National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.


Federated Login to TeraGrid
Jim Basney, Terry Fleury, Jon Siwek, Von Welch
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign
This material is based upon work supported by the National Science Foundation under Grant No

Work Previously Presented
- Jim Basney, Terry Fleury, and Von Welch, "Federated Login to TeraGrid," 9th Symposium on Identity and Trust on the Internet (IDtrust 2010), Gaithersburg, MD, April

Goal
- Enable researchers to use the authentication method of their home organization for access to TeraGrid
  - Researchers don't need to use TeraGrid-specific credentials
  - Avoid distribution of TeraGrid-specific passwords
  - Avoid TeraGrid password reset requests
- Better integrate TeraGrid with campus resources
  - Provision TeraGrid resources according to campus-based identity vetting and authorization

Challenges
- Support TeraGrid usage models
  - Interactive browser and command-line access
  - Multi-stage, unattended batch workflows
- Establish trust among campuses, TeraGrid members, and peer grids (OSG, EGEE)

TeraGrid Allocations
- Resources allocated by peer review
- Project principal investigators add user accounts via the User Portal
- Central Database (TGCDB) contains records for all users
- TeraGrid-wide username and password assigned to every user

TeraGrid Single Sign-On (diagram slide; no transcript text)

TeraGrid PKI
- TeraGrid PKI consists of CAs operated by TeraGrid member institutions and other partners
- TeraGrid resource providers trust a consistent set of CAs
  - Provides a consistent experience for users
  - Determined by consensus through the Security Working Group
- CAs accredited by the International Grid Trust Federation (IGTF)

InCommon Federation
- InCommon facilitates use of campus identity with external service providers
  - By supporting adoption of standard mechanisms and policies
  - By distributing metadata that identifies members
- Uses SAML Web Browser Single Sign-On protocols
  - Shibboleth implementation from Internet2
  - Works well for browser-based applications, but not for command-line or batch workflows
- InCommon represents >200 institutions (>4m users)
- Of 38 institutions with over 50 TG users, 24 (67%) are currently InCommon members

InCommon Federation (diagram slide; no transcript text)

Our Approach
- Account Linking
  - Bind the researcher's campus identity (conveyed via InCommon/SAML) to his/her existing TeraGrid identity (TGCDB)
    - InCommon motivates our use of SAML
  - Rely on the existing TeraGrid allocations process for identity vetting and authorization
  - Rely on campus for authentication of a persistent user identifier
- Credential Translation
  - Convert from a browser-based (SAML) credential to a certificate for command-line, workflow, and batch processes
  - Deliver certificate to desktop and web session
  - Rely on the existing TeraGrid PKI
    - Adding a new certificate authority

Our Approach (diagram slide; no transcript text)

User Experience (screenshot slide; no transcript text)

User Experience (one-time only) (screenshot slide; no transcript text)

TeraGrid Federated Login System (diagram slide; no transcript text)

Trust Establishment
- Campus and InCommon
- TeraGrid PKI

Trust Establishment Process: Campus
- Join the InCommon Federation
- Add service provider to InCommon metadata
- Request identity providers to release identity information (a manual, campus-by-campus process)
  - Some released identifiers automatically to all InCommon members
  - Some released identifiers on request
  - Some required local sponsorship and review
- Current status:
  - Targeted 38 campuses with over 50 TeraGrid users
  - 24 (67%) are InCommon members
  - 17 (of the 24) successfully federated to date
  - 13 additional campuses federated outside the target list

Trust Establishment Process: PKI
- Publish Certificate Policy and Certification Practices Statement (CP/CPS) according to RFC 3647
- Present CA to regional IGTF policy management authority – The Americas Grid PMA (TAGPMA)
- Checklist-based review by TAGPMA of CA's policies and operations
- Vote for acceptance by TAGPMA members
- Current status:
  - Submitted to TAGPMA (March 2009)
  - Approved by TAGPMA (May 2009)
  - Added to TeraGrid CA distribution (May 2009)
  - CA certificate included in TERENA Academic CA Repository (TACAR)

Security Considerations (section title slide)

Security Considerations
- Changes to TeraGrid trust architecture
  - Adding InCommon identity providers as trusted entities
  - Adding web authentication as a trusted method
- Peering with identity providers (IdPs)
  - IdP decides whether to release identifiers to TeraGrid
  - TeraGrid decides whether to accept IdP assertions; review includes:
    - IdP serves TeraGrid users
    - IdP is operated by a known and respected organization
    - IdP operates a trustworthy authentication service
    - IdP provides globally-unique and non-reassigned identifiers

Security Considerations
- Web application security
  - Use HTTPS for privacy and authentication
  - Cross-Site Request Forgery (CSRF) attack protections (cookies and hidden form fields)
  - Locked down servers (firewalls, OTP for admin access, etc.)
- CA security
  - FIPS 140 level 2 rated hardware security modules
  - Locked down servers
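The slide's CSRF protection ("cookies and hidden form fields") pairs the session cookie with a hidden form token that only the server can derive from it. The following is an added illustration, not code from the TeraGrid federated login system; the secret, the handler and the form field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed secret for this example; a real deployment loads it from
# protected configuration, never from source code.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_session_id() -> str:
    """Random session id stored in the (HttpOnly, Secure) session cookie."""
    return secrets.token_urlsafe(32)


def csrf_token_for(session_id: str) -> str:
    """Hidden form field value: an HMAC of the session cookie under a server key.

    A cross-site page can make the browser send the cookie, but it cannot read
    the cookie or compute this HMAC, so it cannot supply a matching field.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_csrf_valid(cookie_session: Optional[str], form_token: Optional[str]) -> bool:
    """Accept a state-changing POST only when the hidden field matches the cookie."""
    if not cookie_session or not form_token:
        return False
    expected = csrf_token_for(cookie_session)
    # Constant-time comparison over bytes (str compare_digest rejects non-ASCII).
    return hmac.compare_digest(expected.encode(), form_token.encode())


def handle_link_post(cookies: dict, form: dict) -> str:
    """Hypothetical handler for the account-linking POST (constructed here)."""
    if not is_csrf_valid(cookies.get("session"), form.get("csrf_token")):
        return "403 CSRF check failed"
    return "200 link created for " + form.get("tg_username", "<unknown>")
```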

Security Considerations
- Disallowing account sharing
  - Account sharing complicates incident response
  - Allow only one identifier per identity provider to be linked with a given TeraGrid identity
- Incident response
  - Actions may include:
    - Disable account links
    - Disable identity provider trust
    - Revoke certificates
  - Coordinate response with TeraGrid security working group, InCommon, and IGTF
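The one-identifier-per-IdP rule and the first two incident-response actions (disable account links, disable identity provider trust) can be captured in a small link registry. This is an added example written for this page, not the TeraGrid implementation; the registry class, its method names and the IdP entity ids are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LinkKey = Tuple[str, str]  # (identity provider entity id, campus identifier)


@dataclass
class LinkRegistry:
    """Hypothetical account-link store (constructed for this example)."""
    trusted_idps: Set[str] = field(default_factory=set)
    links: Dict[LinkKey, str] = field(default_factory=dict)  # key -> TeraGrid username
    disabled_links: Set[LinkKey] = field(default_factory=set)

    def link(self, idp: str, identifier: str, tg_username: str) -> None:
        """Bind a campus identifier to an existing TeraGrid identity."""
        if idp not in self.trusted_idps:
            raise PermissionError(f"{idp} is not a trusted identity provider")
        # Anti-sharing rule: at most one identifier per IdP per TeraGrid identity.
        for (linked_idp, linked_id), user in self.links.items():
            if user == tg_username and linked_idp == idp and linked_id != identifier:
                raise ValueError(
                    f"{tg_username} is already linked to {linked_id} at {idp}")
        self.links[(idp, identifier)] = tg_username

    def resolve_login(self, idp: str, identifier: str) -> Optional[str]:
        """Map a federated login to a TeraGrid username; None means refuse."""
        key = (idp, identifier)
        if idp not in self.trusted_idps or key in self.disabled_links:
            return None
        return self.links.get(key)

    # Incident-response actions named on the slide.
    def disable_link(self, idp: str, identifier: str) -> None:
        """Disable one account link without touching the rest of the IdP."""
        self.disabled_links.add((idp, identifier))

    def disable_idp_trust(self, idp: str) -> None:
        """Stop accepting assertions from an IdP; every link through it stops working."""
        self.trusted_idps.discard(idp)
```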

Related Work
- Federated CAs (some accredited by IGTF) in Europe:
  - Switzerland: SWITCH SLCS CA for SWITCHaai federation
  - Germany: DFN-SLCS CA for DFN-AAI federation
  - UK: SARoNGS Credential Translation Service for UK Access Management federation
  - TERENA Certificate Service for national federations (Denmark, Finland, Netherlands, Norway, Sweden, and more)
- TeraGrid Science Gateways
  - Web-based community access to TeraGrid resources
  - Gateways manage their own user registration and authentication
  - May independently support federated login

Status
- Available at since Sep 2009
- Supporting logins from >30 institutions
- Issued >1000 certificates so far
- Work in progress:
  - Integrate with TeraGrid User Portal (
  - CILogon Project (
    - Provide certificates to all InCommon members (not just TeraGrid users)
- Other possible future work for TeraGrid:
  - Phase out TeraGrid passwords
  - Attribute-based authorization
  - Support for OpenID

Questions? Comments?
Contact:
Thanks!