EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
WebFTS as a first WLCG/HEP FIM pilot
SWITCHaai Team Federated Identity Management.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
INFSO-RI Enabling Grids for E-sciencE The US Federation Miron Livny Computer Sciences Department University of Wisconsin – Madison.
INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
2006 © SWITCH Grid Activities at SWITCH Christoph Witzig EGEE - 06 Geneva Sep 28, 2006.
EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Introduction to GILDA and gaining access.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Next steps with EGEE EGEE training community.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Multi-level monitoring - an overview James.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS SAML Vincenzo Ciaschini MWSG Zurich,
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Gridshib-tech-overview-dec051 GridShib A Technical Overview Tom Scavo NCSA.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks New Authorization Service Christoph Witzig,
2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Update Authorization Service Christoph Witzig,
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
INFSO-RI Enabling Grids for E-sciencE - II VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Study on Authorization Christoph Witzig,
European Grid Initiative AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Kipper – a Grid bridge to Identity Federation Andrey Kiryanov.
2007© SWITCH SWITCHslcs the new AAI-based short-lived credential service for Grid users C.Witzig Swiss Grid Day, Berne, May 7, 2007.
INFSO-RI Enabling Grids for E-sciencE JRA3 Åke Edlund On behalf of JRA3 EGEE 8th All-activity meeting January 18-19,
Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus: command line usage and banning Christoph.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Status of the SAM/Nagios/GSTAT Components.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
WLCG Update Hannah Short, CERN Computer Security.
LCG Security Status and Issues
Global Banning List and Authorization Service
Tweaking the Certificate Lifecycle for the UK eScience CA
Grid Security Jinny Chien Academia Sinica Grid Computing.
Thursday pilot session: 7-minutes
What’s changed in the Shibboleth 1.2 Origin
UK Access Management Federation
AAI in EGI Status and Evolution
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph Witzig, SWITCH MWSG Mar 1, 2007

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, SWITCHaai Federation

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, AAI and Grid in Switzerland Current Status: –Approx. 160’000 (75%) members of the Swiss higher education sector have AAI-enabled accounts –Approx. 10% use SWITCHaai to access about 160 resources on a regular basis No “national” grid infrastructure –Various grid efforts (e.g. LCG Tier 2 center, Swiss Bio Grid, …) Effort underway to launch a national Grid initiative Motivation for enabling interoperability Shibboleth - Grid within EGEE-II

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Shibboleth Mechanism

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Prerequisites Our work is part of EGEE (gLite) Aim to be open for other grid middleware (if possible) Must take deployment into account –existing infrastructure

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Work Plan EGEE-II: –April Mar 2008 –Year 1: Phase 1 and 2  Add interoperability by starting “small” with minimal changes to gLite  Decides from the beginning against attribute “pull” –Year 2: Phase 3: Extend SAML to selected grid resources EGEE-III: –Continuation in EGEE-III

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Key Concepts Focus is on –Interoperability (NO replacement for X.509) –Specific for EGEE-2 infrastructure (VOMS etc) –Integrate, re-use, re-engineer existing code, write new code only as needed Key Concepts: –Home institution of the user should be the Identity Provider –Home institution provides some attributes –But VO is needed for (grid specific) attributes

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Overview Phase 1 and 2

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Design Decisions SLCS CA and “VOMS SP” should be independent of each other –Separate Service Providers –Deployed independently SLCS CA should be independent of the Grid middleware VOMS SP should only be dependent on VOMS

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, SLCS Profile SLCS = short lived credential service IGTF profile Minimum requirements: SLCSX.509 Certificate Certificate is generated based on Identity Management system “traditional” Registration Authority (e.g. passport) Lifetime < 1mio secLifetime < 1 year + 1 month Revocation handling optional Revocation handling

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, SWITCHslcs: Operation For the user: from the command line: invisible part of gLite UI (3.1) (can be installed independently) For the RA from web-based admin tool: Can enable or disable individual users (only for his institution) Requirements formulated in CP/CPS Can obtain log information SWITCH: Operates the service Strict access control Operate also a second test CA (everything being installed on the MSCS CA will be tested there first)

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, SWITCHslcs Private key is never transferred Use commercial CA and only standard protocols Modular design such that other people can use components Shibboleth attributes determine DN

