Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management

The Problem
- Integrated Access (Authentication)
- Identity management
- Implemented locally…
  - …integrate with future national efforts…
  - …and international

What’s in SSO?
- Identity mgmt, User mgmt
- Credential conversions
  - Certificates, AD/K5
  - Protection of credentials
- Thin clients vs thick clients
- Passwords and -phrases
  - Single password to all resources

What’s in SSO? (components)
- Portals
- MyProxy
- VOMS
- Java gsissh terminal
- SDSC SRB
- SRM
- Tapestore
- Active Directory
- Kerberos
- Challenge: get distinct components to talk together

Authentication – web based
- If on-site, use federal id (Active Directory/Kerberos)
- If off-site, use certificate
  - if loaded into browser
- Otherwise username/password
  - Same as fed username/password
  - Not allowed to store the password…
- System must know these three credentials belong to the same identity

Web (HTTPS) based SSO
- Easier to implement servers
  - Apache can do Everything™
  - Not trivial to integrate with existing Java portals
  - Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
- Lots of HTTP tools that understand security
- Future proof, when UK goes to Shibboleth

Client Side – from outside CCLRC (old slide; diagram with components: Certificate, Portal, VOMS, The Grid, SRB)

Client Side – from within CCLRC (old slide; diagram with components: Microsoft Active Directory, Portal, MyProxy, VOMS, The Grid, SRB)

SRB
- SRB provides SSO
  - But not integrated with everybody else’s…
- S commands can be used with GSI and with username/password
- inQ doesn’t understand certificates
(diagram: The Grid, SRB, The Beam)

MyProxy
- MyProxy essential to SSO to Grid
  - Because Grid requires X.509 certs
- Call out to site authentication
  - For username/password maintenance
- Investigating new MyProxy+PAM

Status – Users
- Need certificates for Grid work
- Once every year, obtain/renew cert
  - Usability of CA improved with upgrade
  - Will resurrect applets
- Once every week, renew proxy
  - Upload tool in Java, another in python
- Once every day
  - Log in to Windows (or Linux kinit)

Status – software
- Prototype portal (python)
  - Thin clients (web browser)
  - Fetches proxy from MyProxy
  - AD/K5 works with IE and certain Linux browsers
- Components for thick clients
  - Fetches proxy locally from MyProxy

Identity sources and consumers (diagram with components: Microsoft Active Directory, Corporate Data Repository, Authorisation (LDAP), VOMS, MyProxy, Gridmap file)
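The linkage the diagram above sketches, and the requirement from the web-authentication slide that the system knows a Kerberos login, a site username and a certificate all belong to the same person, written out as an added illustration (this is not CCLRC's implementation): a directory record ties the AD account and Kerberos principal to the user's certificate subject(s); a Globus grid-mapfile is generated from those records; and a presented subject, whether the end-entity certificate's own or that of a proxy derived from it, resolves back to the record. The directory contents, realm name and DNs are constructed. The only formats assumed are the grid-mapfile line `"<DN>" user1,user2` and the convention that a proxy certificate's subject is its issuer's subject with a `/CN=proxy`, `/CN=limited proxy` or (RFC 3820) numeric `/CN=<serial>` component appended; the example handles chains of such proxies, which goes slightly beyond the single mapping the slide shows.

```python
"""Identity linking across AD/Kerberos and X.509, plus grid-mapfile handling.

Added illustration, not CCLRC code.  The DIRECTORY below is constructed sample
data; real deployments would read it from LDAP/AD.
"""
import re
from dataclasses import dataclass


@dataclass
class Identity:
    username: str    # site (AD) account name, also the local Unix account
    principal: str   # Kerberos principal, user@REALM (assumed realm below)
    dns: list        # X.509 subject DNs of the user's certificates, OpenSSL one-line form


# Constructed sample directory; DNs and realm are illustrative only.
DIRECTORY = [
    Identity("jgj", "jgj@FED.EXAMPLE.AC.UK",
             ["/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens jensen"]),
    Identity("abc", "abc@FED.EXAMPLE.AC.UK",
             ["/C=UK/O=eScience/OU=CLRC/L=RAL/CN=a b c",
              "/C=UK/O=eScience/OU=CLRC/L=DL/CN=a b c"]),
]

# Trailing CN components that proxy certificates add to the issuer's subject.
# Assumes no end-entity certificate has a purely numeric CN (an IGTF-style
# naming convention, not something this code can verify on its own).
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def eec_subject(dn: str) -> str:
    """Strip proxy CN components (repeatedly, for proxies of proxies) and return
    the end-entity certificate subject that directory records and the
    grid-mapfile are keyed on."""
    while True:
        stripped = PROXY_CN.sub("", dn)
        if stripped == dn:
            return dn
        dn = stripped


def resolve(directory, *, username=None, principal=None, dn=None):
    """Return the Identity matching whichever credential was presented, so a
    Kerberos login, a site username/password and a certificate all land on the
    same account.  Returns None when nothing matches."""
    if dn is not None:
        dn = eec_subject(dn)
    for ident in directory:
        if username is not None and ident.username == username:
            return ident
        if principal is not None and ident.principal == principal:
            return ident
        if dn is not None and dn in ident.dns:
            return ident
    return None


def build_gridmap(directory) -> str:
    """Emit grid-mapfile text: one quoted DN per line, mapped to the site account.
    DNs containing a double quote cannot be represented and are rejected."""
    lines = []
    for ident in directory:
        for dn in ident.dns:
            if '"' in dn:
                raise ValueError(f"DN not representable in grid-mapfile: {dn!r}")
            lines.append(f'"{dn}" {ident.username}')
    return "\n".join(lines) + "\n"


GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')


def parse_gridmap(text: str) -> dict:
    """Parse grid-mapfile text into {EEC subject: [local accounts]}.
    Blank lines and '#' comments are skipped; anything else malformed is an error
    rather than being silently ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = GRIDMAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, users = m.groups()
        mapping.setdefault(dn, []).extend(users.split(","))
    return mapping


def map_dn(gridmap: dict, dn: str):
    """Default local account for a presented (possibly proxy) subject, or None.
    The subject must come from a chain that has already been verified."""
    users = gridmap.get(eec_subject(dn))
    return users[0] if users else None


if __name__ == "__main__":
    gm = parse_gridmap(build_gridmap(DIRECTORY))
    print(build_gridmap(DIRECTORY))
    print(map_dn(gm, "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=a b c/CN=proxy/CN=proxy"))
```

The subject handed to `map_dn` must be taken from a certificate chain the TLS/GSI layer has already verified; mapping an unverified string is the same as having no authentication at all. The numeric-CN stripping is what makes RFC 3820 proxies resolve, and it is only safe under the naming convention noted in the code.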

Combining Grid Authorisation (diagram: LDAP directories for CCLRC, NGS and LCG, combined into Grid AUZ)

Future work
- VOMS
- Extending collaboration
  - Related Shib work with Oxford
- Grid access for non-certificate users
  - DLS & IB very interested (+BDWorld?)
- Ponder credential conversions/protection
  - Work on-going between CAs in IGTF

Summary
- Prototype SSO access to Grid
- Existing implementations, added glue
- Loads of other minor things that need doing
- Integrating with other SSO efforts
- Facilities’ user offices maintain ids
- More authorisation work req’d