An e-voyage showing Single Sign-on via Shibboleth in Action
|
|
- Dinah Bruce
- 6 years ago
- Views:
Transcription
1 An e-voyage showing Single Sign-on via Shibboleth in Action Prof Richard Sinnott Technical Director National e-science Centre University of Glasgow
2 Grid Security What do we really want? Ease of use for end users Single sign-on to distributed resources Site autonomy Manageability for local sys-admins Scalability for large scale virtual organisations Fine grained security as/when needed Dynamicity Shibboleth + Grid + advanced authorisation infrastructures can address many of these issues
3 Ease of Use For Grids/e-Research to be truly successful (ubiquitous) have to be made as seamless to access and use as the internet Forget training, education for some (most?) users! have to be based on research pull and not middleware push experiences in various projects have shown that users don t like digital certificates The majority most certainly won t jump through hoops to get on the Grid
4 Step 1 In UK e-science community X.509 PKI based on centralised CA with direct single hierarchy to users Typical scenario for getting Grid certificate 2. Check details of request RA 3. Ok? CA 1. Request certificate ( 4. Download and install certificate in browser 5. Download and install CRL User 6. Export certificate to various formats e.g. as Grid certificate $> openssl pkcs12 -in cert.p12 -clcerts -nokeys -out usercert.pem!!!! This is off-putting for end users!!! Typically not available on Windows!!! Root access? Local sys-admin?
5 But Identity management issues Certificate Revocation Lists When revoked? By whom? How timely? Strong passwords for private keys Users write them down, share them, forget them Privilege Management Numerous domains where never get access to local account to do stuff User classification Tinkerers vs much larger e-research Community they want services to point their browser at and point click to run things on the Grid I don t want an account on a cluster, I m a biologist who wants to run BLAST on a free National Grid resource
6 As a result ~3500 UK e-science certs 1000 for Manchester cluster But over 3 Million Athens accounts in UK HE/FE Iceberg is not to scale!!!!
7 How Can we Improve Things? We don t want each domain reinventing their own security solutions Best to exploit local authentication Sites know best if users still at institution and are best placed to state what their privileges are/should be
8 Introducing Shibboleth Shibboleth ( Definition Shibboleth [Hebrew for an ear of corn, or a stream or flood] 1. A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See --Judges xii. 2. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase. ] Shibboleth will replace Athens as access mgt system across UK academia Federations based on trust or more accurately trust but verify numerous international federations exist MAMS, SWITCH, HAKA, SDSS
9 Typical Shibboleth Scenario Identity Provider LDAP AuthN 4. Home site authenticates user Home Institution 3.User selects their home institution Federation Service provider 2. Shibboleth redirects user to W.A.Y.F. service 5. User accesses resource W.A.Y.F. User 1. User points browser at Grid resource/portal (or non-grid resource) Grid resource / portal
10 It s a start, but Benefit from local authentication but really want finer grained control I know you have authenticated, but I need to know that you have sufficient/correct privileges to access my VO resources can also return various other information needed to support authorisation decisions
11 Authorization Technologies Various technologies for authorization including PERMIS PrivilEge and Role Management Infrastructure Standards Validation Community Authorisation Service AKENTI CARDEA VOMS abstract.html At NeSC we have been working extensively with PERMIS
12 Role Based Access Controls Basic idea is to define: roles applicable to specific VO roles often hierarchical Role X Role Y Role Z Manager can do everything (and more) than an employee can do who can do everything (and more) than a trainee can do actions allowed/not allowed for VO members resources comprising VO infrastructure (computers, data resources etc) A policy then consists of sets of these rules { Role x Action x Target } Can user with VO role X invoke service Y on resource Z? Policy itself can be represented in many ways, e.g. XML, XACML, Tools available for policy editing, associating users with roles, signing policies etc Policies stored as attribute certificates in LDAP server (New tools/wizards presented at OGF18 Washington)
