Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Slides:



Advertisements
Similar presentations
MyProxy Jim Basney Senior Research Scientist NCSA
Advertisements

Contrail and Federated Identity Management
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
WSO2 Identity Server Road Map
Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.
Mobile Identity and Mobile Authentication (mobile e-signature) Valdis Janovs Sales Director Lattelecom Technology SIA.
Claims Based Authentication
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.
Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
PostalOne! / FAST Data Exchange - Vision 02/15/05.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign NCSA Two Factor CA Jim Basney
Federated Environments and Incident Response: The Worst of Both Worlds? A TeraGrid Perspective Jim Basney Senior Research Scientist National Center for.
Openid Connect
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Single Sign-On
An Overview of Single Sign-On, Federation, Its Benefits, and Basic Procedures for Integrating Applications.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.
SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
All Rights Reserved 2014 © CMG Consulting LLC Federated Identity Management and Access Andres Carvallo Dwight Moore CMG Consulting, LLC October
Cole David Ronnie Julio. Introduction Globus is A community of users and developers who collaborate on the use and development of open source software,
National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.
Grid, Web services and Taverna Machiel Jansen Richard Holland.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
Building consumer apps with Azure AD B2C
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
Web Services Security Patterns Alex Mackman CM Group Ltd
Security Solutions Rachana Ananthakrishnan University of Chicago.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.
WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.
Agenda  Microsoft Directory Synchronization Tool  Active Directory Federation Server  ADFS Proxy  Hybrid Features – LAB.
B2access.eudat.eu B2ACCESS User Training How to register with B2ACCESS Version 1 February 2016 This work is licensed under the Creative Commons.
1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
WSO2 Identity Server. Small company (called company A) had few services deployed on one app server.
Access Policy - Federation March 23, 2016
A National e-Authentication Service
Identity Management (IdM)
Federation made simple
Data and Applications Security Developments and Directions
Community AAI with Check-In
A Grid Authorization Model for Science Gateways
D Guidance 26-Jun: Would like to see a refresh of this title slide
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor Suresh Marru Marlon Pierce This material is based upon work supported by the National Science Foundation under grant number

Distributed Web Security for Science Gateways Software Development for Cyberinfrastructure grant from the NSF Office of CyberInfrastructure ( 3 year project: August 2011 – July 2014 Goal: Support use of OAuth by science gateways for distributed authentication, delegation, and authorization Develop OAuth “profiles” for science gateway use cases Getting certificates from MyProxy servers Both individual and “community” credentials Delegating certificates between gateway components Delegated access to REST services Integration with external authentication (LDAP, Kerberos, SAML, OpenID) Credential refresh Web Single Sign-On (OpenID Connect)

Defining Terms Authentication: Who are you? customer # name: Jim Basney Authorization: What are you allowed to do? Access private information Charge purchases to your credit card Delegated Authorization: Authorizations you grant to others Park your car (valet key) View your private photos on Flickr Collaboratively edit an online Google doc Credential: How security information is conveyed Also known as Assertion or Token

Science Gateways: Tiered Access Models user authenticates to science gateway science gateway authenticates to service providers

Science Gateways: Tiered Access Models Option A: Transitive Trust Bilateral agreement between science gateway & service provider Bulk allocation of service to the science gateway Service provider may not know who the end users are Users may not know who the underlying service providers are Example: XSEDE Community Account model User attributes in community credential provides user info to SP Option B: Delegation of Rights End user has account at underlying service provider Example: Individual XSEDE account with Globus Online Science Gateway explicitly acts on the user’s behalf when interacting with the underlying service providers Both options are useful (and can be combined) Our recent work is focused on Option B: Delegation of Rights

Example: Photo Printing Your flickr Password Photos Your flickr Password

Example: Using OAuth Token Authenticate & Grant Access to Photos Toke n PhotosRequest Access to Photos

Example: Science Gateway Your Password Access Your Password

Delegated Authorization via OAuth Token Authenticate & Grant Access Toke n AccessRequest Access to Supercomputer

Delegated Authorization via OAuth Token Authenticate & Grant Access Toke n Data Request Access to iPlant Data

OAuth for MyProxy Provides an OAuth 1.0a compliant REST web interface to MyProxy for providing user certificates to science gateways Eliminates the need for users to disclose their MyProxy passwords to science gateways. Instead, gateway users authenticate to their MyProxy server’s OAuth web interface to approve issuance of a certificate by MyProxy to the science gateway they are using. Java client & server implementations available now XSEDE MyProxy OAuth Server TG11 paper: In use today by Globus Online Supports using individual XSEDE accounts via science gateways

Old ApproachNew Approach MyProxy Use Case

Globus Online Example

Globus Online Example

OOI Example

OOI Example

OOI Example

Starting the Discussion What are science gateways doing today for web security? Using OAuth, OpenID, SAML? Supporting both individual and community accounts? Authenticating to REST services? Sharing data across multiple gateways? What are current/future science gateway security needs? What is your input on our project plans? Getting certificates from MyProxy servers Delegating certificates between gateway components Delegated access to REST services Integration with external authentication (LDAP, Kerberos, SAML, OpenID) OAuth 2.0 update Credential refresh Web Single Sign-On (OpenID Connect) What is your input on the XSEDE architecture?

Continuing the Discussion Please join our mailing list: Send to: Or visit: iscuss/subscribe

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.