Jens Jensen, STFC Sep EUGridPMA Manchester


Presentation on theme: "Jens Jensen, STFC Sep EUGridPMA Manchester"— Presentation transcript:

1 Pathfinder Stuff
Jens Jensen, STFC, Sep. 2017, EUGridPMA Manchester

2 Contents
- AAAI Pathfinder
- Er, that’s it.

3 AAAI Pathfinder
(diagram: GridPP, VOMS, DiRAC, ARCHER, X.509, SAFE, ssh, IdP)

4 AAAI Pathfinder
(diagram: GridPP, PRACE, EGI, EUDAT, Indigo DC, X.509, IdP)

5 Pathfinder T3.2
(architecture diagram: DB, STFC/Facilities Portal, sshd, User Reg’n portal, SCARF, Public Authn, MyProxy, Online CA, HSM, VOMS; connected infrastructures: GridPP, EGI, PRACE, EUDAT, GlobusConnect(?))

6 Portal components
(diagram)
- Public Portal/server (no authentication required): Information; Links to helpdesk; (links to) JISC and service AUP; CRL; (links to) CP and CPS
- Moonshot (user) authenticated Account management: AUP Acceptance; Name filter; IdP check; Attribute check; Data Processing Acceptance; Certificate Interface; Acct DB; Status; (Re)new; Revoke
- Management Interface (X.509 authenticated): Service API; Forget

7 GridPP’s participation
- Work with Suleman Tariq
- CA portal (user interface)
- If you have an IdP in Assent, you can authenticate to it
- Not finished yet: you can’t get a certificate (yet)
- Evaluated, but chose not to use MP client
- Chose not to use the CTS code
- No VOMS in interface; expecting attrs from Moonshot

8 Visiony Stuff
- Single identity provided by home org., or a “homeless” org.
- Access to both web and non-web resources
- Chicken and egg takeup: more resources make having an IdP more attractive
- Use Pathfinder to provide resources

9 Technical Points
- Moonshot requires client side libs (mech_eap.so)
- X.509 certificates require higher LoA; aiming for BIRCH
- Need for IdP to communicate “loss of traceability”
- Infrastructure managed private keys: should improve usability

10 (Main) Risks (there is a proper risk register…)
- Not enough IdPs… of a sufficient LoA (IGTF BIRCH)
- Need to sign a contract! (little assurance in Assent itself)
- IdP cannot notify on loss of traceability
- IGTF accreditation delayed
- Users still manage certs through browser!

11 Database
(diagram)

12 Current Status
- Trusted IdPs: managed manually (whitelist) in service
- No assurance in Assent: needs agreement (lawyers, legal); compare UK eSc: HoD signed
- Option for individual user step up auc.
- Guidance from AARC?
- Needs to not just be a one off (traceability); registration practices statement?
- Option for notification “step up” as well
- Complicated status: need UF indicator

13 Current Status – Person
- Unauthenticated person
- Authenticated person
- Authenticated from good org, or has step-up (see prev.)
- Authenticated from good org with good attrs
- Authenticated from good org with good attrs and notify on loss of traceability
- Authenticated from good org with good attrs and notify on loss of traceability and AUP/dataprot.-accept

14 Final steps
- Need approval from reviewers!
- MyProxy ∫ (à la CTS); no VOMS extensions though
- Not prod’n ready: temporary CA, database in cloud
- Writeup to be finished
- Still some funnies in the system: 10-14 unauthorised requests are made before one is authorised(!)
- Still need the attributes! (see RFC 7056)
- Doesn’t pick up local biscuit even with IE
- Ensure logging is correct

15 Future directions
- ∫ with RCauth?
- Could support IOTA branch for < MICS
- Lots of Globus dependencies for MyProxy
- Will need to approve each IdP (need to define process for doing so) and debug its attributes… like, what is the User-Name (RFC 7056)

