Vincenzo Ciaschini JRA1 All-Hands Helsinki 18-20/06/07

Slides:



Advertisements
Similar presentations
Federated Identity for Grid Architects Tom Scavo NCSA
Advertisements

Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.
Project Overview Daniel Mallmann, Research Centre Juelich Alistair Dunlop, University of Southampton.
Interoperability and Usability of Grid Infrastructures Alistair Dunlop Achim Streit University of SouthamptonForschungszentrum Jülich.
GT 4 Security Goals & Plans Sam Meder
The National Grid Service and OGSA-DAI Mike Mineter
Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.
VO Support and directions in OMII-UK Steven Newhouse, Director.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.
VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Authz work in GGF David Chadwick
Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
ΗΛΕΚΤΡΟΝΙΚΟ ΕΜΠΟΡΙΟ Web Services Overview Mary Grammatikou 9/06/2009.
Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
WebFTS as a first WLCG/HEP FIM pilot
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SAML Conformance Sub-Group Report Face-to-face meeting August 29, 2001 Bob Griffin.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
September, 2005What IHE Delivers 1 ITI Security Profiles – ATNA, CT IHE Vendors Webinar 2006 IHE IT Infrastructure Education Robert Horn, Agfa Healthcare.
DICOM Security Lawrence Tarbox, Ph.D. Chair, WG 14 Mallinckrodt Institute of Radiology Washington University in St. Louis School of Medicine.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.
SAML 2.1 Building on Success. Outline n Summary of SAML 2.0 n Work done since 2.0 n Objectives of SAML 2.1 n Proposed Task List n Undecided Issues n Invitation.
SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.
17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.
Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.
Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
Andrew McNab - GridSite/EDG/GGF - 29 Sept 2003 GridSite, EDG and GGF Andrew McNab, University of Manchester
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS SAML Vincenzo Ciaschini MWSG Zurich,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
OSG AuthZ components Dane Skow Gabriele Carcassi.
VOMS: Status & Plans Vincenzo Ciaschini, Valerio Venturi MWSG Meeting, CERN, Feb
Standards driven AAA for Job Management within the OMII-UK distribution Steven Newhouse Director, OMII-UK
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks GSI with OpenSSL Vincenzo Ciaschini EGEE-3.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
OGSA Attributes: Requirements, Definitions, and SAML Profile Abstract This document specifies elements and vocabulary for expressing attribute assertions.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.
GridSite status Andrew McNab University of Manchester.
ETICS, EU-OMII and the Software Repository Andrea Caltroni, INFN Padova ETICS 1 st All-Hands Meeting, Budapest - May 29-31, 2006.
Security Assertion Markup Language, v2.0 Chad La Joie Georgetown University / Internet2.
Frascati, 2-3 July 2008 Slide 1 User Management compliance testing for G-POD HMA-T Phase 2 KO Meeting 2-3 July 2008, Frascati Andrew Woolf, STFC Rutherford.
Access Policy - Federation March 23, 2016
Jean-Philippe Baud, IT-GD, CERN November 2007
HMA Identity Management Status
OGF PGI – EDGI Security Use Case and Requirements
Federation made simple
OGSA-WG Basic Profile Session #1 Security
SAML New Features and Standardization Status
HMA Identity Management Status
Grid accounting system
Building Components for Grid Interoperability
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
OGF 21 Seattle Washington
What’s changed in the Shibboleth 1.2 Origin
Tim Bornholtz Director of Technology Services
Building components for Grid Interoperability
TeraGrid 08 The Third Annual TeraGrid Conference
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
A Grid Authorization Model for Science Gateways
InfiNET Solutions 5/21/
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

Vincenzo Ciaschini JRA1 All-Hands Helsinki 18-20/06/07 VOMS Developments Vincenzo Ciaschini JRA1 All-Hands Helsinki 18-20/06/07

