Presentation is loading. Please wait.

Presentation is loading. Please wait.

EMI is partially funded by the European Commission under Grant Agreement RI-261611 Security Token Service (STS) Transforming the Existing User Credentials.

Published byAmber Dixon Modified over 9 years ago

Similar presentations

Presentation on theme: "EMI is partially funded by the European Commission under Grant Agreement RI-261611 Security Token Service (STS) Transforming the Existing User Credentials."— Presentation transcript:

1 EMI is partially funded by the European Commission under Grant Agreement RI-261611 Security Token Service (STS) Transforming the Existing User Credentials For the Grid Henri Mikkonen, Helsinki Institute of Physics EGI Technical Forum 2012 (AAI Workshop) 19.9.2012, Prague, Czech Republic

2 EMI INFSO-RI-261611 Security Token? – WS-Security: A collection of statements (claims) about a user or resource Any digital identity that can be attached into a SOAP message: X.509, SAML assertion, Kerberos ticket, … Security Token Service? – WS-Trust: A Web service used to issue, renew, validate and cancel security tokens Establishes a trust relationship between different application / security domains Terminology 19/09/2012Henri Mikkonen @ EGI Technical Forum 20122

3 EMI INFSO-RI-261611 SAML token -> X.509 token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20123 STS CA SAML assertion -token Requests a certificate Issues a certificate STS Client Tool Username, Password, Home Institute Home Institute Username, Password SAML assertion X.509 & Private key to the filesystem X.509 certificate -token (public key + proof)

4 EMI INFSO-RI-261611 SAML token -> X.509 token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20124 STS SAML assertion -token X.509 certificate -token Requests a certificate Issues a certificate STS Client Tool Username, Password, Home Institute Home Institute SAML Trust Domain Username, Password SAML assertion X.509 & Private key to the filesystem X.509 Trust Domain CA (public key + proof)

5 EMI INFSO-RI-261611 SAML token -> X.509 token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20125

6 EMI INFSO-RI-261611 SAML token into a VOMS token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20126 STS SAML assertion -token X.509 proxy certificate -token Requests a certificate Issues a certificate STS Client Tool Username, Password, Home Institute Home Institute SAML Trust Domain Username, Password SAML assertion X.509 proxy certificate chain & private key to the filesystem VOMS Requests attributes Issues an attribute certificate X.509 Trust Domain CA (public key + proof + VO-info)

7 EMI INFSO-RI-261611 SAML token into a VOMS token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20127

8 EMI INFSO-RI-261611 SAML token into a VOMS token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20128 SAML assertion -token Grid Portal Home Institute SAML Trust Domain Username, Password SAML assertion Access Grid Services using the user’s proxy Web browser access X.509 proxy certificate -token STS VOMS CA Requests a certificate Issues a certificate Requests attributes Issues an attribute certificate X.509 Trust Domain (public key + proof + VO-info)

9 EMI INFSO-RI-261611 SAML token into a VOMS token 19/09/2012Henri Mikkonen @ EGI Technical Forum 20129

10 EMI INFSO-RI-261611 Thursday 20.9.2012, 14:00 – 15:30, EMI Security for Grids and Clouds – Henri Mikkonen: “STS Status Update” – Carolina Lindqvist: “Exploring the SAML 2.0 ECP Profile” More details tomorrow 19/09/2012Henri Mikkonen @ EGI Technical Forum 201210

11 EMI is partially funded by the European Commission under Grant Agreement RI-261611 Thank you! Questions? Henri Mikkonen

Download ppt "EMI is partially funded by the European Commission under Grant Agreement RI-261611 Security Token Service (STS) Transforming the Existing User Credentials."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.

Cloud PIV Authentication and Authorization Demo PIV Card User Workstation Central Security Server In order to use Cloud Authentication and Authorization.
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop 7.7.2011 London, UK.

EMI Development Plans for Identity Management Henri Mikkonen / HIP Moonshot, Grid and HPC Workshop London, UK.
 Rich Randall Development Lead Microsoft Corporation BB44.

 Rich Randall Development Lead Microsoft Corporation BB44.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI - Identity Management Steven Newhouse Director, EGI.eu Federated Identity.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Core Web Service Security Patterns

Core Web Service Security Patterns
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,

Every effort has been made to make this seminar as complete and as accurate as possible but no warranty or fitness is implied. The presenter, authors,
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.

Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.

Similar presentations

Ads by Google