IAM Online Federated Services for Scientists Thursday, December 9, 2010 – 1 p.m. EST Rachana Ananthakrishnan Argonne National Laboratory & University of Chicago Jim Basney National Center for Supercomputing Applications University of Illinois IAM Online is brought to you by InCommon, in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group 1

Upload: tranphuc

Post on 30-May-2018

213 views

Category:

Documents


0 download

TRANSCRIPT


Scientific & Scholarly Collaboration Online

•  Should be as easy as current social networking, but with suitable security & attribution
•  To do that we need …
   –  Valuable services to be online
      •  Integrated wholes, not toolkits remaining to be assembled
   –  Scale up access to them
      •  Federated access, both SAML and OpenID as appropriate
      •  InCommon & other federations to grow, and to support LoA
   –  Get IT out of the way
      •  Campuses must up their game, implement Silver & uApprove
      •  Collaboration frameworks with standardized interfaces that make it easy to dock domesticated applications

Two Steps Along the Road

•  Rachana Ananthakrishnan
   –  Principal Software Development Specialist, Argonne National Lab/University of Chicago
   •  Globus Online
      –  An integrated online cyberinfrastructure service
•  Jim Basney
   –  Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois
   •  CILogon
      –  Providing federated access to cyberinfrastructure

globusonline.org

Globus Online: Reliable File Transfer. No IT Required.

Federated Access to Science Services and Infrastructures

Rachana Ananthakrishnan Argonne National Laboratory & University of Chicago


Globus Toolkit: Build the Grid
   Components for building custom grid solutions
   globustoolkit.org

Globus Online: Use the Grid
   Cloud-hosted file transfer service
   globusonline.org

Globus: www.globus.org


Problem Space Examples

#  User                      Data location               Characteristics
1  Nuclear Scientist         Oakridge to NERSC           Two security domains, blocked by transfer, repetitive task
2  Visualization Specialist  TeraGrid (Kraken) to NERSC  Two security domains, no dedicated high-bandwidth network, ad hoc task
3  System Administrator      To GFDL                     Many security domains, administrative task, deadline bound
4  System Builder            To and from NERSC           Many security domains, support ad hoc users, legacy code integration, multiple science domains


Globus Online Solution

•  Hosted file transfer management capabilities
   –  Transfers and synchronizes files and directories
•  Asynchronous interfaces for
   –  Transfer
   –  Monitoring
   –  Notification
•  Multiple interfaces for integration
   –  REST API
   –  “CLI 2.0” using SSH/GSISSH
   –  Website


Benefits of Globus Online

•  Easy “fire and forget” file transfers
•  Automatic fault recovery
•  High performance
•  Simplify use of multiple security domains
•  No client software installation
•  New features automatically available
•  Consolidated support and troubleshooting


User Workflow

•  Creates a new profile
•  Configures profile
•  Adds or discovers endpoints
•  Activates endpoints
•  Submits transfers
•  Monitors transfers
•  Receives notification of events


Profile Management

•  User creates a profile at registration
   –  Uses an existing identity
   –  Can associate multiple identities with the profile
•  Website logins:
   –  OpenID Identity Provider
   –  MyProxy servers
•  CLI logins:
   –  SSH public key
   –  X.509 certificate

Login (screenshot)

Login Accounts (screenshot)

CLI Accounts (screenshot)

Endpoint Management

•  Configure endpoints:
   –  Host/port
   –  Default MyProxy server
   –  Public endpoints
•  Discover endpoints:
   –  Add to personal list
•  Endpoint activation:
   –  MyProxy or GSISSH delegation
   –  Pause transfer and notify on credential expiration
   –  Resume transfer on credential renewal
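The activation rule above (pause on credential expiration, notify, resume on renewal) as an added Python example; this is not Globus Online's code. The Endpoint and Transfer records, the five-minute safety margin, the endpoint names and the notification callback are assumptions, and the MyProxy or GSISSH delegation that produces the credential is left out.

```python
# Added example, not Globus Online code: a scheduler that honours the activation rule
# above, pausing a task when the delegated credential for either endpoint is about to
# expire and resuming it once the user re-activates.  The endpoint/task records, the
# 5-minute safety margin and the notification callback are assumptions; the MyProxy or
# GSISSH delegation that produces the credential is not shown.
from dataclasses import dataclass, field

MARGIN_S = 300   # do not start a step with less than five minutes of credential left (assumed)


@dataclass
class Endpoint:
    name: str
    cred_expires: float = 0.0   # epoch seconds at which the delegated proxy expires; 0 = not activated

    def activate(self, now, lifetime_s):
        """Record a freshly delegated credential (MyProxy or GSISSH delegation not shown)."""
        self.cred_expires = now + lifetime_s

    def usable(self, now):
        return self.cred_expires - now > MARGIN_S


@dataclass
class Transfer:
    task_id: str
    src: Endpoint
    dst: Endpoint
    files: list
    done: list = field(default_factory=list)
    state: str = "ACTIVE"        # ACTIVE -> PAUSED (credential) -> ACTIVE -> SUCCEEDED


class TransferService:
    def __init__(self, notify):
        self.notify = notify     # callback(task_id, message), e.g. an e-mail to the user
        self.tasks = {}

    def submit(self, task):
        self.tasks[task.task_id] = task
        return task.task_id

    def step(self, now):
        """One scheduler pass: move each task one file forward, or pause it on a stale credential."""
        for t in self.tasks.values():
            if t.state == "SUCCEEDED":
                continue
            stale = [e.name for e in (t.src, t.dst) if not e.usable(now)]
            if stale:
                if t.state != "PAUSED":          # notify once, not on every pass
                    t.state = "PAUSED"
                    self.notify(t.task_id, "credential expired for " + ", ".join(stale) + "; re-activate to resume")
                continue
            if t.state == "PAUSED":
                t.state = "ACTIVE"
                self.notify(t.task_id, "credential renewed; resuming")
            t.done.append(t.files[len(t.done)])
            if len(t.done) == len(t.files):
                t.state = "SUCCEEDED"
                self.notify(t.task_id, "transfer complete")


def demo():
    """Constructed scenario: the destination's proxy is short-lived and expires mid-transfer."""
    events = []
    svc = TransferService(lambda task_id, msg: events.append((task_id, msg)))
    src, dst = Endpoint("oakridge#dtn"), Endpoint("nersc#dtn")   # assumed endpoint names
    src.activate(now=0, lifetime_s=3600)
    dst.activate(now=0, lifetime_s=700)
    svc.submit(Transfer("task-1", src, dst, ["a.dat", "b.dat", "c.dat"]))
    for now in (0, 500, 600):
        svc.step(now)
    dst.activate(now=600, lifetime_s=3600)   # user re-activates the endpoint via MyProxy
    for now in (700, 800):
        svc.step(now)
    return svc.tasks["task-1"], events
```

The margin is the practitioner's detail: a transfer step started with seconds of proxy lifetime left fails part-way with an authentication error at the remote GridFTP server, so the scheduler refuses to start one unless the credential will outlive it, and it notifies once per expiry rather than on every pass.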

Transfer (screenshot)

Activation using MyProxy (screenshot)

Planned Features

•  Transfer:
   –  Light-weight transfer agent
   –  Support for other transfer protocols
   –  Integration with Condor
•  Security:
   –  Accept campus credentials (InCommon Identity Providers)
   –  Support OAuth-based delegation
   –  Facilitate sharing of transfer tasks
      •  Group and policy management


Future Work

•  Higher-level data management capabilities
   –  Data publication
   –  Replication
•  Job management capabilities
•  Provisioning of collaboration tools


Thank You!

For more information: www.globusonline.org [email protected]

Federated Access to Science Services and Infrastructures

Jim Basney

[email protected]

CILogon

This material is based upon work supported by the National Science Foundation under grant number 0943633. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

CILogon www.cilogon.org 21

CILogon Goal

•  Facilitate campus logon to CI
   –  Leverage researchers’ existing credentials at their home institution
   –  Ease credential management for researchers and CI providers
•  Bridge from:
   –  Credentials issued by InCommon Federation members using SAML web browser single sign-on
•  Bridge to:
   –  X.509 certificates that satisfy the requirements of CI projects


Prior Work: go.teragrid.org

•  Campus login to TeraGrid
•  31 campuses so far (including all CIC schools)
•  In production since September 2009
•  1000+ certificates issued so far to 65+ users
•  Integration with portal.teragrid.org underway
•  IDtrust 2010 paper: “Federated Login to TeraGrid” (http://middleware.internet2.edu/idtrust/2010/)


New Service: cilogon.org

•  No TeraGrid account required
•  Delivers certificates to desktop, browser, and portals
•  Available certificate lifetimes: from 1 hour to 13 months
•  3 Certification Authorities:
   –  Silver: InCommon Silver IDs
   –  Basic: any InCommon IDs
   –  OpenID: any OpenIDs
•  Available now!


CILogon Portal Delegation

•  Grid Portals and Science Gateways provide web interfaces to CI
   –  Portals/Gateways need certificates to access CI on researchers’ behalf
•  CILogon Delegation Service allows researchers to approve certificate issuance to portals (via OAuth)
•  www.cilogon.org/portal-delegation

[Diagram: the researcher’s Web Browser accesses the Portal; the Portal requests a certificate from CILogon; the researcher authenticates to CILogon and approves the access; the Portal then uses the certificate to access CI.]
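The approval flow on this slide as an added Python example of the three-legged OAuth 1.0a exchange between a portal and a CILogon-style delegation service, with the service verifying every signed call (registered portal, timestamp window, nonce replay, token binding, HMAC-SHA1 signature). This is not CILogon's code: the signature construction is the one RFC 5849 specifies, but the base URL, the certreq/certlifetime parameters, the five-minute window and the in-memory token tables are assumptions.

```python
# Added example (not CILogon's own code): three-legged OAuth 1.0a (RFC 5849) delegation
# between a science portal and a CILogon-style delegation service.  The certreq and
# certlifetime parameters, the base URL and the in-memory tables are assumptions.
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

CILOGON = "https://cilogon.example/oauth"   # assumed base URL
MAX_LIFETIME_H = 13 * 30 * 24               # slide: lifetimes from 1 hour to 13 months

def pct(value):
    """RFC 3986 percent-encoding as OAuth 1.0a requires (unreserved: A-Z a-z 0-9 - . _ ~)."""
    return quote(str(value), safe="-._~")

def base_string(method, url, params):
    """RFC 5849 3.4.1: METHOD & enc(url) & enc(sorted k=v pairs), oauth_signature excluded."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items() if k != "oauth_signature")
    return "&".join([method.upper(), pct(url), pct("&".join(f"{k}={v}" for k, v in pairs))])

def hmac_sha1(method, url, params, consumer_secret, token_secret=""):
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string(method, url, params).encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def sign_request(method, url, consumer_key, consumer_secret, extra, token=None, now=None):
    """Portal side: add the oauth_* parameters and an HMAC-SHA1 signature to a request."""
    params = {"oauth_consumer_key": consumer_key, "oauth_nonce": secrets.token_hex(8),
              "oauth_signature_method": "HMAC-SHA1", "oauth_version": "1.0",
              "oauth_timestamp": str(int(time.time() if now is None else now)), **extra}
    token_secret = ""
    if token:                                   # (token, token_secret) from an earlier leg
        params["oauth_token"], token_secret = token
    params["oauth_signature"] = hmac_sha1(method, url, params, consumer_secret, token_secret)
    return params

class DelegationService:
    """CILogon side: registered portals, replay cache, request and access tokens."""
    def __init__(self, portals, clock=time.time):
        self.portals, self.clock = dict(portals), clock   # consumer_key -> consumer_secret
        self.seen, self.tokens = set(), {}                 # replay cache; token -> record

    def _verify(self, method, path, params, kind=None):
        """Check portal, timestamp window, nonce freshness, token binding and signature."""
        key = params.get("oauth_consumer_key")
        if key not in self.portals:
            raise PermissionError("unknown portal")
        ts = int(params.get("oauth_timestamp", "0"))
        if abs(self.clock() - ts) > 300:
            raise PermissionError("timestamp outside window")
        replay = (key, ts, params.get("oauth_nonce"))
        if replay in self.seen:
            raise PermissionError("nonce replay")
        rec = self.tokens.get(params.get("oauth_token")) if kind else None
        if kind and (rec is None or rec["kind"] != kind or rec["portal"] != key):
            raise PermissionError(f"no valid {kind} token for this portal")
        expected = hmac_sha1(method, CILOGON + path, params, self.portals[key],
                             rec["secret"] if rec else "")
        if not hmac.compare_digest(expected, params.get("oauth_signature", "")):
            raise PermissionError("bad signature")
        self.seen.add(replay)
        return key, rec

    def initiate(self, params):
        """Leg 1: the portal asks for a request token, carrying its CSR and wanted lifetime."""
        key, _ = self._verify("POST", "/initiate", params)
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = {"kind": "request", "portal": key, "secret": secret,
                              "csr": params["certreq"], "user": None, "verifier": None,
                              "lifetime": min(max(int(params["certlifetime"]), 1), MAX_LIFETIME_H)}
        return token, secret

    def authorize(self, token, user_dn):
        """Leg 2, in the researcher's browser: campus SSO login, then approval of this portal."""
        rec = self.tokens[token]
        rec["user"], rec["verifier"] = user_dn, secrets.token_hex(6)
        return rec["verifier"]

    def token(self, params):
        """Leg 3: exchange an approved request token (plus verifier) for an access token."""
        _, rec = self._verify("POST", "/token", params, kind="request")
        if rec["user"] is None or params.get("oauth_verifier") != rec["verifier"]:
            raise PermissionError("request token not approved by a user")
        del self.tokens[params["oauth_token"]]
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[token] = dict(rec, kind="access", secret=secret)
        return token, secret

    def getcert(self, params):
        """Protected resource: a certificate for the approved CSR, in the approving user's name."""
        _, rec = self._verify("GET", "/getcert", params, kind="access")
        return {"subject": rec["user"], "lifetime_hours": rec["lifetime"], "csr": rec["csr"]}

def run_flow(service, key, secret, user_dn, csr, lifetime_h):
    """Drive the three legs as a portal would and return the issued record."""
    rt = service.initiate(sign_request("POST", CILOGON + "/initiate", key, secret,
                                       {"certreq": csr, "certlifetime": str(lifetime_h)}))
    verifier = service.authorize(rt[0], user_dn)          # happens in the user's browser
    at = service.token(sign_request("POST", CILOGON + "/token", key, secret,
                                    {"oauth_verifier": verifier}, token=rt))
    return service.getcert(sign_request("GET", CILOGON + "/getcert", key, secret, {}, token=at))
```

The point of the three legs is that the portal never sees the researcher's campus password: the approval happens in the researcher's own browser session with CILogon, and the portal only holds tokens bound to its consumer secret. The service-side checks are what make that hold up: a portal cannot alter certlifetime after signing, cannot resubmit a captured request, and cannot redeem a request token another portal obtained or one the user never approved.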


Why certificates?

•  Command-line apps, non-web apps
•  Multi-stage, unattended batch workflows
•  Significant worldwide CI investment in PKI
   –  Software, operations, standards, etc.


International Grid Trust Federation

•  Worldwide accreditation of grid CAs
   –  Relying Parties: TeraGrid, Open Science Grid, European Grid Infrastructure, Worldwide LHC Computing Grid, and others
   –  Standards: CA operations, key management, subscriber identity vetting, certificate profiles
•  www.igtf.net


CILogon and IGTF

•  CILogon CA operations, key management, and certificate profiles meet IGTF standards
•  Issue: subscriber ID vetting & authentication
   –  Goal: rely on campuses for this
   –  Need minimum standards for campus practices
   –  Approach: rely on InCommon Identity Assurance
•  Status:
   –  CILogon Silver CA accredited October 2010
   –  Now waiting for InCommon Silver campuses…
   –  CILogon Basic & OpenID CAs operating without IGTF accreditation


Attribute Release

•  The “boarding process” challenge:
   –  CI users are spread across many campuses
   –  Often few CI users on each campus
•  Each campus must approve release of attributes to cilogon.org / go.teragrid.org
   –  CILogon needs ePTID/ePPN, mail, givenName and surname
   –  Self-service sign-up: https://cilogon.org/secure/testidp/
•  Good application for user consent based attribute release (uApprove)
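The boarding check on this slide, together with the three-CA choice from the “New Service: cilogon.org” slide, as an added Python example of what a SAML-to-PKI bridge does with a released attribute set; this is not CILogon's code. The required attributes and the CA names are the slides'; the certificate-subject layout, the Silver assurance-profile identifier, the IdP registry, the per-user serial and the assumption that OpenID logins are normalised to the same attribute names are all mine.

```python
# Added example, not CILogon's code: the attribute-release ("boarding") check and the
# SAML-attribute-to-certificate-subject mapping a SAML-to-PKI bridge performs.  Required
# attributes and CA names come from the slides; the DN layout, the assurance-profile
# identifier, the IdP registry and the per-user serial scheme are assumptions.
from dataclasses import dataclass, field

SILVER_IAP = "http://id.incommon.org/assurance/silver"   # assumed profile identifier
REQUIRED = ("mail", "givenName", "sn")                   # slide: mail, givenName, surname
IDENTIFIERS = ("eduPersonTargetedID", "eduPersonPrincipalName")   # slide: ePTID/ePPN
MIN_LIFETIME_H, MAX_LIFETIME_H = 1, 13 * 30 * 24          # slide: 1 hour to 13 months


def missing_attributes(attrs):
    """Attributes the IdP did not release; an empty list means boarding succeeded.
    attrs is assumed already normalised to these names whether the login was SAML or OpenID."""
    missing = [a for a in REQUIRED if not attrs.get(a)]
    if not any(attrs.get(i) for i in IDENTIFIERS):
        missing.append("eduPersonTargetedID or eduPersonPrincipalName")
    return missing


def escape_rdn(value):
    """RFC 4514 escaping, so an IdP-supplied name cannot smuggle extra RDNs into the subject."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


@dataclass
class Bridge:
    idps: dict                                    # entityID -> {"type", "org", "silver"} (assumed registry)
    serials: dict = field(default_factory=dict)   # (entityID, identifier) -> stable CN suffix

    def select_ca(self, idp_id, attrs):
        """Silver only when the IdP is Silver-certified AND asserts it; Basic for other
        InCommon IdPs; OpenID for OpenID providers.  An uncertified IdP asserting Silver
        still gets Basic: the assertion value alone is not evidence."""
        idp = self.idps[idp_id]
        if idp["type"] == "openid":
            return "OpenID"
        if idp["type"] != "incommon":
            raise ValueError(f"{idp_id}: neither an InCommon member nor an OpenID provider")
        if idp.get("silver") and SILVER_IAP in attrs.get("eduPersonAssurance", []):
            return "Silver"
        return "Basic"

    def subject(self, idp_id, attrs):
        """CILogon-style subject (assumed layout): CN=<given> <sn> <serial>,O=<org>,C=US,DC=cilogon,DC=org.
        The serial is bound to the IdP's persistent identifier so renames keep the same subject."""
        ident = next(attrs[i] for i in IDENTIFIERS if attrs.get(i))
        serial = self.serials.setdefault((idp_id, ident), f"A{len(self.serials) + 1}")
        rdns = [("CN", f"{attrs['givenName']} {attrs['sn']} {serial}"),
                ("O", self.idps[idp_id]["org"]), ("C", "US"), ("DC", "cilogon"), ("DC", "org")]
        return ",".join(f"{k}={escape_rdn(v)}" for k, v in rdns)

    def issue(self, idp_id, attrs, lifetime_h):
        """Boarding check, CA choice, subject and clamped lifetime for one login."""
        missing = missing_attributes(attrs)
        if missing:
            raise PermissionError("IdP must release: " + ", ".join(missing))
        return {"ca": self.select_ca(idp_id, attrs), "subject": self.subject(idp_id, attrs),
                "lifetime_hours": min(max(int(lifetime_h), MIN_LIFETIME_H), MAX_LIFETIME_H)}
```

Two details matter more than they look: the subject is built from escaped values so a surname containing a comma cannot append an RDN, and the serial is keyed on the persistent identifier the campus released, so the same person keeps the same subject across logins while two users who share a name do not collide.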


Conclusions

•  We’re leveraging campus credentials for access to cyberinfrastructure
   –  SAML to PKI bridges: go.teragrid.org & cilogon.org
•  We’re looking forward to new InCommon capabilities
   –  Identity Assurance (Silver)
   –  Consent-based attribute release (uApprove)


Thanks

For more information:

www.cilogon.org

[email protected]

Survey

Please complete the survey about today’s IAM Online: http://www.surveymonkey.com/s/IAMOnline12

Next IAM Online (www.incommon.org/iamonline): Wednesday, January 12, 2011 – 3 p.m. EST. Tentative topic: Panel Discussion on Identifiers

Thank you to InCommon Affiliates for helping to make IAM Online possible.

Brought to you by InCommon, in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group