Federated access to e-infrastructures worldwide


Federated access to e-infrastructures worldwide Marco Fargetta, INFN Catania - Italy (marco.fargetta@ct.infn.it)

DCIs developed in the last decade (overview figure)

Evolution
- Research organisations are moving to cloud computing, both for internal services and for research applications
- Many different cloud models: public vs private vs commercial; IaaS, PaaS, SaaS
- The grid paradigm is still adopted by many projects, so grid and cloud will co-exist for a while
- Many mixed approaches are under investigation and testing

e-infrastructure problems
- Different authentication/authorisation mechanisms: username/password, X.509, others
- Different tools to interact with: GUI, CLI, API, web apps, web services, etc.
- Different middleware and workflows to execute applications
- Very little standard adoption, hence a lack of interoperability
- Difficult for users to move from one system to another

Science Gateways
A Science Gateway is a community-developed set of tools, applications, and data that is integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community. (TeraGrid/XSEDE definition)

Science Gateways A to E (figure). Primary requirement: building Science Gateways should be like playing with Lego bricks: standards, simplicity, ease of use, re-usability.

Catania Science Gateway Framework architecture (diagram): applications (App. 1, App. 2, ...) and MyCloud sit on top of a Grid/Cloud Engine (based on SAGA), embedded services and a CLEVER orchestrator (based on OCCI); administrators, scientists and cloud tenants are users belonging to identity federations, while HPC clusters and clouds #1 to #n are exposed as a single logical domain.

Unified authentication system
- Users have to use only one account for all the systems; the account is generally provided by the home institution
- SAML 2.0 is used
- Authentication to the e-infrastructure is performed by the Science Gateway, so the e-infrastructures do not distinguish individual Science Gateway users
- A user tracking DB is therefore implemented for accounting and auditing purposes, compliant with EGI policies
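Because the e-infrastructure sees the gateway's credential rather than the individual user, the tracking DB is the only link between an infrastructure-side job id and a person. The following added example (not code from the Catania Science Gateway Framework) sketches such a tracking DB with an in-memory SQLite table; the schema, column names, identities, gateway names and job ids are assumptions constructed for the example.

```python
"""Per-user tracking behind a shared gateway credential.

Added example; this is not code from the Catania Science Gateway Framework.
The e-infrastructure sees only the gateway's own credential, so the gateway
must record which federated user triggered each submission. The table
layout, the column names and the sample events below are assumptions
constructed for this example; an in-memory SQLite database stands in for the
real tracking DB.
"""
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS user_tracking (
    id        INTEGER PRIMARY KEY,
    timestamp TEXT NOT NULL,   -- UTC, ISO 8601
    eppn      TEXT NOT NULL,   -- eduPersonPrincipalName from the SAML assertion
    idp       TEXT NOT NULL,   -- entityID of the IdP that authenticated the user
    gateway   TEXT NOT NULL,   -- Science Gateway that handled the request
    action    TEXT NOT NULL,   -- job_submit, job_cancel, data_upload, ...
    resource  TEXT NOT NULL,   -- target infrastructure or endpoint
    reference TEXT             -- job/transfer id returned by the infrastructure
);
"""


def open_tracking_db(path=":memory:"):
    """Open (or create) the tracking DB. The application only ever INSERTs into it."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record(conn, eppn, idp, gateway, action, resource, reference=None, when=None):
    """Append one tracking entry; called by the gateway right after it acts on behalf of a user."""
    when = when or datetime.now(timezone.utc)
    conn.execute(
        "INSERT INTO user_tracking (timestamp, eppn, idp, gateway, action, resource, reference)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        (when.isoformat(), eppn, idp, gateway, action, resource, reference),
    )
    conn.commit()


def who_submitted(conn, resource, reference):
    """Incident-response lookup: which federated identity is behind job <reference> on <resource>?"""
    row = conn.execute(
        "SELECT eppn, idp, timestamp FROM user_tracking"
        " WHERE action = 'job_submit' AND resource = ? AND reference = ?",
        (resource, reference),
    ).fetchone()
    return None if row is None else {"eppn": row[0], "idp": row[1], "timestamp": row[2]}


def activity_of(conn, eppn):
    """Accounting lookup: everything a given user did through any gateway, oldest first."""
    rows = conn.execute(
        "SELECT timestamp, gateway, action, resource, reference FROM user_tracking"
        " WHERE eppn = ? ORDER BY timestamp",
        (eppn,),
    ).fetchall()
    return [dict(zip(("timestamp", "gateway", "action", "resource", "reference"), r)) for r in rows]


def sample_db():
    """Constructed sample events (assumed identities, gateways and job ids)."""
    conn = open_tracking_db()
    t0 = datetime(2014, 12, 18, 10, 0, tzinfo=timezone.utc)
    record(conn, "jdoe@example.org", "https://idp.example.org/idp/shibboleth",
           "dch-rp-sg", "job_submit", "grid:egi", "job-00123", when=t0)
    record(conn, "jdoe@example.org", "https://idp.example.org/idp/shibboleth",
           "dch-rp-sg", "data_upload", "glibrary", "collection/42", when=t0.replace(minute=5))
    record(conn, "asmith@catchall.example.org", "https://idp.catchall.example.org/idp/shibboleth",
           "dch-rp-sg", "job_submit", "cloud:openstack-1", "server-7f3a", when=t0.replace(minute=7))
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(who_submitted(db, "grid:egi", "job-00123"))
    print(activity_of(db, "jdoe@example.org"))
```

The log is append-only by construction (the application has no UPDATE or DELETE path) and keys every entry on the eppn plus the IdP entityID, since the same local part can exist at two IdPs. Retention must match the accounting policy of the infrastructure being used, because a job id reported by a site months later is useless if the matching row has already been purged.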

AuthN/AuthZ schema (diagram): the user is forwarded to the IdP within the identity federation; once authenticated, the Science Gateway retrieves the e-infrastructure credentials and acts on the e-infrastructures on the user's behalf.

Science Gateways deployed
- 12 SGs in production and others in development
- VRCs supported either by region or by discipline: Africa Grid, aginfra, CHAIN-REDS, COGITO-MED, DCH-RP, e-culture, DECIDE, EarthServer, EUMEDGRID, GARR, GISELA, IGI, KLIOS
- Very easy and intuitive access procedure
- User-driven development: surveys to propose applications are available in Italian and other languages

Official Identity (Inter-)Federations currently supported by Catania Science Gateways (map)

The TERENA AAA Study (Objectives) - https://confluence.terena.org/display/aaastudy/aaa+study+home+page
The goal has been broken down into two objectives:
1. A collection of users' access requirements coming from different communities;
2. A gap analysis of the existing AAIs used in the realm of research and education, the use-cases they support and the associated challenges.

The TERENA AAA Study (Findings) (figure)

The TERENA AAA Study (Recommendations) (table with columns: Recommendation, Action Required, Main Stakeholder(s), Area)

DCH-RP AAI Survey (www.dch-rp.eu)
- Digital Cultural Heritage Roadmap for Preservation (DCH-RP) is a coordination action supported by the European Commission under the e-Infrastructure Capacities Programme of the Seventh Framework Programme for Research (FP7)
- A survey about the AAI was performed both within and outside the project community, mainly among research and cultural organisations
- 20 organisations have already filled in the survey: http://dch-rp.eu/index.php?en/71/news-archive/6/dch-rp-questionnaire

DCH-RP AAI Survey (current findings; pie charts, with the percentages as shown on the slides)
- Are you aware of federated access or of Identity Federations? Yes / No (60% / 40% split)
- Is your institution part of a national Identity Federation? Yes / No / I don't know (75% / 15% / 10% split)
- Are you aware that in many European countries Identity Federations are operated by the NRENs? Yes / No (55% / 45% split)
- Do you think your users would benefit if your service were part of an existing Identity Federation? Yes / No / Possibly but not necessarily / I don't know / "Maybe; on the other side, many users could not appreciate auth" / Not applicable (one answer at 60%, one at 20%, the others at 5% each)
- Do you see any problems if users, in order to access your service, are authenticated by a "catch-all" Identity Provider? Yes / No / "I don't see any problems, but for sure others in my organization will" / I don't know / "Our users need to be authenticated by us" / "Possible issue related to spread of personal data" / Not applicable (one answer at 55%, one at 20%, the others at 5% each)
- Would you like to get support to create an Identity Provider to manage user accounts for your organization? Yes / No / I don't know / Not applicable (45% / 30% / 15% / 10% split)

The GrIDP catch-all federation (http://gridp.garr.it) (figure)

The Open and Social IdPs (figure)

REST API and mobile support, both Android and iOS (diagram): the DCH-RP ecsg mobile Science Gateway calls the gLibrary REST API (glibrary.ct.infn.it) through an API server gateway, which relies on the authentication service, the authorisation service and the e-infrastructure.

Implementation
- The Discovery Service, based on the Shibboleth DS, was modified to provide a JSON listing of federations and IdPs
- Federation and IdP selection is implemented as native apps for both Android and iOS
- The IdP login page is shown in a web view
- After the login, the native app catches the SAML token and closes the web view
- The token is then used for the communication with the RESTful services

Mobile authentication (screenshots of the web views and native apps)

IdP Management
- The catch-all IdP does not have an existing user DB to rely on
- Users need to ask for registration; anonymous self-registration is not supported
- A web application has been developed to manage the registration workflow
- LDAP is used as back-end DB
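The shape of such a registration workflow, as an added example that is not the INFN Catania user-management web application described on the page: a request only creates a pending record, an administrator must approve it, and only then is an LDAP entry generated. The base DN, the eppn scope of the catch-all IdP, the attribute set (inetOrgPerson plus eduPerson) and the {SSHA} password scheme understood by stock OpenLDAP are assumptions; the request store is in memory and the LDAP write is represented by the LDIF that would be fed to ldapadd.

```python
"""Registration workflow for a catch-all IdP that starts with an empty LDAP.

Added example; this is not the INFN Catania user-management web application.
Base DN, eppn scope, attribute set and the {SSHA} password scheme are assumptions.
"""
import base64
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

BASE_DN = "ou=people,dc=catchall,dc=example,dc=org"   # assumed
IDP_SCOPE = "catchall.example.org"                     # assumed scope for eduPersonPrincipalName


def ssha(password, salt=None):
    """OpenLDAP {SSHA}: base64(sha1(password || salt) || salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Check a password against a stored {SSHA} value (constant-time digest comparison)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(digest, hashlib.sha1(password.encode("utf-8") + salt).digest())


@dataclass
class RegistrationRequest:
    uid: str
    mail: str
    given_name: str
    sn: str
    affiliation: str          # eduPersonAffiliation value, e.g. member, faculty, student
    state: str = "pending"    # pending -> approved -> provisioned, or pending -> rejected
    decided_by: str = ""


class Registry:
    """Requests never become accounts on their own: an administrator must approve each one."""

    def __init__(self):
        self.requests = {}
        self.ldap_entries = {}   # uid -> LDIF that was (would be) written to the directory

    def submit(self, uid, mail, given_name, sn, affiliation):
        """Anonymous users may only file a request; nothing is written to LDAP here."""
        if uid in self.requests or uid in self.ldap_entries:
            raise ValueError("uid already requested or taken")
        self.requests[uid] = RegistrationRequest(uid, mail, given_name, sn, affiliation)
        return self.requests[uid]

    def decide(self, uid, admin, approve):
        req = self.requests[uid]
        if req.state != "pending":
            raise ValueError("request already decided")
        req.state = "approved" if approve else "rejected"
        req.decided_by = admin
        return req

    def is_provisionable(self, uid):
        return self.requests[uid].state == "approved"

    def provision(self, uid):
        """Create the LDAP entry for an approved request; returns (ldif, initial_password)."""
        req = self.requests[uid]
        if not self.is_provisionable(uid):
            raise PermissionError("cannot provision a request in state %r" % req.state)
        initial_password = secrets.token_urlsafe(12)   # delivered to the user out of band
        ldif = "\n".join([
            "dn: uid=%s,%s" % (uid, BASE_DN),
            "objectClass: inetOrgPerson",
            "objectClass: eduPerson",
            "uid: " + uid,
            "cn: %s %s" % (req.given_name, req.sn),
            "givenName: " + req.given_name,
            "sn: " + req.sn,
            "mail: " + req.mail,
            "eduPersonPrincipalName: %s@%s" % (uid, IDP_SCOPE),
            "eduPersonAffiliation: " + req.affiliation,
            "userPassword: " + ssha(initial_password),
        ]) + "\n"
        self.ldap_entries[uid] = ldif
        req.state = "provisioned"
        return ldif, initial_password


if __name__ == "__main__":
    reg = Registry()
    reg.submit("jdoe", "jdoe@example.org", "John", "Doe", "member")   # constructed sample request
    reg.decide("jdoe", admin="idp-admin", approve=True)
    print(reg.provision("jdoe")[0])
```

{SSHA} (salted SHA-1) is shown only because it is what stock slapd accepts out of the box; OpenLDAP's contrib pw-pbkdf2 or pw-argon2 modules give a stronger scheme and are preferable where they can be loaded. Whatever the scheme, the generated initial password should be treated as a one-time value the user is forced to change at first login.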

IdP Management (screenshots of the registration web application)

Science Gateway Authorisation
- At first access users are sent to an authorisation request form
- Fields are automatically populated with information from the SAML token; if not available, users must provide the information themselves
- If different roles are available, users can select one or more of them
- Users can apply for new roles at any time
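The two pieces described above, the mobile app handing a captured SAML token to the RESTful API and the gateway pre-filling the authorisation form from the token's attributes, share one requirement: the server must validate the assertion before reading anything out of it. The following added example (not code from the Catania Science Gateway Framework or from Shibboleth) does the server-side checks a practitioner would insist on (trusted issuer, validity window with clock skew, audience, replay of the assertion ID) and then maps the released attributes onto the form. The assertion is constructed for the example and is unsigned: in a real deployment the XML signature must be verified first (for instance with xmlsec via python3-saml) or none of these checks mean anything. The audience, issuer, attribute values and the role-to-entitlement mapping are assumptions.

```python
"""Server-side validation of a SAML assertion and pre-filling of the authorisation form.

Added example; not code from the Catania Science Gateway Framework or Shibboleth.
The sample assertion is constructed and unsigned (signature verification is out
of scope here); audience, issuer, attribute values and roles are assumptions.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard eduPerson / inetOrgPerson attribute OIDs as released by federation IdPs
ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",          # eduPersonPrincipalName
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.16.840.1.113730.3.1.241": "displayName",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "entitlement",   # eduPersonEntitlement
}

# Constructed sample: no displayName is released, so the form must ask the user for a name
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2014-12-18T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>_tr4ns13nt</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-12-18T09:59:30Z" NotOnOrAfter="2014-12-18T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sg.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>john.doe@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7"><saml:AttributeValue>urn:mace:example.org:sg:scientist</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed gateway roles, keyed by the entitlement value that grants them automatically
ROLE_ENTITLEMENTS = {
    "scientist": "urn:mace:example.org:sg:scientist",
    "data-curator": "urn:mace:example.org:sg:curator",
    "admin": "urn:mace:example.org:sg:admin",
}


class SamlValidationError(Exception):
    pass


def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, expected_audience, trusted_issuers, now, seen_ids, skew_s=60):
    """Issuer, validity window, audience and replay checks. Returns (issuer, {attr: [values]})."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise SamlValidationError("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    if issuer not in trusted_issuers:
        raise SamlValidationError("untrusted issuer %r" % issuer)
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    skew = timedelta(seconds=skew_s)
    if now < _utc(cond.get("NotBefore")) - skew or now >= _utc(cond.get("NotOnOrAfter")) + skew:
        raise SamlValidationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if expected_audience not in audiences:
        raise SamlValidationError("assertion not meant for this SP")
    # A token captured from the web view is a bearer credential: never accept the same one twice
    assertion_id = root.get("ID")
    if assertion_id in seen_ids:
        raise SamlValidationError("assertion replayed")
    seen_ids.add(assertion_id)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = ATTRIBUTES.get(attr.get("Name"), attr.get("Name"))
        attrs.setdefault(name, []).extend(v.text for v in attr.findall("saml:AttributeValue", SAML_NS))
    return issuer, attrs


def accepts(xml_text, expected_audience, trusted_issuers, now, seen_ids):
    """Boolean wrapper around validate_assertion for call sites that only need accept/reject."""
    try:
        validate_assertion(xml_text, expected_audience, trusted_issuers, now, seen_ids)
        return True
    except SamlValidationError:
        return False


def prefill_authorisation_form(attrs):
    """Populate the first-access form from released attributes; report what the user must still type."""
    form = {
        "username": attrs.get("eppn", [None])[0],
        "email": attrs.get("mail", [None])[0],
        "name": attrs.get("displayName", [None])[0],
    }
    missing = [k for k, v in form.items() if v is None]
    granted = [role for role, ent in ROLE_ENTITLEMENTS.items() if ent in attrs.get("entitlement", [])]
    selectable = [role for role in ROLE_ENTITLEMENTS if role not in granted]
    return form, missing, granted, selectable
```

The replay check is what keeps a token copied out of the web view (or out of a device log) from being useful a second time; the `seen_ids` set must live server-side and persist for at least the assertion lifetime, and the skew should match the tolerance configured on the IdP side. Roles not covered by an entitlement are offered for the user to select, matching the page's "users can select one or more of them", and the gateway still records that request for approval rather than granting it on the spot.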

Science Gateway Authorisation (screenshot of the authorisation request form)

After signing in: accessing digital repositories (screenshots)


After signing in: managing services in federated clouds (screenshots)

After signing in: running jobs on different infrastructures (screenshots)

Support to other organisations
- Some organisations are deploying SGs using our framework and tools, including those for authentication/authorisation
- Federations are not everywhere: many project partners are located in countries without a national identity federation, and no SAML know-how is available locally
- We are supporting organisations to deploy their own IdPs; they are starting with catch-all ones for their local communities

Some of the IdPs supported (logos)

Implementation and status
- The IdPs deployed use the same tools and web application as our catch-all IdP: Shibboleth, LDAP and the web application developed by INFN Catania for user management
- 3 IdPs are currently under test and 1 is already included in the GrIDP federation
- Some NRENs are also planning to create their own federation and add more IdPs
- IdPs for the organisations' own users are also foreseen in the short term

Summary
- Identity federations make authentication on distributed systems easy and safe
- Still, many organisations are not federated, and tools for non-federated users are needed
- We built a catch-all federation and catch-all IdPs
- Catch-all IdPs are important for services whose users are distributed across many countries and belong to many organisations
- Many organisations have been supported in implementing their services (IdPs and SGs)
- Tools for user management could be integrated in the main SAML implementations (e.g. Shibboleth)

Outlook
- Finalise the deployment of IdPs and integrate them in the GrIDP federation
- Foresee the use of SAML for the authentication to clouds: OpenStack-based clouds allow the use of SAML
- Investigate the integration with the OAuth protocol for mobile authentication and authorisation, since the current approach has several limitations
