Federated access to e-Infrastructures worldwide

Federated access to e-Infrastructures worldwide
Marco Fargetta, INFN Catania - Italy (marco.fargetta@ct.infn.it)
VAMP Workshop 2013 – Helsinki, 30/9-1/10/2013

DCIs developed in the last decade
(DCI = Distributed Computing Infrastructure)

Evolution
- Research organisations are moving to cloud computing, for internal services and research applications
- Many different cloud models: public vs private vs commercial; IaaS, PaaS, SaaS
- The grid paradigm is still adopted by many projects
- Grid and cloud will co-exist for a while; many mixed approaches are under investigation and testing

e-Infrastructures problems
- Different authentication/authorisation: username/password, X.509, others
- Different tools to interact with: GUI, CLI, API, web apps, web services, etc.
- Different middleware and workflows to execute applications
- Very little standard adoption
- Lack of interoperability: difficult for users to move from one system to another

Science Gateways
“A Science Gateway is a community-developed set of tools, applications, and data that is integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community.” (TeraGrid/XSEDE)

Primary requirement: building Science Gateways should be like playing with Lego bricks
- Standards
- Simplicity
- Ease of use
- Re-usability
(figure: Science Gateways A to E built from the same bricks)

Catania Science Gateway Framework architecture
(diagram: administrator(s), scientists and cloud tenants, including users belonging to Identity Federations, reach the Catania Science Gateway with its embedded services and applications (App. 1, App. 2, MyCloud); the CLEVER Orchestrator (based on OCCI) and the Grid/Cloud Engine (based on SAGA) present Cloud #1, Cloud #2 ... Cloud #n and HPC clusters as a single logical domain)

Unified authentication system
- Users have to use only one account for all the systems; the account is generally provided by the home institution
- SAML 2.0 used
- Authentication to the e-Infrastructure is performed by the Science Gateway; e-Infrastructures do not distinguish Science Gateway users
- User tracking DB implemented for accounting and auditing purposes, compliant with EGI policies

AuthN/AuthZ Schema
(diagram: the Science Gateway keeps Authorisation (LDAP) separate from Authentication. 1. Register to a service; 2. Sign in through an IdP of the GrIDP (“catch-all”) federation: Social Networks’ Bridge IdP, IDPOPEN (“catch-all”), IDP_y, ..., each backed by LDAP)

AuthN/AuthZ Schema
(sequence diagram between the user, the Science Gateway, the identity federation and the e-Infrastructures)
1. The user tries to log in to the Science Gateway
2. The user is forwarded to the IdP through the federation
3. The IdP returns the identity attributes to the Science Gateway
4. The Science Gateway checks the user's authorisations
Then the Science Gateway syncs the user roles and retrieves the e-Infrastructure credentials on the user's behalf

Science Gateways deployed
- 12 SGs in production and others in development: Africa Grid, agINFRA, CHAIN-REDS, COGITO-MED, DCH-RP e-Culture, DECIDE, EarthServer, EUMEDGRID, GARR, GISELA, IGI, KLIOS
- VRCs supported either by region or discipline
- Very easy and intuitive access procedure
- User-driven development: surveys to propose applications are available in Italian and other languages

Official Identity (Inter-)Federations currently supported by Catania Science Gateways

The TERENA AAA Study (Objectives)
The goal has been broken down into two objectives:
- A collection of users’ access requirements coming from different communities
- A gap analysis of the existing AAIs used in the realm of research and education, the use-cases they support and the associated challenges
https://confluence.terena.org/display/aaastudy/AAA+Study+Home+Page

The TERENA AAA Study (Findings)

The TERENA AAA Study (Recommendations)
(table with columns: Action Required, Main Stakeholder(s), Area)

DCH-RP AAI Survey (www.dch-rp.eu)
- “Digital Cultural Heritage Roadmap for Preservation” (DCH-RP) is a coordination action supported by the European Commission under the e-Infrastructure Capacities Programme of the Seventh Framework Programme for Research (FP7)
- A survey about the AAI performed both within and outside the project community, mainly research and cultural organisations
- 20 organisations have already filled in the survey
http://dch-rp.eu/index.php?en/71/news-archive/6/dch-rp-questionnaire

DCH-RP AAI Survey (Current findings)

The GrIDP “catch-all” federation (http://gridp.garr.it)

The Open and Social IdPs

Mobile Support (both Android and iOS)
(diagram: the DCH-RP and eCSG mobile apps call the gLibrary REST API (glibrary.ct.infn.it) through the Science Gateway's API server; the gateway handles authentication and the authorisation service and mediates access to the e-Infrastructure)

Implementation
- Discovery service modified to provide a JSON with federations and IdPs, based on the Shibboleth DS
- Federation and IdP selection developed as native apps, both for Android and iOS
- IdP login page shown in a web view
- After the login, the native app catches the SAML token and closes the web view
- The token is used for the communication with the RESTful services
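The client side of the mobile flow above, as an added example that is not the eCSG/DCH-RP app's or INFN's code: it reads the discovery JSON, resolves the federation and IdP the user picked, builds the URL the web view opens and decides when the web view has come back to the gateway. The JSON layout, the SP handler URL and the "back at the SP" check are assumptions; the slides only say the Shibboleth DS was modified to return a JSON document with federations and IdPs and that the login page is shown in a web view that the app closes after login.

```python
"""Consume the discovery-service JSON in the mobile client and build the login request.

Added example, not the eCSG/DCH-RP app's or INFN's code. The JSON layout, the SP
handler URL and the "back at the SP" check are assumptions.
"""
import json
from urllib.parse import urlencode, urlparse

# Constructed sample of the discovery document (layout assumed).
DISCOVERY_JSON = """
{
  "federations": [
    {"name": "GrIDP",
     "idps": [
       {"entityID": "https://idpopen.example.org/idp/shibboleth",
        "displayName": "IDPOPEN (catch-all)",
        "sso": "https://idpopen.example.org/idp/profile/SAML2/Redirect/SSO"},
       {"entityID": "https://idp-y.example.org/idp/shibboleth",
        "displayName": "IDP_y",
        "sso": "http://idp-y.example.org/idp/profile/SAML2/Redirect/SSO"}
     ]},
    {"name": "Social Networks' Bridge",
     "idps": [
       {"entityID": "https://bridge.example.org/idp/shibboleth",
        "displayName": "Social Networks' Bridge IdP",
        "sso": "https://bridge.example.org/idp/profile/SAML2/Redirect/SSO"}
     ]}
  ]
}
"""


def _is_https(url):
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def load_discovery(doc):
    """Return {federation name: [idp, ...]}.

    An IdP whose SSO endpoint is not HTTPS is left out of the picker: the web view
    would otherwise send the user's institutional password in clear text.
    """
    data = json.loads(doc)
    catalogue = {}
    for fed in data["federations"]:
        catalogue[fed["name"]] = [idp for idp in fed["idps"] if _is_https(idp["sso"])]
    return catalogue


def select_idp(catalogue, federation, display_name):
    """Resolve the user's picks in the two native selection screens to one IdP."""
    for idp in catalogue.get(federation, []):
        if idp["displayName"] == display_name:
            return idp
    raise KeyError("no usable IdP %r in federation %r" % (display_name, federation))


def login_url(sp_base, idp, target):
    """URL the web view opens. Assumes the gateway runs the Shibboleth SP with its
    default Login handler, which accepts entityID (skipping the DS) and target."""
    query = urlencode({"entityID": idp["entityID"], "target": target})
    return sp_base + "/Shibboleth.sso/Login?" + query


def back_at_sp(url, sp_base):
    """True once the web view has navigated back to the SP origin, i.e. the SAML
    exchange is over and the app can take the session and close the view.
    Scheme and host are compared exactly: a substring check would also accept
    https://sg.example.org.evil.example/ or a plain-http look-alike."""
    here, sp = urlparse(url), urlparse(sp_base)
    return (here.scheme, here.netloc) == (sp.scheme, sp.netloc)


if __name__ == "__main__":
    catalogue = load_discovery(DISCOVERY_JSON)
    for fed, idps in catalogue.items():
        print(fed, "->", [idp["displayName"] for idp in idps])
    idp = select_idp(catalogue, "GrIDP", "IDPOPEN (catch-all)")
    print(login_url("https://sg.example.org", idp, "https://sg.example.org/api/"))
```

Note that the sample document deliberately contains one IdP with a plain-http SSO endpoint; `load_discovery` drops it, so the picker shows only IdPs the app can safely hand the user to.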

Mobile Authentication
(screenshots: web views and native apps)

IdP Management
- A catch-all IdP does not have a user DB to access: users need to ask for registration
- Anonymous self-registration not supported
- A web application has been developed to manage the registration workflow
- LDAP as back-end DB
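The registration workflow of the slide, as an added example that is not INFN Catania's web application: a request is validated and queued, and a directory entry exists only after an administrator approves it, so there is no anonymous self-registration. The base DN, the IdP scope, the attribute set (inetOrgPerson plus eduPerson) and the fact that the password is set in a separate step are assumptions; the entry is emitted as LDIF text so the example runs without a directory server.

```python
"""Registration workflow for a catch-all IdP with an LDAP back-end.

Added example, not INFN Catania's user-management web application. Base DN, scope,
attribute set and the separate password step are assumptions.
"""
import base64
import re

BASE_DN = "ou=People,dc=idpopen,dc=example"   # assumed directory layout
SCOPE = "idpopen.example"                      # assumed scope for scoped attributes
# Controlled vocabulary of eduPersonAffiliation.
AFFILIATIONS = {"faculty", "student", "staff", "alum", "member", "affiliate",
                "employee", "library-walk-in"}
UID_RE = re.compile(r"^[a-z][a-z0-9._-]{1,31}$")
MAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def ldif_line(attr, value):
    """LDIF needs base64 ("attr:: ...") when a value is not safe ASCII (non-ASCII
    characters, a newline, or a leading space, colon or '<'); otherwise "attr: value"."""
    safe = (value.isascii() and "\n" not in value
            and not value.startswith((" ", ":", "<")))
    if safe:
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def to_ldif(uid, attrs):
    """Render one entry as LDIF ready for ldapadd."""
    lines = [ldif_line("dn", "uid=%s,%s" % (uid, BASE_DN))]
    for attr, values in attrs.items():
        for value in (values if isinstance(values, list) else [values]):
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"


class RegistrationWorkflow:
    def __init__(self):
        self.pending = {}    # request id -> request awaiting an administrator
        self.entries = {}    # uid -> attributes of entries already in the directory
        self._next_id = 1

    def request(self, uid, given_name, surname, mail, organisation, affiliation):
        """Step 1, by the user: validate and queue; nothing is written to LDAP yet."""
        if not UID_RE.match(uid):
            raise ValueError("invalid uid")
        if not MAIL_RE.match(mail):
            raise ValueError("invalid mail address")
        if affiliation not in AFFILIATIONS:
            raise ValueError("affiliation must be an eduPersonAffiliation value")
        taken = uid in self.entries or any(r["uid"] == uid for r in self.pending.values())
        if taken:
            raise ValueError("uid already taken")
        rid = self._next_id
        self._next_id += 1
        self.pending[rid] = {"uid": uid, "givenName": given_name, "sn": surname,
                             "mail": mail, "o": organisation, "affiliation": affiliation}
        return rid

    def approve(self, rid):
        """Step 2, by an administrator: build the entry and return the LDIF to add.
        The password is set afterwards through a separate channel (assumption)."""
        req = self.pending.pop(rid)
        attrs = {
            "objectClass": ["inetOrgPerson", "eduPerson"],
            "uid": req["uid"],
            "givenName": req["givenName"],
            "sn": req["sn"],
            "cn": "%s %s" % (req["givenName"], req["sn"]),
            "mail": req["mail"],
            "o": req["o"],
            "eduPersonPrincipalName": "%s@%s" % (req["uid"], SCOPE),
            "eduPersonAffiliation": req["affiliation"],
            "eduPersonScopedAffiliation": "%s@%s" % (req["affiliation"], SCOPE),
        }
        self.entries[req["uid"]] = attrs
        return to_ldif(req["uid"], attrs)

    def reject(self, rid):
        """Step 2, alternative outcome: drop the request; the uid becomes free again."""
        return self.pending.pop(rid)


if __name__ == "__main__":
    wf = RegistrationWorkflow()
    rid = wf.request("mrossi", "Mario", "Rossi", "mario.rossi@example.org",
                     "Example Org", "member")
    print(wf.approve(rid))
```

The uid check spans both approved entries and pending requests, so two people cannot race for the same identifier while an administrator is deciding; the scoped eduPersonPrincipalName is derived from the uid and the IdP scope rather than taken from the form.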

IdP Management

Science Gateway Authorisation
- At first access users are sent to an authorisation request form
- Fields are automatically populated with information from the SAML token; if not available, users must provide the information
- If different roles are available, users can select one or more of them
- Users can apply for new roles at any time
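The gateway side of steps 3 and 4 of the AuthN/AuthZ schema together with the authorisation request form just described, as an added example that is not the Catania Science Gateway's own code: identity attributes arrive, a user seen for the first time gets the form pre-populated from the SAML token and types only what the IdP did not release, roles are selected from the available ones, and later logins return the roles to sync towards the e-Infrastructures. Every outcome is recorded for the user-tracking DB. Attribute names follow eduPerson/inetOrgPerson; the in-memory dicts, the approval step for additional roles and the field names are assumptions standing in for the gateway's LDAP authorisation and user-tracking databases.

```python
"""Authorisation on the Science Gateway driven by the SAML attributes.

Added example, not the Catania Science Gateway's own code. Field names, the role
approval step and the in-memory stores are assumptions.
"""

# SAML attribute (friendly name) -> field of the authorisation request form.
ATTR_TO_FIELD = {
    "displayName": "name",
    "mail": "email",
    "o": "organisation",
    "eduPersonAffiliation": "affiliation",
}
REQUIRED_FIELDS = ("name", "email", "organisation")


class GatewayAuthz:
    def __init__(self, available_roles):
        self.available_roles = set(available_roles)
        self.users = {}          # eppn -> {"profile": {...}, "roles": set()}
        self.pending_roles = {}  # eppn -> roles applied for, awaiting approval
        self.tracking = []       # user-tracking records (accounting/auditing)

    @staticmethod
    def _identity(saml_attrs):
        # The identifier comes from the IdP only, never from the form: a typed
        # identifier would let a user register under somebody else's name.
        eppn = saml_attrs.get("eduPersonPrincipalName")
        if not eppn or "@" not in eppn:
            raise ValueError("IdP released no usable eduPersonPrincipalName")
        return eppn

    def prefill_form(self, saml_attrs):
        """Form shown at first access: token values filled in, the rest to be typed."""
        fields = {field: saml_attrs.get(attr) for attr, field in ATTR_TO_FIELD.items()}
        missing = [f for f in REQUIRED_FIELDS if not fields.get(f)]
        return {"fields": fields, "missing": missing,
                "roles": sorted(self.available_roles)}

    def submit_form(self, saml_attrs, typed, requested_roles):
        """Complete the first access. Token values win over typed ones; typed values
        are accepted only for the fields the IdP did not release."""
        eppn = self._identity(saml_attrs)
        form = self.prefill_form(saml_attrs)
        profile = form["fields"]
        for field in form["missing"]:
            if not typed.get(field):
                raise ValueError("missing required field: %s" % field)
            profile[field] = typed[field]
        roles = set(requested_roles)
        if not roles:
            raise ValueError("select at least one role")
        unknown = roles - self.available_roles
        if unknown:
            raise ValueError("unknown role(s): %s" % sorted(unknown))
        self.users[eppn] = {"profile": profile, "roles": roles}
        self.tracking.append(("register", eppn, sorted(roles)))
        return eppn

    def apply_for_roles(self, eppn, roles):
        """Users can apply for new roles at any time; here they take effect only
        after approval by a gateway administrator (assumption of this example)."""
        unknown = set(roles) - self.available_roles
        if unknown or eppn not in self.users:
            raise ValueError("unknown user or role")
        self.pending_roles.setdefault(eppn, set()).update(roles)
        self.tracking.append(("role-request", eppn, sorted(roles)))

    def approve_roles(self, eppn):
        granted = self.pending_roles.pop(eppn, set())
        self.users[eppn]["roles"].update(granted)
        self.tracking.append(("role-grant", eppn, sorted(granted)))
        return sorted(self.users[eppn]["roles"])

    def login(self, saml_attrs, idp_entity_id):
        """Steps 3-4 of the schema: identity attributes arrive, authorisations are
        checked, and the roles to sync towards the e-Infrastructures are returned."""
        try:
            eppn = self._identity(saml_attrs)
        except ValueError as err:
            self.tracking.append(("deny", None, idp_entity_id, str(err)))
            return {"status": "denied", "reason": str(err)}
        user = self.users.get(eppn)
        if user is None:
            self.tracking.append(("first-access", eppn, idp_entity_id))
            return {"status": "authorisation-required",
                    "form": self.prefill_form(saml_attrs)}
        self.tracking.append(("login", eppn, idp_entity_id, sorted(user["roles"])))
        return {"status": "ok", "eppn": eppn, "roles": sorted(user["roles"])}
```

The point worth keeping from this sketch is the asymmetry between the identifier and the profile: the eduPersonPrincipalName is only ever taken from the IdP, while name, e-mail and organisation may be typed when the IdP releases nothing, and a login without a usable identifier is denied and recorded rather than sent to the form.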

Science Gateway Authorisation

After signing in ... accessing digital repositories
(screenshots from DCH-RP & CHAIN)

After signing in ... managing services in federated clouds
(screenshots from DCH-RP & CHAIN)

After signing in ... running jobs on different infrastructures
(screenshots from DCH-RP & CHAIN)

Support to other organisations
- Some organisations are deploying SGs using our framework and tools, including those for authentication/authorisation
- Federations are not everywhere: many project partners are located in countries without a national identity federation, and no SAML know-how is available there
- We are supporting organisations to deploy their IdPs; they are starting with “catch-all” ones for their local communities

Some of the IdPs supported

Implementation and status
- The IdPs deployed use the same tools and web application as our catch-all IdP: Shibboleth, LDAP and the web application developed by INFN Catania for user management
- 3 IdPs currently under test and 1 already included in the GrIDP federation
- Some NRENs are also planning to create their federation and add more IdPs
- IdPs for their own users are also foreseen in the short term

Summary
- Identity federations make authentication on distributed systems easy and safe
- Still many organisations are not federated, and tools for non-federated users are needed
- We built a catch-all federation and catch-all IdPs; these are important for services whose users are distributed over many countries and belong to many organisations
- Many organisations supported to implement their services (IdPs and SGs)
- Tools for user management could be integrated in the main SAML implementations (e.g. Shibboleth)

Outlook
- Finalise the deployment of IdPs and integrate them in the GrIDP federation
- Foresee the use of SAML for the authentication to clouds; OpenStack-based clouds allow the use of SAML
- Investigate the integration with the OAuth protocol for mobile authentication and authorisation, since the current approach has several limitations
