EMI INFSO-RI-261611
AAI in EEF Projects
John White (Helsinki University), EMI Security Area Leader
Outline
• Authentication and Authorization Infrastructures (AAI) deployments
• Authentication: Who are you?
• Authorization: What are you allowed to do?
  – EGI
  – GEANT
  – DEISA/PRACE
  – Ensuring co-operation of the services.
  – Deployment of the co-operating service
02/11/2010 European E-infrastructure Forum, CERN 2
AAI in EGI
• EGI has inherited the infrastructures of NGIs
  – gLite:
    • Short-Lived Credential Service (SLCS): Shib (SAML) to X.509
    • VOMS Attributes from Shibboleth (VASH)
    • Security Token Service (STS)
  – UNICORE:
    • Username/password for short-lived certificate (SLC)
    • GridShib-CA with embedded SAML assertions
    • Web adapter interacts with GridShib-CA, Service Provider (SP), Identity Provider (IdP), Where Are You From-Discovery Service (WAYF-DS)
    • DEISA connection...
• Notes:
  – X.509 used for Authentication to the above "Grids"
  – X.509+Fully-Qualified Attribute Name (FQAN)/SAML used for Authorization later
AAI for DEISA/PRACE
• Aim: Global federated namespace, single sign-on
• Authentication: X.509-based PKI. IGTF accredited CAs
• Users may acquire X.509 from SLCS or Terena Certificate Service (TCS)
• DEISA Authorization done using LDAP information (attributes)
• Other projects' Authorization uses X.509+FQAN
• Updates Authorization DBs (UNICORE UUDB and GT4 grid-mapfile)
• DEISA options:
  – Operate a VOMS server feeding the information from the LDAP system?
  – Import VOMS information into LDAP system?
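The "X.509+FQAN" authorization and the GT4 grid-mapfile named on the slide, as an added Python example that is not part of this talk or of any EMI, EGI or DEISA software: it parses a constructed grid-mapfile (quoted subject DN, then local account) and VOMS-style FQANs, then maps a request to a local account, most specific FQAN match first (group path with Role before plain group), with the DN-only grid-mapfile entry as fallback. The VO name, DNs, account names and GROUP_MAPFILE table are made up for the example; Capability= is parsed and ignored.

```python
import re
# Constructed grid-mapfile (GT4 format: quoted subject DN, then local account(s)).
GRID_MAPFILE = '''
"/DC=org/DC=example/CN=Alice Researcher" alice
"/DC=org/DC=example/CN=Bob Operator" bob,bobops
'''

# Constructed group-map: FQAN path (optionally with Role) -> local account.
GROUP_MAPFILE = {
    "/demo.vo/Role=admin": "demoadm",
    "/demo.vo/analysis": "demoana",
    "/demo.vo": "demo",
}

def parse_gridmap(text):
    """Return {DN: [accounts]}; skips blank lines and '#' comments."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping

def parse_fqan(fqan):
    """Split '/vo/grp/Role=r/Capability=c'; VOMS writes NULL for 'unset'."""
    parts = [p for p in fqan.split("/") if p]
    if not parts or "=" in parts[0]:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    out = {"groups": [parts[0]], "role": None}
    for p in parts[1:]:
        if p.startswith("Role="):
            out["role"] = None if p[5:] == "NULL" else p[5:]
        elif not p.startswith("Capability="):
            out["groups"].append(p)
    return out

def authorize(dn, fqans, gridmap):
    """X.509 DN + FQAN decision: most specific FQAN match first, then DN."""
    for f in map(parse_fqan, fqans):
        for n in range(len(f["groups"]), 0, -1):
            path = "/" + "/".join(f["groups"][:n])
            for key in ([f"{path}/Role={f['role']}"] if f["role"] else []) + [path]:
                if key in GROUP_MAPFILE:
                    return GROUP_MAPFILE[key]
    accounts = gridmap.get(dn)
    return accounts[0] if accounts else None
```

A request with no matching FQAN and no grid-mapfile entry returns None, which the caller should treat as a deny.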
AAI for GEANT
• Networking...
• eduroam: secure roaming access
  – Hierarchical series of RADIUS servers
• eduGAIN: Confederation of Identity Providers
  – SOAP+RADIUS, Shibboleth, PAPI, A-Select, simpleSAMLphp
• eduPKI: Federated CAs
  – X.509
• educonf: Collaborative environment
• GIdP: GEANT Identity Provider, temporary before eduGAIN
Future Direction
• "Proposed approach for ensuring co-operation of the service across the EEF infrastructures."
• "Service"? Authentication
  • X.509 for Authentication.
  • Common service/protocol to obtain X.509: Shibboleth/SAML.
• "Service"? Authorization
  • Authorization by X.509+FQAN or SAML
  • Proposed common Authorization: Argus
Future Direction
• "Steps necessary to deploy the co-operating service in production and possible timeline"
• Next talk...
Future Direction
• EMI has held a workshop at EGI TF
  – "AAI needs of DCIs"
    https://www.egi.eu/indico/sessionDisplay.py?sessionId=11&slotId=0&confId=48#2010-09-14
• Many (11) communities/projects represented
• Repeated themes:
  – Federated Identity
  – User confidentiality
  – Users do not like to handle credentials
• Document (still) under work!
No VASH (diagram slide; figure not extracted)
VASH (diagram slide; figure not extracted)
STS (diagram slide; figure not extracted)
STS (diagram slide; figure not extracted)