easing access to grids using identity federations
play

Easing access to Grids using identity federations Daniel Kouil T - PowerPoint PPT Presentation

Oct 31, 2023 •44 likes •154 views

Easing access to Grids using identity federations Daniel Kouil T erena NREN & Grid Workshop 2008, Dublin PKI & Grids what we learnt The Grid authentication mechanism A lot of achievements Promising principles ...

  1. Easing access to Grids using identity federations Daniel Kouřil T erena NREN & Grid Workshop 2008, Dublin

  2. PKI & Grids – what we learnt  The Grid authentication mechanism  A lot of achievements  Promising principles  ... but a lot of details to cope with  Revocation checks, private key management, ...  Security reduced in deployment  Easier way of certificate management?

  3. Shibboleth-based Federations  Linking services and user management systems  standardized protocols  home institution keeps the most current data  services trust clients‘ institutions  eduid.cz in Czech Republic  SAML assertions  Attributes for AuthZ  suitable for large infrastructures  Primarily for web-based applications

  4. Common Access Toolkit for Federations  Project supported by CESNET FD and Masaryk University  Support for federation concepts in non- web world  Collaborative environments  PKI and „federated“ certificates  transporting IdP‘s assertions  Framework & user tools  OS integration

  5. Transparent PKI at Masaryk University  University computer hall & faculty facilities  Automatical generation of certificates  Standard Windows authN  Kerberos  Translating mechanism from Kerberos to X.509  The same identity, only different format  Enlarging the SSO area  Accessing services without explicit authentication

  6. Credential Translation WIN AD MyProxy CA Windows PC KRB5 X.509

  7. Federated CA  on-line CA running as SP  federation-based identity vetting  GridShib CA, SWITCH SLCS CA  CESNET CA – multiple instances (one to be accredited by IGTF)  certificates contain users attributes  X.509 extension (value or reference)  key & certificate management done by browser

  8. Management of certificates using CAT  browser-based solution not ideal  No overview of certificates, etc.  GUI desired  Network Identity Manager (NIM)  Widely used by Krb5 community  extensible by plugins  Obtaining certificates  explicit logging into federation  transparently

  9. NIM Plugins  plugin to manage „federated“ certificates  embedded browser to obtain certificate  MS CertStore  Authentication explicit or transparent  Depending on particular CA policy  Plugin to manage proxy certificates also available  Can access CertStore or MyProxy repository

  10. NIM plugin

  11. Conclusion  Transparent PKI to improve/retain security  Focusing on non-web world  Tools to obtain and manage certificates  From both local and federated CAs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest / Hungary Agenda Education & Research Identity Federations SAML Terminology Overview of SAML auth call flow WebRTC Identity model

1.09k views • 52 slides
Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project & Project Development Officer, TERENA schofield@terena.org 15 October 2012 Building Federated Identity Policy, GN3 Symposium, Vienna, Austria Innovation

157 views • 12 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
Integrating non web-based services with identity federations Jens Khler, Michael Simon,

Integrating non web-based services with identity federations Jens Khler, Michael Simon,

bw IDM Integrating non web-based services with identity federations Jens Khler, Michael Simon, Sebastian Labitzke, Tobias Dussa, Martin Nubaumer bw IDM The bwIDM project Services of the state of Baden-Wrttemberg placed at

560 views • 11 slides
The Collaboration Game Niels van Dijk, Technical Product Manager SURFnet Topics - Identity

The Collaboration Game Niels van Dijk, Technical Product Manager SURFnet Topics - Identity

The Collaboration Game Niels van Dijk, Technical Product Manager SURFnet Topics - Identity federations 2010 - The Collaboration Game - A distributed landscape - Enter Domestication - The future of Domestication Identity federations 101

434 views • 39 slides
Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate

Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate Federations Connect. Communicate. Collaborate Same federating principles applied to federations themselves Own

510 views • 22 slides
Easing the Pain of Astronomical Database Access Disclaimer: I usually present this software to

Easing the Pain of Astronomical Database Access Disclaimer: I usually present this software to

Easing the Pain of Astronomical Database Access Disclaimer: I usually present this software to non VO-savvy people What is VODb? A desktop application that aims to simplify the process of querying astronomical databases A little history

414 views • 38 slides
PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007

PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007

Everything you never wanted to know about PKI in federations - approach to non-web services Milan Sova, CESNET EuroCAMP, Dubrovnik, 2007 SAMLized applications HTTPS web browser What about email access network access

