egi inspire
play

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 - PowerPoint PPT Presentation

Mar 01, 2023 •119 likes •383 views

EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti <sergio.maffioletti@gc3.uzh.ch> Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/ GridCertLib EGI

  1. EGI-InSPIRE GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies Sergio Maffioletti <sergio.maffioletti@gc3.uzh.ch> Grid Computing Competence Centre, University of Zurich http://www.gc3.uzh.ch/ GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  2. The Problem with Portals How to get a Grid proxy into the portal host? GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  3. What is GridCertLib? Java library to create an X.509 certificate and a VOMS proxy upon successful login to the portal. For Users: No interaction with Grid middleware required at all. For programmers: assures that, once a user has logged in, valid certificate and proxy are available. Key ingredients: • Shibboleth federated authentication • SLCS online CA GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  4. Shibboleth • HTTP-based operation • User credentials are authenticated by the home organization Identity Provider (IdP) server only • IdP controls what information about the authenticated user is sent to the Service Provider (SP) • Passwords and other sensitive data are never disclosed to Service Providers • Service Providers only need to trust the limited number of IdPs for authentication purposes. Shibboleth login workflow GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  5. The SWITCH AAI Infrastructure Switzerland-wide federated authentication infrastructure. • Based on Shibboleth 2.x • “Identity Providers” already operational at every University and several other research centres. • One login/password to access a variety of services (e.g., e-mail, ... and SLCS!) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  6. Short-Lived Credential Service Web service to create an X.509 user certificate, valid for 11 days. • A new certificate at each successful invocation • Same subject DN every time • Command-line client (Java-based) available in gLite 3.x Uses AAI/Shibboleth authentication. SWITCH SLCS CA is already in the IGTF bundle • SLCS certificates can be used for normal Grid operations Already in use in SMSCG, the Swiss national Grid infrastructure. More on SLCS GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  7. Architecture GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  8. GridCertLib operation (1) 1 2 mod_shib mod_shib 3 Shibboleth/ Shibboleth/ SLCS SLCS AAI Idp AAI Idp ID-WSF ECP library 5 4 GridCertLib VOMS VOMS 6 Certificate storage Certificate storage Users log in to the web portal using Shibboleth single sign-on. GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  9. GridCertLib operation (2) 1 2 mod_shib mod_shib 3 Shibboleth/ Shibboleth/ SLCS SLCS AAI Idp AAI Idp ID-WSF ECP library 5 4 GridCertLib VOMS VOMS 6 Certificate storage Certificate storage Users are authenticated by their home organization “Identity Provider” (IdP). (This is all transparently handled by the Shibboleth software.) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  10. GridCertLib operation (3) 1 2 mod_shib mod_shib 3 Shibboleth/ Shibboleth/ SLCS SLCS AAI Idp AAI Idp The portal calls GridCertLib . ID-WSF ECP library 5 4 GridCertLib retrieves the GridCertLib SAML2 assertion (Shibboleth VOMS VOMS 6 login data) from Apache’s mod shib . Certificate storage Certificate storage GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  11. GridCertLib operation (4) 1 2 The portal application code mod_shib mod_shib calls GridCertLib to obtain a 3 Shibboleth/ Shibboleth/ SLCS SLCS AAI Idp AAI Idp X.509 certificate. This step ID-WSF ECP requires delegation of the library 5 4 Shibboleth credentials (SAML2 GridCertLib assertion) VOMS VOMS to the SLCS login service. 6 done through Identity Domain Certificate storage Certificate storage - Web Service Framework (ID-WSF) ECP Web Service Client GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  12. GridCertLib operation (5) 1 2 mod_shib mod_shib 3 Shibboleth/ Shibboleth/ SLCS SLCS AAI Idp AAI Idp ID-WSF ECP library 5 4 GridCertLib generates an X.509 certificate, signs it using GridCertLib SLCS, and then generates a VOMS VOMS 6 VOMS proxy. Certificate storage Certificate storage GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  13. SLCS: Technical issues Obtaining a user certificate requires delegation of the Shibboleth credentials to the SLCS login service. • SLCS web service requires Shibboleth authentication... • ...but AuthN data is only valid towards SP! Delegation issue • Shibboleth 2.1.x supports delegation of credentials • but deployed IdP’s not (yet) up to that version Solution • use pre-production Shibboleth 2.2 IdP with delegation extension (at SWITCH) • register/manage portal user accounts there • will merge with the production infrastructure eventually GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  14. GridCertLib operations (5) Generate X.509 certificate: 1. Login to SLCS endpoint 1 2. SLCS server verifies AuthN data 2 mod_shib mod_shib with IdP 3 Shibboleth/ Shibboleth/ SLCS SLCS AAI Idp AAI Idp 3. SLCS replies with a “session” ID-WSF ECP library 5 token and information to 4 GridCertLib generate a CSR VOMS VOMS 6 4. Generate a private key and a CSR Certificate storage Certificate storage 5. Submit CSR to SLCS endpoint 6. Get back signed certificate in response Then, generate proxy and contact VOMS server. GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  15. GridCertLib operations (6) Store certificate and proxy on the disk, ready for use. (Encrypted with a random password, which is returned by the GridCertLib API.) Users only interact via WWW, and passwords are sent to the IdP only (and only once per login!) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  16. P-GRADE integration Two main action items: • Enable Shibboleth login at the GridSphere level • Initially done by the Australian MAMS project • Requires some lengthy procedure to make login data compatible with the DB storage • Insert calls to GridCertLib into the login code • Java code calling Java code, no big issue • Disable P-GRADE’s native certificate handling • Certificate management is now handled by GridCertLib More on P-GRADE integration GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  17. Django integration Issue: How to bridge Python with Java? • Run GridCertLib servlets in parallel with Django. • Use HTTP redirects to pass information back and forth. Use Python decorators to mark view functions that require a certificate and/or Grid proxy. @proxy_required def submit_job(req): # do Grid work return HttpResponse(...) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  18. Summary Java library to create an X.509 certificate and a VOMS proxy upon successful login to the portal. • No user interaction with Grid middleware required at all. • Once a user has logged in, valid certificate and proxy are available. Already integrated with P-GRADE and Django • Example servlets with commented code provided for integration in other portals. Key ingredients: • Shibboleth federated authentication • SLCS online CA GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  19. Any questions? website: http://gridcertlib.googlecode.com/ e-mail: info@lists.gc3.uzh.ch Credits Peter Kunszt (SystemsX.ch), Riccardo Murri (GC3/UZH), Valery Tschopp (SWITCH) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  20. Additional material GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  21. Shibboleth login workflow / 1 (Images cour 1 User first connects to portal web server (SP) and is redirected to the “Where Are You From?” page (WAYF) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  22. Shibboleth login workflow / 2 (Images cour 2 User chooses Home Organisation and is redirected to the IdP AuthN page GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  23. Shibboleth login workflow / 3 (Images cour 3 User posts username/password to IdP and is redirected to original page on SP • Detailed workflow much more convoluted; see extra slides GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu at end.

