EMI is partially funded by the European Commission under Grant Agreement RI-261611 Security Token Service (STS) Simplified Credential Management Henri.

Slides:

Advertisements

Similar presentations

Lousy Introduction into SWITCHaai

Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

GT 4 Security Goals & Plans Sam Meder

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.

Lecture 23 Internet Authentication Applications

Grid Security. Typical Grid Scenario Users Resources.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

WebFTS as a first WLCG/HEP FIM pilot

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,

Neil Witheridge APAN29 Sydney February 2010 ARCS Authorisation Services Neil Witheridge Manager, ARCS Authorisation Services APAN29, Sydney, February 2010.

EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.

Harshavardhan Achrekar - Grad Student Umass Lowell presents 1 Scenarios Authentication Patterns Direct Authentication v/s Brokered Authentication Kerberos.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.

Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.

WS-Trust “From each,according to his ability;to each, according to his need. “ Karl marx Ahmet Emre Naza Selçuk Durna

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.

SWEB SWEB Security and Privacy Technologies – Implementation Aspects Venue:SWEB Day in APV, Novi Sad Author(s):Dr. Milan Marković Organisations:MISANU.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.

Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting , Padova, Italy.

WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.

Shibboleth Akylbek Zhumabayev September Agenda Introduction Description WS Standards WS-Federation Picture Grid Security GridShib References 2.

Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Milan.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Andrew J. Hewatt, Gayatri Swamynathan and Michael T. Wen Department of Computer Science, UC-Santa Barbara A Case Study of the WS-Security Framework.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.

Claims-based security with Windows Identity Foundation.

European Middleware Initiative (EMI) – Training Kathryn Cassidy, TCD EMI NA2.

Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.

EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.

AAI needs of the Distributed Computing Infrastructures - CLARIN Dieter Van Uytvanck Max Planck Institute for Psycholinguistics

EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.

Kipper – a Grid bridge to Identity Federation Andrey Kiryanov.

In Vivo Imaging Middleware — Phase 6 Ashish Sharma, Tony Pan, Y. Nadir Saghar.

CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.

August 3, 2004WSRP Technical Committee WSRP v2 leveraging WS-Security 1. Motivation 2. WS-Securtiy Roadmap and Status 3. WSRP Use Cases 4. Strawman/Issues.

Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)

WLCG Update Hannah Short, CERN Computer Security.

Federation made simple

EMI Interoperability Activities

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Security Token Service (STS) Status Update

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri Mikkonen, Helsinki Institute of Physics EGI Technical Forum , Prague, Czech Republic

EMI INFSO-RI Motivation Related Work Technology Some Use Cases Current State Contents 18/09/2012Henri EGI Technical Forum 20122

EMI INFSO-RI Grid users do not want to handle multiple credentials – Users would like to initialize their Grid identity using their existing user credentials DCIs would like to use federated identities – It is recognized that (inter)national federations are becoming more and more important X.509 certificates are and will be required by the majority of the Grid infrastructures for the foreseeable future Motivation 18/09/2012Henri EGI Technical Forum 20123

EMI INFSO-RI Solutions to X.509 issuance based on existing credentials exist – SLCS profile: gLite SLCS, MyProxy, … – MICS profile: Terena TCS, CERN CA, … Most of them are Web-based, even though Grid users often use command-line tools – I.e. Web-browser must be used as a client, or – Non-web client-tools need to parse the login forms manually Related work 18/09/2012Henri EGI Technical Forum 20124

EMI INFSO-RI Security Token? – WS-Security: A collection of statements (claims) about a user or resource Any digital identity that can be attached into a SOAP message: X.509, SAML assertion, Kerberos ticket, … Security Token Service? – WS-Trust: A Web service used to issue, renew, validate and cancel security tokens Establishes a trust relationship between different application / security domains Technology 18/09/2012Henri EGI Technical Forum 20125

EMI INFSO-RI Use Case 1 18/09/2012Henri EGI Technical Forum STS CA Username/Password -token Verifies the token X.509 certificate -token User Database Requests a certificate Issues a certificate STS Client Tool Username & Password X.509 & Private key to the filesystem User attributes (public key + proof)

EMI INFSO-RI Use Case 2 18/09/2012Henri EGI Technical Forum STS CA SAML assertion -token Requests a certificate Issues a certificate STS Client Tool Username, Password, Home Institute Home Institute Username, Password SAML assertion X.509 & Private key to the filesystem X.509 certificate -token (public key + proof)

EMI INFSO-RI Use Case 2 18/09/2012Henri EGI Technical Forum STS SAML assertion -token X.509 certificate -token Requests a certificate Issues a certificate STS Client Tool Username, Password, Home Institute Home Institute SAML Trust Domain Username, Password SAML assertion X.509 & Private key to the filesystem X.509 Trust Domain CA (public key + proof)

EMI INFSO-RI Use Case 3 18/09/2012Henri EGI Technical Forum STS SAML assertion -token X.509 proxy certificate -token Requests a certificate Issues a certificate STS Client Tool Username, Password, Home Institute Home Institute SAML Trust Domain Username, Password SAML assertion X.509 proxy certificate chain & private key to the filesystem VOMS Requests attributes Issues an attribute certificate X.509 Trust Domain CA (public key + proof + VO-info)

EMI INFSO-RI Use Case 4 18/09/2012Henri EGI Technical Forum SAML assertion -token Grid Portal Home Institute SAML Trust Domain Username, Password SAML assertion Access Grid Services using the user’s proxy Web browser access X.509 proxy certificate -token STS VOMS CA Requests a certificate Issues a certificate Requests attributes Issues an attribute certificate X.509 Trust Domain (public key + proof + VO-info)

EMI INFSO-RI The server-side for the presented use cases is mostly implemented (Issue-operation) – Incoming token formats: Username/Password, SAML assertion – Outgoing token formats: X.509, X.509 proxy – See live demonstrations at this event The first official release will be a part of EMI-3 Monte Bianco Current State 18/09/2012Henri EGI Technical Forum

EMI INFSO-RI Wednesday : AAI Workshop – Henri Mikkonen: “EMI STS – Transforming the Existing User Credentials for the Grid” Thursday : EMI Security for Grids and Clouds – Henri Mikkonen: “EMI STS – Status Update” – Carolina Lindqvist: “Exploring the SAML 2.0 ECP- Profile” More at two other sessions 18/09/2012Henri EGI Technical Forum

EMI is partially funded by the European Commission under Grant Agreement RI Thank you! Questions? Henri Mikkonen