Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Presentation transcript:


Outline
What is MDM perfSONAR?
Which problem has been solved?
The AAI of perfSONAR
Conclusion and future work

What is MDM perfSONAR?
perfSONAR (Performance focused Service Oriented Network Monitoring Architecture) system
–Is a joint effort of the EU-funded IST project GN2-JRA1, Internet2, ESnet and RNP
–Open source development, also for other interested networks
–Name reflects the choice of a Service Oriented Architecture
–The solution is deployed and further elaborated in:
  European Research Backbone GÉANT
  Connected European National Research and Education Networks
  Internet2's Abilene network
  ESnet (Energy Sciences network in the US)
  RNP (Brazilian NREN)

What is MDM perfSONAR? Partners

What is MDM perfSONAR? Overview
The project is divided into two parts
–The web services architecture: Java & Perl
–Protocols: based on the Open Grid Forum Network Measurement Working Group schemas
It provides
–Performance measurements in a multi-domain environment
–Cross-domain monitoring capability

What is MDM perfSONAR? Framework

What is MDM perfSONAR? Services in perfSONAR MDM 3.0
Available services in perfSONAR MDM 3.0
–Lookup Service
–Authentication Service
–Measurement Archive Service: RRD and SQL versions
–Measurement Point: SSH/Telnet, BWCTL, Command Line, TC

What is MDM perfSONAR? Services in perfSONAR MDM 3.0
Web admin interface!

What is MDM perfSONAR? Services in perfSONAR MDM 3.0
Easy distribution
–WAR files
–RPM & DEB packages, also for Tomcat and eXist DB

Outline
What is MDM perfSONAR?
Which problem has been solved?
The AAI of perfSONAR
Conclusion and future work

Which problem has been solved?
User groups using perfSONAR
–NOC (Network Operations Center) / PERT (Performance Emergency Response Team) staff
–Project members (e.g. EGEE project)
–End users
–Administrative/non-technical staff
Users access perfSONAR services in a multi-domain environment

Which problem has been solved?
perfSONAR services have to be protected
–Accepting messages only from allowed users/user groups
–Providing them only the data they need
The scenario we found…
–Different languages for web services
–Different languages for visualization tools
–Different AAIs in each domain
–Not only the common web-based single sign-on solution

Outline
What is MDM perfSONAR?
Which problem has been solved?
The AAI of perfSONAR
Conclusion and future work

The AAI of perfSONAR MDM
The Authentication and Authorization Service (AS)
–Developed as another perfSONAR service
–It is used by other services for:
  Checking whether the user is authenticated
  Checking whether the user is allowed to perform an action in a service
  Checking the user's attributes

The AAI of perfSONAR MDM

The AAI of perfSONAR MDM
What does eduGAIN offer perfSONAR?
–A unified framework of digital identity
  URN registry service
  PKI service
  Neutral area of identity providers and messages: Shibboleth, PAPI, FEIDE, A-Select, …
  MetaData Service
  GÉANT Identity Provider (GIdP) for the "homeless"
–Java-based libraries for interacting with eduGAIN components
–Support for our problems! :-)
What does eduGAIN NOT offer perfSONAR?
–An Authentication and Authorization Service

The AAI of perfSONAR MDM: profiles
Transmission of credentials
–Clients send security tokens representing themselves
–Web Services Security (WS-SEC) standard
Different clients - different profiles
–Automated Client (AC) profile: without human interaction, e.g. scripts
–Client in a Web containEr (WE) profile: web-based applications
–User behind a Client (UbC) profile: non web-based applications

The AAI of perfSONAR MDM: AC profile
Unique and non-transferable ID for each client
–URN obtained from the eduGAIN registry service
Private and public key valid in the eduGAIN trust model
–Subject Alternative Name of the certificate contains the URN
–Obtained from the eduGAIN PKI
Security Token is based on the X.509 certificate

The AAI of perfSONAR MDM: AC profile
Authentication data included in the SOAP header
Certificate of the client sent following the X.509 profile of WS-SEC
Generation of the WS-SEC element is proof of the authenticity of the client
Certificate contains the component ID
It is used as the Subject in the Attribute Request

The AAI of perfSONAR MDM: UbC profile
A similar case to AC
–An online CA for getting the certificate: SASL CA

The AAI of perfSONAR MDM: WE profile
Uses the eduGAIN webSSO profile
SAML assertions contain the user's credentials
Clients must have a pair of keys valid in the eduGAIN trust model
Security Token is based on SAML assertions

The AAI of perfSONAR MDM: WE profile
Constraints of the relayed-trust SAML assertion
It must be bound to the client by the H-BE: the user's credentials were legitimately obtained
It must be bound to the resource by the client: a malicious resource cannot re-use it
This SAML assertion contains:
AudienceRestrictionCondition element with the component ID of the resource
Authentication statement
  ConfirmationMethod element containing the value relayed-trust
  SubjectConfirmationData holds the SAML assertion obtained from the H-BE
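As an added illustration (not code from the perfSONAR project), the checks a resource could apply to a WE-profile relayed-trust assertion before trusting it, in Python: the URI used for the relayed-trust ConfirmationMethod, the issuer names and the sample assertion are constructed placeholders, and XML signature verification is left out.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}
# Assumed placeholder: the slides only name the method "relayed-trust"; the real URI is not given.
RELAYED_TRUST = "urn:example:edugain:confirmation-method:relayed-trust"

def check_relayed_trust(assertion_xml, resource_id):
    """Validate the relayed-trust assertion a WE-profile client presents to a resource.
    Returns the subject NameIdentifier (used for the attribute request) or raises ValueError.
    XML signature verification is out of scope here."""
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML1:
        raise ValueError("not a SAML 1.x Assertion")
    # Bound to the resource: our component ID must appear in AudienceRestrictionCondition,
    # so a malicious resource cannot forward the assertion to another service.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestrictionCondition/saml:Audience", NS)]
    if resource_id not in audiences:
        raise ValueError("assertion not bound to %s (audiences: %s)" % (resource_id, audiences))
    stmt = root.find("saml:AuthenticationStatement", NS)
    conf = None if stmt is None else stmt.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None:
        raise ValueError("no AuthenticationStatement with SubjectConfirmation")
    if RELAYED_TRUST not in [m.text for m in conf.findall("saml:ConfirmationMethod", NS)]:
        raise ValueError("ConfirmationMethod is not relayed-trust")
    # Bound to the client by the H-BE: SubjectConfirmationData must carry the H-BE's own
    # assertion, and its subject must be the user the client now vouches for.
    inner = conf.find("saml:SubjectConfirmationData/saml:Assertion", NS)
    inner_name = None if inner is None else inner.find(
        "saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", NS)
    outer_name = stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if inner_name is None or outer_name is None:
        raise ValueError("SubjectConfirmationData lacks the H-BE assertion")
    if inner_name.text != outer_name.text:
        raise ValueError("H-BE assertion subject does not match the client's subject")
    return outer_name.text

def sample_assertion(audience, method=RELAYED_TRUST):
    """Constructed relayed-trust assertion (not a capture); issuers and IDs are made up."""
    return """<saml:Assertion xmlns:saml="%s" AssertionID="_c1" Issuer="urn:example:client">
 <saml:Conditions><saml:AudienceRestrictionCondition><saml:Audience>%s</saml:Audience>
 </saml:AudienceRestrictionCondition></saml:Conditions><saml:AuthenticationStatement>
 <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier><saml:SubjectConfirmation>
 <saml:ConfirmationMethod>%s</saml:ConfirmationMethod><saml:SubjectConfirmationData>
 <saml:Assertion AssertionID="_hbe1" Issuer="urn:example:hbe"><saml:AuthenticationStatement>
 <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
 </saml:AuthenticationStatement></saml:Assertion></saml:SubjectConfirmationData>
 </saml:SubjectConfirmation></saml:Subject></saml:AuthenticationStatement></saml:Assertion>""" % (
        SAML1, audience, method)
```

The audience check is what stops a resource that received the assertion from presenting it to a second resource; the nested H-BE assertion is what ties the client's claim back to the user's original authentication.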

The AAI of perfSONAR MDM: WE profile
Authentication data included in the SOAP header
Relayed-trust SAML assertion sent following the X.509 and SAML profiles of WS-SEC
Certificate contains the component ID of the client
Subject of the SAML assertion used for requesting its attributes

The AAI of perfSONAR MDM: the future

Outline
What is MDM perfSONAR?
Which problem has been solved?
The AAI of perfSONAR
Conclusion and future work

Conclusion and future work
perfSONAR has a full AAI with "minimal" effort
–Components for services
–Libraries for services and clients
–They don't have to understand AA issues… or almost O:-)
UbC profile has to be redesigned
–It uses SASL CA: bad choice
–There is a solution on the way, "eduroam style"
We are working on the authorization part
–Making easy what isn't easy
Main goal for the future: performance

Thank you for your attention! Any questions?