Thebes, WS SAML, and Federation

Thebes, WS SAML, and Federation
Internet2 Fall Member Meeting, November 3, 2010
Thebes Consortium, Georgetown University
Arnie Miles, adm35@georgetown.edu
http://code.google.com/p/thebes/

Back story
- I haven't been a developer since grad school
- If you try hard enough, you will trip me up on technical details!
- As a systems administrator for high performance computing at GU, ran into problems that Grid Computing should have solved:
  - Leveraging identities across 'administrative domains'
  - Load balancing HPC devices
  - Migrating load off over-subscribed machines
  - Filling up under-subscribed machines

Back story (continued)
- Turned to grid technologies for a solution
- Existing software did not deliver what was needed (scalability and complexity complaints)
- Referred to SAML v1.x
  - The SAML (and Shibboleth) use case was for libraries
  - Shibboleth was designed solely for web users
- Built the Condor-Shib proof of concept: successful, but very limited in scope, never released
- SAML v2.0 and WS SAML opened the door to new possibilities

What we discovered...
- Attribute based access control is a good thing
- Higher Ed and Internet2 have demonstrated this
- Shibboleth promulgated the use of attributes in cross-domain federated security for web single sign-on
- We chose to extend this notion of attribute based access control to the web services world
- We didn't know yet that WS SAML would be the solution

Where we ended up
- HPC client and service: these are our first client and service deployment
- Beginnings of a Security Token Service
- Extended uses for attribute assertions, making use of the Shibboleth Attribute Resolver
- We are NOT in the business of making an STS!
- Understanding of further work to implement the vision of policy engine interaction for authorization (Oracle OEM? Argus?)

Security Token Service
A Security Token Service typically:
- Queries the local identity store
- Accepts user credentials
- Verifies user credentials
- Returns a signed assertion containing user attributes
- Handles various security tokens in and out
A hard thing to build, and not what we're in business to do

SAML with Web Services
- Use the WS-Trust protocol to obtain a security token; the primary motivating use case is a SAML assertion
- The Thebes Security Token Service queries the local identity store and creates the assertion
- The token is conveyed to a service using WS-Security (security tokens and crypto mechanisms with SOAP)
- Thebes complies with the WS SAML Token Profile
- Now we need to examine WS Federation

High Performance Computing Service and Client
- This is the problem we initially set out to solve, before we were even aware of WS SAML
- Still in pre-release state while a few more features are added
- Available for download

Example Application: HPC Client
- Collects job submission file data
- Collects user name and password
- Submits credentials and client IP address to the STS
- Receives signed assertion
- Translates job submission data to JSDL
- Sends JSDL and SAML assertion to the service
- Includes mechanisms for collecting results

Example Application: HPC Service
- Accepts JSDL and SAML from the client
- Filters the SAML; submits the SAML to the policy engine
- Accepts the result from the policy engine: Go/NoGo
- Creates a DRMAA file to submit to any DRM
- Interacts with the DRM via DRMAA to return results, check job status, etc.
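The STS and client/service exchange of the last few slides, as an added example in Go. It is not Thebes code: Thebes issues SAML XML assertions over WS-Trust and carries them in WS-Security, whereas the JSON assertion, the ECDSA P-256 signing key, the user "alice" with her attributes and password, the IP addresses and the Decide policy below are constructed stand-ins. The STS checks the credentials against its local store and returns a signed assertion bound to the client IP it saw (the current, bearer-style Thebes STS); the service filters the assertion (STS signature, lifetime, presenting address) and then asks a policy stand-in for Go/NoGo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"time"
)

// Assertion is a constructed JSON stand-in for the SAML attribute assertion on
// the slides; Thebes itself carries SAML XML in WS-Security. ClientIP is the
// bearer binding the slides describe: the address the STS saw the request from.
type Assertion struct {
	Subject      string
	Attributes   map[string]string
	NotOnOrAfter int64
	ClientIP     string
}

// Signed is the encoded assertion plus the STS signature over it.
type Signed struct{ Assertion, Sig []byte }

// STS plays the slides' Security Token Service: check the credentials against
// the local identity store and return a signed assertion of the user's attributes.
type STS struct {
	key       *ecdsa.PrivateKey
	passwords map[string]string            // constructed demo store, plaintext
	attrs     map[string]map[string]string // what the Attribute Resolver would supply
}

func NewSTS() *STS {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only without a system RNG
	return &STS{key: key,
		passwords: map[string]string{"alice": "correct horse"},
		attrs:     map[string]map[string]string{"alice": {"eduPersonAffiliation": "faculty", "project": "hpc-climate"}},
	}
}

func (s *STS) PublicKey() *ecdsa.PublicKey { return &s.key.PublicKey }

// IssueBearer is what the HPC client calls with user name, password and its IP.
func (s *STS) IssueBearer(user, password, clientIP string) (*Signed, error) {
	if pw, ok := s.passwords[user]; !ok || pw != password {
		return nil, errors.New("sts: bad credentials")
	}
	body, _ := json.Marshal(Assertion{Subject: user, Attributes: s.attrs[user],
		NotOnOrAfter: time.Now().Add(5 * time.Minute).Unix(), ClientIP: clientIP}) // limited life
	sum := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, s.key, sum[:]) // signed with the STS key
	return &Signed{Assertion: body, Sig: sig}, err
}

// Accept is the service's filter on the SAML: STS signature, lifetime, and the
// bearer check that the presenting address matches the one the STS recorded.
// senderIP is what the service observes, which is the part an attacker can spoof.
func Accept(stsPub *ecdsa.PublicKey, tok *Signed, senderIP string, now time.Time) (*Assertion, error) {
	sum := sha256.Sum256(tok.Assertion)
	if !ecdsa.VerifyASN1(stsPub, sum[:], tok.Sig) {
		return nil, errors.New("service: STS signature invalid")
	}
	var a Assertion
	if err := json.Unmarshal(tok.Assertion, &a); err != nil {
		return nil, err
	}
	if now.Unix() >= a.NotOnOrAfter {
		return nil, errors.New("service: assertion expired")
	}
	if a.ClientIP == "" || a.ClientIP != senderIP {
		return nil, errors.New("service: bearer assertion presented from another address")
	}
	return &a, nil
}

// Decide is a stand-in for the policy engine's Go/NoGo: the requested project
// must be the one asserted for the user, and the user must be faculty or staff.
func Decide(a *Assertion, project string) bool {
	aff := a.Attributes["eduPersonAffiliation"]
	return a.Attributes["project"] == project && (aff == "faculty" || aff == "staff")
}
```

The only thing tying a bearer assertion to its presenter is the address comparison in Accept; a copy of the token replayed from a different address is refused, but a sender that can make the service observe the recorded address passes, which is the weakness the later slide on bearer versus holder-of-key describes.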

(Demo video: ThebesDemo.mov)

Status of HPC Client/Service
Next steps:
- Enable jobs to run as the submitting user (currently under construction)
- Enable DRM-specific tasks, such as Oracle Grid Engine support for projects and queues
- Add Holder of Key functionality (waiting on selection of an existing STS to work with)

Potential for HPC Client/Service
- Enable projects and queues, and other DRM-specific features not covered by DRMAA
- Resource publication and discovery
- Once we can discover services, a metascheduler would be a logical next step
- Potential for spawning, populating, and destroying virtual machines with proper authorization
- Potential for launching any work on remote machines, not limited to HPC

User Bearer vs. Holder of Key Certs
User bearer:
- The IP address of the client is included in the signed cert, with a limited life
- Potentially vulnerable to IP address spoofing, causing replay by unauthorized parties
- Because we started as a proof of concept, this is the current state of the Thebes STS
- Not suitable for production

User Bearer vs. Holder of Key Certs
Holder of Key:
- The client must be able to prove possession of the key
- Client submits its public key to the STS in a signed request
- STS verifies that the client possesses the private key by verifying the signature
- STS includes the client public key in the assertion
- STS signs the assertion, which now includes the client public key
- Client signs the SOAP message with the assertion and job and sends it to the service
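The holder-of-key exchange on this slide, as an added example in Go (not Thebes code; the JSON assertion, the ECDSA P-256 keys, the user name, attributes and job string are constructed stand-ins for the SAML XML and WS-Security signatures Thebes would use). The client submits its public key in a request signed with the matching private key; the STS verifies that proof, names the key in the assertion and signs the assertion with its own key; the service then requires the job and assertion to be signed with the named key, so a copied assertion is useless without the client's private key and no source address has to be trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"encoding/json"
	"errors"
	"time"
)

// HoKAssertion is a constructed JSON stand-in for a holder-of-key SAML assertion:
// besides subject and attributes it names the client's public key (DER) that the
// STS verified the client possesses.
type HoKAssertion struct {
	Subject      string
	Attributes   map[string]string
	NotOnOrAfter int64
	HolderKey    []byte
}

// SignedHoK is the encoded assertion plus the STS signature over it.
type SignedHoK struct{ Assertion, Sig []byte }

// digest hashes length-prefixed parts so "job || assertion" cannot be re-split.
func digest(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		binary.Write(h, binary.BigEndian, uint32(len(p)))
		h.Write(p)
	}
	return h.Sum(nil)
}

func parseKey(der []byte) (*ecdsa.PublicKey, error) {
	k, err := x509.ParsePKIXPublicKey(der)
	if pub, ok := k.(*ecdsa.PublicKey); ok && err == nil {
		return pub, nil
	}
	return nil, errors.New("not an ECDSA public key")
}

func NewKey() *ecdsa.PrivateKey {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only without a system RNG
	return key
}

// ProofOfPossession is the client's signed key-submission request: its public key
// plus a signature over that key made with the matching private key.
func ProofOfPossession(client *ecdsa.PrivateKey) (pubDER, proof []byte, err error) {
	if pubDER, err = x509.MarshalPKIXPublicKey(&client.PublicKey); err != nil {
		return nil, nil, err
	}
	proof, err = ecdsa.SignASN1(rand.Reader, client, digest(pubDER))
	return pubDER, proof, err
}

// IssueHoK is the STS side: verify the proof before naming the key in the
// assertion, then sign the assertion with the STS key. Credential checking is
// left out here; it is the same as for a bearer assertion.
func IssueHoK(sts *ecdsa.PrivateKey, user string, attrs map[string]string, pubDER, proof []byte) (*SignedHoK, error) {
	if pub, err := parseKey(pubDER); err != nil || !ecdsa.VerifyASN1(pub, digest(pubDER), proof) {
		return nil, errors.New("sts: proof of possession failed")
	}
	body, _ := json.Marshal(HoKAssertion{Subject: user, Attributes: attrs,
		NotOnOrAfter: time.Now().Add(5 * time.Minute).Unix(), HolderKey: pubDER})
	sig, err := ecdsa.SignASN1(rand.Reader, sts, digest(body))
	return &SignedHoK{Assertion: body, Sig: sig}, err
}

// SignMessage is the client's signature over job and assertion (the SOAP message).
func SignMessage(client *ecdsa.PrivateKey, jsdl string, tok *SignedHoK) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, client, digest([]byte(jsdl), tok.Assertion))
}

// AcceptHoK is the service side: STS signature, lifetime, then proof that the
// sender holds the key the STS vouched for. No source address is consulted, so a
// copied assertion is useless without the client's private key.
func AcceptHoK(stsPub *ecdsa.PublicKey, jsdl string, tok *SignedHoK, msgSig []byte, now time.Time) (*HoKAssertion, error) {
	if !ecdsa.VerifyASN1(stsPub, digest(tok.Assertion), tok.Sig) {
		return nil, errors.New("service: STS signature invalid")
	}
	var a HoKAssertion
	if err := json.Unmarshal(tok.Assertion, &a); err != nil {
		return nil, err
	}
	if now.Unix() >= a.NotOnOrAfter {
		return nil, errors.New("service: assertion expired")
	}
	pub, err := parseKey(a.HolderKey)
	if err != nil || !ecdsa.VerifyASN1(pub, digest([]byte(jsdl), tok.Assertion), msgSig) {
		return nil, errors.New("service: sender does not hold the key named in the assertion")
	}
	return &a, nil
}
```

The message signature covers both the job and the assertion, so neither can be swapped under the other, and the assertion's short lifetime still bounds how long a stolen private key would be useful.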

Summary, slide 1
- Thebes provides a potential common security infrastructure for handling authentication to web services
- The Thebes authentication mechanism is scalable
- Because Thebes leverages SAML and Federation, user identities are maintained in home institutions for superior curation and control
- Identity assertions comply with SAML standards, assuring compatibility across enterprises

Summary, slide 2
- Often, publishing resources is a matter of creating a web service
- A standardized way to authenticate to a web service can encourage publication of secure services
- Creation of Federations for Web Services can only help grow web user SAML adoption
- Rich attributes support complex policies

Thebes
Arnie Miles, adm35@georgetown.edu
http://code.google.com/p/thebes/