13 Finer Grained Shibboleth Scenario Identity Provider Service provider LDAP AuthN Shib Frontend Home Institution 6. Make final AuthZ decision Grid Application Federation 4. Home site authenticates user and pushes attributes to the service provider 3.User selects their home institution W.A.Y.F. 5. Pass authentication info and attributes to authz function 2. Shibboleth redirects user to W.A.Y.F. service User 1. User points browser at Grid resource/portal Grid Portal
14 Ok, but I can do authorisation but I want singlesign on to lots of distributed resources across my VO (or VOs) Browser allows to keep session information so can access other resources without signing in again Provided authorisation information valid for different service providers Each service provider completely autonomous Can configure attribute release/attribute acceptance policies per identity provider/service provider
15 Applications
16 Nucleotide sequences Cell signalling Grid Based Systems Biology BRIDGES VOTES Cell Protein functions Protein-protein interaction (pathways) Tissues Physiology Organisms Populations Organs Grid + Security Nucleotide structures Gene expressions Protein Structures
17 BRIDGES Project VO Authorisation Synteny Service Magna Vista Service blast Oxford Private data CFG Virtual Organisation Glasgow Edinburgh Private data Information Integrator DATA HUB OGSA-DAI London Private data Private data Leicester Private data Netherlands Private data Publically Curated Data Ensembl OMIM SWISS-PROT MGI HUGO RGD + + +
18 VOTES Virtual Organisations for Trials and Epidemiological Studies 3 year ( 2.8M) MRC funded project started October 2005 Plans to develop framework for producing Grid infrastructures to address key components of clinical trial/observational study Recruitment of potentially eligible participants Data collection during the study Study administration and coordination Involves Glasgow, Oxford, Leicester/Nottingham, Manchester, Imperial» Strong links with UK Biobank Clinical Virtual Organisation Framework Used to realise CVO-2 (e.g. for recruitment) CVO-1 (e.g. for data collection) Disease registries GPs GLA OX Transfer Grid Lei- Nott IMP Hospital databases Clinical trial data sets
19 Secondary Usage of Clinical Data Some domains (clinical) need to know how data will be used once collected, others not so restrictive ;o)
20 Demo
21 User tries to access Shibboleth protected BRIDGES portal
22
23
24
25
26
27
28 Grid Blast Interface Allows genome scale blasting Transparently uses NGS, ScotGrid, other GU clusters, Condor pools Many databases already deployed across nodes No user certificates Fine grained security at back-end
29 User now tries to access Shibboleth protected VOTES portal
30
31
32
33
34
35
36
37 Applications
38
39
40 Dynamicity, Scalability? UK Shibboleth federation based around small set of pre-agreed attributes based on eduperson schema edupersonscopedaffiliation: indicates the user s relationship (e.g., staff, student, etc) within the institution; edupersontargetedid: needed when an SP is presented with an anonymous assertion only, e.g. edupersonscopedaffiliation. This attribute provides a persistent user pseudonym; edupersonprincipalname: used where a persistent user identifier consistent across different services is needed; edupersonentitlement: enables an institution to assert that a user satisfies an additional set of specific conditions that apply for access to a particular resource Grid vision for dynamic virtual organisations Add, remove, change people, institutes, their privileges on the fly for changing sets of resources as required by the VO
41 Dynamicity, Scalability? Dynamic Virtual Organisations for e-science Education (DyVOSE) project Delegation issuing service I can trust remote Source of Authority to issue my local roles to their remote users Remote Source of Authority trusts me to assign their roles to my users
42 Trust Trust underpins Shibboleth/Grids What if remote site does not treat authentication as seriously as it should? University of Glasgow used to have Multiple usernames/passwords for staff students Now moved to single unified account management system based on Novell nsure active directory technology Identity management based on Human Resources information for staff Registry for students Based on this have Shib-enabled numerous non-grid resources WebSurf» Student/staff service, e.g. courses registered, credits earned etc Moodle» Glasgow virtual e-learning environment Various others
43 Future Plans Several other projects exploring this space Working with EDINA on Shibboleth access to Geographical Information Systems (project starts October 2006) Major EPSRC pilot project ( 5.3M) on Meeting the Design Challenges of nanocmos Electronics (project starts October 2006 Security essential in this domain including support for IP of data, simulations, processes, licenses, )
