Published by Jeremiah Neal
2008 © SWITCH
Slide 1: Lousy Introduction into SWITCHaai. Pragma UZH Summit, March 17, 2008. Christoph Witzig, SWITCH
Slide 2: Without AAI
[diagram: University A, Library B, University C; resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; each resource does its own Authorization, User Administration, Authentication and Credentials]
– Tedious user registration at all resources
– Unreliable and outdated user data at resources
– Different login processes
– Many different passwords
– Many resources not protected due to difficulties
– Often IP-based authorization
– Costly implementation of inter-institutional access
Slide 3: With AAI
[diagram: University A, Library B, University C; resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; Authentication, User Administration and Credentials stay at the home organization, the AAI carries them to the resource, the resource keeps Authorization]
– No user registration and user data maintenance at resource needed
– Single login process for the users
– Many new resources available for the users
– Enlarged user communities for resources
– Authorization independent of location
– Efficient implementation of inter-institutional access
Slide 4: SWITCHaai Federation
[chart, January figures: % coverage in higher education, # Resources, # AAI enabled accounts, # Home Organizations; values not recoverable from the page]
Slide 5: SWITCHaai Project Timeline
[timeline: Study, Architecture, Evaluation, Pilot, Implementation, Production; AAA/SWITCH, AAI Subsidies; Shibboleth, Shibboleth 1.3, Shibboleth 2.0]
– Nov 1999: Term AAI first time mentioned in a document
– Nov 2000: AAI Workshop
– 2008
Slide 6: Shibboleth
– Open Source
– Developed by Internet2
– Federated Approach
– Privacy
– National deployment projects in the US, UK and Finland, growing interest in other European countries
– Currently for web resources only - will be extended
– Based on SAML
– Cooperations with Liberty Alliance
– Cooperations with Content Providers (e-journals)
Slide 7: How it works
Slide 8: Virtual Home Organization - VHO
[diagram: Federation Member, Identity Providers, Resource Owner, End User, Admin, VHO User Dir, VHO Policy; some end users without Identity Provider]
– Integrate End Users without Identity Provider
– Resource Owner: AAI-enabled accounts for users without an Identity Provider
– A VHO account is only usable for that resource managed by the Resource Owner
Slide 9: Organisational Framework
– SWITCH acts as SWITCHaai Federation Service Provider
– Federation membership based on signed service agreements
Slide 10: Overview of SLCS and VASH
– SLCS = Short Lived Credential Service
– VASH = VOMS attributes from Shibboleth
[diagram: gLite UI]
Slide 11: Outlook: SAML Support in Grids
Slide 12: Phase 3: SAML Support
Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2
Benefits:
– (Average) User has no certificates anymore
– Introduce SAML gently beyond phase 1 and 2, gain experience
– Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation
– Options open for future
Requires: A means for a service to transform a security token it has into a security token it needs
Slide 13: Security Token Service
– WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS)
– The Security Token Service has a trust relationship with both the client and the service.
Slide 14: Multiple Security Domains
– A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509)
– Multiple STS can be used in a trust chain across security domains (delegated trust)
Slide 15: Use Cases
Grid:
– Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…)
– He needs to obtain a security token that the Grid services understand (X.509)
Non-browser based Shibboleth applications:
– User agent contacts Shibboleth IdP with credential (e.g. username, password)
– User agent receives SAML assertion to be sent to a Shibboleth SP
Slide 16: Issue a proxy X.509
– User authenticates with his credential to a Shibboleth IdP STS and receives a SAML security token
– He requests a proxy X.509 from a Grid STS using the SAML token
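To make the slides 13 to 16 concrete (an STS trusted by both sides, a trust chain across the Shibboleth and Grid domains, and the "issue a proxy X.509" use case), here is an added example that is not part of the SWITCH slides or of any Shibboleth, gLite or WS-Trust implementation. It models the exchange end to end: an IdP-side STS authenticates a user and issues a short-lived SAML-style token, a Grid-side STS that trusts only that IdP transforms the token into a proxy credential, and a Grid service accepts the proxy because it trusts the Grid STS. HMAC over JSON stands in for XML signatures on SAML assertions and for X.509 proxy signing; the names, keys, user directory and lifetimes are all constructed for the example.

```python
# Added example, not from the SWITCH slides. Toy model of the WS-Trust flow on the
# slides: IdP STS -> SAML-style token -> Grid STS -> proxy credential -> Grid service.
# HMAC over JSON stands in for XML-DSig / X.509 signing; all names and keys are constructed.
import hashlib
import hmac
import json
import secrets


def _sign(key: bytes, claims: dict) -> dict:
    """Issue a token: claims plus an HMAC that stands in for the issuer's signature."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def _check(key: bytes, token: dict, audience: str, now: float) -> dict:
    """Verify signature, audience and validity window with the issuer's key; return claims."""
    body = json.dumps(token["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["sig"]):
        raise PermissionError("signature check failed")
    c = token["claims"]
    if c["aud"] != audience:
        raise PermissionError("token issued for a different audience")
    if not c["iat"] <= now < c["exp"]:
        raise PermissionError("token outside its validity window")
    return c


def make_user(password: str, attrs: dict):
    """Constructed directory entry: salted PBKDF2 hash plus Shibboleth-style attributes."""
    salt = secrets.token_bytes(16)
    return (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), attrs)


class IdpSts:
    """Shibboleth-domain STS: username/password in, short-lived SAML-style token out."""

    def __init__(self, name: str, users: dict):
        self.name, self.key = name, secrets.token_bytes(32)
        self._users = users  # username -> (salt, digest, attributes)

    def issue(self, username: str, password: str, audience: str, now: float) -> dict:
        rec = self._users.get(username)
        if rec is None:
            raise PermissionError("unknown user")
        salt, digest, attrs = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            raise PermissionError("authentication failed")
        claims = {"iss": self.name, "sub": username, "aud": audience, "attrs": attrs,
                  "iat": now, "exp": now + 300}  # 5 minute assertion lifetime (constructed)
        return _sign(self.key, claims)


class GridSts:
    """Grid-domain STS: trusts named IdP STSs only, transforms a SAML token into a proxy."""

    def __init__(self, name: str, trusted_idps: dict):
        self.name, self.key = name, secrets.token_bytes(32)
        self._trusted = trusted_idps  # issuer name -> verification key (as federation metadata would carry)

    def exchange(self, saml_token: dict, now: float) -> dict:
        issuer = saml_token["claims"].get("iss")
        if issuer not in self._trusted:
            raise PermissionError(f"no trust relationship with issuer {issuer!r}")
        c = _check(self._trusted[issuer], saml_token, audience=self.name, now=now)
        proxy = {"iss": self.name, "sub": f"/DC=example/O=toygrid/CN={c['sub']}",
                 "aud": "grid-services", "attrs": c["attrs"],
                 "iat": now, "exp": now + 12 * 3600}  # 12 hour proxy lifetime (constructed)
        return _sign(self.key, proxy)


class GridService:
    """A Grid service (e.g. a WMS): trusts the Grid STS only, never sees the IdP token."""

    def __init__(self, grid_sts_key: bytes):
        self._key = grid_sts_key

    def accept(self, proxy: dict, now: float) -> str:
        return _check(self._key, proxy, audience="grid-services", now=now)["sub"]


def build_federation():
    """Constructed trust setup: one IdP STS, one Grid STS trusting it, one Grid service."""
    idp = IdpSts("idp.example.ch", {"alice": make_user("correct horse", {"affiliation": "staff"})})
    grid_sts = GridSts("sts.grid.example", {idp.name: idp.key})
    return idp, grid_sts, GridService(grid_sts.key)


def run_flow(username: str, password: str, now: float = 1_700_000_000.0) -> str:
    """Slide 16 end to end; returns the proxy subject the Grid service accepted."""
    idp, grid_sts, wms = build_federation()
    saml = idp.issue(username, password, audience=grid_sts.name, now=now)
    proxy = grid_sts.exchange(saml, now=now + 1)
    return wms.accept(proxy, now=now + 2)


def rejected(action) -> bool:
    """True if an STS or service refuses the request; used to probe the failure modes."""
    try:
        action()
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print(run_flow("alice", "correct horse"))
```

The point to take from the model is where trust sits: the Grid service holds only the Grid STS key, the Grid STS holds only the keys of the IdP STSs it has agreed to trust, and a SAML token presented directly to the Grid service, an expired token, a token issued for another audience, or a token from an IdP outside the trust list is refused at the boundary it tries to cross. A real deployment replaces the HMACs with signed SAML assertions and X.509 proxy certificates and takes the trusted keys from federation metadata.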
Slide 17: Summary: Interoperability Shibboleth - gLite
– Phase 1: SLCS. Online CA issuing short-lived X.509 certificates based upon authentication at Shibboleth IdP. Operative and in production.
– Phase 2: VASH. Transfers Shibboleth attributes into VOMS; Shib attributes are available to grid resources as part of VOMS AC. Software development finished.
– Phase 3: SAML. Actual phase: design of a WS-Trust STS for SAML and (proxy) X.509. Grid use-case should be the same as the non-Browser-based use-case. Leverage the existing SWITCHaai Shibboleth federation.