A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006.

Slides:



Advertisements
Similar presentations
Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Advertisements

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.
Digital Certificate Operation in a Complex Environment Matthew J. Dovey Oxford University Computing Services.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
Password?. Project CLASP: Common Login and Access rights across Services Plan
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Password?. Project CLASP: Common Login and Access rights across Services Plan
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
ESP-GRID The case for devolved authentication: over-centralised security doesn't work JISC Core Middleware meeting at NeSC: Developments within Security.
1 eAuthentication in Higher Education Tim Bornholtz Session #47.
03 December 2003 Digital Certificate Operation in a Complex Environment Consultation/Stakeholders Meeting 3 December 2003.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
03 December 2003 Digital Certificate Operation in a Complex Environment Presentation as part of the Digital Projects in Oxford series 4 February 2004.
Shibboleth access management: a replacement for Athens and more? Mark Norman and Christian Fernau OUCS 21 June 2007.
WLCG Security TEG, risks and Identity Management David Kelsey GridPP28, Manchester 18 Apr 2012.
Learning Management Systems Camp June 2004 Barry R Ribbeck UT HSC Houston Copyright, Barry Ribbeck, This work is the intellectual property of the.
Shibboleth Update a.k.a. “shibble-ware”
Federated A(A(A))I Jens Jensen hepsysman, RAL,
SWITCHaai Team Federated Identity Management.
Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.
Term 2 – Contemporary Relationships with Outdoor Environments.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
Gary Brown, Senior Systems Developer, Portal Development Team Identity Management Toolkit a JISC sponsored project.
National Science Foundation Chief Information Officer CIO Fall Update for the Advisory Committee for Business and Operations: Identity Management 2.0 George.
New Developments in Authentication and Access Management Alan Robiette JISC Development Group JISC-NSF-DLI2 Meeting, 2002.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
Shibboleth and Grids Oxford Internet Institute, Oxford e-Science Centre and e-Horizons Institute Mark Norman 10 May 2006.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Supporting further and higher education Middleware and AA within the JISC Environment Nicole Harris, JISC Development Group.
Shibboleth for Real Dave Kennedy
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.
Credentialing in Higher Education Michael R Gettes Duke University CAMP, June 2005, Denver Michael R Gettes Duke University
Digital Certificate Operation in a Complex Environment Presentation to the IT Support Staff Conference 24 June 2004.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.
Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
New Developments in Access Management: Setting the Scene Alan Robiette JISC Development Group JISC-CNI Conference, June 2002.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Shibboleth Trust Model Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the.
Security Vulnerability Identification and Reduction Linda Cornwal, JRA1, Brno 20 th June 2005
Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck
Security Policy Update WLCG GDB CERN, 14 May 2008 David Kelsey STFC/RAL
11-Dec-00D.P.Kelsey, Certificates, WP6 meeting, Milan1 Certificates for DataGrid Testbed0 David Kelsey CLRC/RAL, UK
E-Science Security Roadmap Grid Security Task Force From original presentation by Howard Chivers, University of York Brief content:  Seek feedback on.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
VOMS Attribute Authorities Michael Helm ESnet/LBNL 23 Feb 2007.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
1 Identities and Federation: The Next IT Wave (The Canadian Access Federation) Rick Bunt President The Canadian University Council of CIOs (CUCCIO)
Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Write your name and class here
Full Page Watermarking
UK e-Science All Hands Meeting, 2006 Mark Norman 18 Sept 2006
e-Infrastructure Workshop 28th March 2006, University of Leeds
Tweaking the Certificate Lifecycle for the UK eScience CA
The New Virtual Organization Membership Service (VOMS)
Presentation transcript:

A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006

19 Sept 062 This talk The ESP-GRID project What is Shibboleth? Our requirements for grid security –How we usually express those requirements –What are the real requirements? Shibboleth vs (usual GSI-style) PKI –Assertion of permanent identifier versus –Assertion of current membership and suitability

19 Sept 063 The ESP-GRID Project The Evaluation of Shibboleth and PKI for Grids (ESP-GRID) Project –Ran July 04 to June 06 Aim was to investigate whether and how Shibboleth offers solutions to issues of grid authentication, authorisation and security The first questions we hit were: –Do we really need explicit IDs asserted everywhere? –What would make things scalable?

