Federated Services for Scientists Thursday, December 9, p.m. EST

Transcription

1 IAM Online Federated Services for Scientists Thursday, December 9, p.m. EST Rachana Ananthakrishnan Argonne National Laboratory & University of Chicago Jim Basney National Center for Supercomputing Applications University of Illinois IAM Online is brought to you by InCommon, in cooperation with Internet2 and! the EDUCAUSE Identity and Access Management Working Group 1

2 Scientific & Scholarly Collaboration Online Should be as easy as current social networking, but with suitable security & attribution To do that we need Valuable services to be online Integrated wholes, not toolkits remaining to be assembled Scale up access to them Federated access, both SAML and OpenID as appropriate InCommon & other federations to grow, and to support LoA Get IT out of the way Campuses must up their game, implement Silver & uapprove Collaboration frameworks with standardized interfaces that make it easy to dock domesticated applications

3 Two Steps Along the Road Rachana Ananthakrishnan Principal Software Development Specialist, Argonne National Lab/University of Chicago Globus Online An integrated online cyber infrastructure service Jim Basney Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois CI Logon Providing federated access to cyber infrastructure

4 globus online Reliable File Transfer. No IT Required. Federated Access to Science Services and Infrastructures Rachana Ananthakrishnan Argonne National Laboratory & University of Chicago

5 Globus" Globus Toolkit Build the Grid Components for building custom grid solutions globustoolkit.org Globus Online Use the Grid Cloud-hosted" file transfer service 5

6 Problem Space Examples User Data loca,on 1 Nuclear Scien-st Oakridge to NERSC Characteris,cs Two security domains, blocked by transfer, repe--ve task 2 Visualiza-on Specialist TeraGrid (Kraken) to NERSC Two security domains, no dedicated high bandwidth network, ad hoc task 3 System Administrator To GFDL Many security domains, administra-ve task, deadline bound 4 System Builder To and from NERSC 6 Many security domains, support adhoc users, legacy code integra-on, mul-ple science domains

7 Globus Online Solution Hosted file transfer management capabilities Transfers and synchronizes files and directories Asynchronous interfaces for Transfer Monitoring Notification Multiple interfaces for integration REST API CLI 2.0 using SSH/GSISSH Website 7

8 Benefits of Globus Online Easy fire and forget file transfers Automatic fault recovery High performance Simplify use of multiple security domains No client software installation New features automatically available Consolidated support and troubleshooting Data Data 8

9 User Workflow Creates a new profile Configures profile Adds or discovers endpoints Activates endpoints Submits transfers Monitors transfers Receives notification of events 9

10 Profile Management User creates a profile at registration Uses an existing identity Can associate multiple identities with the profile Website logins: OpenID Identity Provider MyProxy servers CLI logins: SSH Public key X.509 Certificate 10

11 Login 11

12 Login Accounts 12

13 CLI Accounts 13

14 Endpoint Management Configure endpoints: Host/port Default MyProxy server Public endpoints Discover endpoints: Add to personal list Endpoint activation: MyProxy or GSI SSH delegation Pause transfer and notify on credential expiration Resume transfer on credential renewal 14

15 Transfer 15

16 Activation using MyProxy 16

17 Planned Features Transfer: 17 Light-weight transfer agent Support for other transfer protocols Integration with Condor Security: Accept campus credentials (InCommon Identity Providers) Support OAuth based delegation - Facilitate sharing of transfer tasks o Group and policy management

18 Future Work Higher-level data management capabilities Data publication Replication Job management capabilities Provisioning of collaboration tools 18

19 Thank You! For more information: www. 19

20 CILogon Federated Access to Science Services and Infrastructures Jim Basney This material is based upon work supported by the National Science Foundation under grant number Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

21 CILogon Goal Facilitate campus logon to CI Leverage researchers existing credentials at their home institution Ease credential management for researchers and CI providers Bridge from: Credentials issued by InCommon Federation members using SAML web browser single sign-on Bridge to: X.509 certificates that satisfy the requirements of CI projects CILogon 21

22 Prior Work: go.teragrid.org Campus login to TeraGrid 31 campuses so far (including all CIC schools) In production since September certificates issued so far to 65+ users Integration with portal.teragrid.org underway IDtrust 2010 paper: Federated Login to TeraGrid ( idtrust/2010/) CILogon 22

23 New Service: cilogon.org No TeraGrid account required Delivers certificates to desktop, browser, and portals Available certificate lifetimes: from 1 hour to 13 months 3 Certification Authorities: Silver: InCommon Silver IDs Basic: any InCommon IDs OpenID: any OpenIDs Available now! CILogon 23

24 CILogon Portal Delegation Grid Portals and Science Gateways provide web interfaces to CI Portals/Gateways need certificates to access CI on researchers behalf CILogon Delegation Service allows researchers to approve certificate issuance to portals (via OAuth) authenticate & approve CILogon Web Browser request certificate access Portal access CI CILogon 24

25 Why certificates? Command-line apps, non-web apps Multi-stage, unattended batch workflows Significant worldwide CI investment in PKI Software, operations, standards, etc. CILogon 25

26 International Grid Trust Federation Worldwide accreditation of grid CAs Relying Parties: TeraGrid, Open Science Grid, European Grid Infrastructure, Worldwide LHC Computing Grid, and others Standards: CA operations, key management, subscriber identity vetting, certificate profiles CILogon 26

27 CILogon and IGTF CILogon CA operations, key management, and certificate profiles meet IGTF standards Issue: subscriber ID vetting & authentication Goal: rely on campuses for this Need minimum standards for campus practices Approach: rely on InCommon Identity Assurance Status: CILogon Silver CA accredited October 2010 Now waiting for InCommon Silver campuses CILogon Basic & OpenID CAs operating w/o IGTF accreditation CILogon 27

28 Attribute Release The boarding process challenge: CI users are spread across many campuses Often few CI users on each campus Each campus must approve release of attributes to cilogon.org / go.teragrid.org CILogon needs eptid/eppn, mail, givenname and surname Self-service sign-up: Good application for user consent based attribute release (uapprove) CILogon 28

29 Conclusions We re leveraging campus credentials for access to cyberinfrastructure SAML to PKI bridges: go.teragrid.org & cilogon.org We re looking forward to new InCommon capabilities Identity Assurance (Silver) Consent-based attribute release (uapprove) CILogon 29

30 Thanks For more information: CILogon 30

31 Survey Please complete the survey about today s IAM Online: Next IAM Online Wednesday, January 12, p.m. EST Tentative Topic Panel Discussion on Identifiers Thank you to InCommon Affiliates for helping to make IAM Online possible. Brought to you by InCommon, in cooperation with Internet2! and the EDUCAUSE Identity and Access Management Working Group 31