Portal-based Access to Advanced Security Infrastructures
John Watt, UK e-Science All Hands Meeting, September 11th 2008


Problem No. 1
User management
– Historically done by providers of services
Custom access control lists
– Maps user to rights on system
– Admin burden as user numbers skyrocket
User registration required
– Face to face? Terms and conditions?
User revocation process is essential
– User registered on many resources, always out-of-date info
Certification Authority
– National-level identity – well recognised
– Still requires devolved user registration process (RA)
– Solution: Federated Access Management…

Shibboleth (SAML)
Implements a federation of trusting sites who agree to recognise the identity assertions of their federation partners
– Federation manages registration and dissemination of current trusted sites
– Defines Identity Providers (IdPs) and Service Providers (SPs)
IdP is an entity that has promised to correctly assert and verify the identity of its local users
– Hence, user identity within fed. resources is reliable
– Also supplies extra user info in SAML Attributes
SP is a resource provider that accepts incoming federation authentication assertions as valid.

Logging In to a Service
Input service URL, choose IdP, enter credentials, service

Shibboleth (SAML)
May not be desirable for an SP to accept EVERY IdP in the federation
– The Shibboleth Attribute Acceptance Policy (AAP) defines the SP rules for accepting:
  Identity Providers
  SAML Attribute types
  SAML Attribute values
– The Scoped Attribute Management Portlet (SCAMP) allows this policy to be formally created
  Produces consistent XML based on the administrator’s policy requirements

SCAMP
Policy Editor tool
– Defines valid IdPs, SAML attribute values and types
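The two slides above describe what an Attribute Acceptance Policy controls at the SP: which IdPs are trusted, which SAML attribute types are taken in, and which values are allowed, with SCAMP producing that policy as XML. The following is an added example, not code from the talk, from Shibboleth or from SCAMP, that applies such a policy to a constructed assertion in Python. The policy object, its field names, the entity IDs, scopes and values are all assumptions; the one rule worth noticing is the scope check, where a value such as `staff@other.ac.uk` is dropped because the asserting IdP does not own that scope, even though the affiliation itself is an accepted value.

```python
"""Attribute acceptance policy (AAP) filter in the spirit of a Shibboleth SP.

Added example; not code from the talk, from Shibboleth or from SCAMP. The
policy object, its field names and all entity IDs, scopes and values are
constructed. It models the three things the slide says the AAP controls:
which IdPs the SP accepts, which SAML attribute types, and which values,
and treats scoped attributes the way an SP must: the scope part of the
value has to be one the asserting IdP is allowed to claim.
"""
from dataclasses import dataclass

# Attributes whose value carries a "@scope" that must belong to the asserting IdP
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


@dataclass
class AcceptancePolicy:
    # IdP entityID -> scopes that IdP is allowed to assert (constructed)
    trusted_idps: dict
    # accepted attribute name -> set of accepted values, or None for any value
    allowed_attributes: dict


def apply_policy(policy, idp, attributes):
    """Filter attributes asserted by `idp` against `policy`.

    attributes: {name: [value, ...]} as received in the SAML assertion.
    Returns (accepted, rejected) where rejected is a list of
    (name, value, reason) so the SP can log exactly what it dropped.
    """
    accepted, rejected = {}, []
    if idp not in policy.trusted_idps:
        # Nothing from an untrusted IdP may reach the application
        for name, values in attributes.items():
            rejected.extend((name, v, "untrusted idp") for v in values)
        return accepted, rejected

    allowed_scopes = policy.trusted_idps[idp]
    for name, values in attributes.items():
        if name not in policy.allowed_attributes:
            rejected.extend((name, v, "attribute type not accepted") for v in values)
            continue
        allowed_values = policy.allowed_attributes[name]
        for value in values:
            if name in SCOPED_ATTRIBUTES:
                local, sep, scope = value.rpartition("@")
                if not sep or scope not in allowed_scopes:
                    rejected.append((name, value, "scope not owned by idp"))
                    continue
                checked = local      # the value rule applies to the part before "@"
            else:
                checked = value
            if allowed_values is not None and checked not in allowed_values:
                rejected.append((name, value, "value not accepted"))
                continue
            accepted.setdefault(name, []).append(value)
    return accepted, rejected


# Constructed policy of the kind SCAMP would emit as XML for the SP
PORTAL_POLICY = AcceptancePolicy(
    trusted_idps={
        "https://idp.example-uni.ac.uk/shibboleth": {"example-uni.ac.uk"},
        "https://idp.example-college.ac.uk/shibboleth": {"example-college.ac.uk"},
    },
    allowed_attributes={
        "eduPersonScopedAffiliation": {"staff", "member"},
        "eduPersonPrincipalName": None,
        "eduPersonEntitlement": {"urn:x-example:portal:rbac-user"},
    },
)

# Constructed assertion from a trusted IdP, including values the SP must drop
SAMPLE_IDP = "https://idp.example-uni.ac.uk/shibboleth"
SAMPLE_ATTRIBUTES = {
    "eduPersonScopedAffiliation": [
        "staff@example-uni.ac.uk",      # accepted
        "student@example-uni.ac.uk",    # value not in policy
        "staff@other.ac.uk",            # scope this IdP does not own
    ],
    "eduPersonPrincipalName": ["alice@example-uni.ac.uk"],
    "eduPersonEntitlement": ["urn:x-example:portal:rbac-user"],
    "mail": ["alice@example-uni.ac.uk"],   # attribute type not in policy
}


def filter_sample():
    """Run the constructed assertion through the constructed policy."""
    return apply_policy(PORTAL_POLICY, SAMPLE_IDP, SAMPLE_ATTRIBUTES)


if __name__ == "__main__":
    ok, dropped = filter_sample()
    print("accepted:", ok)
    for name, value, reason in dropped:
        print(f"dropped {name}={value}: {reason}")
```

Returning the rejected list with a reason per value, rather than silently discarding, is what makes a policy like this auditable: an SP operator can see from the log whether an IdP is asserting scopes it does not own or values the portal never agreed to accept.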

Problem No. 2
Single sign-on
– Shibboleth enables one-time-password access for federation services.
– But services need to be able to utilise Shibboleth provided information to enforce access control
– Need to ALSO login to deployed portlet containers/apps to utilise their user management capability
For GridSphere, we need to define a new authentication module/framework
– JAAS? – Couldn’t get it to work
– Custom module? – Failed for GS2.2.X
– MAMS Shibbolized GridSphere – Yes
  » Requires modification to handle complex Shibboleth roles

Content Configuration
Module provides alternate login to GridSphere
– Picks up active Shibboleth credentials and builds GridSphere login session from this information

Content Configuration
GridSphere now has an established user session with externally provided (from SAML) access privileges
– In addition to the custom GridSphere roles (USER, ADMIN, SUPER)

Content Configuration
Layout manager can be used to assign Role Based Access Control on individual portlets
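The three Content Configuration slides describe a login module that builds a portal session from an already-established Shibboleth session, merges the federation-supplied privileges with the portal's own USER/ADMIN/SUPER roles, and then has the layout manager decide per portlet who may see it. The following is an added example in Python, not code from the talk, from MAMS or from GridSphere, of that flow. The header names are ones a Shibboleth SP commonly exports to the application (REMOTE_USER, Shib-Identity-Provider, unscoped-affiliation); the affiliation-to-role mapping, the local account table and the portlet layout table are constructed assumptions.

```python
"""Build a portal session from Shibboleth-supplied data and enforce per-portlet RBAC.

Added example; not code from the talk, from MAMS or from GridSphere. The header
names are the ones a Shibboleth SP commonly exports to the web application
(REMOTE_USER, Shib-Identity-Provider, unscoped-affiliation); the mapping from
affiliation to portal role, the local account table and the portlet layout are
constructed. The built-in roles USER, ADMIN and SUPER are the ones named on the
slide.
"""
from dataclasses import dataclass

# Constructed: federation-asserted affiliation -> role granted inside the portal
AFFILIATION_ROLES = {"staff": "SEEGEO_ANALYST", "member": "SEEGEO_VIEWER"}

# Constructed: local portal account store (the portal's own USER/ADMIN/SUPER roles)
LOCAL_ACCOUNTS = {"carol@example-uni.ac.uk": {"USER", "ADMIN"}}

# Constructed layout-manager table: portlet -> roles allowed to see/use it
PORTLET_LAYOUT = {
    "Welcome": {"USER"},
    "GLS-Client": {"SEEGEO_ANALYST", "SEEGEO_VIEWER"},
    "AttributeCertificatePortlet": {"ADMIN", "SUPER"},
    "SCAMP": {"SUPER"},
}


class LoginError(Exception):
    """Raised when no usable Shibboleth session is present."""


@dataclass(frozen=True)
class PortalSession:
    principal: str
    idp: str
    roles: frozenset


def login_from_shibboleth(env, local_accounts=LOCAL_ACCOUNTS):
    """Create the portal session from what the SP put into the request.

    `env` is the request environment/headers as the container sees them after
    the SP has validated the SAML assertion. Nothing here re-validates the
    assertion; that is the SP's job, which is why the portal must only trust
    these values when they arrive via the SP and not straight from the client.
    """
    principal = env.get("REMOTE_USER")
    if not principal:
        # Never fall back to an anonymous or default account
        raise LoginError("no authenticated Shibboleth session")
    roles = set()
    for affiliation in env.get("unscoped-affiliation", "").split(";"):
        role = AFFILIATION_ROLES.get(affiliation.strip())
        if role:
            roles.add(role)
    # Portal-native roles come from the portal's own store; a first-time
    # federated user gets the plain USER role only.
    roles |= local_accounts.get(principal, {"USER"})
    return PortalSession(principal, env.get("Shib-Identity-Provider", ""), frozenset(roles))


def can_access(session, portlet):
    """Layout-manager check: the user needs at least one of the portlet's roles."""
    allowed = PORTLET_LAYOUT.get(portlet)
    if allowed is None:
        return False            # unknown portlet: deny by default
    return not session.roles.isdisjoint(allowed)


def visible_portlets(session):
    """Portlets the layout manager would render for this session."""
    return sorted(p for p in PORTLET_LAYOUT if can_access(session, p))


# Constructed request environments as an SP would populate them
STAFF_ENV = {
    "REMOTE_USER": "alice@example-uni.ac.uk",
    "Shib-Identity-Provider": "https://idp.example-uni.ac.uk/shibboleth",
    "unscoped-affiliation": "staff;member",
}
ADMIN_ENV = {
    "REMOTE_USER": "carol@example-uni.ac.uk",
    "Shib-Identity-Provider": "https://idp.example-uni.ac.uk/shibboleth",
    "unscoped-affiliation": "member",
}

if __name__ == "__main__":
    for env in (STAFF_ENV, ADMIN_ENV):
        s = login_from_shibboleth(env)
        print(s.principal, sorted(s.roles), visible_portlets(s))
```

The point of keeping the two role sources separate is that the federation decides what the user is (staff, member) while the portal decides what it lets that mean locally; an IdP cannot mint ADMIN or SUPER for anyone because those roles are only ever read from the portal's own account store.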

Problem No. 3
Have presented solution for portal based access control
– Doesn’t allow access to external security infrastructures
– Scenario: protected service has a policy requiring a signed assertion of a user’s role, traceable to a reliable Source of Authority, with a finite validity
PERMIS
– Need to issue local users with X.509 Attribute Certificates for access to these services…

Attribute Certificate Portlet
Portlet allows a privileged user to issue Attribute Certificates (based on Shibboleth-provided roles if required) to users and store in LDAP
– ‘privileged user’ may be local admin who has been delegated ability to assign attributes, OR, the admin of the external service who has been given attribute assignment privileges within the portal
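The scenario on the Problem No. 3 slide (a signed role assertion, traceable to a Source of Authority, with a finite validity) and the delegation described on the Attribute Certificate Portlet slide are both demonstrated by the following added example, which is not code from the talk or from PERMIS. It issues and verifies a record shaped like an X.509 attribute certificate (holder, issuer, serial, validity period, attributes), but encodes it as JSON and signs it with an HMAC as a stand-in for the issuer's X.509 signature so it runs on the standard library alone; a real verifier would validate the issuer's certificate chain with a public key rather than share a secret. The issuer names, keys and the delegation table are constructed.

```python
"""Issue and verify a signed role assertion modelled on an X.509 attribute certificate.

Added example; not code from the talk or from PERMIS. The record follows the
shape of an attribute certificate (holder, issuer, serial number, validity
period, attributes) but is encoded as JSON and signed with an HMAC as a
stand-in for the issuer's X.509 signature so that it runs with the standard
library alone; a real verifier would check the issuer's certificate chain
with a public key instead of sharing a secret. Issuer names, keys and the
delegation table are constructed.
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone

# Constructed issuer keys: the Source of Authority and a local admin to whom
# attribute assignment has been delegated
ISSUER_KEYS = {
    "cn=SEE-GEO Source of Authority": secrets.token_bytes(32),
    "cn=Portal Admin": secrets.token_bytes(32),
}

# Constructed delegation policy held by the protected service: which issuer
# may assert which role. The delegated admin may only grant VIEWER.
TRUSTED_ISSUERS = {
    "cn=SEE-GEO Source of Authority": {"SEEGEO_ANALYST", "SEEGEO_VIEWER"},
    "cn=Portal Admin": {"SEEGEO_VIEWER"},
}


def _canonical(ac):
    # Deterministic encoding so issuer and verifier sign/check identical bytes
    return json.dumps(ac, sort_keys=True, separators=(",", ":")).encode()


def issue_ac(issuer, holder, role, validity, now=None, serial=None):
    """Sign an attribute certificate binding `role` to `holder` for `validity`."""
    now = now or datetime.now(timezone.utc)
    ac = {
        "version": 2,
        "holder": holder,
        "issuer": issuer,
        "serial": serial if serial is not None else secrets.randbits(64),
        "notBefore": now.isoformat(),
        "notAfter": (now + validity).isoformat(),
        "attributes": {"role": role},
    }
    sig = hmac.new(ISSUER_KEYS[issuer], _canonical(ac), hashlib.sha256).hexdigest()
    return {"ac": ac, "signature": sig}


def verify_ac(signed, holder, required_role, now=None):
    """Service-side (PEP) check. Returns (granted, reason); each failure names its cause."""
    ac, sig = signed["ac"], signed["signature"]
    key = ISSUER_KEYS.get(ac["issuer"])
    if key is None:
        return False, "unknown issuer"
    expected = hmac.new(key, _canonical(ac), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"            # any edited field fails here
    now = now or datetime.now(timezone.utc)
    not_before = datetime.fromisoformat(ac["notBefore"])
    not_after = datetime.fromisoformat(ac["notAfter"])
    if not not_before <= now <= not_after:
        return False, "outside validity period"  # finite lifetime bounds the exposure
    if ac["holder"] != holder:
        return False, "holder mismatch"          # certificate is bound to one user
    role = ac["attributes"]["role"]
    if role not in TRUSTED_ISSUERS.get(ac["issuer"], set()):
        return False, "issuer not authorised for role"   # delegation limit enforced
    if role != required_role:
        return False, "role does not satisfy service policy"
    return True, "ok"


if __name__ == "__main__":
    issued = datetime(2008, 9, 11, 12, 0, tzinfo=timezone.utc)   # constructed time
    cert = issue_ac("cn=SEE-GEO Source of Authority", "alice@example-uni.ac.uk",
                    "SEEGEO_ANALYST", timedelta(hours=8), now=issued, serial=1)
    print(verify_ac(cert, "alice@example-uni.ac.uk", "SEEGEO_ANALYST",
                    now=issued + timedelta(hours=1)))
```

The order of the checks matters for what an operator learns from a refusal: signature first, so a tampered certificate is reported as tampered rather than as expired, and the delegation table last, so that a delegated admin who oversteps (here, granting ANALYST when only VIEWER was delegated) is refused even though the certificate itself is perfectly well-formed and in date.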

SPAM-GP Deployment
Presence in SEE-GEO and DAMES
– PERMIS-protected GT4 services accessed through an RBAC-enabled portal utilising SAML-provided information
ACP and SCAMP
– Unzip .tar.gz file and ‘ant deploy’
CCP
– Requires change to GridSphere source and re-installation

Security for SEE-GEO
(Architecture diagram; SPAM-GP tools in green. Components shown: GLS Client, IdP, LDAP, VOMS, Ext Lic., Portal, EDINA WFS, MIMAS Census, PEPs, ACP, CCP, SCAMP, GLS, External store (may be merged).)

Status
SCAMP code complete
– May require slight alteration for “100%” JSR-168
– Submitted for evaluation, docs available
ACP functional
– Requires user interface clean-up
– PERMIS license issues
CCP
– Have a deployable solution that draws on MAMS software
– Alterations documented
ARP & PERMIS policy editor (not done)
– Relegated as they are essentially SP-external
– Tools have emerged that provide this functionality (ARPeditor, ShARPe…)
All tools will be utilised in future NeSC projects, so improvements/augmentations are inevitable