An e-voyage showing Single Sign-on via Shibboleth in Action

Size: px

Start display at page:

Download "An e-voyage showing Single Sign-on via Shibboleth in Action"

Dinah Bruce
6 years ago
Views:

1 An e-voyage showing Single Sign-on via Shibboleth in Action Prof Richard Sinnott Technical Director National e-science Centre University of Glasgow

2 Grid Security What do we really want? Ease of use for end users Single sign-on to distributed resources Site autonomy Manageability for local sys-admins Scalability for large scale virtual organisations Fine grained security as/when needed Dynamicity Shibboleth + Grid + advanced authorisation infrastructures can address many of these issues

3 Ease of Use For Grids/e-Research to be truly successful (ubiquitous) have to be made as seamless to access and use as the internet Forget training, education for some (most?) users! have to be based on research pull and not middleware push experiences in various projects have shown that users don t like digital certificates The majority most certainly won t jump through hoops to get on the Grid

4 Step 1 In UK e-science community X.509 PKI based on centralised CA with direct single hierarchy to users Typical scenario for getting Grid certificate 2. Check details of request RA 3. Ok? CA 1. Request certificate ( 4. Download and install certificate in browser 5. Download and install CRL User 6. Export certificate to various formats e.g. as Grid certificate $> openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem!!!! This is off-putting for end users!!! Typically not available on Windows!!! Root access? Local sys-admin?

5 But Identity management issues Certificate Revocation Lists When revoked? By whom? How timely? Strong passwords for private keys Users write them down, share them, forget them Privilege Management Numerous domains where never get access to local account to do stuff User classification Tinkerers vs much larger e-research Community they want services to point their browser at and point click to run things on the Grid I don t want an account on a cluster, I m a biologist who wants to run BLAST on a free National Grid resource

6 As a result ~3500 UK e-science certs 1000 for Manchester cluster But over 3 Million Athens accounts in UK HE/FE Iceberg is not to scale!!!!

7 How Can we Improve Things? We don t want each domain reinventing their own security solutions Best to exploit local authentication Sites know best if users still at institution and are best placed to state what their privileges are/should be

8 Introducing Shibboleth Shibboleth ( Definition Shibboleth [Hebrew for an ear of corn, or a stream or flood] 1. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. 2. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. ] Shibboleth will replace Athens as access mgt system across UK academia Federations based on trust or more accurately trust but verify numerous international federations exist MAMS, SWITCH, HAKA, SDSS

9 Typical Shibboleth Scenario Identity Provider LDAP AuthN 4. Home site authenticates user Home Institution 3.User selects their home institution Federation Service provider 2. Shibboleth redirects user to W.A.Y.F. service 5. User accesses resource W.A.Y.F. User 1. User points browser at Grid resource/portal (or non-grid resource) Grid resource / portal

10 It s a start, but Benefit from local authentication but really want finer grained control I know you have authenticated, but I need to know that you have sufficient/correct privileges to access my VO resources can also return various other information needed to support authorisation decisions

11 Authorization Technologies Various technologies for authorization including PERMIS PrivilEge and Role Management Infrastructure Standards Validation Community Authorisation Service AKENTI CARDEA VOMS abstract.html At NeSC we have been working extensively with PERMIS

12 Role Based Access Controls Basic idea is to define: roles applicable to specific VO roles often hierarchical Role X Role Y Role Z Manager can do everything (and more) than an employee can do who can do everything (and more) than a trainee can do actions allowed/not allowed for VO members resources comprising VO infrastructure (computers, data resources etc) A policy then consists of sets of these rules { Role x Action x Target } Can user with VO role X invoke service Y on resource Z? Policy itself can be represented in many ways, e.g. XML, XACML, Tools available for policy editing, associating users with roles, signing policies etc Policies stored as attribute certificates in LDAP server (New tools/wizards presented at OGF18 Washington)

Home site authenticates user and pushes attributes to the service provider 3.User selects their home institution W.A.