  24. SLCS operations workflow 1. Login to SLCS endpoint • HTTP request, using SAML assertion as AuthN data 2. SLCS server verifies AuthN data with IdP • Need delegation functionality (Shibboleth 2.1) 3. SLCS replies with a “session” token and information to generate a CSR 4. Generate a private key and a CSR • Private key protected by random password known only to the portal 5. Submit CSR to SLCS endpoint • Use “session” token from step ?? 6. Get back signed certificate in response Back to SLCS Intro GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

  25. More technical issues Shibboleth authentication data has a limited time validity • By the time GridCertLib is called, it might have expired. Solution • Use a “RenewAssertion” servlet http://example.com/RenewAssertion?url=... • Forces Shibboleth logout • Redirects to whatever URL was specified in the initial request • If the URL is Shibboleth-protected, new login data will be generated. • No user interaction required until IdP session expires (default 8 hours) GridCertLib EGI TF 2012 EGI-InSPIRE RI-261323 / www.egi.eu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

In Indiana, the Times, They Are a-Changin' INSPIRE Is Changing INSPIRE Is Changing INSPIRE Is

In Indiana, the Times, They Are a-Changin' INSPIRE Is Changing INSPIRE Is Changing INSPIRE Is

In Indiana, the Times, They Are a-Changin' INSPIRE Is Changing INSPIRE Is Changing INSPIRE Is Changing 377 Academic, Public, School &amp; Institutional Libraries 847 Deliveries per Week 139 1-Day per week 126 2-Day per week 49

589 views • 25 slides
EGI-InSPIRE Status Update on Operations Portal www.egi.eu www.egi.eu EGI-InSPIRE

EGI-InSPIRE Status Update on Operations Portal www.egi.eu www.egi.eu EGI-InSPIRE

EGI-InSPIRE Status Update on Operations Portal www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 Last release A) Monitoring of unsupported middleware version Information collected about old middleware version is