44 Questions?
Grid Computing (M) Richard Sinnott
Grid Security (2) Grid Computing (M) Richard Sinnott Grids in a nutshell and the security consequences Could be argued that Grid all boils down to dynamically establishing and managing Virtual Organisations
More informationShibboleth-based Access to and Usage of Grid Resources
Shibboleth-based Access to and Usage of Grid Resources R. O. Sinnott 1, J. Jiang 2, J. Watt 3, O. Ajayi 4 National e-science Centre University of Glasgow United Kingdom 1 r.sinnott@nesc.gla.ac.uk 2 j.jiang@nesc.gla.ac.uk
More informationDeposited on: 7 September 2009
Watt, J. and Sinnott, R.O. and Jiang, J. (2007) The GLASS project: supporting secure shibboleth-based single sign-on to campus resources. In: Cox, S.J. (ed.) Proceedings of the UK e-science All Hands Meeting
More informationDeposited on: 10 September 2009
Watt, J. and Sinnott, R.O. and Jiang, J. and Doherty, T. and Stell, A. and Martin, D. and Stewart, G. (2007) Federated authentication and authorisation for e-science. In: APAC Conference and Exhibition,
More informationFuture of Grid Computing
Future of Grid Computing Dr Richard Sinnott http://csperkins.org/teaching/2004-2005/gc5/ Future of Grid Computing Overview Classifications of Grid Computing Future and challenges of different classifications
More informationReport for the GGF 16 BoF for Grid Developers and Deployers Leveraging Shibboleth
GFD-I.079 Von Welch, NCSA Individual submission March 6, 2006 Report for the GGF 16 BoF for Grid Developers and Deployers Leveraging Shibboleth Copyright Open Grid Forum (2006). All Rights Reserved. Abstract
More informationExperiences of Applying Advanced Grid Authorisation Infrastructures
Experiences of Applying Advanced Grid Authorisation Infrastructures R.O. Sinnott 1, A.J. Stell 1, D.W. Chadwick 2, O.Otenko 2 1 National e-science Centre, University of Glasgow {ros@dcs.gla.ac.uk, ajstell@dcs.gla.ac.uk}
More informationDeposited on: 10 September 2009
Sinnott, R.O. and Chadwick, D.W. and Doherty, T. and Martin, D. and Stell, A. and Stewart, G. and Su, L. and Watt, J. (2008) Advanced security for virtual organizations: the pros and cons of centralized
More informationEGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti
EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/
More informationSupporting Security-Oriented, Collaborative nanocmos Electronics Research
Supporting Security-Oriented, Collaborative nanocmos Electronics Research Richard O. Sinnott, Thomas Doherty, David Martin, Campbell Millar, Gordon Stewart, and John Watt National e-science Centre, University
More informationSINGLE SIGN-ON AND AUTHORIZATION FOR DYNAMIC VIRTUAL ORGANIZATIONS
SINGLE SIGN-ON AND AUTHORIZATION FOR DYNAMIC VIRTUAL ORGANIZATIONS R.O. Sinnott', O. Ajayi', A.J. Stelf, J. Watt', J. Jiang', J. Koetsier^ National e-science Centre 'University of Glasgow, Glasgow, SCOTLAND
More informationStell, A.J. and Sinnott, R.O. and Watt, J.P. (2005) Comparison of advanced authorisation infrastructures for grid computing. In, International Symposium on High Performance Computing Systems and Applications
More informationNew trends in Identity Management
New trends in Identity Management Peter Gietz, DAASI International GmbH peter.gietz@daasi.de Track on Research and Education Networking in South East Europe, Yu Info 2007, Kopaionik, Serbia 14 March 2007
More informationThe case for devolved authentication: over-centralised security doesn't work
The case for devolved authentication: over-centralised security doesn't work JISC Core Middleware meeting at NeSC: Developments within Security and Access Management Mark Norman This talk The DCOCE and
More informationA Simplified Access to Grid Resources for Virtual Research Communities
Consorzio COMETA - Progetto PI2S2 UNIONE EUROPEA A Simplified Access to Grid Resources for Virtual Research Communities Roberto BARBERA (1-3), Marco FARGETTA (3,*) and Riccardo ROTONDO (2) (1) Department
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Royal Society of Chemistry Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationTechnical Recommendations for Participants
UK Access Management Federation for Education and Research Technical Recommendations for Participants Ian A. Young 3 February 2012 Version 1.3 Table of Contents 1 Introduction... 3 1.1 Keeping Up To Date...
