Kipper – a Grid bridge to Identity Federation Andrey Kiryanov.

Slides:

Advertisements

Similar presentations

Lousy Introduction into SWITCHaai

Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

MyProxy Jim Basney Senior Research Scientist NCSA

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

MyProxy: A Multi-Purpose Grid Authentication Service

E-science grid facility for Europe and Latin America A Data Access Policy based on VOMS attributes in the Secure Storage Service Diego Scardaci.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.

WebFTS as a first WLCG/HEP FIM pilot

LHC Experiment Dashboard Main areas covered by the Experiment Dashboard: Data processing monitoring (job monitoring) Data transfer monitoring Site/service.

DIRAC Web User Interface A.Casajus (Universitat de Barcelona) M.Sapunov (CPPM Marseille) On behalf of the LHCb DIRAC Team.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

PanDA Multi-User Pilot Jobs Maxim Potekhin Brookhaven National Laboratory Open Science Grid WLCG GDB Meeting CERN March 11, 2009.

GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.

GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.

6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Report and plans Attribute.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

INFSO-RI Enabling Grids for E-sciencE ARDA Experiment Dashboard Ricardo Rocha (ARDA – CERN) on behalf of the Dashboard Team.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.

June 9, 2009 SURFfederatie: implementing a multi- protocol federation Hans Zandbelt & Joost van Dijk, SURFnet.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.

VOX Project Status T. Levshina. 5/7/2003LCG SEC meetings2 Goals, team and collaborators Purpose: To facilitate the remote participation of US based physicists.

Placeholder ES 1 CERN IT EGI Technical Forum, Experiment Support group AAI usage, issues and wishes for WLCG Maarten Litmaath CERN.

David Groep Nikhef Amsterdam PDP & Grid Bring the WLCG federation Home Extending your trust options beyond bottom-up identity by collaborating with global.

European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

CERN IT Department CH-1211 Genève 23 Switzerland t Single Sign On, Identity and Access management at CERN Alex Lossent Emmanuel Ormancey,

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.

EMI is partially funded by the European Commission under Grant Agreement RI Argus Policies Tutorial Valery Tschopp (SWITCH) – Argus Product Team.

OSG Security: Updates on OSG CA & Federated Identities Mine Altunay, PhD OSG Security Team OSG AHM March 24, 2015.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.

CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.

Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.

Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.

Federated Access to Storage EGI CF 2012 Luke Howard, Daniel Kouril, Michal Prochazka.

Authentication and Authorisation for Research and Collaboration Hannah Short (CERN) DI4R Authentication and Authorisation for Research.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI solution for high throughput data analysis Peter Solagna EGI.eu Operations.

Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.

The IGTF to eduGAIN Bridge

WLCG Update Hannah Short, CERN Computer Security.

Bring the WLCG federation Home

Grid accounting system

Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)

Pilots in AARC Arnout Terpstra (AARC2) / Paul van Dijk (AARC1)

Community AAI with Check-In

Example Use Case for Attribute Authorities and Token Translation Services - the case for eduGAIN Andrea Biancini.

AAI in EGI Status and Evolution

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Kipper – a Grid bridge to Identity Federation Andrey Kiryanov

Brief The Kipper client software combines tools and utilities to extend a Web Application to: Enable login via federated SSO like eduGAIN Retrieve a SAML2 Identity Assertion from SSO Transform a SAML2 Identity Assertion into an X.509 proxy certificate with VOMS extensions Do it all directly in browser context with JavaScript API The result: “X.509-free” access to the Grid ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

WLCG pilot service Goal: give access to WLCG resources using home institute’s credentials  No need for X.509 certificates WLCG working group dedicated to Identity Federation  CLI (job submission, admin tasks)  Web-based (grid portals for job submission, data transfers, etc.) Focus on the web-based solution ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

eduGAIN Built on existing federations and infrastructures CERN participates in eduGAIN via SWITCHaai Many NRENs participate in eduGAIN too 4 ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Access via CERN SSO 5 ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

IdF and CERN SSO CERN SSO service is based on Microsoft ADFS (Active Directory Federation Services) In order to benefit from SSO your Apache web server needs a special plug-in: Shibboleth – first solution supported by CERN, widespread, supports all possible standards, not easy to configure Mellon – pure SAML2 Service Provider. Minimal configuration, supported by CERN since 2015 Kipper supports both natively ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

SSO Auth. request (redirect) SAML2 Assertion Apache SSO plug-in Auth. SAML2 Web browser HTTPS session ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 SSO log-in process SAML2 assertion is an XML-formatted signed attribute list, which contains your name, address, e-groups, etc.

