Published by Jeremiah Neal
2008 © SWITCH
Lousy Introduction into SWITCHaai
Pragma UZH Summit, March 17, 2008
Christoph Witzig, SWITCH
Slide 2: Without AAI
(Diagram labels: University A, Library B, University C; Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; Authorization, User Administration, Authentication, Resource, Credentials.)
- Tedious user registration at all resources
- Unreliable and outdated user data at resources
- Different login processes
- Many different passwords
- Many resources not protected due to difficulties
- Often IP-based authorization
- Costly implementation of inter-institutional access
Slide 3: With AAI
(Diagram labels: University A, Library B, University C, AAI; Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; Authorization, User Administration, Authentication, Resource, Credentials.)
- No user registration and user data maintenance at the resource needed
- Single login process for the users
- Many new resources available for the users
- Enlarged user communities for resources
- Authorization independent of location
- Efficient implementation of inter-institutional access
Slide 4: SWITCHaai Federation
(Chart: per-January figures for % coverage in higher education, # Resources, # AAI-enabled accounts, # Home Organizations.)
Slide 5: SWITCHaai Project Timeline
(Diagram: Study, Architecture, Evaluation, Pilot, Implementation, Production; Shibboleth 1.3, Shibboleth 2.0; AAA/SWITCH; AAI Subsidies.)
- Nov 1999: Term AAI first mentioned in a document
- Nov 2000: AAI Workshop
Slide 6: Shibboleth
- Open Source, developed by Internet2
- Federated approach
- Privacy
- National deployment projects in the US, UK and Finland; growing interest in other European countries
- Currently for web resources only; will be extended
- Based on SAML
- Cooperation with Liberty Alliance
- Cooperation with content providers (e-journals)
Slide 7: How it works
Slide 8: Virtual Home Organization (VHO)
(Diagram labels: Federation Member, Identity Provider, Resource Owner, End User, Admin, VHO User Dir, VHO Policy, Identity Providers; some end users without Identity Provider.)
- Integrate end users without Identity Provider
- AAI-enabled accounts for users without an Identity Provider
- A VHO account is only usable for the resource managed by that Resource Owner
Slide 9: Organisational Framework
- SWITCH acts as SWITCHaai Federation Service Provider
- Federation membership based on signed service agreements
(Diagram label: Organisation.)
Slide 10: Overview of SLCS and VASH
- SLCS = Short Lived Credential Service
- VASH = VOMS attributes from Shibboleth
(Diagram label: gLite UI.)
Slide 11: Outlook: SAML Support in Grids
Slide 12: Phase 3: SAML Support
Goal of phase 3: extend the use of SAML in grids beyond what is already provided by phases 1 and 2.
Benefits:
  – The (average) user has no certificates anymore
  – Introduce SAML gently beyond phases 1 and 2, gain experience
  – Compatible with the Shibboleth roadmap (2.0, 2.1) and a WS-Trust STS implementation
  – Options stay open for the future
Requires: a means for a service to transform the security token it has into the security token it needs.
Slide 13: Security Token Service
- WS-Trust defines mechanisms for brokering trust to an authority called a Security Token Service (STS).
- The Security Token Service has a trust relationship with both the client and the service.
Slide 14: Multiple Security Domains
- A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs. Grid X.509).
- Multiple STSs can be used in a trust chain across security domains (delegated trust).
Slide 15: Use Cases
Grid:
  – A Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…)
  – He needs to obtain a security token that the Grid services understand (X.509)
Non-browser-based Shibboleth applications:
  – The user agent contacts the Shibboleth IdP with a credential (e.g. username, password)
  – The user agent receives a SAML assertion to be sent to a Shibboleth SP
Slide 16: Issue a proxy X.509
- The user authenticates with his credential to a Shibboleth IdP STS and receives a SAML security token.
- He requests a proxy X.509 from a Grid STS using the SAML token.
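The two-hop token exchange of slides 13 to 16 (user to Shibboleth IdP STS for a SAML token, then SAML token to a Grid STS for a proxy X.509), modelled as an added Python example that is not part of the SWITCH slides or of any SWITCH software. An HMAC over a JSON body stands in for the XML signature and CA signing of the real WS-Trust/SAML/X.509 messages; the keys, the user store, the issuer names, the lifetimes and the subject DN format are constructed assumptions.

```python
import hashlib
import hmac
import json
import time

# Constructed keys and user store (assumptions, not SWITCH's deployment).
IDP_KEY = b"idp-signing-key"        # Shibboleth IdP STS signing key
GRID_KEY = b"grid-sts-signing-key"  # Grid STS signing key
USERS = {"alice": "correct horse"}  # IdP password store (constructed)
TRUSTED_ISSUERS = {"idp.example.org": IDP_KEY}  # Grid STS trust list

def _sign(key, payload):
    """HMAC stands in for XML-DSig / CA signing: returns (body, signature)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()

def _verify(key, body, sig):
    return hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), sig)

def token_fields(token):
    """Decode a token body back into its claims."""
    return json.loads(token["body"])

def idp_sts_issue_saml(username, password, now=None):
    """Step 1: the user authenticates at the Shibboleth IdP STS with a
    credential (username/password) and receives a signed SAML token."""
    if USERS.get(username) != password:
        raise PermissionError("authentication failed")
    now = time.time() if now is None else now
    assertion = {"issuer": "idp.example.org", "subject": username,
                 "token_type": "SAML", "not_on_or_after": now + 300}
    body, sig = _sign(IDP_KEY, assertion)
    return {"body": body, "sig": sig}

def grid_sts_issue_proxy(saml_token, now=None):
    """Step 2: the Grid STS (second hop of the trust chain) accepts the SAML
    token only from a trusted issuer, checks signature and lifetime, and
    transforms it into a short-lived proxy X.509-style credential."""
    now = time.time() if now is None else now
    claims = token_fields(saml_token)
    key = TRUSTED_ISSUERS.get(claims.get("issuer"))
    if key is None or not _verify(key, saml_token["body"], saml_token["sig"]):
        raise PermissionError("untrusted issuer or invalid signature")
    if now >= claims["not_on_or_after"]:
        raise PermissionError("SAML token expired")
    proxy = {"issuer": "grid-sts.example.org",
             "subject": "/DC=org/DC=example/CN=" + claims["subject"],
             "token_type": "X509-proxy", "not_on_or_after": now + 3600}
    body, sig = _sign(GRID_KEY, proxy)
    return {"body": body, "sig": sig}
```

The Grid STS never sees the user's password: it trusts the IdP's signature, which is the delegated-trust point of slide 14, and rejects a token whose issuer is not in its trust list, whose body was altered, or whose lifetime has passed.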
Slide 17: Summary: Interoperability Shibboleth - gLite
- Phase 1: SLCS
  – Online CA issuing short-lived X.509 certificates based upon authentication at a Shibboleth IdP
  – Operative and in production
- Phase 2: VASH
  – Transfers Shibboleth attributes into VOMS
  – Shib attributes are available to grid resources as part of the VOMS AC
  – Software development finished
- Phase 3: SAML
  – Actual phase: design of a WS-Trust STS for SAML and (proxy) X.509
  – Grid use case should be the same as the non-browser-based use case
  – Leverage the existing SWITCHaai Shibboleth federation