c fermilab
play

=C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. - PowerPoint PPT Presentation

Jan 13, 2024 •349 likes •642 views

FERMILAB-SLIDES-18-102-CD =C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of Science Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 This

  1. FERMILAB-SLIDES-18-102-CD =C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of Science Federation At Fermilab Al Lilianstrom National Laboratories Information Technology Summit May 2015 This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

  2. About Fermilab • Since 1967, Fermilab has worked to answer fundamental questions and enhance our understanding of everything we see around us. As the United States' premier particle physics laboratory, we work on the world's most advanced particle accelerators and dig down to the smallest building blocks of matter. • Fermilab collaborates with more than 20 countries on physics experiments based in the United States and elsewhere. • Fermilab's 6,800-acre site is located in Batavia, Illinois, and is managed by the Fermi Research Alliance LLC for the U.S. Department of Energy Office of Science. FRA is a partnership of the University of Chicago and Universities Research Association Inc., a consortium of 86 research universities. 2 ------------------------0 Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  3. Bison 3 ------------------------0 Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  4. Terms • ADFS – Active Directory Federation Services – https://technet.microsoft.com/en-us/windowsserver/dd448613.aspx • COTS - Commercial Off The Shelf • IdP – Identity Provider • InCommon – https://www.incommon.org/ • LDAP – Lightweight Directory Access Protocol – http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol • SP – Service Provider • SAML – Security Assertion Markup Language – http://saml.xml.org/about-saml • Shibboleth – https://shibboleth.net/ • SSL – Security Sockets Layer – http://en.wikipedia.org/wiki/Transport_Layer_Security • SSO – Single Sign On 4 Al Lilianstrom | Federation At Fermilab 4/17/2015

  5. Abstract • Fermilab is working to provide a seamless web for science and business applications by using federated identities from internal identity providers such as Active Directory Federation Services and Shibboleth and external identity providers such as InCommon Federation members and social identities such as Google. • This talk will focus on the complexities of internal and external identities, open source and COTS identity providers, and open source and COTS applications and how we are working to make the user experience for authentication as simple and secure as possible. 5 ------------------------0 Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  6. History • 2008 – Centrally managed LDAP service for web application authentication was brought online – Computer Security initiated push for web application owners to move from .htaccess files to LDAP over SSL – Not federation – just a single password • A big step in the right direction • 2010 – Fermilab hosted Shibboleth Installfest – 20+ attendees from Fermilab and several other institutions – Significant interest from all attendees *Shibboleth 1.0 - 2003 6 ------------------------0 Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  7. Crickets 7 ------------------------0 Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  8. History • 2013 – ADFS IdP in Production • 2014 – ADFS SP • SharePoint 2013 • Office 365 – Shibboleth IdP in Production • On premise • Managed Service – Joined InCommon Federation • 2015 – CiLogon SP 8 ------------------------0 • Shibboleth Service Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  9. Why Federate? • Passwords – Same password as LDAP Service • Single Logon • External identities – Social Media • Identity Proofing – Authoritative source • Control of Information • Platform Independent – OS/Application/etc • Security Boundaries 9 ------------------------0 Fermilab Al Lilianstrom | Federation At Fermilab 4/17/2015

  10. Why Federate? • Identities – External identities • Business Partners • Social Media – Identity Proofing • How do you know who RadGenius@gmail.com really is? • Federation Members • Authoritative source – Termination – Authorization • Application Compatibility – Username – Email Address 10 Al Lilianstrom | Federation At Fermilab 4/17/2015

  11. Why Federate? • Control of Information – Links not E-Mail – Authentication Source • Platform Independent – Operating System – Application • SAML Support – SP – IdP – Client • Web Browser ------------------------0 Fermilab 11 Al Lilianstrom | Federation At Fermilab 4/17/2015

  12. Security Boundaries • Two types of logons at Fermilab – Interactive and Web – Password strength requirements are the same • Interactive – Logon to Linux or Windows – Remote Desktop – SSH • Web – SharePoint – Email • Interactive logons are not used to access web services • Web logons are not used for interactive access to computers – There is no direct connection between the services in the ------------------------0 Interactive and Web environments Fermilab 12 Al Lilianstrom | Federation At Fermilab 4/17/2015

  13. Security Boundaries 1/ • 7 - RSA ~cur lD Ql C Windows 1 CMS () () Radi us ~h i bbolet/ ~ o \~ c£ .. 1 VPN SharePoint CAF Web ~rviceNow 2013 13 Al Lilianstrom | Federation At Fermilab 4/17/2015

