![Page 1: Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management](https://reader036.vdocument.in/reader036/viewer/2022081515/56649dd15503460f94ac7cd8/html5/thumbnails/1.jpg)
Jens G Jensen
CCLRC e-Science
Single Sign-on to the Grid
Federated Access and
Integrated Identity Management
The Problem
• Integrated Access (Authentication)
• Identity management
• Implemented locally…
• …integrate with future national efforts…
• …and international
What’s in SSO?
• Identity mgmt, User mgmt
• Credential conversions
– Certificates, AD/K5
– Protection of credentials
• Thin clients vs thick clients
• Passwords and passphrases
– Single password to all resources
What’s in SSO?
Portals
MyProxy
VOMS
Java gsissh terminal
SDSC SRB
SRM
Tapestore
Active Directory/Kerberos
Challenge: get distinct components to talk together
Authentication – web based
• If on-site, use federal id (Active Directory/Kerberos)
• If off-site, use certificate
– if loaded into browser
• Otherwise username/password
– Same as fed username/password
– Not allowed to store password…
• System must know these are the same
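The decision order on this slide, as an added example that is not part of the original deck: pick the web login method from what the request carries, then map a Kerberos principal, a browser certificate DN or a federated username/password back to the one federated identity the system has to recognise as the same person. The on-site network, the Kerberos realm, the DN-to-username table and the site password check are constructed placeholders; the example also falls through to the other methods when an on-site browser cannot present a Kerberos token, which the deck only implies.

```python
# Added example (not from the slides): select the web authentication method and
# unify all three credential forms into one federated identity.
import ipaddress
import re

ONSITE_NET = ipaddress.ip_network("192.0.2.0/24")   # constructed "on-site" range
FED_REALM = "EXAMPLE.AC.UK"                          # constructed Kerberos realm

# Constructed map from certificate subject DN to federated username. In a real
# deployment this comes from the identity management store, not a literal.
DN_TO_FED_USER = {
    "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example": "alice",
}


def select_method(client_ip, has_browser_cert, has_kerberos_token):
    """Pick the mechanism in the slide's order: on-site AD/Kerberos, then a
    certificate loaded into the browser, otherwise the federated password."""
    if ipaddress.ip_address(client_ip) in ONSITE_NET and has_kerberos_token:
        return "kerberos"
    if has_browser_cert:
        return "certificate"
    return "password"


def site_verify(user, secret):
    """Stand-in (constructed) for the pass-through check against site
    authentication; the password is verified here, never persisted."""
    return (user, secret) == ("alice", "correct horse")


def resolve_identity(method, credential):
    """Reduce the credential to the federated username, or None if it cannot
    be tied to a known federated user (foreign realm, unknown DN, bad password)."""
    if method == "kerberos":
        # Principal must be in our own realm to count as the federal id.
        m = re.fullmatch(r"([^@/]+)@" + re.escape(FED_REALM), credential)
        return m.group(1) if m else None
    if method == "certificate":
        return DN_TO_FED_USER.get(credential)
    if method == "password":
        user, secret = credential
        return user if site_verify(user, secret) else None
    return None
```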
Web (HTTPS) based SSO
• Easier to implement servers
– Apache can do Everything™
– Not trivial to integrate with existing Java portals
– Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
• Lots of HTTP tools that understand security
• Future proof, when UK goes to Shibboleth
Client Side – from outside CCLRC
[Diagram, old slide: Portal, Certificate, VOMS, SRB, The Grid]
Client Side – from within CCLRC
[Diagram, old slide: Portal, MyProxy, VOMS, Microsoft Active Directory, SRB, The Grid]
SRB
• SRB provides SSO
• But not with everybody else’s…
• S commands can be used with GSI and with username/password
• inQ doesn’t understand certificates
[Diagram: The Grid, SRB, The Beam]
MyProxy
• MyProxy essential to SSO to Grid
– Because Grid requires X.509 certs
• Call out to site authentication
– For username/password maintenance
• Investigating new MyProxy+PAM
Status – Users
• Need certificates for Grid work
• Once every year, obtain/renew cert
– Usability of CA improved with upgrade
– Will resurrect applets
• Once every week, renew proxy
– Upload tool in Java, another in python
• Once every day
– Log in to Windows (or Linux kinit)
Status – software
• Prototype portal (python)
– Thin clients (web browser)
– Fetches proxy from myproxy
– AD/K5 works with IE and certain Linux browsers
• Components for thick clients
– Fetches proxy locally from MyProxy
Authorisation
[Diagram: Microsoft Active Directory, Corporate Data Repository, LDAP, VOMS, MyProxy, Gridmapfile]
Combining Grid Authorisation
[Diagram: three LDAP directories, CCLRC, NGS, LCG, GridAUZ]
Future work
• VOMS
• Extending collaboration
– Related Shib work with Oxford
• Grid access for non-certificate users
• DLS & IB very interested (+BDWorld?)
• Ponder credential conversions/protection
– Work on-going between CAs in IGTF
Summary
• Prototype SSO access to Grid
• Existing implementations, added glue
• Loads of other minor things that need doing
• Integrating with other SSO efforts
• Facilities’ user offices maintain ids
• More authorisation work req’d