RCauth.eu / MasterPortal update

Similar documents
SA1 CILogon pilot - motivation and setup

Deliverable DSA1.4: Pilots to improve access to R&E-relevant resources

Guidelines on non-browser access

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

The EGI AAI CheckIn Service

AARC. Christos Kanellopoulos AARC Architecture WP Leader GRNET. Authentication and Authorisation for Research and Collaboration

2. HDF AAI Meeting -- Demo Slides

Recommendations on the grouping of entities and their deployment mechanisms in scalable policy negotiation

AARC Blueprint Architecture

WP JRA1: Architectures for an integrated and interoperable AAI

Deliverable DJRA1.1. Use-Cases for Interoperable Cross- Infrastructure AAI

INDIGO-Datacloud Identity and Access Management Service

WP3: Policy and Best Practice Harmonisation

INDIGO AAI An overview and status update!

EGI AAI Platform Architecture and Roadmap

The challenges of (non-)openness:

Policy and Best Practice Harmonisation ( NA3 ) from the present to the future

Evolving the trust fabric with AARC and EGI

AARC Overview. Licia Florio, David Groep. 21 Jan presented by David Groep, Nikhef.

Higher Education external Attribute Authority. Mihály Héder István Tétényi (MTA SZTAKI) 19-May-2015

Can R&E federations trust Research Infrastructures? - The Snctfi Trust Framework

Scalable Negotiator for a Community Trust Framework in Federated Infrastructures (Snctfi)

Federated Authentication with Web Services Clients

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

SLCS and VASH Service Interoperability of Shibboleth and glite

AAI in EGI Current status

Pilots to support guest users solutions

In Section 4 we discuss the proposed architecture and analyse how it can match the identified 2

DARIAH Update. 9th FIM4R Workshop. Vienna, Novemer 30, Peter Gietz, DAASI International GmbH.

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

EUDAT. Towards a pan-european Collaborative Data Infrastructure

EUDAT - Open Data Services for Research

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

Moonshot. Workshop on Federated Identity and (OpenStack) Cloud Services - SWITCH

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Authentication & Authorization systems developed for CTA

GÉANT Community Programme

INDIGO-DataCloud Architectural Overview

Géant-TrustBroker Project Overview

Géant-TrustBroker Dynamic inter-federation identity management

Integrating YuJa Active Learning into Google Apps via SAML

Introduction to SciTokens

SELF SERVICE INTERFACE CODE OF CONNECTION

irods Security Aspects Willem Elbers CLARIN-ERIC, Netherlands

Google SAML Integration

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

LCG User Registration & VO management

openid connect all the things

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Warm Up to Identity Protocol Soup

Challenges in Authenticationand Identity Management

Integrating Federations in the International Grid Trust Fabric

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

Grid Authentication and Authorisation Issues. Ákos Frohner at CERN

FeduShare Update. AuthNZ the SAML way for VOs

Identity Management In Red Hat Enterprise Linux. Dave Sirrine Solutions Architect

LionShare: A Hybrid Secure Network for Academic Collaboration. Michael J. Halm, Marek Hatala, Derek Morr and Alex Valentine

A Simplified Access to Grid Resources for Virtual Research Communities

Configuration Guide - Single-Sign On for OneDesk

TCS SAML demo background

Configuring Single Sign-on from the VMware Identity Manager Service to Marketo

Introducing Shibboleth. Sebastian Rieger

CIAM: Need for Identity Governance & Assurance. Yash Prakash VP of Products

APM Proxy with Workspace One

Federated Identities and Services: the CHAIN-REDS vision

Configuring Single Sign-on from the VMware Identity Manager Service to Trumba

Globus Online: File Transfer Made Easy!

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Sirtfi for Security Incidents in a Federated Context. Tom Barton, UChicago & Internet2

Federated Services and Data Management in PRACE

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

SAP Security in a Hybrid World. Kiran Kola

DSIT WP1 WP2. Federated AAI and Federated Storage Report for the Autumn 2014 All Hands Meeting

Identity Harmonisation. Nicole Harris REFEDS Coordinator GÉANT.

Administering Jive Mobile Apps

Connect. Communicate. Collaborate. GN2 JRA5 update. Jürgen Rauschenbach (DFN), JRA5 team 04/02/08 Marseille. JRA5 Team

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Securing ArcGIS for Server. David Cordes, Raj Padmanabhan

Identity Provider for SAP Single Sign-On and SAP Identity Management

CILogon Project

O365 Solutions. Three Phase Approach. Page 1 34

Federated Services for Scientists Thursday, December 9, p.m. EST

SafeNet Authentication Manager

VMware Workspace ONE Quick Configuration Guide. VMware AirWatch 9.1

eidas cross-sector interoperability

GN2 JRA5: Roaming and Authorisation

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Access Manager Appliance 4.4 Service Pack 2 Release Notes

Integrating YuJa Active Learning with ADFS (SAML)

Distributing Secrets. Securely? Simo Sorce. Presented by. Red Hat, Inc.

education federation CUC 2005, Dubrovnik High-quality Internet for higher education and research

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

TextExpander Okta SCIM Configuration

dcache: challenges and opportunities when growing into new communities Paul Millar on behalf of the dcache team