  14. Security Boundaries • Why? – Goal was to prevent compromised web credentials from gaining access to interactive systems • As more services move to the web is this a valid concern? • Some applications are designed around logon accounts being used to gain access to web services – Exchange – SharePoint • Can Federation provide a true SSO environment? ------------------------0 Fermilab 14 Al Lilianstrom | Federation At Fermilab 4/17/2015

  15. Security Boundaries • ADFS – Windows Integrated Authentication – ADFS in Windows Logon Domain • IdP as a RP to primary ADFS IdP – Logon credentials used to access web applications • Logon credentials are never presented to the web application • No passwords on the wire – Ever – Non-Windows clients can kinit against the Windows Domain and use the applications in the same manner* ------------------------0 Fermilab 15 Al Lilianstrom | Federation At Fermilab 4/17/2015

  16. Security Boundary • ADFS to ADFS (Active Directory) ' . ' . • ADFS Server in our primary Windows ADFS ADFS domain. SSO. FNAL.GOV FADFS. FN AL.GOV Windows Integrated Authentication is used t On Premise get ADFS token in Share Poi nt browser to access web SP apps without password No trust exists between FERMI and SERVICES Active Dir ectory Domains ADFS in SER V ICES accepts ADFS On Premise Exchan2e to kens from FERMI and issues claims SP based on contents C=Fermilab 16 Al Lilianstrom | Federation At Fermilab 4/17/2015

  17. Federation Service Today ADFS to Shibbol eth trust in Test On Premise Share Po i nt • SP Sh ibboleth ADFS IDP. FNALGOV SSO.FNAL. GOV Testing ADFS ADFS w'I be used Sh bboleth to ADFS for the Microsoft man ed service On Prem~ product line Apache Web Server,; SP ADFS Server in our Both Shibboleth and Windows domain. ADFS use the same AD Use WIA to get domain for ADFS token to 7 . authentication and access web apps 7 . attribute source thout password SERVICES ADFS (Active Directory) Windows Domain C=Fermilab 17 Al Lilianstrom | Federation At Fermilab 4/17/2015

  18. Federation Service Today • Hybrid Solution – ADFS • Microsoft stack – SharePoint – Office 365 – Shibboleth • Everything else  – InCommon – CiLogon – Central Web Services – Service Now – Apache Based Applications – Social Connections ------------------------0 Fermilab 18 Al Lilianstrom | Federation At Fermilab 4/17/2015

  19. Hybrid Solution • Issues – Usability • Two IdPs – IdP to IdP Trust – Support • Managed Service Issues – Compatibility • Claims – Formats ------------------------0 Fermilab 19 Al Lilianstrom | Federation At Fermilab 4/17/2015

  20. Hybrid Solution • Why not just use one? • ADFS – Microsoft Documentation – Microsoft Applications – Open Source Applications • Evil Empire  – PowerShell – Internal Support • System Configuration – Hardware – Software – Quirks – ADFS is an excellent choice for a Windows shop ------------------------0 Fermilab 20 Al Lilianstrom | Federation At Fermilab 4/17/2015

  21. Hybrid Solution • Shibboleth – Microsoft Applications • Supported but … – Open Source Applications – Documentation – Product Support • Paid – https://shibboleth.net/community/consultants.html • Free – Not always friendly – Internal Support • System Configuration – Hardware – Software 21 Al Lilianstrom | Federation At Fermilab 4/17/2015

  22. Changing the Solution • Federation is starting to gain acceptance at Fermilab – Multiple SPs testing • Central web services • Content Management • Cloud SaaS • Issues with current solution – Support – Reliability • Need a robust supported solution – Internal Support – Vendor – Third-party ------------------------0 Fermilab 22 Al Lilianstrom | Federation At Fermilab 4/17/2015

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th

The High Intensity Horizon at Fermilab R. Tschirhart Fermilab Fermilab Users Meeting June 13 th , 2012 Project-X: Evolution of the existing Fermilab accelerator complex with the revolution in Super-Conducting RF Technology. any

587 views • 32 slides
Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting Fermilab Users

Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting Fermilab Users

Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting Fermilab Users Meeting CMS Physics from Early LHC Running Dan Green Fermilab For the CMS Collaboration FNAL Users Meeting June 2010 1 Outline Outline

617 views • 25 slides
Searching for Muon to electron conversion: The Mu2e experiment at Fermilab Richie Bonventre

Searching for Muon to electron conversion: The Mu2e experiment at Fermilab Richie Bonventre