Globus Dependency Removal Step 0: APIs capable of interpreting the AC without globus. DONE (VOMS 1.7.0) Step 1: Server to be contacted indifferently with GSI and SSL. APIs capable of contacting the server via both GSI and SSL. Scheduled for VOMS 1.8.0 (approx. October) Step 2: Server and clients speaking only SSL. Breaks protocol compatibility with VOMS < 1.8.0 Not before VOMS 1.9.0 (depending on TCG) JRA1 All-Hands, Helsinki 18-20/6/07

Globus Dependency Removal Deployment Procedure: When 1.8.0 comes out: Upgrade the servers to 1.8.0. Start linking applications against the SSL libraries. When 1.9.0 comes out: Upgrade the clients to 1.9.0. APIs libraries will silently remove GSI and use SSL instead. JRA1 All-Hands, Helsinki 18-20/6/07

Shorter FQANs Finally implement the shorter FQANs, e.g: /atlas instead than: /atlas/Role=NULL/Capability=NULL Current APIs can already deal with this, since 1.5.x. Optional, disabled by default. Longer form will be deprecated. Scheduled for 1.8.0 Shorter form will become the default in 1.9.0 JRA1 All-Hands, Helsinki 18-20/6/07

Aliased Identities The possibility to have two or more different identities (certificates) for the same user. See VOMS-Admin presentation for details admin-side. Credentials will belong to the identity which contacted the server. The different credentials would be considered synonyms. Will require a DB schema change => sync update of voms & voms-admin. Scheduled for VOMS 1.8.0 JRA1 All-Hands, Helsinki 18-20/6/07

Syslog Logging Allows logging to be done on syslog (different levels) as well as on private files. Respecting David’s document. In VOMS 1.8.0 (Done. Now under conformance testing) JRA1 All-Hands, Helsinki 18-20/6/07

APIs Additions Allow parsing of FQANs standalone. e.g: pass FQAN /atlas/prod/Role=sgm[/Capability=NULL], get: (/atlas/prod, sgm, “NULL”) JRA1 All-Hands, Helsinki 18-20/6/07

Other Platform Support Integration of patch from Apple. Patch accepted, but integration stopped pending resolution of copyright issues. In VOMS 1.8.0 (tentatively) Fixing of lib64 issue. In VOMS 1.7.x JRA1 All-Hands, Helsinki 18-20/6/07

Valerio Venturi JRA1 All-Hands, Helsinki, 18-20/6/07 VOMS & SAML Valerio Venturi JRA1 All-Hands, Helsinki, 18-20/6/07

OMII-Europe OMII-Europe is an EU-funded project which has been established to source key software components that can interoperate across several heterogeneous Grid middleware platforms The emphasis is on the re-engineering of software components rather than on the development of new technology. OMII-Europe will develop a repository of quality-assured Grid services running on these existing major Grid infrastructures. Component being re-engineered with relevant standard bodies Job Submission (OGF OGSA-BES WG) Database (OGF DAIS WG) Virtual Organisation Management (OGF OGSA Authorization WG) Accounting (OGF RUS WG)

OMII-Europe JRA1 VOM Activity OMII-Europe is extending VOMS to support recommendation emerging from the OGF OGSA Authorization WG Web Service Using SAML V2.0 Deployment Profile for X.509 Subjects,OASIS Committee Draft (undergoing public comment) VOMS is being integrated in UNICORE using the re-engineered service UNICORE Job Submission with authorization based on VOMS attributes demonstrated at OGF 20 Wider integration undergoing

VOMS SAML Service Same semantic of the Attribute Certificate based service Using SAML for protocols and assertions What was expressed using RFC 3821 Attribute Certificate is expressed using saml:Assertion elements SAML protocols elements are used for the interface Web Service exposing operation following “Bindings for the OASIS Security Assertion Markup Language (SAML) V2.0” A single operation AttributeQuery(samlp:AttributeQuery) returns: samlp:Response

