Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

Slides:

Advertisements

Similar presentations

LEAD Portal: a TeraGrid Gateway and Application Service Architecture Marcus Christie and Suresh Marru Indiana University LEAD Project (

Advertisements

MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy: A Multi-Purpose Grid Authentication Service

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Case Studies in Identity Management for Scientific Collaboration 2014 Technology Exchange Jim Basney CILogon This material is.

July 11 - September FFIEC Central Data Repository Bank Enrollment.

Grid Security. Typical Grid Scenario Users Resources.

WSO2 Identity Server Road Map

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

1/13/05NCASSR PNNL Visit1 Security Tools Area Overview, Credential Management Services, and the PKI Testbed Jim Basney Senior Research Scientist

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

Federated Identity for Scientific Collaborations: Policy Issues Jim Basney 2 nd Workshop on Federated Identity Systems for Scientific.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE CSci530: Computer Security Systems Authentication.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

GRDevDay March 21, 2015 Cloud-based Identity for Applications.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

MyProxy NMI Integration Jim Basney, NCSA Marty Humphrey, University of Virginia

SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Prabath Siriwardena Senior Software Architect. An open source Identity & Entitlement management server.

FIM-ig Federated Identity Management Interest Group.

Smart Card Single Sign On with Access Gateway Enterprise Edition

University of Illinois at Urbana-Champaign National Center for Supercomputing Applications COI Identity Management and Federation: Design Issues, Process,

Exploratory Data Analysis & Visualization, Spring 2015: Intro to APIs and examples in Python Yu Tian, Christine Lee March 31, 2015.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

Software for Science Gateways: Open Grid Computing Environments Marlon Pierce, Suresh Marru Pervasive Technology Institute Indiana University

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Geneva, Switzerland, September 2014 Identity Based Attestation and Open Exchange Protocol (IBOPS) Scott Streit Chief Scientist.

Module 5 Configuring Authentication. Module Overview Lesson 1: Understanding Classic SharePoint Authentication Providers Lesson 2: Understanding Federated.

Managing Credentials with MyProxy Jim Basney National Center for Supercomputing Applications University of Illinois

National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign NCSA Two Factor CA Jim Basney

Federated Environments and Incident Response: The Worst of Both Worlds? A TeraGrid Perspective Jim Basney Senior Research Scientist National Center for.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.

Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1, Jim Basney 2, Tim Freeman.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

Security, Accounting, and Assurance Mahdi N. Bojnordi 2004

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

All Rights Reserved 2014 © CMG Consulting LLC Federated Identity Management and Access Andres Carvallo Dwight Moore CMG Consulting, LLC October

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.

Federating non-web services with LDAP-Façade

Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.

Challenges of Federated Authentication to TeraGrid and Open Science Grid Jim Basney

National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.

WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.

Secure Mobile Development with NetIQ Access Manager

#SummitNow Consuming OAuth Services in Alfresco Share Alfresco Summit 2013 Will Abson

Enabling the Modern Workstyle with Windows 10 & Azure Active Directory Venkatesh Gopalakrishnan 2016 Redmond Summit | Identity Without Boundaries May 25,

Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.

1 Name of Meeting Location Date - Change in Slide Master Authentication & Authorization Technologies for LSST Data Access Jim Basney

Gateways security Aashish Sharma Security Engineer National Center for Supercomputing Applications (NCSA) University of Illinois at Urbana-Champaign.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

Consuming OAuth Services in Alfresco Share

Data and Applications Security Developments and Directions

A Grid Authorization Model for Science Gateways

Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.

Presentation transcript:

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor Suresh Marru Marlon Pierce This material is based upon work supported by the National Science Foundation under grant number

National Center for Supercomputing Applications (NCSA) Located at University of Illinois at Urbana-Champaign Established in 1986 by NSF Supercomputer Centers Program

Distributed Web Security for Science Gateways Software Development for Cyberinfrastructure grant from the NSF Office of CyberInfrastructure ( 3 year project: August 2011 – July 2014 Co-PIs: Marlon Pierce (IU), Rion Dooley (TACC) What is cyberinfrastructure? Supercomputers, mass-storage systems, data repositories, networks, software and more Supporting science and engineering research and education

Motivating Example: Photo Printing Your flickr Password Photos Your flickr Password

Defining Terms Authentication: Who are you? customer # name: Jim Basney Authorization: What are you allowed to do? Access private information Charge purchases to your credit card Delegated Authorization: Authorizations you grant to others Park your car (valet key) View your photos on Flickr Collaboratively edit an online Google doc Credential: How security information is conveyed Also known as Assertion or Token

Delegated Authorization Token Authenticate & Grant Access to Photos Toke n PhotosRequest Access to Photos

