EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
SWITCHaai Team Federated Identity Management.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Extending user controlled security domain.
INFSO-RI Enabling Grids for E-sciencE The US Federation Miron Livny Computer Sciences Department University of Wisconsin – Madison.
INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
A DΙgital Library Infrastructure on Grid EΝabled Technology ETICS Usage in DILIGENT Pedro Andrade
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
2006 © SWITCH Grid Activities at SWITCH Christoph Witzig EGEE - 06 Geneva Sep 28, 2006.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.
Social Identity Working Group Steve Carmody. Agenda Intro to Using Social Accounts Status and Recent News –Current UT Pilot –Current InCommon Pilot with.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Shibboleth: An Introduction
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE Gergely Sipos
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.
2005 © SWITCH Interoperability Shibboleth and gLite in EGEE-2 MWSG Amsterdam Dec 15, 2005 Christoph Witzig SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS SAML Vincenzo Ciaschini MWSG Zurich,
Shibboleth Update Eleventh Federal & Higher Education PKI Coordination Meeting (Fed/Ed Thursday, June 16, 2005.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MSG - A messaging system for efficient and.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
INFSO-RI Enabling Grids for E-sciencE - II VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks gLite configuration (plans) Robert Harakaly.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
2007© SWITCH SWITCHslcs the new AAI-based short-lived credential service for Grid users C.Witzig Swiss Grid Day, Berne, May 7, 2007.
CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.
INFSO-RI Enabling Grids for E-sciencE JRA3 Åke Edlund On behalf of JRA3 EGEE 8th All-activity meeting January 18-19,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
GN2 JRA5 Roaming and Authorisation Jürgen Rauschenbach, DFN-Verein
NSF Middleware Initiative: GridShib
Presentation transcript:

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph Witzig, SWITCH (P.Flury, T.Lenggenhager, V.Tschopp) EGEE-06, Sep 27, 2006

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Outline Introduction: –SWITCH –Shibboleth SWITCHaai: The Swiss Shibboleth-based Federation Interoperability Shibboleth-gLite Current Status

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, SWITCH is the Swiss NREN (new partner in EGEE-II) Four strategic areas: –Network –Domain name registration –Netservices –Security  CERT  Middleware AAI (Shibboleth) Mobile PKI Grid

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Shibboleth AAI = Authentication and Authorization Infrastructure Developed by internet2 Web-based single sign on (SSO) –When user accesses a resource  Authentication takes place at an Identity Provider (independent of the resource)  Resource receives Attributes describing the user from the Identity Provider and uses them for the authorization decision SAML: security assertion markup language

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, How does it work?

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, SWITCHaai SWITCH built up and operates now SWITCHaai - a national Shibboleth-based AAI AAI efforts started in 2002, since last summer in production mode Current Status: –Approx. 160’000 (75%) members of the Swiss higher education sector have AAI-enabled accounts –Approx. 10% use SWITCHaai to access about 100 resources on a regular basis

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Shibboleth and grids SWITCH was an early adopter of Shibboleth, but in the meantime Shibboleth federations are being deployed and operated in many countries US, Finland, UK, Australia, Belgium, France as well as others Interest to leverage these (national) campus infrastructures against grids SAML vs X.509 user certificates

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Shibboleth and EGEE-II Focus is on –Interoperability (NO replacement for X.509) –Specific for EGEE-2 infrastructure (VOMS etc) –Integrate, re-use, re-engineer existing code, write new code only as needed Key Concepts: –Home institution of the user should be the Identity Provider –Home institution provides some attributes –But VO is needed for (grid specific) attributes

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Work plan Our plan consists of three phases –Two initial, shorter phases with the goal  Start small and hook up Shibboleth AAI to a gLite grid with minimum amount of changes (in particular no change at the CE)  Build up knowledge and expertise  April 06 --> fall/winter –A third phase  SAML support at the resource end  Design during phase 1 and 2  Implementation in 2007

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Overview Phase 1 and 2

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, SLCS (1) SLCS = short lived credential service Minimum requirements: SLCSX.509 Certificate Certificate is generated based on Identity Management system “traditional” Registration Authority (e.g. passport) Lifetime < 1mio secLifetime < 1 year + 1 month Revocation handling optional Revocation handling

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Phase 1: SLCS (2) Design goals: –Private key is never transferred –Use commercial CA and only standard protocols –Modular design such that other people can use components

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Phase 1: SLCS (3)

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Status Software development is finished, now in testing Nov/Dec: operation in test-bed CP/CPS: –Internal Draft –Will be discussed at next EUGRIDPMA (October) –Accreditation early 2007

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Phase 2: Attribute Exchange with VOMS Goal: Put a subset of Shib attributes into VOMS, such that they automatically appear in the VOMS attribute certificate and can be evaluated at the CE VO specific Shibboleth SP, where an authorized user can log on and approve the release of his attributes to VOMS Two modes can be envisaged: –“automatic”: once enabled, the attributes are sync-ed in regular time intervals –“on demand”: user only releases the attributes for a given amount of time and then they are removed from VOMS (unless renewed after reminder) Which attributes are being transferred? –Configurable by SP administrator –Expect small subset of rather general attributes: identity provider, study branch and level, affiliation -> attributes Evaluation by plug-in in LCMAPS

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Q & A

Enabling Grids for E-sciencE EGEE-II INFSO-RI gLiteShib: MWSG Sept 27, Phase 1: SLCS (3)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.