Kipper cornerstones SAML2 to X.509 translation  STS Short-living X.509 certificates  IOTA CA VO membership  VOMS ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

STS Security Token Service (STS) consumes SAML2 assertions and produces X.509 credentials in return STS is an implementation of WS-Trust OASIS standard and it speaks SOAP STS has been developed in the context of the EMI project and was extended at CERN to support: CERN IOTA CA specific client VOMS DN mapping registration and caching (IOTA DN is an alias to VOMS DN) ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

STS integration in a Web Application STS IOTA CA VOMS ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 Apache SSO plug-in Auth. SAML2 SSO Auth. request (redirect) SAML2 Assertion Web browser HTTPS session SAML2 SAML2 Assertion X.509 VOMS proxy Grid X.509 Kipper

IOTA CA IOTA CA (Identifier-Only Trust Assurance Certification Authority) issues short-living (days) X.509 certificates First implementation was issuing certificates to any STS client (provided that it had a valid assertion) Now STS can ask to sign certificates only for users registered in the configured VOMS Handy if you need a restricted set of eduGAIN members that would get a valid certificate ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

DN uniqueness IOTA CA should use an eduGAIN persistent identifier attribute to return a unique DN Which attribute(s) can be considered persistent and unique in eduGAIN? eduPersonPrincipalName is considered unique in theory but it can be reassigned according to local policy Only Identity Providers that secure unique eduPersonPrincipalName will be enabled in STS ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

A document containing all the details for the new CA at CERN has been prepared in 2015 by CERN IT IdF Team with help from us The document went through the review process of EUGridPMA and was accepted CERN LCG IOTA CA is included in IGTF Trusted Anchor Distribution since version 1.72 Deployed on virtually all WLCG sites now It should “just work” for you ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 CERN LCG IOTA CA

Open issues The new IOTA DN is associated to the already existing one in VOMS, but the grid middleware is not aware of this alias Two different users (not always an issue since proper VOMS extensions are included in the certificate) Dedicated STS instance per each WebApp+VO combination VOMS DN mapping and checks WebApp and STS need to consume the same SAML2 assertion ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Use cases What kind of web applications could benefit from Kipper? All kinds of portals that need to talk directly to Grid resources with X.509 authentication Data and workload management interfaces What are the benefits? Clear distinction between users (no catch-all robot proxies) No need to maintain App-specific user database Security, VOMS support What needs to be changed in the WebApp? Backend web server needs to be Apache on Linux (no IIS yet) Server side needs to accept user proxies from browser via specific delegation mechanism A dedicated instance of STS needs to be deployed ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Ongoing work CERN is developing a portal to enable eduGAIN members that are also members of LHC VOs to get a proxy certificate out of their eduGAIN credentials There’s an ongoing integration of ATLAS Panda Monitor with SSO which will allow then exploiting Kipper to transparently access job/monitoring log files stored on Grid storage elements ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Web-based tool to transfer files between Grid/cloud storages Modular protocol support gsiftp, http/dav, xroot and srm Cloud extensions: Dropbox ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 What is WebFTS?

ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 WebFTS pilot

X.509 delegation is needed to let WebFTS access the Grid resources on user’s behalf User needs to make his private key available to the browser Browser keystore is not accessible via JavaScript API A first prototype integrated with STS and IOTA CA was implemented at the end of 2014 WebFTS-specific solution, no Kipper yet Initially STS returned a plain certificate then delegated to FTS3 which was in charge of requesting VOMS extensions ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 “X.509-free” access

Segregation of Kipper from WebFTS Detached codebase of STS and Kipper WebFTS uses Kipper as a library Following the changes in STS with the generation of VO-specific certificates, we have adapted WebFTS (and Kipper) to use proxy certificates and delegate them to FTS3 Move to RFC proxy generation was needed Still both scenarios are supported WebFTS is the first technology demonstrator ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Conclusions Kipper enables Federated Identity Web-based access to WLCG resources IdF-enabled WebFTS is a working prototype (available only inside CERN so far) ATLAS has kindly agreed to provide its VOMS for testing purposes CERN LCG IOTA CA is globally deployed on WLCG sites This is an important step towards “X.509-free” access to Grid resources ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Acknowledgements Andrea Manzi Oliver Keeble Henri Mikkonen Romain Wartel Emmanuel Ormancey ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016 This work was funded in part by the Russian Ministry of Education and Science under contract №14.Z

References  STS and Kipper sources  CERN LCG IOTA CA certificates and documents ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016

Thank you! ISGC 2016, Academia Sinica, Taipei, Taiwan, March 2016