Presentation is loading. Please wait.

Presentation is loading. Please wait.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

Published byDella Short Modified over 8 years ago

Similar presentations

Presentation on theme: "ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC."— Presentation transcript:

1 ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC

2 Motivation We want to encourage more users on the NGS –Need to cover all areas of research –From the single researcher to large projects –Security infrastructure must enable this PKI often a barrier Generalised not specific Straightforward to use Community is adopting Shibboleth

3 Requirements User/Project –Don’t want to know about certificates (or any other security mechanism!). –Transparent access to eScience facilities, consistent with other SSO-enabled components. –Access to components at home or away (even Internet Café). –Fit in with local authentication schemes. –Want to use own project portal. NGS –Must be compatible with GT2 and registration system. VOMS in the future.

4 Use cases Access to the Grid solely with Shibboleth Use standard Grid certificates when something extra is required – still many advantages Access to the Grid through a Portal –NGS portal/project portals Access to the Grid through other access methods –Globus, Java GSI-SSH Terminal, CoG, etc., Registration (for NGS) using Shibboleth

5 Shibboleth Overview Web-based federated access management system based on SAML Based on separation of authentication and authorisation –Authentication: Identity Provider (IdP) at user’s home institution –Authorisation: Service Provider (SP) based on attributes from the IdP –Discovery: Where Are You From (WAYF) service User can remain anonymous at the SP

6 Shibboleth Authentication and Authorisation (Thanks to Kang Tang)

7 Architectural Design Don’t change the user –Prevent extra logical steps: portal first –Easy to deploy in project portals –Support other access methods Don’t change other services –Work within Shibboleth and GSI frameworks

8 ShibGrid access to the NGS (via Portal) (Thanks to Kang Tang) Shibboleth Authentication and Authorisation

9 ShibGrid MyProxy Checks IdP (trusted) authentication/authorisation –Standard Shibboleth Portal (not trusted): –Standard MyProxy checks –+ check the attribute assertion was created for the portal Users: –Authentication: at IdP –Authorisation: Is user registered? username attribute = username used? –Attributes used to construct low-assurance certificate DNs

10 More than just portal access… Registration service –Data Protection Act/Acceptable Use Policy? –Supported IdP? –Correct configuration? –Link to NGS user registration Grid proxy download tool – For non portal Grid access methods Grid proxy upload tool

11 Logon via Shibboleth…

12 …Choose your home institution…

13 …background log-in in using Kerberos…

14 …welcome to the Portal…

15 …and we have a low- assurance Grid proxy

16 Certificate Download Tool Download a stored digital certificate from the MyProxy certificate store for use in other environments

17 Certificate Upload Tool Upload a standard UK e-Science certificate into the ShibGrid enabled MyProxy Server - enables download using Shib tools for those users who already have a digital certificate

18 Conclusion Succeeded in providing Shibboleth access to the Grid. Enabling NGS to grant access to users who do not have, and do not want, an e-Science certificate –lowering the barrier for beginners –widening the user base. Use of standard components and protocols ensures the product is easily deployable, maintainable, and interoperable. –Prototype was deployed in the NGS portal (both uPortal and StringBeans-based versions) –Software available through the OMII catalogue Led to some extra functionality being requested of the UK Shib federation

19 Thanks to the team! Jens Jensen David Meredith David Spence Kang Tang Matt Vilijoen

20 Questions

Download ppt "ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.

Next Generation Athens Services Ed Zedlewski UK e-Science Town Meeting, London, 11 April 2005.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Implementing Shibboleth-based Virtual Organisations and VO Federations using IAMSuite (including AAF update) James Dalziel & Alan Lin Professor of Learning.

Implementing Shibboleth-based Virtual Organisations and VO Federations using IAMSuite (including AAF update) James Dalziel & Alan Lin Professor of Learning.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Security Approaches and Requirements John Watt NCeSS Conference 2008 - Workshop 3 Data Management through e-Social Science June 18th 2008.

Security Approaches and Requirements John Watt NCeSS Conference Workshop 3 Data Management through e-Social Science June 18th 2008.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Information Resources and Communications University of California, Office of the President UCTrust Implementation Experiences David Walker, UCOP Albert.

Similar presentations

Ads by Google