WebFTS as a first WLCG/HEP FIM pilot


WebFTS as a first WLCG/HEP FIM pilot
Andrea Manzi, Andrey Kiryanov
8th FIM4R meeting

What is WebFTS?
https://webfts.cern.ch
- Web-based tool to transfer files between grid and cloud storages
- Modular protocol support: gsiftp, http(s), xrootd and srm
- Cloud extensions: Dropbox, CERNBox
- Initial development funded by
WebFTS as a first WLCG/HEP FIM pilot, 04/02/2015

Based on FTS3
- FTS3 is the service responsible for distributing the majority of LHC data across the WLCG infrastructure
- Low-level data movement service, responsible for moving sets of files from one site to another while allowing the participating sites to control the network resource usage
- Used by the LHC VOs and by many other VOs within EGI
- ~20 PB monthly transfer volume, ~2.2M files per day (WLCG): http://dashb-fts-transfers.cern.ch/ui/

“X.509-free” access
- X.509 delegation is needed to let WebFTS access the grid on the user's behalf: a proxy certificate has to be signed with the user's private key.
- That means the user has to make the private key available to the browser, and browsers expose no API through which a web application can use a certificate's private key for this.
- We are trying to replace user certificate delegation with transparent access via Identity Federation (a pilot project for WLCG).
- The same technology may be used for other types of services, e.g. job submission.

WebFTS pilot

Architecture (diagram; slide adapted from Romain Wartel, GDB Sept 2014)
Components shown: federation IdPs, reached through a WAYF by SAML redirect and returning credentials and attributes; CERN SSO (SAML); STS; IOTA CA; VOMS; WebFTS (web front end); Grid Storage Elements, which see X.509 + VOMS.

eduGAIN
- Built on existing federations and infrastructures
- CERN participates in eduGAIN via SWITCHaai
- Many NRENs participate in eduGAIN too

IdF and CERN SSO
- The CERN SSO service is based on Microsoft's ADFS (Active Directory Federation Services).
- To benefit from SSO our web server (Apache) needs a SAML service-provider plug-in:
  - Shibboleth: supported by CERN, a widespread solution that supports all the relevant standards, but not easy to configure.
  - Mellon (mod_auth_mellon): a pure SAML2 SP. The first integration was done with development versions; since last week a specific package is distributed by CERN for SL5/6, so it is also officially supported.

What happens when you log in to SSO?
1. The web browser requests a page from Apache; the SSO plug-in finds no HTTP session.
2. The plug-in redirects the browser to the SSO service with an authentication request.
3. The user authenticates at SSO.
4. SSO returns a SAML assertion to the SSO plug-in (through the browser), and the HTTP session is established.
SAML = Security Assertion Markup Language. A SAML assertion is essentially a signed list of attributes (name, email, etc.).

STS
- The Security Token Service (STS) consumes SAML2 assertions and produces X.509 credentials in return.
- STS is an implementation of the OASIS WS-Trust standard and speaks SOAP.
- This functionality relies on a so-called IOTA CA (Identifier-Only Trust Assurance Certification Authority), which issues short-lived (days) X.509 certificates.
- At CERN we can get such certificates from the “CERN CA” (which is NOT the “CERN Grid CA”), the same CA that signs eduroam certificates.

What's in all this for WebFTS? (diagram)
Flow shown on the slide: the web browser sends an auth request to Apache; the SSO plug-in redirects to SSO, the user authenticates, and SSO returns a SAML2 assertion to the plug-in. The assertion is handed to the JavaScript context of WebFTS, which sends it to the STS; the STS obtains an X.509 certificate from the IOTA CA and returns it, and WebFTS uses that certificate with the FTS3 REST API.

Next steps
- The way the STS issues certificates has to change. The STS has more than one mode of operation:
  - It can generate a key pair, have the certificate signed by the CA, and send both the certificate and the private key back to us. This is what is used right now, but it is wrong because the private key is transmitted over the network.
  - It can generate a proxy certificate (with or without VOMS extensions) for a public key provided from our side. This is more secure, but it requires changes in the delegation code on the WebFTS side (ongoing).
- VOMS integration is implemented in FTS now. Waiting for STS VOMS integration.

Open Issues
- Above all we have to convince sites to trust IOTA-profile CAs. This has to be discussed at the level of the infrastructures: EGI, WLCG, ...
- How do we associate the different identities of the same user (e.g. a normal X.509 certificate and the IdF identity)?
  - Now we manually map the user's X.509 credentials to the IOTA CA DN in VOMS (as an alias).
  - But how do we guarantee that this DN is unique?

Open Issues [ii]
- The STS, acting as RA for the IOTA CA, should use a persistent eduGAIN identifier attribute to request a unique DN.
- Which attributes can be considered persistent and unique in eduGAIN?
  - It looks like eduPersonPrincipalName can be reassigned according to local policy.
  - Can we use the SAML2 persistent identifier (NameID)? And do all eduGAIN IdPs provide it?
  - What about a combination of attributes?
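As an added example (not code from WebFTS, Shibboleth or mod_auth_mellon) covering both the SSO login flow above and the identifier question on this slide: a Go program that consumes a SAML2 assertion the way the application sees it after the SP plug-in has validated the XML signature, enforces the audience and validity window, and derives the identifier to hand to the STS/RA. It prefers the SAML2 persistent NameID qualified by the issuing IdP's entityID (a persistent NameID is only unique within one IdP), falls back to eduPersonPrincipalName with a warning because the IdP may reassign it, and builds a DN component from a digest of the qualified identifier. The assertion, entityIDs and attribute values are constructed; signature verification is assumed to have happened in the plug-in and is only checked for presence here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

const persistentFmt = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

// Constructed sample assertion (not captured from CERN SSO or any eduGAIN IdP). The
// signature value is a placeholder: the SP plug-in has already verified the real one.
const sampleSignature = `<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignatureValue>c29tZS1zaWduYXR1cmU=</ds:SignatureValue></ds:Signature>`
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_c0ffee" IssueInstant="2015-02-04T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  ` + sampleSignature + `
  <saml:Subject><saml:NameID Format="` + persistentFmt + `">yKa3bJ9w5rT2pL</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2015-02-04T09:59:00Z" NotOnOrAfter="2015-02-04T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.org/shibboleth</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// Only the parts of a SAML2 assertion this SP needs; encoding/xml ignores the rest.
type assertion struct {
	XMLName   xml.Name  `xml:"urn:oasis:names:tc:SAML:2.0:assertion Assertion"`
	Issuer    string    `xml:"Issuer"`
	Signature *struct{} `xml:"http://www.w3.org/2000/09/xmldsig# Signature"`
	NameID    struct {
		Format string `xml:"Format,attr"`
		Value  string `xml:",chardata"`
	} `xml:"Subject>NameID"`
	Conditions struct {
		NotBefore    string   `xml:"NotBefore,attr"`
		NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
		Audiences    []string `xml:"AudienceRestriction>Audience"`
	} `xml:"Conditions"`
	Attributes []struct {
		Name         string   `xml:"Name,attr"`
		FriendlyName string   `xml:"FriendlyName,attr"`
		Values       []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

type federatedUser struct {
	Issuer, ID, IDSource string
	Attrs                map[string][]string
	Warnings             []string
}

// consumeAssertion does the SP-side checks on an assertion whose signature the plug-in has
// already validated, then picks the identifier the STS/RA may turn into a DN.
func consumeAssertion(raw []byte, ourEntityID string, now time.Time) (*federatedUser, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return nil, err
	}
	if a.Signature == nil || a.Issuer == "" {
		return nil, errors.New("unsigned or issuer-less assertion")
	}
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil || now.Before(nb) || !now.Before(na) {
		return nil, fmt.Errorf("assertion not valid at %s", now.Format(time.RFC3339))
	}
	forUs := false
	for _, aud := range a.Conditions.Audiences {
		forUs = forUs || aud == ourEntityID
	}
	if !forUs {
		return nil, errors.New("assertion was issued for a different SP")
	}
	u := &federatedUser{Issuer: a.Issuer, Attrs: map[string][]string{}}
	for _, at := range a.Attributes {
		key := at.FriendlyName
		if key == "" {
			key = at.Name
		}
		u.Attrs[key] = append(u.Attrs[key], at.Values...)
	}
	switch eppn := u.Attrs["eduPersonPrincipalName"]; {
	case a.NameID.Format == persistentFmt && a.NameID.Value != "":
		// Persistent NameIDs are unique only within the issuing IdP: qualify with its entityID.
		u.ID, u.IDSource = a.Issuer+"!"+a.NameID.Value, "persistent NameID"
	case len(eppn) == 1 && eppn[0] != "":
		u.ID, u.IDSource = a.Issuer+"!"+eppn[0], "eduPersonPrincipalName"
		u.Warnings = append(u.Warnings, "eduPersonPrincipalName may be reassigned by the IdP: not safe as the sole key for a DN")
	default:
		return nil, errors.New("no persistent identifier in assertion")
	}
	return u, nil
}

// dnCommonName gives a CN that stays the same across logins and cannot collide between IdPs:
// a human-readable name plus a short digest of the issuer-qualified identifier.
func dnCommonName(u *federatedUser) string {
	name := "federated user"
	if v := u.Attrs["displayName"]; len(v) > 0 {
		name = v[0]
	}
	sum := sha256.Sum256([]byte(u.ID))
	return name + " " + hex.EncodeToString(sum[:6])
}

func main() {
	at := time.Date(2015, 2, 4, 10, 1, 0, 0, time.UTC)
	u, err := consumeAssertion([]byte(sampleAssertion), "https://sp.example.org/shibboleth", at)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s (via %s) -> CN=%s\n", u.ID, u.IDSource, dnCommonName(u))
}
```

Behind Shibboleth or mod_auth_mellon the application would read the same values from request environment variables or headers rather than from the XML, but the decision logic is the same: the audience and validity checks stop an assertion minted for another SP or replayed later, and qualifying the NameID with the issuer is what keeps two IdPs from producing the same DN. Whether the "combination of attributes" option is acceptable is a policy question the digest does not answer; it only guarantees that whatever is combined maps to one stable CN.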

What have we achieved so far?
- An IdF-enabled WebFTS is a working prototype, available at https://webfts-dev.cern.ch/
- Only a few test Storage Elements have the IOTA CA configured
- This is an important step towards “X.509-free” access to Grid resources. As said, the same technology may be used for other types of services.

https://github.com/cern-it-sdc-id/webfts
Questions?