CILogon Project

Transcription:

CILogon Project
GlobusWORLD 2010
Jim Basney, jbasney@illinois.edu
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign

This material is based upon work supported by the National Science Foundation under grant numbers 0850557 and 0943633. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Talk Outline
- CILogon project overview
- Software component updates and highlights (MyProxy, GridShib CA, GSI-SSHTerm)
- Introduction to the CILogon Service
  - A federated certification authority

CILogon Project Goals
- Foster secure, usable authentication for cyberinfrastructure (CI)
- Provide community-driven software support:
  - MyProxy (http://myproxy.ncsa.uiuc.edu)
  - GridShib (http://gridshib.globus.org)
    - Now focused on GridShib CA
  - GSI-OpenSSH (http://grid.ncsa.uiuc.edu/ssh)
- Provide a new service that issues digital credentials to the NSF research community

Software Highlights
- MyProxy
  - MyProxy CA
  - Trust Root Provisioning
  - VOMS support
- GridShib CA
- GSI-SSHTerm
- Usage Reporting

MyProxy CA
- Online Certification Authority (CA)
- Integrates with external identity management systems via PAM, SASL, LDAP, and call-out interfaces
- Integrates with web authentication (SAML/Shibboleth, OpenID) via GridShib CA
- Integrates with Hardware Security Modules (HSMs) and other CA back-ends
- International Grid Trust Federation (IGTF) accredited deployments at NCSA, PSC (in progress), and NERSC
  - Meeting IGTF requirements for certificate extensions, logging, revocation, etc.
- http://myproxy.ncsa.uiuc.edu/ca

MyProxy Trust Root Provisioning
- MyProxy clients support bootstrapping and maintaining trust root configuration: CA certificates, CRLs, etc.
  - myproxy-logon -T obtains trust roots with credential
  - myproxy-get-trustroots installs/updates trust roots for users and services
- Supported by C and Java clients
- http://myproxy.ncsa.uiuc.edu/trustroots
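A check one might run after trust roots have been provisioned, added here as an example and not taken from the slides or from MyProxy itself. It assumes the Globus-style directory layout (`<hash>.0` CA certificate, `<hash>.r0` CRL, `<hash>.signing_policy`) and the usual default locations; the function name, finding labels and 7-day CRL threshold are hypothetical.

```shell
#!/bin/sh
# Audit a trust root directory for gaps that weaken certificate validation.
# Assumed layout (not from the slides): <hash>.0 CA cert, <hash>.r0 CRL,
# <hash>.signing_policy namespace policy.
# Prints one finding per line; returns 0 only when there are no findings.
audit_trustroots() {
    dir=${1:-${X509_CERT_DIR:-$HOME/.globus/certificates}}
    max_age_days=${2:-7}   # hypothetical freshness threshold for CRL files
    findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR $dir"
        return 2
    fi

    for ca in "$dir"/*.0; do
        # An unmatched glob stays literal: no CA certificates installed.
        [ -e "$ca" ] || { echo "NO_CA_CERTS $dir"; return 2; }
        hash=$(basename "$ca" .0)

        # Without a signing policy the CA's namespace is not constrained.
        if [ ! -s "$dir/$hash.signing_policy" ]; then
            echo "NO_SIGNING_POLICY $hash"
            findings=$((findings + 1))
        fi

        # A missing or stale CRL means revocations are not being seen.
        crl="$dir/$hash.r0"
        if [ ! -s "$crl" ]; then
            echo "NO_CRL $hash"
            findings=$((findings + 1))
        elif [ -n "$(find "$crl" -mtime +"$max_age_days")" ]; then
            echo "STALE_CRL $hash"
            findings=$((findings + 1))
        fi
    done

    # Group- or world-writable trust roots let another local user add a CA.
    if [ -n "$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE_BY_OTHERS $dir"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}
# Usage: audit_trustroots "$HOME/.globus/certificates" 7
```

File modification time is only a proxy for CRL freshness; the CRL's own next-update field is the authoritative value.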

MyProxy VOMS Support
- VOMS: Virtual Organization Membership Service
- MyProxy supports:
  - Storing credentials containing VOMS extensions
  - Adding VOMS extensions on the client-side (myproxy-init/myproxy-logon --voms)
  - Adding VOMS extensions on the server-side
    - Avoids need for client-side VOMS software/configuration
  - VOMS authorization in the myproxy-server
    - Setting myproxy-server access control policies based on VOMS attributes
- http://myproxy.ncsa.uiuc.edu/voms

GridShib CA
- GridShib CA 2.0
  - Support for multiple web authentication systems
    - OpenID in addition to Shibboleth
  - Support for different credential retriever clients
    - Python client provided in addition to Java Web Start
  - Use of one-time sessions for credential retriever client authentication
    - Instead of Shibboleth-specific cookies
  - Framework that allows for easy addition of modules for additional functionality.
- http://gridshibca.cilogon.org

GSI-SSHTerm
- Full-featured Java GSISSH client
  - Applet integrates well with portals
  - Java Web Start application runs on the desktop
- Integrated with MyProxy
- Developed by UK National Grid Service
- Recent fixes/improvements:
  - Support gssapi-keyex and gssapi-with-mic methods (RFC 4462)
  - Improved error messages and error handling
  - Ability to force GSI methods only
- http://sourceforge.net/projects/gsi-sshterm/

Usage Reporting
- Globus Usage Metrics added to MyProxy and GSI-OpenSSH
  - http://myproxy.ncsa.uiuc.edu/privacy
  - http://grid.ncsa.illinois.edu/ssh/privacy.html
- Default behavior:
  - Servers send UDP packets to usage-stats.cilogon.org (port 4810)
  - No user identifying information is reported
- To opt-out: set GLOBUS_USAGE_OPTOUT=1 in server environment
- You can configure your own listener to collect usage statistics for your organization
  - Optionally including user information if desired

CILogon Service
- Facilitate campus login to NSF CI
  - Leverage researchers' existing identities at their home institution
  - Ease identity management for researchers and CI providers
- Bridge from: Identity credentials issued by research institutions participating in the InCommon Federation using Shibboleth/SAML web browser single sign-on
- Bridge to: X.509 PKI credentials that satisfy the requirements of NSF CI projects

CILogon Service: Timeline
- September 2009:
  - Federated Login to TeraGrid Deployed (https://go.teragrid.org)
  - CILogon Project Start
- April 2010 (Planned):
  - Prototype Service Deployed
  - TAGPMA Accreditation
- September 2010 (Planned):
  - Operational Service Deployed

Thanks
- For more information:
  - Contact: jbasney@illinois.edu
  - Visit: