Single sign-on authentication: introduction GWS-WG session, IVOA interop meeting, Kyoto, May 2005 Guy Rixon.


2 SSO: what does it mean?
1. Allow the user to exercise all pre-agreed rights in the VO by signing on once, per UI, per interactive session, to any conforming UI.
2. As above, but signing on once per session to any conforming UI is sufficient to make all rights available via all conforming UIs.

3 Basic requirements
- Let resource providers make authorization decisions.
- Follow natural patterns of access based on agreements between communities and groups.
- Supply credentials to inform authorization decisions.
- Unlock all user credentials with one sign-on per session.
- Make it as simple as possible (but no simpler!)

4 Axiom: users are registered
- User has to establish an identity once (single registration) to use the VO.
- Has to authenticate this identity to resources to get in.
- Registration generates credentials for authenticating to services.

5 Issue: where are users registered?
- Separately by each service provider (e.g. each archive site)?
- Centrally in the IVO?
- Centrally in a regional VO project?
- In their natural community (e.g. university department)?

6 Issue: when are credentials issued?
- At registration, directly to the human user?
- At session sign-on, to the user's agent?

7 Axiom: we support groups
- Service provider grants access to groups of users.
- Software making the authorization decision needs access to group details and membership.

8 Issue: where are groups defined?
- Separately at each service provider?
- By user communities?
- Same place as users are registered?
- Somewhere else?

9 Axiom: we use digital signatures
- For software agents authenticating to services:
  - We use public-key cryptography
  - We use X.509 identity certificates
  - Certificates issued by CAs
- Cf. human users signing on to the VO at the start of a session:
  - Probably use passwords for that

10 Issue: how are certificates issued?
- Who by?
  - National/commercial CAs (outside the IVO)?
  - Central CA for the IVO?
  - CAs in regional VO projects?
  - CAs in user communities?
- To whom?
  - To human users (reusable, long-term cert.)
  - To software agents (single-session proxy cert.)
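The two-tier credential split of slides 9 and 10 (a long-term X.509 certificate issued by a CA to the human user, a single-session certificate for the user's software agent), worked through as an added Go example; this is not code from the presentation and not an IVOA specification. It uses a simplified model rather than RFC 3820 proxy certificates: the session certificate is signed with the user's own key, and because Go's verifier only accepts a signer that carries the CA flag, the user certificate is marked as a CA with path length zero purely to permit that one step. The CA name, the user identifier "user-0001", the session suffix and all dates and lifetimes are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"strings"
	"time"
)

// Constructed three-tier model (CA -> user -> session), not RFC 3820 proxy
// certificates and not an IVOA specification. The CA issues a long-term
// certificate at registration; at sign-on the user's agent mints a short-lived
// session certificate signed with the user's key.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a fresh key pair for the template and signs the certificate
// with the parent's key (self-signed when parent is nil).
func issue(t *x509.Certificate, parent *identity) *identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signerKey, signerCert := key, t
	if parent != nil {
		signerKey, signerCert = parent.key, parent.cert
	}
	der, err := x509.CreateCertificate(rand.Reader, t, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &identity{cert, key}
}

// caTemplate is shared by the CA and the user certificate. The user certificate
// gets pathLenZero=true: Go only lets a CA-flagged certificate sign another, so
// this is the minimal flag that allows the user key to sign session certificates.
func caTemplate(serial int64, cn string, from time.Time, years int, pathLenZero bool) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: from, NotAfter: from.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: pathLenZero,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

// newSession mints the per-session credential for a software agent: signed by
// the user, valid only for ttl, with a subject that extends the user's subject.
func newSession(user *identity, now time.Time, ttl time.Duration) *identity {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: user.cert.Subject.CommonName + "/session"},
		NotBefore:    now, NotAfter: now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}, user)
}

// VerifySession is the resource provider's check: chain the presented session
// certificate through the registered user certificate to a trusted CA at time
// `at`, then apply two delegation rules (derived subject, no lifetime extension).
func VerifySession(session, user *x509.Certificate, roots *x509.CertPool, at time.Time) error {
	inter := x509.NewCertPool()
	inter.AddCert(user)
	if _, err := session.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inter, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	}); err != nil {
		return err
	}
	if !strings.HasPrefix(session.Subject.CommonName, user.Subject.CommonName+"/") {
		return errors.New("session subject does not derive from the user subject")
	}
	if session.NotAfter.After(user.NotAfter) {
		return errors.New("session certificate outlives the user certificate")
	}
	return nil
}

// DemoCertificates reports three provider-side outcomes: a fresh session
// verifies, the same session is rejected after its 12-hour lifetime, and a
// session minted under a self-signed (never registered) user is rejected.
func DemoCertificates() (freshOK, expiredRejected, unregisteredRejected bool) {
	now := time.Date(2005, time.May, 16, 9, 0, 0, 0, time.UTC) // constructed
	ca := issue(caTemplate(1, "Example VO CA", now, 10, false), nil)
	user := issue(caTemplate(2, "user-0001", now, 1, true), ca)
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert)

	session := newSession(user, now, 12*time.Hour)
	freshOK = VerifySession(session.cert, user.cert, roots, now.Add(time.Hour)) == nil
	expiredRejected = VerifySession(session.cert, user.cert, roots, now.Add(13*time.Hour)) != nil

	rogue := issue(caTemplate(4, "user-0001", now, 1, true), nil) // self-signed, unregistered
	forged := newSession(rogue, now, 12*time.Hour)
	unregisteredRejected = VerifySession(forged.cert, user.cert, roots, now.Add(time.Hour)) != nil
	return
}
```

The point for a provider is that the CA is never contacted at request time: the user's long-term certificate travels as the intermediate, the session certificate is the only thing the agent holds a private key for, and expiry or an unregistered signer is rejected before any group-based authorization decision is made.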

11 Axiom: we support delegation
- Some work is delegated along a chain of services,
  - e.g. Application -> workflow engine -> DAL -> VOStore.
- Delegation of work implies delegation of access rights.

12 Issue: is delegation controlled?
- Does use of a service imply delegation of all the user's access?
- Can the user veto delegation?
- Can the user specify delegation of a specific right?
  - E.g. write once to a particular file on a particular VOStore.
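Slides 7, 8, 11 and 12 together describe an authorization decision that combines group membership held by a community with an access-control list held by the resource provider, reached through a chain of delegating services. The following is an added Go example of that decision, not code from the presentation and not an IVOA specification; the registry and ACL shapes, the `Grant` type, the group name "survey-team", the user identifiers and the VOStore URI are all constructed. It models the three answers slide 12 offers: an unrestricted hop passes on everything, a hop with no entry for a right vetoes it, and a counted entry implements "write once to a particular file".

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed model of "we support groups" and "we support delegation".
// Group membership comes from a community registry; the ACL belongs to the
// resource provider; each hop in a delegation chain carries the subset of
// rights the delegator chose to pass on.

// Right names one operation on one resource, e.g. write on a VOStore file.
type Right struct{ Resource, Op string }

// Grant is what a delegator hands to the next service: either everything the
// user holds (Unrestricted) or an explicit list with a remaining-use count
// per right (-1 for unlimited).
type Grant struct {
	Unrestricted bool
	Rights       map[Right]int
}

// Registry is the community side: group name -> members.
type Registry map[string][]string

// ACL is the provider side: right -> groups permitted to exercise it.
type ACL map[Right][]string

func contains(xs []string, s string) bool {
	for _, x := range xs {
		if x == s {
			return true
		}
	}
	return false
}

// Authorize decides a request by an already-authenticated user for right r,
// arriving via the delegation chain (empty for a direct request). Counted
// grants are consumed only after every hop has passed, so a refusal at a
// later hop does not use up an earlier hop's "write once".
func Authorize(reg Registry, acl ACL, user string, r Right, chain []*Grant) error {
	// 1. Provider policy: is the user in some group permitted this right?
	permitted := false
	for _, g := range acl[r] {
		if contains(reg[g], user) {
			permitted = true
			break
		}
	}
	if !permitted {
		return errors.New("no group of " + user + " is permitted " + r.Op + " on " + r.Resource)
	}
	// 2. Delegation control: every hop must have passed this right along.
	for i, g := range chain {
		if g.Unrestricted {
			continue
		}
		if n, ok := g.Rights[r]; !ok || n == 0 {
			return fmt.Errorf("hop %d did not delegate %s on %s", i, r.Op, r.Resource)
		}
	}
	for _, g := range chain {
		if !g.Unrestricted && g.Rights[r] > 0 {
			g.Rights[r]--
		}
	}
	return nil
}

// DemoDelegation runs the slide's chain: the user delegates a single write on
// one file to the application, which passes through an unrestricted workflow
// engine to the VOStore. It reports: direct access allowed, first delegated
// write allowed, second delegated write refused, delegated read refused.
func DemoDelegation() (direct, onceOK, secondRejected, readRejected bool) {
	reg := Registry{"survey-team": {"user-0001", "user-0002"}} // constructed
	write := Right{"vostore://example.invalid/data/result.fits", "write"}
	read := Right{write.Resource, "read"}
	acl := ACL{write: {"survey-team"}, read: {"survey-team"}}

	direct = Authorize(reg, acl, "user-0001", write, nil) == nil

	app := &Grant{Rights: map[Right]int{write: 1}} // write once, nothing else
	engine := &Grant{Unrestricted: true}           // passes on whatever it received
	chain := []*Grant{app, engine}
	onceOK = Authorize(reg, acl, "user-0001", write, chain) == nil
	secondRejected = Authorize(reg, acl, "user-0001", write, chain) != nil
	readRejected = Authorize(reg, acl, "user-0001", read, chain) != nil
	return
}
```

The two checks are deliberately separate: the group check answers "may this user ever do this here", which only the provider can decide, while the chain check answers "did the user actually delegate this to the services that are asking", which is what distinguishes controlled delegation from "use of a service implies delegation of everything".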