141 views • 11 slides
Kantara F2F Berlin Closing Session Summary slides from: Business Cases for Trusted Federations

Kantara F2F Berlin Closing Session Summary slides from: Business Cases for Trusted Federations

Kantara F2F Berlin Closing Session Summary slides from: Business Cases for Trusted Federations Trust Framework Meta Model Telecommunications Identity Open Source Support Initiative Privacy Framework eGovernment Board of Trustees BCTF

322 views • 17 slides
Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti

Identity and Access Management with the INDIGO IAM service Andrea Ceccanti andrea.ceccanti@cnaf.infn.it EOSC-Hub AAI Tech Talk Europe, Earth, June 15th 2018 INDIGO Identity and Access Management service Flexible authentication support (SAML,

430 views • 24 slides
Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET

Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET

Conference 2018 Shift into the future with predictions for Identity & Access Management BCNET Identity & Access Management Community of Practice Panelists: Corey Scholefield Vera Merkusheva Isabel Wong Sabrina da Silva 2 Conference

622 views • 19 slides
Agenda Identity & Access management About company midPoint Clients &

Agenda Identity & Access management About company midPoint Clients &

Agenda Identity & Access management About company midPoint Clients & partners Conclusion Identity management System Requester Users admin Approver Application Application Provisioning system Identity A

826 views • 45 slides
Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email address Intro to Federated Identity Do you have an account from Protect Network or Twitter You can skip ahead! EuroCAMP Training for

104 views • 7 slides
Making energy access through mini-grids affordable: The role of governments and international

Making energy access through mini-grids affordable: The role of governments and international

Making energy access through mini-grids affordable: The role of governments and international climate finance African Mini-grids Community of Practice Meeting 7 16 April 2020 LEDS GP Finance Working Group The LEDS GP Finance Working Group

273 views • 13 slides
Marcin Lawenda Pozna Supercomputing and Networking Center 4th TERENA NRENs and Grids Workshop,

Marcin Lawenda Pozna Supercomputing and Networking Center 4th TERENA NRENs and Grids Workshop,

Marcin Lawenda Pozna Supercomputing and Networking Center 4th TERENA NRENs and Grids Workshop, Amsterdam, Dec. 6-7, 2006 Why Vlabs Why labs ? VERY VERY limited limited limited access access access VERY VERY limited access Main

345 views • 21 slides
A Method for Remote Initial Vetting of Identity with PKI

A Method for Remote Initial Vetting of Identity with PKI

A Method for Remote Initial Vetting of Identity with PKI Credential International Symposium on Grids & Clouds 2017 9 March 2017 Academia Sinica, Taipei, Taiwan

689 views • 17 slides
Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding Principles Use Unicode restricted as needed to provide interoperability and future extensibility A single set of string preparation rules for all

173 views • 14 slides
Lecture 9 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 9 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security

Lecture 9 - Authentication CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger

224 views • 20 slides
Latin square determinants and permanents Ken Johnson Penn State Abington College (Joint work

Latin square determinants and permanents Ken Johnson Penn State Abington College (Joint work

Latin square determinants and permanents Ken Johnson Penn State Abington College (Joint work with D. Donovan and I. Wanless) Outline 1)The basic idea 2) Motivation 3) Summary of the group case 4) Results on latin square

763 views • 15 slides
ADDITION AND COUNTING: THE ARITHMETIC OF PARTITIONS Scott Ahlgren and Ken Ono At first glance the

ADDITION AND COUNTING: THE ARITHMETIC OF PARTITIONS Scott Ahlgren and Ken Ono At first glance the

ADDITION AND COUNTING: THE ARITHMETIC OF PARTITIONS Scott Ahlgren and Ken Ono At first glance the stuff of partitions seems like childs play: 4 = 3 + 1 = 2 + 2 = 2 + 1 + 1 = 1 + 1 + 1 + 1 . Therefore, there are 5 partitions of the number 4.

172 views • 13 slides
A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained

A Talk about MS-SFU Kerberos Extensions: Protocol Transition (S4U2Self) & Constrained Delegation (S4U2Proxy). Isaac Boukris SambaXP 2019 Agenda Why S4U2Self is important for Samba. How does it work in local and cross realm.

84 views • 6 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication

Authentication Scenarios 2. Users share a password with a trusted authority (authentication servers) Kerberos Challenge-response Symm.Key What do we learn from previous attacks? Timestamps: are valid only in a small time window

334 views • 22 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides

More recommend