19 Sept 064 Unforgeable or unrevocable? What’s the best situation? –Using unforgeable paper that lasts for 10 years –or… –Checking with a trusted colleague to vouch for you every time ?? The answer is (obviously) “it depends” It’s all about authorisation…

19 Sept 065 What is Shibboleth? “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation” –It’s not strictly an authentication mechanism –Nor an authorisation mechanism It enables both But in plainer speaking…

19 Sept 066 What is Shibboleth? It’s all about how to transmit the authorisation and role information from your home institution to outside service providers And how those service providers can ask for that information Access management and the communication of authorisation credentials Aims: to separate authentication from authorisation –Devolve authentication to the ‘home’ organisation –Devolve the management of authorisation information as well

19 Sept 067 Can we use it on grids? It’s not quite that easy! –Grids tend to use X.509 digital certificates (Centrally/Nationally issued) A bit hard to use (but that’s a different matter) –Shibboleth is (so far) based in the web world HTTP only –Some grid people think that Certificates = secure University libraries/SSO = insecure –(This is probably wrong, but grids do need higher security)

19 Sept 068 Grid security: what are we trying to secure? Current grid users have quite a deep level of control over the host machines If you compare them with web browser/readers, for example Is this scaleable to high numbers of users? Surely these people are Power Users (and we just haven’t got many Regular Users yet)? Are personal digital certificates suitable for Power Users and something else (e.g. Shib) good for ordinary Users?

19 Sept 069 Should we devolve ID management? (Shibboleth is an ideal model for this) Currently we use 12 month credentials, checked once (possibly years ago) And trust that the user hasn’t gone bad, or if s/he does, we’ll somehow get to hear about it When ID management is devolved: Less central control of user policies (bad) When someone steals something, they get their accounts immediately suspended (good)

19 Sept 0610 Should we devolve ID management? (2) (Shibboleth is an ideal model for this) Maybe we can’t trust the local ID managers –They might be really sloppy with their ID management! But we trusted the University Card that they issued –So we were trusting them all along!?!

19 Sept 0611 GSI-style PKI: it’s identity, not AuthZ We all know that you should separate authentication and authorisation But having a certificate tends to mean that ‘you’re a member of the community for a year’ –That’s mixing authN and authZ It would be OK if someone had a long term certificate (e.g. 10 years) and we had sophisticated authZ

19 Sept 0612 Emotional security “We must know who everyone is in case they do something bad” –Do we really mean that? How about: “If someone/something does something bad (on purpose or otherwise), I need to suspend their jobs and their activity until they are identified and dealt with” –So maybe you don’t need to know their ID up front?

19 Sept 0613 Real requirements Rapid suspension –Get the bad thing to stop ASAP and you could go for slower (human mediated) identification/revocation? (It’s not outside the requirement) Identification of wrong-doers Revocation of credentials for deliberate wrong- doers These are the real requirements. The supposed requirement of needing to know an ID ‘up front’ is one solution for these requirements.

19 Sept 0614 A case for Shibboleth If we agree that… –numbers of users will grow –most current users are Power Users –most (future) regular users will be less technical –most regular users will be interested in (predictable) applications –(and maybe) we will have methods to deal with rogue users and jobs based upon suspend and then investigate then Shibboleth is attractive

19 Sept 0615 Grids use GSI But grids are based on Grid Security Infrastructure –Tied inextricably to X.509 digital certificates Grids do have greater need for high security What about people using (e.g.) portals with applications in portlets? –The portal could authenticate them using username/password – or even via Shibboleth –The portal talks to the grid using GSI –(See other paper for the Customer-Service Provider model)

19 Sept 0616 The C-SP model

19 Sept 0617 A last word about “identity” Is your identity a unique (scoped) identifier? e.g. citizen uk (or mark o o ox o ac o uk) Or is your identity a whole list of things? e.g. member of oucs, member of oerc, member of Oxford University, part of ESP-GRID project, staff, “Mark Norman”, male?

A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.