EGEE-II INFSO-RI-031688, Enabling Grids for E-sciencE, www.eu-egee.org. EGEE and gLite are registered trademarks.
Interoperability Shibboleth - gLite
Christoph Witzig, SWITCH
TNC2007, Copenhagen

Content
Introduction
– Motivation for interoperability Shibboleth - Grids
– Authentication and authorization (AA) in Grids and Shibboleth
– General approach
Phase 1: Short-lived credential service (SLCS)
Phase 2: Attribute exchange to VOMS
Outlook: Phase 3
Other activities in interoperability Shibboleth - Grids
Summary

Why Interoperability AAI - Grid?
For AAI federations: add grid resources to the federation
For Grids: add a huge user base (campus networks)
For e-Science: unified user base; bring stakeholders together (NRENs - Grids)
For users: simpler management of credentials; easy access to grids

AAI Models
AAIs solve the old problem of access control to resources. Various technologies are in use; their usefulness depends on the underlying infrastructure:
1. Passport Model (PKI / Grids)
2. Federated Identity (Shibboleth)

Passport Model (PKI)
Diagram labels: X.509 certificate, X.509 proxy with VOMS AC (carrying the VO attributes), job submission, Resource Broker, Computing Element (CE), Worker Node (WN)
VOMS = virtual organization management system
AC = attribute certificate

Federated Identity Model
Diagram: 1. the user attempts access at the Service Provider; 2. authN at the Home Organization / Identity Provider; 3. SAML assertion returned to the Service Provider; 4. authZ decision at the Service Provider
authN = authentication
authZ = authorization
SAML = security assertion markup language

Topics
authN at grid resource
Attribute-based authZ
Federation attributes vs VO attributes
Delegation
Renewal of credentials

General Approach
EGEE-II:
– April - Mar 2008
– Year 1: Phase 1 and 2: add interoperability by starting “small”, with minimal changes to gLite
– Year 2: Phase 3: extend SAML to selected grid services
EGEE-III:
– Continuation in EGEE-III

Overview Phase 1 and 2
(Diagram.) SLCS = short-lived credential service; VASH = VOMS attributes from Shibboleth

Design Decisions
SLCS CA and “VOMS SP” independent of each other
– Separate Service Providers
– Deployed independently
SLCS CA independent of the Grid middleware
VOMS SP only dependent on VOMS

Content (agenda repeated; section: Phase 1: Short-lived credential service (SLCS))

SLCS Profile
SLCS = short-lived credential service
IGTF profile, minimum requirements (SLCS vs. classic X.509 certificate):
– Issuance: certificate is generated based on an Identity Management system, vs. “traditional” Registration Authority (e.g. passport)
– Lifetime: < 1 mio sec, vs. < 1 year + 1 month
– Revocation handling: optional for SLCS; part of the classic X.509 profile

SWITCHslcs: Operation
For the user, from the command line:
– Invisible part of the gLite User Interface [UI] (3.1); can also be installed independently
For the RA, from a web-based admin tool:
– Can enable or disable individual users (only for his institution)
– Requirements formulated in CP/CPS
– Can obtain log information
SWITCH: operates the service

SWITCHslcs
Private key is never transferred
Use a commercial CA and only standard protocols
Modular design such that other people can use their own components
Shibboleth attributes determine the DN
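Two points from the SLCS Profile and SWITCHslcs slides are easy to get wrong on the relying-party side: the DN is derived from federation attributes, and an SLCS certificate must live less than 1 million seconds (a classic certificate less than 1 year + 1 month). The following is an added example, not SWITCHslcs code and not the IGTF profile text: it builds a DN from constructed Shibboleth attributes and checks a validity period against the two limits quoted on the slides. The DN prefix, the attribute names and the 31-day month are assumptions; key generation and CSR handling (the part where the private key stays on the client) are not shown.

```python
"""Added example (not SWITCHslcs code): DN derivation from Shibboleth
attributes and a lifetime check against the two IGTF limits on the slides."""
from datetime import datetime, timedelta

# Limits quoted on the SLCS Profile slide; the 31-day month is an assumption.
SLCS_MAX_LIFETIME = timedelta(seconds=1_000_000)   # SLCS: lifetime < 1 mio sec
CLASSIC_MAX_LIFETIME = timedelta(days=365 + 31)    # classic X.509: < 1 year + 1 month

# Hypothetical DN prefix of an SLCS CA (a real CA fixes this in its CP/CPS).
SLCS_DN_PREFIX = (("DC", "ch"), ("DC", "example-slcs"))

# Shibboleth attributes the hypothetical CA needs before it issues anything.
REQUIRED_ATTRIBUTES = ("homeOrganization", "givenName", "surname", "uniqueID")

# Constructed values, standing in for what a federation IdP would release.
SAMPLE_ATTRS = {
    "homeOrganization": "Example University, Zurich",
    "givenName": "Alice",
    "surname": "Example",
    "uniqueID": "12345@example.ch",
}

# Constructed validity periods: 11 days (fits the SLCS limit) and 12 days (does not).
SAMPLE_VALIDITY = (datetime(2007, 5, 21, 9, 0), datetime(2007, 6, 1, 9, 0))
SAMPLE_VALIDITY_TOO_LONG = (datetime(2007, 5, 21, 9, 0), datetime(2007, 6, 2, 9, 0))


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for an RFC 4514 string-form DN."""
    escaped = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if value[:1] in ("#", " "):
        escaped = "\\" + escaped
    if value.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def dn_from_shib_attributes(attrs: dict) -> str:
    """Build the subject DN from Shibboleth attributes (layout is an assumption)."""
    missing = [a for a in REQUIRED_ATTRIBUTES if not attrs.get(a)]
    if missing:
        raise ValueError(f"missing Shibboleth attributes: {missing}")
    # The federation's persistent unique ID goes into the CN so that two users
    # with the same name at the same organization never share a DN.
    cn = f"{attrs['givenName']} {attrs['surname']} {attrs['uniqueID']}"
    rdns = list(SLCS_DN_PREFIX) + [("O", attrs["homeOrganization"]), ("CN", cn)]
    # RFC 4514 string form lists the most specific RDN first.
    return ",".join(f"{k}={escape_rdn_value(v)}" for k, v in reversed(rdns))


def check_lifetime(not_before: datetime, not_after: datetime, profile: str):
    """Relying-party check of a validity period against the named profile."""
    limits = {"slcs": SLCS_MAX_LIFETIME, "classic": CLASSIC_MAX_LIFETIME}
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        return False, "notAfter is not after notBefore"
    if lifetime >= limits[profile]:
        return False, f"lifetime {lifetime} is not below the {profile} limit {limits[profile]}"
    return True, "ok"


if __name__ == "__main__":
    print(dn_from_shib_attributes(SAMPLE_ATTRS))
    print(check_lifetime(*SAMPLE_VALIDITY, "slcs"))
    print(check_lifetime(*SAMPLE_VALIDITY_TOO_LONG, "slcs"))
```

The escaping matters because organization names with commas come straight from the IdP; without it the DN would gain an extra RDN. A resource that accepts SLCS certificates can run the same lifetime check in its own validation path rather than relying on the CA alone.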

Status SLCS
Software development finished in 2006
Accredited by EuGridPMA in February 2007
In production operation since April

Content (agenda repeated; section: Phase 2: Attribute exchange to VOMS)

The Problem
Phase 1 ties
– AAI authentication to the issuance of an X.509 certificate
– AAI attributes are used to construct the DN
Phase 2 intends to make AAI attributes available to grid resources for authorization decisions
– Which AAI attributes are of interest to a grid resource?
– How does the resource obtain attributes? (pull vs push)
– Relation to VO attributes
– Deployment issues

Shibboleth Attributes
Need a common understanding of attributes: given within a federation, but inter-federation access (?)
In SWITCHaai: attributes are derived from eduPerson
Only a subset of attributes is really interesting for grid resources:
– Home Organization (IdP)
– Affiliation
– Study level and branch
– Staff
– Member of
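The slide names the eduPerson subset a grid resource cares about (home organization, affiliation, group membership). As an added example, not code from the talk, from Shibboleth or from VASH, here is what a service on the grid side has to do with the SAML assertion it receives: check the assertion's validity window and audience before trusting anything in it, then keep only the attributes of interest and drop the rest (a name attribute is released by the IdP but never forwarded). The assertion is constructed and unsigned, the audience URL is hypothetical, and the urn:oid attribute names are the standard eduPerson/SCHAC OIDs as I know them; a deployment should verify them against its federation's attribute specification.

```python
"""Added example (not Shibboleth or VASH code): validate a SAML 2.0 assertion's
Conditions and extract the grid-relevant eduPerson attribute subset."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute subset from the slide, keyed by the OID-form SAML attribute names
# (eduPerson/SCHAC OIDs as I know them; verify against the federation's spec).
GRID_ATTRIBUTES = {
    "urn:oid:1.3.6.1.4.1.25178.1.2.9": "homeOrganization",  # schacHomeOrganization
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",       # eduPersonAffiliation
    "urn:oid:1.3.6.1.4.1.5923.1.5.1.1": "memberOf",          # isMemberOf
}

# Constructed, unsigned assertion standing in for what a federation IdP releases.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2007-05-21T09:00:00Z">
  <saml:Issuer>https://idp.example.ch/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>user-123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-05-21T09:00:00Z" NotOnOrAfter="2007-05-21T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://vash.example.org/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.25178.1.2.9">
      <saml:AttributeValue>example.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1">
      <saml:AttributeValue>grid-users</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_AUDIENCE = "https://vash.example.org/shibboleth"        # hypothetical SP entity ID
SAMPLE_NOW = datetime(2007, 5, 21, 9, 2, tzinfo=timezone.utc)   # inside the validity window
SAMPLE_LATE = datetime(2007, 5, 21, 9, 5, tzinfo=timezone.utc)  # exactly NotOnOrAfter: expired


def _saml_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_conditions(root, now: datetime, expected_audience: str):
    """Enforce the validity window and the audience restriction."""
    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None:
        return False, "assertion has no Conditions"
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _saml_time(not_before):
        return False, "assertion not yet valid"
    if not_on_or_after and now >= _saml_time(not_on_or_after):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)]
    if audiences and expected_audience not in audiences:
        return False, "assertion issued for a different audience"
    return True, "ok"


def extract_grid_attributes(xml_text: str, now: datetime, expected_audience: str):
    """Return (True, attrs) for an acceptable assertion, else (False, reason)."""
    root = ET.fromstring(xml_text)
    ok, reason = check_conditions(root, now, expected_audience)
    if not ok:
        return False, reason
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        friendly = GRID_ATTRIBUTES.get(attr.get("Name"))
        if friendly is None:
            continue  # e.g. givenName: released by the IdP, not forwarded to the grid
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs[friendly] = sorted(values)
    return True, attrs


if __name__ == "__main__":
    print(extract_grid_attributes(SAMPLE_ASSERTION, SAMPLE_NOW, SAMPLE_AUDIENCE))
    print(extract_grid_attributes(SAMPLE_ASSERTION, SAMPLE_LATE, SAMPLE_AUDIENCE))
```

In a real deployment the Shibboleth SP verifies the IdP's XML signature and tracks assertion IDs against replay before any of this runs; the example starts after that step, and code that parses assertions from the network should do the same rather than call a plain XML parser on unverified input.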

Design (1)
VASH: VOMS Attributes from Shibboleth
Shibboleth SP
– Browser-based
– Specific for a federation and a VO
“Lightweight” SP
– No administrator duties
– No management of attributes
– Simply transfers attributes upon user request

Design (2)
X.509 and proxy X.509 with VOMS AC unchanged
No change in VOMS
– Needs version or higher
VO registration not changed
Administrative domain between Shibboleth federation and VOMS fully decoupled
User manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)
– VASH becomes a service which knows the mapping Shibboleth userid - DN
– Has to respect data privacy laws

Web Interface VASH Service (screenshot)

Status
Software implementation done
MJRA1.5 document:
Currently in the process of developing plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource
– Access to VOMS AC
– LCAS/LCMAPS
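The slide says the next step is plug-ins that evaluate the Shibboleth attributes at the grid resource, via the VOMS AC and LCAS/LCMAPS. The following is an added example, not gLite, LCAS or LCMAPS code: a simplified representation of what a site plugin sees in a VOMS AC (holder DN, VO, FQANs, plus generic attributes carrying the VASH-supplied Shibboleth values), an LCAS-style allow/deny decision that fails closed when the federation attributes are missing, and an LCMAPS-style mapping of the most specific FQAN to a local account. The data structures, policy rules, VO names and account names are all constructed.

```python
"""Added example (not gLite code): LCAS-style authorisation over a VOMS AC that
carries Shibboleth attributes, and LCMAPS-style mapping to a local account."""
from dataclasses import dataclass, field


@dataclass
class VomsAC:
    """Parts of a VOMS attribute certificate a site plugin inspects (simplified)."""
    holder_dn: str
    vo: str
    fqans: list                                   # e.g. "/biomed/Role=NULL/Capability=NULL"
    generic: dict = field(default_factory=dict)   # name -> [values]; VASH-supplied Shib attributes


@dataclass
class SitePolicy:
    banned_dns: set                 # deny overrides everything else
    allowed_vos: set
    required_affiliations: set      # eduPersonAffiliation values; any one suffices
    account_map: dict               # normalised FQAN -> local account


def normalise_fqan(fqan: str) -> str:
    """Drop the 'Role=NULL' / 'Capability=NULL' fillers VOMS appends."""
    parts = [p for p in fqan.split("/") if p and p not in ("Role=NULL", "Capability=NULL")]
    return "/" + "/".join(parts)


def lcas_decision(ac: VomsAC, policy: SitePolicy):
    """Every rule must pass; the ban list is checked first."""
    if ac.holder_dn in policy.banned_dns:
        return False, "holder DN is banned"
    if ac.vo not in policy.allowed_vos:
        return False, f"VO {ac.vo} not supported at this site"
    if not ac.fqans or not all(normalise_fqan(f).split("/")[1] == ac.vo for f in ac.fqans):
        return False, "FQANs do not belong to the VO named in the AC"
    # Shibboleth attributes transported through VASH; fail closed when absent.
    affiliations = set(ac.generic.get("eduPersonAffiliation", []))
    if not affiliations & policy.required_affiliations:
        return False, "required federation affiliation missing"
    return True, "ok"


def lcmaps_account(ac: VomsAC, policy: SitePolicy):
    """Map the most specific FQAN that has a local account; None if no match."""
    for fqan in sorted((normalise_fqan(f) for f in ac.fqans), key=len, reverse=True):
        if fqan in policy.account_map:
            return policy.account_map[fqan]
    return None


# Constructed site policy and ACs (DNs follow the hypothetical SLCS layout).
SAMPLE_POLICY = SitePolicy(
    banned_dns={"/DC=ch/DC=example-slcs/O=Example University/CN=Mallory Example 999@example.ch"},
    allowed_vos={"biomed"},
    required_affiliations={"staff", "faculty"},
    account_map={"/biomed": "biomed001", "/biomed/swiss/Role=production": "biomedprd"},
)
SAMPLE_AC = VomsAC(
    holder_dn="/DC=ch/DC=example-slcs/O=Example University/CN=Alice Example 12345@example.ch",
    vo="biomed",
    fqans=["/biomed/Role=NULL/Capability=NULL", "/biomed/swiss/Role=production/Capability=NULL"],
    generic={"eduPersonAffiliation": ["staff", "member"], "homeOrganization": ["example.ch"]},
)
SAMPLE_AC_NO_SHIB = VomsAC(
    holder_dn="/DC=ch/DC=example-slcs/O=Example University/CN=Bob Example 67890@example.ch",
    vo="biomed",
    fqans=["/biomed/Role=NULL/Capability=NULL"],
)

if __name__ == "__main__":
    print(lcas_decision(SAMPLE_AC, SAMPLE_POLICY), lcmaps_account(SAMPLE_AC, SAMPLE_POLICY))
    print(lcas_decision(SAMPLE_AC_NO_SHIB, SAMPLE_POLICY))
```

The fail-closed rule is the point a site should settle before deploying such a plugin: during the transition, users whose VOMS entry predates VASH will have no Shibboleth attributes in their AC, and the policy has to say explicitly whether that means deny or fall back to VO attributes only.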

Content (agenda repeated; section: Outlook: Phase 3)

Phase 3
Goal of phase 3: extend the use of SAML in grids beyond what is already provided by phases 1 and 2
SAML-enable those services with which the user interacts directly
– WMS
– File access
Benefits:
– (Average) user has no certificates any more
– Introduce SAML gently beyond phases 1 and 2, gain experience
– No modifications on most grid software (--> deployment)
– Compatible with Shibboleth roadmap (2.0, 2.1) and ID-WSF implementation
– All options open for the future

Content (agenda repeated; section: Other activities in interoperability Shibboleth - Grids)

Other Activities
GridShib
– Globus
– Community access to TeraGrid through gateways
Activities in the UK
– Shebangs and ShibGrid
– Shintau: attribute aggregation from multiple IdPs
OMII-Europe:
– SAML assertions from VOMS

Summary
Interoperability gLite - Shibboleth:
– Phase 1: SLCS service
  – Online CA issuing X.509 certificates based upon authN at a Shibboleth IdP
  – In operation
– Phase 2: VASH
  – Transfers Shibboleth attributes into VOMS
  – Shib attributes are available to grid resources as part of the VOMS AC
  – Software development finished
– Phase 3:
  – Is starting now
  – Idea: SAML-enable a selected (small) number of grid services (those close to the user)

Q & A