Presentation is loading. Please wait.

Presentation is loading. Please wait.

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Published byStanley Walters Modified over 8 years ago

Similar presentations

Presentation on theme: "Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor"— Presentation transcript:

1 Distributed Web Security for Science Gateways Jim Basney jbasney@illinois.edu In collaboration with: Rion Dooley dooley@tacc.utexas.edu Jeff Gaynor gaynor@illinois.edu Suresh Marru smarru@indiana.edu Marlon Pierce marpierc@indiana.edu This material is based upon work supported by the National Science Foundation under grant number 1127210.

2 Distributed Web Security for Science Gateways Software Development for Cyberinfrastructure grant from the NSF Office of CyberInfrastructure (www.nsf.gov/oci) 3 year project: August 2011 – July 2014 Goal: Support use of OAuth by science gateways for distributed authentication, delegation, and authorization Develop OAuth “profiles” for science gateway use cases Getting certificates from MyProxy servers Both individual and “community” credentials Delegating certificates between gateway components Delegated access to REST services Integration with external authentication (LDAP, Kerberos, SAML, OpenID) Credential refresh Web Single Sign-On (OpenID Connect) www.sciencegatewaysecurity.org

3 Defining Terms Authentication: Who are you? customer #83461234987 name: Jim Basney email: jbasney@illinois.edu Authorization: What are you allowed to do? Access private information Charge purchases to your credit card Delegated Authorization: Authorizations you grant to others Park your car (valet key) View your private photos on Flickr Collaboratively edit an online Google doc Credential: How security information is conveyed Also known as Assertion or Token www.sciencegatewaysecurity.org

4 Science Gateways: Tiered Access Models www.sciencegatewaysecurity.org user authenticates to science gateway science gateway authenticates to service providers

5 Science Gateways: Tiered Access Models Option A: Transitive Trust Bilateral agreement between science gateway & service provider Bulk allocation of service to the science gateway Service provider may not know who the end users are Users may not know who the underlying service providers are Example: XSEDE Community Account model User attributes in community credential provides user info to SP Option B: Delegation of Rights End user has account at underlying service provider Example: Individual XSEDE account with Globus Online Science Gateway explicitly acts on the user’s behalf when interacting with the underlying service providers Both options are useful (and can be combined) Our recent work is focused on Option B: Delegation of Rights www.sciencegatewaysecurity.org

6 Example: Photo Printing www.sciencegatewaysecurity.org Your flickr Password Photos Your flickr Password

7 Example: Using OAuth www.sciencegatewaysecurity.org Token Authenticate & Grant Access to Photos Toke n PhotosRequest Access to Photos

8 Example: Science Gateway www.sciencegatewaysecurity.org Your Password Access Your Password

9 Delegated Authorization via OAuth www.sciencegatewaysecurity.org Token Authenticate & Grant Access Toke n AccessRequest Access to Supercomputer

10 Delegated Authorization via OAuth www.sciencegatewaysecurity.org Token Authenticate & Grant Access Toke n Data Request Access to iPlant Data

11 OAuth for MyProxy Provides an OAuth 1.0a compliant REST web interface to MyProxy for providing user certificates to science gateways Eliminates the need for users to disclose their MyProxy passwords to science gateways. Instead, gateway users authenticate to their MyProxy server’s OAuth web interface to approve issuance of a certificate by MyProxy to the science gateway they are using. Java client & server implementations available now http://www.sciencegatewaysecurity.org/oauth-for-myproxy XSEDE MyProxy OAuth Server https://portal.xsede.org/oauth/ http://security.ncsa.illinois.edu/teragrid-oauth/ TG11 paper: http://dx.doi.org/10.1145/2016741.2016776 In use today by Globus Online Supports using individual XSEDE accounts via science gateways www.sciencegatewaysecurity.org

12 Old ApproachNew Approach www.sciencegatewaysecurity.org MyProxy Use Case

13 www.sciencegatewaysecurity.org

14

15 Globus Online Example www.sciencegatewaysecurity.org

16

17 Globus Online Example www.sciencegatewaysecurity.org

18

19

20 OOI Example www.sciencegatewaysecurity.org

21

22 OOI Example www.sciencegatewaysecurity.org

23

24 OOI Example www.sciencegatewaysecurity.org

25

26 Starting the Discussion What are science gateways doing today for web security? Using OAuth, OpenID, SAML? Supporting both individual and community accounts? Authenticating to REST services? Sharing data across multiple gateways? What are current/future science gateway security needs? What is your input on our project plans? Getting certificates from MyProxy servers Delegating certificates between gateway components Delegated access to REST services Integration with external authentication (LDAP, Kerberos, SAML, OpenID) OAuth 2.0 update Credential refresh Web Single Sign-On (OpenID Connect) What is your input on the XSEDE architecture? www.sciencegatewaysecurity.org

27 Continuing the Discussion Please join our discuss@sciencegatewaysecurity.org mailing list: Send email to: discuss+subscribe@sciencegatewaysecurity.org Or visit: https://groups.google.com/a/sciencegatewaysecurity.org/group/d iscuss/subscribe www.sciencegatewaysecurity.org

Download ppt "Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor"

Similar presentations

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Contrail and Federated Identity Management

Contrail and Federated Identity Management
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.
WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  

Alcatel Identity Server Alcatel SEL AG. Alcatel Identity Server — 2 All rights reserved © 2004, Alcatel What is an Identity Provider?  
Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.

Finalize RESTful Application Programming Interface (API) Security Recommendations Transport & Security Standards Workgroup January 28, 2014.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

Similar presentations

Ads by Google