SLCS and VASH Service Interoperability of Shibboleth and glite

Similar documents
Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Integrating Federations in the International Grid Trust Fabric

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

THEBES: THE GRID MIDDLEWARE PROJECT Project Overview, Status Report and Roadmap

Improving Grid User's Privacy with glite Pseudonymity Service

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

Introduction to Identity Management Systems

MyProxy Server Installation

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

EUROPEAN MIDDLEWARE INITIATIVE

SAML-Based SSO Configuration

AAI in EGI Current status

g-eclipse A Framework for Accessing Grid Infrastructures Nicholas Loulloudes Trainer, University of Cyprus (loulloudes.n_at_cs.ucy.ac.

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Federated Authentication with Web Services Clients

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

Report for the GGF 16 BoF for Grid Developers and Deployers Leveraging Shibboleth

INDIGO AAI An overview and status update!

APAN 25 Middleware Session, Hawaii Jan.24, 2008 Japanese University PKI (UPKI) Update and Shibboleth using PKI authentication

Thebes, WS SAML, and Federation

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Canadian Access Federation: Trust Assertion Document (TAD)

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Federated access to e-infrastructures worldwide

Grid Computing Security

RCauth.eu / MasterPortal update

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

Public Key Infrastructure PKI. National Digital Certification Center Information Technology Authority Sultanate of Oman

A Concept for Attribute-Based Authorization on D-Grid Resources

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

One small step for the Shib admin, one giant leap for the SAML community?

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

International Grid Trust Federation

The challenges of (non-)openness:

New trends in Identity Management

Hardware Tokens in META Centre

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Introduction to Grid Security

THE INTEROPERATION BETWEEN CASIDP AND INCOMMON ETC. JIWU JING

glite Java Authorisation Framework (gjaf) and Authorisation Policy coordination

SAML-Based SSO Configuration

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

O365 Solutions. Three Phase Approach. Page 1 34

FedLine Web Certificate Retrieval Procedures

Liberty Alliance Project

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Assurance Enhancements for the Shibboleth Identity Provider 19 April 2013

SAML Admin Guide. Version 1.0

CAS, Shibboleth, And an evolving SSO approach

AXIAD IDS CLOUD SOLUTION. Trusted User PKI, Trusted User Flexible Authentication & Trusted Infrastructure

Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Higher Education PKI Initiatives

National Identity Exchange Federation. Terminology Reference. Version 1.0

Authorization Strategies for Virtualized Environments in Grid Computing Systems

Greek Research and Technology Network. Authentication & Authorization Infrastructure. Faidon Liambotis. grnet

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

A Simplified Access to Grid Resources for Virtual Research Communities

Grid services. Enabling Grids for E-sciencE. Dusan Vudragovic Scientific Computing Laboratory Institute of Physics Belgrade, Serbia

CILogon Project

DDS Identity Federation Service

Introducing Shibboleth. Sebastian Rieger

Leveraging the InCommon Federation to access the NSF TeraGrid

Géant-TrustBroker Dynamic inter-federation identity management

WP JRA1: Architectures for an integrated and interoperable AAI

EGEE and Interoperation

SSO Integration Overview

Warm Up to Identity Protocol Soup

Grid Technologies for AAI*

AARC Blueprint Architecture

Edge Device Manager Quick Start Guide. Version R15

Guidelines on non-browser access

Configure Unsanctioned Device Access Control

Identity and capability management and federation

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Setup Desktop Grids and Bridges. Tutorial. Robert Lovas, MTA SZTAKI

Cloud Access Manager Overview

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

glite Grid Services Overview

CA SiteMinder Federation

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

GLOBUS TOOLKIT SECURITY

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

Service Providers, Identity Providers and Grid Community Survey on Levels of Assurance

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

Oman Research & Education Network (OMREN)

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Certificate Retrieval Procedures

Transcription:

SLCS and VASH Service Interoperability of Shibboleth and glite Christoph Witzig, SWITCH (witzig@switch.ch) www.eu-egee.org NREN Grid Workshop Nov 30th, 2007 - Malaga EGEE and glite are registered trademarks

Content Introduction Interoperability Shibboleth - glite Short-Lived Credential Service (SLCS) (Phase 1) VOMS Attributes for SHibboleth (VASH) (Phase 2) Outlook: SAML Support in Grids (Phase 3) Summary NREN Grid Workshop - Nov 30th, 2007 2

Federated Identity Identity Providers (IdP) authenticate their users Service Providers (SP) trust the Identity Providers (IdP) and authorize the users Cross domain authentication and authorization based on trust relation NREN Grid Workshop - Nov 30th, 2007 3

Real and Virtual Organizations Enabling Grids for E-sciencE Real organizations have built AAIs Grids are being built around Virtual Organizations (VO) How do you relate the member of the real organization to the member of the organization?? Username password Dora as member of University of Malaga Dora as member of the VO Woman In Art X.509 CA NREN Grid Workshop - Nov 30th, 2007 4

Interoperability Shibboleth - glite Enabling Grids for E-sciencE Interoperability Shibboleth - glite by SWITCH Part of EGEE-II Focus is on Interoperability (NO replacement for X.509) Specific for EGEE II infrastructure (VOMS etc) Integrate, re-use, re-engineer existing code, write new code only as needed Key Concepts: Home institution of the user should be the Identity Provider Home institution provides some attributes But VO is needed for (grid specific) attributes NREN Grid Workshop - Nov 30th, 2007 5

