EMI is partially funded by the European Commission under Grant Agreement RI-261611 Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
Federated Identity for Grid Architects Tom Scavo NCSA
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Lecture 23 Internet Authentication Applications
WSO2 Identity Server Road Map
Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
WebFTS as a first WLCG/HEP FIM pilot
SIM205. (On-Premises) Storage Servers Networking O/S Middleware Virtualization Data Applications Runtime You manage Infrastructure (as a Service)
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Tweaking the Certificate Lifecycle for the UK eScience CA John Kewley NGS Support Centre Manager & Service Manager for the UK e-Science CA
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EMI AAI Strategy & Plans John White / Helsinki Institute of Physics Federated Identity Systems for Scientific Collaborations Workshop , CERN,
WS-Trust Joseph Calandrino Vincent Noël Department of Computer Science University of Virginia February 9, 2004.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
EMI INFSO-RI AAI in EEF Projects John White (Helsinki University) EMI Security Area Leader.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
WS-Trust “From each,according to his ability;to each, according to his need. “ Karl marx Ahmet Emre Naza Selçuk Durna
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
SWEB SWEB Security and Privacy Technologies – Implementation Aspects Venue:SWEB Day in APV, Novi Sad Author(s):Dr. Milan Marković Organisations:MISANU.
EGEE-II INFSO-RI Enabling Grids for E-sciencE The GILDA training infrastructure.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.
Security Token Service (STS) Design & Development Plans Henri Mikkonen / HIP 3 rd EMI All-Hands Meeting , Padova, Italy.
WebFTS File Transfer Web Interface for FTS3 Andrea Manzi On behalf of the FTS team Workshop on Cloud Services for File Synchronisation and Sharing.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Description WS Standards WS-Federation Picture Grid Security GridShib References 2.
Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
Andrew J. Hewatt, Gayatri Swamynathan and Michael T. Wen Department of Computer Science, UC-Santa Barbara A Case Study of the WS-Security Framework.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI TF.
EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Transforming the Existing User Credentials.
Claims-based security with Windows Identity Foundation.
European Middleware Initiative (EMI) – Training Kathryn Cassidy, TCD EMI NA2.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.
AAI needs of the Distributed Computing Infrastructures - CLARIN Dieter Van Uytvanck Max Planck Institute for Psycholinguistics
EMI is partially funded by the European Commission under Grant Agreement RI Common Authentication Library Daniel Kouril, for the CaNL PT EGI CF.
Kipper – a Grid bridge to Identity Federation Andrey Kiryanov.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
Security and Delegation The Certificate Perspective Jens Jensen Rutherford Appleton Laboratory Workshop at NIKHEF, 27 April 2010.
In Vivo Imaging Middleware — Phase 6 Ashish Sharma, Tony Pan, Y. Nadir Saghar.
CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.
Security Area Christoph Witzig (SWITCH) on behalf of John White (HIP)
Argus EMI Authorization Integration
HMA Identity Management Status
Identity Federations - Overview
EMI Interoperability Activities
Introduction How to combine and use services in different security domains? How to take into account privacy aspects? How to enable single sign on (SSO)
Security Token Service (STS) Status Update
Community AAI with Check-In
A Grid Authorization Model for Science Gateways
Check-in Identity and Access Management solution that makes it easy to secure access to services and resources.
Presentation transcript:

EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute of Physics (UH.HIP) EGI Community Forum 2013, April 8-12, 2013 The University of Manchester, U.K.

EMI INFSO-RI Identity federations – National and international (eduGAIN) – De-facto standard is Security Assertion Markup Language (SAML) – Mostly Web-based Non-browser is coming up (e.g. Project Moonshot) Grid middlewares – EMI: ARC, dCache, gLite and UNICORE – User authentication is based on X.509 certificates – Command-line and other non-browser clients Federated Grid Access? 11/04/2013Henri EGI CF 20132

EMI INFSO-RI Grid identity is not just the X.509 certificate – gLite, ARC and dCache use Grid proxies – Grid proxy = End-Entity Certificate (EEC) + (short- lived) proxy certificate + private key Proxy certificate contains VO attributes Grid proxy initialization (voms-proxy-init) – Request VO attributes from VOMS – Attach them into the proxy certificate which is signed by the private key corresponding to EEC – Default lifetime is 12 hours … not just X.509 certificate 311/04/2013Henri EGI CF 2013

EMI INFSO-RI WS-Trust: “STS is a Web service used to issue, renew, validate and cancel security tokens” – Security Token: “A collection of statements (claims) about a user or resource” (WS-Security) Any digital identity that can be attached into a SOAP message – STS establishes a trust relationship between different application / security domains EMI STS implements the ISSUE operation for the supported token formats What is STS? 411/04/2013Henri EGI CF 2013

