globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory


Computation Institute (CI)
- Apply to challenging problems
- Accelerate by building the research cloud
- Promulgate via new educational methods

Apply computation: Examples
- Understand supernovae to measure the universe (ASC FLASH)
- Extract meaning from scientific images (DTI for TBI: diffusion tensor imaging)
- Transform digital media into art
- Create better models for climate & energy policy (CIM-EARTH)
- Map human knowledge in the humanities and science (ARTFL)
- Explain cellular structure (CMTS, Center for Multiscale Theory and Simulation; Conte Center)

Accelerate discovery via the research cloud
- Millions of researchers worldwide need advanced IT to tackle important and urgent problems
- The Research Cloud: accelerate discovery and innovation worldwide by providing research IT as a service

Why SaaS?
(Diagram: Software-as-a-Service (SaaS) / Platform-as-a-Service (PaaS) / Infrastructure-as-a-Service (IaaS))
- Delivers advanced functionality that:
  - Requires no user software installation or operation
  - Requires minimal IT proficiency
  - Can be cheaply and incrementally adopted
  - Usage-based subscription pricing; no big up-front costs
- Consolidates troubleshooting and support
  - An expert group can proactively detect and correct problems
- Utilizes an efficient software delivery lifecycle
  - Updates developed, tested and deployed quickly
- Dominates commercial & consumer markets
  - What about the research market?

Globus Transfer: For when you want to...
- Transfer and synchronize files
  - Easy fire-and-forget transfers
  - Automatic fault recovery
  - High performance
  - Across multiple security domains
- Minimize IT costs
  - Software as a Service (SaaS)
  - No client software installation
  - New features automatically available
  - Consolidated support & troubleshooting
  - Simple endpoint installation with Globus Connect and GridFTP
- >5,000 registered users, 6PB / 500M files transferred

Globus Storage: For when you want to...
- Place your data where you want
- Access it from anywhere via different protocols (Globus Transfer, HTTP/REST, desktop sync)
- Update it, version it, and take snapshots
- Share versions with who you want
- Synchronize among locations
(Diagram: a Globus Storage volume hosted at a commercial storage service provider, a national research center, or a campus computing center)

Globus Collaborate: For when you want to...
- Join with a few or many people to:
  - Share documents
  - Track tasks
  - Communicate
  - Share data
  - Work together
- With:
  - Common groups
  - Delegated management

PaaS for Research
(Diagram: Software-as-a-Service (SaaS) / Platform-as-a-Service (PaaS) / Infrastructure-as-a-Service (IaaS))
- No one SaaS provider can deliver it all
- Must create an ecosystem that:
  - Allows any SaaS provider to easily participate
  - Dramatically reduces the cost of creating and operating services within the ecosystem
  - Provides a seamless user experience across services
  - Is agnostic to / works across any cloud IaaS provider
  - Integrates with (existing) research infrastructure
- Ecosystem requires Platform as a Service
- Target the unique needs of the research community

Globus Integrate: For when you want to...
- Integrate with the Globus research cloud ecosystem
- Write programs that leverage:
  - User identities, profiles, groups (Globus Nexus)
  - Data, compute and collaboration (Globus Transfer, Globus Storage, Globus Collaborate, Globus Compute)
  - via REST APIs and command line programs
(Diagram: Globus Integrate, Globus Toolkit, Globus Connect Multi User, Globus Connect, Globus Nexus)

Globus Nexus: For when you want to...
- Manage identities
- Manage groups
- Manage profiles

Globus Nexus: Manage Identities
- Nexus is a federated identity relying party
  - Multiple federated identities linked to a Globus account
  - Supports: InCommon/CILogon, OpenID, MyProxy, OAuth for MyProxy
- Nexus is a (federated) identity provider
  - Native or federated identity provider to Globus and 3rd party services
  - User authenticates to the Globus account with username/password or via a 3rd party federated identity provider
  - Uses OAuth 2 profile (future: SAML, OpenID?)
  - Auth provider for Globus REST APIs

Globus Nexus use of OAuth 2
- User authentication
  - Web browser: Globus account name and password, or federated identity providers linked to the Globus account
  - Native application: RSA (using SSL key), X.509 client auth, or username/password (Globus account, SAML ECP?)
- Client authentication using RSA (SSL key)
  - Globus account name is a valid client id
- Bearer access token for resource access

Delegated X.509 credential management
- Various (Globus) services require delegated X.509 client credentials to access resources
- Nexus federated authentication supports X.509 credential retrieval from OAuth for MyProxy
  - Authenticate with OAuth
  - Use the access token to get X.509 credentials
  - E.g., CILogon, GCMU, XSEDE
- Nexus REST API allows authorized services (OAuth clients) to get the credential

Integration of new and old
(Diagram: authentication & data transfer flow in eleven numbered steps between a campus cluster (Globus Connect Multi User, MyProxy Online CA, PAM, local authentication system such as LDAP, RADIUS or Kerberos, GridFTP server, local storage), the Globus Online hosted service, CILogon (OAuth) backed by a SAML InCommon IdP, and a second campus's GridFTP server. Labelled elements: access endpoints, OAuth server redirect, username/password, Certificate 1, Certificate 2, transfer request, authorization, access files.)

OAuth client vs resource
- Globus Transfer is:
  - OAuth client to Globus Nexus
  - OAuth resource provider to 3rd party clients
- Goal: allow full participation by 3rd parties
  - Use Globus Online services as OAuth client
  - Use Globus Nexus OAuth as resource server
- How to implement resource servers as a relying party to the Nexus OAuth service?
  - OAuth is silent on resource server and OAuth server interaction
- Make it easy for SaaS developers to use Nexus OAuth

Delegated, scoped OAuth access
- Ecosystem of communicating services
  - Any service can be a client to any other service's resource
  - Communication may be chained: user -> s1 -> s2 -> s3
- Use OAuth scope to limit the resources accessible by an access token
  - Must maintain a scope dependency tree
- Delegation: client1 delegating to client2
  - Bearer access token can be passed from client1 to client2 for full delegation
  - Or, allow client1's access token to be used to retrieve a new authorization code with narrow scope that is passed to client2, which client2 uses to get its own access token
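The narrow-scope delegation path on this slide (client1's access token buys a narrow authorization code for client2, who exchanges it for its own token) together with the scope dependency tree, modelled as an added example that is not Globus Nexus code. The scope names, the dependency tree, the service names s1/s2/s3 and the in-memory AuthServer are constructed for illustration.

```python
import secrets
from collections import namedtuple
# Constructed scope dependency tree (illustrative names, not real Nexus scopes):
# holding a scope implies the scopes the service behind it needs downstream.
SCOPE_DEPENDENCIES = {
    "transfer:manage": {"storage:read", "nexus:identity"},
    "storage:read": {"nexus:identity"},
    "nexus:identity": set(),
}
Token = namedtuple("Token", "client scopes chain")  # chain e.g. ("user", "s1", "s2")

def closure(scopes):
    """Requested scopes plus everything they transitively depend on."""
    out, stack = set(), list(scopes)
    while stack:
        s = stack.pop()
        if s not in out:
            out.add(s)
            stack.extend(SCOPE_DEPENDENCIES[s])  # KeyError on an unknown scope
    return frozenset(out)

class AuthServer:
    """In-memory stand-in for the Nexus OAuth service (example only)."""
    def __init__(self):
        self.tokens, self.codes = {}, {}
    def issue(self, client, scopes):
        """User authorizes client directly; the token carries the scope closure."""
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Token(client, closure(scopes), ("user", client))
        return tok
    def downscope(self, bearer, target, scopes):
        """client1 trades its token for a narrow-scope code meant for client2."""
        parent, wanted = self.tokens[bearer], closure(scopes)
        if not wanted <= parent.scopes:  # delegation may narrow, never widen
            raise PermissionError(f"cannot grant {sorted(wanted - parent.scopes)}")
        code = secrets.token_urlsafe(8)
        self.codes[code] = (target, wanted, parent.chain)
        return code
    def redeem(self, code, client):
        """client2 exchanges the single-use code for its own access token."""
        target, scopes, chain = self.codes.pop(code)
        if client != target:
            raise PermissionError("code was not issued to this client")
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = Token(client, scopes, chain + (client,))
        return tok
    def allows(self, bearer, scope):  # resource-server side check of a bearer token
        t = self.tokens.get(bearer)
        return t is not None and scope in t.scopes
```

Each token records the delegation chain, so a resource server can tell a token s2 obtained via s1 from one the user granted s2 directly, and s2 can never hold a scope s1 did not have.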

Globus Nexus: Manage Groups
- User-centric group management
  - Create group
  - Set policies (e.g., visibility, admins)
  - Control admission workflows
- Approach:
  - Keep identity issuance light-weight
  - Move vetting from identity creation to group admission
  - Allow each group to control its own admission policy
- REST APIs
  - Manage, query, etc.
  - Import/export (into a specified identity namespace)

Globus Nexus: Manage User Profiles
- Attribute/value information associated with a Globus account
- Group admission can require an extensible set of attributes, which are drawn from and stored in the user profile
- REST APIs
- Future: integrate with SAML attribute release and social network profiles

Domestication
- Goal: common tools should be able to leverage federated identities, groups, profiles
  - Wikis, issue tracking, science gateways, etc.
- Community effort to domesticate applications and services?
- What APIs?
  - Identity: OAuth 2, SAML?, X.509 certs?
  - Groups: LDAP? REST?
  - Profile: OpenID Connect?

For More Information
- Visit https:///signup to: get a free account and start moving files
- Visit for: tutorials, FAQs, Pro Tips, troubleshooting; papers, case studies
- Contact support@globusonline.org for: help getting started & using the service
- Follow us at @globusonline on Twitter and Globus Online on Facebook