identity federation for virtual organizations gridshib
play

Identity Federation for Virtual Organizations: GridShib and MyProxy - PowerPoint PPT Presentation

Oct 12, 2022 •189 likes •473 views

Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop Jan 22nd, 2006 Toyko, Japan Von Welch vwelch@ncsa.uiuc.edu Outline GridShib MyProxy Future plans: Shibboleth/MyProxy/GridShib

  1. Identity Federation for Virtual Organizations: GridShib and MyProxy APAN Middleware Workshop Jan 22nd, 2006 Toyko, Japan Von Welch vwelch@ncsa.uiuc.edu

  2. Outline • GridShib • MyProxy • Future plans: Shibboleth/MyProxy/GridShib integration Jan 22nd, 2006 APAN Middleware Workshop 2

  3. What is GridShib • NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit – Funded under NSF NMI program • GridShib team: NCSA, U. Chicago, ANL – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch • Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team Jan 22nd, 2006 APAN Middleware Workshop 3

  4. Motivation • Many Grid VOs are focused on science or business other than IT support – Don’t have expertise or resources to run security services • We have a strong infrastructure in place for authentication in the form of Grid PKIs • Attribute authorities are emerging as the next important service Jan 22nd, 2006 APAN Middleware Workshop 4

  5. Shibboleth • http://shibboleth.internet2.edu/ • Internet2 project • Allows for inter-institutional sharing of web resources (via browsers) – Provides attributes for authorization between institutions • Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’ • Standards-based (SAML) • Being extended to non-web resources Jan 22nd, 2006 APAN Middleware Workshop 5

  6. Shibboleth • Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services • SSO: authenticates user locally and issues authentication assertion with Handle – Assertion is short-lived bearer assertion – Handle is also short-lived and non-identifying – Handle is registered with AA • Attribute Authority responds to queries regarding handle Jan 22nd, 2006 APAN Middleware Workshop 6

  7. Shibboleth (Simplified) SAML Shibboleth Shibboleth IdP SP LDAP Attributes AA AR (e.g.) Handle SSO ACS Handle Jan 22nd, 2006 APAN Middleware Workshop 7

  8. Globus Toolkit • http://www.globus.org • Toolkit for Grid computing – Job submission, data movement, data management, resource management • Based on Web Services and WSRF • Security based on X.509 identity- and proxy-certificates – Maybe from conventional or on-line CAs Jan 22nd, 2006 APAN Middleware Workshop 8

  9. Grid PKI • Large investment in PKI at the international level for Grids – Dozens of CAs, thousands of users • International Grid Trust Federation – http://www.gridpma.org Jan 22nd, 2006 APAN Middleware Workshop 9

  10. Integration Approach • Conceptually, replace Shibboleth’s handle-based authentication with X509 – Provides stronger security for non-web browser apps – Works with existing PKI install base • To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible Jan 22nd, 2006 APAN Middleware Workshop 10

  11. SSL/TLS, WS-Security 11 GridShib (Simplified) APAN Middleware Workshop SAML Attributes DN DN Shibboleth DN SSO A Jan 22nd, 2006

  12. Authorization • Delivering attributes is half the story… • Currently have a simple authorization mechanisms – List of attributes required to use service or container – Mapping of attributes to local identity for job submission Jan 22nd, 2006 APAN Middleware Workshop 12

  13. Globus Authorization Framework • Authorization framework in Globus Toolkit – Siebenlist et. al. at Argonne – Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions • Work in OGSA-Authz WG to allow for callouts to third-party authorization services – E.G. PERMIS • Convert Attributes (SAML or X509) into common format for policy evaluation – XACML-based Jan 22nd, 2006 APAN Middleware Workshop 13

  14. GridShib Status • Beta release publicly available • Drop-in addition to GT 4.0 and Shibboleth 1.3 • Project website: – http://gridshib.globus.org • Very interested in feedback Jan 22nd, 2006 APAN Middleware Workshop 14

  15. W hat is MyProxy? • Project led by Jim Basney @ NCSA • A service for managing X.509 PKI credentials – A credential repository and certificate authority • An Online Credential Repository – Long-lived private keys never leave the server • An Online Certificate Authority – Issues short-lived X.509 End Entity Certificates • Supporting multiple authentication methods – Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie • Open Source Software – Included in Globus Toolkit 4.0 and CoG Kits – C, Java, Python, and Perl clients available Jan 22nd, 2006 APAN Middleware Workshop 15