OAuth An open protocol for delegated authorization (oauth.net) Development OAuth 1.0 released (October 2007) OpenID+OAuth hybrid developed (2009) OAuth 1.0a revision (June 2009) RFC 5849 (Informational), April 2010 OAuth WRAP ( ) Basis for OAuth 2.0 OAuth 2.0 Standards Track RFC coming soon OpenID Connect based on OAuth 2.0 Used by Flickr, Twitter, Facebook, Google, Netflix, …

OAuth 1.0 Model Resource Owner Client Server Token Authenticate & Grant Access Toke n ResourceRequest Access

OAuth 2.0 Model Resource Owner Client Token Authenticate & Grant Access Toke n Resource Request Access Authorization Server Resource Server Validate Token Token Refresh

Authentication Model User App Identity Provider Assertion Authenticate Assertion Who are you? Examples: OpenID, SAML Assertion User Information

Authentication Via Delegation Resource Owner App Identity/R esource Provider Token Authenticate & Grant Access to My Info Toke n User Information Who are you? Example: OpenID Connect

Authentication Via Delegation Bad Idea App: Who are you? User: Here’s full access to my Twitter account. Better Idea App: Who are you? User: Here’s read access to my Twitter account profile. Delegated access to user’s profile information difference-between-oauth-authentication-and-openid/ Example: OpenID Connect built on OAuth

OAuth 1.0 Model (Again) Resource Owner Client Server Token Authenticate & Grant Access Toke n ResourceRequest Access

External Authentication Resource Owner Client Server Password AuthN Service Examples: LDAP, RADIUS, PAM, Kerberos Verify Password

Token-based Authentication Resource Owner Client Server IdP Examples: OpenID, SAML, Kerberos PasswordAssertion Who are you? User Attributes

Science Gateways

Science Gateways: Accessing Resources user accesses science gateway science gateway uses external resources (supercomputers, compute clusters, data stores)

Science Gateways: Tiered Access Models user authenticates to science gateway science gateway authenticates to service providers

Science Gateways: Tiered Access Models Option A: Transitive Trust Bilateral agreement between science gateway & service provider Bulk allocation of service to the science gateway Service provider may not know who the end users are Users may not know who the underlying service providers are Option B: Delegation of Rights End user has account at underlying service provider Goal: Use underlying services via science gateway interfaces Science Gateway explicitly acts on the user’s behalf when interacting with the underlying service providers Both options are useful Today let’s focus on Option B: Delegation of Rights

Motivating Example: Science Gateway Your Password Access Your Password

Delegated Authorization via OAuth Token Authenticate & Grant Access Toke n AccessRequest Access to Supercomputer

Challenge: Multi-Tier Science Gateways Web Browser Gadget Container Gadget Backing Service Service Factory Info Service Compute Cluster Data Store Service Factory Science Gateway External Services … ……

Long-Running Science Gateway Workflows Common Science Gateway Use Case: Scientist launches workflow (computational simulation, data analysis, data movement/replication, visualization) Workflow runs for hours/days/weeks Scientist monitors workflow / receives notifications of completion Challenge: Duration of Delegation “How long can the science gateway act on my behalf?” Ideally: only as needed for the workflow to complete Limit duration of delegation to minimize window of exposure Difficult / inconvenient to predict workflow duration Approaches: refresh / renewal / revocation OAuth 2.0 refresh is needed!

Globus Online Example Kerberos Authentication Server

Back-end Authentication (Again) Resource Owner Client Server Password AuthN Service Verify Password

Globus Online Example

Globus Online Example Kerberos Authentication Server

OOI Example

Token-based Authentication (Again) Resource Owner Client Server IdP PasswordAssertion Who are you? User Attributes

OOI Example

OOI Example

OOI Example

Wrap Up More info References Jim Basney, Rion Dooley, Jeff Gaynor, Suresh Marru, and Marlon Pierce, "Distributed Web Security for Science Gateways," Gateway Computing Environments Workshop (GCE11), November 17, 2011, Seattle, WA. Jim Basney and Jeff Gaynor, "An OAuth Service for Issuing Certificates to Science Gateways for TeraGrid Users," TeraGrid Conference, July 18-21, 2011, Salt Lake City, UT. Jim Basney, Von Welch, and Nancy Wilkins-Diehr, "TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned," TeraGrid Conference, August 2-5, 2010, Pittsburgh, PA. Von Welch, Jim Barlow, James Basney, Doru Marcusiu, Nancy Wilkins-Diehr, "A AAAA model to support science gateways with community accounts," Concurrency and Computation: Practice and Experience, Volume 19, Issue 6, March Thanks for your interest!