ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS


Joseph Olufemi Dada & Andrew McNab
School of Physics and Astronomy, University of Manchester, Manchester UK

Abstract

GridSite relies on Grid credentials for user authentication and authorization. It does not support username/password pairs or attribute based authorization. Since a Public Key Infrastructure (PKI) certificate cannot be installed on every device a user will use, access to GridSite protected resources while attending conferences, at an airport kiosk, working in an Internet Café, on holiday etc. is not possible without exposing the certificate's private key in multiple locations, which poses a security risk. This paper describes our work in progress, called ShibVomGSite: a framework that integrates Shibboleth, VOMS and GridSite to solve this problem. ShibVomGSite issues users a username and Time Limited Password bound to their Distinguished Name (DN) and their Certificate Authority's DN in a database, which the users can later use to gain access to the attributes that are used for authorization.

1 Introduction

GridSite [1-3] is a certificate based website management system that allows members of an organization to collaborate in maintaining web pages etc. It was originally developed for the management of the GridPP project's web site [4]. Authentication is based on Grid credentials, but with unmodified web browsers such as Netscape and Internet Explorer. To access GridSite protected resources, users must apply for and obtain a certificate from a Certificate Authority (CA). The certificate and its private key, protected by a pass phrase, must be installed on every device that users will use to access the GridSite protected resources. Installing a certificate and its private key in multiple locations poses a security risk. This limitation prevents users from accessing GridSite protected resources while attending conferences, at an airport kiosk, working in an Internet Café, on holiday etc.

This paper describes a framework called ShibVomGSite, which we developed to overcome this limitation. Our framework provides shibbolized access to GridSite resources. Users use a Time Limited Password associated with their Public Key Infrastructure (PKI) certificates [5] to gain access to the attributes that are used for authorization. We developed the service to handle the issuing of a username and Time Limited Password to users at their home institution. The service also allows users to manage their identities in the database.

The GridPP collaboration involves a community of many particle physicists, computer scientists and site administrators, with members located at UK universities and international laboratories. These various affiliations make it imperative to link the Shibboleth Attribute Authority at the origin site with the Virtual Organization Membership Service (VOMS) [6, 7] in order to get the member's VOMS attributes that are necessary for authorization. To achieve this, we developed the Voms Attribute for GridSite and Shibboleth (VASGS) service that integrates VOMS with Shibboleth. Shibboleth uses VASGS to retrieve users' attributes from VOMS, which it then passes together with other attributes to GridSite for authorization purposes. For the authorization, we introduce the GridSite Authorization Module for Shibboleth and Apache Server (GAMAS). GAMAS integrates with Shibboleth at the resource provider or target site.

The rest of this paper is organised as follows: Section 2 briefly describes the GridSite authentication and authorization process, VOMS and Shibboleth. The ShibVomGSite system is described in section 3, along with a description of how its components work together to achieve the objective of our work. A brief description of the prototype of the service, the VASGS service and GAMAS is presented in section 4, and section 5 gives the conclusion and further work.

2 Background

In this section we present a brief description of authentication and authorization in GridSite and provide an overview of the two technologies that are relevant to our work: Shibboleth and VOMS. A detailed description of Shibboleth, VOMS and GridSite can be found on the individual websites [1, 6-8].

2.1 GridSite Authentication and Authorization

Mutual authentication in GridSite is established using Grid credentials, which require X.509 identity certificates [5]. A user needs a valid X.509 certificate together with the corresponding private key in order to prove his/her identity to the GridSite resources. After the proof of identity, the user needs to be authorized to gain access to the GridSite resources according to the resource provider's access policy. The GridSite Apache module (mod_gridsite) implements authorization based on X.509, Grid Security Infrastructure (GSI) [9] and VOMS credentials. It uses GACL, the Grid Access Control Language [3] provided by the GridSite/GACL library. This allows access control to be specified in terms of attributes found in Grid credentials. An Access Control List (ACL) consists of one or more Entry blocks. When a user's credentials are compared to the ACL, the permissions given to the user by Allow blocks are recorded, along with those forbidden by Deny blocks. When all entries have been evaluated, any forbidden permissions are removed from those granted.

2.2 Shibboleth

Shibboleth is standards based, open source middleware software, which provides Web Single Sign On (SSO) across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy preserving manner [4]. Shibboleth consists of two major software components: the Identity Provider (IdP) and the Service Provider (SP). The two components are deployed separately but work together to provide secure access to Web based resources. The operation of Shibboleth is based on the Security Assertion Markup Language (SAML) standard [10], published by OASIS [11]. The principle behind SAML's design and Shibboleth's is federated identity. Federated identity technology permits organizations with disparate authentication and authorization methods to interoperate, thereby extending the capability of each organization's existing services rather than replacing them. Shibboleth exchanges attributes across domains for authorization purposes. Its architecture depends on PKI, which it uses to build trust relationships between the Shibboleth components of the Federation members.

Figure 1 shows the authentication and authorization process in Shibboleth. As shown in the figure, an IdP, normally located at the origin site, identifies the users while the SP at the target site protects the resources. When a user accesses a shibbolized resource at the target site for the first time, the Shibboleth Indexical Reference Establisher (SHIRE) directs the user to the Where Are You From (WAYF) service to pick his/her domain (origin site). The user's browser is then redirected to the authentication server at the origin site for user authentication. After the user is authenticated, the browser is redirected back to the target site along with the user's handle and an authentication assertion. The authentication assertion is proof to the target site that the user has been successfully authenticated. The Shibboleth Attribute Requester (SHAR) at the target site uses the user's handle to request the user's attributes from the Attribute Authority (AA) at the origin site. The attributes are then passed to the Shibboleth Authorization (ShibAuthZ) module, which makes an access control decision based on these attributes. GAMAS takes over the function of ShibAuthZ in the ShibVomGSite system.

Figure 1: Architecture of Shibboleth (IdP/origin site: authentication server, Handle Service, Attribute Authority; SP/target site: SHIRE, SHAR, ShibAuthZ; WAYF between them)

2.3 Virtual Organization Membership Service (VOMS)

The Virtual Organization Membership Service provides information on the user's relationship with her Virtual Organization: her groups, roles and capabilities. The service is basically a simple account database, which serves the information in a special format (the VOMS credential). The VO manager can administer it remotely using command line tools or a web interface. An authenticated user (or any principal) can request membership of a VO, and request group membership, role and capability entitlements [6]. Once the user has been granted the appropriate VO membership and attributes within a VO, he may request a short lived credential. The user runs voms-proxy-init with optional arguments specifying which VOs, groups, roles and capabilities he wishes for his current credential. VOMS issues a short lived Attribute Certificate [12] to the authenticated user, which the user may then present to resources on the Grid. However, its present implementation does not support issuing a user's attributes or authorization data to a third party on behalf of the user. We have developed a web service that can be plugged into VOMS to enable a trusted third party (e.g. a Shibboleth IdP) to request a user's attributes on behalf of the user, which are then passed to the Service Provider for authorization purposes.

3 ShibVomGSite System

In this section, we present the ShibVomGSite system that addresses the problems enumerated in the introduction. ShibVomGSite consists of three major components that integrate Shibboleth, VOMS and GridSite to enable GridSite to support username/password and attribute based authorization: the service, the VASGS service, and GAMAS. We describe these components in the sub sections that follow. Figure 2 shows these components, their interactions and how they interact with Shibboleth to achieve the objective of this work. The steps shown in the figure are explained below:

1. The user contacts the Shibboleth/GridSite protected resource site with a browser, requesting access to a Shibboleth GAMAS protected target service.
2. The user is redirected to the IdP for authentication.
3. The IdP calls the service for user authentication.
4. After successful authentication, the browser is redirected to the SP together with a handle. The SP at the target site gets the handle and sends it to the IdP of the origin site for an attribute query.
5. The IdP retrieves the user's DN and the CA's DN from the DB.
6. The IdP authenticates to VASGS using its host PKI certificate, and uses the user's DN and the CA's DN as parameters to request the user's attributes from VOMS through the VASGS service. The VASGS service returns the user's attributes to the IdP.
7. The IdP sends the attributes, together with the user's DN if required, back to the SP.
8. The SP uses the user's attributes to request an authorization decision from GAMAS.
9. GAMAS carries out the authorization process and passes its decision back to the SP.
10. The SP grants or denies access to the Target Resource depending on the authorization decision from GAMAS.

Figure 2: ShibVomGSite Architecture

3.1 The service

The service carries out authentication of users using their certificates and enables them to manage their username and password bound to their DN. It is simply a database with an interface developed in C. Unlike MyProxy [13], which stores proxy credentials, the service only stores users' DN and CA's DN bound to the username/password, which are later used by Shibboleth to retrieve the user's attributes from the VOMS server. The components of the service are shown in Figure 3. The first operation a user must perform in order to get access to GridSite resources without using a certificate is to request a username and Time Limited Password from the service. The steps involved are described below:

1. The user and the service authenticate each other with their certificates using the HTTPS protocol.
2. The service extracts the user's DN and the CA's DN from his/her certificate and issues a username and time limited password to the user through the same web browser the user used for the authentication. The user can change his/her password immediately or within 6 days.
3. The service saves the username and password in encrypted form together with the DN and the CA's DN in the database.

Figure 3: User interaction with the service (components: CertAuthT, Password, AuthT module, DBInterface, DB)

The user has the opportunity to manage his/her information in the DB using the Password module. The Shibboleth IdP uses the AuthT Apache module for the authentication of users whenever users attempt to access GridSite protected resources on the target site. The AuthT Apache module is based on the Apache module mod_auth_mysql [14]. The module is integrated with the DB that contains the username/password and other user information. A full paper on the service is in preparation.

3.2 Voms Attribute for GridSite and Shibboleth (VASGS)

The VASGS service is made up of two components: the VASGS VOMAttribute Web Service and the VASGS ConnectorPlugIn for the IdP. Figure 4 shows the interaction between the Shibboleth IdP and the VASGS service. The IdP connects to the VASGS VOMAttribute Web Service to get the user's attributes (groups, roles, capabilities etc.) from the VOMS server using the VASGS ConnectorPlugIn. The attributes are combined with the others, which are then passed to the SP for authorization. The advantage of VASGS is that users do not need to apply for an Attribute Certificate to access GridSite resources; attributes are pulled directly from VOMS. Our VASGS service therefore allows the IdP to use VOMS as an Attribute Repository.

Figure 4: Structure of VASGS (IdP with VASGS ConnectorPlugIn; VASGS VomsAttribute Web Service in a Tomcat web container, using the VOMS API over the VOMS DB)

3.3 GridSite Authorization Module for Shibboleth and Apache Server (GAMAS)

Figure 5 shows the structure of GAMAS and how it integrates with the SP to carry out the authorization process. The mod_shib_gridsite is the core module of GAMAS. It interfaces with Shibboleth and the Apache server to collect all the attributes necessary for making an authorization decision and passes these attributes to the GridSite/GACL/XACML library. The authorization decision is passed back to mod_shib_gridsite, which translates it to the OK or HTTP_UNAUTHORIZED error codes. Apache will either send the requested resource or a page with the error information back to the user's web browser depending on the result. Since GAMAS returns a definite result when mod_shib_gridsite is active, the Shibboleth authorization module (ShibAuthZ) is not invoked. The mod_shib_gridsite must appear before the Shibboleth Apache module (mod_shib) in the Apache 2.0 configuration file. Since each location in the Apache configuration file may use a different form of authorization, GAMAS is only active if the GridSiteAuth directive is present for the location. If it is not present, mod_shib_gridsite will return DECLINED, so that Shibboleth or any other configured authorization module will be invoked.

Figure 5: Integration of GAMAS with the Service Provider (IdP/origin site: AuthT module, Handle Service, Attribute Authority; SP/target site: SHIRE, SHAR, mod_shib_gridsite, ShibAuthZ, GAMAS with the GridSite library; VASGS VOMAttribute and VASGS ConnectorPlugIn)

To explain how GAMAS integrates with the SP at the target site, the interactions between the SP and GAMAS during the authorization phase (shown with numbers in Figure 5) are explained as follows:

1. The authorization phase begins after the SHAR component of the SP has successfully received the user's attributes from the Attribute Authority component of the IdP, as explained earlier in section 3. In this phase, mod_shib_gridsite is invoked first by the Apache server.
2. If the requested location is not protected by GAMAS, mod_shib_gridsite returns DECLINED and the Shibboleth authorization function ShibAuthZ, or any other authorization function for the location, is invoked. Otherwise the user's attributes and DN are acquired by mod_shib_gridsite from the HTTP headers.
3. mod_shib_gridsite calls the gridsite/gacl/XACML library to make an authorization decision, which is based on the user's attributes and DN.
4. After the decision, the granted/denied decision is returned to mod_shib_gridsite.
5. mod_shib_gridsite returns the decision to the Apache server. The user is then granted or denied access to the target resource according to the result of the decision.

4 Prototype Implementation

We have implemented the prototype of the service, the VASGS service and GAMAS. In this section, we briefly describe our implementation.

The service prototype is implemented in C. The database server used is MySQL. Users can log in with their certificates and obtain a username and password. The CertAuthT module is a Common Gateway Interface (CGI) script that connects to the DB using DBInterface. Password, which allows users to manage their records, is also a CGI script that uses DBInterface to interact with the DB. The AuthT module is the authentication server for Shibboleth, which is based on the Apache module mod_auth_mysql [14].

The VASGS service is implemented in Java. It is based on Web Service technology. It has two sub components as described earlier: the VASGS VOMAttribute, which resides with the VOMS server, and the VASGS ConnectorPlugIn, which Shibboleth uses to invoke the VASGS VOMAttribute on the VOMS server. VOMAttribute runs inside a Tomcat web container just like the other services provided by the VOMS server, while ConnectorPlugIn is a Java class that Shibboleth invokes to connect to the VOMAttribute.

GAMAS (mod_shib_gridsite and the gridsite library) is implemented in C as an Apache module. It is an extension of mod_gridsite. As described earlier, it receives users' attributes from Shibboleth to make the authorization decision.

5 Conclusion and Further Work

We have presented the ShibVomGSite framework, which provides username/password support and attribute based authorization to GridSite. This framework allows users to access GridSite protected resources anywhere and at any time using a time limited password. The service binds the user's DN and the CA's DN with the username and Time Limited Password in a database (DB).
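As an added example (not code from this paper, GridSite or GAMAS), the following C sketch models the GACL evaluation rule of section 2.1 and the mod_shib_gridsite dispatch of section 3.3: allow and deny blocks are collected over all matching entries, denies are stripped, and the module declines when no GridSiteAuth directive applies. The permission bits, ACL entries, DN and VOMS FQANs are constructed assumptions; the Apache return values are the real OK, DECLINED and HTTP_UNAUTHORIZED codes.

```c
/* Added example, not GridSite's or GAMAS's own code: a simplified model of the
 * GACL rule from section 2.1 (collect allows and denies, then strip the denies)
 * and of the mod_shib_gridsite dispatch from section 3.3. Apache's real codes are
 * OK=0, DECLINED=-1, HTTP_UNAUTHORIZED=401; the ACL, DN and FQANs are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Permission bits, modelled on GACL's read/list/write/admin. */
enum { PERM_NONE = 0, PERM_READ = 1, PERM_LIST = 2, PERM_WRITE = 4, PERM_ADMIN = 8 };
/* Credential kinds an ACL entry can name. */
typedef enum { CRED_ANY_USER, CRED_PERSON, CRED_VOMS } cred_kind;

typedef struct {
    cred_kind kind;
    const char *value; /* DN for CRED_PERSON; FQAN such as "/vo/Role=r" for CRED_VOMS */
} credential;

/* One ACL entry: the credential it matches plus its allow and deny masks. */
typedef struct {
    credential who;
    int allow;
    int deny;
} acl_entry;

/* What mod_shib_gridsite reads from the SP's HTTP headers: DN and VOMS FQANs. */
typedef struct {
    const char *dn;
    const char **fqans;
    size_t nfqans;
} user_creds;

static bool cred_matches(const credential *c, const user_creds *u) {
    switch (c->kind) {
    case CRED_ANY_USER: return true;
    case CRED_PERSON:   return u->dn != NULL && strcmp(c->value, u->dn) == 0;
    case CRED_VOMS:
        for (size_t i = 0; i < u->nfqans; i++)
            if (strcmp(c->value, u->fqans[i]) == 0) return true;
        return false;
    }
    return false;
}

/* GACL evaluation: record the permissions of every matching allow block and
 * every matching deny block, then remove the denied ones from those granted. */
int gacl_evaluate(const acl_entry *acl, size_t n, const user_creds *u) {
    int allowed = PERM_NONE, denied = PERM_NONE;
    for (size_t i = 0; i < n; i++) {
        if (!cred_matches(&acl[i].who, u)) continue;
        allowed |= acl[i].allow;
        denied |= acl[i].deny;
    }
    return allowed & ~denied;
}

/* Dispatch as described for mod_shib_gridsite: without a GridSiteAuth directive
 * the module declines so ShibAuthZ (or another module) runs; otherwise it
 * answers OK or HTTP_UNAUTHORIZED and ShibAuthZ is never invoked. */
int gamas_authz(bool gridsiteauth_present, const acl_entry *acl, size_t n,
                const user_creds *u, int needed) {
    if (!gridsiteauth_present) return DECLINED;
    int granted = gacl_evaluate(acl, n, u);
    return (granted & needed) == needed ? OK : HTTP_UNAUTHORIZED;
}

/* Constructed policy: VO members may read and list, one named person may write,
 * and anyone holding the guest role is denied write even if also named. */
#define SAMPLE_DN "/C=UK/O=eScience/OU=Example/CN=example user"
static const acl_entry SAMPLE_ACL[] = {
    { { CRED_VOMS, "/examplevo" }, PERM_READ | PERM_LIST, PERM_NONE },
    { { CRED_PERSON, SAMPLE_DN }, PERM_WRITE, PERM_NONE },
    { { CRED_VOMS, "/examplevo/Role=guest" }, PERM_NONE, PERM_WRITE },
};
#define SAMPLE_ACL_LEN (sizeof SAMPLE_ACL / sizeof SAMPLE_ACL[0])

/* Two constructed users with the same DN; VOMS reports the guest role for one. */
static const char *GUEST_FQANS[] = { "/examplevo", "/examplevo/Role=guest" };
static const char *MEMBER_FQANS[] = { "/examplevo" };
static const user_creds GUEST = { SAMPLE_DN, GUEST_FQANS, 2 };
static const user_creds MEMBER = { SAMPLE_DN, MEMBER_FQANS, 1 };

/* Granted mask for the guest: the deny on write removes the person's allow. */
int sample_guest_permissions(void) {
    return gacl_evaluate(SAMPLE_ACL, SAMPLE_ACL_LEN, &GUEST);
}

/* Apache code when the guest asks to write, with or without GridSiteAuth. */
int sample_guest_write_decision(bool gridsiteauth_present) {
    return gamas_authz(gridsiteauth_present, SAMPLE_ACL, SAMPLE_ACL_LEN, &GUEST, PERM_WRITE);
}

/* Same person without the guest role: the write allow survives. */
int sample_member_write_decision(void) {
    return gamas_authz(true, SAMPLE_ACL, SAMPLE_ACL_LEN, &MEMBER, PERM_WRITE);
}
```

The guest case shows the point of the rule: a deny attached to a VOMS role overrides an allow granted to the same person's DN, so the decision depends on the attributes VASGS hands to the IdP, not only on the DN.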
The service also serves as an attribute repository for the IdP, and provides the DN and the CA's DN used as parameters to obtain VOMS attributes for users with the help of the VASGS service. We also described GAMAS, which uses the VOMS attributes received from Shibboleth for authorization. GAMAS receives the attributes through the Shibboleth SP (mod_shib), carries out the authorization process and returns the decision to the Apache server, which grants or denies the user's request depending on the result of the authorization decision.

The work presented in this paper is a work in progress. Efforts continue to develop the existing prototype into a full working system suitable for deployment. We are also working on integrating the ShibVomGSite system with the Flexible Access Middleware Extension (FAME) [15].

6 Acknowledgements

This work was funded by the Particle Physics and Astronomy Research Council through their GridPP programme. Our thanks also go to other members of the various EDG and EGEE security working groups for providing much of the wider environment for this work.

7 References

[1] Grid Security for the Grid, Web Platform for Grid,
[2] McNab, A., The GridSite Web/Grid Security System, Software: Practice and Experience, 35:
[3] McNab, A., Grid Based Access Control and User Management for Unix Environments, File Systems, Web Sites and Virtual Organizations, in Proceedings of CHEP 2003, La Jolla, CA,
[4] UK Computing for Particle Physics,
[5] Housley, R., Polk, W., Ford, W. and Solo, D., Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 3280, IETF,
[6] Alfieri, R., Cecchini, R., Ciaschini, V., Spataro, F., dell'Agnello, L., Frohner, A. and Lörentey, K., From gridmap file to VOMS: managing authorization in a Grid environment, ~ferrari/ seminari/gri glie05/lezione02/voms FGCS.pdf,
[7] EDG VOM ADMIN Developer Guide, security/ voms/edg voms admin dev guide.pdf.
[8] Shibboleth Project, Internet2,
[9] Welch, V., Siebenlist, F., Foster, I., Bresnahan, J., Czajkowski, K., Gawor, J., Kesselman, C., Meder, S., Pearlman, L. and Tuecke, S., Security for Grid Services, in International Symposium on High Performance Distributed Computing,
[10] Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML) V1.1, sis sstc saml core 1.1.pdf.
[11] OASIS, open.org/.
[12] Ciaschini, V., A VOMS Attribute Certificate Profile for Authorization, p/7/58/ac RFC.pdf, 2004.
[13] Novotny, J., Tuecke, J. and Welch, V., An Online Credential Repository for the Grid: MyProxy, papers/myproxy.pdf.
[14] Mod_auth_mysql:
[15] FAME PERMIS, Flexible Access Middleware Extension to PERMIS, permis.org/.


More information

Single Sign-On in In-VIGO: Role-based Access via Delegation Mechanisms Using Short-lived User Identities

Single Sign-On in In-VIGO: Role-based Access via Delegation Mechanisms Using Short-lived User Identities Single Sign-On in In-VIGO: Role-based Access via Delegation Mechanisms Using Short-lived User Identities Sumalatha Adabala, Andréa Matsunaga, Maurício Tsugawa, Renato Figueiredo, José A. B. Fortes ACIS

More information

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief Qualys provides its customers the option to use SAML 2.0 Single SignOn (SSO) authentication with their Qualys subscription. When implemented, Qualys

More information

Entrust Connector (econnector) Venafi Trust Protection Platform

Entrust Connector (econnector) Venafi Trust Protection Platform Entrust Connector (econnector) For Venafi Trust Protection Platform Installation and Configuration Guide Version 1.0.5 DATE: 17 November 2017 VERSION: 1.0.5 Copyright 2017. All rights reserved Table of

More information

UNICORE Globus: Interoperability of Grid Infrastructures

UNICORE Globus: Interoperability of Grid Infrastructures UNICORE : Interoperability of Grid Infrastructures Michael Rambadt Philipp Wieder Central Institute for Applied Mathematics (ZAM) Research Centre Juelich D 52425 Juelich, Germany Phone: +49 2461 612057

More information

PoS(EGICF12-EMITC2)150

PoS(EGICF12-EMITC2)150 Linking Authenticating and Authorising Infrastructures in the UK NGI (SARoNGS) The University of Manchester E-mail: mike.jones@manchester.ac.uk Jens JENSEN Science and Technologies Facility Council E-mail:

More information

Authentication. Katarina

Authentication. Katarina Authentication Katarina Valalikova @KValalikova k.valalikova@evolveum.com 1 Agenda History Multi-factor, adaptive authentication SSO, SAML, OAuth, OpenID Connect Federation 2 Who am I? Ing. Katarina Valaliková

More information

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol

J. Basney, NCSA Category: Experimental October 10, MyProxy Protocol GWD-E J. Basney, NCSA Category: Experimental October 10, 2005 MyProxy Protocol Status of This Memo This memo provides information to the Grid community. Distribution is unlimited. Copyright Notice Copyright

More information

A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards

A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards Sylvia Encheva Stord/Haugesund University College Bjørnsonsg. 45 5528 Haugesund, Norway sbe@hsh.no Sharil

More information

CA SiteMinder Federation

CA SiteMinder Federation CA SiteMinder Federation Legacy Federation Guide 12.52 SP1 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

David Chadwick, University of Kent Linying Su, University of Kent 9 July 2008

David Chadwick, University of Kent Linying Su, University of Kent 9 July 2008 GWD-R-P OGSA-Authz David Chadwick, University of Kent Linying Su, University of Kent 9 July 2008 Use of WS-TRUST and SAML to access a Credential Validation Service Status of This Document This document

More information

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server... Oracle Access Manager Configuration Guide for On-Premises Version 17 October 2017 Contents Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing

More information

XPOLA An Extensible Capability-based Authorization Infrastructure for Grids

XPOLA An Extensible Capability-based Authorization Infrastructure for Grids XPOLA An Extensible Capability-based Authorization Infrastructure for Grids Liang Fang and Dennis Gannon Computer Science Department, Indiana University, Bloomington, IN 47405 Frank Siebenlist Mathematics

More information

EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT

EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT EXPERIENCE WITH PKI IN A LARGE-SCALE DISTRIBUTED ENVIRONMENT Daniel Kouřil, Michal Procházka, Luděk Matyska CESNET z. s. p. o., Zikova 4, 160 00 Praha 6, Czech Republic, and Masaryk University, Botanická

More information

Guidelines on non-browser access

Guidelines on non-browser access Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1 AARC-JRA1.4F https://aarc-project.eu/wp-content/uploads/2017/03/aarc-jra1.4f.pdf 1 Table of Contents 1 Introduction

More information

INDIGO AAI An overview and status update!

INDIGO AAI An overview and status update! RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project

More information

A VO-friendly, Community-based Authorization Framework

A VO-friendly, Community-based Authorization Framework A VO-friendly, Community-based Authorization Framework Part 1: Use Cases, Requirements, and Approach Ray Plante and Bruce Loftis NCSA Version 0.1 (February 11, 2005) Abstract The era of massive surveys

More information

Shibboleth as a Tool for Authorized Access Control to the Subversion Repository System

Shibboleth as a Tool for Authorized Access Control to the Subversion Repository System Clemson University TigerPrints Publications School of Computing 9-2007 Shibboleth as a Tool for Authorized Access Control to the Subversion Repository System Linh B. Ngo Clemson University, lngo@clemson.edu

More information

New trends in Identity Management

New trends in Identity Management New trends in Identity Management Peter Gietz, DAASI International GmbH peter.gietz@daasi.de Track on Research and Education Networking in South East Europe, Yu Info 2007, Kopaionik, Serbia 14 March 2007

More information

Oracle Utilities Opower Solution Extension Partner SSO

Oracle Utilities Opower Solution Extension Partner SSO Oracle Utilities Opower Solution Extension Partner SSO Integration Guide E84763-01 Last Updated: Friday, January 05, 2018 Oracle Utilities Opower Solution Extension Partner SSO Integration Guide Copyright

More information

Technical Background Information

Technical Background Information Technical Background Information Ueli Kienholz, SWITCH Rolf Gartmann, SWITCH Claude Lecommandeur, EPFL December 2, 2002 2002 SWITCH PAPI Rolf Gartmann, SWITCH Security Group December 2, 2002 2002 SWITCH

More information

Federated Authentication with Web Services Clients

Federated Authentication with Web Services Clients Federated Authentication with Web Services Clients in the context of SAML based AAI federations Thomas Lenggenhager thomas.lenggenhager@switch.ch Mannheim, 8. March 2011 Overview SAML n-tier Delegation

More information

EUROPEAN MIDDLEWARE INITIATIVE

EUROPEAN MIDDLEWARE INITIATIVE EUROPEAN MIDDLEWARE INITIATIVE VOMS CORE AND WMS SECURITY ASSESSMENT EMI DOCUMENT Document identifier: EMI-DOC-SA2- VOMS_WMS_Security_Assessment_v1.0.doc Activity: Lead Partner: Document status: Document

More information

The Community Authorization Service: Status and Future

The Community Authorization Service: Status and Future The Authorization Service: Status and Future L. Pearlman, C. Kesselman USC Information Sciences Institute, Marina del Rey, CA V. Welch, I. Foster, S. Tuecke Argonne National Laboratory, Argonne, IL Virtual

More information

Security in distributed metadata catalogues

Security in distributed metadata catalogues Security in distributed metadata catalogues Nuno Santos 1, and Birger Koblitz 2 1 Distributed Systems Laboratory, Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland 2 European Organization

More information

DDS Identity Federation Service

DDS Identity Federation Service DDS Identity Federation Service Sharing Identity across Organisational Boundaries Executive Overview for UK Government Company Profile Daemon Directory Services Ltd. (DDS) is an application service provider

More information

A AAAA Model to Support Science Gateways with Community Accounts

A AAAA Model to Support Science Gateways with Community Accounts A AAAA Model to Support Science Gateways with Community Accounts Von Welch 1, Jim Barlow, James Basney, Doru Marcusiu NCSA 1 Introduction Science gateways have emerged as a concept for allowing large numbers

More information

Deposited on: 10 September 2009

Deposited on: 10 September 2009 Watt, J. and Sinnott, R.O. and Jiang, J. and Doherty, T. and Stell, A. and Martin, D. and Stewart, G. (2007) Federated authentication and authorisation for e-science. In: APAC Conference and Exhibition,

More information

Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)

Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI) Wright State University CORE Scholar Browse all Theses and Dissertations Theses and Dissertations 2007 Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)

More information

Using the MyProxy Online Credential Repository

Using the MyProxy Online Credential Repository Using the MyProxy Online Credential Repository Jim Basney National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu What is MyProxy? Independent Globus Toolkit add-on

More information

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On Configuration Guide E84772-01 Last Update: Monday, October 09, 2017 Oracle Utilities Opower Energy Efficiency Web Portal -

More information

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5 CA SiteMinder Federation Manager Guide: Legacy Federation r12.5 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation

More information

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD) Participant Name:_Unversity of Regina Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert

More information

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November 3th, 2005 Von Welch vwelch@ncsa.uiuc.edu Outline

More information

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017 ENTRUST CONNECTOR Installation and Configuration Guide Version 0.5.1 April 21, 2017 2017 CygnaCom Solutions, Inc. All rights reserved. Contents What is Entrust Connector... 4 Installation... 5 Prerequisites...

More information

Stell, A.J. and Sinnott, R.O. and Watt, J.P. (2005) Comparison of advanced authorisation infrastructures for grid computing. In, International Symposium on High Performance Computing Systems and Applications

More information

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent Attribute Aggregation in Federated Identity Management David Chadwick, George Inman, Stijn Lievens University of Kent Acknowledgements Project originally funded by UK JISC, called Shintau http://sec.cs.kent.ac.uk/shintau/

More information

Introducing Shibboleth. Sebastian Rieger

Introducing Shibboleth. Sebastian Rieger Introducing Shibboleth Sebastian Rieger sebastian.rieger@gwdg.de Gesellschaft für wissenschaftliche Datenverarbeitung mbh Göttingen, Germany CLARIN AAI Hands On Workshop, 25.02.2009, Oxford eresearch Center

More information

Deploying the TeraGrid PKI

Deploying the TeraGrid PKI Deploying the TeraGrid PKI Grid Forum Korea Winter Workshop December 1, 2003 Jim Basney Senior Research Scientist National Center for Supercomputing Applications University of Illinois jbasney@ncsa.uiuc.edu

More information

Connect-2-Everything SAML SSO (client documentation)

Connect-2-Everything SAML SSO (client documentation) Connect-2-Everything SAML SSO (client documentation) Table of Contents Summary Overview Refined tags Summary The Connect-2-Everything landing page by Refined Data allows Adobe Connect account holders to

More information

CILogon Project

CILogon Project CILogon Project GlobusWORLD 2010 Jim Basney jbasney@illinois.edu National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by

More information

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials Best practices and recommendations for attribute translation from federated authentication to X.509 credentials Published Date: 13-06-2017 Revision: 1.0 Work Package: Document Code: Document URL: JRA1

More information

FUSION REGISTRY COMMUNITY EDITION SETUP GUIDE VERSION 9. Setup Guide. This guide explains how to install and configure the Fusion Registry.

FUSION REGISTRY COMMUNITY EDITION SETUP GUIDE VERSION 9. Setup Guide. This guide explains how to install and configure the Fusion Registry. FUSION REGISTRY COMMUNITY EDITION VERSION 9 Setup Guide This guide explains how to install and configure the Fusion Registry. FUSION REGISTRY COMMUNITY EDITION SETUP GUIDE Fusion Registry: 9.2.x Document

More information

Assurance Enhancements for the Shibboleth Identity Provider 19 April 2013

Assurance Enhancements for the Shibboleth Identity Provider 19 April 2013 Assurance Enhancements for the Shibboleth Identity Provider 19 April 2013 This document outlines primary use cases for supporting identity assurance implementations using multiple authentication contexts

More information

An OGSI CredentialManager Service Jim Basney a, Shiva Shankar Chetan a, Feng Qin a, Sumin Song a, Xiao Tu a, and Marty Humphrey b

An OGSI CredentialManager Service Jim Basney a, Shiva Shankar Chetan a, Feng Qin a, Sumin Song a, Xiao Tu a, and Marty Humphrey b UK Workshop on Grid Security Experiences, Oxford 8th and 9th July 2004 An OGSI CredentialManager Service Jim Basney a, Shiva Shankar Chetan a, Feng Qin a, Sumin Song a, Xiao Tu a, and Marty Humphrey b

More information

Novell Access Manager

Novell Access Manager Setup Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP3 February 02, 2011 www.novell.com Novell Access Manager 3.1 SP3 Setup Guide Legal Notices Novell, Inc., makes no representations or warranties

More information

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

DocuSign Single Sign On Implementation Guide Published: June 8, 2016 DocuSign Single Sign On Implementation Guide Published: June 8, 2016 Copyright Copyright 2003-2016 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents

More information

Managing Certificates

Managing Certificates CHAPTER 12 The Cisco Identity Services Engine (Cisco ISE) relies on public key infrastructure (PKI) to provide secure communication for the following: Client and server authentication for Transport Layer

More information

Introduction to Identity Management Systems

Introduction to Identity Management Systems Introduction to Identity Management Systems Ajay Daryanani Middleware Engineer, RedIRIS / Red.es Kopaonik, 13th March 2007 1 1 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and

More information

Network Security Essentials

Network Security Essentials Network Security Essentials Fifth Edition by William Stallings Chapter 4 Key Distribution and User Authentication No Singhalese, whether man or woman, would venture out of the house without a bunch of

More information

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012 RealMe Version: Author: 1.0 APPROVED Richard Bergquist Datacom Systems (Wellington) Ltd Date: 15 November 2012 CROWN COPYRIGHT This work is licensed under the Creative Commons Attribution 3.0 New Zealand

More information

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga A solution for Access Delegation based on SAML Ciro Formisano Ermanno Travaglino Isabel Matranga Access Delegation in distributed environments SAML 2.0 Condition to Delegate Implementation Future plans

More information

Federated Authentication for E-Infrastructures

Federated Authentication for E-Infrastructures Federated Authentication for E-Infrastructures A growing challenge for on-line e-infrastructures is to manage an increasing number of user accounts, ensuring that accounts are only used by their intended

More information

The Trusted Attribute Aggregation Service (TAAS)

The Trusted Attribute Aggregation Service (TAAS) The Trusted Attribute Aggregation Service (TAAS) Privacy Protected Identity Management with User Consent, Minimum Dislosure and Unlinkability George Inman, David Chadwick, Kristy Siu What problems does

More information

Oman Research & Education Network (OMREN)

Oman Research & Education Network (OMREN) Oman Research & Education Network (OMREN) Presented By: Said Al-Mandhari The Research Council Sultanate of Oman said.mandhari@trc.gov.om http://www.trc.gov.om 1 Table of Content OMREN Definition OMREN

More information

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen

Grid Computing Fall 2005 Lecture 16: Grid Security. Gabrielle Allen Grid Computing 7700 Fall 2005 Lecture 16: Grid Security Gabrielle Allen allen@bit.csc.lsu.edu http://www.cct.lsu.edu/~gallen Required Reading Chapter 16 of The Grid (version 1), freely available for download

More information

Warm Up to Identity Protocol Soup

Warm Up to Identity Protocol Soup Warm Up to Identity Protocol Soup David Waite Principal Technical Architect 1 Topics What is Digital Identity? What are the different technologies? How are they useful? Where is this space going? 2 Digital

More information

2. HDF AAI Meeting -- Demo Slides

2. HDF AAI Meeting -- Demo Slides 2. HDF AAI Meeting -- Demo Slides Steinbuch Centre for Computing Marcus Hardt KIT University of the State of Baden-Wuerttemberg and National Research Center of the Helmholtz Association www.kit.edu Introduction

More information

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes Attributes for Apps How mobile Apps can use SAML Authentication and Attributes Lukas Hämmerle lukas.haemmerle@switch.ch TNC 2013, Maastricht Introduction App by University of St. Gallen Universities offer

More information

A New Security Model for Collaborative Environments

A New Security Model for Collaborative Environments A New Security Model for Collaborative Environments D. Agarwal, M. Thompson, M. Perry Lawrence Berkeley Lab DAAgarwal@lbl.gov, MRThompson@lbl.gov, MPerry@lbl.gov M. Lorch Virginia Tech mlorch@vt.edu Abstract

More information

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

Integrated Security Context Management of Web Components and Services in Federated Identity Environments Integrated Security Context Management of Web Components and Services in Federated Identity Environments Apurva Kumar IBM India Research Lab. 4, Block C Vasant Kunj Institutional Area, New Delhi, India-110070

More information

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min. 1z0-479 oracle Number: 1z0-479 Passing Score: 800 Time Limit: 120 min Exam A QUESTION 1 What is the role of a user data store in Oracle Identity Federation (OIF) 11g when it is configured as an Identity

More information

AAI in EGI Current status

AAI in EGI Current status AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 User authentication

More information

1. Federation Participant Information DRAFT

1. Federation Participant Information DRAFT INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon

More information

The AAF - Supporting Greener Collaboration

The AAF - Supporting Greener Collaboration SPUSC 2008 SOUTH PACIFIC USER SERVICES CONFERENCE The AAF - Supporting Greener Collaboration Stuart Allen MAMS MELCOE Macquarie University sallen@melcoe.mq.edu.au What is the AAF? The Australian Access

More information