Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Published byChristina Bond Modified over 7 years ago

Similar presentations

Presentation on theme: "EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph."— Presentation transcript:

1 EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph Witzig, SWITCH MWSG Mar 1, 2007

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 2 Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 3 SWITCHaai Federation

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 4 AAI and Grid in Switzerland Current Status: –Approx. 160’000 (75%) members of the Swiss higher education sector have AAI-enabled accounts –Approx. 10% use SWITCHaai to access about 160 resources on a regular basis No “national” grid infrastructure –Various grid efforts (e.g. LCG Tier 2 center, Swiss Bio Grid, …) Effort underway to launch a national Grid initiative Motivation for enabling interoperability Shibboleth - Grid within EGEE-II

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 5 Shibboleth Mechanism

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 6 Prerequisites Our work is part of EGEE (gLite) Aim to be open for other grid middleware (if possible) Must take deployment into account –existing infrastructure

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 7 Work Plan EGEE-II: –April 2006 - Mar 2008 –Year 1: Phase 1 and 2  Add interoperability by starting “small” with minimal changes to gLite  Decides from the beginning against attribute “pull” –Year 2: Phase 3: Extend SAML to selected grid resources EGEE-III: –Continuation in EGEE-III

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 8 Key Concepts Focus is on –Interoperability (NO replacement for X.509) –Specific for EGEE-2 infrastructure (VOMS etc) –Integrate, re-use, re-engineer existing code, write new code only as needed Key Concepts: –Home institution of the user should be the Identity Provider –Home institution provides some attributes –But VO is needed for (grid specific) attributes

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 9 Overview Phase 1 and 2

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 10 Design Decisions SLCS CA and “VOMS SP” should be independent of each other –Separate Service Providers –Deployed independently SLCS CA should be independent of the Grid middleware VOMS SP should only be dependent on VOMS

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 11 Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 12 SLCS Profile SLCS = short lived credential service IGTF profile Minimum requirements: SLCSX.509 Certificate Certificate is generated based on Identity Management system “traditional” Registration Authority (e.g. passport) Lifetime < 1mio secLifetime < 1 year + 1 month Revocation handling optional Revocation handling

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 13 SWITCHslcs: Operation For the user: from the command line: invisible part of gLite UI (3.1) (can be installed independently) For the RA from web-based admin tool: Can enable or disable individual users (only for his institution) Requirements formulated in CP/CPS Can obtain log information SWITCH: Operates the service Strict access control Operate also a second test CA (everything being installed on the MSCS CA will be tested there first)

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 14 SWITCHslcs Private key is never transferred Use commercial CA and only standard protocols Modular design such that other people can use components Shibboleth attributes determine DN

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 15 SWITCHslcs: CA Setup

16 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 16 Status SLCS Software development is finished MJRA1.4 document: https://edms.cern.ch/document/770102/1 https://edms.cern.ch/document/770102/1 Operation of SLCS TEST CA in test-bed since November –http://www.switch.ch/pki/grid/testhttp://www.switch.ch/pki/grid/test CP/CPS: –Accredited by EuGridPMA –http://www.switch.ch/pki/grid Production CA setup: in progress (RSN)

17 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 17 Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

18 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 18 The Problem Phase 1 ties –AAI authentication to issuance of X.509 certificate\ –AAI attributes are used to construct the DN Phase 2 intends to make AAI attributes available to grid resources for authorization decisions –Which AAI attributes are of interest to grid resource? –How does resource obtain attributes? (pull vs push) –Relation to VO attributes –Deployment issues

19 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 19 Design VASH: –VOMS Attributes from Shibboleth Shibboleth SP –Browser-based –Specific for  Federation  VO “lightweight” SP –No administrator duties –No management of attributes –Simply transfers attributes upon user request

20 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 20 Design (2) X.509 and proxy X.509 with VOMS AC unchanged No change in VOMS –Needs version 1.7.10 or higher VO registration not changed Administrative domain between Shibboleth federation and VOMS fully decoupled User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509) Becomes a service which knows the mapping Shibboleth userid - DN Has to respect data privacy laws

21 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 21 Shibboleth Attributes Need common understanding of attributes given within a federation but inter-federation access (?) Attributes are based on eduPerson Only a subset of attributes are really interesting for grid resources

