VOMS & SAML, Valerio Venturi, MWSG 12, 12-13/6/07


EU project: RIO31844-OMII-EUROPE

OMII-Europe
OMII-Europe is an EU-funded project which has been established to source key software components that can interoperate across several heterogeneous Grid middleware platforms. The emphasis is on the re-engineering of software components rather than on the development of new technology. OMII-Europe will develop a repository of quality-assured Grid services running on these existing major Grid infrastructures.
Components being re-engineered with the relevant standards bodies:
–Job Submission (OGF OGSA-BES WG)
–Database (OGF DAIS WG)
–Virtual Organisation Management (OGF OGSA Authorization WG)
–Accounting (OGF RUS WG)

OMII-Europe JRA1 VOM Activity
OMII-Europe is extending VOMS to support recommendations emerging from the OGF OGSA Authorization WG:
–Web Service
–Using "SAML V2.0 Deployment Profile for X.509 Subjects", OASIS Committee Draft (undergoing public comment)
VOMS is being integrated in UNICORE:
–using the re-engineered service
–UNICORE Job Submission with authorization based on VOMS attributes demonstrated at OGF 20
–Wider integration under way

VOMS SAML Service
Same semantics as the Attribute Certificate based service:
–Using SAML for protocols and assertions
  What was expressed using an RFC 3821 Attribute Certificate is expressed using saml:Assertion elements
  SAML protocol elements are used for the interface
Web Service exposing an operation following "Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0":
–A single operation, AttributeQuery(samlp:AttributeQuery), returns a samlp:Response

VOMS SAML Service
AttributeQuery allows the requestor to specify:
–The subject whose attributes the requestor wants to know
–The attributes requested
Example query:
  Subject: CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT
  Issuer:  CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT
Subject must match Issuer (a subject currently queries only its own attributes)
–Going to provide support for Query (attribute pull mode, third-party request for a Subject's attributes)
In parallel with AC based VOMS, discussing authorization issues

VOMS SAML Service
Response contains:
–An Assertion element (digitally signed)
Example assertion:
  Issuer:  CN=omii002.cnaf.infn.it,L=CNAF,OU=Host,O=INFN,C=IT
  ... signature data ...
  Subject: CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT
  ... binding to subject's X.509 data ...
  http://
(continued on next slide)

VOMS SAML Service (continued)
  /omiieurope
–Issuer
–Subject: Distinguished Name following RFC 2253
–Conditions element sets the duration
–Attribute element contains FQAN and GA
Finalizing attribute naming (more in subsequent slides)
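The query/response exchange described on these slides, as an added example that is not code from the presentation or from VOMS itself: it builds the samlp:AttributeQuery with Python's standard library (Issuer equal to Subject, as the slide requires, with the subject given as an X509SubjectName NameID) and then checks a constructed samlp:Response the way a relying party should before trusting the attributes: Success status, the expected VOMS issuer DN, the expected subject DN, a Conditions lifetime that covers the current time, and the presence of a Signature element. The attribute name `urn:example:voms:fqan`, the sample response and its placeholder signature are assumptions (the slides say the attribute profile is not yet final); verifying the XML signature itself is left to an XML-DSig library.

```python
# Added example (not from the slides or from VOMS): VOMS-style SAML AttributeQuery
# construction and relying-party checks on a samlp:Response.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Assumed attribute name for FQANs; the slides say the VOMS attribute profile is not final.
FQAN_ATTR = "urn:example:voms:fqan"

USER_DN = "CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT"
VOMS_DN = "CN=omii002.cnaf.infn.it,L=CNAF,OU=Host,O=INFN,C=IT"

ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return "{%s}%s" % (ns, tag)


def build_attribute_query(subject_dn, issue_instant, requested=()):
    """AttributeQuery as on the slide: Issuer and Subject carry the same DN (self-query).
    An empty `requested` asks for all of the subject's attributes."""
    query = ET.Element(q(SAMLP, "AttributeQuery"),
                       {"ID": "_q1", "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(query, q(SAML, "Issuer")).text = subject_dn
    subject = ET.SubElement(query, q(SAML, "Subject"))
    ET.SubElement(subject, q(SAML, "NameID"), {"Format": X509_SUBJECT}).text = subject_dn
    for name in requested:
        ET.SubElement(query, q(SAML, "Attribute"), {"Name": name})
    return ET.tostring(query, encoding="unicode")


def parse_instant(text):
    """Parse a SAML UTC timestamp such as 2007-06-12T10:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, expected_issuer, expected_subject, now):
    """Return {attribute name: [values]} from a successful Response whose assertion names
    the expected issuer and subject and is valid at `now`; raise ValueError otherwise.
    Only the presence of ds:Signature is checked here; cryptographic verification of the
    signature must be done with an XML-DSig library before the attributes are used."""
    root = ET.fromstring(xml_text)
    status = root.find("%s/%s" % (q(SAMLP, "Status"), q(SAMLP, "StatusCode")))
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find(q(SAML, "Assertion"))
    if assertion is None or assertion.find(q(DS, "Signature")) is None:
        raise ValueError("missing or unsigned assertion")
    issuer = assertion.findtext(q(SAML, "Issuer"))
    if issuer != expected_issuer:
        raise ValueError("unexpected issuer: %r" % issuer)
    name_id = assertion.find("%s/%s" % (q(SAML, "Subject"), q(SAML, "NameID")))
    if (name_id is None or name_id.get("Format") != X509_SUBJECT
            or name_id.text != expected_subject):
        raise ValueError("subject does not match the expected X.509 subject name")
    cond = assertion.find(q(SAML, "Conditions"))
    if cond is None:
        raise ValueError("assertion has no Conditions, so no lifetime")
    if now < parse_instant(cond.get("NotBefore")) or now >= parse_instant(cond.get("NotOnOrAfter")):
        raise ValueError("assertion not valid at %s" % now.isoformat())
    attrs = {}
    for attr in assertion.iter(q(SAML, "Attribute")):
        attrs[attr.get("Name")] = [v.text for v in attr.findall(q(SAML, "AttributeValue"))]
    return attrs


# Constructed sample response; the signature contents are a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" xmlns:ds="%s"
    ID="_r1" Version="2.0" IssueInstant="2007-06-12T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="%s"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-06-12T10:00:00Z">
    <saml:Issuer>%s</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="%s">%s</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2007-06-12T10:00:00Z" NotOnOrAfter="2007-06-12T22:00:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="%s">
        <saml:AttributeValue>/omiieurope</saml:AttributeValue>
        <saml:AttributeValue>/omiieurope/Role=admin</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""" % (SAMLP, SAML, DS, SUCCESS, VOMS_DN, X509_SUBJECT, USER_DN, FQAN_ATTR)

if __name__ == "__main__":
    print(build_attribute_query(USER_DN, "2007-06-12T10:00:00Z"))
    at = datetime(2007, 6, 12, 12, 0, tzinfo=timezone.utc)
    print(check_response(SAMPLE_RESPONSE, VOMS_DN, USER_DN, at))
```

The order of the checks matters for a relying party: the issuer is compared before anything in the assertion is used, and an assertion without a Conditions element is rejected rather than treated as unlimited, which mirrors the slide's point that Conditions sets the duration of the VOMS attributes.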

VOMS SAML Service
Uses:
–Tomcat: the tested version uses Tomcat's default HTTPS connectors so far; plans to support Tomcat + TrustManager HTTPS in a few weeks
–Axis version 1.4
–OpenSAML version 2.0, supporting SAML V2.0; still a Technology Preview, official release expected soon
Built in ETICS under the OMII-Europe project
Will undergo the OMII-Europe QA process before being made publicly available
Prototype available for testing and internal development in the OMII-Europe Evaluation Infrastructure at CNAF

SAML VOMS Tokens
Attribute Certificates are normally used in conjunction with users' proxy certificates:
–Embedded in an extension of the users' proxies
GridShib is doing the same for SAML assertions:
–Binds an ASN.1 SEQUENCE of elements at a well-known, non-critical X.509 v3 certificate extension
Exploring alternatives:
–WS-Security gives a way to transport security tokens with SOAP messages, in the SOAP Header
  UNICORE OGSA-BES uses WS-Security for the prototype, and UNICORE is planning to use it for VOMS integration
  Supported in the WS-I Basic Security Profile

VOMS SAML Attributes
MUST provide clear indications on how VOMS information is expressed using SAML:
–Going to have a SAML V2.0 VOMS Attributes Profile
Synchronize with others using SAML Attributes:
–NAREGI people posted to the OGSA AuthZ WG: they're using voName, group and role attributes (in their own namespace naregi:vo)
–VASH people are going to face the same problem
–Going to use the XACML profile for SAML Attributes, for interoperability within the OGSA AuthZ WG specs

VOMS SAML FQANs
Expressing FQANs as SAML Attribute elements:
–Natural to use AttributeValue elements with type xsd:string (one AttributeValue per FQAN: "a FQAN", "another FQAN")
–Problems with the SAML specs: going to differentiate FQANs expressing only group information
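The distinction the slide plans to make, FQANs that carry only group membership versus FQANs that also carry a Role or Capability, as an added example that is not code from the presentation or from VOMS: a strict parser for the FQAN string form `/vo[/group...][/Role=role][/Capability=cap]` (the assumed grammar, including the `NULL` qualifier value that older VOMS tools print), followed by a helper that partitions a list of xsd:string AttributeValues into the two kinds. Malformed values (no leading slash, empty path components, qualifiers out of order or repeated, group components after a qualifier) are rejected rather than silently mapped to a group.

```python
# Added example (not from the slides or from VOMS): parse FQAN strings and separate
# group-only FQANs from those carrying a Role/Capability qualifier.
from dataclasses import dataclass
from typing import Optional, Tuple, List

# Assumed grammar: /vo[/group...][/Role=role][/Capability=cap]; "NULL" means "not set".
QUALIFIERS = ("Role", "Capability")


@dataclass(frozen=True)
class FQAN:
    vo: str
    groups: Tuple[str, ...]          # subgroup path under the VO, e.g. ("ops",)
    role: Optional[str]
    capability: Optional[str]

    @property
    def group_path(self) -> str:
        """The membership part of the FQAN, without any qualifier."""
        return "/" + "/".join((self.vo,) + self.groups)

    @property
    def is_group_only(self) -> bool:
        return self.role is None and self.capability is None


def parse_fqan(text: str) -> FQAN:
    """Parse one FQAN string strictly; raise ValueError on anything outside the grammar."""
    if not text.startswith("/") or text != text.strip():
        raise ValueError("FQAN must start with '/' and carry no surrounding whitespace: %r" % text)
    parts = text.split("/")[1:]
    if not parts or any(p == "" for p in parts):
        raise ValueError("empty path component in %r" % text)
    groups: List[str] = []
    found = {}
    for part in parts:
        if "=" in part:
            key, _, value = part.partition("=")
            if key not in QUALIFIERS or key in found or not value:
                raise ValueError("bad qualifier %r in %r" % (part, text))
            if key == "Role" and "Capability" in found:
                raise ValueError("Role must precede Capability in %r" % text)
            found[key] = None if value == "NULL" else value
        else:
            if found:
                raise ValueError("group component after a qualifier in %r" % text)
            groups.append(part)
    if not groups:
        raise ValueError("FQAN has no VO component: %r" % text)
    return FQAN(groups[0], tuple(groups[1:]), found.get("Role"), found.get("Capability"))


def partition_fqans(values) -> Tuple[List[FQAN], List[FQAN]]:
    """Split AttributeValue strings into (group-only FQANs, FQANs with a Role/Capability)."""
    group_only: List[FQAN] = []
    qualified: List[FQAN] = []
    for value in values:
        fqan = parse_fqan(value)
        (group_only if fqan.is_group_only else qualified).append(fqan)
    return group_only, qualified


if __name__ == "__main__":
    # Constructed sample values in the shape of the AttributeValue strings on the slide.
    sample = ["/omiieurope", "/omiieurope/ops", "/omiieurope/ops/Role=admin/Capability=NULL"]
    groups, roles = partition_fqans(sample)
    print("groups:", [g.group_path for g in groups])
    print("roles:", [(r.group_path, r.role) for r in roles])
```

Keeping the two kinds apart before they are mapped to SAML attributes is what makes a later "is this subject a member of group G" check independent of the role qualifiers, and the strict parser ensures a value that does not fit the grammar is never mistaken for a plain group membership.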
