EFDA-Fed: European federation among fusion energy research laboratories EURATOM/CIEMAT JET CEA R. Castro, J. Vega, A. Portas, A. Pereira, S. Balme, A.

Presentation transcript:

EFDA-Fed: European federation among fusion energy research laboratories EURATOM/CIEMAT JET CEA R. Castro, J. Vega, A. Portas, A. Pereira, S. Balme, A. Duarte, H. Fernandes, J. Kadlecsik, P. Lebourg, A. Neto, F. Oliveira, K. Purahoo, F. Reis, C. Rodriguez, J. Signoret, J. M. Theis, K Thomsen EFDA-Fed

Index
 Motivation
 Federation
 PAPI as AAI
 New technical solutions: federation logout, integration with Java applications
 Demo

Motivation

 Security framework for services access control
 Necessity in organizations of sharing resources: transparency, simple management
 Requirements: Single Sign On, secure access, user mobility, simple management and scalability, transparency, compatibility with common tools

Federation

EFDA Federation
 Authentication and authorisation infrastructure: PAPI
 Trust: public key
 Coordination and repository centre

How does it work? Web browser, Authentication Server, Federated Service, User Repository, Federation GPoA, Federated Organization, Federated Service, Federation WAYF ? ?

PAPI as AAI: Identity management GPoA 1 Point of Access GPoA 2 Authentication Server Send ID ID propagation Point of Access Point of Access Point of Access ID propagation

PAPI as AAI: GPoA  One credential -> many resources GPoA 1 Point of Access Point of Access Point of Access Point of Access GPoA 2 HTTP Client 1 2

PAPI as AAI: Infrastructure architecture Organisation A, Organisation B, Organisation C GPoA PoA GPoA PoA GPoA AS Federation GPoA

PAPI as AAI: Application level front-end  Easy services integration: one XML configuration point PoA GPoA HTTP Server HTTP Service HTTP Server

Technical solutions

Logout Mechanism
 Problem: service sessions are based on encrypted cookies (created the first time the user is authorised); logout means disabling all session cookies
 Solution: only the AS-registered GPoAs have cookies without a timeout; services use two “timeout” levels:
 Lcook: very short fixed timeout
 Hcook: if close to renewal time -> renew the Hcook; else -> climb to the GPoA

Logout Mechanism Web browser, Authentication Server, Federated Service, User Repository, Federation GPoA, Federated Organization, Federated Service, Federation WAYF ? ? Logout
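The two-level cookie timeout described on the Logout Mechanism slide, as an added illustration that is not part of the original presentation or of PAPI itself: a service-side PoA issues a short-lived Lcook and a longer-lived Hcook (simulated here as HMAC-signed tokens in place of PAPI's encrypted cookies), and once the Lcook expires it either renews the Hcook locally when renewal time is close or climbs to the GPoA, whose untimed session disappears on federation logout. The key, TTLs, renewal window, and the rule for "close to renewal time" are constructed assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"   # constructed placeholder, not a PAPI site key
LCOOK_TTL, HCOOK_TTL, RENEW_WINDOW = 60, 3600, 600   # seconds; assumed values

def _sign(payload):
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    return body + "." + hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()

def _verify(cookie):
    """Return the payload if the MAC checks out, else None (absent or tampered)."""
    body, _, tag = (cookie or "").partition(".")
    good = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not tag or not hmac.compare_digest(good, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(body))

class GPoA:
    """AS-registered Group PoA: keeps untimed sessions, cleared on logout."""
    def __init__(self): self.sessions = set()
    def login(self, user): self.sessions.add(user)
    def logout(self, user): self.sessions.discard(user)   # federation logout
    def has_session(self, user): return user in self.sessions

class PoA:
    """Service-side Point of Access that only ever holds timed cookies."""
    def __init__(self, gpoa): self.gpoa = gpoa
    def issue(self, user, now):
        return {"lcook": _sign({"u": user, "exp": now + LCOOK_TTL}),
                "hcook": _sign({"u": user, "exp": now + HCOOK_TTL})}
    def check(self, cookies, now):
        """Return (decision, cookies to set); decisions: allow/renew/climb/deny."""
        l = _verify(cookies.get("lcook"))
        if l and l["exp"] > now:
            return "allow", cookies                      # Lcook still valid
        h = _verify(cookies.get("hcook"))
        if h is None:
            return "deny", {}                            # nothing trustworthy left
        if now < h["exp"] <= now + RENEW_WINDOW:         # close to renewal time
            return "renew", self.issue(h["u"], now)      # renew Hcook locally
        # otherwise climb to the GPoA; after logout it has no session to offer
        if self.gpoa.has_session(h["u"]):
            return "climb", self.issue(h["u"], now)
        return "deny", {}
```

Because every service cookie expires within the Lcook window, a logout performed at the GPoA takes effect at each service without any cookie being revoked there.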

Integration with Java applications
 Adapted CookieModule class of the RT-HTTPClient libraries [
 jakarta commons-httpclient: HTTP library of the Jakarta projects, XML-RPC integration [
 New standard CookieHandler for Java > 1.5

Integration with Java applications Java Berkeley DB CookiesDB RT-HTTPClient CookieModule Jakarta commons-httpclient Java 1.5 or above CookieModule CookieHandler

Java PAPI Runner  Compatible with JWS  Transparent for the Java application  No recompilation required PAPI Runner Java App Cookies DB HTTP Resource PoA GPoA CookieHandler

Demo

Thank you for your attention R. Castro, J. Vega, A. Portas, A. Pereira, S. Balme, A. Duarte, H. Fernandes, J. Kadlecsik, P. Lebourg, A. Neto, F. Oliveira, K. Purahoo, F. Reis, C. Rodriguez, J. Signoret, J. M. Theis, K Thomsen EFDA-Fed