Presentation is loading. Please wait.

Presentation is loading. Please wait.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Published byShannon Holland Modified over 8 years ago

Similar presentations

Presentation on theme: "AAI WG EMI Christoph Witzig on behalf of EMI AAI WG."— Presentation transcript:

1 AAI WG EMI Christoph Witzig on behalf of EMI AAI WG

2 EMI INFSO-RI-261611 Comments Disclaimer: This is work in progress that has just started We are aware that some of these issues have already been discussed within EuGridPMA 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 2

3 EMI INFSO-RI-261611 Content EMI AAI WG Identified use-cases Security Token Service Policy issues Next steps 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 3

4 EMI INFSO-RI-261611 EMI AAI WG EMI proposal mentions interoperability of EMI / Grid with AAIs, in particular – „Easier“ credential handling for the user – Interoperability with Shibboleth and kerberos domains Members from – CNAF, HIP, NKUOA, SWITCH, UWAR 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 4

5 EMI INFSO-RI-261611 Objectives 1.Identify use-cases how EMI could support AAI 2.Support sub-set of identified use-cases within EMI 3.Reachout to other parties involved – EuGridPMA  Trust – ESFRI, EGI, … 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 5

6 EMI INFSO-RI-261611 Use Case 1: Obtaining a X.509 Based on token from another domain 1a) short-lived credential  next slide 1b) long-lived credential Well-known for EuGridPMA  SLCS, MICS profile 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 6

7 EMI INFSO-RI-261611 SLCS 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 7 slcs-init: command line tool User Agent handles WebSSO mechanism

8 EMI INFSO-RI-261611 Portal obtains X.509 from – Certificate store (e.g. myproxy) – „CA“ Note: CA has a very broad meaning here – not necessarily EUGridPMA CA Based on portal request (portal acting on behalf of user) Based on SAML issued by IdP (delegation)  next slide Note: New use-case, becoming available now 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 8 Use Case 2: AAI-enabled portals to Grid infrastructures

9 EMI INFSO-RI-261611 Use Case 2: AAI-enabled portals 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 9

10 EMI INFSO-RI-261611 Use Case 3: AAI-enabled portals for displaying and accessing Grid information Any portal can easily be accessed through AAI – Low priority  typical Grid administrator already has X.509 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 10

11 EMI INFSO-RI-261611 Use Case 4 : Security Token Service A service obtains a security token and needs to convert it into another security token in order to access another service (e.g. Grid service) Example: – Incoming token: SAML, kerberos – Outgoing token: X.509 Note: very general use-case 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 11

12 EMI INFSO-RI-261611 Use Case 5: Use of AAI attributes in Grid services Today: attributes are issued by VOMS Tomorrow: non-VO attributes can be issued by AAI Attributes in question are few, simple but possibly very important, such as Employing institution Afflilation (student, professor,...) Study branch (biology, physics 5th semester) Question: What requirements should be put on AA? 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 12

13 EMI INFSO-RI-261611 Use Case 6: VO Registration Identity vetting based on AAI in registration process – Possibly involving AAI attributes – Low priority established mechanism exists Interesting if other communities bring large number of users 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 13

14 EMI INFSO-RI-261611 Use-cases: Summary Use- case DescriptionStatus 1X.509 issuance based on AAI„Solved“ (but needs improvement!) 2AAI-enabled portalsSolutions exist SAML delegation new 3AAI-enabled Grid info portalsLow priority 4STSNew, general purpose service, high priority 5Use of AAI attributes in GridInteresting, potentially very important 6VO registrationLow priority 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 14

15 EMI INFSO-RI-261611 Security Token Service: Functionality (1/2) Authenticates and authorizes users based on security tokens Transforms a security token (the claim) into another security token suitable for the requested service Username token into SAML token SAML token into X.509 token Aggregates required information from external Attribute Authorities Establishes a trust relation between different application domains Shibboleth domain vs Grid domain 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 15

16 EMI INFSO-RI-261611 Security Token Service: Functionality (2/2) Web Service (SOAP) based protocol WS-Trust profile – Version 0 (dated Jan 2008!) http://www.switch.ch/grid/support/documents/ http://www.switch.ch/grid/support/documents/ – Basic Operations: Request token Renew token Cancel token Validate token Easy expansion to handle new tokens Prospect: Integrated with Shibboleth IdP 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 16

17 EMI INFSO-RI-261611 Security Token Service: Architecture Profile Handler implements WS-Trust profile Token Authority manages security tokens Resolver retrieves information, attributes from external authorities (LDAP, Online CA, VOMS,...) 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 17 Note: Prospect of building on Shibboleth (IdP v3)

18 EMI INFSO-RI-261611 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 18 Trust Model: X.509 to SAML X.509 Validation – Service A and STS validate the X.509 token (X.509 trust based on the IGTF trust anchors) SAML Validation – Service B must validate and trust the SAML token issued by the STS (SAML Trust Domain)

19 EMI INFSO-RI-261611 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 19 Trust Model: SAML to X.509 SAML Validation – Service A and STS must validate and trust the SAML token issued by an IdP/AA (SAML Trust Domain) X.509 Validation – Service B validates the X.509 token issued by the STS (based on the IGTF trust)

20 EMI INFSO-RI-261611 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 20 SAML Trust Model SAML Token Issuance – STS must be able to issue SAML token to another service (signed and encrypted?) SAML Token Validation and Trust – Services must be able to validate and trust a SAML token issued by another service (STS, IdP, Attribute Authority, …) => SAML Trust Domain must be defined – Using Metadata (Shibboleth) Entity ID (uniquely identifies a SP, IdP, AA, …) Key-Info (X.509 certificate for signature/encryption)

21 EMI INFSO-RI-261611 Issues / Questions Handling trust between trust domains – Authentication assertions – Attributes handling (VOMS, IdP) – What requirements do you put on STS and other trust domain?  linking trust domains Issuance of certificates – proxies – Interaction STS/IdP/VOMS – Private key handling Attribute handling / attribute trust? 12/05/2010 STS SAML Trust Domain, EUGridPMA Meeting 21

22 EMI is partially funded by the European Commission under Grant Agreement RI-261611 Thank you! 12/05/2010 22 STS SAML Trust Domain, EUGridPMA Meeting

Download ppt "AAI WG EMI Christoph Witzig on behalf of EMI AAI WG."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
CLARIN AAI, Web Services Security Requirements

CLARIN AAI, Web Services Security Requirements
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EMI INFSO-RI-261611 Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH

EMI INFSO-RI Session Summary AAI Needs for DCIs John White, HIP Christoph Witzig, SWITCH
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.

2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,

Similar presentations

Ads by Google