
1 Security Token Service (STS): Simplified Credential Management
Henri Mikkonen, Helsinki Institute of Physics
EGI Technical Forum 2012, 18.9.2012, Prague, Czech Republic
EMI is partially funded by the European Commission under Grant Agreement RI-261611

2 Contents
- Motivation
- Related Work
- Technology
- Some Use Cases
- Current State

3 Motivation
- Grid users do not want to handle multiple credentials
  – Users would like to initialize their Grid identity using their existing user credentials
- DCIs (distributed computing infrastructures) would like to use federated identities
  – It is recognized that (inter)national federations are becoming more and more important
- X.509 certificates are and will be required by the majority of the Grid infrastructures for the foreseeable future

4 Related work
- Solutions for X.509 issuance based on existing credentials exist
  – SLCS (Short Lived Credential Service) profile: gLite SLCS, MyProxy, …
  – MICS (Member Integrated Credential Service) profile: Terena TCS, CERN CA, …
- Most of them are Web-based, even though Grid users often use command-line tools
  – i.e. a Web browser must be used as the client, or
  – non-Web client tools need to parse the login forms manually

5 Technology
- Security Token?
  – WS-Security: a collection of statements (claims) about a user or resource
  – Any digital identity that can be attached to a SOAP message: X.509 certificate, SAML assertion, Kerberos ticket, …
- Security Token Service?
  – WS-Trust: a Web service used to issue, renew, validate and cancel security tokens
  – Establishes a trust relationship between different application / security domains

6 Use Case 1
Parties: STS Client Tool, STS, User Database, CA.
1. The user gives a username and password to the STS Client Tool.
2. The client tool sends a Username/Password token to the STS, together with the user's public key and a proof of possession.
3. The STS verifies the token against the User Database.
4. The STS requests a certificate from the CA; the CA issues it.
5. The STS returns an X.509 certificate token; the client tool writes the X.509 certificate and private key to the filesystem.

7 Use Case 2
Parties: STS Client Tool, Home Institute, STS, CA.
1. The user gives a username, password and Home Institute to the STS Client Tool.
2. The client tool authenticates to the Home Institute with the username and password and receives a SAML assertion.
3. The client tool sends the SAML assertion token to the STS, together with the user's public key and a proof of possession.
4. The STS requests a certificate from the CA; the CA issues it.
5. The STS returns an X.509 certificate token; the client tool writes the X.509 certificate and private key to the filesystem.

8 Use Case 2 (trust domains)
Same flow as the previous slide, with the two trust domains marked: the Home Institute that issues the SAML assertion belongs to the SAML Trust Domain, the CA that issues the X.509 certificate belongs to the X.509 Trust Domain, and the STS is the bridge between them.
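The following is an added example, not EMI STS code (the slides show no code): a Python sketch of the WS-Trust Issue exchange from the Technology slide, applied to use cases 1 and 2. It shows what the STS has to check before the X.509 trust domain vouches for a password or SAML identity: digest form, timestamp freshness and nonce replay for the UsernameToken; trusted issuer, validity window and audience for the SAML assertion. Everything outside the OASIS namespace and ValueType URIs is an assumption, labelled in the code: the incoming credential rides in the WS-Security header of the RequestSecurityToken (WS-Trust also allows OnBehalfOf/ActAs), the STS entity ID, user database and trusted IdP list are constructed, the CA is a stand-in lambda returning fake DER bytes, the assertion is unsigned and XML-DSig verification is omitted, and the public key plus proof of possession the diagrams show alongside the token is left out.

```python
import base64, hashlib, hmac, os
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"}
for _p, _u in NS.items(): ET.register_namespace(_p, _u)  # serialized envelopes then use the usual prefixes
ISSUE = NS["wst"] + "/Issue"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
STS_ENTITY_ID = "https://sts.example.org/sts"  # assumed: the audience an IdP puts in assertions meant for this STS
MAX_SKEW = timedelta(minutes=5)                # freshness window for UsernameToken Created timestamps
DEMO_NOW = datetime(2012, 9, 18, 10, 0, tzinfo=timezone.utc)  # fixed clock, constructed so the demo is reproducible
q = lambda prefix, local: "{%s}%s" % (NS[prefix], local)
ts = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
parse_ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
SAML = ('<saml:Assertion xmlns:saml="{ns}" Version="2.0"><saml:Issuer>{iss}</saml:Issuer>'
        '<saml:Subject><saml:NameID>{sub}</saml:NameID></saml:Subject><saml:Conditions NotBefore="{nb}" '
        'NotOnOrAfter="{na}"><saml:AudienceRestriction><saml:Audience>{aud}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>')
def username_token(user, password, now):
    """Client side, use case 1: WSS UsernameToken with PasswordDigest = Base64(SHA-1(nonce + created + password))."""
    created, nonce = ts(now), os.urandom(16)
    tok = ET.Element(q("wsse", "UsernameToken"))
    ET.SubElement(tok, q("wsse", "Username")).text = user
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    ET.SubElement(tok, q("wsse", "Password"), Type=DIGEST).text = base64.b64encode(digest).decode()
    ET.SubElement(tok, q("wsse", "Nonce")).text = base64.b64encode(nonce).decode()
    ET.SubElement(tok, q("wsu", "Created")).text = created
    return tok
def saml_assertion(issuer, name_id, audience, now):
    """Use case 2: constructed, unsigned SAML 2.0 assertion standing in for what the Home Institute IdP issues."""
    return ET.fromstring(SAML.format(ns=NS["saml"], iss=issuer, sub=name_id, aud=audience,
                                     nb=ts(now - timedelta(minutes=1)), na=ts(now + timedelta(minutes=5))))
def build_rst(security_token, token_type=X509V3):
    """WS-Trust RequestSecurityToken (Issue); the credential to transform travels in the WS-Security header."""
    env = ET.Element(q("s", "Envelope"))
    ET.SubElement(ET.SubElement(env, q("s", "Header")), q("wsse", "Security")).append(security_token)
    rst = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = ISSUE
    ET.SubElement(rst, q("wst", "TokenType")).text = token_type
    return ET.tostring(env)
def extract_certificate(rstr_bytes):
    """Client side: the DER certificate carried in the response's BinarySecurityToken."""
    return base64.b64decode(ET.fromstring(rstr_bytes).find(".//wsse:BinarySecurityToken", NS).text)

class STS:
    """Server side: the Issue operation only, as on the Current State slide."""
    def __init__(self, users, trusted_idps, ca, clock):
        self.users, self.trusted_idps, self.ca, self.clock = users, trusted_idps, ca, clock
        self.seen_nonces = set()  # replay cache; a real deployment expires entries after MAX_SKEW
    def issue(self, rst_bytes):
        env = ET.fromstring(rst_bytes)
        rst = env.find("s:Body/wst:RequestSecurityToken", NS)
        if rst is None or rst.findtext("wst:RequestType", namespaces=NS) != ISSUE \
                or rst.findtext("wst:TokenType", namespaces=NS) != X509V3:
            raise ValueError("only Issue of an X.509 token is supported")
        sec = env.find("s:Header/wsse:Security", NS)
        ut, sa = ((sec.find("wsse:UsernameToken", NS), sec.find("saml:Assertion", NS))
                  if sec is not None else (None, None))
        subject = self._check_username_token(ut) if ut is not None else self._check_saml(sa)
        return self._rstr(self.ca(subject))
    def _check_username_token(self, ut):
        user = ut.findtext("wsse:Username", namespaces=NS)
        pw = ut.find("wsse:Password", NS)
        if pw is None or pw.get("Type") != DIGEST:
            raise ValueError("only PasswordDigest is accepted")
        created = ut.findtext("wsu:Created", namespaces=NS)
        nonce = base64.b64decode(ut.findtext("wsse:Nonce", namespaces=NS))
        if abs(self.clock() - parse_ts(created)) > MAX_SKEW or nonce in self.seen_nonces:
            raise ValueError("stale or replayed UsernameToken")
        # Compute the digest even for unknown users so timing does not reveal which names exist.
        expected = hashlib.sha1(nonce + created.encode() + self.users.get(user, "").encode()).digest()
        if user not in self.users or not hmac.compare_digest(expected, base64.b64decode(pw.text)):
            raise ValueError("authentication failed")
        self.seen_nonces.add(nonce)
        return user
    def _check_saml(self, a):
        # XML-DSig verification against IdP metadata is omitted; without it the SAML trust domain is not enforced.
        if a is None or a.findtext("saml:Issuer", namespaces=NS) not in self.trusted_idps:
            raise ValueError("no assertion from an issuer in the SAML trust domain")
        cond, now = a.find("saml:Conditions", NS), self.clock()
        if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
            raise ValueError("assertion outside its validity window")
        if STS_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            raise ValueError("assertion not addressed to this STS")
        return a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    def _rstr(self, cert_der):
        env = ET.Element(q("s", "Envelope"))
        rstr = ET.SubElement(ET.SubElement(env, q("s", "Body")), q("wst", "RequestSecurityTokenResponse"))
        bst = ET.SubElement(ET.SubElement(rstr, q("wst", "RequestedSecurityToken")),
                            q("wsse", "BinarySecurityToken"), ValueType=X509V3)
        bst.text = base64.b64encode(cert_der).decode()
        return ET.tostring(env)

def demo_sts():
    """Constructed deployment: one local user, one trusted IdP, a stand-in CA that returns fake DER bytes."""
    return STS(users={"alice": "correct horse"}, trusted_idps={"https://idp.example.org/idp"},
               ca=lambda subject: b"DER-certificate-for:" + subject.encode(), clock=lambda: DEMO_NOW)
```

Usage: `extract_certificate(demo_sts().issue(build_rst(username_token("alice", "correct horse", DEMO_NOW))))` returns the stand-in certificate for alice; sending the same RST twice is rejected because the nonce is already in the replay cache, and an assertion whose Audience is not the STS entity ID or whose issuer is outside `trusted_idps` is rejected before any certificate request reaches the CA. The nonce cache is what turns a captured UsernameToken into a single-use credential; the digest alone does not, since the digest is stable for a given nonce and Created value.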

9 Use Case 3
Parties: STS Client Tool, Home Institute (SAML Trust Domain), STS, VOMS, CA (X.509 Trust Domain).
1. The user gives a username, password and Home Institute to the STS Client Tool.
2. The client tool authenticates to the Home Institute with the username and password and receives a SAML assertion.
3. The client tool sends the SAML assertion token to the STS, together with the user's public key, a proof of possession and VO information.
4. The STS requests attributes from VOMS; VOMS issues an attribute certificate.
5. The STS requests a certificate from the CA; the CA issues it.
6. The STS returns an X.509 proxy certificate token; the client tool writes the X.509 proxy certificate chain and private key to the filesystem.

10 Use Case 4
Parties: Web browser, Grid Portal, Home Institute (SAML Trust Domain), STS, VOMS, CA (X.509 Trust Domain).
1. The user accesses the Grid Portal with a Web browser and authenticates to the Home Institute with a username and password; the Home Institute issues a SAML assertion.
2. The Grid Portal sends the SAML assertion token to the STS, together with a public key, a proof of possession and VO information.
3. The STS requests attributes from VOMS; VOMS issues an attribute certificate.
4. The STS requests a certificate from the CA; the CA issues it.
5. The STS returns an X.509 proxy certificate token, and the Grid Portal accesses Grid services using the user's proxy.

11 Current State
- The server side for the presented use cases is mostly implemented (Issue operation)
  – Incoming token formats: Username/Password, SAML assertion
  – Outgoing token formats: X.509, X.509 proxy
  – See live demonstrations at this event
- The first official release will be a part of EMI-3 Monte Bianco

12 More at two other sessions
- Wednesday 19.9.2012: AAI Workshop
  – Henri Mikkonen: “EMI STS – Transforming the Existing User Credentials for the Grid”
- Thursday 20.9.2012: EMI Security for Grids and Clouds
  – Henri Mikkonen: “EMI STS – Status Update”
  – Carolina Lindqvist: “Exploring the SAML 2.0 ECP Profile”

13 Thank you! Questions?
Henri Mikkonen
