Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Published byEsmond Waters Modified over 8 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph Witzig, SWITCH OGF19 Jan 30, 2007

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 2 Outline Introduction –Basic approach to the problem Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Next Steps

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 3 AAI and Grid in Switzerland SWITCH built and operates now SWITCHaai - a national Shibboleth-based AAI Current Status: –Approx. 160’000 (75%) members of the Swiss higher education sector have AAI-enabled accounts –Approx. 10% use SWITCHaai to access about 100 resources on a regular basis No “national” grid infrastructure –Various grid efforts (e.g. LCG Tier 2 center, Swiss Bio Grid, …) Effort underway to launch a national Grid initiative

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 4 Prerequisites Our work is part of EGEE (gLite) Aim to be open for other grid middleware (if possible) AAI federation –Shibboleth is main target –But there are also other federations (A-Select, PAPI)  eduGAIN –By far not everyone within EGEE has an AAI federation Must take deployment into account –existing infrastructure

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 5 Work Plan EGEE-II: –April 2006 - Mar 2008 –Year 1: Phase 1 and 2  Add interoperability by starting “small” with minimal changes to gLite –Year 2: Extend SAML to grid resources EGEE-III: –Continuation in EGEE-III

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 6 Basic Idea

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 7 SP1 (“CA SP”) and SP2 (“VOMS SP”) should be independent of each other –Separate Service Providers –Deployed independently SP1 should be independent of the Grid middleware SP2 should only be dependent on VOMS

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 8 Alternative Scenarios (1) Instead of SP1 issuing a short-lived X.509 certificate –Keep using X.509 certificate from a (“classical”) CA  IdP not used for authN  May make sense if one wants to use only IdP attributes –Generate proxy X.509 if authN at IdP successful  authN from CA and IdP –Issue (long-lived) X.509 credential based on auth at IdP  TAGPMA MICS profile  User has to maintain long-lived certificate –Use a “low quality” CA (i.e. not accredited)  Much less work  Compatibility with existing infrastructure (EGEE, LCG)

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 9 Alternative Scenarios (2) Instead of SP2 being independent of SP1 –Merge them into one utility, which  Issues a X.509 certificate containing the IdP attributes as an extension X.509 certificate is no longer a “bare” X.509 User cannot choose to not expose his/her attributes Code must handle attributes from two sources: IdP attributes and the VOMS VO attributes Revocation whenever attribute changes  IdP issues an AC to be inserted into proxy X.509 (just like VOMS) IdP must be known to every grid resource Requires code change at the IdP –Attribute aggregation in SAML: Longer term project (dependencies on Shib 2 and future VOMS work) –Question: should data privacy be observed when releasing IdP attributes?

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 10 Outline Introduction –Basic approach to the problem Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Next Steps

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 11 SLCS Profile SLCS = short lived credential service Minimum requirements: SLCSX.509 Certificate Certificate is generated based on Identity Management system “traditional” Registration Authority (e.g. passport) Lifetime < 1mio secLifetime < 1 year + 1 month Revocation handling optional Revocation handling

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 12 SWITCHslcs: CA Setup

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 13 SWITCHslcs: Operation For the user: from the command line: invisible part of gLite UI (3.1) (can be installed independently) For the RA from web-based admin tool: Can enable or disable individual users (only for his institution) Can obtain log information SWITCH: Operates the service Strict access control Operate also a second test CA (everything being installed on the MSCS CA will be tested there first)

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 14 SWITCHslcs Design goals: –Private key is never transferred –Use commercial CA and only standard protocols –Modular design such that other people can use components

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 15 Status SLCS Software development is finished MJRA1.4 document: https://edms.cern.ch/document/770102/1 https://edms.cern.ch/document/770102/1 Operation of SLCS TEST CA in test-bed –http://www.switch.ch/pki/grid/testhttp://www.switch.ch/pki/grid/test CP/CPS: –Submitted to EuGridPMA for review Production CA setup: –In progress (delivery of production HSM, CA server configuration, hardening and testing)

16 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 16 Outline Introduction –Basic approach to the problem Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Next Steps

17 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 17 Design VASH: –VOMS Attributes from Shibboleth Shibboleth SP –Browser-based –Specific for  Federation  VO “lightweight” SP –No administrator duties –No management of attributes –Simply transfers attributes upon user request

18 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 18 Design (2) X.509 and proxy X.509 with VOMS AC unchanged No change in VOMS –Needs version 1.7.10 or higher VO registration not changed Administrative domain between Shibboleth federation and VOMS fully decoupled User manages mapping between DN in VOMS and Shibboleth user id –For “classic” X.509 –For SLCS X.509 Becomes a service which knows the mapping Shibboleth userid - DN

19 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 19

20 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 20 Status Software implementation done MJRA1.5 document: https://edms.cern.ch/document/807849/1 https://edms.cern.ch/document/807849/1 Need to develop plug-ins to evaluate the Shibboleth attributes at the grid resource

21 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 21 Next Steps Near future (3 months): –Evaluation modules for Shibboleth attributes at grid resource –Test-bed: Access to Shibboleth resources for grid users Medium future (1 year): –Deployment of phase 1 and phase 2 –Phase 3: currently in design Long-term future: –To what extent shall authN, authZ be based on certificates? –What is feasible within a regional / national / international grid?

22 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 gLite Shib OGF19 Jan 30, 2007 22 Q & A

Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005.

Shibbolising UK Census and ESDS services Lucy Bell Associate Director, Head of Information Systems and Preservation, UKDA 26 May 2005.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

Similar presentations

Ads by Google