IAM Online: Federated Services for Scientists
Thursday, December 9, 2010, 1 p.m. EST
Rachana Ananthakrishnan, Argonne National Laboratory & University of Chicago
Jim Basney, National Center for Supercomputing Applications, University of Illinois
IAM Online is brought to you by InCommon, in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.
Scientific & Scholarly Collaboration Online
Should be as easy as current social networking, but with suitable security & attribution. To do that we need:
Valuable services to be online: integrated wholes, not toolkits remaining to be assembled
Scale up access to them: federated access, both SAML and OpenID as appropriate; InCommon & other federations to grow, and to support LoA
Get IT out of the way: campuses must up their game and implement Silver & uapprove; collaboration frameworks with standardized interfaces that make it easy to dock domesticated applications
Two Steps Along the Road
Rachana Ananthakrishnan, Principal Software Development Specialist, Argonne National Lab/University of Chicago: Globus Online, an integrated online cyberinfrastructure service
Jim Basney, Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois: CILogon, providing federated access to cyberinfrastructure
globus online Reliable File Transfer. No IT Required. Federated Access to Science Services and Infrastructures Rachana Ananthakrishnan Argonne National Laboratory & University of Chicago
Globus (www.globus.org)
Globus Toolkit: build the grid. Components for building custom grid solutions (globustoolkit.org)
Globus Online: use the grid. Cloud-hosted file transfer service
Problem Space Examples
  #  User                      Data location                Characteristics
  1  Nuclear Scientist         Oak Ridge to NERSC           Two security domains, blocked by transfer, repetitive task
  2  Visualization Specialist  TeraGrid (Kraken) to NERSC   Two security domains, no dedicated high-bandwidth network, ad hoc task
  3  System Administrator      To GFDL                      Many security domains, administrative task, deadline bound
  4  System Builder            To and from NERSC            Many security domains, support ad hoc users, legacy code integration, multiple science domains
Globus Online Solution
Hosted file transfer management capabilities: transfers and synchronizes files and directories
Asynchronous interfaces for transfer, monitoring and notification
Multiple interfaces for integration: REST API; CLI 2.0 using SSH/GSISSH; website
Benefits of Globus Online
Easy "fire and forget" file transfers
Automatic fault recovery
High performance
Simplified use of multiple security domains
No client software installation
New features automatically available
Consolidated support and troubleshooting
User Workflow
Creates a new profile; configures profile; adds or discovers endpoints; activates endpoints; submits transfers; monitors transfers; receives notification of events
Profile Management
User creates a profile at registration using an existing identity; multiple identities can be associated with the profile
Website logins: OpenID identity provider; MyProxy servers
CLI logins: SSH public key; X.509 certificate
Login
Login Accounts
CLI Accounts
Endpoint Management
Configure endpoints: host/port; default MyProxy server; public endpoints
Discover endpoints: add to personal list
Endpoint activation: MyProxy or GSI SSH delegation; pause transfer and notify on credential expiration; resume transfer on credential renewal
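The pause-and-resume behaviour on the endpoint activation slide, as an added example that is not Globus Online code: each endpoint records the expiry of the proxy credential delegated to it at activation, a transfer is paused (with a single notification) as soon as either side's credential is no longer valid, and it resumes from where it stopped once the endpoint is re-activated. Endpoint names, the 100-second credential lifetime and the expiry margin are this example's own assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    ACTIVE = "active"
    PAUSED_CREDENTIAL_EXPIRED = "paused: credential expired"
    DONE = "done"


@dataclass
class Endpoint:
    """An endpoint plus the expiry time of the proxy credential delegated to it
    at activation (e.g. via MyProxy). None means 'not activated'."""
    name: str
    cred_expires_at: Optional[float] = None  # epoch seconds (notAfter of the delegated proxy)

    def activate(self, now: float, lifetime_s: float) -> None:
        # Activation delegates a short-lived proxy; renewal is simply another activation.
        self.cred_expires_at = now + lifetime_s

    def credential_valid(self, now: float, margin_s: float = 0.0) -> bool:
        # Treat a credential as expired slightly early (margin_s is a tunable
        # assumption) so an in-flight chunk does not fail half-way through.
        return self.cred_expires_at is not None and now + margin_s < self.cred_expires_at


@dataclass
class Transfer:
    src: Endpoint
    dst: Endpoint
    total_bytes: int
    done_bytes: int = 0
    state: State = State.ACTIVE
    notifications: List[str] = field(default_factory=list)


def step(transfer: Transfer, now: float, chunk_bytes: int, margin_s: float = 0.0) -> State:
    """Attempt to move one chunk at time `now`.

    If either endpoint's delegated credential has expired, the transfer is
    paused and the user is notified exactly once; it keeps its progress and
    stays paused until both endpoints are valid again, then resumes."""
    if transfer.state is State.DONE:
        return transfer.state

    expired = [ep.name for ep in (transfer.src, transfer.dst)
               if not ep.credential_valid(now, margin_s)]
    if expired:
        if transfer.state is not State.PAUSED_CREDENTIAL_EXPIRED:
            transfer.state = State.PAUSED_CREDENTIAL_EXPIRED
            transfer.notifications.append(
                "paused: credential expired on " + ", ".join(expired))
        return transfer.state

    # Both credentials valid: (re)activate the transfer and move data.
    transfer.state = State.ACTIVE
    transfer.done_bytes = min(transfer.total_bytes, transfer.done_bytes + chunk_bytes)
    if transfer.done_bytes == transfer.total_bytes:
        transfer.state = State.DONE
        transfer.notifications.append("completed")
    return transfer.state


def run_demo() -> Transfer:
    """Constructed scenario: the source credential lasts 100 s while the
    transfer needs five 100-byte chunks 40 s apart, so the credential expires
    mid-transfer and the user renews it."""
    src = Endpoint("site-a#dtn")  # hypothetical endpoint names
    dst = Endpoint("site-b#dtn")
    src.activate(now=0.0, lifetime_s=100.0)
    dst.activate(now=0.0, lifetime_s=3600.0)
    transfer = Transfer(src, dst, total_bytes=500)

    for now in (0.0, 40.0, 80.0, 120.0, 160.0):
        step(transfer, now, chunk_bytes=100)   # pauses at t=120, stays paused at t=160
    src.activate(now=200.0, lifetime_s=100.0)  # user renews the delegated credential
    for now in (200.0, 240.0, 280.0):
        step(transfer, now, chunk_bytes=100)   # resumes from 300 bytes and completes
    return transfer


if __name__ == "__main__":
    t = run_demo()
    print(t.state.value, t.done_bytes, t.notifications)
```

The check runs before every chunk rather than once at submission, which is what lets a long transfer survive a credential that was valid when it was queued but expires while it is running.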
Transfer
Activation using MyProxy
Planned Features
Transfer: light-weight transfer agent; support for other transfer protocols; integration with Condor
Security: accept campus credentials (InCommon identity providers); support OAuth-based delegation to facilitate sharing of transfer tasks; group and policy management
Future Work
Higher-level data management capabilities: data publication; replication
Job management capabilities
Provisioning of collaboration tools
Thank You! For more information: www. support@globus.org
CILogon Federated Access to Science Services and Infrastructures Jim Basney jbasney@ncsa.uiuc.edu This material is based upon work supported by the National Science Foundation under grant number 0943633. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
CILogon Goal
Facilitate campus logon to CI: leverage researchers' existing credentials at their home institution; ease credential management for researchers and CI providers
Bridge from: credentials issued by InCommon Federation members using SAML web browser single sign-on
Bridge to: X.509 certificates that satisfy the requirements of CI projects
CILogon www.cilogon.org
Prior Work: go.teragrid.org
Campus login to TeraGrid: 31 campuses so far (including all CIC schools); in production since September 2009; 1000+ certificates issued so far to 65+ users; integration with portal.teragrid.org underway
IDtrust 2010 paper: Federated Login to TeraGrid (http://middleware.internet2.edu/idtrust/2010/)
New Service: cilogon.org
No TeraGrid account required
Delivers certificates to desktop, browser, and portals
Available certificate lifetimes: from 1 hour to 13 months
3 Certification Authorities: Silver (InCommon Silver IDs); Basic (any InCommon IDs); OpenID (any OpenIDs)
Available now!
CILogon Portal Delegation
Grid portals and science gateways provide web interfaces to CI; portals/gateways need certificates to access CI on researchers' behalf
The CILogon Delegation Service allows researchers to approve certificate issuance to portals (via OAuth): www.cilogon.org/portal-delegation
(Diagram: the web browser authenticates to CILogon and approves the request; the portal requests the certificate from CILogon and uses it to access CI.)
Why certificates?
Command-line apps, non-web apps
Multi-stage, unattended batch workflows
Significant worldwide CI investment in PKI: software, operations, standards, etc.
International Grid Trust Federation
Worldwide accreditation of grid CAs
Relying parties: TeraGrid, Open Science Grid, European Grid Infrastructure, Worldwide LHC Computing Grid, and others
Standards: CA operations, key management, subscriber identity vetting, certificate profiles
www.igtf.net
CILogon and IGTF
CILogon CA operations, key management, and certificate profiles meet IGTF standards
Issue: subscriber ID vetting & authentication. Goal: rely on campuses for this, which needs minimum standards for campus practices. Approach: rely on InCommon Identity Assurance
Status: CILogon Silver CA accredited October 2010; now waiting for InCommon Silver campuses. CILogon Basic & OpenID CAs operate without IGTF accreditation
Attribute Release
The onboarding challenge: CI users are spread across many campuses, often with few CI users on each campus, and each campus must approve release of attributes to cilogon.org / go.teragrid.org
CILogon needs eptid/eppn, mail, givenname and surname
Self-service sign-up: https://cilogon.org/secure/testidp/
A good application for user-consent-based attribute release (uapprove)
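The policy implied by the cilogon.org slide (three CAs chosen by identity provider type and assurance, lifetimes between 1 hour and 13 months) and by this slide (the attributes an IdP must release), as an added example that is not CILogon's code: the bridge refuses to issue when a required attribute is missing, picks the CA from the IdP kind and the asserted assurance qualifier, bounds the lifetime, and derives a subject name. The assurance URI used as the Silver selector, the `/DC=org/DC=example/...` subject layout, the hash-based CN suffix and the 13 x 30-day approximation of "13 months" are this example's assumptions, not CILogon's actual profile.

```python
import hashlib
from typing import Dict, Iterable, List

# Assurance qualifier this example expects an InCommon Silver IdP to assert
# (assumption used as the Silver selector).
INCOMMON_SILVER = "http://id.incommon.org/assurance/silver"

MIN_LIFETIME_H = 1
MAX_LIFETIME_H = 13 * 30 * 24   # "13 months" taken as 13 x 30 days (assumption)


class BridgeError(ValueError):
    """Raised when an IdP assertion cannot be bridged to a certificate."""


def missing_required_attributes(attrs: Dict[str, str]) -> List[str]:
    """Attributes the slide says the IdP must release: eptid or eppn, mail,
    givenname and surname (sn). Returns the names that are absent or empty."""
    missing = []
    if not (attrs.get("eptid") or attrs.get("eppn")):
        missing.append("eptid/eppn")
    for name in ("mail", "givenname", "sn"):
        if not attrs.get(name):
            missing.append(name)
    return missing


def select_ca(idp_kind: str, assurance: Iterable[str] = ()) -> str:
    """Three CAs: Silver for InCommon Silver IdPs, Basic for any other
    InCommon IdP, OpenID for OpenID providers."""
    if idp_kind == "openid":
        return "OpenID"
    if idp_kind == "incommon":
        return "Silver" if INCOMMON_SILVER in set(assurance) else "Basic"
    raise BridgeError("unknown identity provider kind: %r" % idp_kind)


def build_cert_request(attrs: Dict[str, str], idp_kind: str, org: str,
                       lifetime_hours: float, assurance: Iterable[str] = ()) -> Dict[str, object]:
    """Validate a released attribute set and produce the issuance request."""
    missing = missing_required_attributes(attrs)
    if missing:
        # Refuse rather than issue a certificate with an incomplete subject.
        raise BridgeError("IdP did not release required attributes: " + ", ".join(missing))
    if not MIN_LIFETIME_H <= lifetime_hours <= MAX_LIFETIME_H:
        raise BridgeError("lifetime %s h outside allowed range [%d, %d] h"
                          % (lifetime_hours, MIN_LIFETIME_H, MAX_LIFETIME_H))
    ca = select_ca(idp_kind, assurance)

    # Prefer the opaque persistent identifier (eptid) over eppn; a short hash
    # of it keeps the CN unique per user without copying the identifier into
    # the certificate (hypothetical DN layout).
    persistent_id = attrs.get("eptid") or attrs["eppn"]
    suffix = hashlib.sha256(persistent_id.encode("utf-8")).hexdigest()[:8].upper()
    subject = "/DC=org/DC=example/C=US/O=%s/CN=%s %s %s" % (
        org, attrs["givenname"], attrs["sn"], suffix)
    return {"ca": ca, "subject": subject,
            "lifetime_hours": lifetime_hours, "email": attrs["mail"]}


if __name__ == "__main__":
    # Constructed attribute set, as a campus IdP might release it.
    released = {"eppn": "jdoe@example.edu", "mail": "jdoe@example.edu",
                "givenname": "Jane", "sn": "Doe"}
    print(build_cert_request(released, "incommon", "Example University", 12,
                             assurance=[INCOMMON_SILVER]))
```

When an IdP releases only eppn, a later reassignment of that eppn to a different person would map to the same CN; that is exactly the kind of campus practice the IGTF vetting requirements are meant to rule out, and why eptid is preferred when available.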
Conclusions
We're leveraging campus credentials for access to cyberinfrastructure
SAML-to-PKI bridges: go.teragrid.org & cilogon.org
We're looking forward to new InCommon capabilities: Identity Assurance (Silver); consent-based attribute release (uapprove)
Thanks. For more information: www.cilogon.org, info@cilogon.org
Survey
Please complete the survey about today's IAM Online: http://www.surveymonkey.com/s/iamonline12
Next IAM Online (www.incommon.org/iamonline): Wednesday, January 12, 2011, 3 p.m. EST. Tentative topic: Panel Discussion on Identifiers
Thank you to InCommon Affiliates for helping to make IAM Online possible. Brought to you by InCommon, in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group.