EMI AAI WG. Christoph Witzig, on behalf of the EMI AAI WG.

Presentation transcript:

EMI AAI WG. Christoph Witzig, on behalf of the EMI AAI WG.

Comments
Disclaimer: this is work in progress that has only just started. We are aware that some of these issues have already been discussed within EUGridPMA.
(EMI INFSO-RI; 12/05/2010, STS SAML Trust Domain, EUGridPMA Meeting, slide 2)

Content
– EMI AAI WG
– Identified use cases
– Security Token Service
– Policy issues
– Next steps

EMI AAI WG
The EMI proposal mentions interoperability of EMI/Grid with AAIs, in particular:
– "easier" credential handling for the user
– interoperability with Shibboleth and Kerberos domains
Members from CNAF, HIP, NKUOA, SWITCH, UWAR.

Objectives
1. Identify use cases in which EMI could support AAI.
2. Support a subset of the identified use cases within EMI.
3. Reach out to other parties involved: EUGridPMA (trust), ESFRI, EGI, ...

Use Case 1: Obtaining an X.509 certificate based on a token from another domain
1a) short-lived credential (next slide)
1b) long-lived credential
Well known to EUGridPMA: the SLCS and MICS profiles.

SLCS (diagram): slcs-init is a command-line tool; the user agent handles the WebSSO mechanism.

Use Case 2: AAI-enabled portals to Grid infrastructures
The portal obtains an X.509 credential from
– a certificate store (e.g. MyProxy), or
– a "CA" (note: CA has a very broad meaning here, not necessarily an EUGridPMA-accredited CA),
either based on a portal request (the portal acting on behalf of the user) or based on a SAML assertion issued by the IdP (delegation; next slide).
Note: a new use case, becoming available now.

Use Case 2: AAI-enabled portals (diagram).

Use Case 3: AAI-enabled portals for displaying and accessing Grid information
Any portal can easily be made accessible through AAI.
– Low priority: the typical Grid administrator already has an X.509 certificate.

Use Case 4: Security Token Service
A service obtains a security token and needs to convert it into another security token in order to access a further service (e.g. a Grid service).
Example:
– incoming token: SAML, Kerberos
– outgoing token: X.509
Note: a very general use case.

Use Case 5: Use of AAI attributes in Grid services
Today: attributes are issued by VOMS.
Tomorrow: non-VO attributes can be issued by the AAI.
The attributes in question are few and simple, but possibly very important, such as
– employing institution
– affiliation (student, professor, ...)
– study branch (biology, physics 5th semester)
Question: what requirements should be put on the attribute authority (AA)?

Use Case 6: VO registration
Identity vetting based on AAI in the registration process
– possibly involving AAI attributes
– low priority: an established mechanism exists
Interesting if other communities bring a large number of users.

Use cases: summary

Use case  Description                       Status
1         X.509 issuance based on AAI       "Solved" (but needs improvement!)
2         AAI-enabled portals               Solutions exist; SAML delegation is new
3         AAI-enabled Grid info portals     Low priority
4         STS                               New, general-purpose service, high priority
5         Use of AAI attributes in Grid     Interesting, potentially very important
6         VO registration                   Low priority

Security Token Service: Functionality (1/2)
– Authenticates and authorizes users based on security tokens.
– Transforms a security token (the claim) into another security token suitable for the requested service, e.g. a username token into a SAML token, or a SAML token into an X.509 token.
– Aggregates required information from external attribute authorities.
– Establishes a trust relation between different application domains, e.g. a Shibboleth domain and a Grid domain.

Security Token Service: Functionality (2/2)
– Web service (SOAP) based protocol: WS-Trust profile, version 0 (dated Jan 2008!)
– Basic operations: request token, renew token, cancel token, validate token
– Easy expansion to handle new tokens
– Prospect: integrated with the Shibboleth IdP

Security Token Service: Architecture
– Profile Handler: implements the WS-Trust profile
– Token Authority: manages security tokens
– Resolver: retrieves information and attributes from external authorities (LDAP, online CA, VOMS, ...)
Note: prospect of building on Shibboleth (IdP v3).
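The WS-Trust exchange behind slides 15 to 17, as an added example that is not part of the original slides and not the EMI STS code. It shows the four basic operations (Issue, Renew, Cancel, Validate) end to end with the real WS-Trust 1.3 element names and URIs, a username token going in and an unsigned SAML 2.0 assertion coming out, which is the "username token into SAML token" transformation of slide 15. The STS entity ID (sts.example.org), the user table standing in for the Resolver's LDAP lookup, and the placement of the incoming claim as a WS-Security UsernameToken in the SOAP header are all assumptions of this example; the X.509 output of the slides needs an online CA and is not shown.

```python
# Added example, not from the EMI slides or the EMI STS code: a minimal WS-Trust 1.3
# exchange for Issue, Renew, Cancel and Validate, username token in and unsigned
# SAML 2.0 assertion out. Stdlib only; STS name and user table are constructed.
import copy
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "soap": "http://www.w3.org/2003/05/soap-envelope",
    "wsa": "http://www.w3.org/2005/08/addressing",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)
WST = NS["wst"]
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
STS_ENTITY_ID = "https://sts.example.org/sts"   # assumed issuer name of this STS
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

def q(prefix, local):
    return "{%s}%s" % (NS[prefix], local)

def build_rst(request_type, username=None, password=None, target=None):
    """Client side. Issue carries the incoming claim as a WS-Security UsernameToken in the
    header; Renew/Cancel/Validate point at an earlier token via wst:<Op>Target."""
    env = ET.Element(q("soap", "Envelope"))
    hdr = ET.SubElement(env, q("soap", "Header"))
    ET.SubElement(hdr, q("wsa", "Action")).text = "%s/RST/%s" % (WST, request_type)
    if username is not None:
        ut = ET.SubElement(ET.SubElement(hdr, q("wsse", "Security")), q("wsse", "UsernameToken"))
        ET.SubElement(ut, q("wsse", "Username")).text = username
        ET.SubElement(ut, q("wsse", "Password")).text = password
    rst = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("wst", "RequestSecurityToken"))
    ET.SubElement(rst, q("wst", "RequestType")).text = "%s/%s" % (WST, request_type)
    ET.SubElement(rst, q("wst", "TokenType")).text = SAML2_TOKEN
    if target is not None:
        ET.SubElement(rst, q("wst", request_type + "Target")).append(copy.deepcopy(target))
    return ET.tostring(env, encoding="unicode")

def subject_of(assertion):
    return assertion.findtext("saml2:Subject/saml2:NameID", namespaces=NS)

def issued_token(rstr_xml):
    """The saml2:Assertion inside an RSTR/RSTRC, or None (e.g. for a SOAP fault)."""
    return ET.fromstring(rstr_xml).find(".//wst:RequestedSecurityToken/saml2:Assertion", NS)

def is_fault(xml_text):
    return ET.fromstring(xml_text).find("soap:Body/soap:Fault", NS) is not None

class SecurityTokenService:
    """Profile Handler (handle), Token Authority (_assertion, issued) and a constructed
    user table standing in for the Resolver's LDAP lookup."""

    def __init__(self, users, lifetime=timedelta(hours=1)):
        self.users = users            # constructed: username -> password
        self.lifetime = lifetime
        self.issued = {}              # assertion ID -> NotOnOrAfter, for Renew/Cancel/Validate

    def handle(self, rst_xml):
        env = ET.fromstring(rst_xml)
        rst = env.find("soap:Body/wst:RequestSecurityToken", NS)
        op = rst.findtext("wst:RequestType", namespaces=NS).rsplit("/", 1)[1]
        now = datetime.now(timezone.utc)
        if op == "Issue":
            ut = env.find("soap:Header/wsse:Security/wsse:UsernameToken", NS)
            user = ut.findtext("wsse:Username", namespaces=NS) if ut is not None else None
            if user is None or self.users.get(user) != ut.findtext("wsse:Password", namespaces=NS):
                return self._fault("authentication of the incoming claim failed")
            return self._rstr(token=self._assertion(user, now), collection=True)
        target = rst.find("wst:%sTarget/saml2:Assertion" % op, NS)
        tid = target.get("ID") if target is not None else None
        if tid not in self.issued or self.issued[tid] <= now:
            return self._fault("target token unknown, expired or cancelled")
        if op == "Validate":
            return self._rstr(status="valid")
        if op == "Cancel":
            del self.issued[tid]
            return self._rstr(cancelled=True)
        if op == "Renew":   # fresh ID and lifetime for the same subject; the old token is retired
            del self.issued[tid]
            return self._rstr(token=self._assertion(subject_of(target), now))
        return self._fault("unsupported RequestType")

    def _assertion(self, subject, now):
        """Unsigned SAML 2.0 assertion; a real STS adds ds:Signature via an XMLDSig library."""
        expiry = now + self.lifetime
        a = ET.Element(q("saml2", "Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0",
                       IssueInstant=now.strftime(TIME_FMT))
        ET.SubElement(a, q("saml2", "Issuer")).text = STS_ENTITY_ID
        ET.SubElement(ET.SubElement(a, q("saml2", "Subject")), q("saml2", "NameID")).text = subject
        ET.SubElement(a, q("saml2", "Conditions"), NotBefore=now.strftime(TIME_FMT),
                      NotOnOrAfter=expiry.strftime(TIME_FMT))
        self.issued[a.get("ID")] = expiry
        return a

    def _rstr(self, token=None, status=None, cancelled=False, collection=False):
        env = ET.Element(q("soap", "Envelope"))
        parent = ET.SubElement(env, q("soap", "Body"))
        if collection:   # WS-Trust 1.3 wraps Issue responses in an RSTR collection
            parent = ET.SubElement(parent, q("wst", "RequestSecurityTokenResponseCollection"))
        rstr = ET.SubElement(parent, q("wst", "RequestSecurityTokenResponse"))
        if token is not None:
            ET.SubElement(rstr, q("wst", "TokenType")).text = SAML2_TOKEN
            ET.SubElement(rstr, q("wst", "RequestedSecurityToken")).append(token)
        if status is not None:
            code = ET.SubElement(ET.SubElement(rstr, q("wst", "Status")), q("wst", "Code"))
            code.text = "%s/status/%s" % (WST, status)
        if cancelled:
            ET.SubElement(rstr, q("wst", "RequestedTokenCancelled"))
        return ET.tostring(env, encoding="unicode")

    def _fault(self, reason):
        env = ET.Element(q("soap", "Envelope"))
        fault = ET.SubElement(ET.SubElement(env, q("soap", "Body")), q("soap", "Fault"))
        ET.SubElement(ET.SubElement(fault, q("soap", "Code")), q("soap", "Value")).text = "soap:Sender"
        ET.SubElement(ET.SubElement(fault, q("soap", "Reason")), q("soap", "Text")).text = reason
        return ET.tostring(env, encoding="unicode")
```

A typical run is `sts = SecurityTokenService({"alice": "s3cret"})`, then `issued_token(sts.handle(build_rst("Issue", username="alice", password="s3cret")))` for the assertion, which can then be passed as `target` to Renew, Cancel or Validate. The point worth noticing is the `issued` table: Renew, Cancel and Validate are only meaningful if the STS remembers what it issued, so a renewed token gets a new ID and the old one stops validating, and a cancelled token can no longer be renewed.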

Trust Model: X.509 to SAML
X.509 validation
– Service A and the STS validate the X.509 token (X.509 trust based on the IGTF trust anchors).
SAML validation
– Service B must validate and trust the SAML token issued by the STS (SAML trust domain).

Trust Model: SAML to X.509
SAML validation
– Service A and the STS must validate and trust the SAML token issued by an IdP/AA (SAML trust domain).
X.509 validation
– Service B validates the X.509 token issued by the STS (based on the IGTF trust anchors).

SAML Trust Model
SAML token issuance
– The STS must be able to issue a SAML token to another service (signed and encrypted?).
SAML token validation and trust
– Services must be able to validate and trust a SAML token issued by another service (STS, IdP, attribute authority, ...).
=> A SAML trust domain must be defined, using metadata (Shibboleth):
– Entity ID (uniquely identifies an SP, IdP, AA, ...)
– KeyInfo (X.509 certificate for signature/encryption)
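What "defining the SAML trust domain using metadata" amounts to in code, as an added example that is not part of the original slides or of any Shibboleth or EMI component. It builds the trust domain of slides 18 to 20 from Shibboleth-style metadata (entityID plus the signing certificates in KeyDescriptor/KeyInfo) and then checks an assertion's issuer, signing certificate, validity window and audience against it. The cryptographic step, verifying ds:SignatureValue with an XMLDSig library, is assumed to have happened already; what this code adds is the binding that makes a valid signature worth anything, namely that the key used is one the claimed issuer is registered with. A signature from a key registered to a different entity, a common key-substitution mistake, is therefore rejected. The entity names (idp.example.org, aa.example.org, sts.example.org) and the "certificates", which are constructed placeholder bytes rather than real DER, are assumptions of this example.

```python
# Added example, not from the EMI slides: the SAML trust-domain checks driven by
# Shibboleth-style metadata (entityID plus KeyInfo). Stdlib only; entity names are
# assumed and the "certificates" are constructed placeholder bytes, not real DER.
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def utc(stamp):
    """Parse a SAML UTC timestamp such as 2010-05-12T10:00:00Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def fingerprint(b64_der):
    """SHA-256 over the certificate's DER bytes; base64 line breaks are ignored."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def load_trust_domain(metadata_xml):
    """entityID -> fingerprints of the certificates that entity may sign with.
    No use attribute means signing and encryption; use="encryption" keys must
    never be accepted as signing keys."""
    domain = {}
    for ed in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % NS["md"]):
        keys = set()
        for kd in ed.iter("{%s}KeyDescriptor" % NS["md"]):
            if kd.get("use", "signing") != "signing":
                continue
            for cert in kd.iter("{%s}X509Certificate" % NS["ds"]):
                keys.add(fingerprint(cert.text))
        domain[ed.get("entityID")] = keys
    return domain

def check_assertion(assertion_xml, domain, my_entity_id, now):
    """Reasons to reject; [] means the trust-domain checks pass. Assumes an XMLDSig
    library has already verified ds:SignatureValue with the certificate in ds:KeyInfo;
    this decides whether the claimed issuer is actually registered with that key."""
    a = ET.fromstring(assertion_xml)
    problems = []
    issuer = a.findtext("saml2:Issuer", namespaces=NS)
    if issuer not in domain:
        problems.append("issuer not in SAML trust domain: %s" % issuer)
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        problems.append("no signing certificate in ds:KeyInfo")
    elif fingerprint(cert) not in domain.get(issuer, set()):
        problems.append("signing certificate not registered in metadata for this issuer")
    cond = a.find("saml2:Conditions", NS)
    if cond is None:
        return problems + ["no saml2:Conditions"]
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb is not None and now < utc(nb):
        problems.append("assertion not yet valid")
    if na is None or now >= utc(na):
        problems.append("assertion expired or has no NotOnOrAfter")
    audiences = [e.text for e in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
    if my_entity_id not in audiences:
        problems.append("AudienceRestriction does not name this service")
    return problems

# Constructed metadata for one IdP and one Attribute Authority (entity names assumed).
IDP_CERT = base64.b64encode(b"constructed DER placeholder for idp.example.org").decode()
AA_CERT = base64.b64encode(b"constructed DER placeholder for aa.example.org").decode()
METADATA = """<md:EntitiesDescriptor xmlns:md="%(md)s" xmlns:ds="%(ds)s">
 <md:EntityDescriptor entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%(idp)s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="https://aa.example.org/aa">
  <md:AttributeAuthorityDescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
   <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%(aa)s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:AttributeAuthorityDescriptor>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % dict(NS, idp=IDP_CERT, aa=AA_CERT)

def make_assertion(issuer, cert, audience, not_before, not_on_or_after):
    """Constructed assertion; ds:SignedInfo/ds:SignatureValue are omitted because this
    example does not perform the cryptographic signature check itself."""
    return """<saml2:Assertion xmlns:saml2="%s" xmlns:ds="%s" ID="_1" Version="2.0" IssueInstant="%s">
 <saml2:Issuer>%s</saml2:Issuer>
 <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
 <saml2:Subject><saml2:NameID>alice@example.org</saml2:NameID></saml2:Subject>
 <saml2:Conditions NotBefore="%s" NotOnOrAfter="%s">
  <saml2:AudienceRestriction><saml2:Audience>%s</saml2:Audience></saml2:AudienceRestriction>
 </saml2:Conditions>
</saml2:Assertion>""" % (NS["saml2"], NS["ds"], not_before, issuer, cert, not_before, not_on_or_after, audience)
```

In deployment the metadata would be the federation's signed aggregate rather than an inline string, and the service would be expected to refresh it and to reject entities whose descriptors have expired; the check itself is what a service B on slide 18, or the STS on slide 19, runs before it believes anything an assertion says.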

Issues / Questions
Handling trust between trust domains
– authentication assertions
– attribute handling (VOMS, IdP)
– what requirements do you put on the STS and on the other trust domain? (linking trust domains)
Issuance of certificates
– proxies
– interaction STS/IdP/VOMS
– private key handling
Attribute handling / attribute trust?

EMI is partially funded by the European Commission under Grant Agreement RI. Thank you!