
SLCS and VASH Service Interoperability of Shibboleth and gLite - PowerPoint PPT Presentation



  1. Enabling Grids for E-sciencE
     SLCS and VASH Service: Interoperability of Shibboleth and gLite
     Christoph Witzig, SWITCH (witzig@switch.ch)
     NREN Grid Workshop, Nov 30th, 2007, Malaga
     www.eu-egee.org
     EGEE-II INFSO-RI-031688
     EGEE and gLite are registered trademarks

  2. Content
     • Introduction – Interoperability Shibboleth - gLite
     • Short-Lived Credential Service (SLCS) (Phase 1)
     • VOMS Attributes from SHibboleth (VASH) (Phase 2)
     • Outlook: SAML Support in Grids (Phase 3)
     • Summary

  3. Federated Identity
     • Identity Providers (IdP) authenticate their users
     • Service Providers (SP) trust the Identity Providers (IdP) and authorize the users
     • Cross-domain authentication and authorization based on the trust relation

  4. Real and Virtual Organizations
     • Real organizations have built AAIs
     • Grids are being built around Virtual Organizations (VO)
     • How do you relate the member of the "real" organization to the member of the virtual organization?
     [Figure: Dora as member of the University of Malaga (username/password at the home institution) vs. Dora as member of the VO "Woman In Art" (X.509 certificate issued by a CA)]

  5. Interoperability Shibboleth - gLite
     • Interoperability Shibboleth - gLite by SWITCH
       – Part of EGEE-II
     • Focus is on
       – Interoperability (NO replacement for X.509)
       – Specific for the EGEE-II infrastructure (VOMS etc.)
       – Integrate, re-use, re-engineer existing code; write new code only as needed
     • Key concepts:
       – Home institution of the user should be the Identity Provider
       – Home institution provides some attributes
       – But the VO is needed for (grid-specific) attributes

  6. Overview of SLCS and VASH
     [Figure: overview of the gLite UI with the SLCS and VASH services]
     SLCS = Short Lived Credential Service
     VASH = VOMS attributes from Shibboleth

  7. Short Lived Credential Service (SLCS)

  8. SLCS Profile
     • SLCS = Short Lived Credential Service
     • International Grid Trust Federation (IGTF) Profile
     • Minimum requirements, SLCS X.509 certificate vs. "traditional" X.509 certificate:
       – Certificate is generated based on: Identity Management system | Registration Authority (e.g. passport)
       – Lifetime: < 1 million seconds | < 1 year + 1 month
       – Revocation handling: optional | mandatory

  9. SLCS Design
     • Private key is never transferred
     • Use a commercial CA and only standard protocols
     • Modular design such that other people can use their own components
     • Shibboleth attributes determine the DN
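A model of the two SLCS rules above, "Shibboleth attributes determine the DN" and the profile lifetime bound from slide 8, as an added example that is not SWITCH's SLCS code. The attribute names (uniqueID, givenName, surname, homeOrganization), the DN layout and the DN suffix are assumptions; the point is that attribute values are escaped before they become RDNs, so a crafted value cannot add or alter RDNs, and that both the issuing side and a relying party enforce the < 1 million second lifetime.

```python
from datetime import datetime, timedelta, timezone

# IGTF SLCS profile bound quoted in the deck: certificate lifetime < 1 million seconds
SLCS_MAX_LIFETIME_SEC = 1_000_000

# Attribute names and DN layout are assumptions for this example, not SWITCH's mapping
REQUIRED_ATTRS = ("uniqueID", "givenName", "surname", "homeOrganization")
DN_SUFFIX = "DC=slcs,DC=switch,DC=ch"

# Characters that must be escaped inside an RFC 4514 attribute value
_DN_SPECIAL = set(',+"\\<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a Shibboleth attribute value so it cannot add or alter RDNs in the DN."""
    if not value or not value.isprintable():
        raise ValueError("empty or non-printable attribute value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in " #"
        trailing = i == last and ch == " "
        out.append("\\" + ch if ch in _DN_SPECIAL or leading or trailing else ch)
    return "".join(out)


def build_dn(attrs: dict) -> str:
    """Derive the certificate subject DN from the released Shibboleth attributes."""
    missing = [a for a in REQUIRED_ATTRS if not attrs.get(a)]
    if missing:
        raise ValueError(f"cannot build DN, missing attributes: {missing}")
    cn = escape_rdn_value(f"{attrs['givenName']} {attrs['surname']} {attrs['uniqueID']}")
    org = escape_rdn_value(attrs["homeOrganization"])
    return f"CN={cn},O={org},{DN_SUFFIX}"


def issue_validity(now: datetime, requested_sec: int):
    """Online CA side: clamp the requested lifetime strictly below the SLCS bound."""
    lifetime = max(1, min(requested_sec, SLCS_MAX_LIFETIME_SEC - 1))
    return now, now + timedelta(seconds=lifetime)


def lifetime_ok(not_before: datetime, not_after: datetime) -> bool:
    """Relying-party side: reject a certificate that lives longer than the SLCS bound."""
    return timedelta(0) < (not_after - not_before) < timedelta(seconds=SLCS_MAX_LIFETIME_SEC)


if __name__ == "__main__":
    # constructed sample attributes, as a Shibboleth IdP might release them
    sample = {"uniqueID": "12345@example.edu", "givenName": "Dora",
              "surname": "Example", "homeOrganization": "example.edu"}
    print(build_dn(sample))
    nb, na = issue_validity(datetime.now(timezone.utc), 2_000_000)
    print(lifetime_ok(nb, na))
```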

  10. SLCS Operation
     • For the user:
       – Command line: slcs-init --idp <providerId>
       – Part of the gLite User Interface (gLite-UI 3.1) (can also be installed independently)
     • For the RA, from the web-based admin tool:
       – Can enable or disable individual users (only for his institution)
       – Requirements formulated in the CP/CPS
       – Can obtain log information (audit)
     • SWITCH:
       – Operates the service for the SWITCHaai federation

  11. SWITCH SLCS Setup
     • 3 separate servers in an increasingly secure environment (network and physical access)
     • Front End
       – Shibboleth SP
     • SLCS Server
       – Tomcat web app
     • Online CA
       – Microsoft Certificate Server
       – Hardware Security Module (HSM)
     • Offline CA
       – Signs the Online CA
       – Stored in a bank safe

  12. Status SLCS
     • Software development finished in 2006
     • SWITCH SLCS Root CA accredited by EuGridPMA in February 2007
     • SWITCH SLCS in production since April 2007
     • http://www.switch.ch/grid/slcs

  13. VOMS attributes from Shibboleth (VASH)

  14. Problem
     • SLCS ties
       – AAI authentication to the issuance of an X.509 certificate
       – AAI attributes are used to construct the DN
     • SLCS intends to make AAI attributes available to grid resources for authorization decisions
       – Which AAI attributes are of interest to a grid resource?
       – How does the resource obtain the attributes? (pull vs. push)
       – Relation to VO attributes
       – Deployment issues

  15. VASH Design (1)
     • VASH:
       – VOMS Attributes from Shibboleth
     • Shibboleth SP
       – Browser-based
       – Specific for
         ◦ Federation
         ◦ VO
     • "lightweight" SP
       – No administrator duties
       – No management of attributes
       – Simply transfers attributes upon user request

  16. VASH Design (2)
     • X.509 and proxy X.509 with VOMS AC unchanged
     • No change in VOMS
       – Requires VOMS version 1.7.10 or higher
     • VO registration not changed
     • Administrative domains of the Shibboleth federation and of VOMS fully decoupled
     • User manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)

  17. Web Interface VASH Service
     [Screenshot of the VASH service web interface]

  18. Deployment Options
     • Option 1:
       – As an add-on to an existing VOMS-based VO
     • Option 2:
       – As a registration tool which allows the member of a Shibboleth IdP to become a member of a VOMS-based VO
         ◦ Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)
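A model of the VASH design rules from slide 16 (VO registration unchanged, administrative domains decoupled, user-managed DN-to-Shibboleth-id mapping) in the deployment Option 1 setting above, as an added example that is not the VASH project's code. The generic-attribute shape (name, value, VO qualifier), the per-VO allowlist of accepted attributes and the in-memory VOMS stand-in are assumptions; the example shows that the service forwards attributes only for a DN the requesting Shibboleth user has linked, only if that DN is already a VO member, and only for attributes the VO agreed to accept.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class GenericAttribute:
    """Assumed shape of a VOMS generic attribute: name, value and the VO it belongs to."""
    name: str
    value: str
    qualifier: str


@dataclass
class VashService:
    vo: str
    # Attributes this VO agreed to take from the federation (assumed per-deployment allowlist)
    accepted: frozenset
    # VO membership as VOMS knows it: DN -> generic attributes (VO registration is not changed)
    voms: dict = field(default_factory=dict)
    # User-managed links between a Shibboleth user id and the DNs that user holds
    links: dict = field(default_factory=dict)

    def link_dn(self, shib_uid: str, dn: str) -> None:
        """The user links a classic or SLCS X.509 DN to their Shibboleth identity (Option 1:
        the DN must already be a VO member, VASH does not register anyone)."""
        if dn not in self.voms:
            raise PermissionError(f"{dn} is not a member of VO {self.vo}")
        self.links.setdefault(shib_uid, set()).add(dn)

    def transfer(self, shib_uid: str, dn: str, released: dict) -> list:
        """On the user's request, forward released Shibboleth attributes into VOMS for that DN.
        VASH manages no attributes itself: it refuses DNs the user has not linked and drops
        anything outside the VO's allowlist, so a federation attribute cannot silently become
        a VO privilege."""
        if dn not in self.links.get(shib_uid, set()):
            raise PermissionError(f"{dn} is not linked to Shibboleth user {shib_uid}")
        forwarded = [GenericAttribute(n, v, self.vo) for n, v in released.items() if n in self.accepted]
        names = {a.name for a in forwarded}
        # replace earlier values of the same attributes; leave attributes set by the VO admin alone
        kept = [a for a in self.voms[dn] if a.name not in names]
        self.voms[dn] = kept + forwarded
        return forwarded


if __name__ == "__main__":
    svc = VashService("woman-in-art", frozenset({"homeOrganization", "affiliation"}))
    dn = "/DC=ch/DC=switch/DC=slcs/O=example.edu/CN=Dora Example 12345"  # constructed DN
    svc.voms[dn] = [GenericAttribute("role", "curator", "woman-in-art")]
    svc.link_dn("dora@example.edu", dn)
    print(svc.transfer("dora@example.edu", dn, {"affiliation": "student", "mail": "dora@example.edu"}))
```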

  19. Status VASH
     • Software implementation done
     • MJRA1.5 document: https://edms.cern.ch/document/807849/1
     • Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available
       – Access to VOMS AC
       – LCAS/LCMAPS plugin

  20. Outlook: SAML Support in Grids

  21. Phase 3: SAML Support
     • Goal of phase 3: extend the use of SAML in grids beyond what is already provided by phases 1 and 2
     • SAML-enable those services with which the user interacts directly
       – WMS
       – File access
     • Benefits:
       – (Average) user has no certificates anymore
       – Introduce SAML gently beyond phases 1 and 2, gain experience
       – Compatible with the Shibboleth roadmap (2.0, 2.1) and the WS-Trust STS implementation
       – Options open for the future
     • Requires: a means for a service to transform a security token it has into a security token it needs

  22. Security Token Service (STS)
     • Based on the OASIS WS-Trust standard
     • Converts one security token into another
       – Initial focus on
         ◦ username/password → SAML
         ◦ SAML → X.509
     • Supports token request, renewal, validity check, destruction
     • Capable of obtaining attributes from different sources (e.g. Shibboleth IdP, VOMS)

  23. Use Cases
     • Grid:
       – A central Grid resource (e.g. resource broker) obtains a user job with a SAML assertion as credential
       – Conversion into a security token that the other Grid services understand (X.509)
     • Non-browser-based Shibboleth applications:
       – User agent contacts the Shibboleth IdP with a credential (e.g. username, password)
       – User agent receives a SAML assertion to be sent to a Shibboleth SP

  24. Summary
     • Interoperability Shibboleth - gLite
       – Phase 1: SLCS
         ◦ Online CA issuing short-lived X.509 certificates based upon authentication at a Shibboleth IdP
         ◦ Operative and in production
       – Phase 2: VASH
         ◦ Transfers Shibboleth attributes into VOMS
         ◦ Shib attributes are available to grid resources as part of the VOMS AC
         ◦ Software development finished
       – Phase 3: SAML
         ◦ Current phase: design of a WS-Trust STS for SAML and proxy X.509
         ◦ Idea: SAML-enable a selected (small) number of grid services (those close to the user: WMS, …)
     • Leverage the existing SWITCHaai Shibboleth federation

  25. Q & A