VOMS SAML Service AttributeQuery allows to specify The subject whose attributes the requestor wants to know The attributes requested <AttributeQuery ID=... Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:protocol"> <Issuer Format=... xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT </Issuer> <Subject xmlns="urn:oasis:names:tc:SAML:2.0:assertion"> <NameID Format=...> CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT </NameID> </Subject> <!-- here Attribute elements to request attribute --> </AttributeQuery> Subject must match Issuer Going to provide support for Query (attribute pull mode, third party request for a Subject's attributes) In parallel with AC based VOMS, discussing authorization issues

VOMS SAML Service Response contains An Assertion element (digitally signed) <saml:Assertion ID=... IssueInstant=... Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"> <saml:Issuer Format=...> CN=omii002.cnaf.infn.it,L=CNAF,OU=Host,O=INFN,C=IT </saml:Issuer> <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> ... signature data ... </ds:Signature> <saml:Subject> <saml:NameID Format=...> CN=Valerio Venturi,L=CNAF,OU=Personal Certificate,O=INFN,C=IT </saml:NameID> <saml:SubjectConfirmation Method=...> ... binding to subject's X.509 data ... </saml:SubjectConfirmation> </saml:Subject> continue next page

VOMS SAML Service Issuer Subject Conditions element set duration <saml:Conditions NotBefore=... NotOnOrAfter=...> <saml:AttributeStatement> <saml:Attribute Name="group-membership-id" NameFormat=...> <saml:AttributeValue xsi:type="xs:string"> /omiieurope </saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement> </saml:Assertion> Issuer Subject Distinguished Name following RFC 2253 Conditions element set duration Attribute element contains FQAN and GA finalizing attribute naming (more in sequent slides)

VOMS SAML Service Uses Built in ETICS under the OMII-Europe project Tomcat tested version 5.5.20 used Tomcat default HTTPS connectors so far, plans to support Tomcat+TrustManager HTTPS in a few weeks Axis version 1.4 OpenSAML version 2.0 supporting SAML V2.0 is still Tecnology Preview, official release expected soon Built in ETICS under the OMII-Europe project Will undergo OMII-Europe QA process before released made public available Prototype available for testing and internal development in the OMII- Europe Evaluation Infrastructure at CNAF

SAML VOMS Tokens Attribute Certificate normally used in conjunction with users' proxy certificates Embedded in an extension of the users' proxies GridShib doing the same for SAML assertions Bind an ASN.1 SEQUENCE of <saml:Assertion> elements at a well-known, non-critical X.509 v3 certificate extension Exploring alternatives WS-Security gives a way to transport security tokens with SOAP messages In the SOAP Header UNICORE OGSA-BES using WS-Security for the prototype and UNICORE planning to use it for VOMS integration Supported in the WS-I Basic Security Profile

VOMS SAML Attributes MUST provide clear indications on how VOMS information are expressed using SAML Going to have a SAML V2.0 VOMS Attributes Profile Synchronize with others using SAML Attributes Naregi guys post to OGSA AuthZ WG They're using voName, group and role attributes (in their own namespace naregi:vo) VASH guys is going to face the same problem Going to use XACML profile for SAML Attributes due to interoperability within OGSA AuthZ WG specs

VOMS SAML FQANs Expressing FQANS as SAML Attribute elements Natural to use AttributeValue elements with type xsd:string <saml:Attribute Name="FQAN" NameFormat=...> <saml:AttributeValue xsi:type="xs:string"> a FQAN </saml:AttributeValue> <saml:AttributeValue xsi:type="xs:string"> another FQAN </saml:AttributeValue> </saml:Attribute> Problems with SAML specs Going to differentiate FQANs expressing only group information <saml:Attribute Name="a-sounding-name" NameFormat=...> <!-- attribute values with FQANs here --> </saml:Attribute>

JRA1 All-Hands, Helsinki 18-20/6/07