welch adv camp july05

Published on October 2, 2007

Author: Breezy

Source: authorstream.com

Tools for Grid/Campus Integration: GridShib and MyProxy
Internet2 Advanced Camp, July 1, 2005
Von Welch, [email protected]

Outline
- GridShib
  - Overview of Shibboleth and Globus
  - Our Motivation and Use Cases
  - Integration Approach
  - Status
- MyProxy
  - Overview
  - Local Authn Support

Shibboleth
- http://shibboleth.internet2.edu/
- Internet2 project
- Allows for inter-institutional sharing of web resources (via browsers)
- Provides attributes for authorization between institutions
- Allows for pseudonymity via temporary, meaningless identifiers called 'Handles'
- Standards-based (SAML)
- Being extended to non-web resources

Shibboleth
- Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
- SSO: authenticates user locally and issues authentication assertion with Handle
  - Assertion is short-lived bearer assertion
  - Handle is also short-lived and non-identifying
  - Handle is registered with AA
- Attribute Authority responds to queries regarding handle

Shibboleth
- Service Provider composed of Assertion Consumer and Attribute Requestor
- Assertion Consumer parses authentication assertion
- Attribute Requestor: request attributes from AA
  - Attributes used for authorization
- Where Are You From (WAYF) service determines user's Identity Provider

Shibboleth (Simplified)
[Diagram: Shibboleth IdP (SSO and AA, backed by e.g. LDAP) and Shibboleth SP (ACS and AR). The SSO issues a Handle to the SP's ACS; the AR presents the Handle to the AA and receives Attributes, both carried as SAML.]
Globus Toolkit
- http://www.globus.org
- Toolkit for Grid computing
  - Job submission, data movement, data management, resource management
- Based on Web Services and WSRF
- Security based on X.509 identity- and proxy-certificates
  - Maybe from conventional or on-line CAs
- Some initial attribute-based authorization

Motivation
- Many Grid VOs are focused on science or business other than IT support
  - Don't have expertise or resources to run security services
- Allow for leveraging of Shibboleth code and deployments run by campuses

Use Cases
- Project leveraging campus attributes
  - Simplest case
- Project-operated Shib service
  - Project operates own service; conceptually easy, but not ideal
- Campus-operated, project-administered Shib
  - Ideal mix, but need mechanisms for provisioning of attribute administration

Integration Approach
- Conceptually, replace Shibboleth's handle-based authentication with X509
  - Provides stronger security for non-web browser apps
  - Works with existing PKI install base
- To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

GridShib (Simplified)
[Diagram: Shibboleth SSO and AA as before, but the user's X.509 DN takes the place of the Handle; Attributes are returned for the DN as SAML, transported over SSL/TLS and WS-Security.]

Integration Areas
- Assertion Transmission
- Attribute Authority Discovery
- Distributed Attribute Administration
- User Registration
- Pseudonymous Interaction
- Authorization

Assertion Transmission
- How to get SAML assertions from AA into Globus?
- Initially: Pull mode, with Globus acting as a Shibboleth Attribute Requestor
- Will explore Pull modes to help with privacy and role combination
- Implement Grid Name Mapper to map X509 DNs to local identities used to obtain attributes

Attribute Authority Discovery
- No interactive WAYF service in the Grid
- Place identifier of Identity Provider in cert
  - Either in long-term EEC or short-term Proxy Cert
- Will explore pushing attributes
  - Avoids the problem
  - Might also address combined attributes from multiple AAs

Distributed Attribute Administration
- Campus is ideal for running services, but may not know all attributes of users
- How does a campus issue attributes for which it is not authoritative?
  - E.g. IEEE Membership of staff
  - In Grid case, Project Membership
- This may be the largest hurdle due to social, political and/or legal issues
- Need accepted cookbook for process
- Plan on exploring Signet: http://middleware.internet2.edu/signet/

Getting Attributes into a Site's Attribute Authority
[Diagram: Core Business Systems (SIS, HR) feed Loaders into a Person Registry; On-site Authorities populate a Group Registry through the Grouper UI and Off-site Authorities populate a Privilege Registry through the Signet UI. The registries feed an LDAP-backed Attribute Authority (uid: jdoe, eduPersonAffiliation: …, isMemberOf: …, eduPersonEntitlement: …), which Shib/GridShib consumes using Shibboleth.]

User Registration
- How does the mapping from the User's X509 DN to local Campus identity get made in NameMapper configuration?
- In initial version, this will be a manual process
  - Yes, far from ideal
- We envision
  - Something akin to a registration service that authenticates user's X509 and local credentials and puts mapping in automatically
  - Or a portal that hides all the X509 from the user and also handles this mapping
    - E.g. PURSE, GAMA

Pseudonymous Interaction
- How to maintain Shibboleth pseudonymous functionality with X509?
- Will develop online CA that issues certificates with non-identifying DNs
  - Register with AA just as SSO
  - Basically holder-of-key assertions

Authorization
- Develop authorization framework in Globus Toolkit
  - Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
- XACML used for expressing gathered identity, attribute and policy information
- Convert attributes into common format for policy evaluation
  - Allows for common evaluation of attributes expressed in SAML and X509 (and others…)

GridShib Status
- Testing initial version internal to project
- Will be a drop-in addition to GT 4.0 and Shibboleth 1.3
- Plan on releasing Beta version 2-3 weeks after Shibboleth 1.3 is released
- Looking for interested testers
- Project website: http://grid.ncsa.uiuc.edu/GridShib/

Acknowledgements and Details
- NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
- Funded under NSF award SCI-0438424
- GridShib team: NCSA, U. Chicago, ANL
  - Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
- Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

MyProxy Enhancements for Local Integration
Bill Baker, Jim Basney and Von Welch
NCSA

What is MyProxy?
- Independent Globus Toolkit add-on since 2000
  - To be included in Globus Toolkit 4.0
- A service for securing private keys
  - Keys stored encrypted with user-chosen password
  - Keys never leave the MyProxy server
- A service for retrieving proxy credentials
- A commonly-used service for grid portal security
  - Integrated with OGCE, GridSphere, GridPort, PURSE, GAMA

Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  - Restricted lifetime in certificate limits vulnerability of unencrypted key
- Credential delegation (forwarding) without transferring private keys
[Diagram: signing chain in which each certificate signs the next: the credential signs Proxy A, Proxy A signs Proxy B.]

Proxy Delegation
[Diagram: Delegator and Delegatee, four numbered steps: generate new key pair, proxy certificate request, sign new proxy certificate, proxy returned.]

MyProxy System Architecture
[Diagram: MyProxy client and MyProxy server with its credential repository; Store proxy and Retrieve proxy are proxy delegations over a private TLS channel.]

MyProxy: Credential Mobility
[Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu, stores a proxy in myproxy.teragrid.org and retrieves proxies at tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.ncsa.teragrid.org.]

MyProxy and Grid Portals
[Diagram: the user logs in to the Portal; the Portal fetches a proxy from the MyProxy server and accesses data on the GridFTP server.]

MyProxy and PAM
- MyProxy now has ability to use PAM for authentication
  - As a replacement for locally-stored password
- Users can use existing authentication mechanism to access Grid credentials
- Has been tested with PAM modules for LDAP, Kerberos, OTP (CryptoCard) via RADIUS

LTER Grid Example
[Diagram: the user presents an LDAP username & password to the LTER Portal; the MyProxy server authenticates it through PAM against LTER LDAP and returns a proxy; the Portal uses the creds for job submission and GridFTP.]

Status
- PAM support in MyProxy v2.0, which is released
- Available at http://myproxy.ncsa.uiuc.edu
- PAM-specific documentation: http://grid.ncsa.uiuc.edu/myproxy/pam.html
- PAM enhancements funded by NMI Grids Center
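The Proxy Credentials and Proxy Delegation slides above describe RFC 3820 proxies: a fresh key pair on the delegatee, a certificate request to the delegator, a short-lived certificate signed by the delegator's own end-entity key, and no private key ever crossing the wire. The Go program below is an added example written for this page, not code from MyProxy or the Globus Toolkit. It issues a proxy from a constructed, self-signed stand-in for a CA-issued identity certificate (all names and lifetimes are invented) and then performs the relying-party checks that an ordinary X.509 chain builder refuses to make because the issuer is not a CA: signature by the issuer's key, a proxy lifetime that never exceeds the issuer's, and the RFC 3820 naming rule (subject = issuer's subject plus exactly one CN). The critical ProxyCertInfo extension the RFC also mandates is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

var oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// rdns decodes a DER name; inputs always come from an already parsed certificate.
func rdns(raw []byte) pkix.RDNSequence {
	var seq pkix.RDNSequence
	_, err := asn1.Unmarshal(raw, &seq)
	check(err)
	return seq
}

// newEEC stands in for a CA-issued identity certificate; self-signed only so this runs offline.
func newEEC(lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: []string{"Example Grid"}, CommonName: "jdoe"}, // constructed
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// signProxy (delegator, steps 2-3): RFC 3820 subject = issuer subject + one CN; never outlives the issuer.
func signProxy(issuer *x509.Certificate, issuerKey *ecdsa.PrivateKey, csrDER []byte, lifetime time.Duration) *x509.Certificate {
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature()) // proof that the requester holds the new private key
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	check(err)
	subject := append(rdns(issuer.RawSubject), pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: serial.String()}})
	rawSubject, err := asn1.Marshal(subject)
	check(err)
	notAfter := time.Now().Add(lifetime)
	if notAfter.After(issuer.NotAfter) {
		notAfter = issuer.NotAfter // clip: a proxy cannot outlive the credential it derives from
	}
	tmpl := &x509.Certificate{SerialNumber: serial, RawSubject: rawSubject, NotBefore: time.Now(), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, csr.PublicKey, issuerKey)
	check(err)
	proxy, err := x509.ParseCertificate(der)
	check(err)
	return proxy
}

// validateProxy: relying-party checks for one link; a normal chain builder rejects it (issuer is not a CA).
func validateProxy(proxy, issuer *x509.Certificate, now time.Time) error {
	if err := issuer.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature); err != nil {
		return err
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || proxy.NotAfter.After(issuer.NotAfter) {
		return fmt.Errorf("proxy outside its valid period or outlives its issuer")
	}
	subj, iss := rdns(proxy.RawSubject), rdns(issuer.RawSubject)
	if len(subj) != len(iss)+1 || fmt.Sprint(subj[:len(iss)]) != fmt.Sprint(iss) ||
		len(subj[len(iss)]) != 1 || !subj[len(iss)][0].Type.Equal(oidCommonName) {
		return fmt.Errorf("proxy subject must be the issuer subject plus exactly one CN")
	}
	return nil
}

// delegate: delegatee makes key pair + request (step 1), delegator signs (3), proxy returned (4); the key never moves.
func delegate(eecLifetime, proxyLifetime time.Duration) (*x509.Certificate, *x509.Certificate) {
	eec, eecKey := newEEC(eecLifetime)
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays with the delegatee
	check(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, proxyKey)
	check(err)
	return signProxy(eec, eecKey, csr, proxyLifetime), eec
}

func main() {
	proxy, eec := delegate(24*time.Hour, 12*time.Hour)
	fmt.Println(proxy.Subject.String(), "valid:", validateProxy(proxy, eec, time.Now()) == nil)
}
```

Run with `go run`; it prints the proxy's DN (the issuer's DN with one extra CN) and `valid: true`. The clipping branch in signProxy is the property the Proxy Credentials slide relies on: however long a session asks for, an unencrypted proxy key is only useful until the identity certificate it derives from expires, and a relying party that skips the `NotAfter` comparison loses that guarantee.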
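The Authorization slide describes converting attributes gathered from SAML and X.509 into one common form and evaluating policy over them, and two earlier slides fix what that evaluation has to check: the AA's answer must be about the DN that actually authenticated (Assertion Transmission, where the DN stands in for the handle), and an attribute should only count when it comes from the party authoritative for it (Distributed Attribute Administration). The Go program below is an added illustration of that framework, not GridShib, Globus Toolkit or XACML code; the SAML 1.1 assertion, issuer identifiers, CA name and policy are constructed for the example.

```go
package main

import (
	"crypto/x509/pkix"
	"encoding/xml"
	"fmt"
)

// Attribute is the common form policy evaluates, whatever carried it in (SAML from an AA, a certificate field, ...).
type Attribute struct{ Issuer, Name, Value string }

// Just enough of a SAML 1.1 assertion to read an AttributeStatement.
type samlAssertion struct {
	Issuer    string `xml:"Issuer,attr"`
	Statement struct {
		NameIdentifier string `xml:"Subject>NameIdentifier"`
		Attributes     []struct {
			Name   string   `xml:"AttributeName,attr"`
			Values []string `xml:"AttributeValue"`
		} `xml:"Attribute"`
	} `xml:"AttributeStatement"`
}

// fromSAML flattens an attribute assertion and returns its subject, so the caller can bind it to the authenticated DN.
func fromSAML(doc []byte) (subject string, attrs []Attribute, err error) {
	var a samlAssertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return "", nil, err
	}
	for _, at := range a.Statement.Attributes {
		for _, v := range at.Values {
			attrs = append(attrs, Attribute{a.Issuer, at.Name, v})
		}
	}
	return a.Statement.NameIdentifier, attrs, nil
}

// fromX509 exposes DN components of an already validated certificate as attributes vouched for by its CA.
func fromX509(subject pkix.Name, ca string) []Attribute {
	attrs := []Attribute{{ca, "x509:CN", subject.CommonName}}
	for _, o := range subject.Organization {
		attrs = append(attrs, Attribute{ca, "x509:O", o})
	}
	return attrs
}

// Rule: the named attribute must come from the issuer authoritative for it, with an acceptable value (deny overrides).
type Rule struct {
	Name, Issuer string
	AnyOf        map[string]bool
}

func decide(attrs []Attribute, rules []Rule) (bool, string) {
	for _, r := range rules {
		ok := false
		for _, a := range attrs { // an attribute from any other issuer is simply not counted
			ok = ok || (a.Name == r.Name && a.Issuer == r.Issuer && r.AnyOf[a.Value])
		}
		if !ok {
			return false, "deny: no acceptable " + r.Name + " from " + r.Issuer
		}
	}
	return true, "permit"
}

// authorize handles one request: the peer authenticated with a certificate (subject, issuing CA)
// and the AA answered the Attribute Requestor's query about that DN with samlDoc.
func authorize(certSubject pkix.Name, ca string, samlDoc []byte, rules []Rule) (bool, string, error) {
	subject, samlAttrs, err := fromSAML(samlDoc)
	if err != nil {
		return false, "", err
	}
	if dn := certSubject.ToRDNSequence().String(); subject != dn {
		return false, "", fmt.Errorf("assertion is about %q, not the authenticated %q", subject, dn)
	}
	ok, why := decide(append(samlAttrs, fromX509(certSubject, ca)...), rules)
	return ok, why, nil
}

// Constructed sample input (not from the page): an AA's answer about jdoe's DN.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="urn:mace:example.edu:aa">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>CN=jdoe,O=Example Grid</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:isMemberOf"><saml:AttributeValue>grid-project-x</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// Constructed policy: membership must be asserted by the campus AA, the organisation by the CA.
var samplePolicy = []Rule{
	{Name: "urn:mace:dir:attribute-def:isMemberOf", Issuer: "urn:mace:example.edu:aa", AnyOf: map[string]bool{"grid-project-x": true}},
	{Name: "x509:O", Issuer: "Example Grid CA", AnyOf: map[string]bool{"Example Grid": true}},
}

func main() {
	subject := pkix.Name{Organization: []string{"Example Grid"}, CommonName: "jdoe"}
	fmt.Println(authorize(subject, "Example Grid CA", []byte(sampleAssertion), samplePolicy))
}
```

The two rules are deliberately satisfied from different sources, one by the SAML assertion and one by the certificate, which is the point of the common format: once both are `Attribute` values with an issuer, `decide` does not care where they came from. The subject comparison in `authorize` is the GridShib-specific step; without it an assertion the AA issued about some other DN would be accepted for whoever presents it.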
