customer database Askare, and the UADM system.
 
Deleted:
<
<
  • Customer
    • Firstname Lastname
    • Address
    • Phone
    • is a member of Project (1... n)
    • has a Resource (1 ... n)
  • Project
    • Name
    • Description
    • has a Member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
    • corpora
    • account on a server
    • disk space on various servers
    • CPU quota
    • rights to use certain software or databases

Project description is a ground for resources. It explains what customer is doing. The project description table already exist in CSC customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.

 
Changed:
<
<
Resources represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.
>
>

Authentication challenges

 
Added:
>
>
As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for administrators to reliably assess the applicants and monitor the users. Individual countries also have their own conventions and methods, making their systems incompatible with each other. The growing number of users with various needs puts pressure on automatisation of customer processes.
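Review bot: the paragraph says national systems are "not as such suitable for international purposes" without naming which property fails (identity assurance, attribute schema, or the legal contracts behind a federation); naming it would let the Technologies section below be read as the answer to this challenge. "It's neither possible for administrators to reliably assess the applicants and monitor the users" should read "Nor is it possible for administrators to reliably assess applicants or monitor users", and "automatisation" should be "automation".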
 
Changed:
<
<

Challenges

>
>

Data model for customer processes

 
Changed:
<
<
CSC has purchased the Sun Identity Manager software, and the Electronic User Accounts project is planning a new customer registration web form.
>
>
Automatisation of customer processes can raise the quality of service to customers, save money by eliminating duplicate work, decrease the possibility of human errors, increase safety, and give better tools for monitoring. Modern authentication methods could be combined with electronic user accounts. CSC has made plans for new electronic application forms, and purchased the Sun Identity Manager software for identity management.
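Review bot: "increase safety" presumably means security, and the sentence should say which step automation replaces: under The Language Bank of Finland the only control before group membership is granted is the manual approval by the administrator and the corpus owner, so state that those approvals stay with people and only provisioning (account creation, group membership, notifications) is automated; otherwise "decrease the possibility of human errors" reads as removing the review itself. Sun Identity Manager is a provisioning product; it addresses the account lifecycle, not the authentication problem raised in the previous section, and the text should say so.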
 
  • The plan to set up a new CSC project via web forms:
Changed:
<
<
Perusprojekti.png
>
>
Perusprojekti.png
 Please don't include this image if you delivery this document outside CSC and University of Helsinki. It's just
Changed:
<
<
example of the plan to develope User accounts management of the CSC.
>
>
an example of the plan to develop electronic user applications at CSC.
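Review bot: "Please don't include this image if you deliver this document outside CSC and University of Helsinki" is a distribution restriction hidden in body text; mark the page and the image with an explicit handling label and keep the restricted image as a separate attachment, so that a copy of the text cannot carry it along by accident. "delivery" should read "deliver".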
 
Changed:
<
<

Data model for customer processes

A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships.

>
>
A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships:
 
  • Customer
    • Firstname Lastname
    • Address
    • Phone
    • is a member of Project (1... n)
Added:
>
>
    • has a Resource (1 ... n)
 
  • Project
    • Name
    • Description
    • has a Member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
Changed:
<
<
    • the tough question, these can be seen as roles (related to usage rights)
    • the account on a server, disk space on various servers, CPU quota, rights to use certain software or databases

The customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". The computing resources are always associated with a project. The minimal customer is a member of "CSC customer" project, and this projects has the minimal resource of "Right to see and modify customer information about him/herself".

Project description is a ground for resources. It explains what customer is doing. The project description table already exist in CSC customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.

Resources represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.

>
>
    • corpora
    • account on a server
    • disk space on various servers
    • CPU quota
    • rights to use certain software or databases
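Review bot: the replaced list dropped the sentence that every customer belongs to the "CSC customer" project whose only resource is "Right to see and modify customer information about him/herself"; that sentence defined the least-privilege baseline of a fresh account, and nothing in the new list says what an account can do before any corpus permission is granted. Restore the baseline (minimal project, minimal resource) and keep "corpora" apart from the four computing resources: corpora are licensed content whose access needs the owner's permission, while the others are quotas that CSC grants on its own.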
 
Changed:
<
<

Challenges

>
>
The customer is always a member of a project; at the minimum of an individual research project. The project description is a ground for granting resources. It describes the purpose of research for which the resources are applied. The project description table already exists in CSC's customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.
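Review bot: the project description is "a ground for granting resources" yet it is "user editable via the Personal Information section of the Scientist's interface"; a field that feeds an authorization decision and can be rewritten by the subject afterwards needs a defined rule: which version the approval applied to, whether edits are logged, and whether a changed description triggers re-review before further resources are granted.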
 
Changed:
<
<
As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for the administrators to reliably assess the applicants and monitor the users. The countries also have their own conventions and methods, making their systems incompatible with each other.
>
>
Resources are partly associated with the customer, partly shared by members of a project. Resources represent sets of corpora or other resources the access to which is granted with a single authentication??. Technically, each resource corresponds to a UNIX group.
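Review bot: "granted with a single authentication??" is an unresolved marker; since "each resource corresponds to a UNIX group", what is granted as a unit is one authorization decision (one group membership), not an authentication, so write "granted as a unit by membership in one UNIX group" and drop the question marks. Because group membership is the actual access control, the paper should also say who may change it (the CSC user manager, per The Language Bank of Finland above) and how that request is authenticated.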
 

Technologies

Certificates

Changed:
<
<
The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart card, but because they require special smart card reader, they are widely used only in Estonia.
>
>
The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart cards, but because they require a special smart card reader, they are widely used in Estonia only.
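Review bot: RFC 3280 was obsoleted by RFC 5280 in May 2008, before this revision, so cite RFC 5280. "very secure identification cards with smart cards" should say what the strength is: the private key is generated and kept on the card and use requires the PIN, so authentication is two-factor and the key cannot be copied out of the browser. The paragraph also mixes two questions the rest of the section depends on: how a certificate authenticates a user once issued (the grid use) and how the CA verified the identity at issuance (what the Language Bank needs to trust); separate them.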
 

Pros

Changed:
<
<
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)
>
>
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)
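Review bot: "¤" here and in "40 ¤" below is the generic currency sign, almost certainly a mis-encoded € given a TeliaSonera price for Funet members; write "EUR" out. Price is the only pro listed; the reason the grids adopted X.509 is that the private key stays with the holder and any relying party that trusts the CA can verify the holder without contacting the issuer, which is precisely the cross-organizational property the Authentication challenges section asks for, so it belongs in this list.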
 

Cons

  • not widely used
Changed:
<
<
  • contains only name and email information
>
>
  • contain only name and email information
 
  • difficult infrastructure, user certificates used only by the grid
  • difficult to use, one or two more passwords or pins
  • hardware ones are expensive, 40 ¤ and require reader (windows only driver) about same cost
  • trust issues
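Review bot: the most consequential con is missing: a certificate remains valid until it expires unless the relying party checks revocation (CRL or OCSP, as RFC 3280/5280 describe), so a user whose status is withdrawn, e.g. after a referee loses trust as discussed under Referees, keeps access unless CSC actually performs revocation checks; add that to the list. "contain only name and email information" also means the certificate carries no home-organization or role attributes, so authorization data would still have to come from elsewhere. "hardware ones are expensive, 40 ¤ and require reader (windows only driver) about same cost" should read "hardware tokens are expensive (about 40 EUR) and need a reader of about the same price, with Windows-only drivers".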
Changed:
<
<
The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
>
>
The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
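Review bot: "This table lists all members" and "There is also a map" refer to links that did not survive; cite the EUGridPMA member list by URL. "needs a trust policy" is the open decision of this section, so state the candidate policy: accept every EUGridPMA-accredited CA, or only a named subset, and who at CSC maintains the accepted list and its CA certificates.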
 
Changed:
<
<
Also TERENA has repository which contain verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor NorduGrid, which is used Nordic grid operations. It's NOT possible to get
>
>
Also TERENA has a repository which contains verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor NorduGrid, which is used Nordic grid operations. It's NOT possible to get
 TACAR accepted certificates in Finland. TACAR is list of certificates NOT know browsers by default.
Changed:
<
<
CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and cost are much lower than setup own
>
>
CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and cost are much lower than setup own
 Public Key Infrastructure.

Commercial certificates based on credit cards suffer large scale market for stolen credit cards.
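Review bot: the TACAR paragraph conflates two kinds of certificate: "known by most browsers" matters for the server certificates on the Haka IdP and SP endpoints, which is why CSC and HAKA buy TeliaSonera certificates, but it says nothing about user certificates, where the relying party is the Language Bank's own server and the trust list is whatever CSC installs; keep the TeliaSonera sentence out of the user-certificate discussion. "Note that there is no Finnish operators nor NorduGrid" should read "Note that TACAR lists neither a Finnish operator nor NorduGrid, which runs the Nordic grid operations"; "TACAR is list of certificates NOT know browsers by default" should read "TACAR is a list of CA certificates that browsers do not trust by default", with the consequence that each relying party must install them explicitly. The last sentence should state its point directly: a CA that verifies identity only by a credit-card payment proves possession of a card, and cards are traded in bulk, so such certificates give no identity assurance.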

The SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials, a single passwords is required for multiple applications.
>
>
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials. A single password is required for multiple applications.
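Review bot: "A single password is required for multiple applications" presents the SSO property as only a convenience; the same property means one compromised organizational password opens every federated service, and the credential is held and checked by the home organization's IdP, so CSC inherits that organization's password policy and cannot impose its own. Say so, and note that SAML carries authentication and attribute statements while the authorization decision stays with the Service Provider, i.e. with the Language Bank.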
 
Changed:
<
<
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in Haka federation are provided according to funetEduPerson schema and new draft and test service.
>
>
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in the Haka federation are provided according to the funetEduPerson schema and new draft and test service.
  The mandatory attributes are:
  • cn
Line: 122 to 99
 
  • schacHomeOrganization
  • schacHomeOrganizationType
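Review bot: this list is what every Haka IdP must be able to supply, not what an IdP will release to the application form; release is set per Service Provider by each IdP's attribute release policy, so the paper should list the attributes the form requires (eduPersonPrincipalName as the identifier, cn, mail, schacHomeOrganization) and say what happens when an IdP releases fewer. eduPersonPrincipalName may be reassigned by a home organization after the holder leaves, so it should not be the only key linking a federated login to a CSC account. "new draft and test service" are link texts whose targets are missing; give the URLs.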
Changed:
<
<
Schema contains also funetEduPersonProgram, which is the educational degree program. Privacy is guaranteed by controlled information release.
>
>
The schema also contains the funetEduPersonProgram, which is an educational degree program. Privacy is guaranteed by controlled information releases.
  Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities by according common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.
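Review bot: "Privacy is guaranteed by controlled information releases" overstates: release policy limits what leaves the IdP, but once received the attributes are stored in Askare and UADM, so privacy also depends on CSC's own retention and access rules for that data. funetEduPersonProgram (degree program) is not needed to decide corpus access and should not be requested; ask for the minimum attribute set the referee and the owner need.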
Changed:
<
<
Kalmar Union is a project connecting the Nordic countries' academic communities to establish a Nordic cross-federation.
>
>
Kalmar Union is a project connecting Nordic countries' academic communities to establish a Nordic cross-federation.
 
Changed:
<
<
It would be easy to integrate the online user applications form to the Haka federation, join as Service Provider. Kalmar Union will also probably be available at spring 2009.
>
>
It would be easy to integrate the Haka authentication in the electronic application form, join as Service Provider. Kalmar Union will also probably be available at spring 2009.
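Review bot: "join as Service Provider" requires registering the form's SP in Haka metadata with its required attributes declared, which is the step that decides what the IdPs will release; say that. A Haka login authenticates the person but does not authorize corpus access, so the Shibboleth-secured form must still go through the same referee and owner approval as the open form, with only the e-mail confirmation step removed. "Kalmar Union will also probably be available at spring 2009" is a forecast; mark it as an expectation as of this revision's date.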
 

eduGAIN

Line: 144 to 121
 

Referees

Changed:
<
<
An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
>
>
An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
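Review bot: "information about the active referee should be stored with each user's data" needs to say what is stored: which referee vouched, when, and the referee's status at that time, otherwise the effect described in the next sentence cannot be computed. "a referee losing status would affect the associated users as well" also needs a defined consequence: do those users lose access, or are they re-reviewed by another referee; and the claim that loss of status "due to natural reasons (e.g. retirement, transition) lacks this effect" should say who decides whether a given loss is natural, since that decision is itself a trust decision.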
 

Practical implementation

Changed:
<
<
  1. The user fills one of the two online forms: one SAML2/Shibboleth-secured and the other open for everyone.
  2. Applications submitted via the open form require an e-mail confirmation.
>
>
  1. The applicant fills one of the two online forms: one SAML2/Shibboleth-secured and the other open for everyone.
  2. Applications submitted via the open form require an e-mail confirmation.
 
    • Unconfirmed applications are daily dropped from the database.
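Review bot: "require an e-mail confirmation" only proves control of the mailbox at that moment, so applications from the open form carry lower assurance than those from the SAML2/Shibboleth-secured form; record which form an application came from so the referee and the owner see it. The confirmation link must be an unguessable, single-use token bound to the application; "daily dropped" defines the lifetime only implicitly (up to a day), so state the token lifetime explicitly.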
Changed:
<
<
  1. The user is forwarded to a page containing a list of referees ordered by country: does anybody know the applicant?
  2. If the applicant expects someone to know him/her, the application and project plan are sent to up to two referees with accept and deny links.
    1. If nobody knows the applicant, the process will continue.
    2. What will be done if the referees fail to reply?
    3. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  3. If the referee accepts the application, CSC will create the account with the appropriate rights.
>
>
  1. The user is forwarded to a page containing a list of referees ordered by country: does anybody know the applicant?
  2. If the applicant expects someone to know him/her, the application and project plan are sent to up to two referees with accept and deny links.
    1. If nobody knows the applicant, the process will continue.
    2. What will be done if the referees fail to reply?
    3. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  3. If the referee accepts the application, CSC will create the account with the appropriate rights.
  The same forms can also be used to collect new referee information. Each form needs a check-box for the user to confirm his/her willingness to function as a referee.
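Review bot: step 5 conflicts with The Language Bank of Finland above, where both the administrator and the corpus owner must accept an application; the referee's acceptance should feed that approval, not replace it, so "CSC will create the account" belongs after the owner's and administrator's decision. The accept and deny links sent by e-mail are bearer capabilities: anyone who reads or forwards the message can decide the application, so the links should be single-use, expiring, and should require the referee to log in (the same Haka login the form uses) before the decision is recorded. Open items 2 and 3 need decisions: a reply timeout after which the application falls back to manual handling as in item 1, and storage of rejections with the reason so that a repeated application from the same person is visible. The check-box "to confirm his/her willingness to function as a referee" is self-nomination; willingness is not approval, so referee status must be granted by the administrator, never by the box alone.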

Conclusion

Changed:
<
<
  • technology cost/usefulness diagram:
    techcostusefullness.png
>
>
  • technology cost/usefulness diagram:
    techcostusefullness.png
  The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, the rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
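Review bot: the usefulness measure counts "quantity, quality and the scope of information" but not identity assurance, which is the property the referee procedure exists to compensate for; a certificate or a Haka login tells how well the person was identified, while information volume does not, so the comparison should include it before concluding that "SAML2/Shibboleth and eduGAIN are equally useful". The cost side should also count that eduGAIN is described in revision 20 as a first release candidate, i.e. pre-production software in the authentication path.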

Revision 29 - 2008-08-18 - SatuTorikka

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 13 to 13
 

CSC account management

Changed:
<
<
The Unix accounts are administered manually at CSC. CSC has purchased the Sun Identity Manager software, and the Electronic User Accounts project is planning a new customer registration web form.
>
>
When the user application is approved, the applicant will become a CSC customer. Personal information will be stored in CSC's customer database Askare, He/she will receive a Unix account. Unix accounts are administered manually at CSC. The customer is always a member of a project. Resources are partly associated with the project, partly with the customer. At the minimum, the customer has "Right to see and modify customer information about him/herself". Current data model that shows the objects Customer, Project and Resource, and states their relationships:

  • Customer
    • Firstname Lastname
    • Address
    • Phone
    • is a member of Project (1... n)
    • has a Resource (1 ... n)
  • Project
    • Name
    • Description
    • has a Member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
    • corpora
    • account on a server
    • disk space on various servers
    • CPU quota
    • rights to use certain software or databases

Project description is a ground for resources. It explains what customer is doing. The project description table already exist in CSC customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.

Resources represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.

Challenges

CSC has purchased the Sun Identity Manager software, and the Electronic User Accounts project is planning a new customer registration web form.

 
  • The plan to set up a new CSC project via web forms:

Revision 28 - 2008-08-18 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 9 to 9
 User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends the application to the Language Bank administrator. Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form also sends a copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.
Changed:
<
<
If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. The variety of owners may require several forms or more advanced form technology to maintain the usability. If the application is rejected, the administrator informs the applicant personally.
>
>
If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. If the application is rejected, the administrator informs the applicant personally. As the number of corpora grows, the application form may have to be split into two or more parts.
 

CSC account management

Revision 27 - 2008-08-15 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 7 to 7
 

The Language Bank of Finland

User applications to the Language Bank of Finland are delivered via an

Changed:
<
<
online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.
>
>
online form. Upon submission, the form sends the application to the Language Bank administrator. Many corpora further require a personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form also sends a copy of the application to the owner (or contact person) of the corpus the applicant has expressed interest in.
 
Changed:
<
<
Many corpora require acquiring personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form automatically sends a copy of the application to the owner(s) concerned. If the owner confirms the application, the information is forwarded to the CSC user manager. The variety of owners may require several forms or more advanced form technology to maintain usability.
>
>
If both the administrator and the corpus's owner accept the application, the administrator requests the CSC user manager to add the applicant to the group granting the required permissions. The variety of owners may require several forms or more advanced form technology to maintain the usability. If the application is rejected, the administrator informs the applicant personally.
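Review bot: "the administrator requests the CSC user manager to add the applicant to the group" is the single point where access is actually granted, so the request channel matters: if it is plain e-mail, a forged request purporting to come from the administrator is enough to obtain group membership; the request should be authenticated (issued from within the application system the administrator logs in to, or signed) and the user manager should verify it against the stored application. "corpus's owner" should read "corpus owner".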
 

CSC account management

Revision 26 - 2008-08-15 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 73 to 73
  The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
Changed:
<
<
Also TERENA has repository which contain verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor Nordunet, which is used Nordic grid operations. It's NOT possible to get
>
>
Also TERENA has repository which contain verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor NorduGrid, which is used Nordic grid operations. It's NOT possible to get
 TACAR accepted certificates in Finland. TACAR is list of certificates NOT know browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and cost are much lower than setup own Public Key Infrastructure.
Line: 84 to 84
  SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials, a single passwords is required for multiple applications.
Changed:
<
<
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in Haka federation are provided according to funetEduPerson schema and new draft.
>
>
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in Haka federation are provided according to funetEduPerson schema and new draft and test service.
  The mandatory attributes are:
  • cn

Revision 25 - 2008-08-14 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 84 to 84
  SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials, a single passwords is required for multiple applications.
Changed:
<
<
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in Haka federation are provided according to funetEduPerson schema.
>
>
In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in Haka federation are provided according to funetEduPerson schema and new draft.
  The mandatory attributes are:
  • cn

Revision 24 - 2008-08-14 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 73 to 73
  The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
Added:
>
>
Also TERENA has repository which contain verified root-CA certificates called TACAR (TERENA Academic CA Repository). Note that there is no Finnish operators nor Nordunet, which is used Nordic grid operations. It's NOT possible to get TACAR accepted certificates in Finland. TACAR is list of certificates NOT know browsers by default. CSC and HAKA use TeliaSonera certificates, because they are known by most browsers and cost are much lower than setup own Public Key Infrastructure.
 Commercial certificates based on credit cards suffer large scale market for stolen credit cards.

The SAML2/Shibboleth federation

Revision 23 - 2008-08-12 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 9 to 9
 User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.
Added:
>
>
Many corpora require acquiring personal permission from their owner. A single person can be responsible for a single language or even only a single text within the language. The application form automatically sends a copy of the application to the owner(s) concerned. If the owner confirms the application, the information is forwarded to the CSC user manager. The variety of owners may require several forms or more advanced form technology to maintain usability.
 

CSC account management

The Unix accounts are administered manually at CSC. CSC has purchased the Sun Identity Manager software, and the Electronic User Accounts project is planning a new customer registration web form.

Revision 22 - 2008-07-31 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 121 to 123
 
    1. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  1. If the referee accepts the application, CSC will create the account with the appropriate rights.
Changed:
<
<
The same forms can? also used to collect new referee information, the forms have to have one check box user confirming that she/he can work as referee.
>
>
The same forms can also be used to collect new referee information. Each form needs a check-box for the user to confirm his/her willingness to function as a referee.
 

Conclusion

Changed:
<
<
  • technology cost/usefulness digram:
>
>
  • technology cost/usefulness diagram:
  techcostusefullness.png

The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, the rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.

Revision 21 - 2008-07-30 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 121 to 121
 
    1. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  1. If the referee accepts the application, CSC will create the account with the appropriate rights.
Added:
>
>
The same forms can? also used to collect new referee information, the forms have to have one check box user confirming that she/he can work as referee.
 

Conclusion

  • technology cost/usefulness digram:

Revision 20 - 2008-07-29 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 42 to 42
 Project description is a ground for resources. It explains what customer is doing. The project description table already exist in CSC customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.
Changed:
<
<
Resource represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.
>
>
Resources represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.
 

Challenges

Line: 85 to 85
 
  • eduPersonPrincipalName
  • schacHomeOrganization
  • schacHomeOrganizationType
Changed:
<
<
Schema contains also funetEduPersonProgram, which is the educational degree program. Privacy is guaranteed by controlled Information release.
>
>
Schema contains also funetEduPersonProgram, which is the educational degree program. Privacy is guaranteed by controlled information release.
 
Changed:
<
<
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. Federation means that the user identities are provided by the users home organizations according common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.
>
>
Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The federation consists of the users' home organizations providing the user identities by according common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.
 
Changed:
<
<
Kalmar Union is a project connecting the Nordic country academic communities to establish Nordic cross-federation.
>
>
Kalmar Union is a project connecting the Nordic countries' academic communities to establish a Nordic cross-federation.
 
Changed:
<
<
It would be easy to integrate the online user applications form to the Haka federation, join as Service Provider. Also Kalmar Union will probably be available at the spring 2009.
>
>
It would be easy to integrate the online user applications form to the Haka federation, join as Service Provider. Kalmar Union will also probably be available at spring 2009.
 

eduGAIN

Line: 101 to 101
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Changed:
<
<
eduGAIN is not yet production level service. The software is on the first release candidate level.
>
>
eduGAIN is not yet a production-level service. The software is on the first release candidate level.
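Review bot: "not yet a production-level service" and "first release candidate level" need a version and date, since they will go stale; and if eduGAIN is used, the form would accept assertions from pre-production federation software, so say what assurance such logins get (at most the open-form level until a referee has vouched).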
 

Other solutions

Line: 111 to 111
 

Practical implementation

Changed:
<
<
  1. User fill online form. There should be two online forms. One secured by SAML2/shibboleth and other open for everyone.
  2. Case open form user email address will checked by reply required challenge.
    1. Case missing reply applications dropped from database daily
  3. User forwarded web page containing list of referees ordered by country, Does anybody know you?
  4. If applicant expect someone know him/her the application with project plan emailed to referee(s) (max two) with accept and deny links
    1. If nobody know applicant process shall continue as now
    2. What shall we do if referee will not reply???
    3. If referee click Deny link, rejection will send to applicant. Should we store it?
  5. If referee accept the application, CSC will create the account with right rights
>
>
  1. The user fills one of the two online forms: one SAML2/Shibboleth-secured and the other open for everyone.
  2. Applications submitted via the open form require an e-mail confirmation.
    • Unconfirmed applications are daily dropped from the database.
  3. The user is forwarded to a page containing a list of referees ordered by country: does anybody know the applicant?
  4. If the applicant expects someone to know him/her, the application and project plan are sent to up to two referees with accept and deny links.
    1. If nobody knows the applicant, the process will continue.
    2. What will be done if the referees fail to reply?
    3. If the referee clicks the deny link, a rejection message will be sent to the applicant. Should it be stored?
  5. If the referee accepts the application, CSC will create the account with the appropriate rights.
 

Conclusion
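Review bot: items 4.2 and 4.3 of the rewritten list still leave the procedure undefined for two cases, a referee who never replies and the storage of rejections; suggest stating a reply deadline after which the application falls back to the no-referee path of item 4.1, and a retention rule for rejections (at least referee, date and decision, since a rejected applicant may apply again). The accept and deny links in item 4 are the referee's only authorization step, so the list should also require that they are unguessable, single-use and bound to one application and one referee; otherwise a forwarded e-mail lets anyone other than the referee decide.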

Revision 19 (2008-07-29) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 91 to 91
  Kalmar Union is a project connecting the Nordic country academic communities to establish Nordic cross-federation.
Changed:
<
<
It would be easy to integrate the online user applications form to the Haka federation, join as Service Provider. Also Kalmar Union will probably available at the spring 2009.
>
>
It would be easy to integrate the online user applications form to the Haka federation, join as Service Provider. Also Kalmar Union will probably be available at the spring 2009.
 

eduGAIN

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).

Changed:
<
<
There are a number of AAI systems developed and used on the national (NREN) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.
>
>
There are a number of AAI systems developed and used on the national (NREN, National Research and Education Network) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Line: 109 to 109
  An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
Added:
>
>

Practical implementation

  1. User fill online form. There should be two online forms. One secured by SAML2/shibboleth and other open for everyone.
  2. Case open form user email address will checked by reply required challenge.
    1. Case missing reply applications dropped from database daily
  3. User forwarded web page containing list of referees ordered by country, Does anybody know you?
  4. If applicant expect someone know him/her the application with project plan emailed to referee(s) (max two) with accept and deny links
    1. If nobody know applicant process shall continue as now
    2. What shall we do if referee will not reply???
    3. If referee click Deny link, rejection will send to applicant. Should we store it?
  5. If referee accept the application, CSC will create the account with right rights
 

Conclusion

  • technology cost/usefulness digram:
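Review bot: step 5 creates the account but does not record which referee approved the application, although the Referees paragraph directly above this addition says that information about the active referee should be stored with each user's data and that a referee losing status affects the associated users; suggest adding to step 5 that the referee's identity and the decision date are stored with the account. The steps also read as notes rather than sentences ("User fill online form", "with right rights") and should be rewritten in full before the paper is delivered.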

Revision 18 (2008-07-25) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 6 to 6
 

The Language Bank of Finland

Changed:
<
<
User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.
>
>
User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.
 

CSC account management

Line: 74 to 75
 

The SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
>
>
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. A user authenticates with his or her organizational credentials, a single passwords is required for multiple applications.

In addition to providing single sign-on functionality, Shibboleth can control access to licensed resources. Shibboleth will release the information called attributes. User attributes in Haka federation are provided according to funetEduPerson schema. The mandatory attributes are:

  • cn
  • sn
  • displayName
  • eduPersonPrincipalName
  • schacHomeOrganization
  • schacHomeOrganizationType
Schema contains also funetEduPersonProgram, which is the educational degree program. Privacy is guaranteed by controlled Information release.

Haka is the identity federation of the Finnish universities, polytechnics and research institutions. Federation means that the user identities are provided by the users home organizations according common rules and contracts. The Haka federation is operated by CSC, the Finnish IT center for science.

  Kalmar Union is a project connecting the Nordic country academic communities to establish Nordic cross-federation.
Changed:
<
<
It would be easy to integrate the online user applications form to the Haka federation. Also Kalmar Union will probably available at the spring 2009.
>
>
It would be easy to integrate the online user applications form to the Haka federation, join as Service Provider. Also Kalmar Union will probably available at the spring 2009.
 

eduGAIN
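Review bot: in the rewritten first paragraph "a single passwords is required" should read "a single password is required", and "Privacy is guaranteed by controlled Information release" overstates what attribute release does: it limits which of the listed attributes a Service Provider receives, it does not guarantee privacy; suggest "Controlled attribute release limits the information each Service Provider receives about the user". In the second change, "join as Service Provider" is a fragment; suggest "by joining the federation as a Service Provider".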

Revision 17 (2008-07-25) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 38 to 38
  The customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". The computing resources are always associated with a project. The minimal customer is a member of "CSC customer" project, and this projects has the minimal resource of "Right to see and modify customer information about him/herself".
Added:
>
>
Project description is a ground for resources. It explains what customer is doing. The project description table already exist in CSC customer database Askare and it's user editable via the Personal Information section of the Scientist's interface.
 Resource represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.

Challenges
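Review bot: "Project description is a ground for resources" is unclear; suggest "The project description is the basis on which resources are granted", and "already exist" should be "already exists".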

Revision 16 (2008-07-24) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 48 to 48
 

Certificates

Changed:
<
<
The grids are based on X.509 Public Key certificates described by rfc3280.
>
>
The grids are based on X.509 Public Key certificates described by rfc3280. Some countries and universities have very secure identification cards with smart card, but because they require special smart card reader, they are widely used only in Estonia.
 

Pros

Changed:
<
<
  • available to everybody for free (grid organizations), in commercial supply
>
>
 
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)

Cons
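Review bot: the Pros change removes the bullet about free certificates from grid organizations and commercial supply without replacing it, so the list now holds only the price bullet; if free grid certificates are no longer counted as a pro, say so in the text, otherwise restore the bullet. In the same hunk, "very secure identification cards with smart card" reads awkwardly; suggest "smart-card based national identity cards".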

Line: 60 to 61
 
  • not widely used
  • contains only name and email information
  • difficult infrastructure, user certificates used only by the grid
Changed:
<
<
  • difficult to use, one or two more passwords
>
>
  • difficult to use, one or two more passwords or pins
  • hardware ones are expensive, 40 ¤ and require reader (windows only driver) about same cost
 
  • trust issues

The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.

Added:
>
>
Commercial certificates based on credit cards suffer large scale market for stolen credit cards.
 

The SAML2/Shibboleth federation

SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
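Review bot: the added sentence "Commercial certificates based on credit cards suffer large scale market for stolen credit cards" does not say what the dependence on credit cards is; if it means that commercial CAs verify the applicant's identity only through the card used for payment, state that, since the point is that stolen card data defeats such identity proofing. The currency sign in "40 ¤" (and "1,5 ¤" above) looks like a mis-encoded euro sign, given that an earlier revision wrote "1.5euro"; and "require reader (windows only driver) about same cost" should say that the reader costs about as much as the card and has a Windows-only driver.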

Revision 15 (2008-07-24) - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 10 to 10
 

CSC account management

Changed:
<
<
The Unix accounts are administered manually at CSC. CSC has purchased the Sun Identity Manager software and the Electronic User Accounts project is planning a new customer registration web form.
>
>
The Unix accounts are administered manually at CSC. CSC has purchased the Sun Identity Manager software, and the Electronic User Accounts project is planning a new customer registration web form.
 
  • The plan to set up a new CSC project via web forms:
Line: 34 to 34
 
    • has a Resource (1 ... n)
  • Resource
    • the tough question, these can be seen as roles (related to usage rights)
Changed:
<
<
    • the account on a server, disk space on various servers, cpu quota, rights to use certain software or database
>
>
    • the account on a server, disk space on various servers, CPU quota, rights to use certain software or databases
  The customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". The computing resources are always associated with a project. The minimal customer is a member of "CSC customer" project, and this projects has the minimal resource of "Right to see and modify customer information about him/herself".
Added:
>
>
Resource represent sets of corpora or other material the access to which is granted with a single authentication. Technically, each resource corresponds to a UNIX group.
 

Challenges

As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for the administrators to reliably assess the applicants and monitor the users. The countries also have their own conventions and methods, making their systems incompatible with each other.

Line: 50 to 52
 

Pros

Changed:
<
<
  • available to everybody for free (grid organizations) and commercial supply
>
>
  • available to everybody for free (grid organizations), in commercial supply
 
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)

Cons

Line: 65 to 67
 

The SAML2/Shibboleth federation

Changed:
<
<
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
>
>
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML-based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
  Kalmar Union is a project connecting the Nordic country academic communities to establish Nordic cross-federation.
Changed:
<
<
It would be easy to integrate online user applications form to Haka federation. Also Kalmar Union will probably available at the spring 2009.
>
>
It would be easy to integrate the online user applications form to the Haka federation. Also Kalmar Union will probably available at the spring 2009.
 

eduGAIN

Line: 80 to 81
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Changed:
<
<
eduGAIN is not yet production level service. The software is first release candidate level.
>
>
eduGAIN is not yet production level service. The software is on the first release candidate level.
 

Other solutions

Referees

Changed:
<
<
An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well.
>
>
An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well. Loss of status due to natural reasons (e.g. retirement, transition) lacks this effect.
 

Conclusion

  • technology cost/usefulness digram:
    techcostusefullness.png
Changed:
<
<
The costs consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, we make the rough guess that SAML2/Shibboleth and eduGAIN are equally useful.
>
>
The cost consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, the rough guess can be made that SAML2/Shibboleth and eduGAIN are equally useful.
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"
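Review bot: "digram" in the conclusion bullet should be "diagram". The conclusion rates SAML2/Shibboleth and eduGAIN as equally useful by a rough guess, but the eduGAIN section in this same revision says it is not yet a production-level service; that is a cost factor the diagram should reflect, or the conclusion should state why it is left out.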

Revision 14 (2008-07-22) - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 42 to 42
  As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for the administrators to reliably assess the applicants and monitor the users. The countries also have their own conventions and methods, making their systems incompatible with each other.
Deleted:
<
<

Solutions

Referees

An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well.

 

Technologies

Certificates

Line: 88 to 82
  eduGAIN is not yet production level service. The software is first release candidate level.
Changed:
<
<

Conclusion

>
>

Other solutions

 
Changed:
<
<
* technology cost usefulness digram:
techcostusefullness.png
>
>

Referees

 
Changed:
<
<
The costs are estimated amount of the work required to set up production service. The usefulness is quantity, quality and scope of information about potential customer we can get. For example SAML2/Shibboleth technology grants a lot of high quality information but only Finnish or Nordic scope when eduGAIN scopes hopefully most european academic users but we cann't expect so much information. Because of this we make a rough guess that SAML2/Shibboleth and eduGAIN are equally useful.
>
>
An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well.
 
Changed:
<
<
-- PekkaJarvelainen - 02 Jul 2008
>
>

Conclusion

 
Added:
>
>
  • technology cost/usefulness digram:
    techcostusefullness.png
 
Added:
>
>
The costs consists of the estimated amount of work required to set up the production service. The usefulness comprises quantity, quality and the scope of information about the potential customers available. For example, the SAML2/Shibboleth technology grants a lot of high-quality information but only in the Finnish or Nordic scope, while eduGAIN hopefully covers most European academic users, but so much information can't be expected. For this reason, we make the rough guess that SAML2/Shibboleth and eduGAIN are equally useful.
 
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"

Revision 13 (2008-07-22) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 88 to 88
  eduGAIN is not yet production level service. The software is first release candidate level.
Added:
>
>

Conclusion

* technology cost usefulness digram:
techcostusefullness.png

The costs are estimated amount of the work required to set up production service. The usefulness is quantity, quality and scope of information about potential customer we can get. For example SAML2/Shibboleth technology grants a lot of high quality information but only Finnish or Nordic scope when eduGAIN scopes hopefully most european academic users but we cann't expect so much information. Because of this we make a rough guess that SAML2/Shibboleth and eduGAIN are equally useful.

 -- PekkaJarvelainen - 02 Jul 2008
Deleted:
<
<
* technology cost usefullness digram:
techcostusefullness.png
 
Changed:
<
<
META FILEATTACHMENT attachment="Perusprojekti.png" attr="" comment="Plan to set up new CSC project via web forms" date="1215073764" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" stream="Perusprojekti.png" user="Main.PekkaJarvelainen" version="1"
META FILEATTACHMENT attachment="techcostusefullness.png" attr="" comment="technology cost usefullness digram" date="1216725659" name="techcostusefullness.png" path="techcostusefullness.png" size="5073" stream="techcostusefullness.png" user="Main.PekkaJarvelainen" version="1"
>
>
META FILEATTACHMENT attr="" autoattached="1" comment="technology cost usefullness digram" date="1216729707" name="techcostusefullness.png" path="techcostusefullness.png" size="15143" user="Main.PekkaJarvelainen" version="2"
META FILEATTACHMENT attr="" autoattached="1" comment="Plan to set up new CSC project via web forms" date="1215073765" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" user="Main.PekkaJarvelainen" version="1"

Revision 12 (2008-07-22) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 90 to 90
  -- PekkaJarvelainen - 02 Jul 2008
Added:
>
>
* technology cost usefullness digram:
techcostusefullness.png
 
META FILEATTACHMENT attachment="Perusprojekti.png" attr="" comment="Plan to set up new CSC project via web forms" date="1215073764" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" stream="Perusprojekti.png" user="Main.PekkaJarvelainen" version="1"
Added:
>
>
META FILEATTACHMENT attachment="techcostusefullness.png" attr="" comment="technology cost usefullness digram" date="1216725659" name="techcostusefullness.png" path="techcostusefullness.png" size="5073" stream="techcostusefullness.png" user="Main.PekkaJarvelainen" version="1"

Revision 11 (2008-07-21) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Revision 10 (2008-07-18) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 73 to 73
  SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
Changed:
<
<
It would be easy to integrate online user applications form to Haka federation.
>
>
Kalmar Union is a project connecting the Nordic country academic communities to establish Nordic cross-federation.

It would be easy to integrate online user applications form to Haka federation. Also Kalmar Union will probably available at the spring 2009.

 

eduGAIN

Line: 83 to 86
  In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
Added:
>
>
eduGAIN is not yet production level service. The software is first release candidate level.
  -- PekkaJarvelainen - 02 Jul 2008

Revision 9 (2008-07-17) - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 8 to 8
  User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.
Deleted:
<
<

The SAML2/Shibboleth federation

SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.

It would be easy to integrate online user applications form to Haka federation.

eduGAIN

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).

There are a number of AAI systems developed and used on the national (NREN) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.

In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.

 

CSC account management

The Unix accounts are administered manually at CSC. CSC has purchased the Sun Identity Manager software and the Electronic User Accounts project is planning a new customer registration web form.

Line: 32 to 18
 Please don't include this image if you delivery this document outside CSC and University of Helsinki. It's just example of the plan to develope User accounts management of the CSC.
Changed:
<
<

Data model for customer processes

>
>

Data model for customer processes

  A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships.
Line: 52 to 38
  The customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". The computing resources are always associated with a project. The minimal customer is a member of "CSC customer" project, and this projects has the minimal resource of "Right to see and modify customer information about him/herself".
Changed:
<
<

Referees

>
>

Challenges

As the research network expands, previously used authentication methods become inadequate. The current systems in use within single countries are not as such suitable for international purposes. It's neither possible for the administrators to reliably assess the applicants and monitor the users. The countries also have their own conventions and methods, making their systems incompatible with each other.

Solutions

Referees

  An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well.
Changed:
<
<

Certificates

>
>

Technologies

Certificates

  The grids are based on X.509 Public Key certificates described by rfc3280.
Changed:
<
<

Pros

>
>

Pros

 
  • available to everybody for free (grid organizations) and commercial supply
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)

Changed:
<
<

Cons

>
>

Cons

 
  • not widely used
  • contains only name and email information
Line: 75 to 69
  The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
Added:
>
>

The SAML2/Shibboleth federation

SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.

It would be easy to integrate online user applications form to Haka federation.

eduGAIN

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).

There are a number of AAI systems developed and used on the national (NREN) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.

In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.

  -- PekkaJarvelainen - 02 Jul 2008

Revision 8 (2008-07-17) - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 12 to 12
  SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
Added:
>
>
It would be easy to integrate online user applications form to Haka federation.
 

eduGAIN

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).
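Review bot: the added sentence "It would be easy to integrate online user applications form to Haka federation." is an unsupported claim; the hunk gives no basis for it. The surrounding text says Haka supplies identities from the users' home organizations, and the eduGAIN section above separates authentication by the home AAI from authorization by the visited Service Provider, so connecting the form to Haka would replace only the applicant's self-asserted identity, not the approval by the contact persons and the administrator. Suggest stating which Haka attributes the form would rely on and which steps stay manual, and fixing the grammar: "It would be easy to integrate the online user application form with the Haka federation."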

Revision 7 2008-07-16 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 8 to 8
  User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.
Changed:
<
<

Referee

>
>

The SAML2/Shibboleth federation

 
Changed:
<
<

Certificates

Grids are based on X.509 Public Key certificates which are described by rfc3280.

pros

>
>
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. Shibboleth is a SAML based, open source software package for single web sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. The user identities are provided by the users home organizations. The Haka federation is operated by CSC, the Finnish IT center for science.
 
Changed:
<
<
  • everybody can get, free (grid organizations) and commercial supply
  • reasonable priced, for example 1.5euro from TeliaSonera for members of the Funet.

cons

  • nobody have
  • contains only name and email information
  • difficult infrastructure, User certificates used only by grid
  • difficult to use, one or two more password
  • to whom to trust

Organization accepting Public Key certificates have to have policy to whom to trust The EUGridPMA (Policy Management Authority) is the international organisation that coordinates the trust fabric for e-Science Grid authentication within Europe. http://www.eugridpma.org/members/ table lists all members of the EUGridPMA. There is also http://www.eugridpma.org/members/worldmap/ map.

SAML2/Shibboleth federation

SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. The Shibboleth is a SAML based, open source software package for web single sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. User identities are provided by the users home organizations. Haka federation is operated by CSC, the Finnish IT center for science.

eduGAIN

>
>

eduGAIN

  The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).
Changed:
<
<
There are a number of AAI systems developed and in use on the national (NREN) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS based AAI used in Croatia.

In order to be granted access to protected resources and services from other federations, users need to first be successfully authenticated by their home AAI and authorised by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.

>
>
There are a number of AAI systems developed and used on the national (NREN) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS-based AAI used in Croatia.
 
Added:
>
>
In order to be granted access to protected resources and services from other federations, the users first need to be successfully authenticated by their home AAI and authorized by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.
 
Added:
>
>

CSC account management

 
Changed:
<
<

CSC account management

>
>
The Unix accounts are administered manually at CSC. CSC has purchased the Sun Identity Manager software and the Electronic User Accounts project is planning a new customer registration web form.
 
Changed:
<
<
Unix accounts are administered manually at CSC. CSC has purchased Sun Identity Manager software and there is "Electronic User Accounts" project, which is planning new customer registration via web Form.
>
>
  • The plan to set up a new CSC project via web forms:
 
Deleted:
<
<
* Plan to set up new CSC project via web forms:
  Perusprojekti.png Please don't include this image if you delivery this document outside CSC and University of Helsinki. It's just
Changed:
<
<
example of the plan to develope User accounts management of the CSC . It
>
>
example of the plan to develope User accounts management of the CSC.
 
Changed:
<
<

Data model for customer processes

>
>

Data model for customer processes

 
Changed:
<
<
A data model should be defined that describes the objects Customer, Project and Resource and states their relationships.
>
>
A data model should be defined that describes the objects Customer, Project and Resource, and states their relationships.
 
  • Customer
    • Firstname Lastname
Line: 71 to 45
 
    • has a Member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
Changed:
<
<
    • The tought question, these can be seen as roles (related to usage rights)
    • account on a server, disk space on various servers, cpu quota, rights to use certain software or database
>
>
    • the tough question, these can be seen as roles (related to usage rights)
    • the account on a server, disk space on various servers, cpu quota, rights to use certain software or database

The customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". The computing resources are always associated with a project. The minimal customer is a member of "CSC customer" project, and this projects has the minimal resource of "Right to see and modify customer information about him/herself".

Referees

An applying user becomes trusted by being approved by a referee. The members in the referee network share their knowledge about the users with each other in order to evaluate the incoming applications. Naturally, the referees need to be trusted as well, wherefore information about the active referee should be stored with each user's data. In this model, a referee losing its status would affect the associated users as well.

Certificates

The grids are based on X.509 Public Key certificates described by rfc3280.

Pros

  • available to everybody for free (grid organizations) and commercial supply
  • reasonably priced (for example, 1,5 ¤ from TeliaSonera for members of the Funet)

Cons

  • not widely used
  • contains only name and email information
  • difficult infrastructure, user certificates used only by the grid
  • difficult to use, one or two more passwords
  • trust issues
 
Changed:
<
<
Customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". Computing resources are always associated with a Project. Minimal customer is a member of "CSC customer" project and this projects has the minimal resource of "Right to see and modify customer information about him/herself".
>
>
The organization accepting Public Key certificates needs a trust policy. The EUGridPMA (Policy Management Authority) is the international organization coordinating the trust fabric for e-Science Grid authentication within Europe. This table lists all members of the EUGridPMA. There is also a map.
 

-- PekkaJarvelainen - 02 Jul 2008
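Review bot: the Referees paragraph in this hunk states that information about the active referee should be stored with each user's data and that a referee losing its status would affect the associated users, but the Customer object in the data model above carries only Firstname Lastname, Address, Phone and project membership, so there is nowhere to record the approving referee and the described cascading revocation cannot be carried out. Suggest adding an approving-referee reference (with the approval date) to Customer, or attaching it to the Project membership, and saying in the paragraph how a referee's loss of status is detected and acted on. Minor: "1,5 ¤" in the Pros list lost the currency; the replaced line read "1.5euro", so write "1.5 euro".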

Revision 6 2008-07-15 - TeroAalto

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Added:
>
>

Current models

The Language Bank of Finland

User applications to the Language Bank of Finland are delivered via an online form. Upon submission, the form sends a copy of the application to the contact persons responsible for the corpora the applicant has expressed interest in, in addition to the main administration. The contact persons evaluate the applications and inform the administrator of their decision. In the case of an accepted application, the administrator then requests the user manager to add the user in question to the group(s) granting the required permissions. If the application is rejected, the administrator informs the applicant personally.

 

Referee

Certificates
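Review bot: the Language Bank workflow documents only the granting path; it ends with the user manager adding the applicant to the group(s) and says nothing about where the contact persons' decisions are recorded or about removing group membership later, so permissions granted this way have no documented expiry or revocation step. Suggest adding where the decision and its date are kept and who initiates removal when a contact person withdraws approval or the applicant leaves.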

Revision 5 2008-07-14 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 31 to 31
 The Shibboleth is a SAML based, open source software package for web single sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. User identities are provided by the users home organizations. Haka federation is operated by CSC, the Finnish IT center for science.
Added:
>
>

eduGAIN

The purpose of eduGAIN is to provide the means for achieving interoperation between different Authentication and Authorisation Infrastructures (AAI).

There are a number of AAI systems developed and in use on the national (NREN) level. Shibboleth (Internet2) is the federation technology used in the US, Switzerland, Finland, Germany, Great Britain, Hungary and Greece (more under development). PAPI is used in Spain, A-Select in The Netherlands, simpleSAMLphp in Norway. There is also a RADIUS based AAI used in Croatia.

In order to be granted access to protected resources and services from other federations, users need to first be successfully authenticated by their home AAI and authorised by the visited Service Provider (usually based on attributes expressing a special role of the user). eduGAIN provides the technology necessary for carrying out these steps and thus interconnecting different AAI systems.

 

CSC account management

Unix accounts are administered manually at CSC. CSC has purchased Sun Identity Manager software and there is "Electronic User Accounts" project, which is planning new customer registration via web Form.

Revision 4 2008-07-03 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 6 to 6
 

Certificates

Added:
>
>
Grids are based on X.509 Public Key certificates which are described by rfc3280.
 

pros

  • everybody can get, free (grid organizations) and commercial supply
Line: 14 to 16
 

cons

  • nobody have
Added:
>
>
  • contains only name and email information
 
  • difficult infrastructure, User certificates used only by grid
  • difficult to use, one or two more password
Added:
>
>
  • to whom to trust
 
Added:
>
>
Organization accepting Public Key certificates have to have policy to whom to trust
 The EUGridPMA (Policy Management Authority) is the international organisation that coordinates the trust fabric for e-Science Grid authentication within Europe.
Changed:
<
<
http://www.eugridpma.org/members/ table lists all members of the EUGridPMA. There is also http://www.eugridpma.org/members/worldmap/ map
>
>
http://www.eugridpma.org/members/ table lists all members of the EUGridPMA. There is also http://www.eugridpma.org/members/worldmap/ map.
 

SAML2/Shibboleth federation

Line: 26 to 31
 The Shibboleth is a SAML based, open source software package for web single sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. User identities are provided by the users home organizations. Haka federation is operated by CSC, the Finnish IT center for science.
Changed:
<
<
-- PekkaJarvelainen - 02 Jul 2008
>
>

CSC account management

Unix accounts are administered manually at CSC. CSC has purchased Sun Identity Manager software and there is "Electronic User Accounts" project, which is planning new customer registration via web Form.

  * Plan to set up new CSC project via web forms:
Perusprojekti.png
Added:
>
>
Please don't include this image if you delivery this document outside CSC and University of Helsinki. It's just example of the plan to develope User accounts management of the CSC . It

Data model for customer processes

A data model should be defined that describes the objects Customer, Project and Resource and states their relationships.

  • Customer
    • Firstname Lastname
    • Address
    • Phone
    • is a member of Project (1... n)
  • Project
    • Name
    • Description
    • has a Member (1 ... n)
    • has a Resource (1 ... n)
  • Resource
    • The tought question, these can be seen as roles (related to usage rights)
    • account on a server, disk space on various servers, cpu quota, rights to use certain software or database

Customer is always a member of a project, every CSC's customer is a member of the project "CSC customer". Computing resources are always associated with a Project. Minimal customer is a member of "CSC customer" project and this projects has the minimal resource of "Right to see and modify customer information about him/herself".

-- PekkaJarvelainen - 02 Jul 2008

 
META FILEATTACHMENT attachment="Perusprojekti.png" attr="" comment="Plan to set up new CSC project via web forms" date="1215073764" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" stream="Perusprojekti.png" user="Main.PekkaJarvelainen" version="1"
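Review bot: the CSC account management text asks that Perusprojekti.png not be included when the document is delivered outside CSC and the University of Helsinki, yet the META FILEATTACHMENT record in the same hunk attaches it with attr="", i.e. without TWiki's hidden ("h") attribute, so the image is served to anyone who can read the topic and the notice is the only control. Suggest hiding or removing the attachment rather than relying on the notice. Also the sentence "It's just example of the plan to develope User accounts management of the CSC . It" is cut off mid-sentence.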

Revision 3 2008-07-03 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"

White paper

Line: 9 to 9
 

pros

  • everybody can get, free (grid organizations) and commercial supply
Changed:
<
<
  • reasonable priced, for example 1.5euro from TeliaSonera for members of he Funet.
>
>
  • reasonable priced, for example 1.5euro from TeliaSonera for members of the Funet.
 

cons

Line: 17 to 17
 
  • difficult infrastructure, User certificates used only by grid
  • difficult to use, one or two more password
Added:
>
>
The EUGridPMA (Policy Management Authority) is the international organisation that coordinates the trust fabric for e-Science Grid authentication within Europe. http://www.eugridpma.org/members/ table lists all members of the EUGridPMA. There is also http://www.eugridpma.org/members/worldmap/ map
 

SAML2/Shibboleth federation

SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information.

Line: 24 to 27
 Haka is the identity federation of the Finnish universities, polytechnics and research institutions. User identities are provided by the users home organizations. Haka federation is operated by CSC, the Finnish IT center for science.

-- PekkaJarvelainen - 02 Jul 2008

Added:
>
>
* Plan to set up new CSC project via web forms:
Perusprojekti.png

META FILEATTACHMENT attachment="Perusprojekti.png" attr="" comment="Plan to set up new CSC project via web forms" date="1215073764" name="Perusprojekti.png" path="Perusprojekti.png" size="84998" stream="Perusprojekti.png" user="Main.PekkaJarvelainen" version="1"

Revision 2 2008-07-02 - PekkaJarvelainen

Line: 1 to 1
 
META TOPICPARENT name="KieliaineistojenK"
Added:
>
>

White paper

 

Referee

Certificates

Added:
>
>

pros

  • everybody can get, free (grid organizations) and commercial supply
  • reasonable priced, for example 1.5euro from TeliaSonera for members of he Funet.

cons

  • nobody have
  • difficult infrastructure, User certificates used only by grid
  • difficult to use, one or two more password
 

SAML2/Shibboleth federation

Added:
>
>
SAML (Security Assertion Markup Language) is an XML standard for exchanging authentication, access rights and attribute information. The Shibboleth is a SAML based, open source software package for web single sign-on across or within organizational boundaries. Haka is the identity federation of the Finnish universities, polytechnics and research institutions. User identities are provided by the users home organizations. Haka federation is operated by CSC, the Finnish IT center for science.
 -- PekkaJarvelainen - 02 Jul 2008 \ No newline at end of file

Revision 1 2008-07-02 - PekkaJarvelainen

Line: 1 to 1
Added:
>
>
META TOPICPARENT name="KieliaineistojenK"

Referee

Certificates

SAML2/Shibboleth federation

-- PekkaJarvelainen - 02 Jul 2008

 
This site is powered by the TWiki collaboration platform. Copyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.