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Transcription:

RCauth.eu / MasterPortal update Mischa Sallé msalle@nikhef.nl 5 th AARC face-to-face meeting, Aθηνα 21 March 2017 Mischa Sallé (Nikhef) 1 / 11

Reminder of motivation Access to X.509 resources made easy 1 Science Gateway scenario (browser-central) need simple api to get user certificates Compared to US Europe decentralized/multi-federated: need layered setup intermediaries: MasterPortals between central CA and O(many) science gateways similar position as IdP/SP proxies in einfras/researchinfras 1 https://aarc-project.eu/digital-certificates-behind-the-scenes-the-aarc-cilogon-pilot/ Introduction Mischa Sallé (Nikhef) 2 / 11

Ingredients Single RCauth.eu single, fully IGTF accredited online CA edugain + R&S + Sirtfi Few Master Portals Scalable trust model Handling the complexity (end-entity-cert to proxy-cert) Caches the credentials VOMS integration Many Science gateways / VO portals Easy integration using OIDC authz flows access Architecture Mischa Sallé (Nikhef) 3 / 11

Architecture Architecture Mischa Sallé (Nikhef) 4 / 11

Software status Use new upstream code, now (also) on github (used both in MasterPortal and RCauth.eu itself) Upstream has improved OIDC support (towards CIlogon-2) signed id token /.well-known/openid-configuration Generic MasterPortal ansible scripts now also on github https://github.com/rcauth-eu/ Status update Mischa Sallé (Nikhef) 5 / 11

Sustainability & Support Software support: Try to push back our patches joint RCauth proposal (EGI, EUDAT, GÉANT...?): e.g. HA setups Integration Master Portals (next slides) Training in AARC2? Status update Mischa Sallé (Nikhef) 6 / 11

Position in the Blue Print Architecture R Reputation Service AA: OTHER AA: OIDC AA:SAML Step up AuthN SAML SP X.509 SP National federations (edugain) OIDC SP OAuth2 SP Authenticated User X.509 OIDC SAML SAML X.509 Other SP X.509 OIDC Token Translation Service OIDC OAuth2 SAML NonWeb Other Other Social ID Other Other egovid Other AARC Blueprint Architecture User Unauthenticated User Authenticated User Authorisation Information Flow Attribute Information Flow User Identitiy User Attribute Services Identity Access Management Authorisation "Proxy" Community Authorisation Policy Repository End Services Attribute Authorities Status update Mischa Sallé (Nikhef) 7 / 11

Infrastructure integration (MasterPortals) MasterPortal TTS, close to or inside IdP/SP proxy Infra Integrations (order of appearance): ELIXIR is running our implementation of a MasterPortal EGI is also running our implementation: next to CheckIn, looking e.g. at HA INDIGO is integrating MasterPortal within WaTTS 2 EUDAT is testing our implementation, considering integration within Unity-IdM 3 PRACE: ongoing discussions, need to look at the use-cases. 2 Demo/talk Uros 3 Demo from Shiraz/Nicolas Status update Mischa Sallé (Nikhef) 8 / 11

VOMS integration MasterPortal can already return VOMS proxies, but user must be provisioned Need user attributes, but also DN IdP/SP proxy is ideal location acting as OIDC client to RCauth (like a MasterPortal) get cert subject dn VOMS provisioning @IdP/SP proxy: create e.g. a COmanage plugin useful discussions and planning with Benn, Peter, Nicolas at plugfest basic provisioning/deprovisioning plugin planned soon (before end AARC1?) no changes needed to existing VOMS servers, but do need VO-admin mapping of e.g. Role is not yet fully clear Status update Mischa Sallé (Nikhef) 9 / 11

Open issue: account linking How to deal with multiple identities in RCauth? (Different IdP gives different DN: epuid DN token translation) could link DNs at every SP (bad) could link DNs inside VOMS (ok but depends on how) could link all epuids (or similar) in central IdP/SP proxy: use preferred IdP as default idphint for RCauth can do VOMS provisioning for all identities alternative: linking in MasterPortal: idphint-per-user list multiple identities are known and sufficient for returning proxy cert but one is preferred and used for end-entity cert creation Status update Mischa Sallé (Nikhef) 10 / 11

Some References Demos: https://rcdemo.nikhef.nl/ email me your RCauth DN for provisioning into rcdemo.aarc-project.eu test VO Blog post: https://aarc-project.eu/digital-certificates-behind-the-scenes-the-aarc-cilogon-pilot/ Our setup: https://wiki.nikhef.nl/grid/aarc_pilot also contains links to CIlogon code, MyProxy protocol etc. Pilot ICA 1 (e.g. CP/CPS): https://rcauth.eu/ VOMS: e.g. http://italiangrid.github.io/voms/ Status update Mischa Sallé (Nikhef) 11 / 11

More open issues Need IOTA support on production X.509 resources: compute: EMI: LCMAPS ok, Argus unofficially ok, ARC: needs to implement storage: dcache partially, DPM needs to implement Might need support for OIDC IdPs at central RCauth CA Mischa Sallé (Nikhef) 12 / 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback