
Single Sign-on at RAL (and DLS too)

Single Sign-on at RAL (and DLS too). Authentication and Integrated Identity Management. hepsysman Cambridge, 23 Oct 2006. Contents (approximately). Goals Current status Site authentication Grid authentication Authorisation Terminal access. The Problem.


Presentation Transcript


  1. Single Sign-on at RAL (and DLS too)
     Authentication and Integrated Identity Management
     hepsysman Cambridge, 23 Oct 2006

  2. Contents (approximately)
     • Goals
     • Current status
     • Site authentication
     • Grid authentication
     • Authorisation
     • Terminal access

  3. The Problem
     • Integrated Access (Authentication)
     • Identity management
     • Implemented locally…
     • …integrate with future national efforts…
     • …and international

  4. What is SSO?
     • Central password management
       • Don’t reuse the same password
       • Stored securely in one location
     • Central account management
       • ISIS, DLS, CLF – 14500 users
       • Keep up to date
       • User office can add new ones

  5. What is SSO?
     • Use account with all resources
       • cf. Grid – certificate used with all grids (well, sort of)
       • Shibboleth, with web resources
     • Generally requires consistent attribute management (resp., VOM(S), AAs)

  6. Authentication – web based
     • If on-site, use federal id (Active Directory/Kerberos)
     • If off-site, use certificate
       • if loaded into browser
       • Otherwise username/password
         • Same as fed username/password
         • Not allowed to store password…
         • System must know these are the same

  7. Account Management
     • DLS: Vintela for account management
       • Commercial
       • Accounts and password managed across Windows & Linux
       • PAM module for Linux
       • Allows users to reset passwords &c

  8. Site Authentication
     • Microsoft Active Directory (2000/2003)
       • Compatible with Kerberos 5
       • As long as server is MS
     • Publishing data
       • “Corporate Data Repository”
       • RFC2307

  9. Grids
     • GridPP
       • More complex middleware stack
       • Plain ol’ ssh login
       • Uses VOMS for authorisation
     • NGS & SCARF
       • Basic Globus 2.4 toolkit (VDT dist)
       • gsissh login (more later)
       • Basic (Unix group) or no VO mgmt

  10. “Data Grids”
     • i.e., SRB (new one will be different?)
     • Can use X.509 or username/password
       • Password stored in file in ~
     • Not integrated:
       • inQ uses username/password only
       • X.509 must be compiled in
     • Integrate with everything else?
       • Separate db column for SRB ids?

  11. Shibboleth
     • Site password to common web resources
     • Web-resources
       • Depends on http proto (eg redirects)
     • SWITCH in EGEE
       • Work on Shibifying middleware, starting with gatekeeper
     • Shib2 will be less web-specific

  12. Shibboleth deployment
     • SDSS
       • JISC funded, under core middleware programme
       • Early deployment of UK Federation
     • UK Federation will encompass all HEI and FEI
     • SDSS will become UK Federation

  13. Shibboleth Deployment
     • CCLRC has IdP in SDSS
       • Doesn’t cover all site, only ShibGrid project
     • ShibGrid? Shibboleth access to Grid
       • Collab ‘tween Oxford & CCLRC
     • IdP?
       • SSO (password) and AA (attributes)

  14. Shibboleth Deployment
     • Shibboleth Service Provider:
       • Portals (for NGS) to access Grid
       • “ShibGrid” project
     • MyProxy
       • Used for credential conversion

  15. Java SSH Term
     • Written in Java (no, really)
     • Standalone – untar and run
     • Applet
     • xterm
       • Understands (most) ANSI control seqs

  16. Java SSH Term
     • Took open source terminal (in sf.net)
     • And GSISSH plugin contrib’d from Canada
     • Authenticate:
       • With site AD/K5 magic biscuit (see later)
       • Via MyProxy (username/password)
       • Via certificate (private key passphrase)

  17. Java SSH Term
     • Picks up magic AD/K5 biscuit
     • Integrated with site Active Directory
       • Callout, no naughty storing passwords
     • Works!
       • But only with Java 1.6 for this
     • Available in beta

  18. Java SSH Term
     [Architecture diagram; labels: Java SSH Term User Interface (showing “> echo hello world” / “hello world”), WN, WN, SRB, SRM, MyProxy, ID database, VOMS]

  19. Java SSH Term – User view
     • Use “proper” Grid (X.509) cert
       • Upload a proxy to myproxy once a week
       • Terminal gets proxies where you need them
     • Or use a proxy from the built-in CA
       • No need for PKCS#12 to PEM conversion
       • Or even no need for understanding certs

  20. Java SSH Term – Admin view
     • Can shut down vanilla ssh
     • Key mgmt is Somebody Else’s Problem™
     • Decreased support load… (potentially)
     • Must trust a MyProxy CA
       • UK: Tie into CA hierarchy
       • Separate hierarchy for NGS

  21. (planned) UK hierarchy
     [Hierarchy diagram; labels: Trusted CA (Explicit Trust), e-Science ROOT, Accredited CA, e-Science CA, Credential conversion top level, NGS Training and Monitoring, Institutional CC CA (three boxes)]

  22. Java SSH Term
     • Try it!
     • http://www.grid-support.ac.uk/
       • Public link may be for the non-AD/K5 one
       • Secret link for the Java 1.6 version
         • Until Java 1.6 is out
         • Email me

  23. User Management
     • DLS and ISIS have 14-15000 users
     • Already ~6-7000 unique users in DB
     • How to establish – and maintain – uniqueness?
     • Users get accounts locally
       • Accounts set up by User Office
       • Give them Unix UID?
       • RFIO and NFS use 16 bit UID…

  24. Vintela
     • Used by Diamond Light Source (synchrotron) – not all of CCLRC/RAL
     • Commercial
     • Manage user accounts across Linux and Windows
     • Uses RFC2307-with-extensions
       • “Make more scalable”
       • Caching daemon makes system scalable

  25. Vintela
     • “Active Roles”
       • Users can unlock their own accounts
       • Questions
     • Scriptable user creation
     • NSS module for NIS
     • PAM module calls out to Active Directory
     • Support for RH, SuSE, Solaris, HPUX, AIX

  26. Future work
     • Better database integration (eduPerson)
     • Identity management (next slide)
       • Users may have different ids in different contexts?
     • Authorisation needed
       • VOMS integration
       • Site attributes, maybe? VO attributes!
       • Combined?

  27. Identity Management – TODO
     • Tie together all the identities in central DB
       • Grid certificates
       • Low assurance (credential conversion) certificates
       • SRB identities
       • Tapestore ids
       • Unix user ids
     • How to populate with initial data…
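The central identity DB that slide 27 calls for, together with the 16-bit UID limit of slide 23 and the "system must know these are the same" requirement of slide 6, as an added Python example that is not part of the original talk or the RAL/CCLRC systems: constructed RFC2307-style LDIF records link each account to its Grid DN, Kerberos principal and SRB id through assumed attribute names (krbPrincipalName, x509SubjectDN, srbUserName), every linked identifier is resolved back to one local account, and uidNumbers that RFIO/NFS cannot carry are reported.

```python
# Added example, not code from the RAL/CCLRC project: map a Grid DN, Kerberos
# principal or SRB id onto one site account, and flag uidNumbers that will not
# fit the 16-bit UID fields RFIO and NFS use. The RFC2307-style LDIF export is
# constructed; krbPrincipalName, x509SubjectDN and srbUserName are assumed names.
SAMPLE_LDIF = """\
dn: uid=jbloggs,ou=People,dc=example,dc=ac,dc=uk
uid: jbloggs
uidNumber: 10231
krbPrincipalName: jbloggs@EXAMPLE.AC.UK
x509SubjectDN: /C=UK/O=eScience/OU=CLRC/L=RAL/CN=joe bloggs
srbUserName: jbloggs@ral

dn: uid=asmith,ou=People,dc=example,dc=ac,dc=uk
uid: asmith
uidNumber: 70001
krbPrincipalName: asmith@EXAMPLE.AC.UK
"""
UID16_MAX = 65535  # largest value a 16-bit UID field can carry
LINK_ATTRS = ("uid", "krbPrincipalName", "x509SubjectDN", "srbUserName")

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line separated entry."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur[attr] = value
    if cur:
        entries.append(cur)
    return entries

def build_index(entries):
    """Map each linked identifier to its account; reject one tied to two accounts."""
    index = {}
    for e in entries:
        for attr in LINK_ATTRS:
            if attr in e:
                if index.get(e[attr], e["uid"]) != e["uid"]:
                    raise ValueError(f"{attr} {e[attr]!r} maps to two accounts")
                index[e[attr]] = e["uid"]
    return index

def uid_problems(entries):
    """Accounts whose uidNumber cannot survive a 16-bit UID field."""
    return [e["uid"] for e in entries if int(e["uidNumber"]) > UID16_MAX]
```

Looking up any identifier in the index returned by build_index gives the canonical account name, so the web front end, the SSH terminal and SRB can all be checked against the same record.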

  28. Summary
     • Terminal access to Grid
       • In production
       • Non-certificate access via myproxy
       • To integrate with CA rollover
       • Handles all grid-proxy-init
     • Much of account mgmt solved
     • Integrating with future SSO efforts