More informationThis talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and
This talk aims to introduce the Shibboleth web authentication/authorization framework and its intended deployment in the UK academic community and the University. Shibboleth named after an event in the
More informationDARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,
DARIAH-AAI DASISH AAI Meeting Nijmegen, March 9th, 2014 www.dariah.eu What is DARIAH? DARIAH: Digital Research Infrastructure for the Arts and Humanities One of the few ESFRI research infrastructures for
More informationA Guanxi Shibboleth based Security Infrastructure for e-social Science
A Guanxi Shibboleth based Security Infrastructure for e-social Science Wei Jie 1 Alistair Young 2 Junaid Arshad 3 June Finch 1 Rob Procter 1 Andy Turner 3 1 University of Manchester, UK 2 UHI Millennium
More informationTechnical Recommendations for Participants
UK Access Management Federation for Education and Research Technical Recommendations for Participants Ian A. Young 13 September 2010 Version 1.2 ST/AAI/UKF/DOC/003 Table of Contents 1 Introduction... 3
More informationIntegrating Identity Management Aspirations and Issues
Integrating Identity Management Aspirations and Issues James Dalziel Professor of Learning Technology, MAMS CI and Director, Macquarie E-Learning Centre Of Excellence (MELCOE) Macquarie University james@melcoe.mq.edu.au
More informationINDIGO AAI An overview and status update!
RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org INDIGO Datacloud An H2020 project
More informationEnabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI
EGEE security pitch Olle Mulmo EGEE Chief Security Architect KTH, Sweden www.eu-egee.org Project PR www.eu-egee.org EGEE EGEE is the largest Grid infrastructure project in the World? : 70 leading institutions
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name:_Unversity of Regina Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS
ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS Joseph Olufemi Dada & Andrew McNab School of Physics and Astronomy,
More information70-742: Identity in Windows Server Course Overview
70-742: Identity in Windows Server 2016 Course Overview This course provides students with the knowledge and skills to install and configure domain controllers, manage Active Directory objects, secure
More informationIntroduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan
Introduction of Identity & Access Management Federation Motonori Nakamura, NII Japan } IP networking } The network enables a variety type of attractive applications } Communication E-mail Video conferencing
More informationAuthentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.
Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November 3th, 2005 Von Welch vwelch@ncsa.uiuc.edu Outline
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Submit Form Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationAA Developers Meeting
AA Developers Meeting Attendees Alan Robiette Ali Odaci Bob Morgan David Chadwick David Orrell Diego Lopez Ingrid Melve Licia Florio Lyn Norris Maarten Koopmans Roland Hedberg Thomas Lenggenhager Ton Verschuren
More information30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy
Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy Why the Grid? Science is becoming increasingly digital and needs to deal with increasing amounts of
More informationThe IRISGrid Infrastructure Seamless Support for VOs. JRES2005, Marseille
The IRISGrid Infrastructure Seamless Support for VOs Virtual Organisations Why a support infrastructure s own and require resources Shared Collective Resource Resource Resource Resource Resource Resource
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: British Columbia Institute of Technology Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation
More informationLionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine
LionShare: A Hybrid Secure Network for Academic Collaboration Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine Presentation Overview Brief LionShare Overview LionShare Security Overview Connecting
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Concordia University of Edmonton Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that
More informationExpires: 11 October April 2002
Internet-Draft AAAarch RG Intended Category: Informational David Chadwick University of Salford Expires: 11 October 2002 11 April 2002 The PERMIS X.509 Based Privilege Management Infrastructure
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: CARLETON UNIVERSITY Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationIntroduction to Programming and Computing for Scientists
Oxana Smirnova (Lund University) Programming for Scientists Tutorial 4b 1 / 44 Introduction to Programming and Computing for Scientists Oxana Smirnova Lund University Tutorial 4b: Grid certificates and
More informationSLCS and VASH Service Interoperability of Shibboleth and glite
SLCS and VASH Service Interoperability of Shibboleth and glite Christoph Witzig, SWITCH (witzig@switch.ch) www.eu-egee.org NREN Grid Workshop Nov 30th, 2007 - Malaga EGEE and glite are registered trademarks
More informationTutorial 1: Introduction to Globus Toolkit. John Watt, National e-science Centre
Tutorial 1: Introduction to Globus Toolkit John Watt, National e-science Centre National e-science Centre Kelvin Hub Opened May 2003 Kelvin Building Staff Technical Director Prof. Richard Sinnott 6 RAs
More informationCanadian Access Federation: Trust Assertion Document (TAD)
1. Canadian Access Federation Participant Information 1.1.1. Organization name: DOUGLAS COLLEGE 1.1.2. Information below is accurate as of this date: November 16, 2017 1.2 Identity Management and/or Privacy
More informationInformation and monitoring
Information and monitoring Information is essential Application database Certificate Certificate Authorised users directory Certificate Certificate Grid tools Researcher Certificate Policies Information
