Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Similar documents
Leveraging the InCommon Federation to access the NSF TeraGrid

CILogon Project

Federated Services for Scientists Thursday, December 9, p.m. EST

CILogon. Federating Non-Web Applications: An Update. Terry Fleury

SAML-Based SSO Solution

New trends in Identity Management

Using the MyProxy Online Credential Repository

SAML-Based SSO Solution

Integrating Federations in the International Grid Trust Fabric

SLCS and VASH Service Interoperability of Shibboleth and glite

Guidelines on non-browser access

Federated access to Grid resources

Managing Grid Credentials

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Canadian Access Federation: Trust Assertion Document (TAD)

Extending Services with Federated Identity Management

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

SAP Security in a Hybrid World. Kiran Kola

Network Security Essentials

Canadian Access Federation: Trust Assertion Document (TAD)

All about SAML End-to-end Tableau and OKTA integration

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Warm Up to Identity Protocol Soup

Introducing Shibboleth. Sebastian Rieger

ArcGIS Server and Portal for ArcGIS An Introduction to Security

13241 Woodland Park Road, Suite 400 Herndon, VA USA A U T H O R : E X O S T A R D ATE: M A R C H V E R S I O N : 3.

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

FeduShare Update. AuthNZ the SAML way for VOs

Trusting External Identity Providers for Global

IAM Project Overview & Milestones

1. Federation Participant Information DRAFT

Canadian Access Federation: Trust Assertion Document (TAD)

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

UGP and the UC Grid Portals

Canadian Access Federation: Trust Assertion Document (TAD)

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

International Grid Trust Federation

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Pittsburgh Supercomputing Center MyProxy Certificate Authority Short Lived Credential Service (PSC MyProxy CA)

Enterprise Access Gateway Management for Exostar s IAM Platform June 2018

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Canadian Access Federation: Trust Assertion Document (TAD)

Canadian Access Federation: Trust Assertion Document (TAD)

KEY DISTRIBUTION AND USER AUTHENTICATION

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

InCommon Federation: Participant Operational Practices

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Access Manager Applications Configuration Guide. October 2016

Liberty Alliance Project

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Credentialing for InCommon

Canadian Access Federation: Trust Assertion Document (TAD)

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Case Study Identity Management at Texas A&M University

Canadian Access Federation: Trust Assertion Document (TAD)

Morningstar ByAllAccounts SAML Connectivity Guide

RCauth.eu / MasterPortal update

Canadian Access Federation: Trust Assertion Document (TAD)

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Canadian Access Federation: Trust Assertion Document (TAD)

Introduction to application management

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Shibboleth authentication for Sync & Share - Lessons learned

The Long, Long Road to True Single Sign On at Fermilab. Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 May 22 nd, 2018

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL

A Mechanism for Federated Identification Services for Public Access Portals Using Access-Cards

Canadian Access Federation: Trust Assertion Document (TAD)

Report for the GGF 15 Community Activity: Leveraging Site Infrastructure for Multi-Site Grids

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Five9 Plus Adapter for Agent Desktop Toolkit

LionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine

INCOMMON FEDERATION: PARTICIPANT OPERATIONAL PRACTICES

Canadian Access Federation: Trust Assertion Document (TAD)

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Canadian Access Federation: Trust Assertion Document (TAD)

CLI users are not listed on the Cisco Prime Collaboration User Management page.

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Configuration Guide - Single-Sign On for OneDesk

Do I Really Need Another Account? External Identities for Campus Applications

Transcription:

Goal Federated Login to Jim Basney Terry Fleury Von Welch Enable researchers to use the authentication method of their home organization for access to Researchers don t need to use -specific credentials Avoid distribution of -specific passwords Avoid password reset requests Better integrate with campus resources Provision resources according to campus-based identity vetting and authorization National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science Foundation under Grant No. 0503697 Challenges Support usage models Interactive browser and command-line access Multi-stage, unattended batch workflows Establish trust among campuses, members, and peer grids (OSG, EGEE) 1

