Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lousy Introduction into SWITCHaai

Published byJeremiah Neal Modified over 10 years ago

Similar presentations

Presentation on theme: "Lousy Introduction into SWITCHaai"— Presentation transcript:

1 Lousy Introduction into SWITCHaai
Pragma UZH Summit March 17, 2008 Christoph Witzig SWITCH

2 Without AAI Tedious user registration at all resources
University A Tedious user registration at all resources Unreliable and outdated user data at resources Different login processes Many different passwords Many resources not protected due to difficulties Often IP-based authorization Costly implementation of inter-institutional access Student Admin Web Mail e-Learning Library B e-Journals Literature DB University C Research DB The next two slides are a very brief introduction, why the SWITCHaai project was started some years ago. Here we have the situation without AAI. In this picture we have 2 Universities and a Library with each of them having several resources. Here, the user administration and authentication ….. This model has a couple of well known disadvantages …. e-Learning User Administration Authentication Authorization Resource Credentials

3 With AAI University A No user registration and user data maintenance at resource needed Single login process for the users Many new resources available for the users Enlarged user communities for resources Authorization independent of location Efficient implementation of inter-institutional access AAI Student Admin Web Mail e-Learning Library B e-Journals Literature DB University C Research DB This is the world with AAI. Here, the user administration and authentication is very close to the place where the users are known best: e.g. the central student administration of a universitiy. We call the orange boxes the AAI home organizations (in Shibboleth terms they are called Origins). In this situation the disadvantages listed before have disappeared. So, … e-Learning User Administration Authentication Authorization Resource Credentials

4 SWITCHaai Federation Jan 2008
# Home Organizations # AAI enabled accounts # Resources 80% coverage in higher education

5 SWITCHaai Project Timeline
2001 2002 2003 2004 2005 2006 2007 2008 2009 Study Pilot Implemen- tation Production Architecture Evaluation  Shibboleth Shibboleth 1.3 Shibboleth 2.0 AAI Subsidies AAA/SWITCH Nov 1999: Term AAI first time mentioned in a document Nov 2000: AAI Workshop

6 Shibboleth http://shibboleth.internet2.edu/ Open Source
Developed by Internet2 Federated Approach Privacy National deployment projects in the US, UK and Finland, growing interest in other European countries Currenty for web resources only - will be extended Based on SAML Cooperations with Liberty Alliance Cooperations with Content Providers (e-journals)

7 How it works

8 Virtual Home Organization - VHO
Integrate End Users without Identity Provider Resource Owner “AAI-enabled” accounts for users without an Identity Provider A VHO account is only usable for that resource managed by the Resource Owner Federation Member Some end users without Identity Provider Identity Provider Resource Owner End User Admin VHO Policy VHO Service @SWITCH User Dir Identity Providers

9 Organisational Framework
SWITCH acts as SWITCHaai Federation Service Provider Federation membership based on signed service agreements

10 Overview of SLCS and VASH
gLite UI SLCS = Short Lived Credential Service VASH = VOMS attributes from Shibboleth

11 Outlook: SAML Support in Grids

12 Phase 3: SAML Support Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2 Benefits: (Average) User has no certificates anymore Introduce SAML gently beyond phase 1 and 2, gain experience Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation Options open for future Requires: A mean for service to transform a security tokens it has into a security token it needs

13 Security Token Service
WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS) The Security Token Service have a trust relationship with both the client and the service.

14 Multiple Security Domains
A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509) Multiple STS can be used in a trust chain across security domains (delegated trust)

15 Use Cases Grid: Non-browser based Shibboleth applications:
Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…) He needs to obtains security token that the Grid services understand (X.509) Non-browser based Shibboleth applications: User agent contacts Shibboleth IdP with credential (e.g. username, password) User agent receives SAML assertion to be sent to a Shibboleth SP

16 Issue a proxy X.509 User authenticates with his credential to a Shibboleth IdP STS and receives a SAML security token He requests a proxy X.509 from a Grid STS using the SAML token

17 Summary Interoperability Shibboleth - gLite
Phase 1: SLCS Online CA issuing short-lived X.509 certificates based upon authentication at Shibboleth IdP Operative and in production Phase 2: VASH Transfers Shibboleth attributes into VOMS Shib attributes are available to grid resources as part of VOMS AC Software development finished Phase 3: SAML Actual phase: design of a WS-Trust STS for SAML and (proxy) X.509 Grid use-case should be the same as the non-Browser-based use-case Leverage the existing SWITCHaai Shibboleth federation

Download ppt "Lousy Introduction into SWITCHaai"

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee

Authorisation Models for National Scale Services Alan Robiette Joint Information Systems Committee
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Joint Information Systems Committee 01/04/2014 | | Slide 1 Connecting People to Resources The JISC Access Management Strategy Nicole Harris Programme Manager.

Joint Information Systems Committee 01/04/2014 | | Slide 1 Connecting People to Resources The JISC Access Management Strategy Nicole Harris Programme Manager.
PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.

PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.
Joint Information Systems Committee 01/04/2014 | slide 1 Support e-Research at JISC Access Management and Security Joint Information Systems CommitteeSupporting.

Joint Information Systems Committee 01/04/2014 | slide 1 Support e-Research at JISC Access Management and Security Joint Information Systems CommitteeSupporting.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
VO Support and directions in OMII-UK Steven Newhouse, Director.

VO Support and directions in OMII-UK Steven Newhouse, Director.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Introduction to Shibboleth and the IAMSECT Project.

Introduction to Shibboleth and the IAMSECT Project.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
2006 © SWITCH Group Management Tool Lukas Haemmerle

2006 © SWITCH Group Management Tool Lukas Haemmerle

Similar presentations

Ads by Google