Bridging the SAML + PKI worlds - Terena

learningsnort, Security

3 Nov 2013


TF-EMC2, Lyon, 14/02/2011

Accessing e-Infrastructure

Christopher Brown
Digital Infrastructure




Slide 2: e-Infrastructure Programme (April 2006 to March 2009)

- Followed UK's 5 year investment in e-Science infrastructure
- Aims:
  - Increase the benefits to, and use of, e-Infrastructure by a wider user base
  - Ensure that e-Infrastructure builds on and shares common core services
  - Explore the ways in which the benefits of the capabilities being developed in grid computing can be transferred to other domains
- 4 thematic areas:
  - Community engagement and support
  - e-Infrastructure security
  - Grid services and tools
  - Knowledge organisation and semantic services

Image: http://www.flickr.com/photos/triplemaximus/156523870/sizes/z/in/photostream/




Slide 3: National Grid Service (NGS)

- Aims to facilitate UK research by providing access to a broad range of computational and data based resources.
- Deliver a production quality e-infrastructure to support academic research across all Higher Education Institutes (HEIs) in the UK
- Provide core services to enable collaborative access to computing and data resources in support of UK researchers
- Ensures UK researchers can efficiently exploit computing facilities across the globe
  - developed partnerships with infrastructures in EU, US, etc.
- http://www.ngs.ac.uk/

Image: http://www.flickr.com/photos/14171139@N08/2041447039/sizes/z/in/photostream




Slide 4: National Grid Service (NGS)

- Free to use for UK academics
- Joining process:
  1. Apply for your personal e-Science Certificate from the UK Certification Authority
  2. Download your certificate into your browser
  3. Apply for a NGS Grid Account
  4. Backup your Certificate and Private Key from your browser
  5. Run the Certificate Wizard to set up your computer
  6. Get started using NGS tools
- http://www.ngs.ac.uk/

Image: http://www.flickr.com/photos/chough/3600381635/sizes/m/in/photostream/



Slide 5: SARoNGS (Jan 2008 to March 2009)

- To deliver into production a Shibboleth based infrastructure for the NGS, to enable HEI users/researchers to access NGS resources using their institutional identities as provided through membership of the UK federation.
- Goals:
  - Broaden the NGS user base.
  - Easier access for researchers who are not technology specialists
  - Easier support for the Service Provider
  - Prevent unauthorised access
  - Deliver a production service
- Access to NGS resources:
  - People use X.509 Certificates
    - Trusted globally (IGTF)
    - Sometimes seen as challenging to use

Image: http://www.flickr.com/photos/pjh/187636402/sizes/z/in/photostream/




Slide 6: SARoNGS

- In SARoNGS:
  - People who have certificates can keep using them
  - Created transparently for people who don't
  - Users don't even know they have certificates
- What's in it for you?
  - Users get non-certificate access to the NGS, mainly via portals
  - SPs can hook into NGS SP/portal (if you wish), particularly if you require X.509
  - Use NGS' VO management infrastructure
  - Non-UK federations: can be reused
- http://www.jisc.ac.uk/whatwedo/programmes/einfrastructure/sarongs.aspx
- https://cts.ngs.ac.uk/

Image: http://www.flickr.com/photos/dicknella/503494947/




Slide 7: SARoNGS

4 main activities:
- to provide grid authentication tied to the UK AMF (a new service based upon outputs from the ShibGrid project)
- to link this authentication token with VO attributes from the grid computing domain
- to translate attributes within the context of UK AMF into attributes suitable for consumption by grid computing infrastructures (a new service based upon the outputs of the SHEBANGS project)
- to demonstrate these via both subject based and generic demonstrator applications

Diagram: the contributing projects ShibGrid, SHEBANGS, VPMan and MIMAS, set against the activities Grid Authn, Translate attributes, Authorisation and Demonstrator.

Image: http://www.flickr.com/photos/brothermagneto/3528084605/sizes/z/in/photostream/
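The translation step described on this slide (federation attributes in, grid subject name plus VO attributes out), as an added Python sketch that is not SARoNGS or NGS code: the DN layout, the 12-hour lifetime, the sample attribute values and the VO membership table are assumptions. It also reflects the limitations raised later on slide 18: the CN is opaque because the IdP publishes no name, the VO lookup keys on an eduPersonTargetedID value the IdP is permitted to reuse, and a short lifetime stands in for revocation.

```python
import hashlib
from datetime import datetime, timedelta, timezone

BASE_DN = "/C=UK/O=eScience/OU=SARoNGS"  # assumed DN layout, not the real CA's
PROXY_LIFETIME = timedelta(hours=12)      # assumed: a short life stands in for revocation
ISSUED_AT = datetime(2011, 2, 14, 9, 0, tzinfo=timezone.utc)  # constructed clock

# Constructed attributes as a Shibboleth SP would release them to the CTS.
SAML_ATTRS = {
    "eduPersonTargetedID": "https://idp.example.ac.uk/idp!https://cts.example.org/sp!Q3x9ab",
    "eduPersonScopedAffiliation": "staff@example.ac.uk",
}
# Constructed VO membership (the role the NGS VO management service plays),
# keyed by the opaque targeted-ID value recorded when the user enrolled.
VO_MEMBERS = {"/ngs.ac.uk/onevre": {"Q3x9ab"}}

def parse_targeted_id(value):
    """eduPersonTargetedID is 'idp!sp!opaque'; the opaque part is stable only for this SP."""
    parts = value.split("!")
    if len(parts) != 3 or not all(parts):
        raise ValueError("malformed eduPersonTargetedID")
    return parts[0], parts[2]

def can_issue(attrs):
    """Without a persistent, scoped identifier there is nothing to bind a subject to."""
    try:
        parse_targeted_id(attrs.get("eduPersonTargetedID", ""))
    except ValueError:
        return False
    return "@" in attrs.get("eduPersonScopedAffiliation", "")

def grid_dn(attrs):
    """Opaque subject name: the IdP publishes no real name, so the CN carries none."""
    idp, opaque = parse_targeted_id(attrs["eduPersonTargetedID"])
    scope = attrs["eduPersonScopedAffiliation"].split("@", 1)[1]
    digest = hashlib.sha256(f"{idp}!{opaque}".encode()).hexdigest()[:16]
    return f"{BASE_DN}/CN={scope} {digest}"

def fqans(attrs, vo_members):
    """VOMS-style fully qualified attribute names for every VO the user belongs to."""
    _, opaque = parse_targeted_id(attrs["eduPersonTargetedID"])
    return [f"{vo}/Role=NULL/Capability=NULL"
            for vo, members in sorted(vo_members.items()) if opaque in members]

def translate(attrs, vo_members=VO_MEMBERS, issued_at=ISSUED_AT):
    if not can_issue(attrs):
        raise ValueError("refusing to issue: no usable federation identifier")
    return {"subject": grid_dn(attrs), "fqans": fqans(attrs, vo_members),
            "not_after": (issued_at + PROXY_LIFETIME).isoformat()}
```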



Slide 8: SARoNGS Architecture

Diagram components: CTS, MyProxy, User and management portals, The NGS Grid, VO Management, CTS access control, research resources (MIMAS)

Slides 9 to 15: SARoNGS Architecture (diagram build-up; no further slide text)

Slide 16: Demo (no slide text)




Slide 17: OneVRE

- VRE funded project
- Connects different institutional portals through Access Grid (AG) technologies
- Connection through AG venues managed by VOMS certificates
- Using SARoNGS for OneVRE VO Management
  - User logs in to portal using Proxy Cert issued by SARoNGS, includes all the VOs the user is a member of
  - VOs are basis for accessing the AG virtual venues on OneVRE servers
  - OneVRE also allows users to securely share data and apps across different AG and OneVRE servers
- http://wiki.rcs.manchester.ac.uk/community/OneVRE

Image: http://www.flickr.com/photos/kubina/471164507/sizes/z/in/photostream/




Slide 18: Limitations of the SARoNGS Grid Credentials

- Certs are only as good as the material on which they are based
- NGS would've liked to have the SARoNGS CA to become accredited with the IGTF like the UK e-Science CA.
- Not possible:
  - Permitted reuse of eduPersonTargetedID
  - Names are not published
  - Id Management Policies too numerous/varied
  - Revocation vs Lifetime




Slide 19: Past

Diagram of earlier projects, grouped by theme:
- Collaboration: GFIVO, CUCKOO, NGS, SARoNGS, SHINTAU, VPMAN
- Identification: UK federation, OpenID, Review, NAMES
- Data Sharing: ASPiS, ES-LoA, iREAD, AGAST, SPIDER
- Personalisation: GOLDDUST, DPIE2
- Identity: The Identity Project



Slide 20: AIM Programme

- 1st Jan 2009 to 31st March 2011 (IdM Toolkit Pilots Feb to Aug 2011)
- Focus:
  - Process
  - Policy
  - Technology
- Objectives
  - Build foundations for production systems that universities might adopt in the future
  - Prepare the sector for future developments
  - Improve user experience
  - Increase value and make AIM relevant to wider community
  - Enable integrated systems architecture
  - Develop practical tools to enable AIM
- Exploring innovative new areas



Slide 21: AIM Programme

- UK Access Management Federation
  - Support
  - Expand
  - Improve
  - Increase uptake
  - Funding
- Shibboleth Consortium (JISC, Internet2, SWITCH)
  - Technical roadmap
  - Governance mechanisms
  - Operate open source project => Shibboleth Foundation?
- Extending Access Mgmt into BCE
- Publisher Support
  - WAYFless URLs



Slide 22: AIM Projects: NGS

A Proxy Credential Auditing Infrastructure for the UK e-Science National Grid Service
Wei Jie, Thames Valley University, 15 months

- Develop proxy certificate auditing infrastructure that supports monitoring/auditing use of proxy credential
  - General usage monitoring
  - Patterns of use and prediction of misuse
- Exploit and harden existing software for this
  - Globus Incubator project
  - Extensions to support
    - VO-specific monitoring and usage
    - Resource-specific monitoring and usage
- Demonstrate in numerous projects and roll out to NGS
  - Case studies: nanoCMOS, ENROLLER, DAMES, NeISS projects
  - includes usage of NGS, ScotGrid, TeraGrid, D-Grid

Image: http://www.flickr.com/photos/argonne/4244642347/sizes/m/in/photostream/
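Detection logic for the "patterns of use and prediction of misuse" bullet, as an added example rather than the project's software: it runs two checks over constructed audit records (proxy issue records carrying the proxy's end of life, and use records from resources), flagging a proxy accepted after its lifetime or never issued, and one proxy used from many resources in a short window. The record format, DNs, resource names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records: ISSUE from the credential service (with the proxy's end of
# life), USE from NGS resources that accepted the proxy. DNs are made up.
AUDIT_LOG = """\
2011-02-14T08:00:00 ISSUE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u2 not_after=2011-02-14T12:00:00
2011-02-14T09:00:00 ISSUE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u1 not_after=2011-02-14T21:00:00
2011-02-14T09:10:00 USE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u1 resource=ngs.leeds
2011-02-14T09:12:00 USE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u1 resource=ngs.oxford
2011-02-14T09:13:00 USE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u1 resource=ngs.manchester
2011-02-14T09:14:00 USE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u1 resource=ngs.rl
2011-02-14T13:30:00 USE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u2 resource=ngs.leeds
2011-02-14T13:31:00 USE dn=/C=UK/O=eScience/OU=SARoNGS/CN=u3 resource=ngs.leeds
"""

def parse(text):
    """One record per line: '<timestamp> <ISSUE|USE> key=value ...', sorted by time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *fields = line.split()
        rec = {"ts": datetime.fromisoformat(ts), "kind": kind}
        rec.update(f.split("=", 1) for f in fields)  # DN values contain '=', split once
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])

def audit(text, window=timedelta(minutes=15), max_resources=3):
    """Return (finding, dn, detail, time) tuples for the patterns checked below."""
    findings, not_after, uses = [], {}, defaultdict(list)
    for r in parse(text):
        dn, when = r["dn"], r["ts"].isoformat()
        if r["kind"] == "ISSUE":
            not_after[dn] = datetime.fromisoformat(r["not_after"])
            continue
        # 1. A proxy accepted after its recorded lifetime, or one we never issued:
        #    the resource's validation is broken or the credential did not come from us.
        if dn not in not_after:
            findings.append(("unknown-proxy", dn, r["resource"], when))
        elif r["ts"] > not_after[dn]:
            findings.append(("expired-proxy", dn, r["resource"], when))
        # 2. One proxy used from many resources inside a short window: a delegated
        #    proxy normally follows a single user's workflow, so this is worth review.
        uses[dn].append(r)
        recent = {u["resource"] for u in uses[dn] if r["ts"] - u["ts"] <= window}
        if len(recent) > max_resources:
            findings.append(("fan-out", dn, ",".join(sorted(recent)), when))
    return findings
```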





Slide 23: AIM Projects: Web Services

WSTIERIA (Web Services Tiered Internet Authorization)
Fiona Culloch, EDINA, 12 months

- Make web services work with UK federation
- Investigating two approaches:
  - using "façade" to handle authentication
  - new Shib features to invoke web service between SPs
- Tested on two application domains:
  - Geospatial web service (SEE-GEO)
  - WebDAV (widely deployed remote file-access protocol layered on HTTP)
- Community Benefit
  - Web services interoperate with FAM
  - Improve end-user experience by application componentization
  - Real components need authorization
  - Access presently hidden web services
  - Discussing with MIMAS, SDSS, Shibboleth

Image: http://www.flickr.com/photos/aqua-marina/840167789/sizes/m/in/photostream/




Slide 24: AIM Projects: Social Net and Shib

Identity and Access Management using Social Networking Technologies
Mike Jones, University of Manchester, 9 months

- FOAF is an RDF (Resource Description Framework) vocabulary mainly aimed at describing links between people and memberships
- produce a functional WebID (formerly FOAF+SSL) based Authentication system for Shibboleth based IdP and an Authentication and Authorisation system for Globus based grids
- Bridge to SAML/Shibboleth
  - Converting information available in RDF into SAML attributes
    - e.g. WebID URI into eduPersonPrincipalName
  - Easy to derive membership of a project or (virtual) organisation based on the FOAF relations
  - Easier ad-hoc collaborations (potentially with people outside the federation too)

Image: http://www.flickr.com/photos/marc_smith/4511843933/sizes/m/in/photostream/
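The RDF-to-SAML bridge described on this slide, as an added example that is not the project's code: it parses constructed N-Triples, derives eduPersonPrincipalName from the WebID URI (that mapping is an assumption) and derives isMemberOf only from typed foaf:Group documents on hosts trusted to assert membership, so a membership claim that lives only in the subject's own profile is not released as an attribute.

```python
import re
from urllib.parse import urlparse

FOAF = "http://xmlns.com/foaf/0.1/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
TRIPLE = re.compile(r'^<([^>]+)>\s+<([^>]+)>\s+(?:<([^>]+)>|"([^"]*)")\s+\.$')
TRUSTED_GROUP_HOSTS = {"groups.example.ac.uk"}  # assumption: who may assert membership

# Constructed N-Triples: Alice's WebID profile, a project group document, and a
# group-like claim that sits only in Alice's own profile space.
NTRIPLES = """\
<https://people.example.ac.uk/alice#me> <http://xmlns.com/foaf/0.1/name> "Alice Example" .
<https://people.example.ac.uk/alice#me> <http://xmlns.com/foaf/0.1/knows> <https://people.example.ac.uk/bob#me> .
<https://groups.example.ac.uk/onevre#group> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://xmlns.com/foaf/0.1/Group> .
<https://groups.example.ac.uk/onevre#group> <http://xmlns.com/foaf/0.1/member> <https://people.example.ac.uk/alice#me> .
<https://people.example.ac.uk/alice#admins> <http://xmlns.com/foaf/0.1/member> <https://people.example.ac.uk/alice#me> .
"""

def parse_ntriples(text):
    """Minimal N-Triples reader: URI or plain-literal objects only."""
    triples = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = TRIPLE.match(line.strip())
        if not m:
            raise ValueError(f"not a triple: {line!r}")
        s, p, o_uri, o_lit = m.groups()
        triples.append((s, p, o_uri if o_uri is not None else o_lit))
    return triples

def principal_name(webid):
    """Assumed WebID -> eduPersonPrincipalName mapping: last path segment @ profile host."""
    u = urlparse(webid)
    return f"{u.path.rstrip('/').rsplit('/', 1)[-1]}@{u.hostname}"

def saml_attributes(webid, triples, trusted_hosts=TRUSTED_GROUP_HOSTS):
    """Derive the attributes an IdP would release for this WebID."""
    groups = {s for s, p, o in triples if p == RDF_TYPE and o == FOAF + "Group"}
    attrs = {"eduPersonPrincipalName": principal_name(webid), "isMemberOf": []}
    for s, p, o in triples:
        if s == webid and p == FOAF + "name":
            attrs["displayName"] = o
        # Membership counts only when a typed foaf:Group hosted where we trust group
        # documents asserts it; a claim in the subject's own profile is not enough.
        if (p == FOAF + "member" and o == webid and s in groups
                and urlparse(s).hostname in trusted_hosts):
            attrs["isMemberOf"].append(s)
    return attrs
```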



Slide 25: Any questions?