Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Presentation transcript:

1 Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management

2 The Problem
Integrated Access (Authentication)
Identity management
Implemented locally…
…integrate with future national efforts…
…and international

3 What’s in SSO?
Identity mgmt, User mgmt
Credential conversions
  – Certificates, AD/K5
  – Protection of credentials
Thin clients vs thick clients
Passwords and -phrases
  – Single password to all resources

4 What’s in SSO?
Portals MyProxy VOMS Java gsissh terminal SDSC SRB SRM Tapestore Active Directory Kerberos
Challenge: get distinct components to talk together

5 Authentication – web based
If on-site, use federal id (Active Directory/Kerberos)
If off-site, use certificate
  – if loaded into browser
Otherwise username/password
  – Same as fed username/password
  – Not allowed to store password…
System must know these are the same

6 Web (HTTPS) based SSO
Easier to implement servers
  – Apache can do Everything™
  – Not trivial to integrate with existing Java portals
  – Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
Lots of HTTP tools that understand security
Future proof, when UK goes to Shibboleth

7 Client Side – from outside CCLRC
[Diagram labels: PORTAL, VOMS, THE GRID, Certificate, SRB]
(old slide)

8 Client Side – from within CCLRC
[Diagram labels: PORTAL, MyProxy, VOMS, Microsoft Active Directory, THE GRID, SRB]
(old slide)

9 SRB
SRB provides SSO
But ∫ with everybody else’s…
S commands can be used with GSI and with username/password
inQ doesn’t understand certificates
[Diagram labels: THE GRID, SRB, THE BEAM]

10 MyProxy
MyProxy essential to SSO to Grid
  – Because Grid requires X.509 certs
Call out to site authentication
  – For username/password maintenance
Investigating new MyProxy+PAM

11 Status – Users
Need certificates for Grid work
Once every year, obtain/renew cert
  – Usability of CA improved with upgrade
  – Will resurrect applets
Once every week, renew proxy
  – Upload tool in Java, another in python
Once every day
  – Log in to Windows (or Linux kinit)

12 Status – software
Prototype portal (python)
  – Thin clients (web browser)
  – Fetches proxy from myproxy
  – AD/K5 works with IE and certain Linux browsers
Components for thick clients
  – Fetches proxy locally from MyProxy

13 [Diagram labels: Microsoft Active Directory, Authorisation, Corporate Data Repository, LDAP, VOMS, MyProxy, Gridmap file]

14 Combining Grid Authorisation
[Diagram labels: LDAP, LDAP, LDAP, CCLRC, NGS, LCG, Grid AUZ]

15 Future work
VOMS
Extending collaboration
  – Related Shib work with Oxford
Grid access for non-certificate users
DLS & IB very interested (+BDWorld?)
Ponder credential conversions/protection
  – Work on-going between CAs in IGTF

16 Summary
Prototype SSO access to Grid
Existing implementations, added glue
Loads of other minor things that need doing
Integrating with other SSO efforts
Facilities’ user offices maintain ids
More authorisation work req’d

