Presentation is loading. Please wait.

Presentation is loading. Please wait.

TeraGrid Identity Federation Testbed Update I2MM April 25, 2007

Published byErin Tyler Modified over 5 years ago

Similar presentations

Presentation on theme: "TeraGrid Identity Federation Testbed Update I2MM April 25, 2007"— Presentation transcript:

1 TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
VonWelch NCSA/U. of Illinois National Center for Supercomputing Applications

2 TeraGrid Overview Nine site federation of resource providers
Each with own accounts, processes, policies, etc. There exist both TeraGrid users and local, site-specific users O(10k) TeraGrid users from wide variety of different sites Most users not from TeraGrid sites Almost all from U.S. campuses TeraGrid users have accounts on some/all sites Each site has own local users as well These are centrally managed National Center for Supercomputing Applications

3 Account management Central process for getting/managing allocation
NSF Allocations process Central database keeps track of TG user accounts at all sites no uid or username alignment across sites Also keeps track of User’s Grid Identities X.509 DNs Both TG-issued and from external CAs Pushes out to all sites All users have a TG username and password Exposed via Kerberos 5 domain and MyProxy online-CA TeraGrid User Portal National Center for Supercomputing Applications

4 TeraGrid Access Traditional interactive SSH login via Site authn
Grid (PKI) SSO SSH interactive login Short-lived PKI credentials issues via MyProxy and User’s TG username & password Hides site-specific identity details from user Grid Services Globus job submission, GridFTP, etc. Science Gateways/Web Portals Have own user databases Tied to community accounts and allocations on TG sites Give constrained, domain-specific interface National Center for Supercomputing Applications

5 Ultimate Id Federation Goals and Testbed
Allow scaling of TeraGrid to O(100k)+ users Get TeraGrid out of identity management game to allow this Leverage existing campus identity management Allowing servicing of existing VO’s Attribute-based authorization Allow for incident response Blocking and/or contacting problematic users Testbed running first half of 2007 to evaluate how Shibboleth, GridShib and other tools can achieve this NCSA, Purdue National Center for Supercomputing Applications

6 Testbed Thrusts Three thrusts…
One: Java-based Grid-enabled SSH and MyProxy client Build on work from UK NGS Allow user to do Grid-based SSH SSO with no Grid client installation Just vanilla Java Using TeraGrid username and password This is working: National Center for Supercomputing Applications

7 Testbed Thrusts Two: Shibboleth-based TeraGrid Access
Using GridShib-CA to access existing TeraGrid account In Shibboleth terms, a Shibboleth SP that issues short-lived Grid credentials Allows user to connect to TeraGrid using their local campus authentication Integrated with Java GSI-SSH client to allow for zero-client install SSH access Currently doing bi-lateral Shibboleth peering eventually InCommon Requires ePPN from IdP Friendly user mode One time registration of Shibboleth-based X.509 DN National Center for Supercomputing Applications

8 Testbed Thrusts Three: Attribute-based authorization from Science Gateways Allow Science Gateways to push VO attributes to TeraGrid sites Could be passed from user’s Idp or generated locally In development. National Center for Supercomputing Applications

9 Testbed Next Steps Get friendly users kicking the tires
Peer with some more campuses to allow this Currently U. of Illinois, U. of Chicago, ProtectNetwork, OpenIdp Try out some incident response dry runs National Center for Supercomputing Applications

10 Questions? vwelch@ncsa.uiuc.edu
National Center for Supercomputing Applications

Download ppt "TeraGrid Identity Federation Testbed Update I2MM April 25, 2007"

Similar presentations

National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.

National Center for Supercomputing Applications MyProxy and NVO or Web SSO for Grid Portals GlobusWorld 2006 Washington, DC, USA September 12, 2006 Mike.
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.

Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign InCommon and TeraGrid Campus Champions Jim Basney

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign InCommon and TeraGrid Campus Champions Jim Basney
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

Similar presentations

Ads by Google