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationA VO-friendly, Community-based Authorization Framework
A VO-friendly, Community-based Authorization Framework Part 1: Use Cases, Requirements, and Approach Ray Plante and Bruce Loftis NCSA Version 0.1 (February 11, 2005) Abstract The era of massive surveys
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationArcGIS Server and Portal for ArcGIS An Introduction to Security
ArcGIS Server and Portal for ArcGIS An Introduction to Security Jeff Smith & Derek Law July 21, 2015 Agenda Strongly Recommend: Knowledge of ArcGIS Server and Portal for ArcGIS Security in the context
More informationGrid Computing Security
Anirban Chakrabarti Grid Computing Security With 87 Figures and 12 Tables Sprin g er Contents Preface Organization Acknowledgments v vi vii 1 Introduction 1 1.1 Background 1 1.2 Grid Computing Overview
More informationUAB IT Academic Computing
UAB IT Academic Computing David L Shealy, Director Jill Gemmill, Asst. Director John-Paul Robinson, System Programmer Lead Mission Provide leadership for UAB research community while interfacing important
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Portage Network 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources
More information6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename
6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename Certificate formats (DER, PEM, PKCS #12) 6.2 Certificate Authorities
More informationRole-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)
Wright State University CORE Scholar Browse all Theses and Dissertations Theses and Dissertations 2007 Role-Based Access Control for the Open Grid Services Architecture - Data Access and Integration (OGSA-DAI)
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationGrids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan
Grids and Security Ian Neilson Grid Deployment Group CERN TF-CSIRT London 27 Jan 2004-1 TOC Background Grids Grid Projects Some Technical Aspects The three or four A s Some Operational Aspects Security
More information1. Federation Participant Information DRAFT
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES [NOTE: This document should be considered a as MIT is still in the process of spinning up its participation in InCommon.] Participation in InCommon
More informationEDINBURGH S TELFORD COLLEGE
Table of Contents Executive Summary 1 Background Information 1 Access Management 2 Methodology 2 Project Experience 4 References 4 Executive Summary This case study describes the experiences at Edinburgh
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and accurate identity attributes to resources being accessed, and that Participants
More informationManagement der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.
Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen 58. DFN- Betriebstagung, Berlin, 12.3.2013 Peter Gietz, DAASI International GmbH DARIAH EU VCC 1 e-infrastructure
More informationIntegrating Federations in the International Grid Trust Fabric
Integrating Federations in the International Grid Trust Fabric David Groep Nikhef Dutch national institute for sub-atomic physics Grids, Eduroam, Federations Different terms, same issues How to provide
More informationIntroduction to Identity Management Systems
Introduction to Identity Management Systems Ajay Daryanani Middleware Engineer, RedIRIS / Red.es Kopaonik, 13th March 2007 1 1 Outline 1. Reasons for IdM 2. IdM Roadmap 3. Definitions 4. Components and
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationFeduShare Update. AuthNZ the SAML way for VOs
FeduShare Update AuthNZ the SAML way for VOs FeduShare Goals: Provide transparent sharing of campus resources in support of (multiinstitutional) collaboration Support both HTTP and non-web access using
More informationThe safe share project John Chapman, Deputy head, information security, Jisc
John Chapman, Deputy head, information security, Jisc What: a pilot project enabling the secure exchange of data collected by Government and the NHS using an encrypted overlay over the Janet network to
More informationGreek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet
Greek Research and Technology Network Authentication & Authorization Infrastructure Faidon Liambotis faidon@.gr Networking Research and Education February 22 nd, 2011 1 Who am I? Servers & Services Engineer,
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative and
More informationAuthorization Strategies for Virtualized Environments in Grid Computing Systems
Authorization Strategies for Virtualized Environments in Grid Computing Systems Xinming Ou Anna Squicciarini Sebastien Goasguen Elisa Bertino Purdue University Abstract The development of adequate security
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Conestoga College Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationCertification Authority
Certification Authority Overview Identifying CA Hierarchy Design Requirements Common CA Hierarchy Designs Documenting Legal Requirements Analyzing Design Requirements Designing a Hierarchy Structure Identifying
More informationFederated access to Grid resources
Federated access to Grid resources http://tinyurl.com/loubf Keith Hazelton (hazelton@wisc.edu) Internet2 Middleware Architecture Comm. for Ed. APAN, Singapore, 19-July-06 Topics http://tinyurl.com/loubf
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name Wilfrid Laurier University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they
More informationNext Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop
Next Generation Physical Access Control Systems A Smart Card Alliance Educational Institute Workshop PACS Integration into the Identity Infrastructure Salvatore D Agostino CEO, IDmachines LLC 8 th Annual
More informationPublic. Atos Trustcenter. Server Certificates + Codesigning Certificates. Version 1.2
Atos Trustcenter Server Certificates + Codesigning Certificates Version 1.2 20.11.2015 Content 1 Introduction... 3 2 The Atos Trustcenter Portfolio... 3 3 TrustedRoot PKI... 4 3.1 TrustedRoot Hierarchy...