Overview of SLCS and VASH glite UI SLCS = Short Lived Credential Service VASH = VOMS attributes from Shibboleth NREN Grid Workshop - Nov 30th, 2007 6

Short Lived Credential Service (SLCS) NREN Grid Workshop - Nov 30th, 2007 7

SLCS Profile SLCS = Short Lived Credential Service International Grid Trust Federation (IGTF) Profile Minimum requirements: SLCS Certificate is generated based on Identity Management system X.509 Certificate traditional Registration Authority (e.g. passport) Lifetime < 1mio sec Lifetime < 1 year + 1 month Revocation handling optional Revocation handling mandatory NREN Grid Workshop - Nov 30th, 2007 8

SLCS Design Private key is never transferred Use commercial CA and only standard protocols Modular design such that other people can use their own components Shibboleth attributes determine DN NREN Grid Workshop - Nov 30th, 2007 9

SLCS Operation For the user: Command line: slcs-init --idp <providerid> Part of glite User Interface (glite-ui 3.1) (can also be installed independently) For the RA from web-based admin tool: Can enable or disable individual users (only for his institution) Requirements formulated in CP/CPS Can obtain log information (audit) SWITCH: Operates the service for the SWITCHaai federation NREN Grid Workshop - Nov 30th, 2007 10

SWITCH SLCS Setup 3 separate servers in increasingly secure environment (network and physical access) Front End Shibboleth SP SLCS Server Tomcat web app Online CA Microsoft Certificate Server Hardware Security Module (HSM) Offline CA Sign the Online CA Stored in a bank safe NREN Grid Workshop - Nov 30th, 2007 11

Status SLCS Software development finished in 2006 SWITCH SLCS Root CA accredited by EuGridPMA in February 2007 SWITCH SLCS in production since April 2007 http://www.switch.ch/grid/slcs NREN Grid Workshop - Nov 30th, 2007 12

VOMS attributes from Shibboleth (VASH) NREN Grid Workshop - Nov 30th, 2007 13

Problem SLCS ties AAI authentication to issuance of X.509 certificate AAI attributes are used to construct the DN SLCS intends to make AAI attributes available to grid resources for authorization decisions Which AAI attributes are of interest to grid resource? How does resource obtain attributes? (pull vs push) Relation to VO attributes Deployment issues NREN Grid Workshop - Nov 30th, 2007 14

VASH Design (1) VASH: VOMS Attributes from Shibboleth Shibboleth SP Browser-based Specific for Federation VO lightweight SP No administrator duties No management of attributes Simply transfers attributes upon user request NREN Grid Workshop - Nov 30th, 2007 15

VASH Design (2) X.509 and proxy X.509 with VOMS AC unchanged No change in VOMS Requires VOMS version 1.7.10 or higher VO registration not changed Administrative domain between Shibboleth federation and VOMS fully decoupled User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509) NREN Grid Workshop - Nov 30th, 2007 16

Web Interface VASH Service NREN Grid Workshop - Nov 30th, 2007 17

Deployment Options Option 1: As an add-on to an existing VOMS-based VO Option 2: As a registration tool which allows the member of a Shibboleth IdP become a member of a VOMS-based VO Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes) NREN Grid Workshop - Nov 30th, 2007 18

Status VASH Software implementation done MJRA1.5 document: https://edms.cern.ch/document/807849/1 Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available Access to VOMS AC LCAS/LCMAPS plugin NREN Grid Workshop - Nov 30th, 2007 19

Outlook: SAML Support in Grids NREN Grid Workshop - Nov 30th, 2007 20

Phase 3: SAML Support Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2 SAML-enable those services, with which the user interacts directly WMS File access Benefits: (Average) User has no certificates anymore Introduce SAML gently beyond phase 1 and 2, gain experience Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation Options open for future Requires: A mean for service to transform a security tokens it has into a security token it needs NREN Grid Workshop - Nov 30th, 2007 21

Security Token Service (STS) Based on OASIS WS-Trust Standard Converts one security token into another Initial focus on username/password SAML SAML X.509 Supports token request, renewal, validity check, destruction Capable of obtaining attributes from different sources (e.g. Shibboleth IdP, VOMS) NREN Grid Workshop - Nov 30th, 2007 22

Use Cases Grid: A central Grid resource (e.g. resource broker) obtains a user job with a SAML assertion as credential Conversion into a security token that the other Grid services understand (X.509) Non-browser based Shibboleth applications: User agent contacts Shibboleth IdP with credential (e.g. username, password) User agent receives SAML assertion to be sent to a Shibboleth SP NREN Grid Workshop - Nov 30th, 2007 23

Summary Interoperability Shibboleth - glite Phase 1: SLCS Online CA issuing short-lived X.509 certificates based upon authentication at Shibboleth IdP Operative and in production Phase 2: VASH Transfers Shibboleth attributes into VOMS Shib attributes are available to grid resources as part of VOMS AC Software development finished Phase 3: SAML Actual phase: design of a WS-Trust STS for SAML and proxy X.509 Idea to SAML-enable a selected (small) number of grid services (those close to the user: WMS, ) Leverage the existing SWITCHaai Shibboleth federation NREN Grid Workshop - Nov 30th, 2007 24

Q & A NREN Grid Workshop - Nov 30th, 2007 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback