Interoperability AAI and Grids
Christoph Witzig, SWITCH
NORDUnet Conference, April 9, 2008
EGEE-II INFSO-RI, Enabling Grids for E-sciencE. EGEE and gLite are registered trademarks.
Enabling Grids for E-sciencE, EGEE-II INFSO-RI. NORDUnet, Helsinki, April 9

Content
- Introduction to AAIs
  – Why interoperability AAI - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth
- Interoperability Shibboleth - Grid within EGEE
  – Short-lived credential service (SLCS)
  – Attribute exchange to VOMS
  – Future developments within EGEE
- Other activities in interoperability Shibboleth - Grids
- Summary
Security Models
- AAI solve the old problem of access control to resources
- Various technologies are in use; their usefulness depends on the underlying infrastructure
1. Crusader Castle
2. League of Nations
3. Federations
Crusader Castle
- Appropriate for few, non-mobile users
Crusader Castle
[Diagram: University A, Library B, University C; resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; legend: Authorization, User Administration, Authentication, Resource, Credentials; every resource keeps its own user administration, authentication, authorization and credentials]
- Tedious user registration at all resources
- Unreliable and outdated user data at resources
- Different login processes
- Many different passwords
- Many resources not protected due to these difficulties
- Often IP-based authorization
- Costly implementation of inter-institutional access
League of Nations
[Diagram: University A, University C; resources Student Admin, Web Mail, e-Learning, Research DB; legend: Authorization, User Administration, Authentication, Resource, Credentials; a Passport Issuer (CA) issues X.509 credentials]
- User registration process with a CA
- User has one credential to present to resources
- authN and authZ at the resource
- User has to manage the credential
- Standard use in grids (IGTF)
- Delegation mechanism
- Standardized credentials (International Conference on Passports, 1920)
Federated Identity Management
[Diagram: University A, Library B, University C; resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; legend: Authorization, User Administration, Authentication, Resource, Credentials]
- No user registration and no user data maintenance needed at the resource
- Single login process for the users
- Many new resources available for the users
- Enlarged user communities for resources
- Efficient implementation of inter-institutional access
Shibboleth:
- Open source, Internet2
- SAML
- Web-based single sign-on
- authN at the Identity Provider (IdP)
- authZ at the Service Provider (SP), based on the user's attributes as provided by the IdP
- Privacy
Example of an AAI: SWITCHaai
Why Interoperability AAI - Grid?
- For AAI federations: add grid resources to the federation
- For Grids: add a huge user base (campus networks)
- For e-Science: a unified user base; bring stakeholders together (NRENs - Grids)
- For users: simpler management of credentials; easy access to grids
Interoperability Challenges
- authN at the grid resource
- Attribute-based authZ
- Federation attributes vs. VO attributes
- Delegation
- Renewal of credentials
Overview Phase 1 and 2
- SLCS = Short Lived Credential Service
- VASH = VOMS Attributes from Shibboleth
Design Decisions
- SLCS CA and VOMS SP independent of each other
  – Separate Service Providers
  – Deployed independently
- SLCS CA independent of the grid middleware
- VOMS SP only dependent on VOMS
Short Lived Credential Service (SLCS)
SLCS Profile
SLCS = Short Lived Credential Service, an International Grid Trust Federation (IGTF) profile.
Minimum requirements, SLCS compared with a classic X.509 certificate:

                      SLCS                                          X.509 certificate (classic)
Certificate basis     Identity management system                    Traditional Registration Authority (e.g. passport)
Lifetime              < 1 million seconds (about 11.5 days)         < 1 year + 1 month
Revocation handling   Optional                                      Mandatory
SLCS Design
- The private key is never transferred
- Use a commercial CA and only standard protocols
- Modular design, such that other people can use their own components
- Shibboleth attributes determine the DN
SLCS Operation
For the user:
- Command line: slcs-init --idp
- Part of the gLite User Interface (gLite-UI 3.1); can also be installed independently
For the RA, from a web-based admin tool:
- Can enable or disable individual users (only for his own institution)
- Requirements formulated in the CP/CPS
- Can obtain log information (audit)
SWITCH operates the service for the SWITCHaai federation
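The SLCS design and operation rules above (key generated at the client and never transferred, DN derived from Shibboleth attributes, lifetime bounded by the IGTF SLCS profile, RA enable/disable limited to the RA's own institution, audit trail) as one runnable model. This is an added example, not SWITCH's or EGEE's SLCS code: the attribute names, the DN layout, the CA issuer name and the timestamps are assumptions, an HMAC keyed with a CA secret stands in for the X.509 signature, and a random client secret stands in for the RSA private key.

```python
"""Toy model of the SLCS issuance flow (added example, not SWITCH's or EGEE's code).

Assumptions not taken from the slides:
- the attribute names eduPersonPrincipalName, displayName and homeOrganization
- the DN layout /DC=ch/DC=example/DC=slcs/O=<org>/CN=<name> <id>
- an HMAC keyed with a CA secret stands in for the CA's X.509 signature, and a
  random client secret stands in for the RSA private key (no real PKI here).
"""
import hashlib
import hmac
import json
import secrets

SLCS_MAX_LIFETIME = 1_000_000   # IGTF SLCS profile: lifetime must stay below 1 million seconds
ISSUER_DN = "/DC=ch/DC=example/CN=SLCS CA"   # constructed issuer name


class SlcsClient:
    """The slcs-init side: the key pair is generated locally, the private part never leaves."""

    def __init__(self):
        self._private_key = secrets.token_bytes(32)                      # stays in this object
        self.public_id = hashlib.sha256(self._private_key).hexdigest()  # stand-in for the public key

    def request(self, lifetime):
        # Only the public half and the requested lifetime go to the SLCS server.
        return {"public_id": self.public_id, "lifetime": lifetime}


class SlcsService:
    """Server side: the Shibboleth attributes determine the DN, the CA signs."""

    def __init__(self, ca_secret):
        self._ca_secret = ca_secret
        self._disabled = set()   # (homeOrganization, eduPersonPrincipalName) blocked by an RA
        self.audit = []          # what the RA admin tool can read back

    def ra_set_enabled(self, ra_org, attrs, enabled):
        """RA admin tool: an RA may only enable/disable users of his own institution."""
        key = (attrs["homeOrganization"], attrs["eduPersonPrincipalName"])
        if ra_org != key[0]:
            raise PermissionError(f"RA of {ra_org} may not administer users of {key[0]}")
        if enabled:
            self._disabled.discard(key)
        else:
            self._disabled.add(key)
        self.audit.append(("ra", ra_org, key[1], "enabled" if enabled else "disabled"))

    @staticmethod
    def dn_from_attributes(attrs):
        # A short hash of the principal name keeps the CN unique when display names collide.
        uid = hashlib.sha1(attrs["eduPersonPrincipalName"].encode()).hexdigest()[:8]
        return (f"/DC=ch/DC=example/DC=slcs/O={attrs['homeOrganization']}"
                f"/CN={attrs['displayName']} {uid}")

    def _sign(self, tbs):
        msg = json.dumps(tbs, sort_keys=True).encode()
        return hmac.new(self._ca_secret, msg, hashlib.sha256).hexdigest()

    def issue(self, attrs, req, now):
        """Called after the Shibboleth SP has authenticated the user and released attrs."""
        key = (attrs["homeOrganization"], attrs["eduPersonPrincipalName"])
        if key in self._disabled:
            self.audit.append(("deny", key[1], "disabled by RA"))
            raise PermissionError(f"{key[1]} is disabled by the RA")
        lifetime = min(req["lifetime"], SLCS_MAX_LIFETIME - 1)   # never exceed the profile cap
        tbs = {                                                  # the "to be signed" part
            "subject": self.dn_from_attributes(attrs),
            "issuer": ISSUER_DN,
            "notBefore": now,
            "notAfter": now + lifetime,
            "public_id": req["public_id"],
        }
        self.audit.append(("issue", key[1], tbs["subject"], lifetime))
        return dict(tbs, signature=self._sign(tbs))

    def verify(self, cert, now):
        """What a relying party checks: signature and validity window.
        (With real X.509 it would need only the CA certificate, not a shared secret.)"""
        tbs = {k: v for k, v in cert.items() if k != "signature"}
        if not hmac.compare_digest(self._sign(tbs), cert.get("signature", "")):
            return False
        return cert["notBefore"] <= now < cert["notAfter"]


def demo(now=1_207_728_000):   # constructed timestamp (April 2008)
    ca = SlcsService(ca_secret=b"constructed-ca-secret")
    client = SlcsClient()
    attrs = {   # constructed attribute set, as an IdP would release it
        "eduPersonPrincipalName": "alice@example.ch",
        "displayName": "Alice Example",
        "homeOrganization": "Example University",
    }
    # The user asks for more than the profile allows; the service caps it.
    cert = ca.issue(attrs, client.request(lifetime=5_000_000), now)
    return ca, client, attrs, cert


if __name__ == "__main__":
    ca, client, attrs, cert = demo()
    print(cert["subject"], cert["notAfter"] - cert["notBefore"])
```

The two properties worth checking in a real deployment are the same as in the model: nothing containing the private key crosses the wire (only the public key, in a CSR), and the server, not the client, decides the lifetime.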
Status SLCS
- Software development finished in 2006
- SWITCH SLCS Root CA accredited by EuGridPMA in February 2007
- SWITCH SLCS in production since April
Attribute Exchange to VOMS: VOMS Attributes from Shibboleth (VASH)
Problem
- SLCS ties
  – AAI authentication to the issuance of an X.509 certificate
  – AAI attributes to the construction of the DN
- The next step is to make AAI attributes available to grid resources for authorization decisions
  – Which AAI attributes are of interest to a grid resource?
  – How does the resource obtain the attributes (pull vs. push)?
  – Relation to VO attributes
  – Deployment issues
VASH Design (1)
- VASH: VOMS Attributes from Shibboleth
- Shibboleth SP
  – Browser-based
  – Specific to the federation
- VO lightweight SP
  – No administrator duties
  – No management of attributes
  – Simply transfers attributes upon user request
VASH Design (2)
- X.509 and proxy X.509 with VOMS AC unchanged
- No change in VOMS
  – Requires VOMS version or higher
- VO registration not changed
- Administrative domains of the Shibboleth federation and of VOMS fully decoupled
- The user manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)
Deployment Options
- Option 1: as an add-on to an existing VOMS-based VO
- Option 2: as a registration tool which allows a member of a Shibboleth IdP to become a member of a VOMS-based VO
- Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)
Status VASH
- Software implementation done
- MJRA1.5 document:
- Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available
  – Access to the VOMS AC
  – LCAS/LCMAPS plugin
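The VASH design (a lightweight SP that only copies federation attributes into VOMS for the DN the user has mapped, both deployment options) together with the resource-side evaluation listed above (attributes read from the VOMS AC, an LCAS-style allow/deny and an LCMAPS-style account mapping) as one runnable model. This is an added example, not the EGEE VASH, VOMS, LCAS or LCMAPS code: the VO name example.vo, the group analysis, the attribute names, the site rule and the pool-account names are assumptions; ACs are plain dicts here, whereas real VOMS ACs are signed attribute certificates embedded in the proxy.

```python
"""Toy model of VASH and of VOMS-attribute evaluation at a grid resource
(added example; not the EGEE VASH, VOMS, LCAS or LCMAPS code).

Assumptions not on the slides: the VO example.vo, the group analysis, the
attribute names eduPersonAffiliation/homeOrganization, the site rule and the
pool-account names. An AC is a plain dict; real VOMS ACs are signed X.509
attribute certificates carried in the proxy.
"""
from fnmatch import fnmatchcase


class Voms:
    """VOMS server state: FQANs (VO/group/role membership) and generic attributes per DN."""

    def __init__(self, vo):
        self.vo = vo
        self.members = {}   # DN -> list of FQANs such as "/example.vo/analysis/Role=NULL/Capability=NULL"
        self.generic = {}   # DN -> {name: value}; generic attributes travel inside the AC

    def add_member(self, dn, groups=()):
        fqans = [f"/{self.vo}/Role=NULL/Capability=NULL"]
        fqans += [f"/{self.vo}/{g}/Role=NULL/Capability=NULL" for g in groups]
        self.members[dn] = fqans

    def issue_ac(self, dn):
        """What voms-proxy-init obtains: the AC that goes into the proxy."""
        if dn not in self.members:
            raise PermissionError(f"{dn} is not a member of {self.vo}")
        return {"vo": self.vo, "holder": dn,
                "fqans": list(self.members[dn]),
                "attributes": dict(self.generic.get(dn, {}))}


class Vash:
    """Lightweight Shibboleth SP in front of VOMS. It manages no attributes of its own:
    on the user's request it copies selected federation attributes to the DN the user
    mapped to his Shibboleth id (option 1), optionally registering that DN first (option 2)."""

    EXPORTED = ("eduPersonAffiliation", "homeOrganization")   # assumed attribute selection

    def __init__(self, voms, register_new_members=False):
        self.voms = voms
        self.register_new_members = register_new_members
        self.dn_of = {}   # Shibboleth user id -> DN, maintained by the user himself

    def map_dn(self, shib_id, dn):
        self.dn_of[shib_id] = dn

    def transfer(self, shib_id, shib_attrs):
        dn = self.dn_of.get(shib_id)
        if dn is None:
            raise LookupError(f"{shib_id} has not mapped a DN")
        if dn not in self.voms.members:
            if not self.register_new_members:
                raise PermissionError(f"{dn} is not in {self.voms.vo}")
            self.voms.add_member(dn)   # option 2: VASH as registration tool
        exported = {k: v for k, v in shib_attrs.items() if k in self.EXPORTED}
        self.voms.generic.setdefault(dn, {}).update(exported)
        return dn, exported


# --- resource side: the two plug-in stages named on the slide ------------------

def lcas_decide(ac, rules):
    """LCAS-style yes/no: some rule must match an FQAN in the AC and every attribute
    requirement of that rule must be met by the AC's generic attributes."""
    for rule in rules:
        fqan_ok = any(fnmatchcase(f, rule["fqan"]) for f in ac["fqans"])
        attrs_ok = all(ac["attributes"].get(k) in allowed
                       for k, allowed in rule.get("require", {}).items())
        if fqan_ok and attrs_ok:
            return True
    return False


def lcmaps_map(ac, pools):
    """LCMAPS-style mapping: pools are tried most specific first; the first pattern
    matched by any FQAN in the AC selects the local account."""
    for pattern, account in pools:
        if any(fnmatchcase(f, pattern) for f in ac["fqans"]):
            return account
    return None


RULES = [   # constructed site policy: the analysis group is open to staff and faculty only
    {"fqan": "/example.vo/analysis/*", "require": {"eduPersonAffiliation": {"staff", "faculty"}}},
]
POOLS = [("/example.vo/analysis/*", "exvoana"), ("/example.vo/*", "exvo")]


def demo():
    voms = Voms("example.vo")
    alice_dn = "/DC=ch/DC=example/DC=slcs/O=Example University/CN=Alice Example 1a2b3c4d"
    bob_dn = "/DC=ch/DC=example/DC=slcs/O=Example University/CN=Bob Example 5e6f7a8b"
    voms.add_member(alice_dn, groups=["analysis"])
    voms.add_member(bob_dn, groups=["analysis"])
    vash = Vash(voms)
    vash.map_dn("alice@example.ch", alice_dn)
    vash.map_dn("bob@example.ch", bob_dn)
    # constructed attribute sets as a Shibboleth IdP would release them to the SP
    vash.transfer("alice@example.ch", {"eduPersonAffiliation": "staff",
                                       "homeOrganization": "Example University",
                                       "mail": "alice@example.ch"})   # mail is not exported
    vash.transfer("bob@example.ch", {"eduPersonAffiliation": "student",
                                     "homeOrganization": "Example University"})
    results = {}
    for name, dn in (("alice", alice_dn), ("bob", bob_dn)):
        ac = voms.issue_ac(dn)
        results[name] = (ac, lcas_decide(ac, RULES), lcmaps_map(ac, POOLS))
    return results
```

Note that the federation attribute only influences the decision because it was carried in the AC; the resource never talks to the IdP, which is the push model the slides contrast with pull.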
Future Developments within EGEE: SAML Support in Grids
SAML Support
Goal: extend the use of SAML in grids beyond what EGEE-II already provides (SLCS, VASH)
Benefits:
– The (average) user has no certificates anymore
– Introduce SAML gently beyond phases 1 and 2, gain experience
– Compatible with the Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementations
– Options open for the future
Requires: a means for a service to transform a security token it has into the security token it needs
Security Token Service
- WS-Trust defines mechanisms for brokering trust through an authority called a Security Token Service (STS)
- The STS has a trust relationship with both the client and the service
Use Cases
Grid:
– A Shibboleth user wants to access a grid resource (e.g. WMS, File Catalogue, Storage Element, ...)
– The user needs to obtain a security token that the grid services understand (X.509)
Non-browser-based Shibboleth applications:
– The user agent contacts the Shibboleth IdP with a credential (e.g. username, password)
– The user agent receives a SAML assertion to be sent to a Shibboleth SP
Other Activities
- GridShib
  – Globus
  – Community access to TeraGrid through gateways
- Activities in the UK
  – Shebangs and ShibGrid
  – Shintau: attribute aggregation from multiple IdPs
- OMII-Europe
  – SAML assertions from VOMS
GridShib Software Components
- GridShib for Globus Toolkit: a plugin for GT 4.0
- GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
- GridShib CA: a web-based CA for new grid users
- GridShib SAML Tools: tools for portals and users to embed attributes into X.509 credentials
All at:
(Slide courtesy of Von Welch, NCSA)
Community Access via Science Gateway
[Diagram labels: Authenticate; Web Portal; GridShib SAML Tools; Attributes; Grid Requests; GridShib for GT; GridShib for Shib; Local Attributes (may be dynamic)]
(Slide courtesy of Von Welch, NCSA)
Summary
- Interoperability AAI - Grids makes the Grid accessible to a large user community
- Interoperability Grid - Shibboleth in EGEE:
  – SLCS service: online CA issuing X.509 certificates based upon authN at a Shibboleth IdP
  – VASH service: transfers Shibboleth attributes into VOMS; the Shibboleth attributes are available to grid resources as part of the VOMS AC
  – SLCS and VASH can be used independently of gLite
  – SAML support in grids through a Security Token Service (STS)
- Other interoperability efforts
  – GridShib
  – UK e-Science: ShibGrid, Shintau
Q & A
SWITCH SLCS Setup
Three separate servers in increasingly secure environments (network and physical access):
- Front End
  – Shibboleth SP
- SLCS Server
  – Tomcat web app
- Online CA
  – Microsoft Certificate Server
  – Hardware Security Module (HSM)
- Offline CA
  – Signs the Online CA
  – Stored in a bank safe
Web Interface VASH Service
Multiple Security Domains
- A client may need to communicate with services that operate across trust boundaries (e.g. Shibboleth SAML vs. grid X.509)
- Multiple STSs can be used in a trust chain across security domains (delegated trust)
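The STS use case from the "Security Token Service" and "Use Cases" slides (a user agent with a SAML assertion from the IdP obtains the X.509-style token a grid service such as the WMS understands) and the trust chain of several STSs across security domains from this slide, as one runnable model. This is an added example, not the EGEE or Shibboleth STS implementation: the domain and issuer names, the dict token format, the lifetimes and an HMAC keyed with each issuer's secret (standing in for XML signatures) are assumptions. RST/RSTR are the WS-Trust RequestSecurityToken message and its response.

```python
"""Toy model of WS-Trust token exchange through a chain of Security Token Services
(added example; not the EGEE/Shibboleth STS). Assumptions not on the slides: the
domain and issuer names, the dict token format, the lifetimes, and an HMAC keyed
with each issuer's secret standing in for XML signatures."""
import hashlib
import hmac
import json


class Issuer:
    """Anything that signs tokens: an IdP or an STS."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret

    def sign(self, body):
        msg = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def issue(self, kind, subject, audience, not_after, chain=()):
        body = {"kind": kind, "issuer": self.name, "subject": subject,
                "audience": audience, "not_after": not_after, "chain": list(chain)}
        return dict(body, signature=self.sign(body))

    def verify(self, token, now):
        body = {k: v for k, v in token.items() if k != "signature"}
        return (token.get("issuer") == self.name
                and hmac.compare_digest(self.sign(body), token.get("signature", ""))
                and now < token["not_after"])


class Sts(Issuer):
    """Brokers trust: accepts tokens from the issuers it trusts (each with the token
    kind it issues) and returns a token of the kind its own domain's services understand."""

    def __init__(self, name, secret, trusted, issues_kind, max_lifetime):
        super().__init__(name, secret)
        self.trusted = {iss.name: (iss, kind) for iss, kind in trusted}
        self.issues_kind = issues_kind
        self.max_lifetime = max_lifetime

    def request_security_token(self, rst, now):
        """RST in, RSTR out. The subject is carried over; the chain records every hop."""
        tok = rst["token"]
        entry = self.trusted.get(tok.get("issuer"))
        if entry is None:
            raise PermissionError(f"{self.name}: no trust relationship with {tok.get('issuer')}")
        issuer, kind = entry
        if tok.get("kind") != kind or not issuer.verify(tok, now):
            raise PermissionError(f"{self.name}: invalid {kind} token")
        if tok["audience"] != self.name:
            raise PermissionError(f"{self.name}: token not addressed to this STS")
        not_after = min(tok["not_after"], now + self.max_lifetime)   # never outlive the input
        return {"token": self.issue(self.issues_kind, tok["subject"], rst["applies_to"],
                                    not_after, chain=tok["chain"] + [tok["issuer"]])}


class Service:
    """A grid service (e.g. the WMS) that understands only its own domain's token kind
    and trusts only its domain's STS."""

    def __init__(self, name, sts, kind):
        self.name, self.sts, self.kind = name, sts, kind

    def accept(self, token, now):
        return (token["kind"] == self.kind and token["audience"] == self.name
                and self.sts.verify(token, now))


def demo(now=1_207_728_000):   # constructed timestamp (April 2008)
    idp = Issuer("idp.example.ch", b"idp-secret")
    fed_sts = Sts("sts.federation.example", b"fed-secret",
                  trusted=[(idp, "saml")], issues_kind="saml", max_lifetime=28_800)
    grid_sts = Sts("sts.grid.example", b"grid-secret",
                   trusted=[(fed_sts, "saml")], issues_kind="x509", max_lifetime=43_200)
    wms = Service("wms.grid.example", grid_sts, "x509")
    # 1. the non-browser user agent authenticates at the IdP and gets a SAML assertion
    assertion = idp.issue("saml", "alice@example.ch", fed_sts.name, now + 300)
    # 2. the federation STS re-issues it for the grid STS (first hop of the chain)
    fed_token = fed_sts.request_security_token(
        {"token": assertion, "applies_to": grid_sts.name}, now)["token"]
    # 3. the grid STS issues the token kind the WMS understands (second hop)
    grid_token = grid_sts.request_security_token(
        {"token": fed_token, "applies_to": wms.name}, now)["token"]
    return idp, fed_sts, grid_sts, wms, assertion, grid_token


if __name__ == "__main__":
    *_, wms, assertion, grid_token = demo()
    print(grid_token["kind"], grid_token["chain"], wms.accept(grid_token, 1_207_728_000))
```

The grid STS deliberately has no trust relationship with the IdP: presenting the IdP's assertion to it directly is rejected, which is exactly why the second STS in the chain exists.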