COI Identity Management and Federation: Design Issues, Process, and Progress
Jim Basney, Tom Scavo, Von Welch
National Center for Supercomputing Applications, University of Illinois at Urbana-Champaign

Identity Management (IdM)
Identity management is the administration of identifiers and attributes (i.e. policy) regarding entities, and the assertion of such between entities.
Provides the basis for authentication and, in combination with governance, authorization.

Identity Federation (IdF)
Federated identity (IdF) is the sharing of identity and attributes across security domains.
  – “Authenticate Locally, Act Globally”
IdM is about Technology
IdF is about Policy

IdM Relationship to Governance
IdM/IdF provides OOI entities with a persistent identifier and a set of attributes, and mechanisms by which to deliver those to other entities.
The governance system then renders authorization decisions based on those identifiers, attributes, and relevant policy.

Motivation for IdM/Authentication
To authorize
  – Often don’t care about identity except as a binding to attributes
For audit
  – E.g. incident response
  – Want binding to contact information and “real world identity” (sometimes for law enforcement)
For metrics
  – How many users have we served?
  – From what communities, universities, etc.?

What identities do we manage?
People
Applications running on a user’s behalf
Servers/Services
  – Becoming more the latter than the former
Data
  – Either at rest or in motion (messages)
  – Integrity, timeliness, source

Issues in Identity Management to Consider

Web Browsers vs Thick Clients
Conceptually similar, but very different to implement and deploy
A key decision for security in general: doing both is almost twice the work
Browsers make for a nice client platform
  – Easy GUI, ubiquitous
  – In terms of security, provide rich but rigid functionality
Thick clients can do whatever you want
  – Just have to implement and maintain it

NIST E-Authentication Guidelines: Aspects of Authentication
Token type
  – What the user has. E.g. password, private key, token, fingerprint…
Identity proofing
  – The vetting process to bind the token to an identity
Remote authentication mechanism
  – The protocol used to verify proof of the token
Assertion mechanism
  – Used to communicate the result of authentication to remote parties
  – E.g. SAML, cookies

Attributes vs Identifiers
Attribute federation often has a different topology than identity federation
Attribute Authorities (AAs) are often different from identity authorities
  – The folks who authenticate your users don’t know everything about them
  – VOs are a prime example
Third-party and commercial IdPs exist for Shibboleth

Semantics
Attribute and identity semantics are an issue
What exactly does “member” mean? Is a retired faculty member a member of a university? A student showing up next Fall?
Is the identity persistent? Can it be reassigned when someone leaves? Is it private?

Delegation: Dealing with N-tier
E.g. a user makes a request of a front-end service, which uses a back-end service to complete the request
Two models:
The trusted front-end service
  – User authenticates and then is vouched for
  – Often easiest to implement and deploy
  – Lose end-to-end trust and information
Delegation
  – Explicit delegation from user to front-end service
  – Specification of limited delegation is still an open issue
  – E.g. RFC 3820: X.509 Proxy Certificates
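The delegation model above (and the RFC 3820 entry under the later “relevant technologies” slide) is easier to reason about with the chain rules written out. The following is an added example, not code from the slides or from any Globus/MyProxy implementation: a simplified model of an RFC 3820 proxy chain (user → front-end → back-end) in which each proxy must be issued by the previous subject, may not outlive it, may not widen the delegated rights, and is limited by a path-length constraint. An HMAC over the fields stands in for the issuer's signature, and the subject names, rights and keys are constructed values.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str              # e.g. "/DC=org/CN=Alice"; a proxy appends "/CN=<label>"
    issuer: str
    not_after: int            # epoch seconds
    path_len: Optional[int]   # pCPathLenConstraint: further proxies allowed below this one
    rights: frozenset         # delegated rights (stand-in for a ProxyCertInfo policy)
    mac: bytes = b""          # issuer's "signature" over the fields above (HMAC stand-in)

def _fields(c: Cert) -> bytes:
    return f"{c.subject}|{c.issuer}|{c.not_after}|{c.path_len}|{','.join(sorted(c.rights))}".encode()

def sign(c: Cert, issuer_key: bytes) -> Cert:
    mac = hmac.new(issuer_key, _fields(c), hashlib.sha256).digest()
    return Cert(c.subject, c.issuer, c.not_after, c.path_len, c.rights, mac)

def delegate(parent: Cert, parent_key: bytes, label: str, not_after: int,
             rights, path_len: Optional[int]) -> Cert:
    """Issue a proxy for `parent`: subject = parent subject + '/CN=' + label."""
    proxy = Cert(parent.subject + "/CN=" + label, parent.subject, not_after,
                 path_len, frozenset(rights))
    return sign(proxy, parent_key)

def validate_chain(chain, keys, now: int):
    """chain[0] is the end-entity cert (assumed already verified against its CA);
    each later element must be a proxy issued by the element before it.
    `keys` maps subject -> verification key. Returns (ok, reason)."""
    allowed = None  # proxies the current parent may still sign (None = unconstrained)
    for parent, proxy in zip(chain, chain[1:]):
        expected = hmac.new(keys[parent.subject], _fields(proxy), hashlib.sha256).digest()
        if not hmac.compare_digest(proxy.mac, expected):
            return False, f"bad signature on {proxy.subject}"
        if proxy.issuer != parent.subject or not proxy.subject.startswith(parent.subject + "/CN="):
            return False, f"naming rule violated for {proxy.subject}"
        if proxy.not_after > parent.not_after or proxy.not_after <= now:
            return False, "proxy outlives its issuer or is expired"
        if not proxy.rights <= parent.rights:
            return False, "proxy widens the delegated rights"
        if allowed is not None and allowed <= 0:
            return False, f"{parent.subject} may not sign further proxies"
        # tighten the remaining depth: the parent's budget minus one, or this proxy's own limit
        limits = [n for n in (proxy.path_len, None if allowed is None else allowed - 1) if n is not None]
        allowed = min(limits) if limits else None
    return True, "ok"
```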

Id Federation Lessons Learned
Based on our development…
  – MyProxy, GridShib, GSI, RFC 3820
…and deployment experience
  – TeraGrid PKI, LTER, LSST, DoEGrids…
Putting an IdF system on a good user database is easy
What is hard?
Maintaining the user database: applications like to assume they know their users
Controlling policy run-away…
Standards are a treadmill
  – X.509, SAML1, SAML2, OpenID…
  – Need to put a stake in the ground and go
Finding the security vs usability sweet spot
  – E.g. short-lived vs long-lived credentials

IdF Deployment Process
Identify the entities being federated
  – Derived from use cases and requirements
  – Users and resources
Select technologies based on requirements
  – Probably more social/political issues here
Identify the stakeholders for those entities
  – PIs, security officers, funding agencies, etc.
Find the policy sweet spot
  – Identify and address social, political and technical issues
  – Define just enough policy to satisfy everyone

An X.509 IdF Example: TeraGrid
TeraGrid CAs present TG users
  – Used both internal and external to TeraGrid
  – Some sites have a local CA
  – NCSA CA serves all TeraGrid users
Resource Providers (RPs) agree on trusted Certificate Authorities (CAs)
  – Internal and external to TeraGrid: leveraging the International Grid Trust Federation
TG users manage the binding of X.509 certificates to accounts
  – I.e. account linking
Use attributes flow from the TG User DB to RPs

COI IdM/IdF Activities to Date
Refining COI models for IdM/IdF
High-level OOI IdM & Governance driver: a scientist is trying to set up a facility out of resources (instruments, computing capabilities, storage) spread out over a variety of authority domains.
Analyzing OOI documents and deriving relevant IdM/IdF use cases/requirements
  – Direct use cases for IdM are rare; usually they are a component of another use case

OOI Documents Analyzed for Use Cases with an IdM Component
ORION Cyberinfrastructure Concept of Operations (Version 0r )
Device Life Cycle Concept of Operations for Device Alpha (Instrument Life Cycle Concept of Operations v1r00.pdf)
OOI Cyberinfrastructure Architecture & Design: OV-5 Operational Activity Model (OV5.doc)
CI System Requirements Document (CI-SRD-1.4-edited.doc)
  – Has requirements against which we will reconcile
OOI Domain Model (OOI-DomainModel-draft.pdf)
  – Source of terminology
OOI COI Prototype (COI_Early_Prototype.ppt)
OOI CI Design Overview & Security Options (Security CIIO.pdf)
Underlined (in the original slides) are significant sources of IdM use cases

Example OOI IdM Use Cases
An OOI user creates a personal page on the OOI web portal.
An OOI user subscribes to a data stream.
  – The user provides some information about how the data will be used.
  – The user obtains a data subscription token for the desired data stream.
  – The CI associates the user's identity and contact information with the subscription token.
  – The user associates a modeling application with the data stream via the subscription token.
  – [The ConOps document says the user edits the subscription token, but this violates the integrity of the token.]
  – The modeling application executes whenever a new data resource is received from the data stream.
  – The modeling application submits the subscription token every time it accesses the data stream.
  – If a new data resource is received while the application is running, the data are cached so that the application can access the data during a subsequent execution cycle.
An OOI user creates a Virtual Laboratory (VL) and vouches for prospective VL members.
  – An OOI member credential is required to create a VL. (A provisional credential is not sufficient.)
  – The VL owner provides the names and addresses of invited VL members.
  – The CI sends an invitation (with a link) to join the VL.
An application subscribes to a data stream.
  – The user reconfigures the application to receive a notification when a new data source comes on line.
  – The application parses the Resource Descriptor and determines the relevancy of the new data source.
  – The application subscribes to the data stream by sending a message to the CI.
  – The CI issues a tentative subscription token to the application pending user review.
Etc.

Example Derived IdM Requirements
OOI accepts two types of identity credentials, strong credentials and weak credentials.
  – A strong credential is a long-lived credential.
  – A weak credential is a short-lived credential.
OOI strong credentials are managed by a trusted third party.
  – Multiple external credential issuers must be supported.
  – Identity verification is required to obtain a long-lived member credential.
  – A strong identity vetting process must be defined (e.g., international participants must present a passport to obtain a long-lived credential).
OOI weak credentials may be managed by OOI or by a trusted third party.
  – New users may obtain weak credentials by invitation from an OOI user possessing a long-lived OOI member credential.
OOI administrators require identifying and contact information (name, phone, etc.) for all users accessing OOI resources, so that rogue users are quickly traceable to their true identity and can be prevented from harming the system or its operations.
Etc.

Next Steps
Define refined IdM/IdF domain models
  – Linked with Governance and broader COI work
  – Leverage SAML/Liberty for non-science requirements

Next Steps (cont.)
Map models to relevant standards and implementations
  – Leverage IdF/campus infrastructure as much as possible
Some relevant technologies…
Authentication:
  – Shibboleth: Web browser IdF/SAML
  – PKI/GSI, MyProxy, GridShib: Thick-client IdF
Delegation:
  – RFC 3820 Proxy Certificates: Delegation for PKI
Policy Management:
  – Grouper, Signet, CoManage: Shibboleth-based VO management

Thank you
Questions?