Shibboleth and TAGPMA Michael Helm DOEGRids/ESnet 27 Mar 2006.

TAGPMA, 27 Mar 2006

What is Shibboleth?
Standard Internet2 description:
–Architecture
–Project
–Codebase
–Offshoots: InCommon (a federation, one of many); GridShib (Grid and Shibboleth integration); SAML (transport)

What is Shibboleth?
Judges 12:6 (KJV): Then said they unto him, Say now Shibboleth: and he said Sibboleth: for he could not frame to pronounce it right. Then they took him, and slew him at the passages of Jordan: and there fell at that time of the Ephraimites forty and two thousand.
Jueces 12:6, given in Spanish on the slide: Entonces, le decían: Di, pues, la palabra Shibolet; pero él decía Sibolet, porque no podía pronunciarla correctamente. Entonces le echaban mano y lo mataban junto a los vados del Jordán. Y cayeron en aquella ocasión cuarenta y dos mil de los de Efraín.
In English: Then they said to him: say, then, the word Shibolet; but he said Sibolet, because he could not pronounce it correctly. Then they seized him and killed him at the fords of the Jordan. And on that occasion forty-two thousand of the men of Ephraim fell.

Why is Shibboleth Important?
US: Internet2's "long bet" on authentication and authorization
–Note: Internet2 is the largest US NREN: 200+ universities, multiple layers of projects, optical networking, etc.
–Relationship with ESnet, NASA, etc.
US Higher Education federation
Other NRENs
–There are other AAA projects
Other: US Government
–Whether all these federations can interoperate

Shibboleth Architecture
Next set of slides from I2 (Michael Gettes et al.), used for illustration; the illustration is probably from SWITCH.

Shibboleth Architecture
Handle Service
–Yields a "Handle token": a SAML authentication assertion, used as a bearer credential
–Neutral as to the authentication back end (e.g. LDAP)
Attribute Authority
–The AA is presented with a Handle token and returns the appropriate attributes for this user.
Target Resource (Service Provider)
–Finds the user's institution and understands the appropriate attributes
WAYF
–External service used to find the home institution

Shibboleth AA Process
Actors: the user's browser; the Service Provider (Web Site, ACS, AR, Resource Manager); the WAYF; the Identity Provider (HS, User DB, AA).
1. The user requests the resource at the Service Provider's web site.
2. ACS: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
3. WAYF: "Please tell me where are you from?"
4. WAYF: "OK, I redirect your request now to the Handle Service of your home org."
5. HS: "I don't know you. Please authenticate using WEBLOGIN."
6. The user presents credentials; the HS checks them against the User DB.
7. HS: "OK, I know you now. I redirect your request to the target, together with a handle."
8. ACS to AR: "I don't know the attributes of this user. Let's ask the Attribute Authority." (The handle is sent to the AA.)
9. AA: "Let's pass over the attributes the user has allowed me to release." (Attributes are returned to the AR.)
10. Resource Manager: "OK, based on the attributes, I grant access to the resource."
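The ten-step exchange above, modelled in code as an added example (this is not Shibboleth's own code or the presenter's): one Identity Provider with a Handle Service and Attribute Authority, two Service Providers with different attribute requirements, and a user-controlled attribute release policy. The user database, the `grid-portal` and `journal` service providers, the entitlement value and the handle lifetime are constructed; `eduPersonAffiliation` and `eduPersonEntitlement` are real eduPerson attribute names.

```python
"""Added example, not Shibboleth code: an in-process model of the ten-step
attribute flow on the slide. Component names follow the slide; the user DB,
release policy, attribute values and service-provider names are constructed."""
import secrets
import time
from dataclasses import dataclass

HANDLE_TTL_SECONDS = 300  # assumed handle lifetime; real deployments configure this


@dataclass
class Handle:
    """The 'handle token': an opaque, short-lived bearer reference to an
    authentication event at the IdP. It carries no user attributes itself."""
    value: str
    not_on_or_after: float


class IdentityProvider:
    """Handle Service (HS), user DB and Attribute Authority (AA) of one home org."""

    def __init__(self, name, user_db, release_policy):
        self.name = name
        self.user_db = user_db                # username -> {"password", "attributes"}
        self.release_policy = release_policy  # (username, sp_name) -> attribute names
        self._handles = {}                    # handle value -> (username, Handle)

    def handle_service(self, username, password):
        """Steps 5 to 7: WEBLOGIN against the user DB; on success mint a handle."""
        rec = self.user_db.get(username)
        if rec is None or not secrets.compare_digest(rec["password"], password):
            return None
        handle = Handle(secrets.token_urlsafe(16), time.time() + HANDLE_TTL_SECONDS)
        self._handles[handle.value] = (username, handle)
        return handle

    def attribute_authority(self, handle_value, requesting_sp):
        """Step 9: resolve the handle and release only what the user's
        attribute release policy allows for this particular SP."""
        entry = self._handles.get(handle_value)
        if entry is None:
            return None
        username, handle = entry
        if time.time() >= handle.not_on_or_after:   # expired handle
            del self._handles[handle_value]
            return None
        allowed = self.release_policy(username, requesting_sp)
        attrs = self.user_db[username]["attributes"]
        return {k: v for k, v in attrs.items() if k in allowed}


class ServiceProvider:
    """Target: ACS (receives the handle), AR (asks the AA) and Resource Manager."""

    def __init__(self, name, federation, required):
        self.name = name
        self.federation = federation  # home org -> IdentityProvider (federation metadata)
        self.required = required      # attribute name -> set of acceptable values

    def access(self, home_org, username, password):
        # Steps 1 to 4: the SP knows neither the user nor their home org; the
        # WAYF answer (home_org) selects which Handle Service to redirect to.
        idp = self.federation.get(home_org)
        if idp is None:
            return False, "home organisation not in federation", {}
        handle = idp.handle_service(username, password)
        if handle is None:
            return False, "authentication failed", {}
        # Step 8: the ACS holds only a handle, so the AR presents it to the AA.
        attrs = idp.attribute_authority(handle.value, self.name)
        if attrs is None:
            return False, "handle rejected by attribute authority", {}
        # Step 10: the Resource Manager decides on attributes alone; it never
        # sees the username, which is where the flow's privacy property comes from.
        for name, ok_values in self.required.items():
            if attrs.get(name) not in ok_values:
                return False, f"attribute {name} missing or not acceptable", attrs
        return True, "access granted", attrs


# Constructed sample federation: one IdP, two SPs with different requirements.
USER_DB = {
    "alice": {"password": "correct-horse",
              "attributes": {"eduPersonAffiliation": "faculty",
                             "eduPersonEntitlement": "urn:example:grid:access",
                             "mail": "alice@example.edu"}},
}

def release_policy(username, sp_name):
    """Attribute Release Policy: affiliation to any SP, the entitlement only to
    the grid portal, and the mail address to nobody."""
    allowed = {"eduPersonAffiliation"}
    if sp_name == "grid-portal":
        allowed.add("eduPersonEntitlement")
    return allowed

FEDERATION = {"example.edu": IdentityProvider("example.edu", USER_DB, release_policy)}
SERVICE_PROVIDERS = {
    "grid-portal": ServiceProvider("grid-portal", FEDERATION,
                                   {"eduPersonEntitlement": {"urn:example:grid:access"}}),
    "journal": ServiceProvider("journal", FEDERATION,
                               {"eduPersonAffiliation": {"faculty", "staff", "student"}}),
}

def run_flow(sp_name, home_org, username, password):
    """One access attempt; returns (granted, reason, attributes released to the SP)."""
    return SERVICE_PROVIDERS[sp_name].access(home_org, username, password)
```

Running `run_flow("grid-portal", "example.edu", "alice", "correct-horse")` grants access and shows the SP receiving only affiliation and entitlement, while the `journal` SP gets affiliation alone; the mail address never leaves the IdP, and an unknown handle or a wrong password fails before any attribute is released.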

From the Shibboleth architecture document: two diagram slides showing the Origin (identity provider) side and the Target (service provider) side.

Shibboleth Limitations
Limited IdP
–The Identity Provider does all the work
–What about distributed authorization?
–Attribute Authority, authentication and authorization are often linked together, which requires strong trust in the IdP
Limited deployment (web)
Grid incompatibility
Focused on enterprises
–Marketing limitation
Many of these issues are being addressed.

Shibboleth Strengths
Privacy
–Chaotic story in Grids, but mostly, none
Standardization
–Relatively open development process
Marketing
–US Higher Ed
–Non-US: Higher Ed and NRENs
–US Government
–Well supported, and development continues

GridShib (NCSA)
NSF funded, development centered at NCSA
–Argonne National Lab (ANL), Globus, University of Chicago
Really, Shibboleth -> Grid
–Enable use of some Shibboleth attributes in a Grid context
Replace the Shibboleth "Handle token" with a PKI credential
Using XACML
Next 3 slides from the NCSA GridShib overview

The GridShib picture
(0) Attribute Release Policy: set by the campus user at Shibboleth
(1) Grid Authentication: campus user to Grid Service
(2) Shib Attribute Request: Grid Service to Shibboleth
(3) Attributes: Shibboleth to Grid Service
(4) Attribute-based authorization at the Grid Service

GridShib Integration Principles
No modification to typical grid client applications
Leverage Shibboleth's attribute administration and end-user maintenance of attribute release policies
Leverage high-quality campus Identity Provider operations
Leverage high-quality Shib and Grid software

GridShib Challenges
Use of an identifier in the X.509 certificate as a subject handle for use by the Shib Attribute Authority (SAA)
–Shibboleth v1.3 should handle this
–Name mapping has proved challenging
–Focusing on MyProxy to solve? IdP function?
Allowing VOs to define attributes meaningful to them
Attribute Authority identification
–"Where Are You From" problem
Plumbing interconnect
Translating requirements into meaningful authorization policy
Support pseudonymity (Shibboleth requirement)
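The GridShib picture three slides back and the challenges just listed, worked through as an added example (not GridShib's or NCSA's code): a certificate subject DN serves as the subject handle, the Attribute Authority is located from the certificate issuer instead of a WAYF prompt, a name-mapping table binds the DN to a campus principal, and a VO-defined attribute drives the authorization decision. The CA, user DNs, the `urn:example:vo:role` attribute and the `aa.example.edu` authority are all constructed; the DN normalizer is included because the two common DN serializations (OpenSSL one-line and RFC 2253) are a routine source of name-mapping failures.

```python
"""Added example, not GridShib code: a model of the challenges on the slide,
namely the X.509 subject DN as the subject handle, locating the Attribute
Authority without a WAYF prompt, mapping the DN to a campus principal, and
authorizing on a VO-defined attribute. All DNs, names and URIs are constructed."""


def canonical_dn(dn):
    """Normalize an X.500 name given either in OpenSSL one-line form
    ('/DC=org/DC=x/CN=y') or RFC 2253 form ('CN=y,DC=x,DC=org') into one
    comparable tuple, so a name-mapping lookup is not defeated by formatting
    differences between the grid stack and the campus. Escaped separators are
    not handled; the constructed DNs here contain none."""
    if dn.startswith("/"):
        parts = dn[1:].split("/")
    else:
        parts = list(reversed(dn.split(",")))
    rdns = []
    for part in parts:
        attr_type, _, value = part.partition("=")
        rdns.append((attr_type.strip().upper(), value.strip()))
    return tuple(rdns)


# "Where Are You From" for a non-interactive grid client: the AA is derived
# from the certificate issuer rather than asked of a user. Constructed metadata.
ISSUER_TO_AA = {
    canonical_dn("/DC=org/DC=examplegrid/CN=Example Grid CA"): "aa.example.edu",
}

# Name-mapping registry held by each AA: the binding the slide calls challenging.
# Assumed to have been populated when the user registered the certificate with
# the campus (the slide mentions MyProxy as a candidate for this role).
DN_TO_PRINCIPAL = {
    "aa.example.edu": {
        canonical_dn("/DC=org/DC=examplegrid/OU=People/CN=Alice Example 1234"): "alice",
    },
}

# Attribute store behind each AA. 'urn:example:vo:role' stands for an attribute
# a VO has defined for its own purposes, as the slide asks for.
ATTRIBUTES = {
    "aa.example.edu": {
        "alice": {"eduPersonAffiliation": "faculty", "urn:example:vo:role": "analyst"},
    },
}

# Per-principal release policy. The principal name itself is never returned,
# so the grid service learns a pseudonymous subject plus released attributes only.
RELEASE = {"alice": {"eduPersonAffiliation", "urn:example:vo:role"}}


def locate_attribute_authority(issuer_dn):
    return ISSUER_TO_AA.get(canonical_dn(issuer_dn))


def attribute_query(aa, subject_dn):
    """The Shib Attribute Authority queried with the certificate DN as the handle."""
    principal = DN_TO_PRINCIPAL.get(aa, {}).get(canonical_dn(subject_dn))
    if principal is None:
        return None  # name mapping failed: the AA holds no binding for this DN
    allowed = RELEASE.get(principal, set())
    return {k: v for k, v in ATTRIBUTES[aa][principal].items() if k in allowed}


def authorize(subject_dn, issuer_dn, vo_policy):
    """Steps (1) to (4) of the GridShib picture for one request.
    vo_policy maps attribute name -> set of accepted values."""
    aa = locate_attribute_authority(issuer_dn)
    if aa is None:
        return False, "no attribute authority known for certificate issuer"
    attrs = attribute_query(aa, subject_dn)
    if attrs is None:
        return False, "subject DN not mapped at attribute authority"
    for name, accepted in vo_policy.items():
        if attrs.get(name) not in accepted:
            return False, f"policy requires {name} in {sorted(accepted)}"
    return True, "authorized"


# Constructed request data used by the checks below.
GRID_CA = "/DC=org/DC=examplegrid/CN=Example Grid CA"
ALICE_DN_RFC2253 = "CN=Alice Example 1234,OU=People,DC=examplegrid,DC=org"
VO_POLICY = {"urn:example:vo:role": {"analyst", "admin"}}
```

`authorize(ALICE_DN_RFC2253, GRID_CA, VO_POLICY)` succeeds even though the registry was keyed with the OpenSSL form of the same name; a certificate from an unknown CA fails at AA location, an unregistered DN fails at name mapping, and a VO policy the released attributes do not satisfy fails at the final step, which is the order in which a GridShib-style deployment would have to diagnose such problems.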

Shibboleth and Grid Authentication/Authorization
Grid: community driven?
Grid: distributed authorization
Shibboleth: fundamentally based on the site (or VO?)
–That is, it assumes a strong site open to working in this area, which is not always true
Grid -> Shibboleth?
–Projects exist in this area

US DOE Lab/ESnet Shibboleth
Something new: DOE Lab CIOs have commissioned a pilot Shibboleth test bed and policy development activity
US DOE research labs are heavily influenced by trends and needs in US academic research (NSF, EDUCAUSE, and other US Gov't funding sources)
US DOE labs have limited resources for development in this area
–Shibboleth et al. is both good news and bad news here:
–Standard development platform
–Limited resources to make changes

Shibboleth Federation
Shibboleth makes no sense without a federation component; otherwise, why bother.
InCommon (Internet2): US Higher Ed example of a Shibboleth federation
–There are some others: SWITCH, UK
US legal system
–More complex bylaws, legal membership and status, etc.
Good example or bad example?
–Some market inhibition
–International legal context
–Are our member organizations interested in federating for this purpose? TAGPMA?

E-Authentication (separate)
Summary
Overlapping communities
Overlapping interests
What interest in this?

Acknowledgements
Technical content in most slides drawn from Michael Gettes et al. from I2; from Von Welch et al. from NCSA; a bit from David Chadwick, and others.

Summary
Overlapping communities
Overlapping interests
What interest do we have in this?