Combining the strengths of UMIST and The Victoria University of Manchester: Adapting to Federated Identity, SHEBANGS, Shibboleth Enabled Bridge to Access the National Grid Service

Presentation transcript:

1 Adapting to Federated Identity
SHEBANGS: Shibboleth Enabled Bridge to Access the National Grid Service
http://www.mc.manchester.ac.uk/research/shebangs
Mike Jones
Federated Identity 2/4, OGF19

2 Introduction
SHEBANGS is all about getting a federation of users onto the UK National Grid Service (NGS)
Roadmap for Shibboleth within UK academia via the SDSS Federation
–http://www.sdss.ac.uk/
Requirement for GSI credentials to log in to and use the NGS
Experimental Shibboleth usage for Levels of Assurance (LoA) via the FAME IdP
–http://www.fame-permis.org/

3 Credential Translation
Shibboleth IdP provides a signed assertion to an SP about the identity of a client (plus whistles and bells)
–The NGS takes authentic X.509 / GSI proxies
–The NGS allows usage based upon attributes within the X.509 / GSI proxy
Shibboleth is browser based
–Can't use command lines BUT can use portals (NGS has portals)
SHEBANGS makes a Credential Translation Service (CTS) which is both
–A Shibboleth SP
–A GSI root of trust

4 Notes
Change to root of trust
Not passing assertions through (IdP -> CTS -> Grid)
–(NGS can't handle it yet)
CTS is an on-line entity
–Implications with IGTF CA profiles
How to construct the X.509 certificate?
–Depending upon LoA: choose a CA certificate
–Some kind of DN based upon
  the ID of the CTS (e.g. C=UK, O=ThisCTS)
  the ID of the IdP (e.g. OU=$HTTP_SHIB_IDENTITY_PROVIDER)
  CN ~= eduPersonTargetedID (BUT not all IdPs give us this)
How to do the grid authorisation step?
–We add bespoke VOMS AC credentials
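The slide leaves the certificate construction as a question. The following is an added example, not SHEBANGS or NGS project code, of the translation step it describes: build the subject DN from the CTS identity, the IdP entityID and eduPersonTargetedID, pick the issuing CA by LoA (slides 4 and 5), and handle the case the slide flags, an IdP that does not release eduPersonTargetedID. Everything except HTTP_SHIB_IDENTITY_PROVIDER is an assumption: the other attribute header names, the LoA labels "low"/"medium"/"high", the CA names, and the hashed fallback identifier. Two points a practitioner would want are built in: attribute values the CTS did not mint itself are RFC 4514 escaped so they cannot add RDNs to the subject, and an unknown LoA results in no certificate rather than a default CA.

```python
# Added example for this transcript; not SHEBANGS or NGS project code.
# Turns the attributes a Shibboleth SP exposes into the subject DN of an
# X.509 certificate, selects the issuing CA by Level of Assurance, and
# refuses to issue when the IdP released no usable identifier.
#
# Assumptions (constructed for this example, not taken from the slides):
# - attributes arrive as a dict keyed by SP-style environment variable names;
#   only HTTP_SHIB_IDENTITY_PROVIDER is on the slide, the others stand in for
#   whatever the SP's attribute map is configured to export;
# - LoA values are the labels "low", "medium", "high";
# - the CA subject names are placeholders.
import hashlib

CTS_BASE_RDNS = (("O", "ThisCTS"), ("C", "UK"))  # the slide's example CTS identity

# One issuing CA per LoA (slide 4: "Depending upon LoA: choose a CA certificate").
LOA_TO_CA = {
    "low": "CN=CTS Low Assurance CA,O=ThisCTS,C=UK",
    "medium": "CN=CTS Medium Assurance CA,O=ThisCTS,C=UK",
    "high": "CN=CTS High Assurance CA,O=ThisCTS,C=UK",
}

IDP_ATTR = "HTTP_SHIB_IDENTITY_PROVIDER"   # from the slide
TARGETED_ID_ATTR = "HTTP_SHIB_TARGETED_ID"  # assumed name for eduPersonTargetedID
EPPN_ATTR = "HTTP_SHIB_EP_PRINCIPALNAME"    # assumed name for eduPersonPrincipalName
LOA_ATTR = "HTTP_SHIB_LOA"                  # assumed name for the LoA attribute


class TranslationError(ValueError):
    """The assertion's attributes cannot safely be turned into a certificate."""


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for an RFC 4514 string DN.

    The IdP entityID and the targeted ID are values the CTS did not mint
    itself, so they must not be able to close one RDN and open another
    (a ",OU=..." inside a CN would otherwise land in the subject unchanged).
    """
    escaped = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        escaped = escaped.replace(ch, "\\" + ch)
    if escaped[:1] in ("#", " "):
        escaped = "\\" + escaped
    if escaped.endswith(" ") and not escaped.endswith("\\ "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def derive_cn(attrs: dict, idp: str) -> str:
    """CN ~= eduPersonTargetedID, as on the slide.  When the IdP does not
    release it, fall back to a hash of (IdP, eduPersonPrincipalName) so the
    CN stays opaque and stable; the fallback is this example's assumption."""
    targeted = attrs.get(TARGETED_ID_ATTR, "").strip()
    if targeted:
        return targeted
    eppn = attrs.get(EPPN_ATTR, "").strip()
    if not eppn:
        raise TranslationError("IdP released neither eduPersonTargetedID nor eduPersonPrincipalName")
    return hashlib.sha256(f"{idp}!{eppn}".encode("utf-8")).hexdigest()


def build_subject_dn(attrs: dict) -> str:
    """Subject DN in RFC 4514 order (most specific RDN first):
    CN=<user>,OU=<IdP entityID>,O=ThisCTS,C=UK."""
    idp = attrs.get(IDP_ATTR, "").strip()
    if not idp:
        raise TranslationError("assertion carries no IdP entityID")
    rdns = [("CN", derive_cn(attrs, idp)), ("OU", idp)] + list(CTS_BASE_RDNS)
    return ",".join(f"{k}={escape_rdn_value(v)}" for k, v in rdns)


def select_ca(attrs: dict) -> str:
    """Fail closed: an unknown or missing LoA gets no certificate rather than
    silently falling into the weakest (or strongest) CA."""
    loa = attrs.get(LOA_ATTR, "").strip().lower()
    if loa not in LOA_TO_CA:
        raise TranslationError(f"unknown or missing LoA {loa!r}")
    return LOA_TO_CA[loa]


def translate(attrs: dict) -> dict:
    """The fields a CTS would hand to its signing routine."""
    issuer = select_ca(attrs)
    return {"subject": build_subject_dn(attrs), "issuer": issuer,
            "loa": attrs[LOA_ATTR].strip().lower()}


# Constructed sample attribute sets (no real IdP or user).
SAMPLE_WITH_TARGETED_ID = {
    IDP_ATTR: "https://idp.example.ac.uk/idp/shibboleth",
    TARGETED_ID_ATTR: "a1b2c3d4e5",
    LOA_ATTR: "high",
}
SAMPLE_WITHOUT_TARGETED_ID = {
    IDP_ATTR: "https://idp.example.ac.uk/idp/shibboleth",
    EPPN_ATTR: "alice@example.ac.uk",
    LOA_ATTR: "medium",
}
SAMPLE_MALFORMED_ID = {  # a targeted ID that tries to smuggle in a second OU
    IDP_ATTR: "https://idp.example.ac.uk/idp/shibboleth",
    TARGETED_ID_ATTR: "a1b2c3d4e5,OU=https://other-idp.example.org",
    LOA_ATTR: "low",
}

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_TARGETED_ID, SAMPLE_WITHOUT_TARGETED_ID, SAMPLE_MALFORMED_ID):
        print(translate(sample))
```

The OU carrying the IdP entityID is what lets a relying party (or a grid-mapfile maintainer) tell which federation member vouched for the subject, and the issuing CA is what carries the LoA until an X.509v3 extension is available, as slide 5 anticipates.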

5 Addressing some of Ken's questions
Federated info plugged into the X.509 / GSI creds: VOMS creds
–Need to inject certificates into trusted CA stores and SOAs.
Nothing for NGS is really being refactored that isn't already in the pipeline,
–except we hope to make / foresee use of MyProxy extensions from our sister project, ShibGrid: http://www.oerc.ox.ac.uk/activities/projects/index.xml.ID=ShibGrid
No other choices of system given the UK SDSS and NGS.
LoA is being conveyed to the grid along with bespoke VO membership assertions.
–Initially by the CA certificate used to sign X.509 credentials
–Maybe by an LoA X.509v3 extension
How much of this is AuthN and how much is AuthZ depends on your perspective!
–We think that the CTS is a representation of a VO,
–we'd like someone else to do the AuthN (see ShibGrid)
We expect the Portal that consumes the GSI cred, and the subsequent grid, not to treat these credentials differently from how it treats other GSI creds

6 fin

7 Basic Access to the National Grid Service Today
NGS is a Globus 2 based Grid
Users need the means to authenticate themselves: GSI credentials
The NGS needs the means to make authorization decisions: grid-map + ...
Users need heavyweight tools and network access
We target users without these.

8 Portal Access to the National Grid Service Today
Clients no longer need heavyweight tools.

9 Portal Access to the National Grid Service Today
1 Client delegates their credential to MyProxy
2 Client uses a browser to access the Portal
3 Portal obtains the client's credential
4 Portal accesses the Grid

10 Portal Access to the NGS through SHEBANGS
Clients no longer need heavyweight tools.
Clients no longer need GSI credentials.

11 Portal Access to the National Grid Service Today
1-7 Client logs into the CTS via Shibboleth mechanisms
7.5 CTS creates an X.509 certificate based upon SAML assertions
8 CTS delegates a GSI proxy certificate to MyProxy
9-12 Client uses the username/password/MyProxy triplet to access the Grid via the Portal

12 Portal Access to the NGS through SHEBANGS
Issues
–The system covers only authentication
–The identity will be authentic but not recognized
–Need/want to use VOMS credentials
–Need to maintain decisions
Outcomes
–Clients no longer need GSI credentials
–Shibbolized VOMS service and Online CA

