
Slide 1: Earth System Grid Center for Enabling Technologies (ESG-CET) Security. January 7, 2016. Frank Siebenlist, Rachana Ananthakrishnan, Neill Miller. ESG-CET All-Hands Meeting, Boulder, Colorado.

Slide 2: Single Sign On (SSO) Solutions

Slide 3: Single Sign On Solutions
- PKI SSO
  - Single Sign On for non-browser applications
  - MyProxy Online CA
  - Auto-provisioning of trust configuration
- Web SSO
  - Single sign on for http/https applications
  - OpenID

Slides 4-8: MyProxy Login with Provisioning (sequence diagram, built up over five slides)
Components: Application Client + PKI Client, App Svc, Online-CA AuthN Svc (MyProxy), Authentication DB, Provisioning Database, Attribute Service.
- 0. Trusted CA/CRLs
- 1. Login with username/password
- 2. Authentication and attributes retrieval
- 3. Short-term X509 credentials with attributes, CAs, CRLs
- 4. Access using X509 credentials
- 5. Update trust roots

Slides 9-14: Browser Web SSO using OpenID (sequence diagram, built up over six slides)
Components: Browser, Application Server / Service Provider (SP/RP), Identity Provider (IdP), Authentication DB, Site Attribute Service.
- 1. Client accesses application server
- 2. Redirected to Identity Provider
- 3. User authenticates with IdP
- 4. AuthN completed, user identity
- 4. Authenticated call (numbered 4 on the slide as well)

Slide 15: Integrated WebSSO & PKI-SSO (diagram)
Components: AuthN DB (uname, password), PKI Client, MyProxy Online-CA AuthN Svc, OpenID IdP, Browser Client, Web Svc, PKI App Svc.
Edge labels: u/p => X509 creds; u/p => cookie; http-redirect + cookie; X509 PK-authN; trusts CA; trusts IdP.

Slide 16: SSO Integration

Slide 17: Gateway Integration: PKI SSO
- PKI SSO
  - Tested MyProxy Online CA with ESG user database
- Next steps:
  - Install MyProxy on Gateway
  - Plan integration/shipping with Gateway software
  - Bootstrap of MyProxy CA certificate
    - Download from ESG portal
    - Part of ESG client download
    - Investigate pre-configured web start application

Slide 18: Gateway Integration: OpenID SP
- OpenID Service Provider (SP)
  - Provides SSO for gateway portal
  - Prototyped Acegi filter (Gateway team)
- Next steps:
  - Session management in the portal?
  - Configuration of trusted IdPs
    - Add support to OpenID4Java

Slide 19: Gateway Integration: OpenID IdP
- OpenID Identity Provider (IdP)
  - IdP front-end to username/password database
  - Must comply with the following requirements:
    - SSL should be used for communication
    - Identifiers should be Yadis IDs
- Next steps:
  - Design and develop IdP service to host on gateway
    - IdP service shell (Gateway team)
    - OpenID specifics (Argonne team)
  - Integrate with ESG user database

Slide 20: Gateway Integration: Open Issues
- Approved list of IdPs
  - Propagate and update white list of IdPs
    - Enforced at ESG-VO's SPs
  - Support for external IdPs?
    - Maybe commercial IdP with the right "signing-policy"
    - Register with ESG?
- Attribute handling
  - Integrate with IdP
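An added illustration, not code from the ESG project, of how an SP-side filter could enforce the approved IdP list from this slide together with the SSL and Yadis-ID requirements of slide 19: the identifier is normalized OpenID-style, and the OP endpoint found by discovery is accepted only when it is https and its host is on the white-list. The host names are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed white-list of approved IdP hosts (hypothetical names, not ESG's real IdPs).
APPROVED_IDPS = {"idp.gateway-a.example.org", "idp.gateway-b.example.org"}


def normalize_identifier(user_input: str) -> str:
    """OpenID 2.0 style normalization of a URL (Yadis) identifier.

    Adds http:// when no scheme is given, lower-cases scheme and host,
    supplies the "/" path and drops any fragment.
    """
    ident = user_input.strip()
    if "://" not in ident:
        ident = "http://" + ident
    parts = urlsplit(ident)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                       parts.path or "/", parts.query, ""))


def check_idp(op_endpoint: str, approved=APPROVED_IDPS):
    """SP-side trust decision for the OP endpoint returned by discovery.

    Returns (accepted, reason). Two rules from the slides are enforced:
    the endpoint must be reached over SSL, and its host must be on the
    white-list propagated to the ESG-VO's SPs.
    """
    parts = urlsplit(op_endpoint)
    if parts.scheme.lower() != "https":
        return False, "OP endpoint is not https; SSL is required"
    host = (parts.hostname or "").lower()
    if host not in approved:
        return False, "IdP host %s is not on the approved list" % host
    return True, "ok"


if __name__ == "__main__":
    print(normalize_identifier("Alice.IdP.Gateway-A.example.org#me"))
    print(check_idp("https://idp.gateway-a.example.org/openid/server"))
    print(check_idp("http://idp.gateway-a.example.org/openid/server"))
    print(check_idp("https://idp.other.example.net/openid/server"))
```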

Slide 21: Data Publishing Integration: OpenID SP
- Desktop application to publish data
- Two-phase publishing
  - Desktop application is unaware of OpenID
- Integrated desktop application
  - Handle OpenID redirect to IdP
  - OpenID Python libraries
  - Issue with IdP login page
    - Could be added to IdP profile
- Would PKI-based authentication be easier?
  - PKI client authentication can be built in
  - Investigate dual-client authN option on SPs?

Slide 22: Data Node Integration: PKI SSO
- OPeNDAP server
  - Integrate with PKI SSO solution and GridFTP
  - Prototype integration completed (Jose/Stephan)
- Next steps:
  - MyProxy client/library added to ESG distribution
  - Trusted CA installation
    - MyProxy to provision
  - Is OpenID integration required?
  - Issue with delegation of rights for GridFTP?
    - SRM: user access to data servers that don't trust the ESG CA?

Slide 23: Product Server Integration: OpenID SP
- Components: LAS and F-TDS
- Use case: access via portal
  - Token-authentication solutions can be adopted (Gateway team)
- Use case: direct client access?
  - OpenID SP Tomcat filter
- Integration with backend applications
  - Identity push from LAS to OPeNDAP?

Slide 24: Attribute-based Authorization

Slide 25: Question
- Current status: if a gateway is down, the user cannot access ESG infrastructure
- Requirement: 24-48 hours of down time is acceptable
- What does the single sign on solution buy?

Slide 26: Attributes and Authorization
- Two types of attributes: VO and Site attributes
  - Maybe distinguish VO-Gateway attributes? Is the distinction needed for ESG?
  - VO attributes important with non-ESG IdP
- Attribute service options
  - Centralized, Gateway, VO level?
- Attribute retrieval options:
  - Push site attributes with authentication
  - Pull VO attributes post-authentication
  - Pull VO attributes during authorization

Slide 27: Attributes and Domains (diagram)
Domains: Client's Domain, Gateway's Domain, VO's Domain.
Components and their attributes: Client; Site IdP (IdP Attr: openID, password, affiliation); Gateway (Gateway Attr: group, role); ESG-VO Svcs (VO Attr: group, role).

Slide 28: Attributes
- October test-bed target:
  - Only site attributes
  - Attribute store with IdP
  - Push site attributes with authentication
    - OpenID and MyProxy allow for that
- Post-test bed
  - Define transition path to include external IdPs and VO attributes

Slide 29: Attributes and Authorization
- SAML Attribute format
  - Signed SAML Assertions with Attribute Statements
  - Can be independently sent on the wire
  - OpenSAML, open source library for SAML processing
- Configuration of attribute release policy

Slide 30: Attributes and Authorization
- Push attributes as a part of authentication
  - OpenID protocol allows push of attributes
  - MyProxy Online CA can embed attributes in issued certificates
- SAML Attribute format
  - Signed SAML Assertions with Attribute Statements
  - Can be independently sent on the wire
  - OpenSAML, open source library for SAML processing

Slide 31: Gateway Integration: SSO & Attributes
- Attribute Provider
  - Remote interface to pull down attributes
  - SAML Attribute Query Interface?
- PKI SSO
  - Integrate to pull attributes from site attribute provider
  - Embed in certificate
    - SAML attribute assertion or X509 attribute cert?
- Web SSO
  - Pull from site attribute provider
  - Interface in OpenID4Java to call out to attribute provider
    - SAML?

Slide 32: Gateway Integration: SSO & Attributes (build of slide 31; repeats its PKI SSO and Web SSO items)

Slide 33: Gateway Integration: Open Issues
- VO attributes
  - Either if external IdPs are used, or used in addition to site attributes
  - Attribute service hosted by gateways
  - Central ESG-VO attributes and attribute service?
  - SPs pull down attributes from Attribute Service
- Configuration of attribute release policy?
  - Not required if IdP is set up for ESG use only
    - VO membership of SPs is an implicit white-list

Slide 34: Service Providers and Attributes
- Product services SP:
  - Only relevant in the direct access use case
  - Might have to push attributes through to back end applications
- Other SPs:
  - Relevant for authorization filters only

Slide 35: Attributes and Authorization
- Authorization policy
  - Centralized policy, or
  - Per gateway, with only policy on resources owned by the gateway's site, or
  - Combination of both?
- Centralized policy
  - Replicate to gateway
- Partitioned policy
  - Gateway stores policy only about the resources it owns
  - Does this improve reliability?

Slide 36: Attributes and Authorization
- Authorization policy
  - How is it implemented today?

Slide 37: Attributes and Authorization
- Authorization service interface for remote access
  - Web services? Protocol needed?
- Configuration for trusted authorization service(s) in application callbacks
  - Endpoint of service
  - Identity of service
  - Trusted certificate

Slide 38: Service Providers and Authorization
- Gateway Integration
  - Acegi filter to call back to authorization service (embedded?)
- Data node Integration
  - Callback to authorization service
  - Do we need to push attributes?
  - GridFTP authorization callout can be used
- Product services Integration
  - Access through portal
    - Token based authorization
  - Direct user access
    - Not relevant for now
    - Define transition path for post-test bed
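An added example, not ESG code, that ties together the signed attribute push of slides 28-30 and the partitioned authorization policy of slides 35-38: a site attribute service signs a statement carrying the group/role attributes of slide 27, the SP-side filter accepts it only from a trusted issuer with a valid unexpired signature, and the gateway's policy answers permit, deny, or not-owned for resources whose policy lives at another gateway. The slides call for signed SAML assertions; here an HMAC over a canonical JSON statement stands in for the XML signature so the block runs on the standard library alone, and all keys, hosts and paths are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed keys of the site attribute services this SP trusts (hypothetical hosts).
# HMAC replaces the SAML XML signature of the slides so the example needs no XML library.
TRUSTED_ATTRIBUTE_SERVICES = {"attrsvc.gateway-a.example.org": b"constructed-key-a"}

# Partitioned policy: this gateway holds policy only for the resources it owns
# (constructed sample; group and role are the gateway attributes of slide 27).
GATEWAY_POLICY = {
    "/data/cmip/run1": {"group": "cmip", "roles": {"reader", "publisher"}},
}


def _canonical(stmt):
    # Deterministic serialization so signer and verifier hash identical bytes.
    return json.dumps(stmt, sort_keys=True, separators=(",", ":")).encode()


def sign_attribute_statement(issuer, key, subject, attributes, issued_at, ttl=3600):
    """Attribute service side: build and sign the statement pushed with authentication."""
    stmt = {"issuer": issuer, "subject": subject, "attributes": attributes,
            "issued": issued_at, "expires": issued_at + ttl}
    sig = hmac.new(key, _canonical(stmt), hashlib.sha256).hexdigest()
    return {"statement": stmt, "sig": sig}


def verify_attribute_statement(pushed, now):
    """SP side: accept only a trusted issuer with a valid, unexpired signature; else None."""
    stmt = pushed["statement"]
    key = TRUSTED_ATTRIBUTE_SERVICES.get(stmt.get("issuer"))
    if key is None:
        return None
    expected = hmac.new(key, _canonical(stmt), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, pushed["sig"]):
        return None
    if now >= stmt["expires"]:
        return None
    return stmt


def authorize(pushed, resource, now):
    """Decision: 'permit', 'deny', or 'not-owned' (policy is held by another gateway)."""
    stmt = verify_attribute_statement(pushed, now)
    if stmt is None:
        return "deny"
    rule = GATEWAY_POLICY.get(resource)
    if rule is None:
        return "not-owned"
    attrs = stmt["attributes"]
    if attrs.get("group") == rule["group"] and attrs.get("role") in rule["roles"]:
        return "permit"
    return "deny"
```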

Slide 39: Security Configuration for Deployment
- OpenID Identity Providers:
  - Attribute service endpoint
  - White-list of SPs
- OpenID Service Providers:
  - White-list of IdPs
  - Authorization (and Attribute) service endpoints
- MyProxy server:
  - CA and CRLs
  - Attribute service endpoint
- PKI Service Providers:
  - MyProxy server endpoint
  - CA and CRLs
  - Authorization service endpoints
- PKI Clients:
  - MyProxy server endpoint and bootstrap trust-root
  - VO's CAs and CRLs

Slide 40: Attribute and Metadata Replication Breakout Session

Slide 41: Attribute and metadata replication
- Metadata replication service
  - Search metadata replication
    - If gateway serves multiple VOs
  - No replication
    - Remote query
    - Performance issues
    - Partial search results
  - Database based replication
    - No gateway dependency
    - Replication Service (ISI)

Slide 42: Attribute and metadata replication
- Security metadata
  - Replicate user membership and resource authz policies
  - Metrics reporting issues
  - Exchange all information except user credentials
  - Explore JMS as solution
  - Event driven system
  - Transaction based system
  - Eliminates gateway dependency