  16. MyProxy Authentication • Key Passphrase • X.509 Certificate – Used for credential renewal • Pluggable Authentication Modules (PAM) – Kerberos password – One Time Password (OTP) – Lightweight Directory Access Protocol (LDAP) password • Simple Authentication and Security Layer (SASL) – Kerberos ticket (SASL GSSAPI) • PubCookie Jan 22nd, 2006 APAN Middleware Workshop 16

  17. MyProxy Online Credential Repository • Stores X.509 End Entity and Proxy credentials – Private keys encrypted with user-chosen passphrases – Credentials may be stored directly or via proxy delegation – Users can store multiple credentials from different CAs • Access to credentials controlled by user and administrator policies – Set authentication requirements – Control whether credentials can be retrieved directly or if only proxy delegation is allowed – Restrict lifetime of retrieved proxy credentials • Can be deployed for a single user, a site, a virtual organization, a resource provider, a CA, etc. Jan 22nd, 2006 APAN Middleware Workshop 17

  18. MyProxy Online Certificate Authority • Issues short-lived X.509 End Entity Certificates – Leverages MyProxy authentication mechanisms – Compatible with existing MyProxy clients • Ties in to site authentication and accounting – Using PAM and/or Kerberos authentication – “Gridmap” file maps username to certificate subject • LDAP support for mapping • Avoid need for long-lived user keys • Server can function as both CA and repository – Issues certificate if no credentials for user are stored Jan 22nd, 2006 APAN Middleware Workshop 18

  19. MyProxy and Pubcookie • Combines web and grid single sign-on – Authenticate to MyProxy with Pubcookie granting cookie Campus Verify login Pubcookie Authentication Login Server Server Redirect to authenticate and obtain granting cookie Web Retrieve proxy MyProxy Browser Application server Server Jonathan Martin, Jim Basney, and Marty Humphrey, "Extending Existing Campus Trust Relationships to the Grid through the Integration of Pubcookie and MyProxy," 2005 International Conference on Computational Science (ICCS 2005), Emory University, Atlanta, GA, May 22-25, 2005. Jan 22nd, 2006 APAN Middleware Workshop 19

  20. Example: TeraGrid User Portal • Use TeraGrid-wide Kerberos username and password for portal authentication – Obtain PKI credentials for resource access across TeraGrid sites via portal & externally • \ Jan 22nd, 2006 APAN Middleware Workshop 20

  21. Example: LTER Grid Pilot Study • Build a portal for environmental acoustics analysis • Leverage existing LDAP usernames and passwords for portal authentication – Obtain PKI credentials for job submission and data transfer – Using MyProxy PAM LDAP authentication Long Term Ecological Research Network Information System Jan 22nd, 2006 APAN Middleware Workshop 21

  22. Example: NERSC OTP PKI • Address usability issues for One Time Passwords – Obtain session credentials using OTP authentication • Prototyping MyProxy CA with PAM Radius authentication – ESnet Radius Authentication Fabric federates OTP authentication across sites National Energy Research Scientific Computing Center Jan 22nd, 2006 APAN Middleware Workshop 22

  23. Example: NCSA OTP & Kerberos PKI • Can use either OTP or Kerberos password to obtain X509 credentials • PAM configurations tries both in turn and returns X509 credentials if either suceeds Jan 22nd, 2006 APAN Middleware Workshop 23

  24. Future Plans: GridShib/MyProxy Integration • Allow for leveraging of Shibboleth SSO for Grids – Need to convert Shib SAML into X509 • Accomplish by adding SAML authentication support to MyProxy – Ala Pubcookie • Continue to use current GridShib work for Shibboleth-issued attributes to Grid resources • Two motivating use cases… – Command-line users – Portal users Jan 22nd, 2006 APAN Middleware Workshop 24

  25. GridShib/MyProxy Integration 25 APAN Middleware Workshop Jan 22nd, 2006

  26. GridShib/MyProxy Integration 26 APAN Middleware Workshop Jan 22nd, 2006

  27. GridShib/MyProxy Integration • Challenge is one of name management • User’s local name must be mapped to X509 DN and then back to name meaningful to attribute authority • Is algorithmic approach better or can we assume database of mappings? • Who should do the mappings? Jan 22nd, 2006 APAN Middleware Workshop 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3

ACOnet Identity Federation Policy Experiences Peter Schober ACOnet TERENA EuroCAMP @ 4 th GN3 Symposium 15-16 October 2012 Agenda 1. The Politics behind Federation Policies 2. Tales from a Federation Operator: On-boarding of prospective