Allocations Single Sign-On Resources allocated by peer review Project principal investigators add user accounts via the User Portal Central Database (TGCDB) contains records for all users -wide username and password assigned to every user User UI User Portal Central Database look up user distinguished name obtain user certificate Kerberos KDC verify password MyProxy CA Client Toolkit access Resources PKI InCommon Federation PKI consists of CAs operated by member institutions and other partners resource providers trust a consistent set of Cas Provides consistent experience for users Determined by consensus through Security Working Group CAs accredited by International Grid Trust Federation (IGTF) InCommon facilitates use of campus identity with external service providers By supporting adoption of standard mechanisms and policies By distributing metadata that identifies members Uses SAML Web Browser Single Sign-On protocols Shibboleth implementation from Internet2 Work well for browser-based applications, but not command-line or batch workflows InCommon represents >200 institutions (>4m users) Of 38 institutions with over 50 TG users, 24 (67%) are currently InCommon members 2

InCommon Federation Our Approach member Web Browser User InCommon Federation WWW member member Campus Authentication System User Attributes (e.g., Kerberos or (e.g., LDAP) Active Directory Account Linking Bind the researcher s campus identity (conveyed via InCommon/ SAML) to his/her existing identity (TGCDB) InCommon motivates our use of SAML Rely on the existing allocations process for identity vetting and authorization Rely on campus for authentication of a persistent user identifier Credential Translation Convert from a browser-based (SAML) credential to a certificate for command-line, workflow, and batch processes Deliver certificate to desktop and web session Rely on the existing PKI Adding a new certificate authority Our Approach Campus InCommon/SAML SSO/X.509 Web Browser User Verify Campus SAML Authn Web Portal/ Trusted s Account Linking DB User Experience Access X.509 Campus Authn InCommon Metadata MyProxy CA TG Resources 3

(one-time only) 4

Federated Login System User Desktop Applet Web Browser GridShib CA Credential Retriever SAML SAML Federated Login Web Application GridShib CA Web App (customized) Account Link Database Kerberos KDC MyProxy CA (Kerberos) MyProxy CA (Federated) Central Database Trust Establishment Campus and InCommon PKI Trust Establishment Process: Campus Join the InCommon Federation Add service provider to InCommon metadata Request identity providers to release identity information (a manual, campus-by-campus process) Some released identifiers automatically to all InCommon members Some released identifiers on email request Some required local sponsorship and review Current status: Targeted 38 campuses with over 50 users 24 (67%) are InCommon members 16 (of the 24) successfully federated to-date 11 additional campuses federated outside the target list 5

Trust Establishment Process: PKI Publish Certificate Policy and Certification Practices Statement (CP/CPS) according to RFC 3647 Present CA to regional IGTF policy management authority The Americas Grid PMA (TAGPMA) Checklist-based review by TAGPMA of CA s policies and operations Vote for acceptance by TAGPMA members Current status: Submitted to TAGPMA (March 2009) Approved by TAGPMA (May 2009) CA certificate included in TERENA Academic CA Repository (TACAR) Security Considerations Security Considerations Security Considerations Changes to trust architecture Adding InCommon identity providers as trusted entities Adding web authentication as a trusted method Peering with identity providers (IdPs) IdP decides whether to release identifiers to decides to accept IdP assertions review includes: IdP serves users IdP is operated by a known and respected organization IdP operates a trustworthy authentication service IdP provides globally-unique and non-reassigned identifiers Web application security Use HTTPS for privacy and authentication Cross-Site Request Forgery (CSRF) attack protections (cookies and hidden form fields) Locked down servers (firewalls, OTP for admin access, etc.) CA security FIPS 140 level 2 rated hardware security modules Locked down servers 6

Security Considerations Related Work Disallowing account sharing Account sharing complicates incident response Allow only one identifier per identity provider to be linked with a given identity Incident response Actions may include: Disable account links Disable identity provider trust Revoke certificates Coordinate response with security working group, InCommon, and IGTF Federated CAs (some accredited by IGTF) in Europe: Switzerland: SWITCH SLCS CA for SWITCHaai federation Germany: DFN-SLCS CA for DFN-AAI federation UK: SARoNGS Credential Translation for UK Access Management federation TERENA Certificate for national federations (Denmark, Finland, Netherlands, Norway, Sweden, and more) Science Gateways Web-based community access to resources Gateways manage their own user registration and authentication May independently support federated login Status In production at https://go.teragrid.org since Sep 2009 Supporting logins from 27 institutions Issued >800 certificates so far Work in progress: Integrate with User Portal (https://portal.teragrid.org) CILogon Project (www.cilogon.org) Provide certificates to all InCommon members (not just users) Other possible future work for : Phase out passwords Attribute-based authorization Support for OpenID Questions? Comments? Contact: jbasney@illinois.edu 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback