2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.


Slide 2: Outline
– Introduction: overview of SWITCH; SWITCH activities in AAI and Grid
– SWITCHaai, the Swiss Shibboleth-based AAI: how it works; Shibboleth concepts
– EGEE security framework: introduction to EGEE; how it works; Grid security concepts
– SWITCH proposal for interoperability Shibboleth - gLite
– Related efforts
– Summary

Slide 3: Introduction
SWITCH has four strategic business areas:
– Network: operating the Swiss research and education network
– Domain name registration for .ch and .li
– Security: operates (among other things) SWITCHpki
– NetServices: providing services on top of the network for academic users
NetServices:
– Video conferences, streaming technologies, support for (physical) mobility
– SWITCHaai: Shibboleth-based AAI for the Swiss academic sector
– Grid: targeted Grid services as a new strategic direction
  – There is no Swiss grid program
  – Various grid efforts at some universities

Slide 4: SWITCHaai
SWITCHaai = federated, national, Shibboleth-based authentication and authorization infrastructure (AAI).
Main efforts:
– More than 110'000 users (≈50%) of the Swiss higher education sector are currently "AAI-enabled".
– Federally funded cooperation projects will complete the national roll-out and increase the number of new resources.
– Define cooperation with other federations.
– Develop accounting (AAAI) services.

Slide 5: SWITCH Activities in Grid Computing
Grid support = new strategic direction: a national AAI-enabled grid infrastructure in Switzerland.
Two main strategic efforts:
– Within the context of EGEE-2 we want to add interoperability between Shibboleth and the gLite middleware stack.
– Within the national context we want to work together with our partners (universities, computing centers) to build up such a national grid infrastructure based on the AAI-enabled gLite middleware.

Slide 6: Disclaimer
– The decision of the EU regarding the EGEE-2 proposal is pending.
– Assuming a positive answer from the EU, EGEE-2 will start in April 2006 and last for two years.

Slide 7: The World without AAI
(Diagram: University A, Library B, University C; resources such as Student Admin, Web Mail, e-Learning, Literature DB, Research DB and e-Journals; each resource runs its own user administration, authentication, authorization and credentials.)
– Tedious user registration at all resources
– Unreliable and outdated user data at resources
– Different login processes
– Many different passwords
– Many resources not protected due to difficulties
– Often IP-based authorization
– Costly implementation of inter-institutional access

Slide 8: The World with AAI
(Diagram: University A, Library B, University C and the same resources as before, now connected through the AAI; user administration, authentication and credentials stay at the home institution, authorization at the resource.)
– No user registration and user data maintenance at the resource needed
– Single login process for the users
– Many new resources available for the users
– Enlarged user communities for resources
– Authorization independent of location
– Efficient implementation of inter-institutional access

Slide 9: How it works
(Diagram only; no transcript text.)

Slide 10: Shibboleth Concepts
– Based on SAML
– Initial focus on Web-based resources

Slide 11: EGEE: Enabling Grids for E-sciencE
EU-sponsored grid project within FP6
– Funding: 32 Mio €
– Proposal for second phase submitted ( )
Emphasis is on
– not software development
– operating a production grid and supporting the end-users
– hardening, re-engineering and extending existing middleware functionality
Large collaboration
– > 180 sites
– 20 VOs
– > 800 registered users

Slide 12: EGEE Security Framework
(Diagram only; no transcript text.)

Slide 13: EGEE Security Concepts
(Diagram only; no transcript text.)

Slide 14: Interoperability Shibboleth - gLite
Part of the EGEE-2 proposal (by SWITCH in the EGEE NREN Federation)
Focus is on
– Interoperability (NO replacement for X.509)
– Specific for the EGEE infrastructure (VOMS etc.)
– Integrate, re-use, re-engineer existing code; write new code only as needed
Key concepts:
– The home institution of the user should be the Identity Provider
– The home institution provides some attributes
– But a VO is needed for (grid-specific) attributes
Proposal of doing the work in three phases:
– Two initial, shorter phases with the intention of hooking SWITCHaai up to the grid with a minimal amount of effort, to have a working system
– A third phase adding support for SAML at the resource (service provider)

Slide 15: Phase 1 and 2
(Diagram only.)
– Note: no changes at the Resource
– Work is more than just software (policies)

Slide 16: Access for Grid Users to Shib SP
– Intention: add "symmetry" between enabling access for Shib and grid users
– Test-bed between SWITCH and INFN in 2006

Slide 17: SAML Support at the Resource
– Third (and main) phase of the project
– Goal: support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)
– Should be based on SAML2
  – Supports the ECP profile (constrained delegation)
  – Will be used in Shibboleth 2

Slide 18: Related Efforts
GridShib:
– Emphasis is on providing attribute-based authorization
– Based on GT4 and Shib 1.3
– Beta version available since Sept 05
OGSA authZ working group:
– Defines specifications for basic interoperability and pluggability of authorization modules in the OGSA framework
Condor Shibboleth Merger Project:
– Phase I: Shib-enabled Condor web portal
– Phase II: Shib-enabled Condor fat client
Shibboleth - grid activities in the UK:
– ESP-Grid
– Further work is planned (JISC) to look at CA/Shib issues
Issue of attribute management between IdP and VO (e.g. Signet)

Slide 19: Summary
There is interest and activity for interoperability AAI / Shibboleth - grid
– But X.509 is still the standard security mechanism for grids (and likely to remain so for quite some time)
– The issue is not only authentication but also attribute sharing between IdP, VO and SP
– Opportunity and need for the NREN and Grid communities to interoperate
GridShib:
– Beta version available
– GT4 and Shib 1.3
SWITCH participates in EGEE-2 to add interoperability Shibboleth - gLite
– Pending approval by the EU (expected in November)
– We are interested in learning about other activities, sharing experiences and coordinating efforts
