Presentation is loading. Please wait.

Presentation is loading. Please wait.

INFSO-RI-031688 Enabling Grids for E-sciencE - II www.eu-egee.org VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007.

Published byBryan Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "INFSO-RI-031688 Enabling Grids for E-sciencE - II www.eu-egee.org VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007."— Presentation transcript:

1 INFSO-RI-031688 Enabling Grids for E-sciencE - II www.eu-egee.org VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007

2 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 2 Motivation Shibboleth: Grid, yet another resource? –highly attractive (typically for academia) –*but* ‘resource’ protected by different authN/authZ concepts and mechanisms Grid: get/use authZ information from authoritative sources outside of the grid-universe –permitting more granular authorization –decouple management & maintenance responsibilities –common understanding of semantics of authZ info (open issue) Common to both: leverage of existing identity management and allow easy access to grid ‘resource’

3 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 3 Grid, yet another Shib resource? Phase 1: SLCS service 2.authN 3.handle 4. SAML attributes 1. ‘access’ SAML attributes

4 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 4 SLCS Service (Status) Presented in Abingdon CP/CPS accredited –Accredited by EuGridPMA –http://www.switch.ch/pki/gridhttp://www.switch.ch/pki/grid Operation of SLCS TEST CA in test-bed since November –http://www.switch.ch/pki/grid/testhttp://www.switch.ch/pki/grid/test Production infrastructure ready (Online CA, HSM) Admin interface finished –User management (ACL based activation of users etc.) MJRA1.4 document: https://edms.cern.ch/document/770102/1 https://edms.cern.ch/document/770102/1 Todo’s : finish documentation, ETICS integration CP/CPS: Certificate Policy and Certification Practice Statement

5 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 5 SWITCHslcs: CA Setup

6 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 6 SLCS Admin

7 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 7 Consolidation of authZ info Grid: get/use authZ information from authoritative sources outside of the grid-universe –permitting more granular authorization –decouple management & maintenance responsibilities –common understanding of semantics of authZ info (open issue) Consolidate/integrate authZ information provided by different sources (IdPs) –transparent integration of authZ info from ‘non-Grid’ authorization information providers –alternative; explicit awareness of grid resource for external authZ information. –feature since VOMS 1.7.10 permitting to define attributes besides user/role/group concept

8 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 8 VOMS Attributes from Shibboleth Scenario. User already registered on VOMS Note: not anymore Shibboleth attributes, but VOMS attributes ? access visit SAML attributes LCAS Plug-in

9 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 9 VASH Service

10 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 10 VASH Key Features transparent integration of Shibboleth attributes in Grid (as VOMS attributes) no changes on existing Grid code…just add plug-ins decoupled administrative domains from point of view of Shibboleth, VASH is just another service (web resource) identity mapping done by user (low admin. burden) no IGTF certificates on Shibboleth IdP no performance penalties Notice: everything VASH puts on VOMS, VASH does also maintain

11 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 11 VASH Tasks push Shibboleth attributes to VOMS enforce Shibboleth and VOMS conform security standards. enforce up-to-date attributes on VOMS (expiration of records) inform users auditing (to a certain degree) defines set of Shibboleth attributes that can be pushed provide administration facilities ease usage of SLCS certificates (not a task but a goody) Open: SLCS pre-registration feature (work in progress) conversion of attribute names (for common understanding)

12 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 12 VASH Service Detailed

13 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 13 VASH Viewer Servlet

14 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 14 VASH Admin interface(1)

15 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 15 VASH Admin interface(2)

16 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 16 VASH Admin interface(3)

17 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 17 LCAS Plug-in – LCAS plug-in written; currently testing it – ACL xml file – todo: documentation Example: bigBoss master studies unizh.ch staff

18 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 18 Status Software implementation done, – integration of ‘existing’ SLCS admin features to be done – improve look’n’feel (strutifying viewer servlet) finish testing finish documentation ETICS MJRA1.5 document: https://edms.cern.ch/document/807849/1 https://edms.cern.ch/document/807849/1

19 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 19 Questions?

20 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 20 Attributes sent to VASH swissEduPersonUniqueID: 12343@flury.switch.ch12343@flury.switch.ch Surname: Flury givenName: Placi E-mail: flury@switch.chflury@switch.ch swissEduPersonGender: male swissEduPersonHomeOrganization: ethz.ch telephoneNumber: 012 345 67 89 swissEduPersonStudyBranch1: electrical engineering eduPersonAffiliation: student swissEduPersonStudyLevel: master studies

21 Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 21 Attributes pushed to VOMS Need common understanding of attributes given within a federation but inter-federation access (?) In Grid, interpretation of attribute meaning still open issue. Experience in Shibboleth may promote a consens. swissEduPersonHomeOrganization: ethz.ch swissEduPersonStudyBranch1: electrical engineering eduPersonAffiliation: student swissEduPersonStudyLevel: master studies

Download ppt "INFSO-RI-031688 Enabling Grids for E-sciencE - II www.eu-egee.org VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.

INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.

WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Similar presentations

Ads by Google