
ARCHER’s Security Requirements within the AAF

2 Research Repository Requirements (relevant to AAF)
- Identity Management provided by the Federation
  - Single sign-on for Federation services
- Federation members can access services
  - for accessing and managing datasets in a Research Repository
  - accessible from either desktop or web applications
- Federation members can define groups of Federation members which can access their datasets
  - group membership defined autonomously by the group
- Research Repository accessible by other Federation services, including Grid services
- Privileges for content owners and groups managed by the Research Repository
- Consistent identity and group management across Shibboleth-protected and PKI-protected services

3 Consistent Identity & Group Management (diagram: one Identity Management and one Group Management function shared by the Shibboleth-protected Services and the PKI-protected Services)

4 Status of Repository Requirements
- Identity Management provided by the Federation
  - Single sign-on for Federation services
- Federation members can access services
  - for accessing and managing datasets in a Research Repository
  - accessible from either desktop or web applications
- Federation members can define groups of Federation members which can access their datasets
  - group membership defined autonomously by the group
- Research Repository accessible by other Federation services, including Grid services
- Privileges for content owners and groups managed by the Research Repository
- Consistent identity and group management across Shibboleth-protected and PKI-protected services
Legend: Available / Under Development / Not available (the status is marked per item graphically on the slide)

5 Objective: access a Federation service (e.g. a research repository) using Shibboleth from either a web or a desktop application.
Problem: Shibboleth was never designed to be used from desktop applications; its single sign-on profile assumes a web browser that follows redirects and holds session cookies.

6 Solution: Accessing a Federation Service from the Desktop using the Federation's Identity Management
Sequence diagram; actors: Desktop App, Desktop Credential Manager, IdP, Certificate Provider, Fed Service (PKI-protected). Numbered arrows, in order:
1. Desktop App asks the Credential Manager for a certificate (Request Cert.)
2. Credential Manager authenticates the user with the IdP
3. IdP returns a Shib token to the Credential Manager
4. Credential Manager presents the Shib token to the Certificate Provider
5. Certificate Provider passes the Shib token to the IdP
6. IdP releases the user's attributes to the Certificate Provider
7. Certificate Provider issues a short-lived certificate to the Credential Manager
8. Credential Manager hands the short-lived certificate to the Desktop App
9. Desktop App presents the short-lived certificate to the PKI-protected Fed Service
10. Fed Service returns Success/Fail

7 Credential Manager Requirements
- Must be able to authenticate with an Identity Provider
- Must be trusted by the user, as they will be authenticating with their institution through it
- Must be able to cache the user's credentials
- Must ask the user for confirmation when an application requests a credential
- Must be available for Windows, Mac and Linux machines

8 Certificate Provider Requirements
- Must generate certificates which:
  - are short-lived
  - maintain a consistent identity for the user across issuances
  - are IGTF-approved (i.e. issued under a CA accredited to the IGTF short-lived credential profile)
  - are signed by the Federation
  - carry only those Shibboleth attributes that are essential for accessing PKI-protected services
- The service must be managed by the Federation
- Desirable: an interface through which Grid certificates can be refreshed

9 Useful Security Components
- SWITCH's SLCS, for the Certificate Provider
  - Shibboleth-protected web application
  - generates IGTF-approved certificates from Shibboleth attributes
- Bandit Project's DigitalMe, for the Credential Manager
  - similar to Microsoft's InfoCard/CardSpace solution
  - written in Java
- Red Hat's CA, to be used by the AAF

10 Cert. Provision with Cert. available from MyProxy
Sequence diagram; actors: User, IdP, Certificate Provider (Service Provider), Certificate Generator, MyProxy. Numbered arrows, in order:
1. User presents a Shib token to the Certificate Provider
2. Certificate Provider passes the Shib token to the IdP
3. IdP returns the user's attributes
4. Certificate Provider passes the attributes to the Certificate Generator
5. MyProxy supplies the short-lived certificate from the user's stored credential
6. Certificate Generator returns the short-lived certificate to the User
An external interface is available to MyProxy to refresh certificates.

11 Cert. Provision with Cert. not available from MyProxy
Sequence diagram; actors: User, IdP, Certificate Provider (SLCS), Certificate Generator, MyProxy. Numbered arrows, in order:
1. User presents a Shib token to the Certificate Provider
2. Certificate Provider passes the Shib token to the IdP
3. IdP returns the user's attributes
4. Certificate Provider passes the attributes to the Certificate Generator
5. MyProxy reports Fail: no credential is stored for this user
6. Attributes are handed to the SLCS
7. The SLCS generates a medium-lived certificate and stores it, with the attributes, in MyProxy
8. Success (stored)
9. Success (reported back)
10. Attributes are presented to MyProxy again
11. A short-lived certificate is derived from the stored medium-lived credential
12. The short-lived certificate is returned to the User
An external interface is available to MyProxy to refresh certificates.
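The Certificate Provider logic of slides 6, 8, 10 and 11 as working code, as an added example in Go (not the Java prototypes of the ARCHER project, and not SWITCH SLCS code): the allow-list that limits which Shibboleth attributes reach the PKI side, a subject DN keyed on eduPersonPrincipalName so a reissued certificate names the same identity, issuance of a short-lived certificate under a federation CA, the MyProxy-style decision between returning a stored certificate and issuing a new one, and the check the PKI-protected Federation service performs on what it receives. The federation name, the 11-hour lifetime, the 2-hour reuse threshold, the attribute names and the function names are assumptions of the example; the self-signed CA generated at start-up stands in for the Red Hat CA of slide 9.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

const (
	federation   = "AAF Example"  // assumed O= of the federation CA
	certLifetime = 11 * time.Hour // assumed federation policy, not an IGTF figure
	minRemaining = 2 * time.Hour  // a stored cert with less life left than this is reissued
)

var essential = map[string]bool{"eduPersonPrincipalName": true, "o": true} // attribute allow-list
var lastSerial int64                                                        // toy serial counter; a real CA persists and randomises serials

// Store stands in for the MyProxy repository, keyed by ePPN.
type Store map[string]*x509.Certificate

// FilterEssential drops every released attribute that is not on the allow-list
// (requirement: transport only what PKI-protected services need).
func FilterEssential(attrs map[string]string) map[string]string {
	out := map[string]string{}
	for k, v := range attrs {
		if essential[k] {
			out[k] = v
		}
	}
	return out
}

// sign assigns a serial, signs tmpl with priv under parent and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	lastSerial++
	tmpl.SerialNumber = big.NewInt(lastSerial)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// CA is the federation-operated signing authority (the slides' Red Hat CA).
type CA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewCA builds a self-signed federation CA for the example.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		Subject:   pkix.Name{Organization: []string{federation}, CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return &CA{Cert: cert, key: key}, err
}

// Issue signs a short-lived end-entity certificate for the user's key (step 7 of slide 6).
// CN is the ePPN, so every certificate issued to a user names the same identity.
func (c *CA) Issue(attrs map[string]string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, error) {
	a := FilterEssential(attrs)
	if a["eduPersonPrincipalName"] == "" || a["o"] == "" {
		return nil, errors.New("IdP did not release eduPersonPrincipalName and o")
	}
	subject := pkix.Name{Organization: []string{federation}, OrganizationalUnit: []string{a["o"]}, CommonName: a["eduPersonPrincipalName"]}
	tmpl := &x509.Certificate{Subject: subject, NotBefore: now.Add(-5 * time.Minute), NotAfter: now.Add(certLifetime), // 5 min skew
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, c.Cert, pub, c.key)
}

// Provision is the slide 10/11 decision: hand back the certificate stored for the user when it is
// bound to the same key and has enough life left, otherwise issue a new one and store it.
func Provision(ca *CA, store Store, attrs map[string]string, pub *ecdsa.PublicKey, now time.Time) (*x509.Certificate, bool, error) {
	eppn := attrs["eduPersonPrincipalName"]
	if c := store[eppn]; c != nil && pub.Equal(c.PublicKey) && c.NotAfter.Sub(now) > minRemaining {
		return c, true, nil
	}
	cert, err := ca.Issue(attrs, pub, now)
	if err != nil {
		return nil, false, err
	}
	store[eppn] = cert
	return cert, false, nil
}

// Verify is the relying service's check (steps 9/10): chains to the federation CA, within validity, client auth.
func Verify(ca *CA, cert *x509.Certificate, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// NewUserKey is the key pair the Desktop Credential Manager generates and caches locally.
func NewUserKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
```

Beyond what the slides show, the example ties reuse of a stored certificate to the requesting public key, so a credential manager that has generated a fresh key pair is never handed a certificate bound to an old one, and it refuses to issue at all when the IdP has not released the attributes the DN is built from. A deployment would persist and randomise serial numbers, keep the CA key away from the web front end, and distribute a real trust anchor instead of a CA generated at start-up.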

12 Component overview (diagram): Web Portal, IdP, Certificate Provider, Red Hat CA, MyProxy (with an external interface available to refresh certificates) and SLCS on the server side; Desktop App with DigitalMe and a Shib Module on the desktop. Labelled flows: Post Back Request, Short-term Cert, Post back Cert.

13 Prototypes: Shib Desktop Access & Shib Cert Provider
SVN:
In this folder there are three separate projects:
- ArcherCertProvider: the front-end web application to manage certificates
- CardSpace: the desktop module for local certificate management
- Desktop Shibboleth: the desktop module for Shibboleth authentication
Installation instructions for each module are in the README file of each project.
To run the demonstration:
1. Deploy ArcherCertProvider to a J2EE servlet container (tested with Tomcat 6.*); an existing WAR file can be found at
2. Start the CardSpace module: ant LocalCertManager
3. Run a HelloWorld example of a GSI application: ant GSIApp