Shibboleth and Grids Oxford Internet Institute, Oxford e-Science Centre and e-Horizons Institute Mark Norman 10 May 2006.


1 Shibboleth and Grids Oxford Internet Institute, Oxford e-Science Centre and e-Horizons Institute Mark Norman 10 May 2006

2 This talk
What is Shibboleth
Can we use it on grids?
  – The Customer-Service Provider (portal) model
  – Shibbolizing myProxy etc.
Oxford projects in this area

3 What is Shibboleth?
“Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”
  – It’s not strictly an authentication mechanism
  – Nor an authorisation mechanism
It enables both
But in plainer speaking…

4 What is Shibboleth?
It’s all about how to transmit the authorisation and role information from your home institution to outside service providers
And how those service providers can ask for that information
Access management and the communication of authorisation credentials
Aims: separate authentication from authorisation
  – Devolve authentication to the ‘home’ organisation
  – Devolve the management of authorisation information as well

5 Accessing a service
Graphics thanks to the SWITCH project, Swiss Education and Research Network: http://www.switch.ch/aai/demo/intro.html (a very good resource for an introduction).

6 Accessing a service
[Figure labels: IdP, User, SP]

7 Making the first connection
You must be authorised to use this service
I need you to log in somewhere!
The WAYF will help to find your home site (IdP)

8 Go home to authenticate
You must be authorised to use this service
I need you to log in somewhere!
OK, you say you’re from Hometown University?

9 Your handle is supplied
OK, you’ve been authenticated, but are you authorised to use this resource?
OK, you say you’re from Hometown University?
Log in to Hometown (your IdP)
Hometown finds you in the user database (steps 6 & 7)
Hometown (IdP) asserts to SP and supplies a unique handle (step 8)

10 Attributes for authorisation
OK, you’ve been authenticated, but are you authorised to use this resource?
I’d like to know this… …about the user (step 9)
OK, this user has these attributes that she is happy for you to know… (step 10)

11 Access permitted, authorised to…
Those attributes look fine – Come on in!!
Ah, I see you’re a lecturer in film studies…
We’ve let you in and assigned you: access all areas, read only…
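The handle-and-attribute exchange walked through in slides 7 to 11, sketched as an added Python example (not part of the original presentation and not Shibboleth's own code). The class names, the user record, the SP identifier "film-archive" and the release policy are hypothetical and constructed for illustration.

```python
import secrets

class IdentityProvider:
    """Home organisation: authenticates the user and decides which attributes to release."""
    def __init__(self, users, release_policy):
        self._users = users             # username -> {"password", "attributes"}
        self._release = release_policy  # SP id -> attribute names the IdP may release
        self._handles = {}              # opaque handle -> username, known only to the IdP

    def authenticate(self, username, password):
        # Stand-in for the institution's own login system (steps 6 and 7).
        user = self._users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        handle = secrets.token_urlsafe(16)  # step 8: unique handle, carries no identity
        self._handles[handle] = username
        return handle

    def attribute_query(self, sp_id, handle, requested):
        # Steps 9 and 10: release only attributes that exist and that policy allows for this SP.
        username = self._handles.get(handle)
        if username is None:
            return {}
        attrs = self._users[username]["attributes"]
        allowed = self._release.get(sp_id, set())
        return {n: attrs[n] for n in requested if n in allowed and n in attrs}

class ServiceProvider:
    """Outside service: never sees the username, authorises on released attributes only."""
    def __init__(self, sp_id, idp):
        self.sp_id, self.idp = sp_id, idp

    def authorise(self, handle):
        attrs = self.idp.attribute_query(self.sp_id, handle, ["role", "department", "email"])
        if attrs.get("role") == "lecturer":
            return "read-only", attrs
        return None, attrs

# Constructed sample data, not from the presentation.
USERS = {"jsmith": {"password": "correct horse", "attributes": {
    "role": "lecturer", "department": "film studies", "email": "jsmith@hometown.example"}}}
IDP = IdentityProvider(USERS, {"film-archive": {"role", "department"}})

def demo():
    handle = IDP.authenticate("jsmith", "correct horse")
    return handle, ServiceProvider("film-archive", IDP).authorise(handle)
```

The SP asks for the e-mail address as well, but the IdP's release policy withholds it, which is the privacy property slide 13 refers to.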

12 Can we use it on grids?
It’s not quite that easy!
  – Grids tend to use digital certificates (Centrally/Nationally issued)
      A bit hard to use (but that’s a different matter)
  – Shibboleth is (so far) based in the web world
      HTTP only
  – Some grid people think that
      Certificates = secure
      University libraries/SSO = insecure
  – (This is probably wrong, but grids do need higher security)

13 A benefit of Shibboleth to grids
Grids haven’t done very well in managing authorisation
Grid architects have not considered privacy much
Shibboleth can simplify authorisation and enable privacy use cases

14 Combining Shibboleth and Grid
A ‘Customer-Service Provider’ model
  – Like a portal with an application
  – From user-SP it is classic Shibboleth (web-based)
  – From SP-grid it is classic grid (using host certificates)

15 Shib and Grid: other approaches
‘Shibbolize’ myProxy
  – Access to your proxy certificate using your home institution’s SSO
Shibbolize myProxy-CA (or other CAs)
  – Temporary or low-assurance digital certificates
Shibbolize a grid portal
  – This is really the Customer-Service Provider model
  – See http://wiki.oucs.ox.ac.uk/esp-grid/NeSC_Shibbolized_Resources

16 Projects active in these areas (Oxford)
ESP-GRID (Evaluation of Shibboleth and PKI for Grids)
  – Thinking about policies and building demonstrators along the C-SP model
    http://www.oesc.ox.ac.uk/activities/projects/eprojects/esp-grid/
ShibGrid (Integrating NGS into the academic framework)
  – Building the myProxy and grid portal use cases

17 Shibboleth and Grids
This presentation at: http://users.ox.ac.uk/~markn/Presentations/ChinaDelegOeRC_OIImay06.ppt
Mark Norman 10 May 2006
