Frascati, 2-3 July 2008 Slide 1 User Management compliance testing for G-POD HMA-T Phase 2 KO Meeting 2-3 July 2008, Frascati Andrew Woolf, STFC Rutherford.


Slide 1: User Management compliance testing for G-POD
HMA-T Phase 2 KO Meeting, 2-3 July 2008, Frascati
Andrew Woolf, STFC Rutherford Appleton Laboratory
Presented by Pedro Gonçalves, Terradue Srl.

Slide 2: HMA-T
- Background to G-POD User Management
- Objectives
- ITT and Proposal information
- Open Issues

Slide 3: ESA G-POD Infrastructure
- Computing and Storage Elements
  - + 200 Working Nodes, +120 TB on-line store
  - Middleware: LCG 2.6, GLOBUS 4, gLite3
  - Links to external CE and SE (e.g. campus, EGEE…)
- Data Interfaces
  - GS products Rolling Archives (ENVISAT, MSG) and MODIS NRT products over Europe
  - NASA and other external data providers
- Software resources on-line
  - IDL, Matlab, BEAT, BEAM, BEST, CQFD, Compilers, public domain image processing utilities
  - Spatial Catalogue access (e.g. EOLI) and data provision functions
- Web portal and web services access powered by gridify, maintenance and evolution under Terradue responsibility

Slide 4: G-POD User Management
- Based on the Grid Security Infrastructure (GSI)
  - Secure communications between elements of a computational Grid
  - Security across organizational boundaries (without a centrally managed security system)
  - User's "single sign-on", including delegation of credentials for computations that involve multiple resources and/or sites
- GRID technology develops a comprehensive infrastructure to handle common issues:
  - Security and "single sign-on" with X.509 certificates
  - Cross-community workgroup formation: "Virtual Organizations"
  - Dynamic discovery and utilization of shared resources and services
  - Location transparency (of users, computing resources, data etc.)
  - Workload scheduling and load-balancing
  - Accounting, auditing and traceability

Slide 5: G-POD Web Portal Interface
- Temporal/spatial selection of products
- Job definition, submission and live status monitoring
- Specific result visualization interfaces
- Access to output products and documentation

Slide 6: G-POD Web Service

Slide 7: Objectives
- WP 4000: HMA User Management for G-POD
  - Objective: Improve the harmonization of the authentication and authorization approaches between HMA and G-POD
- WP 4300: Conformance testing
  - Objective: Demonstration of conformance to HMA User Management specification (07-118r1)
- User management (07-118r1) conformance clause empty
  - Potential additional objective: Propose conformance clause for User Management specification

Slide 8: ITT and Proposal Information
- 07-118r1 (User management)
- Approach:
  - Abstract Test Suite
    - conformant to ISO 19105
    - basis for updated Conformance Clause in 07-118r1
  - Evaluate the Possibility of Executable Test Suite
    - for execution in CITE TEAM Engine
  - Test data and Test Report
    - developed against G-POD implementation of User Management
  - Support

Slide 9: Abstract Test Suite
- Follow ISO 19105 and template recommended by OWS-5
- Covering key clauses in 07-118r1
  - authentication, authorisation, WS-Security (encryption, digest / signature, SAML, interface)

Slide 10: Executable Test Suite
- SoW I18.5.1 – Develop, deliver and deploy CITE conformance test scripts (for 07-118r1)
- Acceptance Test Plan to verify ATS (SoW I15)
- ETS developed against ATS
- Evaluate the possibility of execution within ESA's CITE TEAM Engine
- Using Compliance Test Language (CTL, 06-126)

Slide 11: Test data and Report
- Preparation of ancillary test data
  - schema files, authentication credentials, public/private keys, etc.
- Test plan validation report executed against G-POD User Management interface
  - Prototype deployed on Terradue G-POD development platform

Slide 12: Support
- Support for the possible use of test suite against other implementations
  - e.g. SSE Toolbox
  - note SSE Toolbox gateway to G-POD already implemented in previous work

Slide 13: Initial thoughts on relevant clauses of 07-118r1
- WS-Security (cl. 6.4.6)
  - Encryption/decryption of SAML token by authentication service (cl. 6.4.1)
  - Message digest and digital signature (cl. 6.4.2)
- Authentication
  - Four cases outlined in 07-118r1 for federated identity management (cl. 6.4.3.1-6.4.3.4)
  - For G-POD, federating entity is the same as Identity Provider
- Authorisation workflow
  - Issues Service Request invocation to target service with SAML token, enforced at Policy Enforcement Point (cl. 6.4.4)

Slide 14: Initial thoughts on relevant clauses of 07-118r1
- SAML Profile
  - check token format against WS-Security spec (cl. 6.4.5)
- Interface
  - Authenticate operation (cl. 7.1)
    - e.g. encoding of request (cl. 7.1.2), response (cl. 7.1.3), failure (cl. 7.1.4)
  - Service Request operation (cl. 7.2)
    - i.e. enforcing authorisation at PEP, invoking target operation
    - check encoding of request (cl. 7.2.1) and invocation failure (cl. 7.2.3)

Slide 15: Issues / Risks
- 07-118r1 – no conformance clauses specified, foreshadowed extension of conformance tests for Cataloguing (06-131), Ordering (06-141), Programming (07-018)
  - proposal addresses 07-118r1 conformance separate from above HMA specs
- 07-118r1 SOAP-based but SOAP/WSDL support identified as future work for CITE TEAM Engine

Slide 16: Issues / Risks
- Access to deployments of ESA CITE TEAM Engine and G-POD User management interface (based at development site)
- User Management Service Request invocation to G-POD different from {Cataloguing, Ordering, Programming} – extensibility of test scripts to other User Management interfaces?
- No federated Identity Management scenario