EMI INFSO-RI S STS Architecture 5 WS-Trust Handler SOAP Client External Source * * * * SECURITY TOKEN SERVICE External Source RST RSTR Plugin AuthN Engine Attribute Decoder Attribute Resolver Token Generator Request Dispatcher 11/04/2013Henri EGI CF 2013

EMI INFSO-RI User knows username/password at his home institute & wants to access a Grid resource SAML to Proxy - Components 6 ComponentCredential inputCredential output Grid resourceGrid Proxy 11/04/2013Henri EGI CF 2013

EMI INFSO-RI User knows username/password at his home institute & wants to access a Grid resource SAML to Proxy - Components 7 ComponentCredential inputCredential output Grid resourceGrid Proxy VOMSX.509 certificateVOMS attributes 11/04/2013Henri EGI CF 2013

EMI INFSO-RI User knows username/password at his home institute & wants to access a Grid resource SAML to Proxy - Components 8 ComponentCredential inputCredential output Grid resourceGrid Proxy VOMSX.509 certificateVOMS attributes Online CACertificate Signing Request (CSR)X.509 certificate 11/04/2013Henri EGI CF 2013

EMI INFSO-RI User knows username/password at his home institute & wants to access a Grid resource SAML to Proxy - Components 9 ComponentCredential inputCredential output Grid resourceGrid Proxy VOMSX.509 certificateVOMS attributes Online CACertificate Signing Request (CSR)X.509 certificate STSSAML assertionGrid Proxy 11/04/2013Henri EGI CF 2013

EMI INFSO-RI User knows username/password at his home institute & wants to access a Grid resource SAML to Proxy - Components 10 ComponentCredential inputCredential output Grid resourceGrid Proxy VOMSX.509 certificateVOMS attributes Online CACertificate Signing Request (CSR)X.509 certificate STSSAML assertionGrid Proxy Home InstituteUsername/passwordSAML assertion 11/04/2013Henri EGI CF 2013

EMI INFSO-RI SAML to Proxy - Components 11 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML assertion SAML TRUST DOMAIN X.509 TRUST DOMAIN Username/password 11/04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 1: Web portal 12 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML TRUST DOMAIN X.509 TRUST DOMAIN Username/password Web portal Browser access SAML AuthnRequest SAML Assertion 11/04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 1: Web portal 13 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML TRUST DOMAIN X.509 TRUST DOMAIN Username/password Web portal Browser access SAML AuthnRequest SAML Assertion -Relatively simple -Uses SAML 2.0 Web SSO Profile -Certificates nor private keys are never stored locally by the user -Requires browser (to some users) -If STS has different SAML entity than portal (as it should), SAML delegation is required 11/04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 2: CLI with ECP profile 14 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML TRUST DOMAIN X.509 TRUST DOMAIN Client tool Local access /04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 2: CLI with ECP profile 15 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML TRUST DOMAIN X.509 TRUST DOMAIN Client tool Local access Client tool initiates the ECP profile 2.STS issues a SAML AuthnRequest 3.User chooses home institute from the list 4.Client tool sends the AuthnRequest to the chosen home institute 5.User writes his username/password 6.Client authenticates the user to his home institute 7.Home Institute Issues SAML assertion 11/04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 2: CLI with ECP profile 16 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML TRUST DOMAIN X.509 TRUST DOMAIN Client tool Local access Client tool initiates the ECP profile 2.STS issues a SAML AuthnRequest 3.User chooses home institute from the list 4.Client tool sends the AuthnRequest to the chosen home institute 5.User writes his username/password 6.Client authenticates the user to his home institute 7.Home Institute Issues SAML assertion -No Web-browser required (to some users) -Supported by Shibboleth Identity Provider (as of version 2.3) -Not widely supported worldwide (a small fraction of the users need the ECP profile) 11/04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 3: CLI with another STS 17 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML assertion SAML TRUST DOMAIN X.509 TRUST DOMAIN Client tool Home Institute & Username password RST(Username&Passwd):SAML 11/04/2013Henri EGI CF 2013

EMI INFSO-RI Use case 3: CLI with another STS 18 Online CA VOMS STS Home Institute STS SOAP Client RST(SAML):Proxy Proxy CSR X.509 certificate Request for attributes VOMS attributes SAML assertion SAML TRUST DOMAIN X.509 TRUST DOMAIN Client tool Home Institute & Username password RST(Username&Passwd):SAML -Simpler than the ECP profile to be implemented -Not widely supported by the open source SAML Identity Provider softwares 11/04/2013Henri EGI CF 2013

EMI INFSO-RI STS is a general purpose service used for transforming security tokens – It can be used in both Web browser and non-Web use cases for enabling Grid access using federated identity – SAML to X.509 & Grid proxy conversion Proxy initialization can be outsourced to STS STS is relatively simple to be integrated – One SOAP message exchange between the client and the STS Summary 1911/04/2013Henri EGI CF 2013

EMI is partially funded by the European Commission under Grant Agreement RI Thank you! STS is a part of the EMI-3 release:

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.