Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Overview
– Motivation
– Why Shibboleth?
– Previous work: ShibGrid
– Other projects
– Just starting: SARoNGS
– Conclusions

Motivation
– We want to encourage more users to use the Grid
  – All areas of research
  – Single researcher to large projects
  – Security infrastructure must enable this
– Certificates are often a barrier
– Generalised, not specific
– Straightforward to use

Why Shibboleth?
– JISC is encouraging all institutions to transition from Athens to “Federated Access Management”
– This technology is currently based on Shibboleth
– It will become familiar to all academic users
– The Grid should also use this common technology for authentication

Shibboleth Overview
– Web-based federated access management system based on SAML
– Based on separation of authentication and authorisation
  – Authentication: Identity Provider (IdP) at the user’s home institution
  – Authorisation: Service Provider (SP), based on attributes about the user released by the IdP
  – Discovery: Where Are You From (WAYF) service
– User can remain anonymous at the SP: the IdP releases only the attributes the SP needs, and those need not identify the user

Shibboleth Authentication and Authorisation (diagram; thanks to Kang Tang)

ShibGrid Use cases
– Access to the Grid solely with Shibboleth
– Use standard Grid certificates when something extra is required; still many advantages
– Access to the Grid through a portal
  – NGS portal / project portals
– Access to the Grid through other access methods
  – Globus, Java GSI-SSH Terminal, CoG, etc.
– Registration (for NGS) using Shibboleth

ShibGrid access to the NGS (via Portal): Shibboleth Authentication and Authorisation (diagram; thanks to Kang Tang)

Other Components
– Grid proxy download tool, for non-portal Grid access methods
– Grid proxy upload tool
– Registration service
  – Data Protection Act / Acceptable Use Policy
  – Check the user’s institution is supported
  – Check the user has the correct configuration
  – Link to NGS user registration

Logon via Shibboleth…

…Choose your home institution…

…background log-in using Kerberos…

…welcome to the Portal…

…and we have an automatically-generated Grid proxy

Other Projects
“There’s more than one way to skin a cat.” This list is not exhaustive...
– UK: SHEBANGS, ShibGrid, GridSite, DyVOSE/VOTES/BRIDGES/GLASS and GridShibPERMIS
– US: GridShib
– Switzerland: SWITCH (gLite)
– Australia: MAMS

Other Shib+Grid Projects: we want to support all use cases (diagram; labels recovered below)
– ShibGrid: production quality, no VO support; computation focus; possible production service
– SHEBANGS: Shib+Grid research with VO support; computation focus
– VPMan: VO-based resource access control
– GEMS: Grid-enabling the MIMAS data set
– NGS: appears twice on the diagram, as “No VO-based access control” and as “Full VO/VOMS support”
– SARoNGS: universal solution with VO, compute and data support; full production service for NGS and MIMAS, etc.

Just starting: SARoNGS
– Will provide a standard production bridge for all UK academics from the UK Federation into the Grid world
– Integrated access to compute and data resources
– Will provide a much simpler model for integrating resources
– Will combine expertise from ShibGrid, SHEBANGS and MIMAS

The SARoNGS CTS (Credential Translation Service), NGS default (diagram; labels recovered below)
– Components: Shibboleth Service Provider, Shib-enabled MyProxy CA, VOMS Server, NGS MyProxy Server
– Human interface: Portal logon → redirect user’s browser to the Shibboleth Service Provider → request certificate from the Shib-enabled MyProxy CA → add VOMS AC (request authorisation certificate from the VOMS Server, by DN) → store proxy in the NGS MyProxy Server → user is given a MyProxy username/password
– Machine interface: requests from tools → retrieve credential from the NGS MyProxy Server using the MyProxy username/password
– Registration forms: Via to VO manager

The SARoNGS CTS (VO-based), with PERMIS Access Control (diagram; labels recovered below)
– Components: Shibboleth Service Provider, Shib-enabled MyProxy CA, NGS MyProxy Server, PERMIS Access Control driven by a PERMIS Policy (the diagram shows no separate VOMS server)
– Human interface: Portal logon → redirect user’s browser to the Shibboleth Service Provider → request certificate from the Shib-enabled MyProxy CA → PERMIS Access Control evaluates the PERMIS Policy and generates the VOMS AC → store proxy in the NGS MyProxy Server → user is given a MyProxy username/password
– Machine interface: requests from tools → retrieve credential from the NGS MyProxy Server using the MyProxy username/password
– Registration forms (optional)
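The policy step in the VO-based CTS, as an added example that is not SARoNGS, PERMIS or VOMS code: given the attributes the Shibboleth SP passed on, decide which VOMS roles the user gets (and whether the institution is one the registration service supports, as the Other Components slide requires). The rule table is a hypothetical stand-in for a PERMIS policy, and the scopes, entitlement URIs, VO name and sample users are all invented for the example. The result is a list of VOMS fully qualified attribute names (FQANs), which is what the generated VOMS attribute certificate would carry.

```python
# Added example (not SARoNGS, PERMIS or VOMS code): map federated attributes
# to VOMS FQANs ("/vo/group/Role=r") under a hypothetical policy.

# Hypothetical federation scopes the NGS registration service supports.
SUPPORTED_SCOPES = {"ox.ac.uk", "manchester.ac.uk"}

# Hypothetical policy. Order matters: VOMS treats the first FQAN as the
# primary one, and gLite sites typically use the primary FQAN when mapping
# the user to a local account.
POLICY = [
    {"fqan": "/ngs.example/Role=user",
     "affiliation": {"member", "staff", "student"}, "entitlement": None},
    {"fqan": "/ngs.example/mimas/Role=reader",
     "affiliation": {"member", "staff", "student"},
     "entitlement": "urn:mace:ac.uk:example:mimas-reader"},
    {"fqan": "/ngs.example/Role=VO-Admin",
     "affiliation": {"staff"},
     "entitlement": "urn:mace:ac.uk:example:ngs-admin"},
]


class NotAuthorised(Exception):
    pass


def scoped_values(attrs, name, scope):
    """Unscoped parts of a scoped attribute's values (e.g. "staff@ox.ac.uk")
    whose scope equals `scope`. Values for any other scope are dropped: the
    user's IdP is authoritative only for its own scope."""
    out = set()
    for value in attrs.get(name, []):
        if "@" in value:
            unscoped, value_scope = value.rsplit("@", 1)
            if value_scope == scope:
                out.add(unscoped)
    return out


def voms_fqans(attrs, policy=POLICY, supported_scopes=SUPPORTED_SCOPES):
    """Evaluate the policy and return the FQANs for the VOMS AC, or raise."""
    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1 or "@" not in eppn[0]:
        raise NotAuthorised("need exactly one scoped eduPersonPrincipalName")
    scope = eppn[0].rsplit("@", 1)[1]
    if scope not in supported_scopes:
        raise NotAuthorised(f"institution {scope} is not supported")
    affiliations = scoped_values(attrs, "eduPersonScopedAffiliation", scope)
    entitlements = set(attrs.get("eduPersonEntitlement", []))
    fqans = []
    for rule in policy:
        if not affiliations & rule["affiliation"]:
            continue
        if rule["entitlement"] and rule["entitlement"] not in entitlements:
            continue
        fqans.append(rule["fqan"])
    if not fqans:
        raise NotAuthorised("no VO role for this user; refer to the VO manager")
    return fqans


def try_authorise(attrs):
    """Non-raising form: (fqans, None) on success, (None, reason) on refusal."""
    try:
        return voms_fqans(attrs), None
    except NotAuthorised as e:
        return None, str(e)


# Constructed sample attribute sets, as the SP would hand them to the CTS.
ALICE = {
    "eduPersonPrincipalName": ["alice@ox.ac.uk"],
    "eduPersonScopedAffiliation": ["member@ox.ac.uk", "staff@ox.ac.uk"],
    "eduPersonEntitlement": ["urn:mace:ac.uk:example:mimas-reader"],
}
# Home institution outside the supported set: refused before any role check.
OUTSIDER = {
    "eduPersonPrincipalName": ["carol@example.com"],
    "eduPersonScopedAffiliation": ["member@example.com"],
}
# Affiliation asserted for a scope the user's IdP does not own: ignored,
# so the user ends up with no role at all.
MISMATCHED = {
    "eduPersonPrincipalName": ["mallory@manchester.ac.uk"],
    "eduPersonScopedAffiliation": ["staff@ox.ac.uk"],
    "eduPersonEntitlement": ["urn:mace:ac.uk:example:ngs-admin"],
}

if __name__ == "__main__":
    for who, attrs in (("alice", ALICE), ("carol", OUTSIDER), ("mallory", MISMATCHED)):
        print(who, try_authorise(attrs))
```

In a real deployment the scope check in `scoped_values` is usually done earlier, by the SP's attribute filter against federation metadata; repeating it in the CTS costs nothing and protects against a misconfigured SP handing over attributes for scopes the IdP is not entitled to assert.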

Conclusions
– There has been much research, but this must now be brought together to form a core production service
– We are working towards fully integrating the Grid with the national access management federation:
  – Compute (initially NGS)
  – Data (initially MIMAS)

Questions

More than just portal access…
– Registration service
  – Data Protection Act / Acceptable Use Policy
  – Check the user’s institution is supported
  – Check the user has the correct configuration
  – Link to NGS user registration
– Grid proxy download tool, for non-portal Grid access methods
– Grid proxy upload tool

Architectural Design
– Don’t change the user
  – Prevent extra logical steps: portal first
  – Easy to deploy in project portals
  – Support other access methods
– Don’t change other services
  – Work within the Shibboleth and GSI frameworks

Requirements highlights
– User/Project
  – Transparent access to e-Science facilities, consistent with other SSO-enabled components
  – Access to components at home or away (even from an Internet café)
  – Fit in with local authentication schemes
  – Don’t want to know about certificates
  – Want to use their own project portal
– NGS
  – Must be compatible with GT2 (Globus Toolkit 2) and the registration system; VOMS in the future

ShibGrid MyProxy Checks
– IdP (trusted): authentication/authorisation
  – Standard Shibboleth
– Portal (not trusted):
  – Standard MyProxy checks
  – Plus: check that the attribute assertion was created for the portal (its audience is the portal’s SP), so an assertion obtained for some other service cannot be replayed to obtain a credential
– Users:
  – Authentication: at the IdP
  – Authorisation: is the user registered? Does the username attribute match the username used?
  – Attributes are used to construct low-assurance certificate DNs
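The checks on this slide and the registration check from the Other Components slide, worked through as an added example that is not ShibGrid code: a Shibboleth-enabled MyProxy CA receives the SAML 2.0 assertion the portal obtained, confirms it came from a trusted IdP, is within its validity window and was issued for the portal (audience), confirms the eduPersonPrincipalName matches the MyProxy username being used and is registered, and only then builds a low-assurance DN from the attributes. The SP is assumed to have verified the assertion's XML signature already; the entity IDs, registered-user list, timestamps, sample assertion and DN format are all invented for the example.

```python
# Added example (not ShibGrid code): assertion checks a Shib-enabled MyProxy
# CA can run before issuing a credential, plus a hypothetical low-assurance DN.
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

PORTAL_ENTITY_ID = "https://portal.example.ac.uk/shibboleth"   # hypothetical SP
TRUSTED_IDPS = {"https://idp.ox.ac.uk/idp/shibboleth"}         # hypothetical federation IdPs
REGISTERED_USERS = {"alice@ox.ac.uk", "bob@manchester.ac.uk"}  # hypothetical NGS registrations
SAMPLE_NOW = datetime(2008, 9, 1, 9, 2, 0, tzinfo=timezone.utc)

# Constructed sample assertion (unsigned; signature checking is the SP's job).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2008-09-01T09:00:00Z">
  <saml:Issuer>https://idp.ox.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2008-09-01T09:00:00Z" NotOnOrAfter="2008-09-01T09:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{PORTAL_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute FriendlyName="eduPersonPrincipalName" Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>alice@ox.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="displayName" Name="urn:oid:2.16.840.1.113730.3.1.241">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class AssertionRejected(Exception):
    pass


def _saml_time(s):
    """SAML dateTime values are UTC, e.g. 2008-09-01T09:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def attributes_of(root):
    """{FriendlyName-or-Name: [values]} from the AttributeStatement."""
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = a.get("FriendlyName") or a.get("Name")
        attrs[key] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def check_assertion(assertion_xml, portal_entity_id, requested_username,
                    registered_users, trusted_idps, now):
    """Return the attributes if every check passes, else raise AssertionRejected."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("not a SAML 2.0 Assertion")
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in trusted_idps:
        raise AssertionRejected(f"issuer is not a trusted IdP: {issuer}")
    conds = root.find("saml:Conditions", NS)
    if conds is None:
        raise AssertionRejected("no Conditions element")
    not_before, not_on_or_after = conds.get("NotBefore"), conds.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        raise AssertionRejected("assertion not yet valid")
    if not_on_or_after is None or now >= _saml_time(not_on_or_after):
        raise AssertionRejected("assertion expired or has no NotOnOrAfter")
    audiences = [(a.text or "").strip()
                 for a in conds.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if portal_entity_id not in audiences:   # the slide's "created for the portal" check
        raise AssertionRejected("assertion was not created for this portal")
    attrs = attributes_of(root)
    eppn = attrs.get("eduPersonPrincipalName", [])
    if len(eppn) != 1:
        raise AssertionRejected("expected exactly one eduPersonPrincipalName")
    if eppn[0] != requested_username:
        raise AssertionRejected("username attribute differs from the MyProxy username used")
    if eppn[0] not in registered_users:
        raise AssertionRejected("user is not registered with the NGS")
    return attrs


def rejection_reason(*args, **kwargs):
    """Non-raising wrapper: None when the assertion passes, else the reason."""
    try:
        check_assertion(*args, **kwargs)
        return None
    except AssertionRejected as e:
        return str(e)


def low_assurance_dn(attrs):
    """Hypothetical DN format. A short hash of the eduPersonPrincipalName keeps
    two users with the same display name at one institution apart."""
    eppn = attrs["eduPersonPrincipalName"][0]
    scope = eppn.rsplit("@", 1)[1]
    name = attrs.get("displayName", [eppn.split("@", 1)[0]])[0]
    suffix = hashlib.sha256(eppn.encode()).hexdigest()[:8]
    return f"/DC=uk/DC=ac/O=example-shibgrid-ca/OU={scope}/CN={name} {suffix}"


def demo():
    attrs = check_assertion(SAMPLE_ASSERTION, PORTAL_ENTITY_ID, "alice@ox.ac.uk",
                            REGISTERED_USERS, TRUSTED_IDPS, SAMPLE_NOW)
    return attrs, low_assurance_dn(attrs)
```

The audience check is the one that makes the untrusted portal tolerable: without it a compromised portal could present an assertion the user had obtained for any other SP in the federation and still get a Grid credential in that user's name.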