1. Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney, Terry Fleury, Von Welch TeraGrid Round Table Update May 21, 2009

2. Big Picture: CASC Report  Tactical Recommendation 2.3.1a: The global federated system for identity management, authentication, and authorization that is supported by the InCommon Federation should be adopted with an initial focus on major research universities and colleges. After an initial deployment in research- oriented functions involving research universities, such an identity management strategy for CI should be implemented generally within funding agencies and other educational institutions. May 21, 2009 http://www.casc.org/papers/CASC-CCI_Workshop_Report_and_Recommendations.pdf

3. More Pragmatically  Long Term:  Show how CI projects can get out of the process of credentialing users  Leverage existing processes at the user’s campus.  Short Term:  Allow TG users to also use their campus logins to access TG. Augment, not replace, current authentication process. May 21, 2009

4. TeraGrid Campus Integration  The TeraGrid project is working in many ways to better integrate with campuses to support research and education  TeraGrid Campus Champions http://www.teragrid.org/eot/campuschamps.html  TeraGrid Client Software http://teragridforum.org/mediawiki/index.php?title=TeraGrid_Client_Software  Authentication and Authorization is just one aspect of TeraGrid’s Campus Integration effort May 21, 2009

5. Brass Tacks: Three activities  Technical deployment of Shibboleth CA, integration in to TGUP  Establish InCommon membership and relationship with campuses  Accreditation of Shibboleth CA with TAGPMA May 21, 2009

6. Deployment of Shibboleth CA and Integration with TGUP  Shibboleth CA deployed  Integration with TGUP delayed due to LifeRay Transition  Will integrate after transition completed  In the interim:  https://go.teragrid.org https://go.teragrid.org May 21, 2009  Replicates functionality of TGUP  GSISSH, GridFTP  Allows us to build trust relationships

7. Approach  Link Shibboleth identity to TG User Identity  An existing user authenticates to the TGUP via Shibboleth  The TGUP prompts for the user’s TGUP username and password  Automatically obtain PKI credentials based on Shibboleth authentication to TGUP  Transparently use PKI credentials with TGUP SSH Terminal and File Manager May 21, 2009

8. Establishing Trust on Two Fronts May 21, 2009 Shibboleth-CA/ go.teragrid.org/ TGUP Universities RPs InCommonTAGPMA ShibbolethPKI / TG SSO

9. TeraGrid and InCommon: Status  TeraGrid joined InCommon in July 2008  TeraGrid still needs to establish relationships with each campus to provide us with user identifiers.  InCommon provides the foundation for this, but it still is not free.  We are in the process of contacting campuses with > 50 TG users  Have established relationship with 12 so far See dropdown list on https://go.teragrid.org  Another ~3 who we are talking with May 21, 2009

10. TAGPMA Status  Accreditation of new Shibboleth CA achieved as of May 13, 2009  New Shibboleth CA now in TG tarball  Rolling out to RPs:  http://www.teragridforum.org/mediawiki/index.php?titl e=Status_of_new_CA_installation_at_TG_RPs May 21, 2009

11. Next Steps  Continue to build relationships with Campuses  Find initial users to kick the tires on process  Monitor TGUP transition and be prepared to jump in. May 21, 2009