Identity Management in Open Science Grid: Challenges, Needs, and Future Directions. Mine Altunay, OSG Security Officer, Fermilab.

June 2011, CERN ID Management Workshop

Current Status of Identity Management in OSG
- OSG uses IGTF-accredited CAs plus two TeraGrid CAs.
- Mainly uses the DOEGrids CA for issuing personal and service certificates.
- OSG does not run its own CA. It runs a Registration Authority for handling requests; the certificates themselves are issued by the DOEGrids CA.
- Approval takes 3-5 days per certificate.

Challenges, Needs
Desires:
- Accelerating the approval/renewal period.
- Strong desire to use federation-enabled CAs (CILogon), leveraging existing university identities.
- Easing the user experience; enabling SAML tokens where appropriate.

InCommon and Educational Identity Providers in the US
- InCommon is the largest identity federation for educational institutions in the USA (see Jim Basney's talk).
- It spans DOE National Labs, over 200 major universities, NSF, NIH, and so on.
- InCommon defines different levels of assurance for Identity Providers: Bronze, Silver, and Basic.

Challenges
- There are no InCommon Identity Providers accredited at the Silver or Bronze level (the levels that are equivalent to IGTF assurance levels). All IdPs operate at the Basic level.
- The CILogon CA serves InCommon IdPs, in two flavors: the CILogon Silver CA serves InCommon Silver IdPs; the CILogon Basic CA serves all IdPs.
- The expectation is that InCommon members will obtain their accreditations individually, but the requirements are heavy and adoption is slow.

Future Directions
- How can we find common ground between InCommon Basic IdPs and the IGTF identity-vetting requirements?
- Normally this falls under the IGTF SLCS profile, which carries its own identity-vetting requirements.
- Can we create a new TAGPMA profile that does not require stringent identity vetting at certificate issuance for Basic IdPs? Such a profile would be roughly equivalent to NIST LoA 1.
- Certificates would not have to match the user's legal name.
- User vetting and authorization would happen at VO registration instead.

Not all VOs can comply, but the LHC VOs already apply stringent identity checks at the VO registration step (double identity vetting). For example, the CMS VO checks:
- CERN ID number
- Birthdate
- Supervisor approval
and only then adds the certificate into VOMS.
There is existing work in IGTF on VO registration guidelines. What about allowing the CILogon Basic CA for VOs that operate under, and comply with, the IGTF VO requirements?

Future Directions
OSG is joining InCommon as a member entity. While waiting to leverage existing university IdPs, OSG may:
- Run its own IdP as an InCommon member, OR
- Leverage identities issued by major US institutions, Fermilab and BNL.
  - Fermilab and BNL plan on running a Shibboleth IdP.
  - We can integrate these IdPs with a federation CA such as CILogon.
  - This will need IdP accreditation.