Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)

Agenda
- caBIG
- caGrid
- caGrid Security Overview (GAARDS)
- Dorian
- Authentication Service
- Grid Trust Service (GTS)
- Grid Grouper
- Authz / Common Security Module (CSM)
- Additional Information

National Cancer Institute 2015 Goal Relieve suffering and death due to cancer by the year 2015

Cancer Biomedical Informatics Grid (caBIG TM)
- Need: Enable investigators and research teams nationwide to combine and leverage their findings and expertise in order to meet the NCI 2015 Goal.
- Strategy: Create a scalable, actively managed organization that will connect members of the NCI-supported cancer enterprise by building a biomedical informatics network.
- National Cancer Institute Initiative
- Over 800 Participants
- Over 80 Organizations
- Over 70 Projects

caBIG Community Organization

caGrid
- Grid Infrastructure for caBIG
- Enterprise Level Grid Components
caGrid Components:
- Grid Service Graphical Development Toolkit (Introduce)
- Metadata Advertisement and Discovery
- Semantic Services
- Data Service Infrastructure
- Analytical Service Infrastructure
- Identifiers
- Workflow
- Security

GAARDS Overview
Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
- GAARDS provides services and tools for the administration and enforcement of security policy in an enterprise Grid.
- Developed on top of the Globus Toolkit
- Extends the Grid Security Infrastructure (GSI)
- Provides enterprise services and administrative tools for:
  - Grid User Management
  - Identity Federation
  - Trust management
  - Group/VO management
  - Access Control Policy management and enforcement
  - Integration between existing security domains and the grid security domain

GAARDS Components
Dorian
- Grid User Account Management
- Integration point between external security domains and the grid. Allows accounts managed in external domains to be federated and managed in the grid.
- Dorian allows users to use their existing credentials (external to the grid) to authenticate to the grid.
Grid Trust Service (GTS)
- Creation and management of a federated trust fabric.
- Supports applications and services in deciding whether or not signers of digital credentials/user attributes can be trusted.
- Supports the provisioning of trusted certificate authorities and corresponding CRLs.
Grid Grouper
- Group management service for the grid
- Provides a group-based authorization solution for the Grid
- Enforces authorization policy based on membership in groups

GAARDS Components
Authentication Service
- Integrates existing credential providers into the grid.
- Provides a uniform grid interface for authenticating to existing credential providers.
- Applications can communicate with any credential provider.
Authz/Common Security Module (CSM)
- Provides a centralized approach to managing and enforcing access control policy (authorization).
Security Metadata
- Ensures communication interoperability between grid services.

GAARDS in Action

GAARDS in Action (diagram labels: Authenticate with Local Credential Provider, SAML Assertion) The user authenticates to the local credential provider using their everyday user credentials.

GAARDS in Action SAML Assertion Grid Credentials Application obtains grid credentials from Dorian using SAML provided by the local provider.

GAARDS in Action Grid Credentials Application uses grid credentials to invoke secure grid services.

GAARDS in Action Grid Service authenticates the user by asking the GTS whether or not the signer of the credential should be trusted. Should I trust the credential signer?

GAARDS in Action Authorization The Grid Service asks CSM, or its own access control policy enforcer, whether or not the user can perform X on resource Y. Is Authorized?

GAARDS in Action Authorization Alternative The Grid Service can enforce local policy based on user membership in groups maintained in Grid Grouper. Is member of?

Dorian

Grid Account Management is Difficult
- Users are required to manage a long-term certificate and private key. How are they obtained?
  - Traditionally users generate a key pair and certificate request locally, then contact a CA administrator to get a signed certificate.
- Mobility Issues
  - Users generally work on more than one computer.
  - The certificate and private key need to be available to users on each machine.
  - Traditionally users need to copy the certificate and private key around. This is a hassle for the users, some of whom don't have the expertise to accomplish it, and a security concern.
- Difficult to administrate
  - Few tools for administering the provisioning of user accounts.
  - Difficult to revoke accounts.
  - Limited information available to administrators for making decisions.
- Why can't they leverage their existing accounts to access the grid?

Dorian
- Grid User Account Management
  - Administrative interface for account provisioning and management.
  - Built-in Certificate Authority
  - Manages Grid Credentials for each user.
  - Enables users to authenticate and create grid proxies, which they may use to access the grid.
- Identity Management and Federation
  - Integration point between external security domains and the grid.
  - Users may use existing credentials to obtain a grid proxy.
  - Users authenticate to an IdP and obtain a SAML assertion (proof), which is then given to Dorian to facilitate the creation of a grid proxy.
- Automated Account Creation and Provisioning
- Built-in Identity Provider
- Comprehensive Administrative UI

Dorian Proxy Creation
- Users authenticate to an IdP.
- Obtain a SAML assertion (proof) from the IdP.
- Send the SAML Assertion to Dorian in exchange for a grid proxy.
Proxy Creation (Detailed)
- User authenticates to the local IdP.
- Local IdP issues a signed SAML Assertion to the user.
- User authenticates to Dorian with the SAML Assertion.
  - Dorian verifies the signature of the SAML Assertion. The signing IdP must be registered with Dorian as a trusted provider.
  - Dorian locates the user's grid account or creates one if it does not exist.
  - Dorian ensures the user has rights to create a proxy.
- Client and Dorian negotiate to create a proxy.

Dorian – Proxy Creation
Proxy Creation Workflow
- Client authenticates with the local IdP.
- Client creates a public/private key pair to use for the grid proxy.
- Client requests that Dorian create a grid proxy.
- Dorian verifies that the SAML assertion provided by the user is signed by a trusted IdP and that the user has a valid account.
- Dorian locates the user's grid credentials (private key and certificate).
- Dorian uses the public key provided to create a proxy certificate and signs it with the user's private key.
- Dorian returns the proxy certificate to the user.
- The user may now use the proxy to authenticate to grid services.
(Diagram labels: SAML Assertion, Username / Password, SAML Assertion Signed)

Grid User Account Creation
- A grid account is created the first time a user accesses Dorian with a SAML Assertion signed by a registered Trusted Identity Provider.
- Each grid account has a status associated with it: Active, Pending, Suspended, Expired, ...
- Only users with an Active status will be given access to the grid.
- The initial status of a user account upon creation depends on the user policy configured for their IdP.
- A User Policy is applied to a user's account every time they request that a proxy be created.
- User Policies enable the administration of Dorian to be as hands-on or hands-off as the administrators wish.
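As an added illustration (not code from the presentation or from caGrid), the Dorian-side logic of the proxy-creation workflow and the account-creation rules above, modelled in Python: the trusted-IdP registry, signature verification of the assertion, account creation with the status chosen by the IdP's user policy, the Active check, and the proxy issued to the client's public key. HMAC-SHA256 stands in for XML signatures and real proxy certificates, and the policy names "auto-approve" and "manual-approval" are assumed.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Dorian CA metadata that prefixes every grid identity (from the "Grid User Accounts" slide).
CA_SUBJECT = "/O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost"

def sign(key: bytes, message: str) -> str:
    # Constructed stand-in for the XML signature on a SAML assertion and for the user's
    # long-term key signing the proxy: an HMAC-SHA256 over the message text.
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()

@dataclass
class TrustedIdP:
    idp_id: int        # Dorian-assigned identifier
    name: str          # human-readable name
    status: str        # "Active" or "Suspended"
    user_policy: str   # hypothetical policy names: "auto-approve" or "manual-approval"
    key: bytes         # stands in for the registered IdP certificate / signing key

def issue_assertion(idp: TrustedIdP, local_user_id: str) -> dict:
    # What the local IdP hands the user after username/password authentication.
    body = f"idp={idp.idp_id};user={local_user_id}"
    return {"idp_id": idp.idp_id, "body": body, "signature": sign(idp.key, body)}

class Dorian:
    def __init__(self, trusted_idps):
        self.idps = {i.idp_id: i for i in trusted_idps}
        self.accounts = {}  # (idp_id, local_user_id) -> {"status": ..., "key": ...}

    def create_proxy(self, assertion: dict, client_public_key: str) -> dict:
        idp = self.idps.get(assertion["idp_id"])
        if idp is None or idp.status != "Active":
            raise PermissionError("assertion not signed by a registered, active IdP")
        if not hmac.compare_digest(sign(idp.key, assertion["body"]), assertion["signature"]):
            raise PermissionError("SAML assertion signature does not verify")
        # Identity claims are read only from the signed body, never from unsigned fields.
        claims = dict(part.split("=", 1) for part in assertion["body"].split(";"))
        local_user_id = claims["user"]
        key = (idp.idp_id, local_user_id)
        grid_identity = f"{CA_SUBJECT}/OU=IdP [{idp.idp_id}]/CN={local_user_id}"
        if key not in self.accounts:
            # First valid assertion creates the account; the IdP's user policy sets its initial status.
            status = "Active" if idp.user_policy == "auto-approve" else "Pending"
            # Constructed long-term key; a real Dorian holds the user's private key and certificate.
            self.accounts[key] = {"status": status, "key": hashlib.sha256(grid_identity.encode()).digest()}
        if self.accounts[key]["status"] != "Active":
            raise PermissionError(f"grid account is {self.accounts[key]['status']}, not Active")
        # The proxy binds the client's public key to the grid identity and is signed with the
        # user's long-term key, which never leaves Dorian.
        proxy = {"subject": grid_identity + "/CN=proxy", "issuer": grid_identity, "public_key": client_public_key}
        proxy["signature"] = sign(self.accounts[key]["key"], repr(sorted(proxy.items())))
        return proxy
```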

Grid User Accounts
Grid User Account (managed through the Grid Service Interface using the Admin UI):
- IdP
- Local User Id (uniquely identifies a user within the context of an IdP)
- First Name
- Last Name
- User's role with respect to Dorian
- User Account Status
- Grid Credentials: private key, long-term certificate
- Grid Identity
Grid Identity layout (Dorian CA Metadata / Trusted IdP Id / Local User Id), for example:
  /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP [1]/CN=jdoe
  (Dorian CA Metadata: /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost; IdP Id: 1; Local User Id: jdoe)

Managing Trusted Identity Providers
Trusted Identity Provider – An Identity Provider that Dorian is configured to trust and for which it manages grid user accounts.
- Id – Dorian-assigned identifier for the IdP.
- Name – Human-readable name for easy identification.
- Status – Active / Suspended.
- User Policy – Executed when users authenticate; dictates a policy to apply to a user's account.
- Authentication Method
- IdP Certificate – Certificate whose corresponding private key will be used in signing SAML assertions.

Dorian Identity Provider
- Dorian Identity Provider (Dorian IdP) – Enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian as their IdP, such that they may leverage Dorian for creating grid credentials.
- Registration – Provides a registration mechanism through the grid service interface.
- Authentication – Username/password authentication over the grid service interface; successful authentication returns a SAML assertion which can later be consumed by Dorian in exchange for a grid proxy.
- Account Management – Provides administrative operations for managing Dorian IdP accounts.

Dorian IdP – Registration / Authentication
- Potential users obtain an account on the Dorian IdP by registering.
  - The Grid Service Interface provides a mechanism for registering a Dorian IdP account.
  - The Dorian GUI provides a graphical interface for registering with the Dorian IdP.
- Account creation depends on how the Dorian IdP is configured:
  - Auto Creation
  - Manual Creation
- Once approved, registered users can authenticate (username, password) to the Dorian IdP to obtain a SAML Assertion which can then be used to create a proxy.

Dorian IdP User Management
- Manage User Account Information
- Manage Account Status
- Grant IdP Admin Rights
- Account management is done through the grid service interface; only users with admin rights may manage accounts.
- Full account management support through the Dorian GUI.

Authentication Service

Authentication Service
- The role of the AuthenticationService is to provide a uniform grid interface for authenticating to existing credential providers.
- Leveraged as an integration point between local identity management and grid identity federation.
- To achieve this goal, we define a framework as a set of interfaces that can be implemented by a credential provider.
- caGrid provides a default implementation that exposes the Common Security Module (CSM) as an IdP.
(Diagram: Local Identity Management – Authentication Service – Dorian. Supported Credential Providers: LDAP, RDBMS)

Authentication Service - Design
- Authentication Service Grid Service (created using the Introduce Toolkit)
- Authentication Provider Framework: AuthenticationProvider, SubjectProvider, SAMLProvider
- Credential providers can be integrated by implementing this interface.
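An added sketch (not caGrid's code) of the provider framework described on the last two slides: the AuthenticationProvider and SubjectProvider interfaces, a constructed RDBMS-backed provider on SQLite with salted PBKDF2 password hashes, and a service that, in the SAMLProvider role, returns a signed assertion only after the provider accepts the credentials. The table layout is assumed, and HMAC stands in for the XML signature made with the IdP certificate's key.

```python
import hashlib
import hmac
import sqlite3
from abc import ABC, abstractmethod

class AuthenticationProvider(ABC):
    # Implemented by a credential provider so the service can check a username/password.
    @abstractmethod
    def authenticate(self, username: str, password: str) -> bool: ...

class SubjectProvider(ABC):
    # Implemented by a credential provider to return the user's attributes for the assertion.
    @abstractmethod
    def subject(self, username: str) -> dict: ...

class RdbmsProvider(AuthenticationProvider, SubjectProvider):
    # Constructed RDBMS-backed provider: a SQLite users table holding salted PBKDF2 hashes.
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, first TEXT, last TEXT)")

    def add_user(self, username, password, first, last, salt=b"constructed-salt"):
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.db.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)", (username, salt, pw_hash, first, last))

    def authenticate(self, username, password):
        row = self.db.execute("SELECT salt, pw_hash FROM users WHERE username = ?", (username,)).fetchone()
        if row is None:
            return False  # unknown user; same answer as a wrong password
        salt, stored = row
        return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), stored)

    def subject(self, username):
        first, last = self.db.execute("SELECT first, last FROM users WHERE username = ?", (username,)).fetchone()
        return {"local_user_id": username, "first_name": first, "last_name": last}

def sign(key: bytes, body: str) -> str:
    # HMAC stands in for the XML signature made with the IdP certificate's private key.
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

class AuthenticationService:
    # The uniform grid interface: any provider plugs in behind it, and on success the service
    # plays the SAMLProvider role, issuing a signed assertion Dorian can later consume.
    def __init__(self, provider, idp_id: int, signing_key: bytes):
        self.provider, self.idp_id, self.key = provider, idp_id, signing_key

    def authenticate(self, username: str, password: str) -> dict:
        if not self.provider.authenticate(username, password):
            raise PermissionError("authentication with the local credential provider failed")
        subject = self.provider.subject(username)
        body = f"idp={self.idp_id};" + ";".join(f"{k}={v}" for k, v in sorted(subject.items()))
        return {"idp_id": self.idp_id, "body": body, "signature": sign(self.key, body)}
```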