https://aarc-project.eu - Authentication and Authorisation for Research and Collaboration, Hannah Short (CERN), DI4R

Presentation transcript:

Slide 1: Authentication and Authorisation for Research and Collaboration
https://aarc-project.eu
Enabling Federated Login to WLCG
Hannah Short (CERN), DI4R, 28 September 2016
Presented by David Groep, AARC Policy and Best Practice Coordination

Slide 2: Agenda
- What is Federated Access?
- Why should WLCG adopt it?
- What does WLCG need from Federated Access?
- Example Services
- How can I implement this?

Slide 3: Agenda (repeat of slide 2)

Slide 4: What is Federated Access?
- The ability to log in to a service using an identity managed by a separate organisation
- eduGAIN 'is' the international group of services and identity providers using Federated Login
- Has become common practice within Research and Education for access to web-based services

Slide 5: Authentication and Authorisation at WLCG
- "To use WLCG you must possess a personal digital certificate from a Certification Authority (CA) recognised by WLCG" [1]
- End users own and manage these certificates: certificate renewal, Grid Proxy Certificate generation
- Users then enroll in 'VOMS' using this certificate
- VOMS defines roles and groups for additional authorisation, expressed as attribute certificates embedded in 'RFC3820' proxy certificates
Maybe it's time for a different approach?
[1] http://wlcg.web.cern.ch/getting-started/certificates

Slide 6: Agenda (repeat of slide 2)

Slide 7: Why should WLCG adopt Federated Access?
Mobility
- Coupling credentials with devices is not necessarily valid for highly mobile researchers
- Burden on users for each new device
Usability
- Certificate management is not in the skillset of early career researchers; one learning curve we can remove
- Users expect the "GAFA" experience: Single-Sign-On across tools
Security
- Certificates are powerful when in the wrong hands
- Private keys leaked by users
- Certificates left on shared devices

Slide 8: Agenda (repeat of slide 2)

Slide 9: What does WLCG need from Federated Access?
1. Trustworthy eduGAIN users
2. Web and Command Line access
3. VOMS Authorisation

Slide 10: 1. Trusting eduGAIN Users
How can eduGAIN assertions be as trustworthy as x.509 certificates?
- Restrict eduGAIN to trusted partners: Sirtfi, Research & Scholarship
- Restrict access to known users: the eduGAIN token is transformed into x.509 ONLY if the user is registered in VOMS (we'll come back to this later...)

Slide 11: 1. Sirtfi (https://refeds.org/sirtfi)
A flag for organisations that:
- Have a good baseline in operational security
- Provide a security contact point for emergencies
- Are able and willing to participate in incident response
These are organisations we want to work with!

Slide 12: 2. Research & Scholarship (https://refeds.org/category/research-and-scholarship)
A flag for organisations that:
- Serve the Research & Education community
- Agree to release the attributes: Name, Email, Unique Identifier
CERN SSO requires this set of attributes, so users from these organisations should be able to log in without a problem.

Slide 13: 2. Web and Command Line Access
- The primary use case for SAML (the protocol used for Federated Login) is Web-Based Authentication, whereas our users spend their life on the command line
- Several Command Line solutions exist (ECP, CiLogon, Moonshot) but they either require configuration at home organisations (takes time and resources), or are not yet available for Europe
- At CERN, a prototype service, Educert, is available for generating GridProxy certificates for download

Slide 14: 2. Web and Command Line Access (no transcript text)

Slide 15: 2. Web and Command Line Access (no transcript text)

Slide 16: 3. VOMS Integration
Hang on - I need to have a certificate to register in VOMS in the first place! How is this going to work?

Slide 17: 3. VOMS Registration, in the WLCG and CERN HR context (no transcript text)

Slide 18: 3. VOMS Registration (no transcript text)

Slide 19: Agenda (repeat of slide 2)

Slide 20: Example Services, ATLAS PanDA (Bigpanda) (in progress)
What is it?
- Jobs monitoring service for ATLAS
- Contacts additional services that require certificates
Why enable federated access?
- Security: logs are open to a wide audience and should be controlled by user certificates
- Finer granularity of user control is possible with SSO: e-groups, user groups etc.

Slide 21: Example Service, WebFTS (pilot)
What is it? https://webfts.cern.ch
- Web based tool to transfer files between grid/cloud storages
- Modular protocol support: gsiftp, http(s), xrootd and srm
- Cloud extensions: dropbox, CERNBox
- Initial development funded by EUDAT
Why enable Federated Access?
- X509 delegation is needed to let WebFTS access the grid on the user's behalf
- We are trying to replace user certificate delegation with transparent access via Identity Federation
Credit to Andrea Manzi (CERN) and Andrey Kiryanov (CERN): https://indico.cern.ch/event/358127/contributions/848191/subcontributions/65475/attachments/713135/979052/WebFTS_FIM_pilot.pdf

Slide 22: Agenda (repeat of slide 2)

Slide 23: How can I implement this? The CERN WLCG prototype
(Diagram: Web service, CERN SSO IdP, VOMS, STS, IOTA CA and the WLCG Grid, with credentials and attributes flowing via web redirect, SAML and X.509)
Also please see https://aarc-project.eu/aarc-draft-blueprint-architecture-available-for-comments/

Slide 24: Components
CERN SSO
- A "Single Sign On" (SSO) endpoint is required to configure your service as a CERN Service Provider. Shibboleth or Mellon are the recommended technologies to use and are supported by CERN IT.
- A user's SAML Assertion can be exported from the local SSO Service and sent to STS for transformation to an x.509 certificate.
STS
- The "Security Token Service" (STS) takes SAML tokens, or username and password pairs, and transforms them into x.509 certificates.
- STS uses the IOTA CA to generate short-lived certificates for users registered with their WLCG Virtual Organisation (VO) in VOMS.
IOTA CA
- The "Identifier Only Trust Assurance" (IOTA) Certificate Authority (CA) issues short-lived x.509 certificates to STS clients.
- Certificates will only be issued to users from Virtual Organisations (VOs) that employ strong identity vetting, such as WLCG VOs.

Slide 25: Pre-requisites
Stand-alone web service
- Apache web service
- Must be able to install the SAML2.0 SP locally, not on a load balancer, as the tokens issued must be specific to the host
- Not centrally hosted!
Appropriate Users
- Users must belong to a VO with strong identity vetting, i.e. WLCG
- The IOTA CA will only issue certificates to these users!

Slide 26: How can I implement this?
1. Enable SSO
2. Create an STS instance
3. Authorise users with VOMS
The following slides are a summary. Full documentation is available at: https://espace.cern.ch/authentication/CERN%20Authentication/WLCG%20Federated%20Access.aspx

Slide 27: Enable SSO
- Your Web Service must be enabled as a SAML2 Service Provider
- Supported technologies at CERN are:
  Mellon: https://espace.cern.ch/authentication/CERN%20Authentication/Configure%20a%20Mod_MellonA%20Application.aspx
  Shibboleth: https://espace.cern.ch/authentication/CERN%20Authentication/Configure%20a%20Shibboleth%20Application.aspx
- Register your service with CERN SSO
- You will be connected to eduGAIN via the CERN SSO IdP/SP Proxy

Slide 28: Create an STS instance
- To make installation simple, STS is available as a puppet module at https://gitlab.cern.ch/ai/it-puppet-module-sts
- STS Virtual Machines should be created in the Puppet hostgroup federatedidentity/sts, which includes all additional modules and packages required for easy installation
- Configure your STS service with Puppet (example below)

    sts::config::entity_id: https://educert.cern.ch/
    sts::config::consumer_service_url: https://educert.cern.ch/Shibboleth.sso/SAML2/POST
    sts::config::voms_base_url: https://ftsvoms01.cern.ch:8443/voms/bitface
    sts::config::vo_name: /bitface
    sts::config::vomses_file: /etc/vomses/bitface-ftsvoms01.cern.ch
    sts::config::match_attribute_name: eduGAINID
    sts::config::incoming_attribute_id: http://schemas.xmlsoap.org/claims/CommonName

(The last two keys are the attribute matching we'll move on to in a second!)

Slide 29: Authorise users with VOMS
- User data is contained in the incoming SAML assertion; at CERN we use CommonName to identify users
(Diagram: IdP -> CERN SSO -> Web Service; the example user hannah.short08@gmail.com arrives with CommonName f72ba133e9413837dea1)

Slide 30: Authorise users with VOMS
- VOMS attributes can be configured for each user. Here we have set up an eduGAINID attribute for the user that matches the incoming CommonName.
(Diagram: IdP -> CERN SSO -> Web Service -> STS -> VOMS; the VOMS record carries eduGAINID f72ba133e9413837dea1)

Slide 31: Authorise users with VOMS
- Depending on your VO, you may be able to use VOMS Authorisation already!
- For some VOs, nickname contains the CERN ID of the user, e.g. jsmith
- Currently all users have CERN IDs, since they all have CERN accounts
- We are working on how to make this work smoothly for future users without a CERN account
(Diagram: SAML Assertion for hannah.short08@gmail.com carrying CERN ID jsmith, matched against the VOMS Record with nickname jsmith)
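The matching step that slides 28 to 31 describe, as an added example that is not the CERN STS code: it pulls the attribute named by incoming_attribute_id out of a SAML assertion and accepts the user only when exactly one VOMS member of the configured VO carries that value under match_attribute_name. The assertion, the VOMS records and the DNs are constructed sample data; the real STS reads VOMS over HTTPS and then asks the IOTA CA for the certificate.

```python
# Added example (not the STS project's own code) of the STS matching step.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mirrors three of the puppet keys shown on slide 28.
STS_CONFIG = {
    "vo_name": "/bitface",
    "match_attribute_name": "eduGAINID",
    "incoming_attribute_id": "http://schemas.xmlsoap.org/claims/CommonName",
}

# Constructed VOMS-style records: per-user generic attributes as on slide 30.
VOMS_USERS = [
    {"vo": "/bitface", "dn": "/DC=org/DC=example/CN=Hannah Short",
     "attributes": {"eduGAINID": "f72ba133e9413837dea1"}},
    {"vo": "/bitface", "dn": "/DC=org/DC=example/CN=J Smith",
     "attributes": {"nickname": "jsmith"}},
]

# Constructed SAML assertion carrying the CommonName claim from slide 29.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/EmailAddress">
      <saml:AttributeValue>hannah.short08@gmail.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/CommonName">
      <saml:AttributeValue>f72ba133e9413837dea1</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def incoming_attribute(assertion_xml, attribute_id):
    """Return the single value of the named attribute; None if absent or multi-valued."""
    root = ET.fromstring(assertion_xml)
    values = [v.text.strip() for a in root.iterfind(".//saml:Attribute", NS)
              if a.get("Name") == attribute_id
              for v in a.iterfind("saml:AttributeValue", NS) if v.text]
    return values[0] if len(values) == 1 else None


def lookup_voms_user(assertion_xml, config=STS_CONFIG, users=VOMS_USERS):
    """Slide 30's check: the incoming value must equal exactly one VOMS member's
    match attribute inside the configured VO; otherwise return None (no cert)."""
    value = incoming_attribute(assertion_xml, config["incoming_attribute_id"])
    if not value:
        return None
    matches = [u for u in users if u["vo"] == config["vo_name"]
               and u["attributes"].get(config["match_attribute_name"]) == value]
    return matches[0]["dn"] if len(matches) == 1 else None
```

Swapping match_attribute_name to nickname reproduces the slide 31 variant, where the CERN ID in the assertion is matched against the VOMS nickname.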

Slide 32: Agenda (repeat of slide 2)

Slide 33: Conclusions
- eduGAIN provides a pool of users from which we can select those we trust via Sirtfi
- Command line solutions are around the corner and a prototype service, Educert, is a viable lightweight option
- VOMS registration without user certificates is the next milestone, but deployment can begin in parallel
Visit https://espace.cern.ch/authentication/CERN%20Authentication/WLCG%20Federated%20Access.aspx

Slide 34: Thank you. Any Questions?
© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union's Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC).
https://aarc-project.eu
hannah.short@cern.ch, davidg@nikhef.nl

