INFSO-RI-031688 Enabling Grids for E-sciencE - II www.eu-egee.org VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
INFSO-RI Enabling Grids for E-sciencE XACML and G-PBox update MWSG 14-15/09/2005 Presenter: Vincenzo Ciaschini.
WP6: Grid Authorization Service Review meeting in Berlin, March 8 th 2004 Marcin Adamski Michał Chmielewski Sergiusz Fonrobert Jarek Nabrzyski Tomasz Nowocień.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Apr 30, 20081/11 VO Services Project – Stakeholders’ Meeting Gabriele Garzoglio VO Services Project Stakeholders’ Meeting Apr 30, 2008 Gabriele Garzoglio.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
March 27, 2006TAGPMA - Rio de Janeiro1 Short Lived Credential Services Profile Tony J. Genovese The Americas Grid PMA DOEGridsATF/ESnet/LBNL.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Voms & Voms-admin report Vincenzo Ciaschini.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security and Job Management.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Identity Management in Open Science Grid Identity Management in Open Science Grid Challenges, Needs, and Future Directions Mine Altunay OSG Security Officer.
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
Oxford University e-Science Centre 1 Managing Access 4 Dec Managing Access to Resources on the Grid 4 December 2002.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
INFSO-RI Enabling Grids for E-sciencE gLite Data Management and Interoperability Peter Kunszt (JRA1 DM Cluster) 2 nd EGEE Conference,
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
INFSO-RI Enabling Grids for E-sciencE EGEE Security Joni Hahkala, UH-HIP On behalf of JRA3 JRA1 AH March 22-24, 2006.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
Ákos FROHNER – DataGrid Security n° 1 Security Group TODO
Enabling Grids for E-sciencE EGEE Applications Registry Current status & latest developments Marios Chatziangelou.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks OpenSAML extension library and API to support.
EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks The Dashboard for Operations Cyril L’Orphelin.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
INFSO-RI Enabling Grids for E-sciencE JRA3 Åke Edlund On behalf of JRA3 EGEE 8th All-activity meeting January 18-19,
INFSO-RI Enabling Grids for E-sciencE GUMS vs. LCMAPS Oscar Koeroo.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Argus gLite Authorization Service Workplan.
Dynamic Accounts: Identity Management for Site Operations Kate Keahey R. Ananthakrishnan, T. Freeman, R. Madduri, F. Siebenlist.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Trygve Aspelien and Yuri Demchenko
WLCG Update Hannah Short, CERN Computer Security.
Shibboleth Roadmap
Tweaking the Certificate Lifecycle for the UK eScience CA
ESA Single Sign On (SSO) and Federated Identity Management
What’s changed in the Shibboleth 1.2 Origin
NSF Middleware Initiative: GridShib
G-PBox: current status and future plans
NSF Middleware Initiative: GridShib
Presentation transcript:

INFSO-RI Enabling Grids for E-sciencE - II VOMS Attributes from Shibboleth (VASH) JRA1 All-Hands meeting Catania 8 March 2007

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 2 Motivation Shibboleth: Grid, yet another resource? –highly attractive (typically for academia) –*but* ‘resource’ protected by different authN/authZ concepts and mechanisms Grid: get/use authZ information from authoritative sources outside of the grid-universe –permitting more granular authorization –decouple management & maintenance responsibilities –common understanding of semantics of authZ info (open issue) Common to both: leverage of existing identity management and allow easy access to grid ‘resource’

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 3 Grid, yet another Shib resource? Phase 1: SLCS service 2.authN 3.handle 4. SAML attributes 1. ‘access’ SAML attributes

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 4 SLCS Service (Status) Presented in Abingdon CP/CPS accredited –Accredited by EuGridPMA – Operation of SLCS TEST CA in test-bed since November – Production infrastructure ready (Online CA, HSM) Admin interface finished –User management (ACL based activation of users etc.) MJRA1.4 document: Todo’s : finish documentation, ETICS integration CP/CPS: Certificate Policy and Certification Practice Statement

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 5 SWITCHslcs: CA Setup

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 6 SLCS Admin

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 7 Consolidation of authZ info Grid: get/use authZ information from authoritative sources outside of the grid-universe –permitting more granular authorization –decouple management & maintenance responsibilities –common understanding of semantics of authZ info (open issue) Consolidate/integrate authZ information provided by different sources (IdPs) –transparent integration of authZ info from ‘non-Grid’ authorization information providers –alternative; explicit awareness of grid resource for external authZ information. –feature since VOMS permitting to define attributes besides user/role/group concept

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 8 VOMS Attributes from Shibboleth Scenario. User already registered on VOMS Note: not anymore Shibboleth attributes, but VOMS attributes ? access visit SAML attributes LCAS Plug-in

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 9 VASH Service

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 10 VASH Key Features transparent integration of Shibboleth attributes in Grid (as VOMS attributes) no changes on existing Grid code…just add plug-ins decoupled administrative domains from point of view of Shibboleth, VASH is just another service (web resource) identity mapping done by user (low admin. burden) no IGTF certificates on Shibboleth IdP no performance penalties Notice: everything VASH puts on VOMS, VASH does also maintain

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 11 VASH Tasks push Shibboleth attributes to VOMS enforce Shibboleth and VOMS conform security standards. enforce up-to-date attributes on VOMS (expiration of records) inform users auditing (to a certain degree) defines set of Shibboleth attributes that can be pushed provide administration facilities ease usage of SLCS certificates (not a task but a goody) Open: SLCS pre-registration feature (work in progress) conversion of attribute names (for common understanding)

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 12 VASH Service Detailed

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 13 VASH Viewer Servlet

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 14 VASH Admin interface(1)

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 15 VASH Admin interface(2)

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 16 VASH Admin interface(3)

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 17 LCAS Plug-in – LCAS plug-in written; currently testing it – ACL xml file – todo: documentation Example: bigBoss master studies unizh.ch staff

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 18 Status Software implementation done, – integration of ‘existing’ SLCS admin features to be done – improve look’n’feel (strutifying viewer servlet) finish testing finish documentation ETICS MJRA1.5 document:

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 19 Questions?

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 20 Attributes sent to VASH swissEduPersonUniqueID: Surname: Flury givenName: Placi swissEduPersonGender: male swissEduPersonHomeOrganization: ethz.ch telephoneNumber: swissEduPersonStudyBranch1: electrical engineering eduPersonAffiliation: student swissEduPersonStudyLevel: master studies

Enabling Grids for E-sciencE VOMS Attributes from Shibboleth (VASH) 21 Attributes pushed to VOMS Need common understanding of attributes given within a federation but inter-federation access (?) In Grid, interpretation of attribute meaning still open issue. Experience in Shibboleth may promote a consens. swissEduPersonHomeOrganization: ethz.ch swissEduPersonStudyBranch1: electrical engineering eduPersonAffiliation: student swissEduPersonStudyLevel: master studies

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.