Presentation is loading. Please wait.

Presentation is loading. Please wait.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006.

Published byCharlotte Parrish Modified over 9 years ago

Similar presentations

Presentation on theme: "Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006."— Presentation transcript:

1 Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006

2 Jens G Jensen CCLRC e-Science The Problem Integrated Access (Authentication) Identity management Implemented locally… …integrate with future national efforts… …and international

3 Jens G Jensen CCLRC e-Science What’s in SSO? More than just “type password once” Identity mgmt, User mgmt Credential conversions –Certificates, AD/K5 –Protection of credentials Thin clients vs thick clients Passwords and –phrases validation –Single password to all resources

4 Jens G Jensen CCLRC e-Science What’s in SSO (authentication)? Portals MyProxy Account mgmt Java gsissh terminal SDSC SRB SRM Tapestore Active Directory Kerberos Challenge: get distinct components to talk together

5 Jens G Jensen CCLRC e-Science Authentication – web based If on-site, use federal id (Active Directory/Kerberos) If off-site, use certificate –if loaded into browser Otherwise username/password –Same as fed username/password –Not allowed to store password… System must know these are the same

6 Jens G Jensen CCLRC e-Science Java SSH Term Written in Java (no, really) –Standalone – untar and run –Applet xterm –Understands (most) ANSI control seqs

7 Jens G Jensen CCLRC e-Science Java SSH Term Took open source terminal (in sf.net) And GSISSH plugin contrib’d from Canada And developed: –Integration with myproxy –Various tweaks and fixes

8 Jens G Jensen CCLRC e-Science Java SSH Term > echo hello world hello world MyProxy User Interface ID databaseVOMS WN SRBSRM

9 Jens G Jensen CCLRC e-Science Java SSH Term Integrate with site Active Directory Works! But only with Java 1.6 –Available in beta

10 Jens G Jensen CCLRC e-Science Java SSH Term – User view Use “proper” Grid (X.509) cert –Upload a proxy to myproxy once a week –Terminal gets proxies where you need them Or use a proxy from the built-in CA No need for PKCS#12  PEM conv –Or even no need for understanding certs

11 Jens G Jensen CCLRC e-Science Java SSH Term – Admin view Can shut down vanilla ssh Key mgmt is Somebody Else’s Problem™ Decreased support load…(potentially) Must trust a MyProxy CA –UK: Tie into CA hierarchy

12 Jens G Jensen CCLRC e-Science Java SSH Term Try it! http://www.grid-support.ac.uk/

13 Jens G Jensen CCLRC e-Science User Management DLS and ISIS have 14-15000 users Already ~6-7000 unique users in DB –How to establish – and maintain – uniqueness? Users get accounts locally –Accounts set up by User Office –Give them Unix UID? RFIO and NFS use 16 bit UID… 

14 Jens G Jensen CCLRC e-Science Vintela Used by Diamond Light Source (synchroton) – not all of CCLRC/RAL Commercial Manage user accounts across Linux and Windows Uses RFC2307-with-extensions –“Make more scalable” Caching daemon makes system scalable

15 Jens G Jensen CCLRC e-Science Vintela “Active Roles” Users can unlock their own accounts –Questions Scriptable user creation NSS module for NIS PAM module calls out to Active Directory Suport for RH, SuSe, Solaris, HPUX, AIX

16 Jens G Jensen CCLRC e-Science Future work Better database integration (eduPerson++) Related Shib work with Oxford –Now funded, 2 p.yr. Authorisation –VOMS integration Ponder credential conversions/protection –Need extra info (staff, temp’ry, visitor) –Work on-going between CAs in IGTF

17 Jens G Jensen CCLRC e-Science Future work Integrate Grid services with UK-wide infrastructure (JISC) –Shibboleth for all higher and further ed –Lots of add’l middleware effort CCLRC involved in writing JISC 10 yr AAA roadmap

18 Jens G Jensen CCLRC e-Science Summary Terminal access to Grid –In production –Non-certificate access via myproxy To integrate with CA rollover –Handles all grid-proxy-init Much of account mgmt solved Integrating with future SSO efforts

Download ppt "Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Authentication and Integrated Identity Management HEPiX, CASPUR, Rome 3-7 April 2006."

Similar presentations

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.

Moonshot for Federated Identity Jens Jensen, STFC Daniel Kouřil, CESNET EGI CF, April 2013.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
ACET The ASPiS project UK e-Science AHM Oxford, 08 Dec 2009 Jens Jensen, STFC.

ACET The ASPiS project UK e-Science AHM Oxford, 08 Dec 2009 Jens Jensen, STFC.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
ARCHER’s Security Requirements within the AAF. 2 Research Repository Requirements (relevant to AAF) Identity Management provided by the Federation  Single-sign-on.

ARCHER’s Security Requirements within the AAF. 2 Research Repository Requirements (relevant to AAF) Identity Management provided by the Federation  Single-sign-on.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006.

A case for Shibboleth and grid security: are we paranoid about identity? UK e-Science All Hands Meeting, 2006 Mark Norman 19 Sept 2006.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Technology on the NGS Pete Oliver NGS Operations Manager.

Technology on the NGS Pete Oliver NGS Operations Manager.
Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.

Towards Cloud Federations: what we have; what we want OGF 31, Taipei Cloud security session Jens Jensen Science and Technology Facilities Council Rutherford.
TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.

TeraGrid ’06 National Center for Supercomputing Applications Managing Credentials on the TeraGrid with MyProxy Jim Basney.
Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management.

Similar presentations

Ads by Google