
Federated A(A(A))I


Presentation Transcript


  1. Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701

  2. Example: Shibboleth
     • Login with home id
     • Like Kerberos
     • Issues SAML assertions
     • To work with web servers
     • Based on HTTP redirects

  3.–7. Shibboleth (diagram repeated on slides 3–7; labels: IdP, AA, WAYF, User, Web server)
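Slides 2–7 describe the redirect flow only as a diagram. The following is an added model of that flow written for this page, not code from the talk or from the Shibboleth project: a service provider (the web server) redirects the user to a WAYF, the WAYF sends the user to the home IdP, the IdP authenticates and its attribute authority releases only what the attribute release policy (ARP) allows for that SP, and the SP validates the returned assertion. HMAC-SHA256 over canonical JSON stands in for SAML's XML signatures, and every entity ID, user, password and key is constructed. The validation steps (issuer known from federation metadata, signature, audience restriction, expiry, replay, InResponseTo) are the checks a real SP makes.

```python
import base64, hashlib, hmac, json, secrets, time


def sign_body(key: bytes, body: dict) -> str:
    """Stand-in for SAML's XML-DSig: HMAC-SHA256 over a canonical serialisation."""
    msg = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


class IdP:
    """Home-organisation identity provider plus its attribute authority (AA)."""
    def __init__(self, entity_id, key, users, arp):
        self.entity_id, self.key = entity_id, key
        self.users = users  # username -> (password, attributes the AA holds)
        self.arp = arp      # attribute release policy: sp_entity_id -> releasable attrs

    def login(self, username, password, sp_entity_id, request_id, lifetime=300):
        pw, attrs = self.users.get(username, (None, {}))
        if pw is None or not hmac.compare_digest(pw, password):
            raise PermissionError("bad credentials")
        allowed = self.arp.get(sp_entity_id, ())
        body = {
            "id": secrets.token_hex(8),          # unique assertion ID, for replay detection
            "issuer": self.entity_id,
            "audience": sp_entity_id,            # AudienceRestriction: only this SP may accept it
            "in_response_to": request_id,        # binds the assertion to the SP's own request
            "not_on_or_after": int(time.time()) + lifetime,
            "attributes": {k: v for k, v in attrs.items() if k in allowed},
        }
        return {"body": body, "signature": sign_body(self.key, body)}


class WAYF:
    """Where-Are-You-From service: sends the user on to their home IdP."""
    def __init__(self, idps):
        self.idps = {idp.entity_id: idp for idp in idps}

    def pick(self, home_entity_id):
        return self.idps[home_entity_id]


class SP:
    """The web server (service provider) that consumes assertions."""
    def __init__(self, entity_id, trusted_keys):
        self.entity_id = entity_id
        self.trusted_keys = trusted_keys  # issuer -> key, i.e. the federation metadata
        self.pending, self.seen = set(), set()  # open request IDs / consumed assertion IDs

    def start_login(self):
        request_id = secrets.token_hex(8)
        self.pending.add(request_id)
        return request_id  # in practice an HTTP redirect to the WAYF carrying this ID

    def consume(self, assertion):
        body, sig = assertion["body"], assertion["signature"]
        key = self.trusted_keys.get(body["issuer"])
        if key is None:
            raise PermissionError("issuer not in federation metadata")
        if not hmac.compare_digest(sign_body(key, body), sig):
            raise PermissionError("bad signature")
        if body["audience"] != self.entity_id:
            raise PermissionError("assertion meant for another SP")
        if time.time() >= body["not_on_or_after"]:
            raise PermissionError("assertion expired")
        if body["id"] in self.seen:
            raise PermissionError("replayed assertion")
        if body["in_response_to"] not in self.pending:
            raise PermissionError("unsolicited assertion")
        self.pending.discard(body["in_response_to"])
        self.seen.add(body["id"])
        return body["attributes"]


def build_federation():
    """Constructed federation: one IdP, one WAYF, one SP, one shared signing key."""
    key = b"constructed-federation-signing-key"
    alice = ("s3cret", {"eppn": "alice@home.example", "affiliation": "staff",
                        "mail": "alice@mail.home.example"})
    idp = IdP("https://idp.home.example", key, users={"alice": alice},
              arp={"https://sp.grid.example": ("eppn", "affiliation")})  # mail is never released
    sp = SP("https://sp.grid.example", {idp.entity_id: key})
    return idp, WAYF([idp]), sp


def federated_login(home, username, password):
    """One pass through the redirect chain; returns the attributes the SP accepts."""
    _, wayf, sp = build_federation()
    request_id = sp.start_login()            # 1. SP redirects the user to the WAYF
    idp = wayf.pick(home)                    # 2. WAYF redirects to the home IdP
    assertion = idp.login(username, password, sp.entity_id, request_id)  # 3. IdP + AA
    return sp.consume(assertion)             # 4. browser posts the assertion back to the SP


def replay_outcome():
    """Present one assertion twice; returns the SP's reason for refusing the second copy."""
    _, wayf, sp = build_federation()
    request_id = sp.start_login()
    idp = wayf.pick("https://idp.home.example")
    assertion = idp.login("alice", "s3cret", sp.entity_id, request_id)
    sp.consume(assertion)
    try:
        sp.consume(assertion)
    except PermissionError as err:
        return str(err)
    return "accepted"
```

`federated_login("https://idp.home.example", "alice", "s3cret")` yields only `eppn` and `affiliation`: the ARP at the IdP decides what leaves the home organisation, which is the point of the "who defines the ARP?" question on slide 9. The SP never sees the password; it trusts the signed assertion because the issuer's key is in its federation metadata, which is why federation policy (who gets into the metadata, and on what terms) matters as much as the protocol.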

  8. What’s good?
     • Implementation of federated identity
     • Needs federation policies
     • Gives SSO to (web) resources
     • Scales authentication
     • Solves the N×M problem
     • Based on standards (SAML, HTTP)
     • Wide national uptake across EU, AU, US, …
     • Can be superfederated

  9. Issues
     • Attributes
        • Q: Who can set the attributes? (A: IdP)
        • Who defines the ARP?
        • Scaling attribute management?
        • What can be released (policy-wise)?
     • Implementation
        • Actual infrastructure stability? (e.g. against upgrades)
        • Webby

  10. Making Use of Existing Infra
     • Using existing credentials
        • E.g. SAML assertions, or RFC3281 ACs
        • Standards based...
     • Convert credentials to something else
        • Example: grid needs certificates
        • Example: “export” K5

  11. Making use of existing infrastructures: Credential Conversion

  12. Shib for CC (diagram; labels: Resource access, Password, Shibboleth, Create certificates instead (portal))

  13. Convert a Credential
     • Example, based on MyProxy from NCSA
     • Shibboleth login
     • “Silently” creates a certificate (and keys)
     • Adds VO attributes

  14. MyProxy for CC (diagram; labels: http://grid.ncsa.uiuc.edu/myproxy/, Grids (NGS, gLite/GridPP, SRB), Kerberos or Active Directory)

  15. And now for something completely the same – back to Federations

  16. Other Federation Tech
     • OpenID
     • Certificates – IGTF, bridge/hierarchies
     • WS-Federation
     • Kerberos – cross domain trust
     • eduRoam
     • Moonshot

  17. Features (or Not)
     • Authentication
     • Credentials: named or anonymised
     • Traceability: can trace original user
     • Supports delegation
     • LoA and LoWF
     • Security
     • Policies & trust
     • Accounting

  18. Cloud Federations Contrail: http://contrail-project.eu/

  19. Role of Federation
     • