Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.


1 Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham

2 Acknowledgments
  NSF ANI-0330543 “NMI Enabled Open Source Collaboration Tools for Virtual Organizations” (Jill Gemmill, John-Paul Robinson)
  N01-LM-3-3513 Advanced Network Infrastructure for Health & Disaster Management (Orthner, Terndrup, Grimes, Gemmill)
  Office of the VPIT and IT Academic Computing
  Von Welch, Tom Scavo (NCSA/UIUC)
  Internet2 MACE and MLIST Working Group members
  Serge Aumont, Olivier Salaun (CRU)
  Members of the MACE-MLIST Working Group

3 A little background
  UAB has a history of centralized identity management and an early interest in PKI, but today runs LDAP-based username/password authentication
  Through UAB's participation in the NMI Testbed we met Shibboleth and the Globus Toolkit
  What would it take to integrate these tools with applications in a manner useful to research collaborations (i.e., VOs)?
  UAB is entering the High-Performance Computing community via faculty acquisitions: an application-focused group and a computing research group

4 What's a Virtual Organization?
  A set of collaborators bound together by a project of common interest, for example:
    very large-scale science projects, e.g., TeraGrid
    half a dozen or so collaborators in a funded multidisciplinary project
    physicians at 60 cancer centers wanting to share clinical data to increase N or to focus on special sub-populations
    an Internet2 Working Group; a conference planning committee
  In general, VO members are from different institutions

5 About Grid Security Infrastructure (GSI)
  Grids (Foster, Kesselman); purpose: to support research VOs
  Implementation: NMI GRIDS, Globus Toolkit
  Keys distributed to each end user; client-server, non-web requirements
  PKI-based security infrastructure using X.509 certificates
  “Surely global PKI is almost here”
  Authorization to be dealt with later
  KEY INSIGHT: separation of identity from the system-specific account

6 Grid Authorization
  Today, the Globus Toolkit provides identity-based authorization mechanisms:
    Access control lists (called grid-mapfiles) that map DNs to local identities (e.g., Unix logins)
    Community Authorization Service (CAS)
    PERMIS and VOMS
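An added example (Go; not code from the Globus Toolkit or from the presentation) of the grid-mapfile mechanism named on this slide: parsing a constructed grid-mapfile and performing the DN-to-local-account lookup that a GSI-authenticated service does, including the case where the client asks for a specific account. The file contents, DNs and account names are made up for the example. The KEY INSIGHT of slide 5 is visible here: the certificate identity and the Unix account are separate things, joined only by this table.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// GridMap is the identity-based ACL from the slide: a certificate subject DN
// maps to one or more local accounts. The first account listed is the default.
type GridMap map[string][]string

// sampleGridMapfile is constructed sample data for this example, not a file
// from the presentation or from any real site.
const sampleGridMapfile = `# grid-mapfile: "<subject DN>" <account>[,<account>...]
"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher" jresearch
"/C=US/O=Example Grid/OU=UIUC/CN=Grid Tester" gtester,gridtest

"/C=US/O=Example Grid/OU=UAB/CN=Shared Instrument" instrument
`

// ParseGridMapfile parses grid-mapfile text. A malformed line is an error rather
// than being skipped: a silently dropped line is a silent change of policy.
func ParseGridMapfile(text string) (GridMap, error) {
	gm := GridMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: subject DN must be quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated subject DN", n)
		}
		dn := line[1 : 1+end]
		fields := strings.Fields(line[2+end:])
		if len(fields) != 1 {
			return nil, fmt.Errorf("line %d: expected one comma-separated account list", n)
		}
		var accounts []string
		for _, a := range strings.Split(fields[0], ",") {
			if a == "" {
				return nil, fmt.Errorf("line %d: empty account name", n)
			}
			accounts = append(accounts, a)
		}
		if _, dup := gm[dn]; dup {
			return nil, fmt.Errorf("line %d: duplicate entry for %q", n, dn)
		}
		gm[dn] = accounts
	}
	return gm, sc.Err()
}

// Authorize is the lookup a Grid service performs after GSI has authenticated
// the peer's certificate. It is an exact string comparison on the DN, so the CA
// and the mapfile author must agree on the DN's encoding; nothing about VO
// membership or roles enters the decision, only "who" the DN is.
func Authorize(gm GridMap, subjectDN, requested string) (string, error) {
	accounts, ok := gm[subjectDN]
	if !ok {
		return "", fmt.Errorf("subject %q is not in the grid-mapfile", subjectDN)
	}
	if requested == "" {
		return accounts[0], nil
	}
	for _, a := range accounts {
		if a == requested {
			return a, nil
		}
	}
	return "", fmt.Errorf("subject %q may not map to account %q", subjectDN, requested)
}

func main() {
	gm, err := ParseGridMapfile(sampleGridMapfile)
	if err != nil {
		panic(err)
	}
	for _, dn := range []string{
		"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher",
		"/C=US/O=Example Grid/OU=UIUC/CN=Grid Tester",
		"/C=US/O=Example Grid/OU=UAB/CN=Unknown User",
	} {
		account, err := Authorize(gm, dn, "")
		fmt.Printf("%s -> %q (err=%v)\n", dn, account, err)
	}
}
```

Because the match is byte-for-byte, a DN the CA encodes differently from the way the mapfile author typed it, and every DN whose certificate was re-issued under a new name, shows up as an authorization failure; that per-user maintenance is the scaling problem the later slides describe.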

7 Early UAB NMI Testbed work
  Using pubcookie (web-enabled single sign-on) for grid authentication, similar to the UVa approach
  Components: a web-based grid portal (OGCE), a web-based CA (PHPKI), and a secure end-user certificate repository
  Details: Robinson, J.-P., Gemmill, J., et al. (2005). Web-Enabled Grid Authentication in a Non-Kerberos Environment. In 6th IEEE/ACM International Workshop on Grid Computing.

8 Central Challenges
  Authorization based on VO membership requires:
    Cross-domain authentication (leverage distributed identity management)
    A “member of VO XYZ” attribute, which is central for access control
    The VO being authoritative for its own membership assignments and roles
    A solution that works for both web and non-web applications

9 What Cross-Domain Security Architectures Exist?
  GRIDS: digital certificates (X.509 / PKI)
    Cross-domain trust can be managed scalably through bridged CAs
    Certificates carry only a user identifier (the DN)
  FEDERATIONS: SAML, Shibboleth, WS-Security
    Digitally signed security assertions
    Assertions carry identity, the AuthN method, and other attributes

10 Don't Existing Solutions Provide What Is Needed by VOs? (No!)
  Single-domain solutions are inadequate
  End-user certificate distribution and management has proven troublesome and non-scalable
  Essential VO (group) membership information is not provided consistently by either architecture
  Most collaboration tools are accessed by web browser (not by client software with a certificate)

11 Observation 1
  The size and vast number of VOs makes it difficult for administrators to manage the identity of each user in the VO (and VO members don't want more passwords to remember)
  Goal: leverage existing identity management infrastructure
  The eduPerson/Shibboleth infrastructure appeared promising for identity management

12 Observation 2
  Identity-based access control methods are inflexible and do not scale
  Goal: use attribute-based access control
  Shibboleth, an attribute transport mechanism linked to identity management, appeared promising

13 Observation 3
  The most important attribute for VOs is “member of VO-XYZ”
  Who is authoritative for VO attributes? The enterprise? (No) The VO? (Yes!)
  How are VO attributes created? Where are VO attributes stored?

14 myVocs Overview (my Virtual Organization Collaboration System)
  myVocs manages attributes

15-19 A Look Inside myVocs (architecture diagram, built up over slides 15 to 19)
  VO Attribute Authority: Users, VOs, VO Members, VO Roles
  VO Space: the VO's application instances (Mail List, CMS, Wiki, Your App), with a VO SP and a VO IdP
  A Shibboleth SP at the entrance to myVocs, accepting logins from federated IdPs: UAB IdP, UIUC IdP, openidp.org IdP, U. Chicago IdP

20 myVocs Membership Management Tool: Sympa
  Mailing lists are central to collaborations: they specify a collection of individuals, define useful member roles, and are generally autonomous
  The Sympa mailing list software supports Shibboleth
  Sympa has an excellent web-based user interface
  The Sympa developers were active collaborators

21-34 Shibboleth Drives myVocs (sequence diagram, built up over slides 21 to 34)
  Components labeled on the diagram: Client Web Browser; CMS (the VO application); WAYF; Identity Federation with the user's home IdP (“Some IdP”, openidp.org in the example); myVocs, containing an ID SP, the VO Attribs store, a VO IdP and a VO SP; Shibboleth on each hop
  Flow as labeled: the browser is sent via the WAYF to the home IdP, which returns Identity Attributes to the myVocs ID SP; myVocs supplies VO Attribs through its VO IdP, and the VO SP protecting the CMS consumes them

35 myVocs automatically provisions
  Application instances (one set per VO)
  Accounts, based on VO membership and roles

36 What is GridShib?
  Authentication: GridShib leverages the existing authentication mechanisms in GT
  Authorization: GridShib provides attribute-based authorization based on Shibboleth
  In short, GridShib adds attribute-based authorization to the Globus Toolkit
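The attribute-based check that Observations 2 and 3 argue for, and that GridShib brings to a Grid resource, as an added example in Go (not code from myVocs, GridShib or the presentation). The attribute names (eduPersonPrincipalName, isMemberOf, voRole), the value formats, the entityIDs and the sample attribute sets are all assumptions constructed for illustration. The property shown is the slide-13 one: a VO membership claim is honored only if the VO's own attribute authority asserted it, and an identity claim only if a trusted home IdP asserted it.

```go
package main

import "fmt"

// Attribute is one (name, value) pair plus the entityID of the IdP whose signed
// assertion carried it, as a Shibboleth SP records after validating the assertion.
// The attribute names and value formats used below are assumptions of this example.
type Attribute struct {
	Name, Value, Issuer string
}

// Authority encodes who is authoritative for what: home IdPs for identity, the
// VO attribute authority (the myVocs VO IdP in the slides) for membership and roles.
type Authority struct {
	IdentityIssuers map[string]bool
	VOIssuer        string
}

// Rule is what a VO-scoped resource requires: membership in VO and, if Roles is
// non-empty, at least one of those roles.
type Rule struct {
	VO    string
	Roles []string
}

// Authorize returns the federated principal when attrs satisfy rule. Each
// attribute counts only if it was asserted by the issuer authoritative for it;
// everything else is ignored rather than trusted.
func Authorize(auth Authority, rule Rule, attrs []Attribute) (string, error) {
	principal, member, roleOK := "", false, len(rule.Roles) == 0
	for _, a := range attrs {
		switch {
		case a.Name == "eduPersonPrincipalName" && auth.IdentityIssuers[a.Issuer]:
			principal = a.Value
		case a.Name == "isMemberOf" && a.Issuer == auth.VOIssuer && a.Value == "vo:"+rule.VO:
			member = true
		case a.Name == "voRole" && a.Issuer == auth.VOIssuer:
			for _, r := range rule.Roles {
				if a.Value == "vo:"+rule.VO+":"+r {
					roleOK = true
				}
			}
		}
	}
	switch {
	case principal == "":
		return "", fmt.Errorf("no identity asserted by a trusted home IdP")
	case !member:
		return "", fmt.Errorf("%s: membership in VO %q not asserted by %s", principal, rule.VO, auth.VOIssuer)
	case !roleOK:
		return "", fmt.Errorf("%s: holds none of roles %v in VO %q", principal, rule.Roles, rule.VO)
	}
	return principal, nil
}

// Constructed sample data for this example (entityIDs and users are fictitious).
const (
	homeIdP = "https://idp.example.edu/shibboleth"
	voIdP   = "https://vo.example.org/idp/shibboleth"
)

var exampleAuthority = Authority{IdentityIssuers: map[string]bool{homeIdP: true}, VOIssuer: voIdP}

var (
	// identity from the campus IdP, membership and role from the VO authority
	memberAttrs = []Attribute{
		{"eduPersonPrincipalName", "jdoe@example.edu", homeIdP},
		{"isMemberOf", "vo:xyz", voIdP},
		{"voRole", "vo:xyz:editor", voIdP},
	}
	// membership claimed by the campus IdP, which is not authoritative for it
	selfAssertedAttrs = []Attribute{
		{"eduPersonPrincipalName", "mallory@example.edu", homeIdP},
		{"isMemberOf", "vo:xyz", homeIdP},
	}
)

func main() {
	rule := Rule{VO: "xyz", Roles: []string{"editor", "admin"}}
	for _, attrs := range [][]Attribute{memberAttrs, selfAssertedAttrs} {
		p, err := Authorize(exampleAuthority, rule, attrs)
		fmt.Printf("principal=%q err=%v\n", p, err)
	}
}
```

Contrast this with the grid-mapfile: adding a collaborator means the VO administrator changes membership in one place, and every resource whose rule names that VO follows, with no per-DN edit anywhere. The issuer check is what makes that delegation safe; without it any IdP in the federation could mint VO memberships.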

37 Software Components
  GridShib for Globus Toolkit: a plugin for GT 4.0
  GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
  GridShib CA: a web-based CA for new grid users
  Visit the GridShib Downloads page: http://gridshib.globus.org/download.html

38 GridShib CA
  The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
  The GridShib CA is protected by a Shibboleth SP and backed by the MyProxy Online CA
  The CA issues short-term credentials suitable for authentication to a Grid SP
  Credentials are downloaded to the desktop via Java Web Start
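What the GridShib CA flow on this slide amounts to, as an added example using Go's standard library (not GridShib CA or MyProxy code): the CA issues a short-lived X.509 credential whose subject is the federated identity the Shibboleth SP attested, and the relying Grid service verifies the chain and independently enforces a lifetime ceiling. The 12-hour ceiling, the subject naming, the ECDSA keys, and the assumption that the user's key pair already exists on the client are all choices of this example, not GridShib's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is this example's policy ceiling; the real GridShib CA / MyProxy lifetime is site configuration.
const MaxLifetime = 12 * time.Hour

// OnlineCA stands in for the MyProxy online CA behind the GridShib CA.
type OnlineCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// GenerateKey uses ECDSA P-256, an assumption of this example; grid CAs of the period issued RSA.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewOnlineCA creates a self-signed CA constructed for this example.
func NewOnlineCA() (*OnlineCA, error) {
	key, err := GenerateKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Grid"}, CommonName: "Example Online CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(5 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &OnlineCA{Cert: cert, Key: key}, err
}

// Issue mints an end-entity certificate for a user the Shibboleth SP in front of the CA
// has just authenticated: no password reaches the CA, only the attested identity (eppn).
func (ca *OnlineCA) Issue(eppn string, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	if eppn == "" || lifetime <= 0 || lifetime > MaxLifetime {
		return nil, fmt.Errorf("refusing: principal %q, lifetime %v (max %v)", eppn, lifetime, MaxLifetime)
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), // keep it strictly positive
		Subject:      pkix.Name{Organization: []string{"Example Grid"}, OrganizationalUnit: []string{"Federated Users"}, CommonName: eppn},
		NotBefore:    time.Now().Add(-time.Minute), // small backdate for clock skew
		NotAfter:     time.Now().Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the Grid service's side: chain the certificate to the trusted CA as of time at,
// and refuse a credential whose validity window exceeds policy even though the CA signed it.
func Verify(caCert, cert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if w := cert.NotAfter.Sub(cert.NotBefore); w > MaxLifetime+time.Minute {
		return fmt.Errorf("validity window %v exceeds policy %v", w, MaxLifetime)
	}
	return nil
}

func main() {
	ca, err := NewOnlineCA()
	key, kerr := GenerateKey()
	if err != nil || kerr != nil {
		panic("CA or key setup failed")
	}
	cert, err := ca.Issue("jdoe@example.edu", &key.PublicKey, 8*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject, "until", cert.NotAfter.Format(time.RFC3339), "verify:", Verify(ca.Cert, cert, time.Now()))
}
```

The lifetime check in Verify is deliberately separate from the one in Issue: the relying party should not depend on the CA's configuration being what it expects, and a short window is what makes the slide-10 problem of distributing and revoking long-lived end-user certificates mostly disappear.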

39 Results of Integration

40 What we have enabled
  Turn-key Grid VO creation through the integration of GridShib and myVocs
  myVocs is used to create and manage VOs
  GridShib allows myVocs users to create Grid credentials and access Grid resources
  Grid resources obtain attributes from myVocs and grant access based on them


42-45 Integration walkthrough (diagram labels)
  42 User registers with myVocs: Identity Auth
  43 VO admin adds user to VO
  44 Grid logon: Identity Auth, Identity, Grid Creds., Grid Id
  45 Grid service invocation: VO Attributes, Grid Creds., Grid Id

46 Remaining Challenges
  Name binding on a global scale
  Attribute aggregation
  Defining VO membership, roles and attributes
  Group and role management
  UAB is currently working on a Shibbolized, GridShib CA-integrated version of the GridSphere Portal (as is a group in Australia)

47 Questions? For more information:
  GridShib: http://gridshib.globus.org/
  myVocs: http://www.myvocs.org/
  Email: jgemmill@uab.edu, jpr@uab.edu, tscavo@ncsa.uiuc.edu, vwelch@ncsa.uiuc.edu