More informationFederated Access Management Futures
Federated Access Management Futures Ian A. Young SDSS, Edina, University of Edinburgh ian@iay.org.uk Prediction is very difficult, especially about the future. Niels Bohr What to expect Prepared material
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: St. Thomas University Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in InCommon Federation ( Federation ) enables the participant to use Shibboleth identity attribute sharing technologies to manage access
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name:_Gale_Cengage Learning Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert
More informationAAI in EGI Current status
AAI in EGI Current status Peter Solagna EGI.eu Operations Manager www.egi.eu EGI-Engage is co-funded by the Horizon 2020 Framework Programme of the European Union under grant number 654142 User authentication
More informationShibboleth Mark Gavillet
ibboleth k Gavillet ackground - the SAPIR project essons learned hat is Shibboleth? ccess management enefits and implications emonstration Overview nable SSO access to the Metalib portal system eplace
More informationReport for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids
GFD-I.089 Von Welch, NCSA (Editor) October 6, 2005 Report for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids Copyright Open Grid Forum (2006-2007). All Rights Reserved.
More informationOdette CA Help File and User Manual
How to Order and Install Odette Certificates For a German version of this file please follow this link. Odette CA Help File and User Manual 1 Release date 31.05.2016 Contents Preparation for Ordering an
More informationInternet2 Overview, Services and Activities. Fall 2007 Council Briefings October 7, 2007
Internet2 Overview, Services and Activities Fall 2007 Council Briefings October 7, 2007 Agenda Building Community - Marianne Smith International Partnerships Heather Boyles Middleware and Security - Renee
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant") to use Shibboleth identity
More informationMOC 6232A: Implementing a Microsoft SQL Server 2008 Database
MOC 6232A: Implementing a Microsoft SQL Server 2008 Database Course Number: 6232A Course Length: 5 Days Course Overview This course provides students with the knowledge and skills to implement a Microsoft
More informationServer-based Certificate Validation Protocol
Server-based Certificate Validation Protocol Digital Certificate and PKI a public-key certificate is a digital certificate that binds a system entity's identity to a public key value, and possibly to additional
More informationThis help covers the ordering, download and installation procedure for Odette Digital Certificates.
This help covers the ordering, download and installation procedure for Odette Digital Certificates. Answers to Frequently Asked Questions are available online CONTENTS Preparation for Ordering an Odette
More informationINCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES (POP)
INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES (POP) GALLAUDET UNIVERSITY Participation in the InCommon Federation ( Federation ) enables a federation participating organization ("Participant")
More informationArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith
ArcGIS Enterprise Security: An Introduction Gregory Ponto & Jeff Smith Agenda ArcGIS Enterprise Security Model Portal for ArcGIS Authentication Authorization Building the Enterprise Encryption Collaboration
More informationLecture Notes 14 : Public-Key Infrastructure
6.857 Computer and Network Security October 24, 2002 Lecture Notes 14 : Public-Key Infrastructure Lecturer: Ron Rivest Scribe: Armour/Johann-Berkel/Owsley/Quealy [These notes come from Fall 2001. These
More informationCanadian Access Federation: Trust Assertion Document (TAD)
Participant Name: Lynda.com Canadian Access Federation: Trust Assertion Document (TAD) 1. Purpose A fundamental requirement of Participants in the Canadian Access Federation is that they assert authoritative
More informationJuliusz Pukacki OGF25 - Grid technologies in e-health Catania, 2-6 March 2009
Grid Technologies for Cancer Research in the ACGT Project Juliusz Pukacki (pukacki@man.poznan.pl) OGF25 - Grid technologies in e-health Catania, 2-6 March 2009 Outline ACGT project ACGT architecture Layers
More information