SA1 CILogon pilot - motivation and setup

Similar documents
RCauth.eu / MasterPortal update

Guidelines on non-browser access

Evolving the trust fabric with AARC and EGI

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

2. HDF AAI Meeting -- Demo Slides

Hardware Tokens in META Centre

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

DIRAC Distributed Secure Framework

GSI Online Credential Retrieval Requirements. Jim Basney

Using the MyProxy Online Credential Repository

DIRAC distributed secure framework

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

INDIGO AAI An overview and status update!

Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway

VOMS Support, MyProxy Tool and Globus Online Tool in GSISSH-Term Siew Hoon Leong (Cerlane) 23rd October 2013 EGI Webinar

Authentication & Authorization systems developed for CTA

Troubleshooting Grid authentication from the client side

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

The EGI AAI CheckIn Service

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

CILogon Project

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Managing Grid Credentials

INDIGO-Datacloud Identity and Access Management Service

Introduction to SciTokens

Prototype DIRAC portal for EISCAT data Short instruction

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

dcache integration into HDF

openid connect all the things

SLCS and VASH Service Interoperability of Shibboleth and glite

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

INDIGO-DataCloud Architectural Overview

Warm Up to Identity Protocol Soup

EUROPEAN MIDDLEWARE INITIATIVE

XSEDE Canonical Use Case 4 Interactive Login

The LGI Pilot job portal. EGI Technical Forum 20 September 2011 Jan Just Keijser Willem van Engen Mark Somers

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

review of the potential methods

Federated Services for Scientists Thursday, December 9, p.m. EST

User Authentication Principles and Methods

Trusted identities for the cloud using open source technologies where Open ecard App meets SkIDentity

Globus Online: File Transfer Made Easy!

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Cloud Access Manager Configuration Guide

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

Creating relying party clients using the Nimbus OAuth 2.0 SDK with OpenID Connect extensions

XSEDE Iden ty Management Use Cases

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Managing AON Security

ForgeRock Access Management Customization and APIs

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Technical Overview. Version March 2018 Author: Vittorio Bertola

irods Security Aspects Willem Elbers CLARIN-ERIC, Netherlands

Building the Modern Research Data Portal. Developer Tutorial

VMware Horizon Workspace Security Features WHITE PAPER

SAP Security in a Hybrid World. Kiran Kola

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

EGI AAI Platform Architecture and Roadmap

Federated Authentication with Web Services Clients

Services. Service descriptions. Cisco HCS services

LCG User Registration & VO management

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

A VOSpace deployment: interoperability and integration in big infrastructure

User Directories. Overview, Pros and Cons

Globus GTK and Grid Services

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

CernVM-FS. Catalin Condurache STFC RAL UK

Access Manager 4.2 Service Pack 2 (4.2.2) supersedes Access Manager 4.2 Service Pack1 (4.2.1).

How to use or not use the AWS API Gateway for Microservices

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

Deploying OAuth with Cisco Collaboration Solution Release 12.0

API Gateway. Version 7.5.1

SSSD: FROM AN LDAP CLIENT TO SYSTEM SECURITY SERVICES DEAMON

Access Manager 4.4 Service Pack 3 Release Notes

Release 3.0. Delegated Admin Application Guide

Leveraging Globus Identity for the Grid. Suchandra Thapa GlobusWorld, April 22, 2016 Chicago

CIAM: Need for Identity Governance & Assurance. Yash Prakash VP of Products

/****************************************************************************\ DAS Release for Solaris, Linux, and Windows

Deliver and manage customer VIP POCs. The lab will be directed and provide you with step-by-step walkthroughs of key features.

Member Impacting Project Overview PR Two-Factor Authentication V3

MyProxy Server Installation

Member Impacting Project Overview PR Two-Factor Authentication V3

Single Sign-On Best Practices

Grid Documentation Documentation

Understanding StoRM: from introduction to internals

Cloud Access Manager Overview

Course Outline: Linux Professional Institute-LPI 202. Learning Method: Instructor-led Classroom Learning. Duration: 5.00 Day(s)/ 40 hrs.

Table of Contents. I. How do I register for a new account? II. How do I log in? (I already have a MyJohnDeere.com account.)

glite Grid Services Overview

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

AARC Blueprint Architecture

dcache: challenges and opportunities when growing into new communities Paul Millar on behalf of the dcache team

DCCKI Interface Design Specification. and. DCCKI Repository Interface Design Specification

EMS Platform Services Installation & Configuration Guides

SAS Viya 3.4 Administration: Authentication

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Transcription:

SA1 CILogon pilot - motivation and setup Tamas Balogh & Mischa Sallé tamasb@nikhef.nl msalle@nikhef.nl AARC General Meeting, Milan 4 November 2015 Tamas Balogh & Mischa Sallé (Nikhef) 1 / 11

