1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.

Presentation transcript:

1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands Meeting Boulder, Colorado

2 Single Sign On (SSO) Solutions

3 Earth System Grid Center for Enabling Technologies (ESG-CET): Single Sign On Solutions
 PKI SSO
  - Single Sign On for non-browser applications
  - MyProxy Online CA
  - Auto-provisioning of trust configuration
 Web SSO
  - Single sign on for http/https applications
  - OpenID

4-8 MyProxy Login with Provisioning (diagram)
Components: Application Client + PKI Client, App Svc, Online-CA AuthN Svc (MyProxy), Authentication DB, Provisioning Database, Attribute Service
 0. Trusted CA/CRLs
 1. Login: username/password
 2. Authentication and attributes retrieval
 3. Short term X509 credentials with attributes, CAs, CRLs
 4. Access using X509 credentials
 5. Update trust roots

9-14 Browser Web SSO using OpenID (diagram)
Components: Browser, Application Server / Service Provider (SP/RP), Identity Provider (IdP), Authentication DB, Site Attribute Service
 1. Client accesses application server
 2. Redirected to Identity Provider
 3. User authenticates with IdP
 4. AuthN completed, user identity
 4. Authenticated call

15 Integrated WebSSO & PKI-SSO (diagram)
Components: AuthN DB (uname, password), PKI Client, MyProxy Online-CA AuthN Svc, OpenID IdP, Browser Client, Web Svc, PKI App Svc
Flows: u/p => X509 creds (PKI Client to MyProxy); u/p => cookie (Browser Client to OpenID IdP); http-redirect + cookie (Browser Client and Web Svc); X509 PK-authN (PKI Client to PKI App Svc)
Trust: PKI side trusts CA; Web side trusts IdP

16 SSO Integration

17 Gateway Integration: PKI SSO
 PKI SSO
  - Tested MyProxy Online CA with ESG user database
 Next steps:
  - Install MyProxy on Gateway
  - Plan integration/shipping with Gateway software
  - Bootstrap of MyProxy CA certificate
     Download from ESG portal
     Part of ESG client download
     Investigate pre-configured web start application

18 Gateway Integration: OpenID SP
 OpenID Service Provider (SP)
  - Provides SSO for gateway portal
  - Prototyped Acegi filter (Gateway team)
 Next steps:
  - Session management in the portal?
  - Configuration of trusted IdPs
     Add support to OpenID4Java

19 Gateway Integration: OpenID IdP
 OpenID Identity Provider (IdP)
  - IdP front-end to username/password database
  - Must comply with the following requirements:
     SSL should be used for communication
     Identifiers should be Yadis IDs
 Next steps:
  - Design and develop IdP service to host on gateway
     IdP service shell (Gateway team)
     OpenID specifics (Argonne team)
  - Integrate with ESG user database

20 Gateway Integration: Open Issues
 Approved list of IdPs
  - Propagate and update white list of IdPs
     Enforced at ESG-VO's SPs
  - Support for external IdPs?
     Maybe commercial IdP with right "signing-policy"
     Register with ESG?
 Attribute handling
  - Integrate with IdP
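The IdP requirements on slide 19 (SSL, Yadis URL identifiers) and the SP-side white list of IdPs on slides 20 and 39, as an added example of the check a gateway's OpenID service provider would run before redirecting a user to an IdP. This is illustration code, not ESG or OpenID4Java code; the white-list host names are constructed.

```python
# Added example, not ESG or OpenID4Java code: the trust check an OpenID service
# provider (SP/RP) on a gateway would apply to a discovered IdP endpoint before
# redirecting the user there.  It encodes the requirements on these slides:
# SSL must be used, and only IdPs on the ESG-VO white list are accepted.
# The white list entries are constructed host names, not real ESG IdPs.
from urllib.parse import urlsplit

# Constructed white list of approved IdP hosts (slide 39: "White-list of IdPs").
TRUSTED_IDP_HOSTS = {"idp.site-a.example.org", "idp.site-b.example.org"}

def normalize_identifier(identifier: str) -> str:
    """Normalize a user-supplied OpenID URL identifier before discovery:
    default to https://, lowercase the scheme and host, default the path to /,
    and drop any fragment.  A plain http:// scheme is kept so the caller's
    endpoint check can reject it rather than silently upgrading it."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "https://" + ident
    parts = urlsplit(ident)
    host = (parts.hostname or "").lower()
    netloc = host + (f":{parts.port}" if parts.port else "")
    url = f"{parts.scheme.lower()}://{netloc}{parts.path or '/'}"
    return url + (f"?{parts.query}" if parts.query else "")

def idp_is_trusted(op_endpoint: str) -> tuple:
    """Return (accepted, reason) for the OP endpoint that discovery produced."""
    parts = urlsplit(op_endpoint)
    if parts.scheme.lower() != "https":
        return False, "IdP endpoint must use SSL"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in the endpoint URL is not allowed"
    host = (parts.hostname or "").lower()
    # Exact host match only.  A suffix or substring test would also match
    # unrelated hosts that merely contain a white-listed name.
    if host not in TRUSTED_IDP_HOSTS:
        return False, f"IdP host {host!r} is not on the ESG white list"
    return True, "ok"
```

The SP would call normalize_identifier on what the user typed, run Yadis/HTML discovery on the result, and pass the discovered OP endpoint to idp_is_trusted; a False verdict ends the login attempt before any redirect.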

21 Data Publishing Integration: OpenID SP
 Desktop application to publish data
 Two phase publishing
  - Desktop application is unaware of OpenID
 Integrated desktop application
  - Handle OpenID redirect to IdP
  - OpenID Python libraries
  - Issue with IdP login page
     Could be added to IdP profile
 Would PKI based authentication be easier?
  - PKI client authentication can be built in
  - Investigate dual-client authN option on SPs?

22 Data node Integration: PKI SSO
 OPeNDAP server
  - Integrate with PKI SSO solution and GridFTP
  - Prototype integration completed (Jose/Stephan)
 Next steps:
  - MyProxy client/library added to ESG distribution
  - Trusted CA installation
     MyProxy to provision
  - Is OpenID integration required?
  - Issue with delegation of rights for GridFTP?
     SRM: user access to data servers that don't trust ESG CA?

23 Product server Integration: OpenID SP
 Components: LAS and F-TDS
 Use case: access via portal
  - Token-authentication solutions can be adopted (Gateway team)
 Use case: direct client access?
  - OpenID SP tomcat filter
 Integration with backend applications
  - Identity push from LAS to OPeNDAP?

24 Attribute-based Authorization

25 Question
 Current status: if a gateway is down, the user cannot access ESG infrastructure
 Requirement: hours of down time are acceptable
 What does the single sign on solution buy?

26 Attributes and Authorization
 Two types of attributes: VO and Site attributes
  - Maybe distinguish VO-Gateway attributes? Is the distinction needed for ESG?
  - VO attributes important with non-ESG IdP
 Attribute service options
  - Centralized, Gateway, VO level?
 Attribute retrieval options:
  - Push site attributes with authentication
  - Pull VO attributes post-authentication
  - Pull VO attributes during authorization

27 Attributes and Domains (diagram)
Domains: Client's Domain, Gateway's Domain, VO's Domain
Entities: Client, Gateway, ESG-VO Svcs, Site IdP
Attributes: IdP Attr (openID, password, affiliation); Gateway Attr (group, role); VO Attr (group, role)

28 Attributes
 October Test-bed target:
  - Only site attributes
  - Attribute store with IdP
  - Push site attributes with authentication
     OpenID and MyProxy allow for that
 Post-test bed
  - Define transition path to include external IdPs and VO attributes

29 Attributes and Authorization
 SAML Attribute format
  - Signed SAML Assertions with Attribute Statements
  - Can be independently sent on wire
  - OpenSAML, open source library for SAML processing
 Configuration of attribute release policy

30 Attributes and Authorization
 Push attributes as a part of authentication
  - OpenID protocol allows push of attributes
  - MyProxy Online CA can embed attributes in issued certificates
 SAML Attribute format
  - Signed SAML Assertions with Attribute Statements
  - Can be independently sent on wire
  - OpenSAML, open source library for SAML processing

31 Gateway Integration: SSO & Attributes
 Attribute Provider
  - Remote interface to pull down attributes
  - SAML Attribute Query Interface?
 PKI SSO
  - Integrate to pull attributes from site attribute provider
  - Embed in certificate
     SAML attribute assertion or X509 attribute cert?
 Web SSO
  - Pull from site attribute provider
  - Interface in OpenID4Java to callout to attribute provider
     SAML?

32 Gateway Integration: SSO & Attributes
 PKI SSO
  - Integrate to pull attributes from site attribute provider
  - Embed in certificate
     SAML attribute assertion or X509 attribute cert?
 Web SSO
  - Pull from site attribute provider
  - Interface in OpenID4Java to callout to attribute provider
     SAML?

33 Gateway Integration: Open Issues
 VO attributes
  - Either if external IdPs are used, or used in addition to site attributes
  - Attribute service hosted by gateways
  - Central ESG-VO attributes and attribute service?
  - SPs pull down attributes from Attribute Service
 Configuration of attribute release policy?
  - Not required if IdP is set up for ESG use only
     VO membership of SPs is implicit white-list

34 Service Providers and Attributes
 Product services SP:
  - Only relevant in direct access use case
  - Might have to push attributes through to back end applications
 Other SPs:
  - Relevant for authorization filters only

35 Attributes and Authorization
 Authorization policy
  - Centralized policy (or)
  - Per gateway, with only policy on resources owned by the gateway's site (or)
  - Combination of both?
 Centralized policy
  - Replicate to gateway
 Partitioned policy
  - Gateway stores policy only about the resources it owns
  - Does this improve reliability?

36 Attributes and Authorization
 Authorization policy
  - How is it implemented today?

37 Attributes and Authorization
 Authorization service interface for remote access
  - Web services? Protocol needed?
 Configuration for trusted authorization service(s) in application callbacks
  - Endpoint of service
  - Identity of service
  - Trusted certificate
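The attribute model of slide 26 (site attributes pushed at authentication, VO attributes pulled from a VO service) together with the partitioned policy option of slide 35 and the per-service trust configuration of slide 37, as an added example of how a gateway-side authorization decision could be evaluated. This is illustration code, not ESG or Gateway code; the issuer names, resource names and rules are constructed.

```python
# Added example, not ESG or Gateway code: a toy policy decision point that
# models the slides' partitioned policy (each gateway holds rules only for the
# resources its site owns) and the two attribute sources (site attributes from
# a site IdP, VO attributes from the VO attribute service).  Issuer names,
# resource names and rules below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Attribute:
    issuer: str   # who asserted it: a site IdP or the VO attribute service
    name: str
    value: str

@dataclass(frozen=True)
class Rule:
    required: frozenset          # (name, value) pairs that must all be present
    accepted_issuers: frozenset  # issuers whose assertions count for this rule

class GatewayPDP:
    """Policy decision point for one gateway.  It answers only for resources
    under its own prefix; anything else is another gateway's responsibility."""
    def __init__(self, owned_prefix: str, rules: dict):
        self.owned_prefix = owned_prefix
        self.rules = rules

    def decide(self, resource: str, attributes: list) -> str:
        if not resource.startswith(self.owned_prefix):
            return "not-owner"          # partitioned policy: defer to the owner
        rule = self.rules.get(resource)
        if rule is None:
            return "deny"               # no rule means no access (default deny)
        # Only attributes from issuers the rule trusts are considered, so a
        # group or role claim from an unexpected source cannot satisfy it.
        held = {(a.name, a.value) for a in attributes if a.issuer in rule.accepted_issuers}
        return "permit" if rule.required <= held else "deny"

def authorize(resource: str, attributes: list, gateways: list) -> str:
    """Ask each gateway; the owner's verdict wins, default deny if nobody owns it."""
    for pdp in gateways:
        verdict = pdp.decide(resource, attributes)
        if verdict != "not-owner":
            return verdict
    return "deny"

# Constructed deployment: two gateways, each with rules for its own site's data.
GATEWAYS = [
    GatewayPDP("site-a:/", {
        "site-a:/ipcc/ar4": Rule(frozenset({("group", "ipcc"), ("role", "user")}),
                                 frozenset({"vo-attr-svc"})),
    }),
    GatewayPDP("site-b:/", {
        "site-b:/local/obs": Rule(frozenset({("affiliation", "site-b")}),
                                  frozenset({"site-b-idp"})),
    }),
]
```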

38 Service Providers and Authorization
 Gateway Integration
  - Acegi filter to callback to authorization service (embedded?)
 Data node Integration
  - Callback to authorization service
  - Do we need to push attributes?
  - GridFTP authorization callout can be used
 Product services Integration
  - Access through portal
     Token based authorization
  - Direct user access
     Not relevant for now
     Define transition path for post-test bed

39 Security Configuration for Deployment
 OpenID Identity Providers:
  - Attribute service endpoint
  - White-list of SPs
 OpenID Service Providers:
  - White-list of IdPs
  - Authorization (and Attribute) service endpoints
 MyProxy server:
  - CA and CRLs
  - Attribute service endpoint
 PKI Service Providers:
  - MyProxy server endpoint
  - CA and CRLs
  - Authorization service endpoints
 PKI Clients:
  - MyProxy Server endpoint and bootstrap trust-root
  - VO's CAs and CRLs

40 Attribute and Metadata Replication Breakout Session

41 Attribute and meta data replication
 Meta data replication service
  - Search meta data replication
  - If gateway serves multiple VOs
 No replication
  - Remote query
     Performance issues
     Partial search results
 Database based replication
  - No gateway dependency
  - Replication Service (ISI)

42 Attribute and meta data replication
 Security meta data
  - Replicate user membership and resource authz policies
  - Metrics reporting issues
  - Exchange all information except user credentials
  - Explore JMS as solution
  - Event driven system
  - Transaction based system
  - Eliminates gateway dependency