Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.

Background
- Like RADIUS, but for "higher level" services
- RadSec (RADIUS over TLS)
- Carrying SAML assertions
- Standards based (IETF): RADIUS, EAP, EAP-TTLS, GSSAPI
- Federated: user, SP, IdP, AA
- Targeting glueware such as ssh and MyProxy
- Technology project (code, not federations)
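The roles on this slide (user, SP, IdP, AAA, EAP carried over RADIUS) are easier to see as a message flow. What follows is an added Python model written for this page; it is not Moonshot or ABFAB code. The relying party relays opaque EAP messages to the user's home IdP, routing on the realm alone; the IdP verifies a password proof and answers with an accept that carries the exported session key and the user's attributes; client and RP then protect an application message under that key. The realm, user, password, attribute names and message formats are all made up. Two simplifications are deliberate: the inner exchange travels in the clear instead of inside the EAP-TTLS tunnel a real deployment uses, and the key and attributes arrive by an in-process call rather than over a RadSec connection.

```python
import hashlib
import hmac
import os

# Constructed sample data for the demo: one home realm holding one user's password.
# Nothing here is a real credential or a real Moonshot identifier.
USERS = {"example.org": {"alice": b"correct horse battery staple"}}


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Keyed derivation shared by client and IdP (stands in for the EAP method's PRF)."""
    return hmac.new(key, label + b"|" + b"|".join(parts), hashlib.sha256).digest()


class IdP:
    """Home organisation's EAP server, reached over the AAA (RADIUS/RadSec) path."""

    def __init__(self, realm: str):
        self.realm = realm
        self.pending = {}  # session id -> server nonce awaiting the client's proof

    def access_request(self, session: bytes, inner: bytes):
        kind, _, payload = inner.partition(b":")
        if kind == b"start":
            nonce = os.urandom(16)
            self.pending[session] = nonce
            return "challenge", b"nonce:" + nonce.hex().encode(), None
        if kind == b"proof":
            user, c_nonce_hex, proof_hex = payload.split(b",")
            s_nonce = self.pending.pop(session)
            c_nonce = bytes.fromhex(c_nonce_hex.decode())
            password = USERS[self.realm].get(user.decode())
            if password is None or not hmac.compare_digest(
                prf(password, b"proof", s_nonce, c_nonce), bytes.fromhex(proof_hex.decode())
            ):
                return "reject", b"", None
            # Access-Accept: the exported session key (cf. MS-MPPE key attributes) and
            # the user's attributes (cf. the SAML assertion ABFAB carries alongside).
            msk = prf(password, b"msk", s_nonce, c_nonce)
            attrs = {"eduPersonPrincipalName": f"{user.decode()}@{self.realm}",
                     "eduPersonAffiliation": "member"}
            return "accept", msk, attrs
        raise ValueError("unknown inner EAP message")


class RelyingParty:
    """Service such as sshd using the GSS-EAP mechanism: it relays EAP to the
    user's home realm and acts only on the IdP's final accept/reject."""

    def __init__(self, routes: dict):
        self.routes = routes   # realm -> IdP; stands in for RADIUS proxies / the trust router
        self.seen = []         # every byte the RP got to look at, for the demo's checks
        self.contexts = {}     # session id -> established GSS context

    def accept_sec_context(self, session: bytes, realm: str, inner: bytes):
        self.seen.append(inner)
        result, payload, attrs = self.routes[realm].access_request(session, inner)
        if result == "accept":
            self.contexts[session] = {"key": payload, "attrs": attrs}
            return "complete", b""
        if result == "reject":
            return "failed", b""
        return "continue", payload

    def unwrap(self, session: bytes, token: bytes) -> bytes:
        """Verify a MIC-protected message under the context key (toy GSS_Unwrap)."""
        mac, _, msg = token.partition(b".")
        expected = prf(self.contexts[session]["key"], b"wrap", msg)
        if not hmac.compare_digest(bytes.fromhex(mac.decode()), expected):
            raise ValueError("bad MIC")
        return msg


class Client:
    def __init__(self, user: str, realm: str, password: bytes):
        self.user, self.realm, self.password, self.key = user, realm, password, None

    def login(self, rp: RelyingParty):
        session = os.urandom(8)
        # Only the realm leaves the client in the clear (ABFAB's "@realm" outer NAI):
        # the RP learns where to route, not who is logging in.
        _, tok = rp.accept_sec_context(session, self.realm, b"start:")
        s_nonce = bytes.fromhex(tok.partition(b":")[2].decode())
        c_nonce = os.urandom(16)
        proof = prf(self.password, b"proof", s_nonce, c_nonce)
        inner = b"proof:" + b",".join(
            [self.user.encode(), c_nonce.hex().encode(), proof.hex().encode()])
        state, _ = rp.accept_sec_context(session, self.realm, inner)
        if state != "complete":
            return None
        self.key = prf(self.password, b"msk", s_nonce, c_nonce)  # same MSK the IdP exported
        return session

    def wrap(self, msg: bytes) -> bytes:
        return prf(self.key, b"wrap", msg).hex().encode() + b"." + msg


def run_demo(password: bytes = USERS["example.org"]["alice"]) -> dict:
    """Full flow: EAP through the RP to the IdP, then one protected application message."""
    idp = IdP("example.org")
    rp = RelyingParty({"example.org": idp})
    client = Client("alice", "example.org", password)
    session = client.login(rp)
    leaked = any(USERS["example.org"]["alice"] in m for m in rp.seen)
    if session is None:
        return {"ok": False, "rp_saw_password": leaked}
    msg = rp.unwrap(session, client.wrap(b"ls /home/alice"))
    return {"ok": True, "attrs": rp.contexts[session]["attrs"], "msg": msg,
            "rp_saw_password": leaked}
```

Two things carry over to the real protocol. The RP never holds the user's password: the demo checks the RP's transcript for it, and a wrong password is rejected by the IdP, not by the service. And everything the RP ends up trusting, the session key and the attributes, arrived over the AAA path from the IdP, which is exactly what RadSec and the trust router exist to secure. Without the TLS tunnel the model omits, the password proof the RP relays would be open to offline guessing, so EAP-TTLS is not an optional layer.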

Current Status
- In theory, anything using GSS (and SASL, and SSPI) works
  - Some things need minor fixes
- Get started with the Ubuntu/Debian ISO: "Hello, World" for Moonshot
  - RPMs available; OS support broadening (Windows, OS X)
  - Needs client and server libs
- Project led by JANET
- Development by Painless Security
- Standardised in the IETF ABFAB WG

UK Pilot
- Started 2 April; kick-off meeting Monday 8th
- 37 partners, 5 non-UK, most starting now
- Documentation being written
- 18 months, three phases (1, 2 and 3)

Pilot Common Areas
0. Grid resources (via certificates in the medium term)
1. "HPC" (ssh): everyone
2. OpenStack: Kent, Sussex
3. iRODS: STFC, UCL (maybe)
4. CIFS (maybe): UCL
5. Federated desktops (i.e. account management)
6. Ticket systems/support: Cambridge
7. Clouds and cloudbursting: Kingston
8. Scalability and performance: JANET
9. Trust routers (initially JANET will run one)
10. Grid COI: STFC + JANET

Moonshot Integration

Examples of tested scenarios
- OpenSSH client → OpenSSH server (GSS)
- OpenLDAP client → OpenLDAP server (SASL)
- OpenLDAP client (GSS) → Windows Active Directory (SSPI)
- Firefox → Apache (GSS)
- Internet Explorer → IIS (SSPI)
- Adium → jabberd (SASL)
- Console authentication using PAM/GSS on Linux and SSPI on Windows

Moonshot & MyProxy
- Moonshot supported via SASL
  - No code changes or recompiling needed
  - Only a matter of configuration (server and client)
- Both CA and repository mode supported
  - Users can obtain new credentials or retrieve stored ones
- X.509 credentials can be obtained using a federated identity:
    myproxy-logon -l <username> -s <server> -n
  (-l is the MyProxy username, -s the MyProxy server; -n skips the passphrase prompt because authentication comes from the SASL mechanism rather than a MyProxy passphrase)

Moonshot & NFSv4
- Distributed file system
  - Several implementations available
  - Security implemented using GSS-API
- Significant changes to client and server were needed
  - "hidden" dependency on Kerberos: the NFS GSS plumbing assumes the krb5 mechanism
- Pilot deployment oriented towards grid users
  - Authentication using X.509 (IGTF)
  - Gridified file system