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, SWITCHslcs: CA Setup

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Status SLCS Software development is finished MJRA1.4 document: Operation of SLCS TEST CA in test-bed since November – CP/CPS: –Accredited by EuGridPMA – Production CA setup: in progress (RSN)

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, The Problem Phase 1 ties –AAI authentication to issuance of X.509 certificate\ –AAI attributes are used to construct the DN Phase 2 intends to make AAI attributes available to grid resources for authorization decisions –Which AAI attributes are of interest to grid resource? –How does resource obtain attributes? (pull vs push) –Relation to VO attributes –Deployment issues

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Design VASH: –VOMS Attributes from Shibboleth Shibboleth SP –Browser-based –Specific for  Federation  VO “lightweight” SP –No administrator duties –No management of attributes –Simply transfers attributes upon user request

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Design (2) X.509 and proxy X.509 with VOMS AC unchanged No change in VOMS –Needs version or higher VO registration not changed Administrative domain between Shibboleth federation and VOMS fully decoupled User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509) Becomes a service which knows the mapping Shibboleth userid - DN Has to respect data privacy laws

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Shibboleth Attributes Need common understanding of attributes given within a federation but inter-federation access (?) Attributes are based on eduPerson Only a subset of attributes are really interesting for grid resources

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Web Interface VASH Service

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Status Software implementation done MJRA1.5 document: Need to develop plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource –Access to VOMS AC

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Review Phase 1 and 2

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Alternative Scenarios (1) Instead of SP1 issuing a short-lived X.509 certificate –Keep using X.509 certificate from a (“classical”) CA  IdP not used for authN  May make sense if one wants to use only IdP attributes –Generate proxy X.509 if authN at IdP successful  authN from CA and IdP –Issue (long-lived) X.509 credential based on auth at IdP  TAGPMA MICS profile  User has to maintain long-lived certificate –Use a “low quality” CA (i.e. not accredited)  Much less work  Compatibility with existing infrastructure (EGEE, LCG)

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Alternative Scenarios (2) Instead of SP2 being independent of SP1 –Merge them into one utility, which  Issues a X.509 certificate containing the IdP attributes as an extension X.509 certificate is no longer a “bare” X.509 User cannot choose to not expose his/her attributes Code must handle attributes from two sources: IdP attributes and the VOMS VO attributes Revocation whenever attribute changes  IdP issues an AC to be inserted into proxy X.509 (just like VOMS) IdP must be known to every grid resource Requires code change at the IdP –Attribute aggregation in SAML: Longer term project (dependencies on Shib 2 and future VOMS work) –Question: should data privacy be observed when releasing IdP attributes?

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Phase 3 (1) Work program for EGEE-II year 2 and beyond: –Deployment of phase 1 and 2 within Switzerland –Inter-federation access with other partners (EGEE-III) –Phase 3 Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2 3 options: –Option 1: Embed SAML assertions in certificates and let them evaluate by grid resources –Option 2: SAML-enable selected grid resources –Option 3: extend certificate-based security infrastructure with SAML Option 2 preferred –Option 1: what is additional value beyond phase 1 and 2 ? –Option 3: means to modify every grid service

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Phase 3 (2) Phase 3 is currently being designed SAML-enable those service, with which the user interacts directly –WMS –File access Benefits: –(Average) User has no certificates any more –Introduce SAML gently beyond phase 1 and 2, gain experience –No modifications on most grid software (--> deployment) –Compatible with Shibboleth roadmap (2.0, 2.1) and ID-WSF implementation –All options open for future

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Interoperability SAML - X.509 Part of Grid infrastructure is SAML-capable, part is pure X how to interconnect them? XTS (X.509 translation/token service) –Aka STS –Translates a SAML assertion into a X.509 certificate –Webservice –Is being contacted by grid service if it receives a SAML assertion, but it only understands X.509 –One coupling element between the SAML world and the X.509 world  Avoid coupling every grid resource with every Shibboleth IdP

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Summary Interoperability gLite - Shibboleth: –Phase 1: SLCS service  Online CA issuing X.509 certificates based upon authN at Shibboleth IdP  currently being deployed –Phase 2: VASH  Transfers Shibboleth attributes into VOMS  Shib attributes are available to grid resources as part of VOMS AC  Software development finished –Phase 3:  Currently being designed  Idea to SAML-enable a selected (small) number of grid resources (those close to the user)

Enabling Grids for E-sciencE EGEE-II INFSO-RI MWSG Sann Diego Mar 1, Q & A