Enabling Collaborations via a Transformative Virtual Organization Platform Dr. Gordon K. Springer University of Missouri-Columbia CS Department Seminar.

1 Enabling Collaborations via a Transformative Virtual Organization Platform Dr. Gordon K. Springer University of Missouri-Columbia CS Department Seminar Series Columbia, Missouri May 6, 2008

2 Overview
- Problem and implications
- Shibboleth
  - Concepts and protocol overview
  - Advantages and shortcomings
- The entitlements repository
  - Design and implementation
  - Demonstration
- Conclusion
5/06/2008

3 Introduction
- Interconnected computing resources, data repositories, research tools and information sources are widespread
- Research institutions develop projects that access and share computing, information and research resources belonging to other institutions, forming virtual organizations (VOs)

4 Virtual Organization
- A virtual organization is an umbrella organization encompassing research institutions that share a common goal. They come together by sharing resources, leveraging each other's knowledge and providing access to research and learning tools
- The goal of any virtual organization is to give its member institutions a secure, robust and interoperable inter-institutional collaborative research environment

5 The Great Plains Network
The Great Plains Network (GPN) has created a virtual organization of Midwestern research universities working to provide an efficient collaborative research environment for their members

6 The GPN Network [map slide]

7 GPN Today [map slide]

8 Mission
Enhance competitiveness and economic benefit by providing leadership in advanced high-performance applications and network technologies, enabling the Great Plains region to lead in innovative learning/educational environments and collaborative research.

9 GPN Collaborative Framework [diagram slide]

10 The Problem
- What are the key issues in providing a secure, robust and efficient inter-institutional collaborative environment?
- Which technologies satisfy these requirements?

11 Key Issues
- Security of computing resources, networks, communications and personal information
- Authentication and authorization of users to remote resources are the central issues in distributed computing

12 Key Issues
- Authentication
  - The process of establishing that an entity (e.g., a user or a service) is who it claims to be
  - Usernames and passwords, public/private key pairs, or smart cards combined with something the entity knows (e.g., the answer to a question presumably only that entity can answer)
- Authorization
  - The process of determining, once an entity has been authenticated, whether it may access a particular resource
  - Authorization always presupposes a prior authentication

13 Key Issues
- Trust
  - Member institutions need to establish a trust relationship in order to share resources
- Privacy
  - User identity privacy
  - Passive privacy: the user has no control over their identity credentials
  - Active privacy: the user has strict control over their identity credentials

14 Shibboleth
- Shibboleth is an Internet2 standards-based architecture, policy framework and technology implementation used to support the sharing of computing resources
- Shibboleth is a middleware initiative that offers a mechanism to authenticate and authorize inter-institutional user access to protected resources

15 Shibboleth
- Shibboleth controls access to a resource without the resource ever seeing the user's identity credentials (username and password)
- Shibboleth protects a resource as effectively as a username and password would
- Shibboleth protection is based on group membership and the attributes that describe that membership, rather than on the identification of a particular entity

16 Group Membership vs Individual Credentials
- Individual credentials: each entity needs a username and password for every shared resource
- Group membership is described by attributes such as "student", "manager", "enrolled in CS 1001" or "member of the GPN VO group"

17 Example
- The University of Missouri wants to share access to its computing cluster
- A group of researchers from other GPN VO member institutions want to use it
- All authorized users from GPN VO institutions carry the attribute "member of the GPN VO group"
- The goal is to let VO administrators or their delegates create and manage these attributes across institutional boundaries

18 Shibboleth Key Concepts
- Shibboleth requires a single username and password pair for access to a potentially huge number of resources
- Shibboleth enforces the order: authentication first, then authorization
  - The user's home institution (the identity provider, IdP) authenticates the user and stores the user's institutional attributes
  - The remote shared resource (the service provider, SP) authorizes the user from the attributes sent by the home institution. (Our system adds a separate Entitlement Server for VO attributes)

19 Shibboleth Key Concepts
- Shibboleth supports active privacy: a user can decide which of their attributes are released to a shared resource
- Shibboleth provides the framework for establishing a trust fabric within a virtual organization
  - Collaborative trust: negotiating the attribute structure and values (e.g., the eduPerson object class), the security level of the infrastructure, and policies
  - Certificate Authorities

20 Shibboleth Components
- An identity provider is the Shibboleth entity that authenticates a user and answers attribute queries from the service provider
- A service provider is the Shibboleth entity that communicates with the user and with the user's identity provider at the home institution, and makes the access-control decision based on the user's attributes
- A Where Are You From (WAYF) service is an independent service operated by a virtual organization. Its purpose is to identify a user's home institution and redirect the user to that institution's authentication system

21 Shibboleth Protocol
[Diagram: message flow among the WAYF, the Identity Provider (Identity Directory, Handle Service, Attribute Authority) and the Service Provider (SHIRE, SHAR, Resource Manager, Resource). Credentials, the handle and the attributes are exchanged in ten numbered steps.]

22 Attributes of Group Membership
- Attributes are central to the Shibboleth architecture, as they carry the group membership information
- An attribute is a name-value pair; a name may carry several values
- Attributes are stored at the identity provider
- We distinguish two types of attributes: institution-related attributes and virtual-organization-related attributes
- An entitlement is an attribute value that grants a user access to a specific resource or group of resources

23 Institution Related Entitlements
- eduPerson is an object class used by identity directories to describe the attributes used by academic institutions. eduPersonPrimaryAffiliation = "faculty", eduPersonPrincipalName = "springer@missouri.edu" and eduPersonEntitlement are some of the defined eduPerson attributes
- eduPersonEntitlement is the attribute whose values are left open: it carries URIs defined by the deploying organization. eduPersonPrimaryAffiliation, by contrast, is restricted to a controlled vocabulary such as "faculty", "student", "member" or "staff"

24 Virtual Organization Entitlements
- GPN registered the namespace urn:mace:greatplains.net to be used as the prefix for new VO-related entitlements, such as urn:mace:greatplains.net:biosci
- The suffix ("biosci") is what the service provider uses for fine-grained control over which shared resources a user may access

25 Example
- A user may have the "faculty" or "enrolled in CS 1001" institution-related attributes stored in their eduPerson object
- In order to use a resource that requires membership in the "biogrid" group, denoted by the "urn:mace:greatplains.net:biogrid" VO entitlement, the user needs an entry in a repository somewhere that links their identity to that VO entitlement
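The service provider's side of slides 22 to 25, as an added example in Go. This is not code from the presentation or from the GPN prototype: the "name = value" attribute text, the resource names, the DemoRules policy and the faculty/staff restriction on "biotools" are all constructed for the example (Shibboleth itself delivers attributes inside a signed SAML assertion, not as text). It makes explicit what the slides leave implicit: an entitlement URN is matched as a whole string, so a user holding only "urn:mace:greatplains.net:bio" gets nothing from a rule written for the "biosci" suffix, and a resource with no rule is denied by default.

```go
package main

import (
	"fmt"
	"strings"
)

// Attributes is the attribute set the SP receives for one user. A name may
// carry several values: eduPersonEntitlement in particular is multi-valued.
type Attributes map[string][]string

// ParseAttributes reads "name = value" lines in the style of slide 23. This
// line format is constructed for the example; Shibboleth carries the
// attributes inside a signed SAML assertion, not as plain text.
func ParseAttributes(text string) Attributes {
	a := Attributes{}
	for _, line := range strings.Split(text, "\n") {
		name, value, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		name = strings.TrimSpace(name)
		value = strings.Trim(strings.TrimSpace(value), `"`)
		if name != "" && value != "" {
			a[name] = append(a[name], value)
		}
	}
	return a
}

// Has reports whether the attribute carries exactly this value. The compare
// is whole-string and case-sensitive: a prefix or substring test would let
// "urn:mace:greatplains.net:bio" satisfy a rule written for "...:biosci".
func (a Attributes) Has(name, value string) bool {
	for _, v := range a[name] {
		if v == value {
			return true
		}
	}
	return false
}

// VONamespace is the prefix GPN registered for its VO entitlements (slide 24).
const VONamespace = "urn:mace:greatplains.net"

// VOEntitlement qualifies a resource suffix with the VO namespace, so rules
// are always written against the full URN and a bare suffix is never accepted.
func VOEntitlement(suffix string) string {
	return VONamespace + ":" + suffix
}

// Rule is the per-resource policy held at the SP: one of AnyEntitlement is
// required, and when Affiliations is non-empty the user's
// eduPersonPrimaryAffiliation must also be one of them.
type Rule struct {
	AnyEntitlement []string
	Affiliations   []string
}

// Authorize is the SP's access-control decision for one resource. Unknown
// resources and users with no matching entitlement are denied (default deny).
func Authorize(rules map[string]Rule, resource string, a Attributes) (bool, string) {
	rule, ok := rules[resource]
	if !ok {
		return false, "no rule for " + resource + ": default deny"
	}
	if len(rule.Affiliations) > 0 {
		accepted := false
		for _, aff := range rule.Affiliations {
			accepted = accepted || a.Has("eduPersonPrimaryAffiliation", aff)
		}
		if !accepted {
			return false, "affiliation not accepted for " + resource
		}
	}
	for _, e := range rule.AnyEntitlement {
		if a.Has("eduPersonEntitlement", e) {
			return true, "granted by " + e
		}
	}
	return false, "no VO entitlement for " + resource
}

// DemoRules are hypothetical SP rules for two shared resources; the resource
// names and the faculty/staff restriction on biotools are assumptions.
var DemoRules = map[string]Rule{
	"cluster":  {AnyEntitlement: []string{VOEntitlement("biogrid"), VOEntitlement("biosci")}},
	"biotools": {AnyEntitlement: []string{VOEntitlement("biogrid")}, Affiliations: []string{"faculty", "staff"}},
}

func main() {
	// Constructed attribute release for one user; not real data.
	user := ParseAttributes(`
		eduPersonPrincipalName = "springer@missouri.edu"
		eduPersonPrimaryAffiliation = "faculty"
		eduPersonEntitlement = urn:mace:greatplains.net:biosci
		eduPersonEntitlement = urn:mace:greatplains.net:bio
	`)
	for _, r := range []string{"cluster", "biotools", "wiki"} {
		ok, why := Authorize(DemoRules, r, user)
		fmt.Printf("%-8s %-5t %s\n", r, ok, why)
	}
}
```

The rules live at the SP because that is where slide 30 puts the authorization decision; the entitlement values themselves come from the IdP or, in the design that follows, from the entitlement server. Keeping Has an exact compare is the one property to preserve if this is ported to a real policy engine.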

26 Shibboleth Advantages
- Shibboleth creates the policy framework for establishing a trust fabric in a virtual organization
- Shibboleth decouples authentication from authorization, reducing the username and password management overhead
- Shibboleth preserves user identity privacy across shared resources
- Shibboleth is based on open standards and has an open-source implementation

27 Shibboleth Shortcomings
- There are security risks in allowing external entities to manage entitlements in another institution's identity management system
- The eduPerson object class does not accommodate significant changes to its format that would let VO entitlements be stored in its structure, which limits fine-grained authorization
- Signet and Grouper simplify attribute management, but within the scope of a single IdP populating the eduPerson object class. A VO has multiple IdPs, each of which would have to incorporate the VO entitlements for the VO to be properly supported

28 The Entitlements Repository
- Defines, manages and uses virtual organization (VO) entitlements that do not refer to any particular user or institution
  - They capture the idea of a shared resource that needs to be made available to any entitled entity from any member organization
- Allows refined authorization for any virtual organization

29 The Entitlements Repository
- Separates the VO entitlements ("member of the GPN VO group") from the institution-related entitlements ("faculty")
- The entitlements repository maintains the VO entitlements separately from the institutional entitlements held at the identity provider
- The entitlements repository gives the virtual organization decision power over its own entitlements

30 The Fine-Grained Authorization Design
- The identity provider is in charge of authenticating users
- The service provider is in charge of the authorization decisions
- The entitlements repository is in charge of defining and managing VO entitlements and of serving entitlement queries and updates
Together, the identity provider, the service provider and the entitlements repository create a secure and robust collaboration environment for use by any VO.

31 Entitlements Repository Design
[Diagram: users 1..n authenticate at their own IdP 1..n; each SP 1..n receives the IdP's authorization assertion and then performs VO-entitlement-based authorization against the VO Entitlement Server.]

32 The Entitlements Repository Components
- The entitlements server is the main component of the repository. It maintains the VO entitlements database and communicates securely with its clients
- The entitlements client connects to the server from a service provider to issue queries
- The entitlements client is also used by administrative users, through a web interface, to manage the VO entitlements stored by the server

33 Entitlement Server Integration with Shibboleth
[Diagram: the slide 21 flow (WAYF; Identity Provider with Identity Directory, Handle Service and Attribute Authority; Service Provider with SHIRE, SHAR, Resource Manager and Resource) extended with the Entitlement Server and its database (ES DB). The service provider passes the user's handle and a command to the Entitlement Client, which queries the Entitlement Server for the VO entitlement and receives a YES/NO answer; an Administrative User sends commands with credentials through the Entitlement Client App and likewise receives YES/NO. Fourteen numbered steps in all.]

34 Simplified Design
[Diagram: User, Service Provider, Entitlement Server and Identity Provider; step 1 is the user's page request by URL, followed by steps 2 to 6.]
TCP/IP connections use public key encryption for authentication and privacy

35 Getting Authenticated [screenshot]

36 Entering the VO Environment [screenshot]

37 A Menu of Services [screenshot]

38 Not Everyone is Authorized [screenshot]: when Peter asks for Biotools he is refused

39 Bioinformatics Tools [screenshot]

40 Entitlement Server User Roles
- USER access: low-privilege role that lets a service provider query a user's VO entitlements in order to determine whether the user can be granted access to its computing resources
- ADMIN access: administrative users have access to the records of their own institution or virtual organization. They can add a record, delete an existing record, and look up or display VO entitlements
- ROOT access: root-level administrative users have access to the entire database; they can add or delete records and search the entire database for VO entitlements

41 The Entitlements Repository Protocol
[Diagram: the Client Application (a service provider or an administrative user) exchanges an Auth message carrying credentials with the Entitlement Server's AUTH/AUTHN and AUTH/AUTHZ components, obtains a Session ID recorded in the Session Time DB and Symkey DB, and then sends commands over a secured message exchange to the SERVICE component backed by the Entitlement DB. Five numbered steps.]

42 Entitlement Server Operation Types
- SP_SETUP is the operation used initially to set up a secure communication channel between the service provider and the entitlement server
- SP_LOOKUP is the operation the service provider uses to query the entitlement server
- SP_USE is the operation used to carry an administrative user's updates and queries to the entitlement server

43 Entitlement Server Databases
- The Entitlement Database stores all the VO entitlements managed by the server
- The Time Database stores session time stamps
- The Symkey Database stores the symmetric keys used to communicate with the various service providers

44 Secure Communication Channel
- All communication with the entitlement server takes place over a 3DES-encrypted channel
- RSA public/private keys are used to establish the symmetric key
- The symmetric key is generated during the SP_SETUP operation
- The symmetric key is valid only for a limited period of time, i.e. one session
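The SP_SETUP and SP_LOOKUP exchange of slides 42 to 44, with the three databases of slide 43, as an added example in Go. It is not the GPN prototype's code, and every name in it (EntitlementServer, SPSetup, SetupSession, the "LOOKUP <handle> <entitlement>" command text, the one-byte Y/N answer) is invented for the example. Assumptions: the service provider generates the session key and wraps it with RSA-OAEP under the server's public key (the slides do not say which side generates it); the key is 32 bytes; sessions last ten minutes; SP_USE is not shown, so entitlement entries are written straight into the map. The slides specify 3DES; AES-256-GCM is substituted here because 3DES is deprecated and, more importantly, encryption without an authentication tag would let an on-path attacker flip a denial into a grant.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

const sessionTTL = 10 * time.Minute // assumed session-key lifetime; the slides give no figure

// EntitlementServer holds the server's RSA key pair and the three databases of slide 43.
type EntitlementServer struct {
	priv     *rsa.PrivateKey
	entitled map[string]map[string]bool // Entitlement DB: handle -> set of VO entitlement URNs
	symkey   map[string][]byte          // Symkey DB: SP id -> 32-byte session key
	expires  map[string]time.Time       // Time DB: SP id -> session expiry
}

func NewEntitlementServer() (*EntitlementServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &EntitlementServer{priv, map[string]map[string]bool{}, map[string][]byte{}, map[string]time.Time{}}, err
}

// SPSetup (server side): unwrap the session key the SP sent and start its clock. The SP id
// is bound into the OAEP label, so a wrapping made for one SP cannot be replayed as another.
func (s *EntitlementServer) SPSetup(spID string, wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, s.priv, wrapped, []byte(spID))
	if err != nil || len(key) != 32 {
		return fmt.Errorf("SP_SETUP: cannot unwrap a 32-byte session key for %s", spID)
	}
	s.symkey[spID], s.expires[spID] = key, time.Now().Add(sessionTTL)
	return nil
}

// SPLookup (server side): answer a sealed "LOOKUP <handle> <entitlement>" with a sealed
// one-byte Y/N, refusing when the SP has no unexpired session.
func (s *EntitlementServer) SPLookup(spID string, msg []byte) ([]byte, error) {
	key, ok := s.symkey[spID]
	if !ok || time.Now().After(s.expires[spID]) {
		return nil, fmt.Errorf("SP_LOOKUP: no valid session for %s, run SP_SETUP first", spID)
	}
	plain, err := Open(key, msg)
	if err != nil {
		return nil, err
	}
	f := strings.Fields(string(plain))
	if len(f) != 3 || f[0] != "LOOKUP" {
		return nil, fmt.Errorf("SP_LOOKUP: malformed command %q", plain)
	}
	answer := "N" // one byte either way, so the ciphertext length does not leak the decision
	if s.entitled[f[1]][f[2]] {
		answer = "Y"
	}
	return Seal(key, []byte(answer))
}

// SetupSession is the SP side of SP_SETUP: make a fresh session key, wrap it with
// RSA-OAEP under the server's public key and hand the wrapping to the server.
func SetupSession(srv *EntitlementServer, spID string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &srv.priv.PublicKey, key, []byte(spID))
	if err != nil {
		return nil, err
	}
	return key, srv.SPSetup(spID, wrapped)
}

// Lookup is the SP side of SP_LOOKUP: seal the command, send it, open the reply.
func Lookup(srv *EntitlementServer, spID string, key []byte, handle, ent string) (bool, error) {
	req, err := Seal(key, []byte("LOOKUP "+handle+" "+ent))
	if err != nil {
		return false, err
	}
	resp, err := srv.SPLookup(spID, req)
	if err != nil {
		return false, err
	}
	plain, err := Open(key, resp)
	return err == nil && string(plain) == "Y", err
}

// aead builds AES-256-GCM over the session key (substituted for the slides' 3DES).
func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal produces nonce || AES-GCM(plain) with a fresh random nonce per message.
func Seal(key, plain []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Open rejects anything whose tag does not verify: tampered, truncated, or sealed under another key.
func Open(key, msg []byte) ([]byte, error) {
	gcm, err := aead(key)
	if err != nil || len(msg) < gcm.NonceSize() {
		return nil, fmt.Errorf("malformed message or key")
	}
	return gcm.Open(nil, msg[:gcm.NonceSize()], msg[gcm.NonceSize():], nil)
}

func main() {
	srv, _ := NewEntitlementServer()
	srv.entitled["handle-42"] = map[string]bool{"urn:mace:greatplains.net:biogrid": true} // constructed entry
	key, _ := SetupSession(srv, "sp.missouri.edu")
	fmt.Println(Lookup(srv, "sp.missouri.edu", key, "handle-42", "urn:mace:greatplains.net:biogrid"))
}
```

Two properties worth checking in any implementation of this design: once the Time DB entry has passed, SPLookup must fail closed and force a fresh SP_SETUP rather than keep using the old key, and the wrapped key must be bound to the SP that sent it (here via the OAEP label) so one SP's setup message cannot be replayed under another SP's name. The handle the SP sends is the opaque Shibboleth handle, not the user's identity, so the entitlement server never learns more than it needs to answer.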

45-50 Entitlement Server Web Interfaces [six screenshot slides]

51 Conclusions
- The entitlement repository and its prototype implementation facilitate secure and robust collaboration between groups of research institutions
- The entitlement repository provides for refined access-control decisions at the service provider
- The entitlement repository lets the virtual organization's own infrastructure control its VO entitlements
- The entitlement repository complements the identity provider

52 Questions?
A Live Tour: https://osprey.rnet.missouri.edu/GPN
