Published by Leah Butler. Modified over 11 years ago.
1
Jens G Jensen, CCLRC e-Science

Single Sign-on to the Grid
Federated Access and Integrated Identity Management
2
The Problem

Scope: CCLRC
  – But extending CCLRC facilities
  – DLS, ISIS, CLF, SRD
Access to Grid
  – NGS, SCARF
  – The SRBs
  – Atlas Tapestore
3
What's in SSO?

Identity and User Management
Credential conversions
  – Certificates, AD/K5
  – Protection of credentials
Thin clients vs thick clients
Passwords and -phrases
  – Single password to all resources
4
Authentication – web based

If on-site, use federal id
If off-site, use certificate
  – if loaded into browser
Otherwise username/password
  – Same as fed username/password
  – Not allowed to store password…
System must know these are the same
5
Web (HTTPS) based SSO

Easier to implement servers
  – Apache can do Everything
  – Not trivial to integrate with existing Java portals
  – Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
Lots of HTTP tools that understand security
Future proof, when UK goes to Shibboleth
6
Client Side – from outside CCLRC (old slide)

[Diagram labels: PORTAL, VOMS, THE GRID, Certificate, SRB]
7
Client Side – from within CCLRC (old slide)

[Diagram labels: PORTAL, MyProxy, VOMS, Microsoft Active Directory, THE GRID, SRB]
8
SRB

SRB provides SSO
But with everybody else's…
S commands can be used with GSI and with username/password
inQ doesn't understand certificates

[Diagram labels: THE GRID, SRB, THE BEAM]
9
Proposed DIAMOND Infrastructure

[Diagram labels: Detector, ADSC RAID 2TB, ADSC RAID 2TB, ADSC RAID 2TB, 20TB SRB Vault, ADS Resource, 20TB SRB Vault, 160TB SRB Vault, SRB space]

Slide borrowed from P Berrisford
10
Proposed DIAMOND Phase 1 Test Infrastructure

[Diagram labels: 20 TB Vault, SRB ADS cache, SRB ADS tape resource, SRB Storage Server, SRB MCAT Server, SRB ADS Server, MCAT Database, Data Management Group, Data Storage Group, DIAMOND]

Slide borrowed from P Berrisford
11
What's in a name

Federal id – jj47@fed.cclrc.ac.uk
DN - /C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen
SRB username, fed id or based on CN
Tapestore username – arbitrary: jj47
  – or based on VO (via SRM or SRB)
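
Added example (not from the original slides): the slide lists several names for one person, and the authentication slide requires that the system know they are the same. This Python code reads mappings in grid-mapfile syntax, links each certificate DN to a federal id, and refuses any DN that maps to more than one account. Every sample entry except the slide's DN and jj47, the one-account-per-line restriction, and the function names are assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample in grid-mapfile syntax: "<DN>" <local account>.
# Only the first DN and the account jj47 come from the slide.
SAMPLE_GRIDMAP = '''
# certificate DN -> federal id account
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen" jj47
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=example user" ab12
"/C=UK/O=eScience/OU=CLRC/L=DL/CN=example user" ab12
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=other user" cd34
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=other user" ef56
'''

FED_REALM = "fed.cclrc.ac.uk"  # realm taken from the slide's federal id


def parse_gridmap(text):
    """Return (dn, account) pairs, skipping blank lines and comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # keeps the quoted DN, spaces included
        if len(fields) != 2 or not fields[0].startswith("/"):
            raise ValueError(f"line {lineno}: expected a quoted DN and one account")
        entries.append((fields[0], fields[1]))
    return entries


def build_identities(entries):
    """Link each DN to one federal id; collect DNs claimed by several accounts."""
    accounts = defaultdict(set)
    for dn, account in entries:
        accounts[dn].add(account)
    identities, conflicts = {}, {}
    for dn, accts in accounts.items():
        if len(accts) > 1:
            conflicts[dn] = sorted(accts)  # ambiguous: do not pick one
        else:
            identities[dn] = f"{next(iter(accts))}@{FED_REALM}"
    return identities, conflicts


def resolve(dn, identities):
    """Federal id for a certificate DN, or None if unknown or ambiguous."""
    return identities.get(dn)
```

Two DNs sharing one account (for example after a certificate is reissued) are accepted; one DN pointing at two accounts is reported so the user office can fix the record before access is granted.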
12
Status – User Office

Set up identities
Maintain identities
Registration Authority for CA
Needs user office friendly tools
Challenge: ensure user offices are consistent
  – Namespaces, identities
13
Status – Users

Need certificates for Grid work
Once every year, obtain/renew cert
  – Usability of CA improved with upgrade
  – Will resurrect applets
Once every week, renew proxy
  – Upload tool in Java, another in Python
Once every day
  – Log in to Windows (or Linux kinit)
14
Status – software

Prototype portal (Python)
  – Thin clients (web browser)
  – Fetches proxy from MyProxy
  – AD/K5 works with IE and certain Linux browsers
Components for thick clients
  – Fetches proxy locally from MyProxy
15
Authorisation – VO mgmt

Agree roles (between facilities)
Need for tools
  – Track project proposal
Infrastructure
  – LDAP/GridMap
  – VOMS
  – (future things)
16
User Information

[Diagram labels: CDR User Database, DLS, SRS, ISIS, Grid, SSTD, CLF,… e.g. NGS, SCARF, Datastore]
17
Authorisation

[Diagram labels: Microsoft Active Directory, CDR, LDAP, VOMS, MyProxy?, Gridmap file]
18
Combining Grid Authorisation

[Diagram labels: LDAP, LDAP, LDAP, CCLRC, NGS, LCG, Grid AUZ]
19
Keeping identities

[Diagram panels: First attempt, Second attempt]
20
The Who

CCLRC e-Science/GOSC
  – D Byard, M Viljoen (code)
CCLRC e-Science Data Management
  – SRB work
CCLRC e-Science Atlas Tapestore
CCLRC BITD
  – Database
Facilities – Diamond, ISIS, CLF, SRD
21
Future work

VOMS
Extending collaboration
  – Related Shib work with Oxford
Grid access for non-certificate users
DLS & IB very interested (+BDWorld?)
Ponder credential conversions
  – And protection
22
Summary

Prototype SSO access to Grid
Existing implementations, added glue
Loads of other minor things that need doing
Integrating with other SSO efforts
Facilities user offices maintain ids
More authorisation work reqd