Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006.


Contents (approximately)
Goals
Current status
  – Site authentication
  – Grid authentication
  – Authorisation
Terminal access

The Problem
Integrated Access (Authentication)
Identity management
Implemented locally… …integrate with future national efforts… …and international

What is SSO?
Central password management
  – Don’t reuse the same password
  – Stored securely in one location
Central account management
  – ISIS, DLS, CLF – users
  – Keep up to date
  – User office can add new ones

What is SSO?
Use account with all resources
  – cf. Grid – certificate used with all grids (well, sort of)
  – Shibboleth, with web resources
  – Generally requires consistent attribute management (resp., VOM(S), AAs)

Authentication – web based
If on-site, use federal id (Active Directory/Kerberos)
If off-site, use certificate
  – if loaded into browser
Otherwise username/password
  – Same as fed username/password
  – Not allowed to store password… System must know these are the same

Account Management
DLS: Vintela for account management
  – Commercial
  – Accounts and password managed across Windows & Linux
  – PAM module for Linux
  – Allows users to reset passwords &c

Site Authentication
Microsoft Active Directory (2000 → 2003)
  – Compatible with Kerberos 5
    As long as server is MS
  – Publishing data “Corporate Data Repository” → RFC2307

Grids
GridPP
  – More complex middleware stack
  – Plain ol’ ssh login
  – Uses VOMS for authorisation
NGS & SCARF
  – Basic Globus 2.4 toolkit (VDT dist)
  – gsissh login (more later)
  – Basic (Unix group) or no VO mgmt

“Data Grids”
i.e., SRB (new one will be different?)
  – Can use X.509 or username/password
  – Password stored in file in ~
  – Not integrated: inQ uses username/password only; X.509 must be compiled in
  – Integrate with everything else? Separate db column for SRB ids?

Shibboleth
Site password to common web resources
Web-resources
  – Depends on http proto (eg redirects)
SWITCH in EGEE
  – Work on Shibifying middleware, starting with gatekeeper
Shib2 will be less web-specific

Shibboleth deployment
SDSS
  – JISC funded, under core middleware programme
  – Early deployment of UK Federation
UK Federation will encompass all HEI and FEI
  – SDSS will become UK Federation

Shibboleth Deployment
CCLRC has IdP in SDSS
  – Doesn’t cover all site, only ShibGrid project
  – ShibGrid? Shibboleth access to Grid; collab ’tween Oxford & CCLRC
IdP?
  – SSO (password) and AA (attributes)

Shibboleth Deployment
Shibboleth Service Provider:
  – Portals (for NGS) to access Grid – “ShibGrid” project
  – MyProxy – used for credential conversion

Java SSH Term
Written in Java (no, really)
  – Standalone – untar and run
  – Applet
xterm
  – Understands (most) ANSI control seqs

Java SSH Term
Took open source terminal (in sf.net)
And GSISSH plugin contrib’d from Canada
Authenticate:
  – With site AD/K5 magic biscuit (see later)
  – Via MyProxy (username/password)
  – Via certificate (private key passphrase)

Java SSH Term
Picks up magic AD/K5 biscuit
  – Integrated with site Active Directory
  – Callout, no naughty storing passwords
Works! But only with Java 1.6 for this
  – Available in beta

Java SSH Term
[Architecture diagram: terminal session showing “> echo hello world” / “hello world”; components: MyProxy, User Interface, ID database, VOMS, WN, SRB, SRM]

Java SSH Term – User view
Use “proper” Grid (X.509) cert
  – Upload a proxy to myproxy once a week
  – Terminal gets proxies where you need them
Or use a proxy from the built-in CA
No need for PKCS#12 → PEM conv
  – Or even no need for understanding certs

Java SSH Term – Admin view
Can shut down vanilla ssh
Key mgmt is Somebody Else’s Problem™
Decreased support load… (potentially)
Must trust a MyProxy CA
  – UK: Tie into CA hierarchy
  – Separate hierarchy for NGS

(planned) UK hierarchy
[Hierarchy diagram. Nodes: e-Science ROOT; e-Science CA; Credential conversion top level; Institutional CC CA (three shown); NGS Training and Monitoring. Legend: Trusted CA (Explicit Trust); Accredited CA]
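The two slides above (a MyProxy CA that must be trusted, and the planned hierarchy it would hang off) are easier to reason about with a small runnable model. The example below is added here and is not code from the talk or from the UK e-Science CA. It assumes the arrangement root → credential conversion top level → institutional CC CA → short-lived user certificate, and models the NGS Training and Monitoring CA as a separate root that a relying party has to trust explicitly; the slide does not say exactly how the boxes are connected, so both are assumptions. It uses the third-party `cryptography` package; all names and lifetimes are made up.

```python
"""Constructed model of a credential-conversion CA hierarchy of the shape the
"(planned) UK hierarchy" slide sketches (assumption): an e-Science ROOT signs a
credential conversion top level CA, which signs institutional CC CAs, which
issue short-lived user certificates. An "NGS Training and Monitoring" CA is
modelled as a separate root that relying parties add to their trust store
explicitly. Nothing here is the real UK e-Science CA; names are made up."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "UK"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "eScience (constructed)"),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def _cn(cert):
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def issue(cn, issuer=None, ca=False, path_len=None, hours=24 * 365):
    """Generate a P-256 key and a certificate for `cn`, signed by `issuer`
    (a (key, cert) pair) or self-signed when issuer is None. Returns (key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = _name(cn)
    signer_key, signer_cert = issuer if issuer is not None else (key, None)
    now = datetime.datetime.now(UTC)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(signer_cert.subject if signer_cert is not None else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(hours=hours))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=path_len), critical=True)
        .sign(signer_key, hashes.SHA256())
    )
    return key, cert


def _not_after(cert):
    # cryptography >= 42 has tz-aware *_utc properties; older releases only the naive ones
    value = getattr(cert, "not_valid_after_utc", None)
    return value if value is not None else cert.not_valid_after.replace(tzinfo=UTC)


def _signed_by(cert, issuer_cert):
    try:
        issuer_cert.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def verify_chain(leaf, intermediates, trust_anchors):
    """Walk from leaf through intermediates (nearest issuer first) and require
    the top of that path to be signed by a trust anchor. Returns (ok, reason)."""
    now = datetime.datetime.now(UTC)
    if _not_after(leaf) < now:
        return False, "leaf certificate expired"
    cert = leaf
    for depth, issuer in enumerate(intermediates):
        if cert.issuer != issuer.subject or not _signed_by(cert, issuer):
            return False, f"{_cn(cert)} was not signed by {_cn(issuer)}"
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
        if not bc.ca:
            return False, f"{_cn(issuer)} is not a CA"
        # pathlen = how many further CA certificates may sit below this one;
        # `depth` of them already do in the supplied path.
        if bc.path_length is not None and bc.path_length < depth:
            return False, f"{_cn(issuer)} pathlen {bc.path_length} exceeded"
        if _not_after(issuer) < now:
            return False, f"{_cn(issuer)} expired"
        cert = issuer
    for anchor in trust_anchors:  # explicit trust: only the anchors we were given count
        if cert.issuer == anchor.subject and _signed_by(cert, anchor):
            return True, f"chains to {_cn(anchor)}"
    return False, f"{_cn(cert)} does not chain to any trust anchor"


def demo():
    root = issue("e-Science ROOT", ca=True)
    cc_top = issue("Credential conversion top level", issuer=root, ca=True, path_len=1)
    inst = issue("Institutional CC CA", issuer=cc_top, ca=True, path_len=0)
    training = issue("NGS Training and Monitoring", ca=True)  # separate root (assumption)
    accredited = [root[1]]                                      # the site's default trust store

    _, user = issue("user-from-site-password", issuer=inst, hours=12)  # conversion cert
    _, trainee = issue("trainee", issuer=training, hours=12)
    dept = issue("Departmental sub-CA", issuer=inst, ca=True, path_len=0)  # breaks pathlen 0
    _, dept_user = issue("someone", issuer=dept, hours=12)

    return {
        "accredited": verify_chain(user, [inst[1], cc_top[1]], accredited),
        "training_rejected": verify_chain(trainee, [], accredited),
        "training_explicit": verify_chain(trainee, [], accredited + [training[1]]),
        "pathlen_rejected": verify_chain(dept_user, [dept[1], inst[1], cc_top[1]], accredited),
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:18s} {'OK' if ok else 'NO'}  {why}")
```

Run it and the four cases show the two trust models side by side: a conversion certificate under the accredited hierarchy validates against the root alone, the training CA's certificates validate only once that CA is added to the trust store by hand, and a CA that tries to grow the hierarchy below an institutional CA with pathlen 0 is rejected by the path-length check rather than by policy on paper.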

Java SSH Term
Try it!
Public link may be for the non-AD/K5 one
  – Secret link for the Java 1.6 version
  – Until Java 1.6 is out – me

User Management
DLS and ISIS have users
Already ~ unique users in DB
  – How to establish – and maintain – uniqueness?
Users get accounts locally
  – Accounts set up by User Office
  – Give them Unix UID? RFIO and NFS use 16 bit UID…

Vintela
Used by Diamond Light Source (synchrotron) – not all of CCLRC/RAL
Commercial
Manage user accounts across Linux and Windows
Uses RFC2307-with-extensions
  – “Make more scalable”
Caching daemon makes system scalable

Vintela
“Active Roles”
Users can unlock their own accounts
  – Questions
Scriptable user creation
NSS module for NIS
PAM module calls out to Active Directory
Support for RH, SuSE, Solaris, HPUX, AIX

Future work
Better database integration (→ eduPerson)
  – Identity management (next slide)
  – Users may have different ids in different contexts?
→ Authorisation needed
  – VOMS integration
  – Site attributes, maybe? VO attributes!
  – Combined?

Identity Management – TODO
Tie together all the identities in central DB
  – Grid certificates
  – Low assurance (credential conversion) certificates
  – SRB identities
  – Tapestore ids
  – Unix user ids
How to populate with initial data…
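The "User Management" slide asks how uniqueness is established and maintained (and notes the 16-bit UID limit of RFIO and NFS), and the slide above lists the identities that should hang off one central record. The example below is added here and is not code from the talk or from CCLRC; it sketches such a central database with Python's standard-library sqlite3, lets the database enforce uniqueness and the UID range, and seeds it from the two kinds of data a site already has: a passwd-style account list and a Globus grid-mapfile. The accounts, DNs, SRB and tape ids in it are constructed, and the table layout is one possible design, not the one the talk had in mind.

```python
"""Constructed example of a central identity database: one person row per
site account, with every per-system identity (grid DN, conversion-cert DN,
SRB id, tape store id) linked to it, uniqueness enforced by the database, and
Unix uids constrained to the 16-bit range that RFIO and NFS can carry.
Names, DNs and uids are made up; only the standard-library sqlite3 module is used."""
import sqlite3

SCHEMA = """
CREATE TABLE person (
    id       INTEGER PRIMARY KEY,
    username TEXT    NOT NULL UNIQUE,    -- site (AD/Kerberos) account name
    uid      INTEGER NOT NULL UNIQUE
             CHECK (uid BETWEEN 1000 AND 65535)   -- RFIO/NFS carry 16-bit uids
);
CREATE TABLE identity (
    person_id INTEGER NOT NULL REFERENCES person(id),
    kind      TEXT    NOT NULL CHECK (kind IN ('grid_dn', 'cc_dn', 'srb', 'tape')),
    value     TEXT    NOT NULL,
    UNIQUE (kind, value)                 -- an identity maps to at most one person
);
"""

# Constructed seed data in formats a site already has: a passwd-style account
# list from the User Office, and a Globus grid-mapfile ("DN" localuser per line).
PASSWD = """\
alice:x:1501:1501:Alice Example:/home/alice:/bin/bash
bob:x:1502:1502:Bob Example:/home/bob:/bin/bash
"""
GRIDMAP = """\
# constructed grid-mapfile
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example" alice
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=bob example" bob
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def add_person(conn, username, uid):
    """Create the central record; sqlite3.IntegrityError on a reused username
    or uid, or on a uid outside the 16-bit range."""
    conn.execute("INSERT INTO person (username, uid) VALUES (?, ?)", (username, uid))


def link_identity(conn, username, kind, value):
    """Attach an external identity to an existing person. UNIQUE(kind, value)
    rejects an identity that anyone already owns."""
    cur = conn.execute(
        "INSERT INTO identity (person_id, kind, value) "
        "SELECT id, ?, ? FROM person WHERE username = ?",
        (kind, value, username))
    if cur.rowcount == 0:
        raise LookupError(f"no person with username {username!r}")


def resolve(conn, kind, value):
    """Map any identity back to the central (username, uid); None if unknown."""
    return conn.execute(
        "SELECT p.username, p.uid FROM identity i JOIN person p ON p.id = i.person_id "
        "WHERE i.kind = ? AND i.value = ?", (kind, value)).fetchone()


def import_passwd(conn, text):
    n = 0
    for line in text.splitlines():
        if line.strip():
            name, _pw, uid = line.split(":")[:3]
            add_person(conn, name, int(uid))
            n += 1
    return n


def import_gridmap(conn, text):
    n = 0
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, _, local_user = line.rpartition(" ")   # the quoted DN may itself contain spaces
        link_identity(conn, local_user, "grid_dn", dn.strip('"'))
        n += 1
    return n


def demo():
    conn = open_db()
    people = import_passwd(conn, PASSWD)
    grid_dns = import_gridmap(conn, GRIDMAP)
    link_identity(conn, "alice", "srb", "alice@ral")
    link_identity(conn, "alice", "cc_dn", "/C=UK/O=eScience/OU=CC/CN=alice")

    def rejected(fn, *args):
        try:
            fn(conn, *args)
            return False
        except (sqlite3.IntegrityError, LookupError):
            return True

    return {
        "people": people,
        "grid_dns": grid_dns,
        "alice_by_dn": resolve(conn, "grid_dn", "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example"),
        "srb_owner": resolve(conn, "srb", "alice@ral"),
        "duplicate_srb_rejected": rejected(link_identity, "bob", "srb", "alice@ral"),
        "big_uid_rejected": rejected(add_person, "carol", 70000),
        "unknown_user_rejected": rejected(link_identity, "nobody", "tape", "T0042"),
    }
```

The point of keeping the rules in the schema rather than in the import scripts is that every later feed (a VOMS export, a tape-store dump, a new CA's DNs) is checked the same way: an SRB id cannot quietly end up attached to a second person, and an account with a UID that RFIO or NFS would truncate is refused at creation time rather than discovered when files show up owned by the wrong user.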

Summary
Terminal access to Grid
  – In production
  – Non-certificate access via myproxy
To integrate with CA rollover
  – Handles all grid-proxy-init
Much of account mgmt solved
Integrating with future SSO efforts