195 views • 16 slides
Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client software combines tools and utilities to extend a Web Application to: Enable login via federated SSO like eduGAIN Retrieve a SAML2 Identity Assertion

385 views • 24 slides
OpenStack Identity Federation Many thanks to: Who are we? Joe Savak Rackspace Product

OpenStack Identity Federation Many thanks to: Who are we? Joe Savak Rackspace Product

OpenStack Identity Federation Many thanks to: Who are we? Joe Savak Rackspace Product Manager ( ) Brad Topol IBM Distinguished Engineer \_( )_/ Jorge Williams Rackspace Principal Architect ~*

380 views • 26 slides
SaaS Platform Identity Verification True Professionals Organizations need to automate their

SaaS Platform Identity Verification True Professionals Organizations need to automate their

Identity Verification SaaS Platform Identity Verification True Professionals Organizations need to automate their onboarding processes making sure they know who is on the other side. Challenges Ideal Solution Expectations As the majority

454 views • 4 slides
The Semi-Rigid Pavement with Higher Performances for Roads and Parking Aprons Dr Wu, D.Q., Daud

The Semi-Rigid Pavement with Higher Performances for Roads and Parking Aprons Dr Wu, D.Q., Daud

29 th CONFERENCE OF THE ASEAN FEDERATION OF ENGINEERING ORGANIZATIONS (CAFEO 2011) 29 th Conference of the Asean Federation of Engineering Organizations (CAFEO 2011) 27-30 November, 2011 The Rizqun International Hotel, Brunei Darussalam The

377 views • 22 slides
REPORT FROM DIRECTOR GENERAL About IFIA A federation of organizations that provide

REPORT FROM DIRECTOR GENERAL About IFIA A federation of organizations that provide

ANNUAL GENERAL MEETING 2012 REPORT FROM DIRECTOR GENERAL About IFIA A federation of organizations that provide testing, inspection and certification (TIC) services, internationally Established in 1982 Global membership of 40

312 views • 19 slides
to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda

to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda

Automated User Information Conversion to improve Identity Federation Scalability Daniela Phn and Wolfgang Hommel Agenda Introduction and Motivation Generic Conversion Rule Repository Functionality Workflows Architecture

244 views • 20 slides
Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais,

Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais,

Software Agents in Virtual Organizations: Good Faith and Trust Francisco Andrade, Paulo Novais, Jos Machado and Jos Neves Universidade do Minho - Portugal PROVE 2008 Poznan, Poland September, 9 th Introduction Virtual organizations

384 views • 26 slides
Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario

Modelling and Analysing an Identity Federation Protocol: Federated Network Providers Scenario Maurice ter Beek (FMT, ISTICNR, Pisa, Italy) joint work with Marinella Petrocchi (IITCNR, Pisa, Italy) Corrado Moiso (Telecom Italia, Torino,

559 views • 28 slides
Gender Identity and Expression Human Rights and Organizations Pre-Class Materials Gender Terms

Gender Identity and Expression Human Rights and Organizations Pre-Class Materials Gender Terms

Gender Identity and Expression Human Rights and Organizations Pre-Class Materials Gender Terms 5 Young Trans Activists Asia Kate Dillon/To Gender Nonbinary People Growing Up Trans Documentary (PBS) Concepts **Social and Cultural

480 views • 15 slides
Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes Identity theft can cost you time and money. Tips for Preventing Identity Theft

322 views • 10 slides
BUFLA Charity Bangladesh Unity Federation of Los Angeles Dr.M.A.Hashem Bangladesh Unity

BUFLA Charity Bangladesh Unity Federation of Los Angeles Dr.M.A.Hashem Bangladesh Unity

BUFLA Charity Bangladesh Unity Federation of Los Angeles Dr.M.A.Hashem Bangladesh Unity Federation of Los Angeles (BUFLA) is a federation of many different Bangladeshi Organizations of greater Los Angeles.Bangladesh Unity Federation of Los

478 views • 3 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
IDENTITY What is the Relationship Between Identity and the College Experience? What Role

IDENTITY What is the Relationship Between Identity and the College Experience? What Role

2/15/2019 Jordan Truex Agenda or Summary Layout The Road to SelfAuthorship NonTraditional Students Effective Interview Strategies Meeting the Student Where They Are IDENTITY What is the Relationship Between Identity and the