This document was prepared by Mu2e collaboration using the resources of the Fermi National FERMILAB-SLIDES-19-078-ND Accelerator Laboratory (Fermilab), a U.S. Department of Energy, Office of Science, HEP User Facility. Fermilab is managed by

878 views • 66 slides
A Beam-Based Production Target Monitor for the Mu2e Experiment at Fermilab APS DPF 2019

A Beam-Based Production Target Monitor for the Mu2e Experiment at Fermilab APS DPF 2019

This document was prepared by Mu2e collaboration using the resources of the Fermi National Accelerator Laboratory (Fermilab), a U.S. FERMILAB-SLIDES-19-084-CCD-OCIO Department of Energy, Office of Science, HEP User Facility. Fermilab is managed by

536 views • 29 slides
Welcome to Fermilab and the 13th annual Fermilab-CERN HCPSS! 13 th annual Fermilab-CERN Hadron

Welcome to Fermilab and the 13th annual Fermilab-CERN HCPSS! 13 th annual Fermilab-CERN Hadron

Welcome to Fermilab and the 13th annual Fermilab-CERN HCPSS! 13 th annual Fermilab-CERN Hadron Collider Physics Summer School August 20-31, 2018 Fermilab hcpss.fnal.gov/hcpss18 Jim Hirschauer and Estia Eichten 20 Aug 2018 Introductions

158 views • 13 slides
Fermilab Quantum Computing Testbed Approaches James Amundson, Fermilab with contributions from

Fermilab Quantum Computing Testbed Approaches James Amundson, Fermilab with contributions from

Fermilab Quantum Computing Testbed Approaches James Amundson, Fermilab with contributions from James Kowalkowski, Adam Lyon, Alexandru Macridin, Gabriel Perdue and Panagiotis Spentzouris December 6, 2017 Background Fermilab and Fermilab

676 views • 38 slides
Experience with Crystals at Fermilab Vladimir SHILTSEV (Fermilab) Workshop on Acceleration In

Experience with Crystals at Fermilab Vladimir SHILTSEV (Fermilab) Workshop on Acceleration In

Experience with Crystals at Fermilab Vladimir SHILTSEV (Fermilab) Workshop on Acceleration In Crystals and Nanostructures June 24-25, 2019 - Fermilab Past Experience at Fermilab Slow extraction (Tevatron Run I): 1990s R.Carrigan, et

429 views • 40 slides
Re Report on Fermilab and Community y Strategies Interface of Fermilab with Snowmass SNOWMASS

Re Report on Fermilab and Community y Strategies Interface of Fermilab with Snowmass SNOWMASS

Re Report on Fermilab and Community y Strategies Interface of Fermilab with Snowmass SNOWMASS 2021 Fermilab PAC, July 20, 2019 Marcela Carena Fermilab Marcela Carena | Fermilab PAC 20.07.2019 European Particle Physics Strategy Update

216 views • 18 slides
Fermilab Theory Status and Plans Marcela Carena Fermilab PAC Meeting July 17, 2018 Role of

Fermilab Theory Status and Plans Marcela Carena Fermilab PAC Meeting July 17, 2018 Role of

Fermilab Theory Status and Plans Marcela Carena Fermilab PAC Meeting July 17, 2018 Role of Fermilab theorists Focus core strengths in key research areas directly related to the Fermilab experimental program Conduct world-leading theoretical

961 views • 54 slides
T evatron Highlights FERMILAB-SLIDES-18-094-E D CDF Fermilab Users Meeting This document

T evatron Highlights FERMILAB-SLIDES-18-094-E D CDF Fermilab Users Meeting This document

T evatron Highlights FERMILAB-SLIDES-18-094-E D CDF Fermilab Users Meeting This document was prepared by [CDF and D0 Collaborations] using the resources of the Fermi National Accelerator Laboratory (Fermilab), a U.S. Department of Energy,

207 views • 19 slides
The Science & Computing @Fermilab Sharan Kalwani w/numerous contributions from everyone @

The Science & Computing @Fermilab Sharan Kalwani w/numerous contributions from everyone @

The Science & Computing @Fermilab Sharan Kalwani w/numerous contributions from everyone @ Fermilab Chicago UniForum meetup.com Tuesday, October 28, 2014 What is Fermilab? What do we do here? Fermilab is America's particle physics and

716 views • 57 slides
New Ini(a(ves in Fermilab Par(cle Astrophysics (a.k.a.

New Ini(a(ves in Fermilab Par(cle Astrophysics (a.k.a.