164 views • 4 slides
Grid Oversight, Status and Issues Ron Trompert COD 1 www.egi.eu www.egi.eu EGI-InSPIRE

Grid Oversight, Status and Issues Ron Trompert COD 1 www.egi.eu www.egi.eu EGI-InSPIRE

9/19/12 EGI-InSPIRE Grid Oversight, Status and Issues Ron Trompert COD 1 www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 AP www.egi.eu EGI-InSPIRE RI-261323 History Transition from 10 ROCs to now 37 NGIs

621 views • 23 slides
Monthly Webinar April 24, 2019 inspire THE SANFORD INSPIRE MOVEMENT PREPARES AND

Monthly Webinar April 24, 2019 inspire THE SANFORD INSPIRE MOVEMENT PREPARES AND

Monthly Webinar April 24, 2019 inspire THE SANFORD INSPIRE MOVEMENT PREPARES AND SUPPORTS INSPIRATIONAL TEACHERS. Thought leaders in You can education will receive sharing OUR a recorded Co-hosted topics to version by

573 views • 33 slides
USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING USING EVERYDAY LIFE TO INSPIRE

USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING USING EVERYDAY LIFE TO INSPIRE

USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING USING EVERYDAY LIFE TO INSPIRE EXTRAORDINARY LEARNING Museum Renovation Overview Forces at Play Background Development and design Workshop Q&amp;A/Open discussion

390 views • 37 slides
Inspire Micro-piano Task By 2017 Inspire Students 1. What year was it first heard or recorded?

Inspire Micro-piano Task By 2017 Inspire Students 1. What year was it first heard or recorded?

Inspire Micro-piano Task By 2017 Inspire Students 1. What year was it first heard or recorded? It was Written by a group of people who saw the london bridge in 1636. Hoping to make suggestions that the government of to which it would adhere. 2.

332 views • 9 slides
Dynamic analysis, reporting and visualization of data catalogs Use cases INSPIRE Dashboard for

Dynamic analysis, reporting and visualization of data catalogs Use cases INSPIRE Dashboard for

Dynamic analysis, reporting and visualization of data catalogs Use cases INSPIRE Dashboard for all Member States and EEA MedSea project at Ifremer INSPIRE Directive in Europe INSPIRE is based on the infrastructures for spatial information

679 views • 42 slides
Archives Inspire Changes to the first floor 2016-17 Lee Oliver 22 November 2016 Archives

Archives Inspire Changes to the first floor 2016-17 Lee Oliver 22 November 2016 Archives

Archives Inspire Changes to the first floor 2016-17 Lee Oliver 22 November 2016 Archives Inspire We will inspire the public with new ways of using and experiencing our collection Re-imagine our Kew site as a vibrant, welcoming,

214 views • 9 slides
Operations Portal Cyril LOrphelin CCIN2P3/CNRS 1 www.egi.eu www.egi.eu EGI-InSPIRE

Operations Portal Cyril LOrphelin CCIN2P3/CNRS 1 www.egi.eu www.egi.eu EGI-InSPIRE

EGI-InSPIRE Operations Portal Cyril LOrphelin CCIN2P3/CNRS 1 www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 Tool Overview - Features Application Hosted By CCIN2P3 Team : Cyril L'Orphelin , Olivier Lequeux , Pierre

309 views • 9 slides
EGI-InSPIRE Cheminformatics platform for drug discovery application Hsi-Kai, Wang Academic

EGI-InSPIRE Cheminformatics platform for drug discovery application Hsi-Kai, Wang Academic

EGI-InSPIRE Cheminformatics platform for drug discovery application Hsi-Kai, Wang Academic Sinica Grid Computing EGI User Forum, 13, April, 2011 1 www.egi.eu www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE RI-261323 Introduction to drug

661 views • 37 slides
CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your

CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your

CANON INTRODUCTION Radu Dinu Partner Manager Resellers CANON Romania Inspire Canon: your guide Inspire Weve been inspiring customers to explore the power of imaging for over 80 years. Inspire And today were still working together 5

558 views • 37 slides
Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower 2011-12 Budget Hearing Budget Hearing Agenda School Finance / Budgeting Overview Impact of the States 2011-13 Biennial Budget Overview of

651 views • 40 slides
Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower

Welcome Challenge Inspire Support Inspire Challenge Empower 2010-11 Budget Hearing Budget Hearing Agenda School Finance / Budgeting Overview Overview of 2010-11 Preliminary Budget What will this mean

