OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland

Slides:

Advertisements

Similar presentations

Demonstrations at PRAGMA demos are nominated by WG chairs Did not call for demos. We will select the best demo(s) Criteria is under discussion. Notes.

Advertisements

Federated Identity for Grid Architects Tom Scavo NCSA

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

AHM 2008, 11 th September 2008 Supporting Security-Oriented Interdisciplinary Research: Crossing the Social, Clinical and Geospatial Domains Prof. Richard.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

Authz work in GGF David Chadwick

Security Approaches and Requirements John Watt NCeSS Conference Workshop 3 Data Management through e-Social Science June 18th 2008.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (

The EC PERMIS Project David Chadwick

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

Federated A(A(A))I Jens Jensen hepsysman, RAL,

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

Authorization Use Cases Identity and Authorization Services Working Group (IAS-WG) April, 2010.

UK e-Science All Hands Meeting, September 2007 The GLASS Project: Supporting Secure Shibboleth-based Single Sign-On to Campus Resources John Watt (

E-Science Institute Neuro- workshop, 28 th November 2006 Virtual Organisations for Trials and Epidemiological Studies (VOTES) – Experiences & Prototypes.

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

Shibboleth Update Michael Gettes Principal Technologist Georgetown University Ken Klingenstein Director Interne2 Middleware Initiative.

GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.

MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.

JISC Middleware Security Workshop 20/10/05© 2005 University of Kent.1 The PERMIS Authorisation Infrastructure David Chadwick

Supporting the Clinical Trial Recruitment Process through the Grid 19 th September th UK e-Science All-Hands Meeting University of Glasgow, Scotland,

Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.

VO. VOMS 1. Authentication2. Credentials 3. Authentication Client Resource.

Delegation of Authority David Chadwick

Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.

GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.

INFSO-RI Enabling Grids for E-sciencE LCAS/LCMAPS and WSS Site Access Control boundary conditions David Groep et al. NIKHEF.

University of Washington Identity and Access Management IEEAF – RENU Network Design Workshop Seattle - 29 Nov 2007 Lori Stevens, Director, Distributed.

PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Authorization GGF-6 Grid Authorization Concepts Proposed work item of Authorization WG Chicago, IL - Oct 15 th 2002 Leon Gommans Advanced Internet.

Dynamic Privilege Management Infrastructures Utilising Secure Attribute Exchange Dr John Watt Grid Developer, National e-Science Centre University of Glasgow.

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware Infrastructure.

Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.

Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.

INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.

WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

VOTES Virtual Organisations for Trials and Epidemiological Studies Overview The development.

Secure Federated Data Retrieval in Clinical Trials 4 th July 2006 IASTED Telehealth Conference, Banff, Alberta University of Glasgow, Scotland, UK Anthony.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.

Virtual Organisations for Trials and Epidemiological Studies (VOTES) Overview VOTES is a pioneering project investigating the application of Grid technology.

Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.

Oracle Virtual Directory

Virtual Organisation Management in the Level 2 Grid Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College.

Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.

e-Infrastructure Workshop 28th March 2006, University of Leeds

CRC exercises Not happy with the way the document for testbed architecture is progressing More a collection of contributions from the mware groups rather.

OGF 21 Seattle Washington

NSF Middleware Initiative: GridShib

O. Otenko PERMIS Project Salford University © 2002

GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,

A Grid Authorization Model for Science Gateways

NSF Middleware Initiative: GridShib

Presentation transcript:

OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland

OGF22 25 th February 2008 Shibboleth Scenario Service provider Shib Frontend 5. Pass authentication info and attributes to authZ function Grid Portal 6. Make final AuthZ decision Grid Application Identity Provider Home Institution W.A.Y.F. Federation User 1. User points browser at Grid resource/portal 2. Shibboleth redirects user to W.A.Y.F. service 3.User selects their home institution 4. Home site authenticates user and pushes attributes to the service provider AuthN LDAP AuthZ ? What sites + attributes to accept (trust)? What attributes to send? Only see/use what allowed to? uid Log-in once and roam

OGF22 25 th February 2008 Centralised Shibboleth Scenario Service provider 5. Pass authentication info and attributes to authZ function Grid Portal 6. Make final AuthZ decision Grid Application Identity Provider Home Institution W.A.Y.F. Federation User 1. User points browser at Grid resource/portal 2. Shibboleth redirects user to W.A.Y.F. service 3.User selects their home institution 4. Home site authenticates user and pushes attributes to the service provider AuthN LDAP AuthZ VO wide authZ

OGF22 25 th February 2008 VOMS

OGF22 25 th February 2008 VOMS

OGF22 25 th February 2008 VOTES Virtual Organisations for Trials and Epidemiological Studies 3 year (£2.8M) MRC funded project started October 2005 Plans to develop framework for producing Grid infrastructures to address key components of clinical trial/observational study  Recruitment of potentially eligible participants  Data collection during the study  Study administration and coordination –Involves Glasgow, Oxford, Leicester/Nottingham, Manchester, Imperial »Direct links with UK Biobank, Generation Scotland Scottish Family Health Study

OGF22 25 th February 2008 VOTES Distributed Data Framework Service

OGF22 25 th February 2008 Existing Demonstration (pushing attributes in SAML)

OGF22 25 th February 2008

OGF22 25 th February 2008

OGF22 25 th February 2008

OGF22 25 th February 2008

OGF22 25 th February 2008

OGF22 25 th February 2008

OGF22 25 th February 2008

OGF22 25 th February 2008 VOMS’ing

OGF22 25 th February 2008 The Scenario (1) A VOTES diabetes service is deployed on a GT4 infrastructure (2) A user runs “voms-proxy-init” to generate a proxy certificate including VOMS credentials (3) and tries to invoke the protected stored procedure (4) The PEP passes the user information (including proxy certificate) to the VOMS PIP (5) VOMS PIP validates the credentials and passes back the VOMS Fully Qualified Attribute Name (FQAN) within the subject attributes. (6) The PEP calls the PERMIS PDP pushing the request information and credentials (7) The PERMIS PDP according to the policy decides if this user with certain attributes is authorized to access the service. (8) If successful the stored procedure is invoked, the federated query run and returned results joined and returned to the end user

OGF22 25 th February 2008

OGF22 25 th February 2008 Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse Interaction Unuccessful Nurse Interaction => java -classpath./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml =>java -classpath./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml

OGF22 25 th February 2008

OGF22 25 th February 2008 Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse role Authorisation of Nurse Client Unsuccessful Nurse role Authorisation of Doctor Client Successful Nurse Interaction Successful Doctor Interaction => java -classpath./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSNurseClient security-configRichard.xml =>java -classpath./build/stubs/classes/:$CLASSPATH org/globus/clients/DataFederationProxy/SecureGSDoctorClient security-configRichard.xml

OGF22 25 th February 2008 The Scenario with Permis (VPMan) (1) The client attempts to invoke the PERMIS protected Geronimo service. The PEP extracts the users DN and identifies that it needs attributes from a VOMS server (2) The PEP, via a Subject PIP, pulls back the relevant attributes from VOMS server (3)and passes them to the PDP (4) The permis PDP makes the decision (5) and if ok, submit job using via GridSAM to appropriate Grid Resource