22 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 22 Web Interface VASH Service

23 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 23 Status Software implementation done MJRA1.5 document: https://edms.cern.ch/document/807849/1 https://edms.cern.ch/document/807849/1 Need to develop plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource –Access to VOMS AC

24 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 24 Review Phase 1 and 2

25 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 25 Alternative Scenarios (1) Instead of SP1 issuing a short-lived X.509 certificate –Keep using X.509 certificate from a (“classical”) CA  IdP not used for authN  May make sense if one wants to use only IdP attributes –Generate proxy X.509 if authN at IdP successful  authN from CA and IdP –Issue (long-lived) X.509 credential based on auth at IdP  TAGPMA MICS profile  User has to maintain long-lived certificate –Use a “low quality” CA (i.e. not accredited)  Much less work  Compatibility with existing infrastructure (EGEE, LCG)

26 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 26 Alternative Scenarios (2) Instead of SP2 being independent of SP1 –Merge them into one utility, which  Issues a X.509 certificate containing the IdP attributes as an extension X.509 certificate is no longer a “bare” X.509 User cannot choose to not expose his/her attributes Code must handle attributes from two sources: IdP attributes and the VOMS VO attributes Revocation whenever attribute changes  IdP issues an AC to be inserted into proxy X.509 (just like VOMS) IdP must be known to every grid resource Requires code change at the IdP –Attribute aggregation in SAML: Longer term project (dependencies on Shib 2 and future VOMS work) –Question: should data privacy be observed when releasing IdP attributes?

27 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 27 Outline Introduction –Background: SWITCHaai Federation –Work Plan Phase 1: Short-lived credential service (SLCS) Phase 2: Attribute exchange to VOMS Outlook: Phase 3 Summary

28 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 28 Phase 3 (1) Work program for EGEE-II year 2 and beyond: –Deployment of phase 1 and 2 within Switzerland –Inter-federation access with other partners (EGEE-III) –Phase 3 Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2 3 options: –Option 1: Embed SAML assertions in certificates and let them evaluate by grid resources –Option 2: SAML-enable selected grid resources –Option 3: extend certificate-based security infrastructure with SAML Option 2 preferred –Option 1: what is additional value beyond phase 1 and 2 ? –Option 3: means to modify every grid service

29 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 29 Phase 3 (2) Phase 3 is currently being designed SAML-enable those service, with which the user interacts directly –WMS –File access Benefits: –(Average) User has no certificates any more –Introduce SAML gently beyond phase 1 and 2, gain experience –No modifications on most grid software (--> deployment) –Compatible with Shibboleth roadmap (2.0, 2.1) and ID-WSF implementation –All options open for future

30 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 30 Interoperability SAML - X.509 Part of Grid infrastructure is SAML-capable, part is pure X.509 - how to interconnect them? XTS (X.509 translation/token service) –Aka STS –Translates a SAML assertion into a X.509 certificate –Webservice –Is being contacted by grid service if it receives a SAML assertion, but it only understands X.509 –One coupling element between the SAML world and the X.509 world  Avoid coupling every grid resource with every Shibboleth IdP

31 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 31 Summary Interoperability gLite - Shibboleth: –Phase 1: SLCS service  Online CA issuing X.509 certificates based upon authN at Shibboleth IdP  currently being deployed –Phase 2: VASH  Transfers Shibboleth attributes into VOMS  Shib attributes are available to grid resources as part of VOMS AC  Software development finished –Phase 3:  Currently being designed  Idea to SAML-enable a selected (small) number of grid resources (those close to the user)

32 Enabling Grids for E-sciencE EGEE-II INFSO-RI-031688 MWSG Sann Diego Mar 1, 2007 32 Q & A

Download ppt "EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
SWITCHaai Team Federated Identity Management.

SWITCHaai Team Federated Identity Management.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org The US Federation Miron Livny Computer Sciences Department University of Wisconsin – Madison.

INFSO-RI Enabling Grids for E-sciencE The US Federation Miron Livny Computer Sciences Department University of Wisconsin – Madison.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.

INFSO-RI Enabling Grids for E-sciencE Logging and Bookkeeping and Job Provenance Services Ludek Matyska (CESNET) on behalf of the.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

Similar presentations

Ads by Google