Widely Distributed Access Management Tom Barton University of Chicago.

An Everyday Problem
- People would like to use the collaboration tools available to them to collaborate with whom they choose
  – Can we do better than email attachments?

Email as Collaboration Platform
Pros
- Connects arbitrary sets of collaborators
- Shares any type of file (ok, some limits)
- Self access management
Cons
- Insecure (no access control once an attachment is sent; anyone holding a copy can forward it)
- Limited capabilities
- Reduces productivity more than pot-smoking

Campus Collaboration Scenario
- UC faculty/staff self-initialize a collaboration space to work with others internal and external to UC on focused activities
  – e.g. a mailing list, a protected file share, a private wiki or web space, specialized compute or data services
- Collaborators are identified by the initiator
- Both campus and external participants administer the shared collaboration resources

Requirements for Campus Collaboration Scenario
- Authenticate campus and external participants
- Self-creation of a collaboration group by authorized campus people
- Delegation of selective admin privileges to campus and non-campus people
- Integration of collaboration services with the above (whether centrally operated or not)

Service Provider Scenario
- An organization provides collaboration services to a population of users
  – Think Internet2 and its working groups
  – Or a Science Gateway
- Additional requirement: an initial delegation step, since self-initialization may not be appropriate
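The two scenarios above as one worked example, added here and not taken from the slides or from Grouper or Signet: a toy access manager in which authorized campus people self-create a group, the creator delegates UPDATE to an external collaborator who then manages membership (but cannot grant privileges or create groups), and a service operator instead bootstraps a working group with an explicit initial delegation. Privilege names loosely follow Grouper's vocabulary; the implication order ADMIN > UPDATE > READ, the issuer URLs and the subjects are assumptions.

```python
"""Delegated access management for the campus and service-provider scenarios.

Constructed example; not Grouper or Signet code. CREATE is held on a folder,
ADMIN/UPDATE/READ on a group, and each level implies the weaker ones (this
model's assumption). Subjects are keyed by (issuer, identifier): campus and
external participants come from different identity providers, and the same
identifier asserted by two issuers is two different people.
"""
from dataclasses import dataclass, field

Subject = tuple[str, str]                  # (issuer, identifier)
PRIV_ORDER = ("READ", "UPDATE", "ADMIN")   # each level implies those before it


class NotAuthorized(Exception):
    pass


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    privileges: dict = field(default_factory=lambda: {p: set() for p in PRIV_ORDER})

    def has_priv(self, subject: Subject, wanted: str) -> bool:
        # Holding a stronger privilege satisfies a check for a weaker one.
        return any(subject in self.privileges[p]
                   for p in PRIV_ORDER[PRIV_ORDER.index(wanted):])


@dataclass
class Folder:
    name: str
    creators: set = field(default_factory=set)   # holders of CREATE
    groups: dict = field(default_factory=dict)


class AccessManager:
    def __init__(self) -> None:
        self.folders: dict = {}

    # Operator-level setup: who may self-create groups under a folder.
    def add_folder(self, name: str, creators: set) -> Folder:
        self.folders[name] = Folder(name, set(creators))
        return self.folders[name]

    def create_group(self, actor: Subject, folder: str, short_name: str) -> Group:
        f = self.folders[folder]
        if actor not in f.creators:
            raise NotAuthorized(f"{actor} lacks CREATE on {folder}")
        g = Group(f"{folder}:{short_name}")
        g.privileges["ADMIN"].add(actor)    # the initiator administers the new space
        f.groups[short_name] = g
        return g

    # Delegation: only an ADMIN hands out privileges, to anyone, campus or not.
    def grant(self, actor: Subject, g: Group, target: Subject, priv: str) -> None:
        if priv not in PRIV_ORDER:
            raise ValueError(priv)
        if not g.has_priv(actor, "ADMIN"):
            raise NotAuthorized(f"{actor} lacks ADMIN on {g.name}")
        g.privileges[priv].add(target)

    def add_member(self, actor: Subject, g: Group, member: Subject) -> None:
        if not g.has_priv(actor, "UPDATE"):
            raise NotAuthorized(f"{actor} lacks UPDATE on {g.name}")
        g.members.add(member)


CAMPUS = "https://idp.uchicago.example/idp"      # constructed issuer names
EXTERNAL = "https://idp.partner.example/idp"
FACULTY: Subject = (CAMPUS, "faculty1")
PARTNER: Subject = (EXTERNAL, "partner1")
STUDENT: Subject = (CAMPUS, "student1")


def campus_scenario() -> dict:
    """Self-initialization by an authorized campus person, then delegation outward."""
    am = AccessManager()
    am.add_folder("uc:collab", creators={FACULTY})   # in practice a campus group
    g = am.create_group(FACULTY, "uc:collab", "sensor-study")
    am.grant(FACULTY, g, PARTNER, "UPDATE")          # external co-PI manages membership
    am.add_member(PARTNER, g, STUDENT)
    outcome = {"members": sorted(g.members), "partner_can_grant": True,
               "partner_can_create": True}
    try:
        am.grant(PARTNER, g, (EXTERNAL, "partner2"), "ADMIN")   # UPDATE is not ADMIN
    except NotAuthorized:
        outcome["partner_can_grant"] = False
    try:
        am.create_group(PARTNER, "uc:collab", "side-project")   # no CREATE for externals
    except NotAuthorized:
        outcome["partner_can_create"] = False
    return outcome


def service_provider_scenario() -> dict:
    """No self-creation: the operator performs the initial delegation step."""
    am = AccessManager()
    operator: Subject = ("https://idp.internet2.example/idp", "ops")
    chair: Subject = (CAMPUS, "faculty1")
    am.add_folder("i2:wg", creators={operator})
    g = am.create_group(operator, "i2:wg", "mace-dir")
    am.grant(operator, g, chair, "ADMIN")            # initial delegation to the chair
    am.add_member(chair, g, PARTNER)
    return {"chair_is_admin": g.has_priv(chair, "ADMIN"), "members": sorted(g.members)}
```

The point of keying subjects by (issuer, identifier) is that delegation to "partner1" must mean the partner1 asserted by the partner IdP, not anyone who can get a campus account with the same local name.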

Solution Elements
- Distributed access management tools (Grouper and Signet)
- A DB for housing identifiers, memberships and privileges for collaboration participants
- A single locus at which to configure federated SSO (support for internal and external authentication)
- An architecture that adds collaboration attributes (identifiers, memberships, privileges) to the authentication context and passes them along to the collaboration services

Collaboration Connector
- An integration architecture with all solution elements
- Proxy IdP
  – “IdP” = “Identity Provider” à la SAML and Shibboleth
  – Provides SSO and attributes to the integrated services
  – “Proxy” because collaboration attributes must be added to the externally sourced ones
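The attribute-handling step of the proxy IdP, as an added example that is not part of the slides and is not Shibboleth or SAML-library code: the proxy takes the attributes an external IdP asserted, binds the subject to the IdP that asserted it (scope check), looks the subject up in the collaboration DB, merges in the collaboration attributes, and releases per service. Two checks a practitioner wants here: a subject is (issuer, eppn), never the bare eppn, so a second IdP cannot impersonate a partner's user; and membership or privilege attributes arriving from upstream are discarded, because only the collaboration DB is authoritative for them. Issuer URLs, scopes, attribute names, the DB contents and the release policy are all constructed.

```python
"""Attribute flow through a proxy IdP in front of collaboration services.

Constructed example; not Shibboleth or SAML-library code. Only the attribute
decision is modelled: merge external attributes with collaboration attributes
and release per service. All names and values below are assumptions.
"""

# Attributes the collaboration DB is authoritative for. An upstream IdP
# asserting any of these is ignored; otherwise a remote IdP could mint
# memberships and privileges in this collaboration.
COLLAB_ATTRS = {"collabId", "isMemberOf", "collabPrivilege"}

# Scope each registered upstream IdP may assert (from federation metadata in
# a real deployment). Constructed values.
REGISTERED_SCOPES = {
    "https://idp.partner.example/idp": "partner.example",
    "https://idp.uchicago.example/idp": "uchicago.example",
}

# Collaboration DB keyed by (issuer, eppn). Constructed values.
COLLAB_DB = {
    ("https://idp.partner.example/idp", "alice@partner.example"): {
        "collabId": "c-1042",
        "groups": {"uc:collab:sensor-study"},
        "privileges": {"uc:collab:sensor-study:UPDATE"},
    },
}

# Per-service release policy: which attributes each service receives.
RELEASE_POLICY = {
    "https://wiki.collab.example/sp": {"eduPersonPrincipalName", "mail", "collabId", "isMemberOf"},
    "https://files.collab.example/sp": {"collabId", "isMemberOf", "collabPrivilege"},
}


class ProxyError(Exception):
    pass


def subject_key(issuer: str, upstream: dict) -> tuple:
    """Bind the asserted eppn to the IdP that asserted it."""
    if issuer not in REGISTERED_SCOPES:
        raise ProxyError(f"unregistered IdP {issuer}")
    eppn = upstream.get("eduPersonPrincipalName")
    if not eppn or "@" not in eppn:
        raise ProxyError("missing or unscoped eduPersonPrincipalName")
    scope = eppn.rsplit("@", 1)[1].lower()
    if scope != REGISTERED_SCOPES[issuer]:
        # A different IdP asserting alice@partner.example must not become alice.
        raise ProxyError(f"{issuer} may not assert scope {scope}")
    return (issuer, eppn)


def augment(issuer: str, upstream: dict, sp_entity_id: str) -> dict:
    """Merge external and collaboration attributes, then filter for one service."""
    record = COLLAB_DB.get(subject_key(issuer, upstream))
    if record is None:
        raise ProxyError("not a registered collaboration participant")
    merged = {k: v for k, v in upstream.items() if k not in COLLAB_ATTRS}
    merged["collabId"] = record["collabId"]
    merged["isMemberOf"] = sorted(record["groups"])
    merged["collabPrivilege"] = sorted(record["privileges"])
    allowed = RELEASE_POLICY.get(sp_entity_id)
    if allowed is None:
        raise ProxyError(f"no release policy for {sp_entity_id}")
    return {k: v for k, v in merged.items() if k in allowed}


# Constructed upstream assertion, carrying a spoofed membership claim.
UPSTREAM_ALICE = {
    "eduPersonPrincipalName": "alice@partner.example",
    "mail": "alice@partner.example",
    "displayName": "Alice Example",
    "isMemberOf": ["uc:collab:admins"],   # dropped: not the upstream IdP's to assert
}


def demo() -> dict:
    partner_idp = "https://idp.partner.example/idp"
    wiki = augment(partner_idp, UPSTREAM_ALICE, "https://wiki.collab.example/sp")
    files = augment(partner_idp, UPSTREAM_ALICE, "https://files.collab.example/sp")
    try:   # the campus IdP asserting a partner-scoped eppn is refused
        augment("https://idp.uchicago.example/idp", UPSTREAM_ALICE, "https://wiki.collab.example/sp")
        scope_rejected = False
    except ProxyError:
        scope_rejected = True
    return {"wiki": wiki, "files": files, "scope_rejected": scope_rejected}
```

In a Shibboleth deployment the scope check comes from the IdP's registered scopes in federation metadata and the release filter from the attribute-filter policy; the example makes both explicit so the two failure modes (cross-IdP impersonation, upstream-minted memberships) are visible in one place.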

Examples
- MyVocs + GridShib
  – My Virtual Organization Collaboration Service
  – Improvement of user registration, access management and service registration needed
- Dorian + Grid Grouper
  – caBIG’s caGrid security infrastructure
  – Needs adaptation to be more generally deployable
- Almost all needed elements exist to be integrated into a “Collaboration Connector in-a-box”

Is it Better Than Email? Pros

Pro                                      | Email                 | Collaboration Connector
Connects arbitrary sets of collaborators | Yes                   | Yes, with federated authentication
Shares any type of file                  | Yes (ok, some limits) | Yes, whatever the collaboration services provide
Self access management                   | Yes                   | Yes

Is it Better Than Email? Cons

Con                                        | Email | Collaboration Connector
Insecure                                   | Yes   | Secure
Limited capabilities                       | Yes   | Specialized capabilities
Reduces productivity more than pot-smoking | Yes   | We’ll have to do a study!