Outline
- What is a Science Gateway?
- The Catania Science Gateway Framework
  - General Architecture
  - Authentication, Authorisation and Roles
  - Catania Grid Engine
  - Roles
- Use Case: The DECIDE Science Gateway
- The GARR Science Gateway
Reference Model (diagram): the Science Gateway offers a Scientific Application, E-Collaboration, a Social Application and Standard Services to users of different institutions (members of GARR and/or international partners involved in European projects of the Consortium), on top of GRID, CLOUD and Local Cluster resources.
Reference Model (diagram, continued): the Scientific Application, E-Collaboration and Social Application layers of the Science Gateway sit on a standard-based (SAGA), middleware-independent Grid Engine.
Requirements
- Authentication and Authorisation: SAML, LDAP
- Application middleware independence: jSAGA, SAGA Standard
- Java Technology: JSR 168/286
- Web Technology: Web CMS, Wiki, Blog, Message Board, Vconf, Adobe Connect
- Portal Framework: standard adoption, reusability, simplicity, easy usage and access
TERENA Identity Federations (map)
Federated Identity Management (FIdM)
- In the web technology arena many approaches are available to federate authentication
- A standard provided by OASIS defines the Security Assertion Markup Language (SAML)
- Several tools are available, e.g. Shibboleth and SimpleSAMLphp
- Organisations can rely on traditional tools to manage users: LDAP, CAS, plain text, etc.
- Free and Open Source
Enabling SGs for FIdM
- Access to e-Infrastructure services requires authentication
- The distributed, cross-domain nature of the resources requires, in some cases, strong security mechanisms
- SGs want to provide easy access to these services
- Some institutions want to keep control of their own users' authentication
So a federation is made of…
- A collection of Identity Providers that follow a defined set of rules and policies
- Identity Providers (IdPs) are responsible for authenticating a closed group of users (i.e. users of the same organisation)
- Each IdP regulates access to a set of Service Providers (e.g. the mail server of the mentioned organisation)
Federated User and the Science Gateway (diagram)
Social User and the Science Gateway (diagram)
Authorisation request
- The first time users access the Science Gateway, their IdP authenticates them
- The LDAP server connected to the Service Provider (SP) cannot authorise the users
- The SP leads users automatically to the registration form
- Apart from their data, users can request a specific role
Authorisation request
Authorisation Management
Registration
- Users not belonging to any of the enabled federations can register with the catch-all Identity Provider of the GrIDP federation
Integrated Services (diagram): the Catania Science Gateway Framework, through JSR 168/286 portlets, gives access to GRID, CLOUD and Local Cluster resources.
Catania Science Gateway Framework (diagram): the Grid Engine, Data On Grid Services and Cloud Services are built on JSAGA Adaptors.
Usage Workflow (diagram)
- Components: eTokenServer, User Tracking DB, Grid Request
- Steps as labelled: 1. Sign in; 3. Proxy request; 4. Proxy transfer; 5. Grid Submission; 5. Tracking; 6. Getting Results
Access
Applications accessing grid services
- 12 applications developed across 5 different countries on 3 continents (Europe, Latin America and Asia)
- 4 scientific domains: Life Science; Mathematics & Computer Science; High Energy Physics; Cultural Heritage
Job Submission
Job Submission
My Workspace – Active Job List
My Workspace – Done Job List
My Workspace – MyJobsMap
My Data
- Sharing features among users will soon be added
Roles & Privileges
- Navigating a Science Gateway changes according to the user's roles
- Mapping between Liferay roles and LDAP groups
- A similar mapping is available on the grid (e.g. VOMS roles)
- Liferay allows the administrator to fully customise the user experience by assigning different roles to each component (pages, wikis, plugins, data)
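The authorisation request (IdP authenticates, SP consults LDAP, unknown users go to registration and may request a role) and the LDAP-group-to-role mapping above, modelled as an added Python example that is not part of the Catania framework; the directory entries, group DNs, role names and VOMS FQANs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed assumption: LDAP groups in the SP's directory, each mapped to the
# Liferay role it grants and to the grid-side (VOMS) role derived from it, so
# one table drives both the portal mapping and the grid mapping.
GROUP_TO_ROLES = {
    "cn=sg-users,ou=groups,dc=example,dc=org": ("User", "/vo.example/Role=User"),
    "cn=sg-admins,ou=groups,dc=example,dc=org": ("Administrator", "/vo.example/Role=Admin"),
}

# Constructed LDAP directory keyed by eduPersonPrincipalName, the attribute an
# IdP typically releases in the SAML assertion. A federated user who is not
# listed here has been authenticated by the IdP but never registered with the SP.
DIRECTORY = {
    "alice@uni-a.example": {"memberOf": ["cn=sg-users,ou=groups,dc=example,dc=org"]},
    "carol@uni-c.example": {"memberOf": ["cn=sg-users,ou=groups,dc=example,dc=org",
                                         "cn=sg-admins,ou=groups,dc=example,dc=org"]},
}

@dataclass
class Decision:
    action: str                   # "grant": let the user in; "register": send to the registration form
    liferay_roles: tuple          # roles the portal applies to pages, wikis, plugins, data
    voms_roles: tuple             # grid-side roles derived from the same LDAP groups
    requested_role: Optional[str] # role asked for on the registration form, if any

def authorise(assertion: dict, directory: dict, requested_role: Optional[str] = None) -> Decision:
    """SP-side authorisation, run after the IdP has already authenticated the user."""
    eppn = assertion.get("eduPersonPrincipalName")
    if not eppn:
        # Without a stable identifier the SP has nothing to look up in LDAP.
        raise ValueError("assertion carries no eduPersonPrincipalName")
    entry = directory.get(eppn)
    groups = [g for g in entry["memberOf"] if g in GROUP_TO_ROLES] if entry else []
    if not groups:
        # Authenticated but not authorisable from LDAP: lead the user to the
        # registration form and keep the role they asked for so an administrator can act on it.
        return Decision("register", (), (), requested_role)
    liferay = tuple(sorted({GROUP_TO_ROLES[g][0] for g in groups}))
    voms = tuple(sorted({GROUP_TO_ROLES[g][1] for g in groups}))
    return Decision("grant", liferay, voms, None)

if __name__ == "__main__":
    print(authorise({"eduPersonPrincipalName": "alice@uni-a.example"}, DIRECTORY))
    print(authorise({"eduPersonPrincipalName": "bob@uni-b.example"}, DIRECTORY, "User"))
```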
Facebook Integration
References
- GARR Science Gateway
- GARR Science Gateway Facebook Community Page
- Training Material
- Catania Science Gateways: http://science-gateways.it
