ASPiS Security Jens Jensen Science and Technology Facilities Council AHM, 8-11 Sep 2008 Edinburgh.
ASPiS collaborators
– Mark Hedges, CeRch KCL
– Adil Hasan, Liverpool
– Andrea Weise, STFC/Reading
– Eric.., → CeRch KCL
– Jens Jensen, STFC
JISC-funded project

Project Overview “New data grid technology with new authentication technology”

Project Overview
What is ASPiS?
– Access to iRODS via Shibboleth
– Collaboration between CeRch (KCL) and STFC
What is Shibboleth?
– UK Access Management Federation
What is iRODS?
– “data grid” for provenance, digital libraries
– Successor to SRB
– Open Source

ASPiS goals
Access to iRODS via Shibboleth
– iRODS offers rule-based data management via microservices
– Positioned as data grid solution for preservation, curation, digital libraries
Primary use cases:
– Arts and Humanities data storage
– Diamond Light Source
– NGS data storage services

ASPiS goals
Use Shibboleth attrs for access control
– Can use attrs for AuZ decisions
– ePEntitlement
– Or extended attrs, e.g. from SARoNGS
Prototype secure data management
– Can be expanded later into trusted services
– Open for adding security capabilities
Interface with provenance management

User Security
Enable access for security non-experts
– X.509 considered “complicated”
– Broaden user base via Shibboleth IdPs
Users' VOs supported
– Simple attribute-based
– Simple gridmap style user mapping
– Using VOMS? Via SARoNGS?

Shibboleth and NGS
Other projects to enable access to NGS
SARoNGS
– Production deployment of ShibGrid and SHEBANGS
– Certificates generated dynamically – users don't know they have them!
– ~75% of NGS user base with IdP
– ~95% by members of Federation
– (Not all members have IdPs)
– (Rough numbers, could have changed)

Architecture (diagram): SP and IdP (“usual Shib stuff”); iRODS with rules, microservices and ACLs; Disk Store (Tape Store at RAL); Provenance Metadata Management

Implementing Security
Make attributes available
– To rule engine, microservices, provenance
– Microservices reporting back to rule engine to alter workflow
Other issues
– Using AC and SAML (SARoNGS)
– Libraries: iRODS in C, preservation systems in Java (Pasoa, RDF/OWL)
– Availability, maturity, support, interoperation

Security Considerations
Use of Shib 1.3 vs Shib 2.0
– Must work with existing Federation
– Use of institutional attributes: how useful are they?
Avoid bilateral negotiations
– Not sharing attributes between SPs
– Single SP, federated iRODS?
Non-Federation (or no IdP) users
– Considered local config or LDAP managed

Security Considerations
User to local mapping
– LCMAPS or VPMan? Or something simpler?
– Delegation of authentication
– iRODS users/groups/domains/zones?
Use or combined use with GSI
– For users with certificates already, existing NGS accounts
Consistency and portal access
– Supported in iRODS 1.1
– Needs account management

Preservation Issues
Persistency of ePTID
– Federation rules permit recycling if not used for 2 yrs
– ASPiS: do not permit login if account idle for 2 yrs
– Except if IdP guarantees uniqueness forever?
Who is the ePTID?
Non-persistency of IdP logs
Verification of user-supplied attrs?
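The three mechanisms the slides combine, attribute-based AuZ on ePEntitlement, gridmap-style mapping of a federated identity to a local iRODS user, and refusing login to accounts idle for two years so a recycled ePTID cannot inherit an old account, are shown together in the added example below. It is illustrative code written for this page, not ASPiS or iRODS project code; the entitlement URNs, ePTID values, collection paths and last-login dates are constructed, and the header format assumed is the Shibboleth SP convention of joining multiple values with `;` and escaping a literal semicolon as `\;`.

```python
"""Constructed example: Shibboleth attributes -> iRODS access decision.

Not ASPiS/iRODS code. All identifiers and dates below are made up for the
example; a real deployment would read the mapping from a gridmap-style file
or LDAP and the last-login timestamp from the account store.
"""
from datetime import date, timedelta

# Gridmap-style table: ePTID -> local iRODS account and last successful login.
# ePTID is the Shib 1.3 "scoped" form: IdP entityID!SP entityID!opaque value.
LOCAL_ACCOUNTS = {
    "https://idp.example.ac.uk/shibboleth!https://sp.example.org/shibboleth!a1b2c3":
        {"irods_user": "alice", "last_login": date(2008, 6, 1)},
    "https://idp.example.ac.uk/shibboleth!https://sp.example.org/shibboleth!d4e5f6":
        {"irods_user": "bob", "last_login": date(2006, 1, 15)},
}

# Entitlement values accepted per iRODS collection (constructed URNs).
COLLECTION_POLICY = {
    "/aspisZone/arts": {"urn:mace:example.ac.uk:aspis:arts"},
    "/aspisZone/dls": {"urn:mace:example.ac.uk:aspis:dls"},
}

# Federation rules allow an unused ePTID to be recycled after two years, so the
# local side must not accept an account that has been idle that long.
IDLE_LIMIT = timedelta(days=2 * 365)


def parse_shib_header(raw):
    """Split a multi-valued SP header on ';', honouring the '\\;' escape."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped literal semicolon
            i += 2
            continue
        if raw[i] == ";":
            values.append("".join(current))  # end of one value
            current = []
            i += 1
            continue
        current.append(raw[i])
        i += 1
    values.append("".join(current))
    return [v for v in values if v]


def authorise(attrs, collection, today):
    """Decide access for one request.

    attrs: dict of attribute name -> list of values, as released by the IdP.
    Returns (allowed, reason, irods_user) so the caller can log the reason.
    """
    eptid = attrs.get("eduPersonTargetedID", [])
    if len(eptid) != 1:
        return False, "missing or ambiguous ePTID", None
    account = LOCAL_ACCOUNTS.get(eptid[0])
    if account is None:
        return False, "no local account mapped for this ePTID", None
    if today - account["last_login"] > IDLE_LIMIT:
        # The IdP may have reissued this ePTID to someone else; do not reuse.
        return False, "account idle for more than 2 years", None
    required = COLLECTION_POLICY.get(collection)
    if required is None:
        return False, "unknown collection", None
    held = set(attrs.get("eduPersonEntitlement", []))
    if not held & required:
        return False, "no matching eduPersonEntitlement", None
    return True, "ok", account["irods_user"]


def authorise_from_headers(headers, collection, today):
    """Convenience wrapper for raw SP headers (constructed names)."""
    attrs = {name: parse_shib_header(value) for name, value in headers.items()}
    return authorise(attrs, collection, today)


if __name__ == "__main__":
    today = date(2008, 9, 8)  # constructed "now", matching the talk date
    alice_headers = {
        "eduPersonTargetedID":
            "https://idp.example.ac.uk/shibboleth!https://sp.example.org/shibboleth!a1b2c3",
        "eduPersonEntitlement":
            "urn:mace:example.ac.uk:aspis:arts;urn:mace:dir:entitlement:common-lib-terms",
    }
    print(authorise_from_headers(alice_headers, "/aspisZone/arts", today))
```

Every denial carries a reason string rather than a bare false, because the slides' two-year idle rule and the entitlement check fail for different operational reasons (identity possibly recycled versus simply not entitled) and an operator reading the SP or iRODS log needs to tell them apart.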

Other Issues
QoS: priority mappings for some users?
iRODS needs rebuild (or at least relink) when μservice changes

Current Status
iRODS deployed at Reading, RAL
Shibboleth IdP at RAL
– DLS did not join the Federation at this time
Not quite ready for testing yet

Conclusion
Datastore for libraries, preservation
– Interfacing to provenance mgmt
Replacing SRB
Single sign-on access via Shib
– Usable
– Secure