Identity Management, PKI and Grids
Jill Gemmill, PhD, University of Alabama at Birmingham

Acknowledgments
- NSF ANI "NMI Enabled Open Source Collaboration Tools for Virtual Organizations" (Jill Gemmill, John-Paul Robinson)
- N01-LM Advanced Network Infrastructure for Health & Disaster Management (Orthner, Terndrup, Grimes, Gemmill)
- Office of the VPIT and IT Academic Computing
- Von Welch, Tom Scavo (NCSA/UIUC)
- Internet2 MACE and MLIST Working Group members
- Serge Aumont, Olivier Salaun (CRU)
- Members of the MACE-MLIST Working Group

A little background
- UAB has a history of centralized identity management and an early interest in PKI, but today authentication is LDAP-based username/password
- UAB participation in the NMI Testbed: met Shibboleth and the Globus Toolkit
- What would it take to integrate these tools with applications in a manner useful to research collaborations (i.e., VOs)?
- UAB is entering the High-Performance Computing community via faculty acquisitions: an application-focused group and a computing research group

What's a Virtual Organization?
- A set of collaborators bound together by a project of common interest:
  - very large scale science projects, e.g. TeraGrid
  - half a dozen or so collaborators in a funded multidisciplinary project
  - physicians at 60 cancer centers wanting to share clinical data to increase N or to focus on special sub-populations
  - an Internet2 Working Group; a conference planning committee
- In general, VO members are from different institutions

About Grid Security Infrastructure (GSI)
- Grids (Foster, Kesselman)
- Purpose: to support research VOs
- Implementation: NMI GRIDS Globus Toolkit
- Keys distributed to each end user; client-server, non-web requirements
- PKI-based security infrastructure using X.509 certificates ("surely global PKI is almost here")
- Authorization to be dealt with later
- KEY INSIGHT: separation of identity from the system-specific account

Grid Authorization
Today, the Globus Toolkit provides identity-based authorization mechanisms:
- Access control lists (called grid-mapfiles) that map DNs to a local identity (e.g., Unix logins)
- Community Authorization Service (CAS)
- PERMIS and VOMS

Early UAB NMI Testbed work
- Using pubcookie (web-enabled single sign-on) for grid authentication, similar to UVa
- Components:
  - Web-based grid portal (OGCE)
  - Web-based CA (PHPKI)
  - Secure end-user certificate repository
- Details: Robinson, J.-P., Gemmill, J., et al. (2005). Web-Enabled Grid Authentication in a Non-Kerberos Environment. In 6th IEEE/ACM International Workshop on Grid Computing.

Central Challenges
Authorization based on VO membership requires:
- Cross-domain authentication (leverage distributed identity management)
- A "member of VO XYZ" attribute, central for access control
- The VO being authoritative for its own membership assignment and roles
- Working for both web and non-web applications

What Cross-Domain Security Architectures Exist?
- GRIDS: Digital Certificates (X.509 / PKI)
  - Cross-domain trust can be managed scalably through Bridged CAs
  - Carry only a user identifier (DN)
- FEDERATIONS (SAML, Shibboleth, WS-Security)
  - Digitally signed security assertions
  - Carry identity, AuthN method, other attributes

Don't Existing Solutions Provide What Is Needed by VOs? (No!)
- Single-domain solutions are inadequate
- End-user certificate distribution and management has proven to be troublesome and non-scalable
- Essential VO (group) membership information is not provided consistently by either one
- Most collaboration tools are accessed by web browser (not client software with a certificate)

Observation 1
- The size and vast number of VOs makes it difficult for administrators to manage the identity of each user in the VO (and VO members don't want more passwords to remember)
- Goal: leverage existing identity management infrastructure
- The eduPerson/Shibboleth infrastructure appeared promising for identity management

Observation 2
- Identity-based access control methods are inflexible and do not scale
- Goal: use attribute-based access control
- Shibboleth, an attribute transport mechanism linked to identity management, appeared promising

Observation 3
- The most important attribute for VOs is "member of VO-XYZ"
- Who is authoritative for VO attributes? The enterprise? (No) The VO? (Yes!)
- How are VO attributes created?
- Where are VO attributes stored?

myVocs Overview (my Virtual Organization Collaboration System)
myVocs manages attributes.

A Look Inside myVocs
[Diagram, built up over several slides: a VO Attribute Authority holding Users, VO Roles, VO Members and VOs feeds a VO IdP; a VO SP fronts the VO Space of applications (Mail List, CMS, Wiki, Your App); a Shibboleth SP accepts users from external IdPs such as the UAB IdP, UIUC IdP, openidp.org IdP and U. Chicago IdP.]

myVocs Membership Management Tool: Sympa
- Mailing lists are central to collaborations: they specify a collection of individuals, define useful member roles, and are generally autonomous
- Sympa mailing list software supports Shibboleth
- Sympa has an excellent web-based user interface
- Sympa developers were active collaborators

Shibboleth Drives myVocs
[Animated diagram: the client web browser contacts an application (CMS) protected by the VO SP; the WAYF directs the user to their home IdP (e.g. openidp.org) in the Identity Federation; the identity attributes returned through the myVocs Shibboleth SP are combined with VO attributes, and the VO IdP asserts both to the application.]

myVocs automatically provisions
- Application instances (one set per VO)
- Accounts, based on VO membership and roles
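As an added example, not code from the talk or from the myVocs and GridShib projects, the following Python contrasts the identity-based grid-mapfile model described on the Grid Authorization slide with the attribute-based model the talk argues for, including myVocs-style aggregation in which only the VO attribute authority is authoritative for membership and role attributes, and the per-VO account provisioning described above. The DNs, logins, attribute names, the "VO:role" encoding and the application names are constructed assumptions.

```python
# Added example (not from the slides): Globus grid-mapfile authorization beside
# the attribute-based model the talk argues for, with myVocs-style aggregation
# of identity attributes (home IdP) and VO attributes (VO attribute authority).

# Constructed grid-mapfile in the Globus format: quoted subject DN, then the
# local login it maps to. Every authorized user must be enumerated here.
GRIDMAP = '''\
"/C=US/O=Example Campus/OU=People/CN=Alice Researcher" alice
"/C=US/O=Example Campus/OU=People/CN=Bob Collaborator" bob
'''

def parse_gridmap(text):
    """Return {subject DN: local login} from grid-mapfile lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('"'):
            end = line.index('"', 1)
            mapping[line[1:end]] = line[end + 1:].split()[0]
    return mapping

def identity_authorize(dn, mapping):
    """Identity-based: an unknown DN yields None (denied), even for a bona
    fide VO member, because the list has to be maintained per user."""
    return mapping.get(dn)

# Attribute names the VO attribute authority (myVocs) is authoritative for
# (constructed names; a deployment would use its federation's schema).
VO_ATTRIBUTES = {"isMemberOf", "voRole"}

def aggregate(identity_attrs, vo_attrs):
    """Merge identity attributes from the home IdP with VO attributes from the
    VO attribute authority. VO-scoped attributes asserted by the home IdP are
    dropped: only the VO is authoritative for its own membership and roles."""
    merged = {k: list(v) for k, v in identity_attrs.items() if k not in VO_ATTRIBUTES}
    for k in VO_ATTRIBUTES:
        merged[k] = list(vo_attrs.get(k, []))
    return merged

def attribute_authorize(attrs, required_vo):
    """Attribute-based: any member of required_vo is admitted, no per-user list."""
    return required_vo in attrs.get("isMemberOf", [])

def provision(attrs, apps=("wiki", "cms", "maillist")):
    """Per-VO application accounts derived from membership and role, in the
    spirit of myVocs: {vo: {app: role}}. voRole values are 'VO:role';
    members without an explicit role get 'member'."""
    roles = dict(r.split(":", 1) for r in attrs.get("voRole", []))
    return {vo: {app: roles.get(vo, "member") for app in apps}
            for vo in attrs.get("isMemberOf", [])}
```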

What is GridShib?
- Authentication: GridShib leverages the existing authentication mechanisms in GT
- GridShib provides attribute-based authorization based on Shibboleth
- GridShib adds attribute-based authorization to the Globus Toolkit

Software Components
- GridShib for Globus Toolkit: a plugin for GT 4.0
- GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
- GridShib CA: a web-based CA for new grid users
Visit the GridShib Downloads page:

GridShib CA
The GridShib Certificate Authority is a web-based CA for new grid users:
- The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start

Results of Integration

What we have enabled
- Turn-key Grid VO creation through the integration of GridShib and myVocs
- myVocs is used to create and manage VOs
- GridShib allows myVocs users to create Grid credentials and access Grid resources
- Grid resources obtain attributes from myVocs and grant access based on them

[Sequence diagrams, one per slide:]
- User Registers with myVocs (identity authentication at the home IdP)
- VO Admin Adds User to VO
- Grid Logon (identity authentication, identity attributes, Grid credentials, Grid Id)
- Grid Service Invocation (VO attributes, Grid credentials, Grid Id)

Remaining Challenges
- Name binding on a global scale
- Attribute aggregation
- Defining VO membership, roles and attributes
- Group and role management
- UAB is currently working on a Shibbolized, GridShib CA-integrated version of the GridSphere Portal (also in Australia)

Questions?
For more information:
- GridShib:
- myVocs: