PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

1 PKI Single Sign On & Auto Provisioning
Frank Siebenlist (ANL), Rachana Ananthakrishnan (ANL), Charles Bacon (ANL)

2 Single Sign On (03/06/08)
- Web Applications
  - http/https protocol
  - Browser, wget clients
- Other Applications
  - GridFTP, OpenDAP etc.
  - DML, UberFTP/GridFTP clients

3 PKI-X509 as SSO Solution
- Online CA to issue short-term credentials
  - Works with the authentication system
  - E.g. shares username/password with the registration system
- User "logs in" to get a credential
  - Transparent to the user, downloaded on login
- Clients leverage credentials transparently
- User "logs out" by destroying local credentials
- Same CA can be used to provide application certificates

4 Online-CA AuthN Svc [Diagram: components are the Online-CA AuthN Svc (PKI Login), the AuthN DB (uname/password), the Application Client + PKI Client, and the Application Server; the Application Server trusts the Online CA.]

5 Online-CA AuthN Svc [Diagram: same components as slide 4, with the flow: 1. login with user/pass; 2. AuthN against the AuthN DB; 3. short-term X509 credentials returned to the client; 4. access the Application Server using the X509 credentials. The Application Server trusts the Online CA.]

6 MyProxy as Online CA
- Open source software from NCSA
- Provides, among other things, Online CA capabilities
- Allows plugging in any authentication system using a PAM module
- Shipped with Globus Toolkit, supported on various platforms
- Client package as separate deployment, including Java clients and API

7 Auto-Provisioning
- SSO solutions require configuration of trust roots
  - Identity providers, Certification authorities
  - Revocation lists
- Up-to-date configuration required at servers and clients
  - Scalability issues, e.g. 8K clients
- MyProxy provides an auto-provisioning option
  - Integrated with login
  - Transparently updates CAs and CRLs
  - Can be extended to provision servers also

8 MyProxy Login with Provisioning [Diagram: Online-CA AuthN Svc with AuthN DB and Provisioning Database, Application Client + PKI Client, App Svc; step 0: trusted CA/CRLs are installed at the client.]

9 MyProxy Login with Provisioning [Diagram: as slide 8, adding 1. login with user/pass; 2. AuthN; 3. short-term X509 credentials, CAs and CRLs returned to the client.]

10 MyProxy Login with Provisioning [Diagram: as slide 9, adding 4. access the App Svc using the X509 credentials.]

11 MyProxy Login with Provisioning [Diagram: as slide 10, adding 5. update trust roots from the Provisioning Database.]

12 Gateway Deployments
- MyProxy Server
  - PAM module to talk to the authentication mechanism
- CA certificate for the MyProxy Server
- Provisioning database
  - Up-to-date list of CAs/CRLs

13 Client Deployments
- Client download contains
  - MyProxy Logon client
  - Bootstrap CA certificate
- Application clients integrate with MyProxy
  - Scripts that use myproxy-logon and grid-proxy-destroy
  - C library level integration
  - Java API integration

14 Application Server
- Use of PKI X509 certificates for authentication
  - If using SSL, no additional changes
- Install trusted certificates on the application server
- For automatic updates, set up a task to run myproxy-logon periodically
  - Need to extend MyProxy to allow server-only authentication to get certificates
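Slides 13 and 14 describe client scripts around myproxy-logon / grid-proxy-destroy and a periodic refresh task on the application server. The following is an added example of such a wrapper, not code from the deck or from the MyProxy project: it assumes the myproxy-logon options -s/-p/-l/-t/-T/-b and grid-proxy-info -exists -valid as documented in their man pages, uses the demo host and port from slide 15, and the names TRUSTROOT_DIR, PROXY_LIFETIME_HOURS and the pki_* functions are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides or the MyProxy project: wrapper functions
# around the CLI tools the deck names. Host/port are the demo values from
# slide 15; TRUSTROOT_DIR and the lifetime are assumptions of this example.
MYPROXY_SERVER="${MYPROXY_SERVER:-plussed.mcs.anl.gov}"
MYPROXY_PORT="${MYPROXY_PORT:-7512}"
TRUSTROOT_DIR="${X509_CERT_DIR:-$HOME/.globus/certificates}"
PROXY_LIFETIME_HOURS="${PROXY_LIFETIME_HOURS:-12}"

# True when this client has no trust roots yet (directory missing or empty),
# i.e. the first login must bootstrap trust in the MyProxy server itself.
needs_bootstrap() {
    [ ! -d "$TRUSTROOT_DIR" ] || [ -z "$(ls -A "$TRUSTROOT_DIR" 2>/dev/null)" ]
}

# True when a local proxy exists and stays valid for at least $1 more minutes.
proxy_valid_for() {
    grid-proxy-info -exists -valid "0:$1" >/dev/null 2>&1
}

# Steps 1-3 of the login flow: authenticate to the Online CA and receive a
# short-term X509 credential; -T also pulls the current CAs and CRLs into
# TRUSTROOT_DIR (step 5 on slide 11, update trust roots).
pki_login() {
    set -- -s "$MYPROXY_SERVER" -p "$MYPROXY_PORT" -l "$1" \
           -t "$PROXY_LIFETIME_HOURS" -T
    if needs_bootstrap; then
        set -- "$@" -b    # first run only: fetch the CA that signed the server cert
    fi
    myproxy-logon "$@"
}

# "Logs out" by destroying the local credential (slide 3).
pki_logout() {
    grid-proxy-destroy
}

# Scheduled refresh for an application server (slide 14): re-logon only when
# the credential expires within the hour. Unattended runs still need the
# server-only authentication the deck lists as a MyProxy extension to add.
pki_refresh() {
    proxy_valid_for 60 || pki_login "$1"
}

case "${1:-}" in
    login)   pki_login "$2" ;;
    logout)  pki_logout ;;
    refresh) pki_refresh "$2" ;;
esac
```

Run as `sh pki-sso.sh login <username>` on a workstation, and `sh pki-sso.sh refresh <username>` from the server's scheduled task.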

15 MyProxy Demo
- MyProxy Online CA set up on plussed.mcs.anl.gov:7512
- UberFTP server set up on plussed.mcs.anl.gov to trust the above MyProxy Online CA
- Instructions and sample run:
  - http://www-unix.mcs.anl.gov/~ranantha/esg/PKISSO.html

16 Some next steps
- Demo trials and feedback
- MyProxy
  - Extend to allow server trust-root provisioning
  - Customize the MyProxy Logon Java Web Start application for ESG
- Discuss integration with application servers
- Integration with gateway software
  - Evaluate distribution with gateway software

17 Integrated WebSSO & PKI-SSO [Diagram: one AuthN DB (uname/password) backs both an Online-CA AuthN Svc (u/p => X509 creds, used by the PKI Client) and a WebSSO AuthN Svc (u/p => cookie, used by the Browser Client via http-redirect + cookie). The PKI App Svc performs X509 public-key authN and trusts the CA; the Web Svc trusts the authN Svc.]
