1
Jens G Jensen CCLRC e-Science Single Sign-on at RAL (and DLS too) Authentication and Integrated Identity Management hepsysman Cambridge, 23 Oct 2006
Slide 2: Contents (approximately)
– Goals
– Current status: site authentication, Grid authentication, authorisation
– Terminal access
Slide 3: The Problem
– Integrated access (authentication)
– Identity management
– Implemented locally… to be integrated with future national efforts… and international ones
Slide 4: What is SSO?
– Central password management: no need to reuse the same password across systems; the password is stored securely in one location
– Central account management: ISIS, DLS and CLF together have 14,500 users; accounts must be kept up to date; the User Office can add new ones
Slide 5: What is SSO? (continued)
– One account used with all resources
– cf. the Grid: one certificate used with all grids (well, sort of)
– Shibboleth does the same for web resources
– Generally requires consistent attribute management (VOMS for the Grid, attribute authorities for Shibboleth)
Slide 6: Authentication, web based
– On-site: use the federal id (Active Directory/Kerberos)
– Off-site: use a certificate, if one is loaded into the browser
– Otherwise username/password, the same as the federal username/password. The web system is not allowed to store that password, so it must verify it against the central store rather than keep its own copy, and it must know that the two logins are the same identity
Slide 7: Account Management
– DLS uses Vintela for account management
– Commercial product
– Accounts and passwords managed across Windows and Linux
– PAM module for Linux
– Lets users reset their own passwords, etc.
Slide 8: Site Authentication
– Microsoft Active Directory (2000/2003)
– Compatible with Kerberos 5, as long as the server (KDC) is the Microsoft one
– Publishes account data (the "Corporate Data Repository") using the RFC 2307 schema
Slide 9: Grids
GridPP
– More complex middleware stack
– Plain old ssh login
– Uses VOMS for authorisation
NGS and SCARF
– Basic Globus 2.4 toolkit (VDT distribution)
– gsissh login (more later)
– Basic (Unix group) or no VO management
Slide 10: "Data Grids", i.e. SRB (the new version will be different?)
– Can use X.509 or username/password
– Password stored in a file in the home directory (~)
– Not integrated: inQ uses username/password only, and X.509 support must be compiled in
– Integrate with everything else? A separate database column for SRB ids?
Slide 11: Shibboleth
– Site password for common web resources
– Web resources only: depends on the HTTP protocol (e.g. redirects)
– SWITCH in EGEE: work on Shibifying middleware, starting with the gatekeeper
– Shibboleth 2 will be less web-specific
Slide 12: Shibboleth deployment
– SDSS: JISC funded, under the core middleware programme; early deployment of the UK Federation
– The UK Federation will encompass all HEIs and FEIs
– SDSS will become the UK Federation
Slide 13: Shibboleth deployment (continued)
– CCLRC has an IdP in SDSS
– It does not cover the whole site, only the ShibGrid project
– ShibGrid? Shibboleth access to the Grid; a collaboration between Oxford and CCLRC
– IdP? Provides SSO (password) and the AA (attributes)
Slide 14: Shibboleth deployment (continued)
– Shibboleth Service Provider: portals (for NGS) to access the Grid, the "ShibGrid" project
– MyProxy used for credential conversion (Shibboleth login to Grid proxy certificate)
Slide 15: Java SSH Term
– Written in Java (no, really)
– Standalone: untar and run
– Applet
– xterm: understands (most) ANSI control sequences
Slide 16: Java SSH Term (continued)
– Took an open source terminal (on sf.net) and a GSISSH plugin contributed from Canada
– Authenticate with the site AD/K5 magic biscuit (see later)
– Or via MyProxy (username/password)
– Or via certificate (private key passphrase)
Slide 17: Java SSH Term (continued)
– Picks up the magic AD/K5 biscuit, i.e. the Kerberos ticket the user already holds from the site Active Directory login
– Integrated with site Active Directory
– Callout to the existing ticket; no naughty storing of passwords
– Works! But only with Java 1.6 for this, which is available in beta
Slide 18: Java SSH Term
[Diagram: a terminal session ("> echo hello world" / "hello world") and the components it talks to: User Interface, MyProxy, ID database, VOMS, WN, SRB, SRM]
Slide 19: Java SSH Term, user view
– Use a "proper" Grid (X.509) certificate: upload a proxy to MyProxy once a week, and the terminal fetches proxies where you need them
– Or use a proxy from the built-in CA: no need for PKCS#12 to PEM conversion, or even for understanding certificates
Slide 20: Java SSH Term, admin view
– Can shut down vanilla ssh
– Key management is Somebody Else's Problem™
– Decreased support load… (potentially)
– Must trust a MyProxy CA: in the UK, tie it into the CA hierarchy; NGS has a separate hierarchy
Slide 21: (planned) UK hierarchy
[Diagram of the planned CA hierarchy. Nodes shown: e-Science ROOT at the top; the e-Science CA; a Credential conversion top level with three Institutional CC CAs beneath it; an NGS Training and Monitoring CA. Legend: Trusted CA (explicit trust) and Accredited CA.]
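The two rules that make slides 19 to 21 hang together are that a proxy can never outlive whatever signed it (so a session proxy fetched from a week-old MyProxy upload is capped at that upload's expiry) and that the chain must end at a root the relying party has chosen to trust explicitly. The block below is an added example written for this page, not code from the talk or the terminal it describes: a plain-Python model of those checks with no real X.509 parsing. The CA names follow the hierarchy slide, and every date, lifetime and subject name is constructed for the example.

```python
# Added example (not from the talk): proxy lifetime nesting and trust-anchor
# checks modelled in plain Python. Names follow the hierarchy slide; all dates,
# lifetimes and the user subject are constructed for this example.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Cred:
    subject: str
    issuer: Optional["Cred"]      # None means self-signed root
    not_before: datetime
    not_after: datetime
    kind: str                     # "ca", "eec" (end-entity) or "proxy"


def _valid_at(c: Cred, now: datetime) -> bool:
    return c.not_before <= now < c.not_after


def issue(parent: Cred, subject: str, lifetime: timedelta, now: datetime,
          kind: str) -> Cred:
    """Issue a child credential, capped at the parent's expiry so nothing
    in the chain outlives its signer."""
    if not _valid_at(parent, now):
        raise ValueError(f"{parent.subject} is not valid at {now.isoformat()}")
    return Cred(subject, parent, now, min(now + lifetime, parent.not_after), kind)


def derive_proxy(parent: Cred, lifetime: timedelta, now: datetime) -> Cred:
    """What the terminal does when it fetches a session proxy: a proxy named
    under its parent and no longer-lived than the parent."""
    return issue(parent, parent.subject + "/CN=proxy", lifetime, now, "proxy")


def validate_chain(leaf: Cred, trusted_roots: set, now: datetime) -> list:
    """Walk leaf -> root: each link valid now, nested inside its issuer's
    validity, and the self-signed root present in the explicit trust store.
    Returns the subjects along the path."""
    path, cred = [], leaf
    while cred is not None:
        if not _valid_at(cred, now):
            raise ValueError(f"{cred.subject} expired or not yet valid")
        if cred.issuer is not None and cred.not_after > cred.issuer.not_after:
            raise ValueError(f"{cred.subject} outlives its issuer")
        if cred.issuer is None and cred.subject not in trusted_roots:
            raise ValueError(f"root {cred.subject} is not trusted")
        path.append(cred.subject)
        cred = cred.issuer
    return path


def chain_ok(leaf: Cred, trusted_roots: set, now: datetime) -> bool:
    try:
        validate_chain(leaf, trusted_roots, now)
        return True
    except ValueError:
        return False


def build_scenario(now: datetime) -> dict:
    """Constructed chain: root -> credential-conversion top level ->
    institutional CC CA -> user's one-year cert -> weekly MyProxy proxy,
    plus a training CA that is deliberately outside the trust store."""
    root = Cred("/C=UK/O=eScience/CN=e-Science ROOT", None,
                now - timedelta(days=365), now + timedelta(days=3650), "ca")
    cc_top = issue(root, "/C=UK/O=eScience/CN=Credential conversion top level",
                   timedelta(days=1825), now, "ca")
    inst = issue(cc_top, "/C=UK/O=eScience/OU=CCLRC/CN=Institutional CC CA",
                 timedelta(days=730), now, "ca")
    user = issue(inst, "/C=UK/O=eScience/OU=CCLRC/CN=alice example",
                 timedelta(days=365), now, "eec")
    weekly = derive_proxy(user, timedelta(days=7), now)   # the once-a-week upload
    training = Cred("/C=UK/O=eScience/CN=NGS Training and Monitoring", None,
                    now - timedelta(days=30), now + timedelta(days=365), "ca")
    trainee = issue(training, "/C=UK/O=eScience/CN=trainee",
                    timedelta(days=30), now, "eec")
    return {"root": root, "weekly": weekly, "user": user, "trainee": trainee}


T0 = datetime(2006, 10, 23, 9, 0, tzinfo=timezone.utc)   # constructed "now"


def demo(now: datetime = T0) -> dict:
    """Run the scenario; returns each check's outcome rather than printing it."""
    s = build_scenario(now)
    roots = {s["root"].subject}
    later = now + timedelta(days=6, hours=20)              # near the end of the week
    session = derive_proxy(s["weekly"], timedelta(hours=12), later)
    return {
        "session_capped": session.not_after == s["weekly"].not_after,
        "path_len": len(validate_chain(session, roots, later)),
        "valid_after_week": chain_ok(session, roots, now + timedelta(days=8)),
        "trainee_untrusted": chain_ok(s["trainee"], roots, now),
        "trainee_explicit": chain_ok(s["trainee"],
                                     roots | {s["trainee"].issuer.subject}, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The 12-hour session proxy requested 6 days and 20 hours into the week is silently shortened to 4 hours, which is the behaviour a user sees as "my terminal stopped working on Monday" unless the weekly upload is renewed; and the training CA's chain only validates once its root is added to the trust store by hand, which is what "explicit trust" on the hierarchy slide means in practice.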
Slide 22: Java SSH Term, try it!
– http://www.grid-support.ac.uk/
– The public link may be for the non-AD/K5 version
– There is a secret link for the Java 1.6 version, until Java 1.6 is released: email me
Slide 23: User Management
– DLS and ISIS have 14,000 to 15,000 users
– Already about 6,000 to 7,000 unique users in the database; how to establish, and maintain, uniqueness?
– Users get accounts locally, set up by the User Office
– Give them a Unix UID? RFIO and NFS carry the UID in 16 bits…
Slide 24: Vintela
– Used by Diamond Light Source (the synchrotron), not by all of CCLRC/RAL
– Commercial
– Manages user accounts across Linux and Windows
– Uses RFC 2307 with extensions ("make more scalable")
– A caching daemon on the client makes the system scalable
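Slides 8, 23 and 24 all rest on the same thing: Active Directory publishing RFC 2307 posixAccount attributes that Linux clients turn into passwd entries, with the uidNumber then having to fit whatever the downstream protocols carry. The block below is an added example for this page, not the site's or Vintela's code: it parses LDIF as a directory search would return it and audits the uidNumbers before they reach a 16-bit RFIO/NFS field. The LDIF entries, directory names and the reserved-range cutoff are all constructed assumptions for the example.

```python
# Added example (not from the talk): parse RFC 2307 posixAccount entries as an
# AD that publishes Unix attributes returns them, then audit the uidNumbers.
# The LDIF text, DNs and RESERVED_UID_MAX are constructed for this example.
UID16_MAX = 0xFFFF          # largest uid a 16-bit RFIO/NFS field can carry
RESERVED_UID_MAX = 999      # assumption: uids up to here belong to system accounts

SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Users,DC=example,DC=ac,DC=uk
objectClass: user
objectClass: posixAccount
uid: alice
uidNumber: 10042
gidNumber: 5000
homeDirectory: /home/alice
loginShell: /bin/bash
gecos: Alice Example, ISIS use
 r office

dn: CN=Bob Example,OU=Users,DC=example,DC=ac,DC=uk
objectClass: user
objectClass: posixAccount
uid: bob
uidNumber: 70001
gidNumber: 5000
homeDirectory: /home/bob
loginShell: /bin/bash

dn: CN=Carol Example,OU=Users,DC=example,DC=ac,DC=uk
objectClass: user
objectClass: posixAccount
uid: carol
uidNumber: 10042
gidNumber: 5001
homeDirectory: /home/carol
loginShell: /bin/bash

dn: CN=Windows Only,OU=Users,DC=example,DC=ac,DC=uk
objectClass: user
sAMAccountName: winonly
"""


def parse_ldif(text):
    """Return one dict per entry (attribute -> list of values). Unfolds LDIF
    continuation lines (leading space); base64 ('::') values are skipped
    because none of the RFC 2307 attributes used here need them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # fold continuation onto previous line
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value, not needed here
            continue
        entry.setdefault(attr, []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def posix_accounts(entries):
    """Only entries carrying the posixAccount class have Unix attributes."""
    return [e for e in entries if "posixAccount" in e.get("objectClass", [])]


def passwd_line(e):
    """Render an entry the way the NSS layer would present it to getpwnam."""
    return ":".join([e["uid"][0], "x", e["uidNumber"][0], e["gidNumber"][0],
                     e.get("gecos", [""])[0], e["homeDirectory"][0],
                     e["loginShell"][0]])


def audit_uids(entries):
    """Flag uidNumbers that will not survive a 16-bit transport, that collide
    with another user, or that sit in the reserved system range."""
    seen, problems = {}, {"too_wide": [], "duplicate": [], "reserved": []}
    for e in posix_accounts(entries):
        name, uidn = e["uid"][0], int(e["uidNumber"][0])
        if uidn > UID16_MAX:
            problems["too_wide"].append(name)
        if uidn <= RESERVED_UID_MAX:
            problems["reserved"].append(name)
        if uidn in seen:
            problems["duplicate"].append((seen[uidn], name))
        else:
            seen[uidn] = name
    return problems


if __name__ == "__main__":
    accounts = posix_accounts(parse_ldif(SAMPLE_LDIF))
    for a in accounts:
        print(passwd_line(a))
    print(audit_uids(parse_ldif(SAMPLE_LDIF)))
```

Two of the constructed entries are wrong in ways the directory itself will not refuse: bob's uidNumber 70001 is truncated or rejected by a 16-bit RFIO/NFS client, and alice and carol share 10042, so one can read the other's files over NFS. The Windows-only entry has no Unix attributes and is correctly left out of the passwd view, which is the situation "give them a Unix UID?" on slide 23 is asking about.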
Slide 25: Vintela "Active Roles"
– Users can unlock their own accounts (by answering security questions)
– Scriptable user creation
– NSS module for NIS
– PAM module calls out to Active Directory
– Support for Red Hat, SuSE, Solaris, HP-UX and AIX
Slide 26: Future work
– Better database integration (eduPerson)
– Identity management (next slide): users may have different ids in different contexts?
– Authorisation needed: VOMS integration; site attributes, maybe? VO attributes! Combined?
Slide 27: Identity Management, TODO
– Tie together all the identities in a central database: Grid certificates, low-assurance (credential conversion) certificates, SRB identities, tape store ids, Unix user ids
– How to populate it with initial data…
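The TODO on slide 27 has two halves: deciding which records from the separate systems are the same person, and noticing where that decision cannot be made automatically (slide 23's uniqueness question). The block below is an added example written for this page, not the talk's or the site's code: a union-find merge over constructed identity rows, keyed on attributes assumed to be shared between sources (e-mail address and site login), with records that end up holding more than one Unix uid flagged for a human rather than merged. All rows, names and the choice of linking attributes are assumptions made for the example.

```python
# Added example (not from the talk): link per-system identities into one
# central record per person. Rows, names and the linking attributes below
# are constructed assumptions, not the contents of any real database.
from collections import defaultdict

# (source, identifier, attributes trusted for linking)
SAMPLE_ROWS = [
    ("grid_cert", "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example",
     {"email": "alice@example.ac.uk"}),
    ("cc_cert", "/C=UK/O=eScience/OU=CC/CN=alice", {"site_login": "alice"}),
    ("unix", "uid=10042", {"site_login": "alice", "email": "alice@example.ac.uk"}),
    ("srb", "alice.ral", {"email": "alice@example.ac.uk"}),
    ("tapestore", "T-00917", {"site_login": "alice"}),
    ("unix", "uid=10077", {"site_login": "bob", "email": "bob@example.ac.uk"}),
    ("srb", "bob.ral", {"email": "bob@example.ac.uk"}),
    ("grid_cert", "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=carol example",
     {"email": "carol@example.ac.uk"}),
    ("unix", "uid=10099", {"site_login": "bob"}),   # a second Unix account for bob
]

SINGLE_VALUED = ("unix",)   # assumption: one person should hold exactly one Unix uid


def link_identities(rows):
    """Union-find over rows: two rows sharing any (attribute, value) pair are
    the same person. Returns one dict per person: source -> sorted ids."""
    parent = list(range(len(rows)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for i, (_, _, attrs) in enumerate(rows):
        for key in attrs.items():           # key is the (attribute, value) pair
            if key in first_seen:
                union(first_seen[key], i)
            else:
                first_seen[key] = i

    groups = defaultdict(lambda: defaultdict(list))
    for i, (source, ident, _) in enumerate(rows):
        groups[find(i)][source].append(ident)
    records = [{s: sorted(ids) for s, ids in g.items()} for g in groups.values()]
    return sorted(records, key=lambda r: min(min(v) for v in r.values()))


def record_for(records, source, ident):
    """Look up the merged record holding a given identifier, or None."""
    for r in records:
        if ident in r.get(source, []):
            return r
    return None


def conflicts(records, single_valued=SINGLE_VALUED):
    """Records where a source that should be unique per person holds several
    identifiers: these need a human decision, not an automatic merge."""
    return [r for r in records if any(len(r.get(s, [])) > 1 for s in single_valued)]


if __name__ == "__main__":
    recs = link_identities(SAMPLE_ROWS)
    for r in recs:
        print(r)
    print("needs review:", conflicts(recs))
```

Linking transitively (alice's tape-store id is only tied to her site login, her SRB id only to her e-mail) is what makes the merge useful for populating the central database from the existing systems, and it is also what makes a single shared attribute value dangerous: one reused e-mail address would fold two people into one record, which is why the conflict check, not the merge, is the part worth auditing.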
Slide 28: Summary
– Terminal access to the Grid is in production
– Non-certificate access via MyProxy, to be integrated with CA rollover; the terminal handles all the grid-proxy-init work
– Much of account management is solved
– Integrating with future SSO efforts