676 views • 51 slides
PROJECT AIM PROJECT AIM ACHIEVE- -INSPIRE INSPIRE- -MOTIVATE MOTIVATE ACHIEVE Philosophy

PROJECT AIM PROJECT AIM ACHIEVE- -INSPIRE INSPIRE- -MOTIVATE MOTIVATE ACHIEVE Philosophy

PROJECT AIM PROJECT AIM ACHIEVE- -INSPIRE INSPIRE- -MOTIVATE MOTIVATE ACHIEVE Philosophy Philosophy The choices we make dictate the life we lead. Based on empowerment, personal accountability and respect for Based on empowerment,

586 views • 35 slides
Introduction to the Inspire Movement Rev Dr Brian Yeich, Lead Missioner in USA

Introduction to the Inspire Movement Rev Dr Brian Yeich, Lead Missioner in USA

Introduction to the Inspire Movement Rev Dr Brian Yeich, Lead Missioner in USA (inspiremovement.org) The Inspire Movement is an international network of Christians who are committed to developing mission-shaped discipleship in the leadership and

421 views • 4 slides
Cases from the INSPIRE Project Dr Jose Christian Lecturer at CENTRIM / Brighton Business School

Cases from the INSPIRE Project Dr Jose Christian Lecturer at CENTRIM / Brighton Business School

THA Best Practices: Cases from the INSPIRE Project Dr Jose Christian Lecturer at CENTRIM / Brighton Business School / University of Brighton The INSPIRE project Open innovation and SMEs Data and methodology INSPIRE cases

551 views • 25 slides
XCache deployment experience What is XCache? Basically an xrootd proxy server that also stores

XCache deployment experience What is XCache? Basically an xrootd proxy server that also stores

XCache deployment experience What is XCache? Basically an xrootd proxy server that also stores data passing through it. On next access it delivers data from disk. It needs: a) Dedicated node b) Local storage c) IP d) Secrets (to

390 views • 9 slides
List of content Energy efficient thermal packaging 1. Introduction to thermal issues 2.

List of content Energy efficient thermal packaging 1. Introduction to thermal issues 2.

Chalmers University of Technology Chalmers University of Technology List of content Energy efficient thermal packaging 1. Introduction to thermal issues 2. Introduction to electronics packaging Johan Liu 3. Solutions to achieve energy

238 views • 11 slides
Towards understanding todays and tomorrow's scheduling challenges in HPC systems Gonzalo P.

Towards understanding todays and tomorrow's scheduling challenges in HPC systems Gonzalo P.

Towards understanding todays and tomorrow's scheduling challenges in HPC systems Gonzalo P. Rodrigo - gonzalo@cs.umu.se Erik Elmroth elmroth@cs.umu.se Lavanya Ramakrishnan lramakrishnan@lbl.gov P-O stberg p-o@cs.umu.se

553 views • 54 slides
Cryptography for software engineers: Protocols

Cryptography for software engineers: Protocols

Cryptography for software engineers: Protocols KATHOLIEKE

476 views • 43 slides
MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History

MCUBoot Attestation David Brown What is MCUboot MCUboot Secure bootloader Its History Manages signed images Handles updates, maintaining security Currently, custom manifest (SUIT maybe some day) What is TF-M Reference

91 views • 8 slides
Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt;

Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt;

Secure remote management with virtualization Daniel P. Berrang &lt;berrange@redhat.com&gt; libvirt: Background API for management of hypervisors Community (Red Hat, Fujitsu, Bull) Isolates apps from HV specific APIs Driver

608 views • 11 slides
RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS?

RSA-PSS Provable Secure RSA Signatures and their Implementation Overview What is RSA-PSS? Why RSA-PSS? Comparing original and standardized PSS Status of Protocols, Standards and Imple- mentations RSA-PSS in X.509

718 views • 19 slides
SSL, X.509, HTTPS How to configure your HTTPS server Hanno Bck, http://hboeck.de/ HTTPS

SSL, X.509, HTTPS How to configure your HTTPS server Hanno Bck, http://hboeck.de/ HTTPS

SSL, X.509, HTTPS How to configure your HTTPS server Hanno Bck, http://hboeck.de/ HTTPS It's complex Two protocols involving crypto X.509 (for the certificates) and SSL/TLS (for the data transport) Many things can go wrong

537 views • 22 slides

More recommend