Federated Access to Grids. Daniel Kouřil, Sam Hartman, Josh Howlett, Jens Jensen, Michal Procházka. EGI User Forum 2011.

Presentation transcript:


Identity federation
Goal: to allow users in one organisation to access resources in another, using their home credentials. This requires additional infrastructure, trust and policy; the whole is often known as a “federation”.
Significant benefits for users, identity providers and service providers:
– Makes it easier for identity providers to adhere to data protection legislation.
– SSO reduces the helpdesk burden for identity and service providers.
– Simpler credentials management (which also poses new problems).
Several identity federations exist nowadays.

Project Moonshot
Using federated identity in a broad range of non-web environments.
Authentication and attribute management are done on the IdP.
Targets commonly deployed services:
– Mail, file stores, remote access, instant messaging, …
– Also a focus on clouds, grids, HPC, …
Built on tested and proven components:
– EAP, RADIUS, SAML, GSS-API
– Strong focus on standardization

Moonshot Architecture

Moonshot project
Started in Spring 2010, led by JANET (UK); co-funded by GÉANT and JANET.
Basic cornerstone(s) delivered recently; basic developer/deployer docs available.
Several applications “moonshot’ed”:
– Jabber server/client, OpenLDAP, OpenSSH
– Apache, Firefox
– MyProxy
– With no or minimal changes to the code base

IETF Standardization
Application Bridging for Federated Access Beyond web (ABFAB) WG: “… a federated mechanism for use by other Internet protocols not based on HTML/HTTP …”
Several IETF drafts under development:
– Use-cases, architecture, missing technology
Standards to be delivered by Dec 2011.

Moonshot opportunities for Grids
Easier access to the infrastructure for users:
– no need to obtain PKI credentials in advance (transparent conversions)
– using “friendly” credentials (native federated authN)
Simpler VO establishment and management:
– based (at least partly) on users’ “home” attributes
– attractive for small (starting) VOs
(Pseudo)anonymity

Moonshoting MyProxy
A matter of configuration and tiny code changes:
– Not Moonshot-specific, hopefully fixed in mainstream
Both CA and repository mode supported:
– Attributes can be added to the X.509 certificate
Grid credentials can be obtained using federated identity:
myproxy-logon -l -s server -n

Future moonshoting: L&B
L&B is a job monitoring service collecting information about jobs.
Its security layer is written using GSS-API:
– Easy transition to other security mechanisms
No PKI needed to access a moonshot-enabled L&B.
User mapping needed (not done yet).

Identity Federation: Federated Access (diagram)
Org 1 and Org 2 users hold “home” credentials (e.g., passwords); MyProxy issues “grid” credentials (X.509); resources of Org1 and Org2 (CE, SE, ...): SSH, NFSv4, L&B, WMS, CREAM.
Allow access from Org1 and Org2:
– Users’ passwords are NOT exposed to the services
– Users don’t need new credentials
– Authorization rules can utilize users’ “home” attributes
– Information about users is up to date
– Users do not need to register in advance
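The flow summarised in that diagram, written here as an added Python model (not Moonshot's, MyProxy's or L&B's code): the service acts as RADIUS client and only relays opaque EAP messages, the home IdP checks the password and returns a session key plus attributes, and the service authorizes on a “home” attribute. The HMAC challenge-response stands in for a real EAP method, and the user database, VO URN and use of eduPersonEntitlement for VO membership are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample IdP database for the home organisation (not real data).
IDP_USERS = {
    "alice": {"password": b"correct horse", "attrs": {"eduPersonEntitlement": "urn:demo:vo:alpha"}},
}

class IdentityProvider:
    """Home IdP: terminates EAP, checks the password, releases attributes."""
    def __init__(self, users):
        self.users = users
        self.pending = {}
    def eap_challenge(self, user):          # EAP Request carrying a fresh nonce
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce
    def eap_verify(self, user, response):   # EAP Response is checked here, never at the service
        entry = self.users.get(user)
        nonce = self.pending.pop(user, None)
        if entry is None or nonce is None:
            return None
        expected = hmac.new(entry["password"], nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return None
        msk = hashlib.sha256(b"msk|" + expected).digest()   # EAP Master Session Key
        return {"msk": msk, "attrs": dict(entry["attrs"])}   # Access-Accept + SAML attributes

class Client:
    def __init__(self, user, password):
        self.user, self.password = user, password
    def eap_response(self, nonce):          # proof of the password, not the password itself
        return hmac.new(self.password, nonce, hashlib.sha256).digest()

class GridService:
    """Relying party (e.g. MyProxy or L&B) as RADIUS client; relays EAP opaquely."""
    def __init__(self, idp, required_vo):
        self.idp, self.required_vo, self.observed = idp, required_vo, []
    def authenticate(self, client):
        nonce = self.idp.eap_challenge(client.user)
        response = client.eap_response(nonce)
        self.observed.extend([nonce, response])  # everything the service ever sees
        result = self.idp.eap_verify(client.user, response)
        if result is None:
            return None
        # Authorization on "home" attributes released by the IdP; no prior registration.
        if result["attrs"].get("eduPersonEntitlement") != self.required_vo:
            return None
        return result["msk"]  # keys the GSS-EAP security context in a real deployment
    def saw_secret(self, secret):           # did the password ever reach the service?
        return any(secret in blob for blob in self.observed)
```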

Questions?