EDINA Geo/Grid - Security
Prof. Richard O. Sinnott, Technical Director, National e-Science Centre, University of Glasgow, Scotland
EDINA, 20th March 2008 (presentation transcript)


Slide 1: EDINA Geo/Grid - Security (title slide)
Prof. Richard O. Sinnott, Technical Director, National e-Science Centre, University of Glasgow, Scotland
r.sinnott@nesc.gla.ac.uk

Slide 2: Shibboleth Scenario
Parties in the diagram: User; Home Institution acting as Identity Provider (AuthN, LDAP); W.A.Y.F. service; Federation; Service Provider (Shib Frontend, Grid Portal, AuthZ function, Grid Application).
1. User points browser at Grid resource/portal
2. Shibboleth redirects user to W.A.Y.F. service
3. User selects their home institution
4. Home site authenticates user and pushes attributes to the service provider
5. Pass authentication info and attributes to authZ function
6. Make final AuthZ decision
Open questions raised on the slide: What sites + attributes to accept (trust)? What attributes to send? Only see/use what allowed to? (e.g. uid)
Goal: log in once and roam.

Slide 3: SPAM-GP Portlets
Will develop four JSR-168 compliant portlets for VO admins:
- scoped attribute management portlet (SCAMP): done
- dynamic portal configuration management (CCP), e.g. configure portal content based on user privileges (security attributes)
- attribute release policies (ARP), e.g. only release my VO specific attributes to VO partners
- attribute certificate portlet (ACP): securely push attributes out to collaborators (builds on the DyVOSE project dynamic delegation of authority service)


Slide 5: OMII SPAM-GP project: Scoped Attribute Management Portlet (SCAMP)


Slide 10: OMII SPAM-GP project: ACP
DyVOSE - Dynamic Privilege Management Infrastructure
Diagram labels recovered from the slide: PERMIS based authorisation checks/decisions; Glasgow Education VO policies; Edinburgh Education VO policies; Grid-data Client; Grid BLAST Service (implemented by students, takes students' data input); Grid BLAST Data Service (Nucleotide + Protein Sequence DB, LDAP); protein/nucleotide data returned based on student team role; Glasgow SoA using Glasgow DIS to issue Edin. roles; Edinburgh SoA using Glasgow DIS to issue Edin. roles; ACs created for Edin. roles.

Slide 11: Centralised Shibboleth Scenario + VPman project
Parties in the diagram: User; Home Institution acting as Identity Provider (AuthN, LDAP); W.A.Y.F. service; Federation; Service Provider (Grid Portal, AuthZ function, Grid Application); VO wide authZ.
1. User points browser at Grid resource/portal
2. Shibboleth redirects user to W.A.Y.F. service
3. User selects their home institution
4. Home site authenticates user and pushes attributes to the service provider
5. Pass authentication info and attributes to authZ function
6. Make final AuthZ decision

Slide 12: VOMS

Slide 13: VOMS

Slide 14: Existing Demonstration (pushing attributes in SAML)


Slide 22: VOMS'ing

Slide 23: The Scenario
(1) A VOTES diabetes service is deployed on a GT4 infrastructure.
(2) A user runs "voms-proxy-init" to generate a proxy certificate including VOMS credentials
(3) and tries to invoke the protected stored procedure.
(4) The PEP passes the user information (including proxy certificate) to the VOMS PIP.
(5) The VOMS PIP validates the credentials and passes back the VOMS Fully Qualified Attribute Name (FQAN) within the subject attributes.
(6) The PEP calls the PERMIS PDP, pushing the request information and credentials.
(7) The PERMIS PDP, according to the policy, decides if this user with certain attributes is authorised to access the service.
(8) If successful, the stored procedure is invoked, the federated query is run, and the results are joined and returned to the end user.


Slide 25: Successful Nurse Interaction / Unsuccessful Nurse Interaction
Screenshot captions: Successful Nurse role Authorisation of Nurse Client; Unsuccessful Nurse role Authorisation of Doctor Client.
Commands shown:
=> java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml
=> java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml


Slide 27: Successful Nurse Interaction / Successful Doctor Interaction
Screenshot captions: Successful Nurse role Authorisation of Nurse Client; Unsuccessful Nurse role Authorisation of Doctor Client.
Commands shown:
=> java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml
=> java -classpath ./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml

Slide 28: The Scenario with PERMIS (VPMan)
(1) The client attempts to invoke the PERMIS-protected Geronimo service. The PEP extracts the user's DN and identifies that it needs attributes from a VOMS server.
(2) The PEP, via a Subject PIP, pulls back the relevant attributes from the VOMS server
(3) and passes them to the PDP.
(4) The PERMIS PDP makes the decision
(5) and, if OK, the job is submitted via GridSAM to the appropriate Grid resource.
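The PEP / PIP / PDP chain described on slides 23 and 28, with the nurse-permitted / doctor-refused outcomes from slide 25, as an added Python sketch. This is not code from the presentation or from the VOTES, VPMan, VOMS, PERMIS or GT4 software: the DNs, FQANs, attribute store, policy, class names and the "forged role" and "untrusted VO" cases are all constructed for illustration. It covers both the push model (slide 23, where the proxy certificate carries the VOMS attributes) and the pull model (slide 28, where the PIP fetches them by DN), and shows where the slide 2 question "what sites + attributes to accept" is answered.

```python
"""Toy PEP / PIP / PDP authorisation chain in the shape of the VOMS + PERMIS
scenarios on slides 23 and 28. Everything here is constructed: the DNs, the
attribute store, the policy and the requests are made up for illustration."""
from dataclasses import dataclass, field

# Constructed stand-in for a VOMS server's attribute store: DN -> FQANs,
# using the VOMS convention /<vo>/<group...>/Role=<role>.
VOMS_STORE = {
    "/C=UK/O=eScience/OU=Glasgow/CN=nurse client": ["/votes/Role=Nurse"],
    "/C=UK/O=eScience/OU=Glasgow/CN=doctor client": [
        "/votes/Role=Doctor",
        "/othervo/Role=Nurse",  # a role held in a VO the service does not trust
    ],
}
TRUSTED_VOS = {"votes"}
# Constructed PERMIS-style policy: (target, action) -> roles permitted.
POLICY = {("diabetes-service", "invoke-stored-procedure"): {"Nurse"}}

@dataclass
class Request:
    subject_dn: str
    target: str
    action: str
    # FQANs carried in the client's VOMS proxy (push model, slide 23);
    # empty when the PEP only has the DN and must pull them (slide 28).
    pushed_fqans: list = field(default_factory=list)

@dataclass
class Decision:
    permit: bool
    reason: str
    fqans: list  # the attributes the decision was actually based on

def vo_of(fqan):
    # '/votes/Role=Nurse' -> 'votes'
    parts = fqan.split("/")
    return parts[1] if len(parts) > 1 else ""

def role_of(fqan):
    """'/votes/Role=Nurse' -> 'Nurse'; an FQAN with no Role part yields None."""
    for part in fqan.split("/"):
        if part.startswith("Role="):
            return part[len("Role="):]
    return None

class VomsPip:
    """Policy Information Point: turns a subject into validated FQANs."""
    def __init__(self, store, trusted_vos):
        self.store, self.trusted_vos = store, trusted_vos

    def resolve(self, request):
        issued = self.store.get(request.subject_dn, [])
        if request.pushed_fqans:
            # Push model: a real VOMS PIP verifies the attribute certificate's
            # signature; the toy stand-in accepts only FQANs the VOMS store
            # really issued to this DN, so a forged role is dropped here.
            candidates = [f for f in request.pushed_fqans if f in issued]
        else:
            # Pull model: fetch the attributes from the VOMS server by DN.
            candidates = list(issued)
        # Slide 2's trust question: which VOs' attributes do we accept?
        return [f for f in candidates if vo_of(f) in self.trusted_vos]

class PermisStylePdp:
    """Policy Decision Point: role-based policy over (target, action)."""
    def __init__(self, policy):
        self.policy = policy

    def decide(self, request, fqans):
        allowed = self.policy.get((request.target, request.action), set())
        held = {role_of(f) for f in fqans} - {None}
        matched = sorted(held & allowed)
        if matched:
            return Decision(True, f"role {matched[0]} permits {request.action}", fqans)
        return Decision(False, f"roles {sorted(held)} not in {sorted(allowed)}", fqans)

class Pep:
    """Policy Enforcement Point: the service-side gate wiring PIP to PDP."""
    def __init__(self, pip, pdp):
        self.pip, self.pdp = pip, pdp

    def authorize(self, request):
        return self.pdp.decide(request, self.pip.resolve(request))

def run_scenarios():
    """Slide 25 outcomes plus a forged pushed role and an untrusted-VO role."""
    pep = Pep(VomsPip(VOMS_STORE, TRUSTED_VOS), PermisStylePdp(POLICY))
    nurse = "/C=UK/O=eScience/OU=Glasgow/CN=nurse client"
    doctor = "/C=UK/O=eScience/OU=Glasgow/CN=doctor client"
    target, action = "diabetes-service", "invoke-stored-procedure"
    return {
        "nurse_push": pep.authorize(Request(nurse, target, action, ["/votes/Role=Nurse"])),
        "doctor_push": pep.authorize(Request(doctor, target, action, ["/votes/Role=Doctor"])),
        "nurse_pull": pep.authorize(Request(nurse, target, action)),
        "doctor_forged": pep.authorize(Request(doctor, target, action, ["/votes/Role=Nurse"])),
        "doctor_pull": pep.authorize(Request(doctor, target, action)),
    }

if __name__ == "__main__":
    for name, d in run_scenarios().items():
        print(f"{name:14} permit={str(d.permit):5} {d.reason}")
```

The two PIP branches make the design point of slides 23 and 28 visible: in the push model the PEP must validate what the client hands it (here, by checking it against what VOMS issued; in the real stack, by verifying the attribute certificate), while in the pull model the PEP trusts only its own lookup. In both, the PDP never sees an attribute from a VO the service provider has not chosen to trust, which is the trust decision slide 2 asks about.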

