Presentation is loading. Please wait.

Presentation is loading. Please wait.

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific."— Presentation transcript:

1 Federated Identity for Scientific Collaborations: Policy Issues Jim Basney jbasney@ncsa.uiuc.edu 2 nd Workshop on Federated Identity Systems for Scientific Collaborations STFC at Rutherford Appleton Laboratory in the UK 2-3 November 2011

2 About Me Project staff for: – Open Science Grid (www.opensciencegrid.org) – XSEDE (www.xsede.org) (TeraGrid follow-on) Member: – InCommon Technical Advisory Committee (www.incommon.org/about) – TAGPMA (www.tagpma.org) Project lead for: – CILogon (www.cilogon.org) – MyProxy (myproxy.ncsa.uiuc.edu) – GSI-OpenSSH (grid.ncsa.uiuc.edu/ssh) – www.sciencegatewaysecurity.org

3 What is my definition of a community? Simply: A group of scientists working together, using common cyberinfrastructure Examples: – Virtual Organization in Open Science Grid – Science Gateway in XSEDE – Project in XSEDE – Research and Scholarship community in InCommon – CILogon user community: Ocean Observatories Initiative users DataONE users

4 What must a community do to be recognized? Register a new Virtual Organization with OSG (http://www.opensciencegrid.org/About/Getting_Started_wit h_OSG/Form_New_VO) Apply for an XSEDE Project allocation (https://www.xsede.org/allocations) Register an XSEDE Science Gateway (https://www.xsede.org/register-gateway) Register as an InCommon R&S Service Provider (https://spaces.internet2.edu/x/-IKVAQ) Request a custom CILogon instance (help@cilogon.org)

5 Federated ID Use Cases 1.Federating project-managed identities (example: LIGO/Virgo) 2.Linking project-managed identities with external identities – SAML + OpenID + … – International inter-federation 3.Integration across browser and non-browser (thick client, command-line, etc.) apps 4.Multi-tier apps: portals, glide-ins, pilot jobs

6 Lessons Learned InCommon today supports browser SSO – SAML->X.509 bridges are common for non-web apps (CILogon, TERENA Certificate Service, etc.) – SAML ECP adopted by ~5 InCommon IdPs so far (http://www.cilogon.org/ecp) Attribute release is a major challenge today for SPs that want to support many IdPs Google OpenID is a popular “catch-all” IdP – US ICAM LOA 1 certified (http://openidentityexchange.org/certified-providers)

7 Overhead of On-boarding User may need to approve attribute release User may need to provide additional information during a service-specific registration process IdP must scale to many SPs – Attribute release policy using federation managed SP “tags” – Federation metadata for UI elements, public keys, etc. SP must scale to many IdPs – Apply to federation(s), not individual IdPs – Leverage federation metadata as with idP User should not need to email IdP and SP administrators to make this work! What do you consider to be an acceptable administrative overhead for a user to connect to a service WRT the actions that the user and actions that the IdP and SP administration have to perform?

8 Attribute Release Policies Per-Project / Per-SP doesn’t scale Alternatives: – Release defined attribute bundles (targetedID, “directory attributes”), with user consent, to projects/SPs approved (“tagged”) by federation – Handle attribute release problems at SP Automated request to IdP for attribute release Don’t leave user stranded – redirect to “catch-all” IdPs

9 Can IdPs serve many concurrent and distinct projects? Yes! Motivation – Expensive and inconvenient for every project to operate its own IdP(s) – Better to leverage cost of IdP operations across multiple projects How: General-purpose IdPs – Examples: University IdPs, IGTF CAs, Google OpenID, ProtectNetwork, Globus Online – Projects still need to manage their own attributes

10 Are there any efforts to bring harmonization of identity attributes across federations? Yes! MACE-Dir (http://middleware.internet2.edu/dir/) REFEDS (http://www.terena.org/refeds)

11 References A Roadmap for Using NSF CyberInfrastructure with InCommon (http://www.incommon.org/nsfroadmap) An Analysis of the Benefits and Risks to LIGO When Participating in Identity Federations (http://www.google.com/search?q=LIGOIdentityFe derationRiskAnalysis.pdf) Federated Security Incident Response (https://spaces.internet2.edu/x/8o6KAQ)

12 Thanks! Questions/Comments? Contact: jbasney@ncsa.uiuc.edu

Download ppt "Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific."

Similar presentations

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
July 18, 2012 XSEDE12 Panel: Security for Science Gateways and Campus Bridging Jim Basney, Randy Butler, Dan Fraser, Suresh Marru, and Craig Stewart go.illinois.edu/xsede12secpanel.

July 18, 2012 XSEDE12 Panel: Security for Science Gateways and Campus Bridging Jim Basney, Randy Butler, Dan Fraser, Suresh Marru, and Craig Stewart go.illinois.edu/xsede12secpanel.
Interfederation subgroup of InCommon Technical Advisory Committee (TAC) spaces.internet2.edu/display/incinterfed.

Interfederation subgroup of InCommon Technical Advisory Committee (TAC) spaces.internet2.edu/display/incinterfed.
Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.

Federated Identity Management for Research Communities (FIM4R) David Kelsey (STFC-RAL) EGI TF, AAI workshop 19 Sep 2012.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.

Agenda Project beginnings and funding. Purpose of the federation. Federation members. Federation protocols. Special features in our federation. Pilot.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign InCommon and TeraGrid Campus Champions Jim Basney

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign InCommon and TeraGrid Campus Champions Jim Basney
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.

Presenter’s Name InCommon Approximately 80 members and growing steadily More than two million “users” Most of the major research institutions (MIT joining.
FIM-ig Federated Identity Management Interest Group.

FIM-ig Federated Identity Management Interest Group.
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
InCommon Forum Fall 2012 Internet2 Member Meeting Wednesday, October 3, 2012 1.

InCommon Forum Fall 2012 Internet2 Member Meeting Wednesday, October 3,
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
CILogon and InCommon: Technical Update Jim Basney This material is based upon work supported by the National Science Foundation under grant numbers 0943633.

CILogon and InCommon: Technical Update Jim Basney This material is based upon work supported by the National Science Foundation under grant numbers

Similar presentations

Ads by Google