https://aarc-project.eu  Authentication and Authorisation for Research and Collaboration. Marcus Hardt, AARC AHM, Milan: Current Status of Non Web (via LDAP Facade).

Presentation transcript:

Slide 1: Title
Authentication and Authorisation for Research and Collaboration
Marcus Hardt, KIT
AARC AHM, Milan, 2-3 Nov 2015
Current Status of Non Web (via LDAP Facade)

Slide 2: Motivation: Bring federated identities to the command line
- ECP: Enhanced Client or Proxy profile
  - Proxy: "We can steal your password" (the proxy handles the user's password in clear)
  - Enhanced Client: you have to modify your client software
- ECP problems:
  - Nobody wants to modify the clients
  - Proxy-style federations cannot support this
- => Our Enhanced Client mix. Goal: allow non-web access without exposing the password and without ECP
  1. Website "SAML-delegation.data.kit.edu": authenticate using WebSSO (OIDC), issue a token
  2. Extension of the LDAP-Facade mechanism (PAM / LDAP + authentication interceptor)

Slide 3: Authenticator
- Intercepts the password / token
- Looks up a PID for the given uidNumber
- Forwards PID + password to the LDAP Facade
  - The LDAP Facade performs SAML ECP
- If that fails: forwards PID + password / token to saml-delegation.data.kit.edu
  - There: verify the token (PID + expiration time)
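The authenticator's decision chain from this slide, as an added Python example that is not code from the slides or from the LDAP-Facade project. The uidNumber-to-PID table, the ECP backend (a constructed dict standing in for the LDAP Facade) and the token format (PID, expiry and an HMAC over both under a key shared with the delegation website) are assumptions; the slides only state that the token carries a PID and an expiration time.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed stand-in for the LDAP Facade's PID lookup: uidNumber -> persistent ID.
PID_BY_UIDNUMBER = {10001: "pid-ka_ym0762", 10002: "pid-mcvsmob"}

# Constructed stand-in for the IdP passwords the LDAP Facade would verify via SAML ECP.
ECP_PASSWORDS = {"pid-ka_ym0762": "correct horse battery staple"}

# Assumed: key shared between this authenticator and saml-delegation.data.kit.edu.
DELEGATION_KEY = b"constructed-demo-key"


def _mac(pid: str, expiry: int) -> str:
    return hmac.new(DELEGATION_KEY, f"{pid}.{expiry}".encode(), hashlib.sha256).hexdigest()


def ldap_facade_ecp(pid: str, password: str) -> bool:
    """Step 1: forward PID + password to the LDAP Facade, which runs SAML ECP (stand-in)."""
    return hmac.compare_digest(ECP_PASSWORDS.get(pid, "").encode(), password.encode())


def issue_token(pid: str, lifetime_s: int, now: Optional[float] = None) -> str:
    """What the delegation website hands out after WebSSO: 'pid.expiry.mac' (assumed format)."""
    expiry = int(now if now is not None else time.time()) + lifetime_s
    return f"{pid}.{expiry}.{_mac(pid, expiry)}"


def verify_token(pid: str, token: str, now: Optional[float] = None) -> bool:
    """Step 2 (fallback): token must be genuine, bound to this PID, and not expired."""
    try:
        token_pid, expiry_str, mac = token.rsplit(".", 2)
        expiry = int(expiry_str)
    except ValueError:
        return False
    if not hmac.compare_digest(_mac(token_pid, expiry), mac):  # forged or altered token
        return False
    now = now if now is not None else time.time()
    # Binding to the looked-up PID stops a token issued for one account being replayed for another.
    return token_pid == pid and now < expiry


def authenticate(uid_number: int, secret: str, now: Optional[float] = None) -> Optional[str]:
    """PAM-side authenticator: returns the PID on success, None on failure."""
    pid = PID_BY_UIDNUMBER.get(uid_number)
    if pid is None:
        return None
    if ldap_facade_ecp(pid, secret):      # plain IdP password path via the LDAP Facade
        return pid
    if verify_token(pid, secret, now):    # non-exposed-password path via delegation token
        return pid
    return None
```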

Slide 4: Demo
- plain login: log in with ka_ym0762 and password
- non-exposed-password/saml: log in with ka_ym0762 via saml-delegation (via the KIT IdP)
- non-exposed-password/oidc: log in with mcvsmob via saml-delegation (Google)
- 0-Attr: log in with umbrella_marcvs => only password login, registration
Things to mention: deprovisioning, account linking, link to docs