New Ini(a(ves in Fermilab Par(cle Astrophysics (a.k.a. non-accelerator physics) Aaron S. Chou Wilson Fellow, FNAL 2010 Fermilab Users Mee(ng Energy

467 views • 27 slides
Beams Stability at Fermilab Complex Alexey Burov Fermilab Many thanks to R. Ainsworth, Y.

Beams Stability at Fermilab Complex Alexey Burov Fermilab Many thanks to R. Ainsworth, Y.

Beams Stability at Fermilab Complex Alexey Burov Fermilab Many thanks to R. Ainsworth, Y. Alexahin, C. Bhat, V. Lebedev, A. Macridin, E. Metral, K. Seiya, C.Y. Tan, T. Zolkin MW Rings, Fermilab, May 2018 1 AB Accelerator complex H -

562 views • 19 slides
Fermilab Storage Strategy Bo Jayatilaka (Fermilab SCD) 2nd International Computing Advisory

Fermilab Storage Strategy Bo Jayatilaka (Fermilab SCD) 2nd International Computing Advisory

Fermilab Storage Strategy Bo Jayatilaka (Fermilab SCD) 2nd International Computing Advisory Committee Meeting 15 October 2019 Current storage landscape Custodial and active storage for all Fermilab experiments scientific data - This

200 views • 18 slides
RCS for Multi-MW Facility at Fermilab Jeffrey Eldred MW Rings Workshop at Fermilab May 2018

RCS for Multi-MW Facility at Fermilab Jeffrey Eldred MW Rings Workshop at Fermilab May 2018

FERMILAB-SLIDES-18-132-AD-APC RCS for Multi-MW Facility at Fermilab Jeffrey Eldred MW Rings Workshop at Fermilab May 2018 This document was prepared by [DUNE Collaboration] using the resources of the Fermi National Accelerator Laboratory

776 views • 40 slides
Fermilab Test Beam Facility Fermilab Test Beam Facility and and LArIAT Experiment LArIAT

Fermilab Test Beam Facility Fermilab Test Beam Facility and and LArIAT Experiment LArIAT

AC02-07CH11359. Alliance, LLC (FRA), acting under Contract No. DE- Facility. Fermilab is managed by Fermi Research Department of Energy, Office of Science, HEP User National Accelerator Laboratory (Fermilab), a U.S. Collaboration] using the

734 views • 44 slides
Privacy matters in directories Jose A. Accino 1 Victoriano Giralt 1 Javier Masa 2 1 Central

Privacy matters in directories Jose A. Accino 1 Victoriano Giralt 1 Javier Masa 2 1 Central

The problem The solution The implementation Summary Privacy matters in directories Jose A. Accino 1 Victoriano Giralt 1 Javier Masa 2 1 Central Computing Facility University of Malaga 2 RedIRIS Seville, June 21 th 2007 Jose A. Accino,

1.14k views • 87 slides
Distributed File Systems Early networking and files Had FTP to transfer files Telnet to

Distributed File Systems Early networking and files Had FTP to transfer files Telnet to

4/4/2014 Distributed File Systems Early networking and files Had FTP to transfer files Telnet to remote login to other systems with files Distributed Computing Systems But want more transparency! local computing with remote

532 views • 16 slides
D ISTRIBUTED S YSTEMS [COMP9243] Lecture 8a: Naming Basic Concepts Naming Services

D ISTRIBUTED S YSTEMS [COMP9243] Lecture 8a: Naming Basic Concepts Naming Services

D ISTRIBUTED S YSTEMS [COMP9243] Lecture 8a: Naming Basic Concepts Naming Services Attribute-based Naming (aka Directory Services) Distributed hash tables D ISTRIBUTED S YSTEMS [COMP9243] 1 W HAT IS N AMING ? Systems manage a wide

591 views • 40 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org +

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org +

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR Enterprise level user account costs Administration Setup Retire Support Password resets

669 views • 24 slides
MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd

MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd

MC714 - Sistemas Distribuidos slides by Maarten van Steen (adapted from Distributed System - 3rd Edition) Chapter 05: Naming Version: April 2, 2019 Naming: Names, identifiers, and addresses Naming Essence Names are used to denote entities in

1.25k views • 46 slides
The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system

The Sun Network File System (NFS) An implementation and a specification of a software system for accessing remote files across LANs . NFS The implementation is part of the Solaris and SunOS operating systems running on Sun workstations

327 views • 3 slides
IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu What is

IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu What is

IMAP Installation, Configuration & Security HARICHARAN PADMANABAN hari20@siu.edu What is IMAP? IMAP Internet Message Access Protocol or Internet Mail Access Protocol Allows user to perform certain operations on the messages remotely

592 views • 15 slides

More recommend