
Slide 1 (6/26/2016, META ACCESS MANAGEMENT SYSTEM)
MAMS & the Identity and Access Management (IAM) Suite: A Shibboleth-Based VO for eResearch
Neil Witheridge, Meta Access Management System (MAMS) Project Manager, Macquarie E-Learning Centre of Excellence (MELCOE), Macquarie University

Slide 2: Topics
- Shibboleth, ShARPE, XACML overview
- MAMS project update
- MAMS Testbed Federation
- Australian HE eResearch infrastructure
- Shib-based VO for eResearch: IAM Suite
  - IAM Suite Requirements
  - IAM Suite Architecture
- Australian Access Federation
- Flash/Live Demo

Slide 3: Shibboleth Federation
Federation entities:
- Service Provider: provides services accessible via the web; wants to focus on core business and avoid the risks of managing users' confidential information.
- Federation Manager: agreements, policies, auditing, WAYF (?).
- Agent (User): belongs to an organisation which manages their identity; has privacy concerns.
- Identity Provider: secure identity management is a core business requirement.

Slide 4: Shib Architecture View - Authentication
Entities: User X, Identity Provider, WAYF, Service Providers SP A and SP B. The Identity Provider manages User X's 'identity', including 'attributes' (her name, affiliation, role, department ...).
1. User X accesses SP A.
2. WAYF: "Where are you from?"
3. User X authenticates at her Identity Provider.

Slide 5: Shib Architecture View - Access
4. Redirect the (authenticated) user back to the Service Provider with an 'opaque' user handle.
5. SP A requests user attributes.
6. The IdP provides user attributes, subject to its Attribute Release Policy for SP A.
7. SP A decides what the user can access based on the attributes.
Shibboleth implements SAML, the Security Assertion Markup Language (an OASIS standard); SAML provides for secure transfer of user attributes.

Slide 6: Shib Architecture View - Single Sign On
Within an authenticated session, SSO to other service providers in the Federation (uses session cookies).
1. User X (already authenticated) accesses SP B.
2. IdP: "I know you!" - no re-authentication required.
3. Redirect the authenticated user back to the Service Provider with an 'opaque' user handle.
4. SP B: "Gimme attributes."
5. IdP: "You can have these" - Attribute Release Policy for SP B for User X.
6. SP B decides what the user can access based on attributes. SSO!

Slide 7: Shib Architecture View - look, no WAYF!
Log into your institution's portal; this logs you into your IdP via your institution's WebSSO mechanism.
1. Access a Federation Service via the portal - IdP: "I know you!"
2. Redirect the user to the Service Provider with an 'opaque' user handle.
3. SP: "Gimme attributes."
4. IdP: "You can have these."
The SP decides what the user can access based on attributes. SSO! Hence no need for the WAYF to get involved.

Slide 8: Shibboleth Protocol revisited
Shibboleth handshake message flow (10 + n steps), showing:
- SSL (IdP_SSL, WAYF_SSL, SP_SSL certs issued by a Federation-agreed CA)
- SAML assertion XML signatures (IdP_SAML and SP_SAML certs)
- Session (in-memory) cookies: SP:ShibState, WAYF:SelectedIdP, IdP:AuthState, SP:ShibSession
Participants: User Agent (Browser), Service Provider, WAYF, Identity Provider.
1. Browser (GET) https://SP/protected_resource [SSL: local CA cert validates SP_SSL_Cert]. SP responds: (Redirect to) https://SP/shibboleth-login.
2. Browser (GET) https://SP/shibboleth-login [SSL: local CA cert validates SP_SSL_Cert]. SP responds: Set-Cookie SP:ShibState; (Redirect to) https://WAYF?SP:AttributeConsumerService&timestamp1&SPTarget=https://SP/shibboleth-login&SP:providerId.
3. Browser (GET) https://WAYF?SP:AttributeConsumerService&timestamp1&SPTarget=https://SP/shibboleth-login&SP:providerId [SSL: local CA cert validates WAYF_SSL_Cert; Cookie: SP:ShibState]. WAYF responds: FORM with list of IdPs, submit target https://WAYF.
4. Browser (GET) https://WAYF?AttributeConsumerService&SPTarget=https://SP/shibboleth-login&SP:providerId&timestamp2&action=selection&https://IdP_SSO_Service&cache=session [SSL: local CA cert validates WAYF_SSL_Cert; Cookie: SP:ShibState]. WAYF responds: Set-Cookie WAYF:SelectedIdP; (Redirect to) https://IdP_SSO_Service?SPTarget=https://SP/shibboleth-login&SP:AttributeConsumerService&SP:providerId&timestamp3.

Slide 9: Shibboleth Protocol revisited (cont'd)
Participants: User/Browser, Service Provider, Identity Provider.
5. Browser (GET) https://IdP_SSO_Service?SP:AttributeConsumerService&SPTarget=https://SP/shibboleth-login&SP:providerId&timestamp3 [SSL: local CA cert validates IdP_SSL_Cert; Cookies: SP:ShibState, WAYF:SelectedIdP]. IdP responds: Login Form for the IdP Authentication Service*, submit target https://IdP_AuthService. (*The Authentication Service is not part of Shibboleth.)
6. Browser (POST) https://IdP_AuthService with the authentication form field values [SSL: local CA cert validates IdP_SSL_Cert; Cookies: SP:ShibState, WAYF:SelectedIdP]. IdP Authentication Service responds: Set-Cookie IdP:AuthStatus; (Redirect to) https://IdP_SSO_Service?SPTarget=https://SP/shibboleth-login&SP:AttributeConsumerService&SP:providerId&timestamp3.
7. Browser (GET) https://IdP_SSO_Service?SPTarget=https://SP/shibboleth-login&SP:AttributeConsumerService&SP:providerId&timestamp4 [SSL: local CA cert validates IdP_SSL_Cert; Cookies: SP:ShibState, WAYF:SelectedIdP, IdP:AuthStatus]. IdP responds: form with hidden fields, including the User Handle as a SAML assertion with an XMLSig using IdP_SAML, submit target https://SP_ACS/POST. The form is auto-submitted if JavaScript is enabled; otherwise a manual submit is required.
8. Browser (POST) https://SP_ACS/POST with the hidden field containing the XMLSig'd SAML assertion carrying the User Handle [SSL: local CA cert validates SP_SSL_Cert; Cookies: SP:ShibState, WAYF:SelectedIdP, IdP:AuthStatus]. SP responds: Set-Cookie SP:ShibSession; (Redirect to) https://SP/shibboleth-login. (The SAML assertion is 'consumed'; the User Handle is passed to the Shibboleth daemon (shibd), which then issues an 'out-of-band' or 'back-channel' attribute request to the IdP using the User Handle.)

Slide 10: Shibboleth Protocol revisited (cont'd)
Participants: User Agent (Browser), Service Provider, Identity Provider.
9. Browser (GET) https://SP/shibboleth-login [SSL: local CA cert validates SP_SSL_Cert; Cookies: SP:ShibState, WAYF:SelectedIdP, IdP:AuthStatus, SP:ShibSession]. SP responds: (Redirect to) https://SP/protected_resource.
10. Browser (GET) https://SP/protected_resource [SSL: local CA cert validates SP_SSL_Cert; Cookies: SP:ShibState, WAYF:SelectedIdP, IdP:AuthStatus, SP:ShibSession]. SP responds: Protected Resource home page.
n. Out of band (SP <-> IdP):
- SAML REQUEST, SP -> https://IdP_AttributeAuthority: request for the user attributes corresponding to the User Handle, with an XMLSig using SP_SAML_Cert.
- SAML RESPONSE, IdP -> https://SP_AttributeConsumerService: user attributes returned as SAML assertions with an XMLSig using IdP_SAML_Cert. The attributes returned are those corresponding to the user designated by the User Handle and permitted to be released according to the Attribute Release Policies.
- The received attributes are provided to the protected resource's "resource manager" component, which determines access.

Slide 11: Shibboleth Security Features
- PKI certificates (mutual authentication for IdP-SP message transfers)
- SSL/TLS (transport layer security)
- XMLSignature and XMLEncryption for protecting SAML assertions (message layer security), with time-stamping
- SAML assertions from a trusted IdP are the basis for conveying user authentication (user handle)
- Session cookies for HTTP state management; these provide the Single-Sign-On capability
- IP address checking for protection against cookie theft and session hijacking (with NAT/proxy limitations, however)
- Metadata protection: Federation metadata embodies the trust relationships
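The handshake on slides 8-10 and the checks listed on slide 11 can be walked through end to end in a small simulation. The following is an added example written for this transcript, not code from the MAMS project or from Shibboleth. It assumes a stand-in for the XML signature (an HMAC over the assertion, keyed with what plays the part of the IdP_SAML key, with the SP's copy of that key standing in for federation metadata), constructed hostnames, one constructed user, and an attribute release policy that never releases the phone number. It shows the SP:ShibState and SP:ShibSession cookies, the opaque handle, the assertion validity window and audience checks at the Assertion Consumer Service, and shibd's back-channel attribute query.

```python
import hashlib, hmac, json, secrets, time

SP_ID = "https://sp.example.edu/shibboleth"   # constructed SP providerId
ASSERTION_TTL = 300                            # seconds between NotBefore and NotOnOrAfter


def sign(payload, key):
    """Stand-in for the XMLSig over a SAML assertion: HMAC-SHA256 over canonical JSON."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class IdentityProvider:
    def __init__(self, entity_id, users, release_policy):
        self.id = entity_id
        self.key = secrets.token_bytes(32)   # plays the part of the IdP_SAML signing key
        self.users = users                   # constructed directory; real authN is outside Shibboleth
        self.arp = release_policy            # attribute release policy: SP providerId -> attribute names
        self.handles = {}                    # opaque handle -> username, never shown to the SP

    def sso(self, username, password, sp_id, now):
        """Steps 5-7: authenticate, mint an opaque handle, return the signed handle assertion."""
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user["password"], password):
            raise PermissionError("authentication failed")
        handle = secrets.token_hex(16)
        self.handles[handle] = username
        assertion = {"Issuer": self.id, "Audience": sp_id, "handle": handle,
                     "NotBefore": now, "NotOnOrAfter": now + ASSERTION_TTL}
        return assertion, sign(assertion, self.key)

    def attribute_query(self, sp_id, handle):
        """Back-channel attribute authority (step n): resolve the handle, apply the ARP for this SP."""
        user = self.users[self.handles[handle]]
        allowed = self.arp.get(sp_id, ())
        return {k: v for k, v in user["attributes"].items() if k in allowed}


class ServiceProvider:
    def __init__(self, metadata):
        self.metadata = metadata   # federation metadata: IdP entityId -> trusted IdP (key and AA endpoint)
        self.state = {}            # SP:ShibState cookie -> originally requested target
        self.sessions = {}         # SP:ShibSession cookie -> released attributes

    def start_login(self, target):
        """Steps 1-2: remember the target under SP:ShibState before sending the user to the WAYF."""
        state = secrets.token_hex(8)
        self.state[state] = target
        return state

    def consume(self, shib_state, assertion, signature, now):
        """Step 8 (Assertion Consumer Service): validate, then fetch attributes out of band."""
        if shib_state not in self.state:
            raise ValueError("unknown ShibState")
        idp = self.metadata.get(assertion["Issuer"])
        if idp is None or not hmac.compare_digest(sign(assertion, idp.key), signature):
            raise ValueError("untrusted issuer or bad signature")
        if not assertion["NotBefore"] <= now < assertion["NotOnOrAfter"]:
            raise ValueError("assertion outside its validity window")
        if assertion["Audience"] != SP_ID:
            raise ValueError("assertion not intended for this SP")
        attrs = idp.attribute_query(SP_ID, assertion["handle"])   # shibd's back-channel request
        session = secrets.token_hex(8)                             # becomes the SP:ShibSession cookie
        self.sessions[session] = attrs
        return session, self.state.pop(shib_state)


# Constructed federation: one IdP, one SP, one user; the phone number is never released.
USERS = {"userx": {"password": "correct horse", "attributes": {
    "eduPersonAffiliation": "staff", "mail": "userx@example.edu", "telephoneNumber": "+61-0-0000-0000"}}}
IDP = IdentityProvider("https://idp.example.edu/shibboleth", USERS,
                       {SP_ID: ["eduPersonAffiliation", "mail"]})
SP = ServiceProvider({IDP.id: IDP})


def run_handshake(username, password, audience=SP_ID, delay=0):
    """Drive the whole exchange; `delay` shifts the SP's clock to exercise the timestamp check."""
    now = time.time()
    state = SP.start_login("https://sp.example.edu/protected_resource")
    # Steps 3-4 (WAYF): the user picks IDP; the WAYF:SelectedIdP cookie would remember the choice.
    assertion, signature = IDP.sso(username, password, audience, now)
    session, target = SP.consume(state, assertion, signature, now + delay)
    return SP.sessions[session], target


def attempt(**kwargs):
    """Report either the released attributes or the reason the exchange was rejected."""
    try:
        return "ok", run_handshake(**kwargs)[0]
    except (PermissionError, ValueError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    print(attempt(username="userx", password="correct horse"))
```

The SP never learns the username: it sees only the handle, and the attributes it receives are whatever the IdP's release policy permits for that providerId. An expired assertion or one issued for a different audience is rejected at the consumer service before any attribute query is made.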

Slide 12: MAMS Shibboleth Add-ons: ShARPE & Autograph
What personal attributes am I willing to share with others...

Slide 13: Attribute Release Policies
When I visit an SP, how do I present myself? Three example 'cards':
- Card 1: Reference #123456, Staff at Macquarie Uni
- Card 2: Erik Vullings, Staff at Macquarie Uni
- Card 3: Erik Vullings, Erik@mq.edu.au, Staff at Macquarie Uni, +61-(0)2-9850.6537, MQ

Slide 14: Different cards open different doors - Attributes give access to Features
- Card 1 (Reference #123456, Staff at Macquarie Uni): enables access to the repository
- Card 2 (Erik Vullings, Staff at Macquarie Uni): allows me to rank material
- Card 3 (Erik Vullings, Erik@mq.edu.au, Staff at Macquarie Uni, +61-(0)2-9850.6537, MQ): allows me to add comments

Slide 15: Admin tool: ShARPE (screenshot)

Slide 16: ShARPE - attribute mapping (screenshot)

Slide 17: Download via NSF's National Middleware Initiative (NMI) release

Slide 18: Different cards open different doors - Services & Service Level (screenshot)

Slide 19: Different cards open different doors - Services & Service Level (screenshot, cont'd)

Slide 20: Adding Personal Attributes
Other examples: accessibility info (colorblind, blind)

Slide 21: Autograph in the Shibboleth cycle (mockup)
User choices when an SP asks for attributes: Accept once / Accept always / Deny

Slide 22: A Brief Look at Authorization
- Leverage federated authN using SAML assertions about users
- Combine with XACML policies: SUBJECT does ACTION on RESOURCE
- Different policies, containing different rules
- Use XACML for RBAC (role-based access control) and for protecting resources

Slide 23: XACML in Action
Components: Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Access Point (PAP), Policy Information Point (PIP).
Request: JOE wants to EDIT the POLICY PLAN.
1. The PEP creates an XACML request and sends it to the PDP.
2. The PDP retrieves policies (from the PAP).
3. The PDP retrieves information (from the PIP).
4. The PDP responds with Permit/Deny/Obligation, which the PEP enforces.

Slide 24: Access Control with XACML
Request: JOE wants to EDIT the POLICY PLAN.
Structure: Policy Set (Policy Comb. Alg.) > Policy (Rule Comb. Alg.) > Rule; a Target (Subject, Action, Resource) applies at each level, and a Rule has a Condition, an Effect and optionally an Obligation.
- Target: Subject @mq.edu, Action Any, Resource Policy Plan
- Rule: Condition Staff member, Effect Permit
- Obligation: Show copyrights (if any) - the user responds "I accept the copyrights"
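To make the PEP/PDP/PAP/PIP flow of slide 23 and the policy structure of slide 24 concrete, here is an added example for this transcript: a toy XACML-style engine, not an XACML implementation and not MAMS code. The policy set, the PIP contents (standing in for attributes that arrived in the SAML assertion), the subject names and the two combining algorithms are all constructed; it evaluates "JOE wants to EDIT the POLICY PLAN" against the slide's target, rule and obligation, and shows what a student and an outsider get instead.

```python
# PIP: attributes not carried in the request itself, e.g. what the SAML assertion said about the user.
PIP = {"joe": {"affiliation": "staff", "domain": "mq.edu"},
       "ann": {"affiliation": "student", "domain": "mq.edu"}}

# PAP: the policy set from slide 24. Targets map attribute -> set of allowed values, or "*" for Any.
POLICY_SET = {
    "target": {"resource": {"policy-plan"}},
    "combining": "deny-overrides",
    "policies": [{
        "target": {"subject.domain": {"mq.edu"}, "action": "*"},
        "combining": "first-applicable",
        "rules": [
            {"condition": lambda ctx: ctx.get("subject.affiliation") == "staff",
             "effect": "Permit", "obligations": ["show copyrights"]},
            {"condition": lambda ctx: True, "effect": "Deny", "obligations": []},
        ],
    }],
}

NOT_APPLICABLE = ("NotApplicable", [])


def build_context(subject, action, resource):
    """The PEP builds the request; the PDP enriches it with attributes from the PIP."""
    ctx = {"subject": subject, "action": action, "resource": resource}
    for name, value in PIP.get(subject, {}).items():
        ctx["subject." + name] = value
    return ctx


def matches(target, ctx):
    return all(allowed == "*" or ctx.get(attr) in allowed for attr, allowed in target.items())


def combine(decisions, algorithm):
    """Combining algorithms: first-applicable takes the first applicable decision;
    deny-overrides returns Deny if any decision is Deny, otherwise Permit, collecting obligations."""
    applicable = [d for d in decisions if d[0] != "NotApplicable"]
    if not applicable:
        return NOT_APPLICABLE
    if algorithm == "first-applicable":
        return applicable[0]
    denies = [d for d in applicable if d[0] == "Deny"]
    chosen = denies or applicable
    return chosen[0][0], [ob for d in chosen for ob in d[1]]


def evaluate_policy(policy, ctx):
    if not matches(policy["target"], ctx):
        return NOT_APPLICABLE
    decisions = [(rule["effect"], rule["obligations"]) if rule["condition"](ctx) else NOT_APPLICABLE
                 for rule in policy["rules"]]
    return combine(decisions, policy["combining"])


def pdp(subject, action, resource):
    """Policy Decision Point: evaluate the policy set and return (decision, obligations)."""
    ctx = build_context(subject, action, resource)
    if not matches(POLICY_SET["target"], ctx):
        return NOT_APPLICABLE
    return combine([evaluate_policy(p, ctx) for p in POLICY_SET["policies"]], POLICY_SET["combining"])


def pep(subject, action, resource):
    """Policy Enforcement Point: grant only on Permit, and return the obligations it must discharge."""
    decision, obligations = pdp(subject, action, resource)
    return {"granted": decision == "Permit", "decision": decision, "obligations": obligations}


if __name__ == "__main__":
    print(pep("joe", "edit", "policy-plan"))
```

Note that the PEP treats anything other than an explicit Permit (Deny as well as NotApplicable) as a refusal, and that an obligation travels with the decision: the copyright notice is shown because the Permit rule carries it, not because the PEP knows anything about copyrights.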

Slide 25: MAMS Project Update: delivered
- Shibbolized applications: DSpace, Fedora, Zope/Plone, Twiki, Moodle...
- Authenticated Federated Search service
- Access control using XACML (Fedora repository)
- MAMS Testbed Federation (Levels 1, 2, 3)
- Federation Manager
- Shibboleth IdP Easy Installation CD (Knoppix)
- ShARPE: Shib Attribute Release Policy Editor
- Autograph: configure your personal idCard

Slide 26: MAMS deliverables (cont'd)
- Online Librarian: Shibboleth-protected instant messaging (and generic helpdesk application)
- Shibbolized GridSphere portal → Virtual Organization Infrastructure (IAM Suite)
- Shibbolized MyProxy → access to Grid services
- Authentication State Manager (ASM) and Delegated Attribute Retriever (DAR)
- Roadshows and workshops for Australian HE
- MiniGrant Scheme (Rounds 1 and 2)
- Debian Linux VMware IdP/SP

Slide 27: Testbed Federation (~700,000 IDs)
Level-2: 10 Service Providers, 9 Identity Providers

Slide 28: Federation Status (cont'd)
Level-1 (non-MAMS): 27 Service Providers, 25 Identity Providers
* Members marked on the slide are expected to migrate to Level-2 as a result of MiniGrant-funded work.

Slide 29: Federation Status (cont'd) - MAMS Testbed Federation Level-1 membership (cont'd)
44 Service Providers, 24 Identity Providers (MAMS development IdPs and SPs are NOT SHOWN)
* Members marked on the slide are expected to migrate to Level-2 as a result of MiniGrant-funded work.

Slide 30: MAMS Mini-Grant Program (~AUS$40k per project)
Round 1 (Feb 2006):
- AARNet: IdP, ENUM SP
- Griffith: IdP, Wiki SP
- QU: IdP, Fedora (Fez) SP
- QUT: ATN IdP, eGrad School SP
- USYD: IdP, NANO data SP
Round 2 (Jul 2006):
- Deakin: IdP, e-Lectures SP
- JCU: IdP, AIMS data (SRB & Plone)
- Melbourne: IdP, LIGO data SP
- Monash: IdP, Shib SRB SP
- Murdoch: IdP, Online Librarian SP
- Curtin/Edith Cowan (WAGUL): 5 IdPs, Reciprocal Borrowing SPs

Slide 31: Aust. HE Research Infrastructure
Federal Government (DEST) investment:
- (2001-2006) Backing Australia's Ability - An Innovation Action Plan for the Future (AUS $3bn)
  - SII (Systemic Infrastructure Initiative)
    - FRODO (Federated Repositories of Digital Objects) AUS $12m (included MAMS)
    - MERRI (Managed Environments for Research Repositories) AUS $19
- (2006-2012) Backing Australia's Ability - Building our Future through Science and Innovation (AUS $5.3bn)
  - NCRIS (National Collaborative Research Infrastructure Strategy) (AUS $540m)
    - PfC (Platforms for Collaboration) AUS $75m

Slide 32: VOs for eResearch in Australian HE
- It is anticipated that many of the NCRIS-funded projects (AUS $540m) will involve HE institutions engaging in inter-institutional collaborative eResearch.
- VOs will be established in order to facilitate this collaboration.

Slide 33: VO Management Issues
- Significant time spent on establishing and administering VO infrastructure - less time for the core business of research
- Reliance on open-source tools (cost sensitivity, avoiding vendor lock-in, desire/requirement to access source code to understand and modify tools)
- OS tool integration is difficult - disparate IAM mechanisms, poor or no external access to configuration data and/or application state data

Slide 34: Solution: IAM Suite
- Development of a secure portal-based VO infrastructure enabling integration of collaboration tools (portlets, standalone applications) using Shibboleth/SAML as the common IAM mechanism, integrating with Grid services via MyProxy.
- Federation + VO-specific attributes used to access VO 'internal' services (which may be distributed across member institutions)
- Release as open-source software, architected to enable the user community to contribute tools
- Potential to influence the design of new OS collaboration tools to facilitate integration

Slide 35: Requirements Analysis
Consider actors and use-cases.
Actors: Principal Investigator, Project Leader, eResearcher, Software Developer, Librarian, System Administrator, Steering Committee members, Funding body, Equipment or service manager/owner, University Staff, University Students, Industry

Slide 36: UseCase Examples - VO Setup by Principal Investigator
- PI determines the need for a VO, the tools required, the initial structure (groups, workspaces) and content. Defines the initial set of roles and privileges.
- Requests VO setup, providing the VO spec to the SysAdmin and the initial content list to the Librarian...
- PI will become the VO administrator

Slide 37: UseCase Examples - VO Setup (System Administrator)
- Based on the VO spec from the PI, installs the VO (either locally or hosted); selects the initial set of tools, implements the initial structure (groups, workspaces) and the initial set of roles and privileges.
- Configures service authorisation
- Configures VO 'middleware': MyProxy server, people-picker, delegated attribute retriever

Slide 38: UseCase Examples
VO Setup (Principal Investigator):
- PI invites initial members, assigns high-level tasks, populates groups, delegates administration of workspaces...
VO Setup (Librarian):
- Librarian populates the VO with initial content, with content protection applied by virtue of the workspace into which it is entered.

Slide 39: UseCase Examples - VO Usage by VO Members
- Receive email invitation, log in, view task descriptions, provide feedback to PI...
- Collaborate using available VO services:
  - collaborative apps, e.g. wiki, info repository, CMS
  - integrated Grid services
- Use comms tools (presence indicator, instant messaging, desktop video conferencing...)
- Create artifacts and store them in the VO local repository or institutional repository
- Personalise the work environment (RSS feeds)

Slide 40: UseCase Examples - As required (by workspace administrators)
- Add new services, configure authorization of services
- Invite new members, create sub-groups and sub-workspaces, define new roles and privileges.

Slide 41: IAM Suite - Federation Architecture + IAM Suite (diagram)
- Federation level - Federation Services: WAYF, CA (?), MyProxy server
- Institutions level: IdP1@UQ, IdP2@UTS, ... IdPn@MQ; institutional services such as IR, CMS
- Virtual Org. level (intra-institution, eResearch project): VO Portal, VO IdP, MyProxy client, Gateway (CTS), SP: Wiki, SP: Forum, SP: CMS, GTK: Grid, GTK: HPC, GTK: Store

Slide 42: Another view (IAM Suite diagram)
- GridSphere portal with Federation SP, GroupModule, VO-IdP, VO-WAYF, AuthN, IM, Search
- Fedora (internal or external, e.g. IR) with FedoraWeb; Forum; LMS; Wiki; etc., each as a VO-SP
- Middleware: ShARPE, OpenLDAP, Presence, PeoplePicker, Calendar, MyProxy, AuthZ Mgr, AFS adaptor
- GTK (Grid toolkit) services: Storage, Specific tools, Cluster, Equipment
- Flows: login via IdP; receive assertions; receive proxy cert.; "possibility for collaboration" between the Federation and the IAM Suite

Slide 43: Authorisation
- Authorisation of VO services generally depends on internal authZ mechanisms
- Typically adopt role-based access control (RBAC)
- IAM Suite: VO AA attribute-sets mapped to roles
- In future, XACML and attribute-based access control are likely to be used
- Ideally, services will have a modular, pluggable authZ architecture
- XACML authZ modules and policy editors are currently being developed

Slide 44: IAM Suite Technical Challenges
- VO feature set - a 'one size fits all' solution
- Common approach to shibb'ing OS tools
- Modular and pluggable architecture enabling integration of new tools into the suite
- Proxy certificate administration
- Issues confronting Shibboleth apply (n-tier delegation, distributed identity, federation peering... all tractable)

Slide 45: IAM Suite & myVocs
- Goals similar to myVocs
- Portal + middleware + applications are integrated to create a secure work environment for conducting eResearch; attributes are used to generate a proxy certificate via MyProxy.
- In addition to typical Grid features (e.g. Globus integration via MyProxy, GridFTP, etc.), will provide a wide range of web-based tools (such as document and data repositories, forums, wikis, instant messaging, etc.) via Shibboleth integration.
- Convergence opportunities under investigation

Slide 46: Australian Access Federation
- Based on the MAMS work (establishing Shibboleth federations) and the eSecurity project (establishing a root CA for Australian HE), funding has been approved to establish the Australian Access Federation (AAF).
- Possible infrastructure (MAMS proposal), including a role for the VO Portal: next slide.

Slide 47: Australian Access Federation (proposed infrastructure diagram)
- External Federations
- National Data Centres (GUI), National Computing Centres (GUI), Research Specific Tools 1, 2, 3, 4 ... n
- IdP1@UQ, IdP2@UTS, ... IdPn@MQ
- Federation services: WAYF, MyProxy, CA, PP
- VO Portal: AAA, Wiki, CMS, Grid, RTC, RSS, Groups, Calendaring, ...

Slide 48: MAMS View on eResearch IAM...
- SAML and PKI are complementary parts of a common 'trust fabric'
- PKI for server-server authentication and secure transport
- Federated IAM for human-server authentication
- SAML for dynamic attribute transfer, enabling RBAC (-> ABAC)
- "Best fit" access control - ultimately XACML, to take full advantage of SAML

Slide 49: Conclusion
- IAM Suite is a real-world VO management toolkit, bringing together Grid/PKI and Shib/Web tools in a single, easy-to-use system.
- Strong interest in using IAM Suite in the Australian Access Federation - it could be one of the key drivers of widespread AAF adoption.
- Strong interest in current federation projects related to collaborative eResearch - these will deliver implementation experiences and drive refinements over the next 6 months.

Slide 50: IAM Suite Target Demo Environment - Shib-based eResearch VO on the MAMS Testbed Level-1 Federation (diagram)
Hosts: federation.org.au (Federation Mgr / WAYF), dev1.mams.org.au, dev2.mams.org.au, dev3.mams.org.au, dev3vo.mams.org.au, vosp1.mams.org.au, vosp2.mams.org.au, vosp3.mams.org.au
Components: SRB Server, MyProxy (+CA), ASM, PeoplePicker, IdP*, Fedora IR, SRB Datastore, OpenIdP, DSpace IR, VO Portal (+DAR), VO AA (Shib IdP), Wiki (Twiki), CMS (Plone), Version Ctrl (CVS), Defect DB (Bugzilla), Calendar (Bedework), Project Mgmt (tbd), Workflow Mgmt (tbd)
Portlets: VO Administration, Informational (e.g. News), Presence Indicator, Instant Messaging, HelpDesk, Fedora IR WebGUI, PeoplePicker client, GridPortlets (Job Submission, FTP Service, SRB client), Calendar portlet, Development diagnostics
Notes: * IdP includes ShARPE/Autograph functionality to manage attribute release policies. Key: Shibboleth SP (marked in the diagram).

Slide 51: Flash/Live Demonstration
Scenario: VO established for the Wheat shipment contamination task force

Slide 52: The End
Questions welcome!

