CILogon. Federating Non-Web Applications: An Update. Terry Fleury

Transcription

1 Federating Non-Web Applications: An Update Terry Fleury This material is based upon work supported by the National Science Foundation under grant number Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

2 Project Goal Enable campus logon to CyberInfrastructure (CI) Use researchers existing security credentials at their home institution Ease credential management for researchers and CI providers

3 Example Non-Web Apps in CI Remote Login: SSH/GSISSH Remote File transfer: GridFTP, SCP/SFTP Remote Compute: GRAM, BES, Condor-G Data Management: SRM, irods/srb Remote Instrument Management: ESB

4 Our Approach (1) Work with existing infrastructure Leverage the federated authentication supported by campuses today SAML Web Browser Single Sign-On Leverage the PKI supported by grids today Bridge via online Certification Authority (CA) Examples: SWITCH SLCS ( DFN SLCS ( NGS Shibboleth Login ( TERENA Certificate Service ( TeraGrid Federated Login ( (

5 Our Approach (2) Identity Providers OpenID User s Desktop SAML X.509 Certificate Id, IdP

6 One Year Ago Oct 2010 Basic JWS Client Short-lived certificates only Max liftetime of 10 days PEM formatted only

7 Incremental Additions (1) Nov 2010 JWS Client Extend max lifetime of cert to 13 months Download both PEM and PKCS12 versions Private key encrypted

8 Incremental Additions (2) Dec 2010 Activation Code Short lived token can be used with command line clients to fetch credential $ python gridshibca-client.py Please enter your Activation Code: *********************** Using GridShib CA server at Generating private keys and certificate request. Credential written to /tmp/x509up_u28064 Success. $ openssl x509 -in /tmp/x509up_u noout -subject -issuer -dates subject= /DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Terrence Fleury A263 issuer= /DC=org/DC=cilogon/C=US/O=/CN= Basic CA 1 notbefore=sep 21 21:15: GMT notafter=sep 22 09:20: GMT

9 Incremental Additions (3) Feb Certificate Download Link Both public and private keys generated server-side Link can be fetched with curl/wget

10 Incremental Additions (4) Jun 2011 ECP Client Perl-based CLI for fetching credential Utilizes ECP-enabled IdPs $ curl -sso $ perl ecp.pl --get cert -c create -k userkey.pem -o usercert.pem -t 12 Select an Identity Provider (IdP): 1> LTER Network 2> ProtectNetwork 3> University of Chicago 4> University of Washington 5> Specify the URL of another IdP Choose [2]: 2 Enter a username for the Identity Provider: jbasney Enter a password for the Identity Provider: ************ $ grid-proxy-init -cert usercert.pem -key userkey.pem -hours 4 Your identity: /DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Jim Basney A685 Creating proxy... Done $ gsissh citest.example.edu

11 Support for Non-Web Apps Option #1 Use browser-based authentication (SAML, OpenID) Get URL for certificate download (wget/curl) Or use Java Web Start, Activation Code, etc. Use certificate for non-browser authentication Unfortunately still requires a browser Option #2 Use SAML Enhanced Client or Proxy (ECP) authentication outside the browser to download certificate ECP adoption by InCommon campuses beginning Successfully tested with U Washington, U Chicago, LTER, and ProtectNetwork For more info:

12 Evaluation Benefits: It works! Command-line SSO RFC 3820 proxy certificate delegation Drawbacks: Limited number of ECP-enabled IdPs SAML+PKI = complex Only for certificateenabled apps Federated Login to TeraGrid

13 Conclusions provides a bridge from federated authentication to non-web CI apps Using online CAs to bridge SAML to PKI Working with today s infrastructure We look forward to campus deployment of solutions without browser dependencies (i.e., SAML ECP and Project Moonshot)

14 Thank You For more information: