EMI Development Plans for Identity Management
Henri Mikkonen / HIP
Moonshot, Grid and HPC Workshop, 7.7.2011, London, UK
EMI INFSO-RI
Content
- Motivation
  - Questionnaires to potential customers
  - AAI use cases
- Technology
  - Introduction to WS-Trust
  - WS-Trust interoperability & token profiles
- Implementation
  - Security Token Service (STS)
07/07/2011, Henri Mikkonen, Moonshot, Grid and HPC Workshop

Background
- "AAI needs of the DCIs" workshop, held at the EGI Technical Forum (September 2010) [1]
- Questionnaires for projects crossing national boundaries and for NGIs:
  - 3 user communities: Biomed, Earth Sciences, HEP
  - 5 ESFRI projects: CLARIN, Lifewatch, ELIXIR, EuroFEL, ILL
  - 2 NGIs: Italy, U.K.

Results of the questionnaire [2]
- Grid users do not want to handle credentials themselves
- Grid users would like to obtain X.509 credentials and VOMS attributes from other credentials, and vice versa
- Projects would like to use federated identities
- Projects recognize that both national and international identity federations will become more important
- User identities and actions on a Grid should be protected (anonymized)
- Projects realize that access to the majority of Grid infrastructures requires, and will continue to require, X.509 credentials

AAI use cases [2]
Use case | Description | Status
1 | X.509 issuance based on AAI (another security domain) | "Solved" (but needs improvement!)
2 | AAI-enabled portals to Grid infrastructures | Solutions exist; SAML delegation is new
3 | AAI-enabled Grid information portals | Low priority
4 | Security Token Service | New, general-purpose service, high priority
5 | Use of AAI attributes in Grid | Interesting, potentially very important
6 | VO registration using AAI (identity vetting) | Low priority

WS-Trust specification [3]
- Builds on the WS-Security specification
  - Methods for issuing, renewing, validating and cancelling security tokens
  - Brokering of trust relationships
- Security token: a collection of statements (claims) about a user or resource
  - X.509 certificate, SAML assertion, Kerberos ticket, username/password, ...
- Security Token Service (STS): a service used to issue, renew, validate and cancel tokens

WS-Trust schema fragment (1/2): RequestSecurityToken (RST)
The actual content model is non-deterministic, hence a wildcard; the slide shows the intended content model (the schema fragment itself is not reproduced in the transcript).

WS-Trust schema fragment (2/2): RequestSecurityTokenResponse (RSTR)
The actual content model is non-deterministic, hence a wildcard; the slide shows the intended content model (the schema fragment itself is not reproduced in the transcript).

WS-Trust profiles [4]
- The specification provides an open content model for messages
  - Maximal extensibility, but in theory an infinite number of messages can be compliant
  - Profiles need to be defined to achieve interoperability
- This effort was already started by Chad La Joie in the EGEE-III project
  - WS-Trust interoperability profile
  - Token-specific profiles (X.509, SAML, Username)

WS-Trust interoperability profile
- Base protocol requirements
  - SOAP binding, common message-format requirements and processing rules
- Operation-specific requirements
- Also profiles for:
  - XML Signature
  - XML Encryption
  - Proof of key possession
  - Message security (integrity / confidentiality)

STS functionality overview
- Authenticates and "authorizes" users based on security tokens
- Transforms the security token into another security token
- Aggregates required information from external sources
- Establishes a trust relationship between different application domains

STS Example Use Case – SAML to X.509 (1/2)

STS Example Use Case – SAML to X.509 (2/2)
(Diagram slides; only the titles survive in the transcript.)

STS Implementation Plan (1/2)
- The first version will support the ISSUE operation
- Supported inbound tokens (used for user authentication):
  - X.509, X.509 proxy, SAML, Kerberos
- Supported outbound tokens:
  - X.509, using an external online CA
  - X.509 proxy, exploiting VOMS
  - SAML

STS Implementation Plan (2/2)
- Implementation is based on the upcoming Shibboleth IdP and OpenWS/SAML v3 (Shib3)
  - Existing building blocks for the service:
    - Authentication Engine API
    - Attribute Authority
  - Required extensions:
    - WS-Trust profile handler
    - Authentication Engine plug-ins for inbound tokens
    - Token Authority for outbound tokens
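The RST/RSTR exchange and the STS Issue operation described on the WS-Trust, profile and implementation-plan slides, as an added example; it is not code from the slides or from the EMI STS implementation. The namespace and token-type URIs are the real WS-Trust 1.3, WS-Security and SAML 2.0 identifiers. Everything else is an assumption made for the example: the constructed, unsigned SAML assertion, the issuer allowlist that stands in for XML-signature verification, the supported-token table, the 12-hour lifetime, the placeholder X.509 content, and the minimum-content check (RequestType and TokenType present), which illustrates the kind of constraint an interoperability profile imposes rather than the text of the EGEE-III profile.

```python
# Added example (not EMI project code): a WS-Trust 1.3 Issue exchange between
# a client and a minimal STS, standard library only. Assumed, not from the
# slides: the unsigned constructed SAML assertion, the issuer allowlist standing
# in for signature checks, the token table, lifetime and placeholder X.509 content.
import datetime as dt
import xml.etree.ElementTree as ET

# Namespace and token-type URIs from the WS-Trust 1.3, WSS and SAML 2.0 standards.
SOAP = "http://www.w3.org/2003/05/soap-envelope"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ISSUE = WST + "/Issue"  # wst:RequestType value for the Issue binding
TT_SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
TT_X509 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
for _p, _u in (("soap", SOAP), ("wst", WST), ("wsu", WSU), ("wsse", WSSE), ("saml2", SAML2)):
    ET.register_namespace(_p, _u)

TRUSTED_ISSUERS = {"https://idp.example.org/idp"}  # assumed STS policy
SUPPORTED_OUTBOUND = {TT_X509, TT_SAML2}           # assumed STS policy
TOKEN_LIFETIME = dt.timedelta(hours=12)             # assumed STS policy


def q(ns, local):
    return "{%s}%s" % (ns, local)


def iso(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_iso(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


class WstFault(Exception):
    """Carries one of the wst: fault codes defined by WS-Trust 1.3."""


def constructed_saml_assertion(issuer, subject, not_on_or_after):
    """Constructed, unsigned SAML 2.0 assertion (inbound token or SAML outbound token)."""
    a = ET.Element(q(SAML2, "Assertion"), {"Version": "2.0", "ID": "_a1"})
    ET.SubElement(a, q(SAML2, "Issuer")).text = issuer
    ET.SubElement(ET.SubElement(a, q(SAML2, "Subject")), q(SAML2, "NameID")).text = subject
    ET.SubElement(a, q(SAML2, "Conditions"), {"NotOnOrAfter": iso(not_on_or_after)})
    return a


def build_rst(inbound_token, requested_type):
    """Client: RST for the Issue binding; the inbound token rides in the wsse:Security header."""
    env = ET.Element(q(SOAP, "Envelope"))
    ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security")).append(inbound_token)
    rst = ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = requested_type
    return ET.tostring(env)


def authenticate_saml(sec, now):
    """STS: authentication-engine plug-in for SAML inbound tokens (assumed logic).
    A real plug-in verifies the XML signature; an issuer allowlist stands in here."""
    a = sec.find(q(SAML2, "Assertion")) if sec is not None else None
    if a is None or a.findtext(q(SAML2, "Issuer")) not in TRUSTED_ISSUERS:
        raise WstFault("wst:FailedAuthentication")
    cond = a.find(q(SAML2, "Conditions"))
    exp = cond.get("NotOnOrAfter") if cond is not None else None
    if exp is None or now >= parse_iso(exp):  # expired or unbounded assertion
        raise WstFault("wst:FailedAuthentication")
    return a.findtext(q(SAML2, "Subject") + "/" + q(SAML2, "NameID"))


def sts_issue(rst_bytes, now):
    """STS: Issue operation; authenticate the inbound token, then transform it."""
    env = ET.fromstring(rst_bytes)
    rst = env.find(q(SOAP, "Body") + "/" + q(WST, "RequestSecurityToken"))
    if rst is None or rst.findtext(q(WST, "RequestType")) != ISSUE:
        raise WstFault("wst:InvalidRequest")  # profile-style minimum-content check
    requested = rst.findtext(q(WST, "TokenType"))
    if requested not in SUPPORTED_OUTBOUND:
        raise WstFault("wst:RequestFailed")
    subject = authenticate_saml(env.find(q(SOAP, "Header") + "/" + q(WSSE, "Security")), now)
    out = ET.Element(q(SOAP, "Envelope"))
    coll = ET.SubElement(ET.SubElement(out, q(SOAP, "Body")), q(WST, "RequestSecurityTokenResponseCollection"))
    rstr = ET.SubElement(coll, q(WST, "RequestSecurityTokenResponse"))
    ET.SubElement(rstr, q(WST, "TokenType")).text = requested
    life = ET.SubElement(rstr, q(WST, "Lifetime"))
    ET.SubElement(life, q(WSU, "Created")).text = iso(now)
    ET.SubElement(life, q(WSU, "Expires")).text = iso(now + TOKEN_LIFETIME)
    tok = ET.SubElement(rstr, q(WST, "RequestedSecurityToken"))
    if requested == TT_X509:
        # Placeholder content: per the plan the real STS obtains X.509 from an online CA.
        bst = ET.SubElement(tok, q(WSSE, "BinarySecurityToken"), {"ValueType": TT_X509})
        bst.text = "BASE64-DER-CERT-FOR:" + subject
    else:
        tok.append(constructed_saml_assertion("https://sts.example.org", subject, now + TOKEN_LIFETIME))
    return ET.tostring(out)


def parse_rstr(rstr_bytes, now):
    """Client: reject a token whose wst:Lifetime is already over, else return it."""
    rstr = ET.fromstring(rstr_bytes).find(".//" + q(WST, "RequestSecurityTokenResponse"))
    expires = parse_iso(rstr.findtext(q(WST, "Lifetime") + "/" + q(WSU, "Expires")))
    if now >= expires:
        raise WstFault("wst:ExpiredData")
    token = rstr.find(q(WST, "RequestedSecurityToken"))[0]
    return {"token_type": rstr.findtext(q(WST, "TokenType")), "expires": expires, "token": token}


def run_exchange(hours_offset=0, requested_type=TT_X509):
    """Whole exchange at 2011-07-07T12:00Z (+offset) with an inbound assertion valid until 13:00Z."""
    now = dt.datetime(2011, 7, 7, 12, 0, tzinfo=dt.timezone.utc) + dt.timedelta(hours=hours_offset)
    assertion = constructed_saml_assertion("https://idp.example.org/idp", "alice@example.org",
                                           dt.datetime(2011, 7, 7, 13, 0, tzinfo=dt.timezone.utc))
    return parse_rstr(sts_issue(build_rst(assertion, requested_type), now), now)
```

`run_exchange()` walks the SAML-to-X.509 path of the use-case slides; `run_exchange(requested_type=TT_SAML2)` returns a SAML outbound token, and `run_exchange(hours_offset=2)` fails with wst:FailedAuthentication because the inbound assertion has expired. The one thing this toy deliberately does not do is the part that makes a real STS safe: without verifying the assertion's XML signature against the IdP's key, the issuer allowlist is worthless, since anyone can write an Issuer element. The same applies to the X.509 inbound plug-ins, which must validate the chain and, for proxies, the proxy policy, before any VOMS attributes are trusted.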

References
[1] EGI TF 2010: AAI needs of the DCIs
[2] EMI AAI Working Group
[3] OASIS Standard: WS-Trust 1.3
[4] Chad La Joie / SWITCH: WS-Trust 1.3 Interoperability profile

EMI is partially funded by the European Commission under Grant Agreement RI
Thank you!