13 Finer Grained Shibboleth Scenario Identity Provider Service provider LDAP AuthN Shib Frontend Home Institution 6. Make final AuthZ decision Grid Application Federation 4. Home site authenticates user and pushes attributes to the service provider 3.User selects their home institution W.A.Y.F. 5. Pass authentication info and attributes to authz function 2. Shibboleth redirects user to W.A.Y.F. service User 1. User points browser at Grid resource/portal Grid Portal

14 Ok, but I can do authorisation but I want singlesign on to lots of distributed resources across my VO (or VOs) Browser allows to keep session information so can access other resources without signing in again Provided authorisation information valid for different service providers Each service provider completely autonomous Can configure attribute release/attribute acceptance policies per identity provider/service provider

15 Applications

16 Nucleotide sequences Cell signalling Grid Based Systems Biology BRIDGES VOTES Cell Protein functions Protein-protein interaction (pathways) Tissues Physiology Organisms Populations Organs Grid + Security Nucleotide structures Gene expressions Protein Structures

17 BRIDGES Project VO Authorisation Synteny Service Magna Vista Service blast Oxford Private data CFG Virtual Organisation Glasgow Edinburgh Private data Information Integrator DATA HUB OGSA-DAI London Private data Private data Leicester Private data Netherlands Private data Publically Curated Data Ensembl OMIM SWISS-PROT MGI HUGO RGD + + +

18 VOTES Virtual Organisations for Trials and Epidemiological Studies 3 year ( 2.8M) MRC funded project started October 2005 Plans to develop framework for producing Grid infrastructures to address key components of clinical trial/observational study Recruitment of potentially eligible participants Data collection during the study Study administration and coordination Involves Glasgow, Oxford, Leicester/Nottingham, Manchester, Imperial» Strong links with UK Biobank Clinical Virtual Organisation Framework Used to realise CVO-2 (e.g. for recruitment) CVO-1 (e.g. for data collection) Disease registries GPs GLA OX Transfer Grid Lei- Nott IMP Hospital databases Clinical trial data sets

19 Secondary Usage of Clinical Data Some domains (clinical) need to know how data will be used once collected, others not so restrictive ;o)

20 Demo

21 User tries to access Shibboleth protected BRIDGES portal

28 Grid Blast Interface Allows genome scale blasting Transparently uses NGS, ScotGrid, other GU clusters, Condor pools Many databases already deployed across nodes No user certificates Fine grained security at back-end

29 User now tries to access Shibboleth protected VOTES portal

37 Applications

40 Dynamicity, Scalability? UK Shibboleth federation based around small set of pre-agreed attributes based on eduperson schema edupersonscopedaffiliation: indicates the user s relationship (e.g., staff, student, etc) within the institution; edupersontargetedid: needed when an SP is presented with an anonymous assertion only, e.g. edupersonscopedaffiliation. This attribute provides a persistent user pseudonym; edupersonprincipalname: used where a persistent user identifier consistent across different services is needed; edupersonentitlement: enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource Grid vision for dynamic virtual organisations Add, remove, change people, institutes, their privileges on the fly for changing sets of resources as required by the VO

41 Dynamicity, Scalability? Dynamic Virtual Organisations for e-science Education (DyVOSE) project Delegation issuing service I can trust remote Source of Authority to issue my local roles to their remote users Remote Source of Authority trusts me to assign their roles to my users

42 Trust Trust underpins Shibboleth/Grids What if remote site does not treat authentication as seriously as it should? University of Glasgow used to have Multiple usernames/passwords for staff students Now moved to single unified account management system based on Novell nsure active directory technology Identity management based on Human Resources information for staff Registry for students Based on this have Shib-enabled numerous non-grid resources WebSurf» Student/staff service, e.g. courses registered, credits earned etc Moodle» Glasgow virtual e-learning environment Various others

43 Future Plans Several other projects exploring this space Working with EDINA on Shibboleth access to Geographical Information Systems (project starts October 2006) Major EPSRC pilot project ( 5.3M) on Meeting the Design Challenges of nanocmos Electronics (project starts October 2006 Security essential in this domain including support for IP of data, simulations, processes, licenses, )

44 Questions?

Grid Computing (M) Richard Sinnott

Grid Security (2) Grid Computing (M) Richard Sinnott Grids in a nutshell and the security consequences Could be argued that Grid all boils down to dynamically establishing and managing Virtual Organisations