
Slide 1: Interoperability Shibboleth - gLite
Christoph Witzig, SWITCH
TNC 2007 - Copenhagen, 22.5.2007
EGEE-II INFSO-RI-031688, Enabling Grids for E-sciencE, www.eu-egee.org (EGEE and gLite are registered trademarks)

Slide 2: Content (slide footer: Enabling Grids for E-sciencE, EGEE-II INFSO-RI-031688, TNC2007, Kopenhagen, 22.5.2007)
– Introduction
  – Motivation for interoperability Shibboleth - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth
  – General approach
– Phase 1: Short-lived credential service (SLCS)
– Phase 2: Attribute exchange to VOMS
– Outlook: Phase 3
– Other activities in interoperability Shibboleth - Grids
– Summary

Slide 3: Why Interoperability AAI - Grid?
– For AAI federations: add grid resources to the federation
– For Grids: add a huge user base (campus networks)
– For e-Science: a unified user base; bring the stakeholders together (NRENs - Grids)
– For users: simpler management of credentials; easy access to grids

Slide 4: AAI Models
AAI solves the old problem of access control to resources. There are various technologies in use; their usefulness depends on the underlying infrastructure.
1. Passport model (PKI / Grids)
2. Federated identity (Shibboleth)

Slide 5: Passport Model (PKI)
[Diagram: Resource Broker, Computing Element (CE), Worker Node (WN); X.509 Proxy; X.509 w/ VOMS AC; job submission; VO attributes]
VOMS = virtual organization management system; AC = attribute certificate

Slide 6: Federated Identity Model
[Diagram: Home Organization / Identity Provider and Service Provider; steps: 1. attempts access, 2. authN, 3. SAML, 4. authZ]
authN = authentication; authZ = authorization; SAML = security assertion markup language

Slide 7: Topics
– authN at the grid resource
– Attribute-based authZ
– Federation attributes vs VO attributes
– Delegation
– Renewal of credentials

Slide 8: General Approach
EGEE-II:
– April 2006 - Mar 2008
– Year 1: Phase 1 and 2: add interoperability by starting "small", with minimal changes to gLite
– Year 2: Phase 3: extend SAML to selected grid services
EGEE-III:
– Continuation in EGEE-III

Slide 9: Overview Phase 1 and 2
[Diagram]
SLCS = short-lived credential service; VASH = VOMS attributes from Shibboleth

Slide 10: Design Decisions
– SLCS CA and "VOMS SP" independent of each other
  – Separate Service Providers
  – Deployed independently
– SLCS CA independent of the Grid middleware
– VOMS SP only dependent on VOMS


Slide 12: SLCS Profile
SLCS = short-lived credential service (IGTF profile). Minimum requirements:

                       SLCS                                              | X.509 certificate
Certificate issuance   generated based on the Identity Management system | "traditional" Registration Authority (e.g. passport)
Lifetime               < 1 mio sec                                       | < 1 year + 1 month
Revocation             revocation handling optional                      | revocation handling

Slide 13: SWITCHslcs: Operation
– For the user, from the command line: an invisible part of the gLite User Interface [UI] (3.1); can also be installed independently
– For the RA, from a web-based admin tool: can enable or disable individual users (only for his institution); requirements formulated in the CP/CPS; can obtain log information
– SWITCH: operates the service

Slide 14: SWITCHslcs
– The private key is never transferred
– Use a commercial CA and only standard protocols
– Modular design, such that other people can use their own components
– Shibboleth attributes determine the DN
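As an added example (not SWITCHslcs code and not part of the original slides), the two rules from slides 12 and 14 as a CA-side policy check: the SLCS lifetime bound and a DN that the CA derives from the IdP attributes rather than taking it from the user. The DN layout, the attribute names and the sample values are assumptions.

```python
# Added illustration, not SWITCHslcs code: two rules from slides 12 and 14,
# the SLCS lifetime bound and a CA-derived DN. DN layout, attribute names
# and sample values are assumptions.
from datetime import datetime, timedelta

# IGTF SLCS profile: lifetime under 1 million seconds (about 11.6 days);
# classic X.509: under 1 year + 1 month (approximated as 365 + 31 days).
SLCS_MAX_LIFETIME = timedelta(seconds=1_000_000)
CLASSIC_MAX_LIFETIME = timedelta(days=365 + 31)
# Shibboleth attributes the CA needs before it will build a DN (assumed).
REQUIRED_ATTRIBUTES = ("homeOrganization", "uniqueID", "givenName", "surname")
# Constructed sample: a notBefore and attributes as a federation IdP releases them.
SAMPLE_NOT_BEFORE = datetime(2007, 5, 22, 12, 0)
SAMPLE_ATTRIBUTES = {"homeOrganization": "Example University",
                     "uniqueID": "12345@example.org",
                     "givenName": "Alice", "surname": "Example"}

def build_dn(attrs, base_dn="DC=example,DC=org"):
    """Derive the subject DN from IdP attributes; the CA, not the user, picks it."""
    missing = [n for n in REQUIRED_ATTRIBUTES if not attrs.get(n)]
    if missing:  # refuse rather than issue a certificate with a partial DN
        raise ValueError(f"cannot build DN, missing attributes: {missing}")
    def esc(value):  # escape commas so a value cannot smuggle in extra RDNs
        return value.replace(",", r"\,")
    return (f"{base_dn},O={esc(attrs['homeOrganization'])},"
            f"CN={esc(attrs['givenName'])} {esc(attrs['surname'])} "
            f"{esc(attrs['uniqueID'])}")

def classify_lifetime(not_before, not_after):
    """Return the profile a validity period fits: SLCS, classic or non-compliant."""
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    if lifetime < SLCS_MAX_LIFETIME:
        return "SLCS"
    if lifetime < CLASSIC_MAX_LIFETIME:
        return "classic"
    return "non-compliant"

def issue_slcs_subject(attrs, not_before, not_after):
    """Accept a request only within the SLCS profile and return its DN."""
    if classify_lifetime(not_before, not_after) != "SLCS":
        raise ValueError("requested lifetime exceeds the SLCS profile")
    return build_dn(attrs)

def validity(seconds, start=SAMPLE_NOT_BEFORE):
    return start, start + timedelta(seconds=seconds)  # (notBefore, notAfter)
```

The real service signs a CSR generated on the user's side (so the private key never leaves the client); this model covers only the policy decision the CA makes before signing.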

Slide 15: Status SLCS
– Software development finished in 2006
– Accredited by EuGridPMA in February 2007
– Production operation since April 2007
– http://www.switch.ch/grid/slcs


Slide 17: The Problem
Phase 1 ties:
– AAI authentication to the issuance of an X.509 certificate
– AAI attributes to the construction of the DN
Phase 2 intends to make AAI attributes available to grid resources for authorization decisions:
– Which AAI attributes are of interest to a grid resource?
– How does the resource obtain the attributes? (pull vs push)
– Relation to VO attributes
– Deployment issues

Slide 18: Shibboleth Attributes
– Need a common understanding of attributes: given within a federation, but inter-federation access (?)
– In SWITCHaai: attributes are derived from eduPerson
– Only a subset of the attributes is really interesting for grid resources: Home Organization (IdP), Affiliation, Study level and branch, Staff, Member of

Slide 19: Design (1)
VASH:
– VOMS Attributes from Shibboleth
– Shibboleth SP
  – Browser-based
  – Specific for federation and VO
– "lightweight" SP
  – No administrator duties
  – No management of attributes
  – Simply transfers attributes upon user request

Slide 20: Design (2)
– X.509 and proxy X.509 with VOMS AC unchanged
– No change in VOMS (needs version 1.7.10 or higher)
– VO registration not changed
– Administrative domain between the Shibboleth federation and VOMS fully decoupled
– The user manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)
– VASH thus becomes a service which knows the mapping Shibboleth userid - DN, and has to respect data privacy laws

Slide 21: Web Interface VASH Service
[Screenshot]

Slide 22: Status
– Software implementation done
– MJRA1.5 document: https://edms.cern.ch/document/807849/1
– Currently developing plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource:
  – Access to the VOMS AC
  – LCAS/LCMAPS


Slide 24: Phase 3
Goal of phase 3: extend the use of SAML in grids beyond what is already provided by phases 1 and 2. SAML-enable those services with which the user interacts directly:
– WMS
– File access
Benefits:
– The (average) user has no certificates any more
– Introduce SAML gently beyond phases 1 and 2, gain experience
– No modifications on most grid software (--> deployment)
– Compatible with the Shibboleth roadmap (2.0, 2.1) and the ID-WSF implementation
– All options open for the future


Slide 26: Other Activities
– GridShib: Globus; community access to TeraGrid through gateways
– Activities in the UK: Shebangs and ShibGrid; Shintau: attribute aggregation from multiple IdPs
– OMII-Europe: SAML assertions from VOMS

Slide 27: Summary
Interoperability gLite - Shibboleth:
– Phase 1: SLCS service
  – Online CA issuing X.509 certificates based upon authN at a Shibboleth IdP
  – In operation
– Phase 2: VASH
  – Transfers Shibboleth attributes into VOMS
  – Shib attributes are available to grid resources as part of the VOMS AC
  – Software development finished
– Phase 3:
  – Is starting now
  – Idea is to SAML-enable a selected (small) number of grid services (those close to the user)

Slide 28: Q & A

