Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.
The Problem
- Integrated Access (Authentication)
- Identity management
- Implemented locally…
- …integrate with future national efforts…
- …and international

What’s in SSO?
- More than just “type password once”
- Identity management, user management
- Credential conversions
  – Certificates, AD/K5
  – Protection of credentials
- Thin clients vs thick clients
- Passwords and -phrases
  – validation
  – Single password to all resources

What’s in SSO (authentication)?
- Portals
- MyProxy
- Account management
- Java gsissh terminal
- SDSC SRB
- SRM
- Tapestore
- Active Directory
- Kerberos
- Challenge: get distinct components to talk together

Authentication – web based
- If on-site, use federal id (Active Directory/Kerberos)
- If off-site, use certificate
  – if loaded into browser
- Otherwise username/password
  – Same as fed username/password
  – Not allowed to store password…
- System must know these are the same

Java SSH Term
- Written in Java (no, really)
  – Standalone – untar and run
  – Applet
- xterm
  – Understands (most) ANSI control sequences

Java SSH Term
- Took open source terminal (on sf.net)
- And GSISSH plugin contributed from Canada
- And developed:
  – Integration with myproxy
  – Various tweaks and fixes

Java SSH Term
[Diagram: terminal session showing “> echo hello world” / “hello world”, with components MyProxy, User Interface, ID database, VOMS, WN, SRB, SRM]

Java SSH Term
- Integrate with site Active Directory
- Works! But only with Java 1.6
  – Available in beta

Java SSH Term – User view
- Use “proper” Grid (X.509) cert
  – Upload a proxy to myproxy once a week
  – Terminal gets proxies where you need them
- Or use a proxy from the built-in CA
- No need for PKCS#12 -> PEM conversion
  – Or even no need for understanding certs

Java SSH Term – Admin view
- Can shut down vanilla ssh
- Key management is Somebody Else’s Problem™
- Decreased support load… (potentially)
- Must trust a MyProxy CA
  – UK: Tie into CA hierarchy

Java SSH Term
- Try it!

User Management
- DLS and ISIS have users
- Already ~ unique users in DB
  – How to establish – and maintain – uniqueness?
- Users get accounts locally
  – Accounts set up by User Office
  – Give them Unix UID? RFIO and NFS use 16 bit UID…

Vintela
- Used by Diamond Light Source (synchrotron) – not all of CCLRC/RAL
- Commercial
- Manage user accounts across Linux and Windows
- Uses RFC2307-with-extensions
  – “Make more scalable”
- Caching daemon makes system scalable

Vintela “Active Roles”
- Users can unlock their own accounts
  – Questions
- Scriptable user creation
- NSS module for NIS
- PAM module calls out to Active Directory
- Support for RH, SuSE, Solaris, HPUX, AIX
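A check for the user-management point above (keeping users unique, and Unix UIDs within the 16 bits that RFIO and NFS carry) applied to the RFC 2307 posixAccount entries a Vintela-style NSS module reads from the directory, as an added example that is not from the presentation; the LDIF sample and the helper functions are constructed for illustration.

```python
"""RFC 2307 posixAccount checks: uid and uidNumber unique, uidNumber within 16
bits (RFIO/NFS limit). Hypothetical helper code; the LDIF is constructed sample data."""
UID_MAX_16BIT = 0xFFFF  # largest UID RFIO and 16-bit NFS can carry
# Constructed sample: bob's uidNumber exceeds 16 bits, carol reuses alice's.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 1001

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: bob
uidNumber: 70000
gidNumber: 1002

dn: uid=carol,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: carol
uidNumber: 1001
gidNumber: 1003
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per posixAccount entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        if "posixAccount" in attrs.get("objectClass", []):
            entries.append(attrs)
    return entries

def check_accounts(entries):
    """List uniqueness and 16-bit UID violations; empty list means clean."""
    problems, names, uids = [], set(), {}
    for e in entries:
        name, uid = e["uid"][0], int(e["uidNumber"][0])
        if name in names:
            problems.append(f"duplicate uid {name}")
        names.add(name)
        if uid in uids:
            problems.append(f"uidNumber {uid} shared by {uids[uid]} and {name}")
        uids.setdefault(uid, name)
        if uid > UID_MAX_16BIT:
            problems.append(f"uidNumber {uid} for {name} exceeds 16 bits")
    return problems
```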

Future work
- Better database integration (eduPerson++)
- Related Shib work with Oxford
  – Now funded, 2 p.yr.
- Authorisation
  – VOMS integration
- Ponder credential conversions/protection
  – Need extra info (staff, temporary, visitor)
  – Work on-going between CAs in IGTF

Future work
- Integrate Grid services with UK-wide infrastructure (JISC)
  – Shibboleth for all higher and further education
  – Lots of additional middleware effort
- CCLRC involved in writing JISC 10 yr AAA roadmap

Summary
- Terminal access to Grid
  – In production
  – Non-certificate access via myproxy
- To integrate with CA rollover
  – Handles all grid-proxy-init
- Much of account management solved
- Integrating with future SSO efforts