367 views • 10 slides
Web 2.0-mashups Modules of Virtual Organizations Hong Chun Oliver Bohl ISNM 2006 What is

Web 2.0-mashups Modules of Virtual Organizations Hong Chun Oliver Bohl ISNM 2006 What is

Web 2.0-mashups Modules of Virtual Organizations Hong Chun Oliver Bohl ISNM 2006 What is mashup? Mashup originated from pop music. From two different songs (usually belong to different styles) it is mixed singing and musical instruments,

1.11k views • 9 slides
Federation monitoring Jaime Prez < jaime.perez@ j p @ rediris.es> Virginia

Federation monitoring Jaime Prez < jaime.perez@ j p @ rediris.es> Virginia

TF-NOC meeting Brussels, October 2011 Federation monitoring Jaime Prez < jaime.perez@ j p @ rediris.es> Virginia Martn-Rubio < virgini ia.martinrubio@rediris.es> What is an identity fed deration? A set of

585 views • 29 slides
Cayuse 424 Training 1. Entering Applications in Cayuse 424 2. Open Discussion/Questions Cayuse

Cayuse 424 Training 1. Entering Applications in Cayuse 424 2. Open Discussion/Questions Cayuse

Cayuse 424 Training 1. Entering Applications in Cayuse 424 2. Open Discussion/Questions Cayuse 424 Entering Application Updated: July 25, 2018 Training Outline Overview of Cayuse 424 Cayuse 424 Hands-on Lab Professional Profiles

331 views • 9 slides
The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of

The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of

The Handle Turns Itself... Adventures In Account Management Toby Blake Craig Strachan School of Informatics University of Edinburgh The Good Old Days UID text file or similar /etc/passwd Username Make it up or ask the user Today LDAP

345 views • 18 slides
Credential Mapping in Grids Esteban Talavera Gonzlez Center for Parallel Computers (PDC) Royal

Credential Mapping in Grids Esteban Talavera Gonzlez Center for Parallel Computers (PDC) Royal

Overview Background Our solution Conclusions Credential Mapping in Grids Esteban Talavera Gonzlez Center for Parallel Computers (PDC) Royal Institute of Technology (KTH) Stockholm March 16, 2007 Esteban Talavera Gonzlez Credential

569 views • 44 slides
/-J Los Alamos NATIONA L LABOR ATOR Y ---- EH.1941 ---- Los Alamos National Laboratory, an

/-J Los Alamos NATIONA L LABOR ATOR Y ---- EH.1941 ---- Los Alamos National Laboratory, an

0 s\ \ '6 LA-UR- 0 <=\ - Approved for public release; distribution is unlimited. Title: Kerberized Network File System for Clusters Author(s): Ian Burns Christoph er Hoffman Paige Ashlynn Intended for: Electronic/World-wide Web Academi c

459 views • 17 slides
+ Scyld

+ Scyld

+ Scyld Cloud Workstation Shailesh Shenoy

486 views • 13 slides
Integrity measurements for stronger cloud-based authentication John Zic 1 Thomas Hardjono 2 1

Integrity measurements for stronger cloud-based authentication John Zic 1 Thomas Hardjono 2 1

Integrity measurements for stronger cloud-based authentication John Zic 1 Thomas Hardjono 2 1 CSIRO Computational Informatics 2 MIT Kerberos and Internet of Trust Trust in the Digital World: Enabling the Economies of Trust Zic and

371 views • 19 slides
Introduction to PDC environment Xin Li PDC Center for High Performance Computing KTH Royal

Introduction to PDC environment Xin Li PDC Center for High Performance Computing KTH Royal

Introduction to PDC environment Xin Li PDC Center for High Performance Computing KTH Royal Institute of Technology SF2568, January 2019 Xin Li (PDC) Introduction to PDC environment 15 Jan 2019 1 / 36 PDC Overview Outline PDC Overview 1

710 views • 36 slides
IHE: A Proven Process IHE: A Proven Process for HL7 Standards for HL7 Standards Implementation

IHE: A Proven Process IHE: A Proven Process for HL7 Standards for HL7 Standards Implementation

IHE: A Proven Process IHE: A Proven Process for HL7 Standards for HL7 Standards Implementation Implementation Glen F. Marshall, Glen F. Marshall, Co- -chair, IHE IT Infrastructure Planning chair, IHE IT Infrastructure Planning Co 1 What

457 views • 17 slides

More recommend