Data Services Integration Team WP1 Federated Identity
Paul Millar, Patrick Fuhrmann, Bernd Schuller, Arsen Hayrapetyan, Marcus Hardt, Shiraz Memon, Shahbaz Memon, Christian Bernardt, Tigran Mkrtchyan, Dennis Klein
2014-12-11 Paul Millar – DFN meeting, DESY
The grid X.509 (user) certificates
(Diagram labels: VOMS, The Grid, User Certificate, Proxy Certificate, Attribute certificate)
The problem: typical user reaction to X.509
Need a bridge between users and X.509
- The problem:
  - Infrastructure needs X.509 (isn't changing any time soon)
  - User experience is terrible (isn't changing any time soon)
- Assume that:
  - users work with a web-browser
  - users have a home institute that's part of DFN-AAI
- We want a web-portal to somehow get an X.509 credential for a user
  - The portal then interacts with resources on the user's behalf.
Use-case: Globus Transfer Service
(Diagram labels: User, Globus File Transfer Service, dCache, GlobusFTP, CTS, WAYF, IdP, X.509, Data)
Use-case: 'Science Gateway' portal
Provide a common place for interacting with “big” resources
(Diagram labels: Large-scale resources (needs X.509 authn), Science Gateway, CTS, Federation, X.509)
Use-case: life-cycle management
Types of solution: in-band vs out-of-band
(Diagram, in-band: IdP, CTS, Portal; steps 1 to 7; SAML, ID, X.509)
(Diagram, out-of-band: IdP, CTS, Portal; steps 1 to 5; SAML, SAML delegation, X.509)
This is not an original idea...
- USA InCommon: CI-Login [in-band]
- UK NGS: SHEBANGS [in-band], SARoNGS [in-band]
- Switzerland SWITCH: WS-Trust, GridCertLib [out-of-band]
- EGI: robot certificates [out-of-band]
- ShibGrid [in-band?]
- EMI: STS (software, WS-Trust) [out-of-band]
- ...
OAuth-based in-band
(Diagram labels: IdP, Portal, MyProxy-OAuth; steps 1 to 9; SAML WebSSO, CSR, Temp-ID, ID, X.509)
OAuth (MyProxy-OAuth, CI-Login-OAuth, ...)
(Diagram labels: SAML WebSSO, CTS, Portal, User's laptop)
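The OAuth-based in-band flow sketched in the slides ends with the credential translation service (CTS) turning a portal-generated CSR plus a federated identity into an X.509 credential. The Go program below is an added example, not code from this presentation or from MyProxy-OAuth, CI-Login or any other project named here. It models a minimal CTS with its own constructed CA that issues a short-lived client certificate for a CSR only after a proof-of-possession check and only when an identity was actually asserted, derives the subject DN from the IdP entityID and eduPersonPrincipalName (an assumed mapping), and shows the chain verification a resource would do. The `FederatedIdentity` shape, the 12-hour lifetime policy, the CA name and the example identity are all assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// FederatedIdentity is what a SAML WebSSO login yields (an assumed shape for this example).
type FederatedIdentity struct {
	IdPEntityID string // entityID of the user's home IdP
	EPPN        string // eduPersonPrincipalName asserted by that IdP
}

// CTS is a minimal credential translation service: a CA key and its certificate.
type CTS struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
}

// NewCTS creates a self-signed CA for the service (constructed for the example, not a real CA).
func NewCTS() (*CTS, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CTS CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &CTS{caKey: key, caCert: cert}, err
}

// Issue signs the portal's CSR for at most 12 hours (an assumed policy). The CSR's own
// subject is ignored: the DN comes from what the IdP asserted, not from the requester.
func (c *CTS) Issue(csrDER []byte, id FederatedIdentity, lifetime time.Duration) (*x509.Certificate, error) {
	if id.IdPEntityID == "" || id.EPPN == "" {
		return nil, errors.New("refusing to issue: no asserted identity")
	}
	if lifetime <= 0 || lifetime > 12*time.Hour {
		return nil, errors.New("refusing to issue: lifetime outside policy")
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the CSR's key
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // unique enough for the example
		// Assumed DN mapping keyed on (IdP, EPPN): the same EPPN string asserted by two
		// different IdPs yields two distinct subjects.
		Subject:     pkix.Name{Organization: []string{id.IdPEntityID}, CommonName: id.EPPN},
		NotBefore:   time.Now().Add(-time.Minute),
		NotAfter:    time.Now().Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, c.caCert, csr.PublicKey, c.caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Verify is the resource side (e.g. a GridFTP door): chain the certificate to the CTS CA.
func (c *CTS) Verify(cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.caCert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// PortalCSR is the portal side: a fresh key per user session and a CSR for it.
func PortalCSR() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: "ignored by CTS"}}
	der, err := x509.CreateCertificateRequest(rand.Reader, req, key)
	return key, der, err
}
```

The point to take from it is where trust enters: the private key never leaves the portal (only the CSR travels), the CTS trusts the IdP's assertion for the subject and nothing the requester wrote into the CSR, and the resource trusts only the CTS CA, so a lifetime cap at the CTS bounds what a leaked portal credential is worth.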
SHEBANGS (portal first) solution (detail)
Diagram stolen from http://pos.sissa.it/archive/conferences/162/150/EGICF12-EMITC2_150.pdf
SARoNGS solution (detail)
Diagram stolen from http://pos.sissa.it/archive/conferences/162/150/EGICF12-EMITC2_150.pdf
EGI Federated Cloud and Science Gateways
“The EGI Federated Cloud is a seamless grid of academic private clouds and virtualised resources, built around open standards and focusing on the requirements of the scientific community.”
→ i.e., lots of IaaS services.
The EGI Science gateways are “a popular and rapidly developing tool used by researchers to access the European Grid Infrastructure.”
→ i.e., lots of portals that want to use Federated Cloud resources.
- EGI needs to solve these problems too – potential for collaboration.
Thanks for watching. Questions?