Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Presentation transcript:

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation under grant number Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

CILogon www.cilogon.org
CILogon Project Goal
- Enable campus logon to CyberInfrastructure (CI)
  – Use researchers’ existing security credentials at their home institution
  – Ease credential management for researchers and CI providers

InCommon is the federation for U.S. research and education, providing higher education and their commercial and non-profit partners with a common trust framework for access to online resources.
- 264 InCommon Participants
- Almost 5 million end-users (faculty, staff, students)

A Roadmap for Using NSF Cyberinfrastructure with InCommon
A helpful guide for CI projects

Prior Work: go.teragrid.org
- Campus login to TeraGrid
- 35 campuses so far
- Relies on TeraGrid identity vetting
- In production since September
- certificates issued so far to 65+ users
- IGTF accredited
- Integration with portal.teragrid.org underway
- IDtrust 2010 paper: “Federated Login to TeraGrid” ( trust/2010/)

New Service: cilogon.org
- No TeraGrid account required
- Supports InCommon and OpenID authentication
- Delivers certificates to desktop, browser, and portals
- Available certificate lifetimes: from 1 hour to 13 months
- Supports close integration with CI projects
- Available now! FAQ:

CILogon Portal Delegation
- Grid Portals and Science Gateways provide web interfaces to CI
  – Portals/Gateways need certificates to access CI on researchers’ behalf
- CILogon Delegation Service allows researchers to approve certificate issuance to portals (via OAuth)
[Diagram: Web Browser, CILogon, Portal, CI; arrow labels: access, request certificate, authenticate & approve, access]

An OAuth Service for Issuing Certificates to Science Gateways for TeraGrid Users Jim Basney and Jeff Gaynor National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science Foundation under grant number

Goals
- Support use of individual TeraGrid accounts via gateways
- Independent of support for gateway community accounts
- For more accurate accounting, greater resource access
- Avoid disclosing TeraGrid user passwords to gateways
- Avoid risk to long-lived credentials (i.e., user passwords)
- Use TeraGrid passwords only on systems operated by TeraGrid
- Use standard security protocols: TLS, OAuth
- More trustworthy
- Ease of integration for gateway developers

[Figure: Current Approach / New Approach]

Benefits
- Security WG concerns about password disclosure to external science gateway sites are addressed
- Science Gateways can support individual TeraGrid account access via standard protocols
- Resource Providers can support user access via gateways using existing certificate-based interfaces
- Users can access their individual TeraGrid accounts via gateways using their TeraGrid Portal login

OAuth Example
[Diagram: Web User (Resource Owner), Photo Printing Service (Client), Photo Sharing Service (Server); arrow labels: Request Access to Photos, Authenticate & Grant Access to Photos, Token, Token, Photos]
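The delegation these slides describe, in which a gateway obtains a certificate on the user's behalf without ever handling the user's password, modelled as an added example (not code from the presentation or from CILogon). The class and function names, the single-use tokens and the dict standing in for a signed certificate are assumptions of this simplified model, not the project's protocol.

```python
import hmac, secrets, time

class DelegationService:
    """Toy OAuth-style server operated by the CI provider (assumed model)."""
    def __init__(self, passwords):
        self._passwords = passwords  # user -> password; never leaves this class
        self._pending = {}           # request token -> (user, verifier) once approved
        self._access = {}            # access token -> user

    def request_token(self):
        tok = secrets.token_urlsafe(16)
        self._pending[tok] = None    # issued to the gateway, not yet approved
        return tok

    def approve(self, tok, user, password):
        # Called from the user's browser directly, not through the gateway.
        stored = self._passwords.get(user)
        if (tok not in self._pending or stored is None
                or not hmac.compare_digest(stored.encode(), password.encode())):
            return None
        verifier = secrets.token_urlsafe(8)
        self._pending[tok] = (user, verifier)
        return verifier

    def exchange(self, tok, verifier):
        entry = self._pending.pop(tok, None)   # request token is single use
        if not entry or not hmac.compare_digest(entry[1], verifier):
            return None
        access = secrets.token_urlsafe(16)
        self._access[access] = entry[0]
        return access

    def issue_certificate(self, access, public_key, lifetime_s=3600):
        user = self._access.pop(access, None)  # access token is single use
        if user is None:
            return None
        # A dict stands in for the signed, short-lived certificate.
        return {"subject": user, "public_key": public_key,
                "not_after": time.time() + lifetime_s}

def run_flow(service, user, password):
    """Return (certificate, every value the gateway handled)."""
    tok = service.request_token()
    verifier = service.approve(tok, user, password)  # browser <-> service only
    if verifier is None:
        return None, [tok]
    access = service.exchange(tok, verifier)   # verifier reaches gateway by redirect
    cert = service.issue_certificate(access, "constructed-public-key")
    return cert, [tok, verifier, access]
```

The second value returned by `run_flow` is the gateway's entire view of the exchange: three random tokens, none of which is the long-lived password.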

[Figure: Current Approach / New Approach]

Distributed Web Security for Science Gateways Jim Basney (NCSA) Rion Dooley (TACC) Jeff Gaynor (NCSA) Suresh Marru (IU) Marlon Pierce (IU) This material is based upon work supported by the National Science Foundation under grant number

Science Gateway Security Project
Primary Deliverable: A standards-compliant OAuth service implementation to securely delegate, deliver, and renew credentials to science gateways on a user's behalf.
- Including optional MyProxy integration
- Including client libraries and modules for web frameworks
Timeline:
- August 2011: Project Start
- February 2012: Initial MyProxy OAuth release
- August 2012: Initial release of general software components
- August 2013: Feature complete software releases
- August 2014: Final software releases

[Figure: Current Approach / New Approach]

Certificate Delegation via OAuth (Option A)

Certificate Delegation via OAuth (Option B)

Integration with External Authentication
[Figure panels: LDAP/Kerberos, SAML/OpenID]

Science Gateway Security Project
Other planned OAuth deliverables
- Secure access to gateway REST services
  – Authorizing access to services via OAuth tokens instead of certs
- Certificate renewal
  – Using OAuth refresh tokens
- Community engagement
  – UltraScan, iPlant, GridChem/ParamChem
  – XSEDE, Globus Online