Outline 1 Scenario 2 CILogon 3 Pilot Setup 4 Master Portal 5 Next steps and conclusions Tamas Balogh & Mischa Sallé (Nikhef) 2 / 11

Typical Setup: wishlist Science Gateway typical user does not see any certificate jobs run with personal user certificate (traceability) some users need command line usage Science Gateway adaptations must be simple Scenario Tamas Balogh & Mischa Sallé (Nikhef) 3 / 11

CILogon Pilot CILogon widely used in US Different portals for OpenID-Connect/OAuth-for-MyProxy TCS/DigiCert portal-like: PKCS12 download portal delegation... Actually OAuth-for-MyProxy (OA4MP) pilot OA4MP essentially a frontend for MyProxy server MyProxy server: online CA or credential store (or both) CILogon Tamas Balogh & Mischa Sallé (Nikhef) 4 / 11

Pilot Setup https://wiki.nikhef.nl/grid/cilogon_pre-pilot_work Pilot Setup Tamas Balogh & Mischa Sallé (Nikhef) 5 / 11

Main features certificate hidden from user safe and cached storage of credentials (private key is safe) flexible online CA: easily moved to HSM modular (European/Global, NGI, SG) already or to be standardised protocols VOMS integration: attribute provider SSH backdoor for non-web: next slide Pilot Setup Tamas Balogh & Mischa Sallé (Nikhef) 6 / 11

SSH backdoor VO Portal can upload user s SSH pubkey to Master Portal Master Portal can store in e.g. LDAP SSH Server runs cron job and creates authorized keys file: special account, runs myproxy-logon wrapper SSH-agent forwarding: workernode, UI, laptop retrieves proxy wrapper to save proxy: similar to kerberos ticket No need for either extra password, ECP, Moonshot etc. Very similar to GitHub, CERN, etc. Pilot Setup Tamas Balogh & Mischa Sallé (Nikhef) 7 / 11

Master Portal: heavy lifting - high level 1 entry point 2 redirect to Master Portal 3 redirect to DS/CILogon receive code, token, userinfo 4 * initiate MyProxy PUT 5 * request certificate 6 * store certificate 7 redirect back to VO portal 8 request VOMS proxy 9 MyProxy GET for proxy 10 retrieve VOMS proxy Master Portal Tamas Balogh & Mischa Sallé (Nikhef) 8 / 11

Master Portal: heavy lifting - details 1 user enters VO portal 2 VO portal starts authz flow 3 /authorize endpoint: 1 server servlet needs authz 2 client servlet: initiate authz flow 4 redirect to DS 5 back to /authorize endpoint 1 client /token DS 2 client /userinfo DS 3 * client initiates PUT 4 * client /getcert DS 5 * client finalises PUT 6 server returns his code 6 return to VO portal 7 VO-p. /token MP 8 VO-p. /getcert MP 9 server servlet retrieves proxy 10 VO-p. receives VOMS proxy Master Portal Tamas Balogh & Mischa Sallé (Nikhef) 9 / 11

Open issues and next (pilot) steps Further implement Master Portal (interface with VO portal): /authorize servlet and integrating OIDC servlet API endpoint for uploading SSH keys Small extensions to profile http://goo.gl/vnmkxs /getcert without CSR for proxies /getcert with VOMS-string request parameter Need to adapt OIDC servlet (upstream) build an online CA perhaps look at alternative: Unity-IdM (EUDAT scenario): also OIDC + Online CA look at integration with DigiCert portal EGI pilot: Master Portal as a Token Translation Service Next steps and conclusions Tamas Balogh & Mischa Sallé (Nikhef) 10 / 11

Conclusion Work in progress but looking good! Next steps and conclusions Tamas Balogh & Mischa Sallé (Nikhef) 11 / 11

Some References Our setup: https://wiki.nikhef.nl/grid/cilogon_pre-pilot_work OpenID Connect for MyProxy: http://goo.gl/vnmkxs CILogon docs: http://www.cilogon.org/portal-delegation MyProxy: http://grid.ncsa.illinois.edu/myproxy/ OA4MP: http://grid.ncsa.illinois.edu/myproxy/oauth/ protocol: http://grid.ncsa.illinois.edu/myproxy/protocol/ VOMS: e.g. http://italiangrid.github.io/voms/ ssh authorized keys: man sshd Tamas Balogh & Mischa Sallé (Nikhef) 12 / 11

Extra: (VOMS) Proxy Certificates Authentication standard for Grid, PRACE,... Standard: RFC3820 end-entity (user) certificate functions as mini CA used as delegated authentication token can embed e.g. Attribute Certificates: RFC3281, updated to RFC5755 used by VOMS: bind attributes to proxy (e.g. roles and groups) VOMS proxy certificates can be verified off-line Tamas Balogh & Mischa Sallé (Nikhef) 13 / 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback