
1 Federated Grid Access Using EMI STS
Henri Mikkonen, Helsinki Institute of Physics (UH.HIP)
EGI Community Forum 2013, April 8-12, 2013, The University of Manchester, U.K.
EMI is partially funded by the European Commission under Grant Agreement RI-261611

2 Federated Grid Access?
EMI INFSO-RI-261611 (11/04/2013, Henri Mikkonen @ EGI CF 2013)
Identity federations
– National and international (eduGAIN)
– De-facto standard is Security Assertion Markup Language (SAML)
– Mostly Web-based
  Non-browser is coming up (e.g. Project Moonshot)
Grid middlewares
– EMI: ARC, dCache, gLite and UNICORE
– User authentication is based on X.509 certificates
– Command-line and other non-browser clients

3 … not just X.509 certificate
Grid identity is not just the X.509 certificate
– gLite, ARC and dCache use Grid proxies
– Grid proxy = End-Entity Certificate (EEC) + (short-lived) proxy certificate + private key
  Proxy certificate contains VO attributes
Grid proxy initialization (voms-proxy-init)
– Request VO attributes from VOMS
– Attach them into the proxy certificate which is signed by the private key corresponding to EEC
– Default lifetime is 12 hours

4 What is STS?
WS-Trust: “STS is a Web service used to issue, renew, validate and cancel security tokens”
– Security Token: “A collection of statements (claims) about a user or resource” (WS-Security)
  Any digital identity that can be attached into a SOAP message
– STS establishes a trust relationship between different application / security domains
EMI STS implements the ISSUE operation for the supported token formats

5 STS Architecture
[Diagram labels: SOAP Client, RST, RSTR, External Source; inside the SECURITY TOKEN SERVICE: WS-Trust Handler, Request Dispatcher, AuthN Engine, Attribute Decoder, Attribute Resolver, Token Generator, Plugin]


10 SAML to Proxy - Components
User knows username/password at his home institute & wants to access a Grid resource

| Component | Credential input | Credential output |
|---|---|---|
| Grid resource | Grid Proxy | |
| VOMS | X.509 certificate | VOMS attributes |
| Online CA | Certificate Signing Request (CSR) | X.509 certificate |
| STS | SAML assertion | Grid Proxy |
| Home Institute | Username/password | SAML assertion |

11 SAML to Proxy - Components
[Diagram labels: STS SOAP Client, Home Institute, STS, Online CA, VOMS; SAML TRUST DOMAIN, X.509 TRUST DOMAIN; messages: Username/password, SAML assertion, RST(SAML):Proxy, CSR, X.509 certificate, Request for attributes, VOMS attributes, Proxy]


13 Use case 1: Web portal
[Diagram labels: Web portal, Home Institute, STS, STS SOAP Client, Online CA, VOMS; SAML TRUST DOMAIN, X.509 TRUST DOMAIN; messages: Browser access, SAML AuthnRequest, Username/password, SAML Assertion, RST(SAML):Proxy, CSR, X.509 certificate, Request for attributes, VOMS attributes, Proxy]
- Relatively simple
- Uses SAML 2.0 Web SSO Profile
- Neither certificates nor private keys are ever stored locally by the user
- Requires browser (to some users)
- If STS has different SAML entity than portal (as it should), SAML delegation is required


16 Use case 2: CLI with ECP profile
[Diagram labels: Client tool, Local access, Home Institute, STS, STS SOAP Client, Online CA, VOMS; SAML TRUST DOMAIN, X.509 TRUST DOMAIN; messages: RST(SAML):Proxy, CSR, X.509 certificate, Request for attributes, VOMS attributes, Proxy; numbered arrows 1 to 7]
1. Client tool initiates the ECP profile
2. STS issues a SAML AuthnRequest
3. User chooses home institute from the list
4. Client tool sends the AuthnRequest to the chosen home institute
5. User writes his username/password
6. Client authenticates the user to his home institute
7. Home Institute issues SAML assertion
- No Web-browser required (to some users)
- Supported by Shibboleth Identity Provider (as of version 2.3)
- Not widely supported worldwide (a small fraction of the users need the ECP profile)


18 Use case 3: CLI with another STS
[Diagram labels: Client tool, Home Institute, STS, STS SOAP Client, Online CA, VOMS; SAML TRUST DOMAIN, X.509 TRUST DOMAIN; messages: Home Institute & Username password, RST(Username&Passwd):SAML, SAML assertion, RST(SAML):Proxy, CSR, X.509 certificate, Request for attributes, VOMS attributes, Proxy]
- Simpler to implement than the ECP profile
- Not widely supported by open source SAML Identity Provider software

19 Summary
STS is a general purpose service used for transforming security tokens
– It can be used in both Web browser and non-Web use cases for enabling Grid access using federated identity
– SAML to X.509 & Grid proxy conversion
  Proxy initialization can be outsourced to STS
STS is relatively simple to be integrated
– One SOAP message exchange between the client and the STS
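
The single SOAP exchange named in the summary, RST(SAML) out and issued token back, sketched as an added Python example (not code from the presentation or from EMI STS). The WS-Trust 1.3 namespace, the X.509v3 token-type URI standing in for the proxy token type, and both sample messages are assumptions constructed for illustration; the sample assertion is unsigned.

```python
import xml.etree.ElementTree as ET

# Assumption: the slides do not say which WS-Trust version or token-type URI EMI STS expects.
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
ISSUE = WST + "/Issue"
X509V3 = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"

# Constructed sample inputs (not real credentials).
SAMPLE_ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
                    'ID="_constructed" Version="2.0"><saml:Issuer>https://idp.example.org'
                    '</saml:Issuer></saml:Assertion>')
SAMPLE_RSTR = ('<s:Envelope xmlns:s="%s" xmlns:t="%s" xmlns:w="%s"><s:Body>'
               '<t:RequestSecurityTokenResponse><t:TokenType>%s</t:TokenType>'
               '<t:RequestedSecurityToken><w:BinarySecurityToken>CONSTRUCTED'
               '</w:BinarySecurityToken></t:RequestedSecurityToken>'
               '</t:RequestSecurityTokenResponse></s:Body></s:Envelope>'
               % (SOAP, WST, WSSE, X509V3))

def q(ns, tag):
    return "{%s}%s" % (ns, tag)

def build_rst(assertion_xml, token_type=X509V3):
    """RST(SAML): assertion in the WS-Security header, ISSUE request in the body."""
    env = ET.Element(q(SOAP, "Envelope"))
    sec = ET.SubElement(ET.SubElement(env, q(SOAP, "Header")), q(WSSE, "Security"))
    sec.append(ET.fromstring(assertion_xml))
    rst = ET.SubElement(ET.SubElement(env, q(SOAP, "Body")), q(WST, "RequestSecurityToken"))
    ET.SubElement(rst, q(WST, "RequestType")).text = ISSUE
    ET.SubElement(rst, q(WST, "TokenType")).text = token_type
    return ET.tostring(env, encoding="unicode")

def parse_rstr(response_xml, expected_type=X509V3):
    """Return the issued token element; reject faults and unexpected token types."""
    body = ET.fromstring(response_xml).find(q(SOAP, "Body"))
    if body is None or body.find(q(SOAP, "Fault")) is not None:
        raise ValueError("SOAP fault or missing body")
    rstr = body.find(".//" + q(WST, "RequestSecurityTokenResponse"))
    if rstr is None or (rstr.findtext(q(WST, "TokenType")) or "").strip() != expected_type:
        raise ValueError("missing RSTR or unexpected token type")
    issued = rstr.find(q(WST, "RequestedSecurityToken"))
    if issued is None or len(issued) != 1:
        raise ValueError("expected exactly one issued token")
    return issued[0]

if __name__ == "__main__":
    print(parse_rstr(SAMPLE_RSTR).tag)
```

The client only checks the shape of the reply here; validating the assertion's signature and issuer is the STS's job when it receives the RST.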

20 Thank you!
STS is a part of the EMI-3 release: http://www.eu-emi.eu/emi-3-montebianco

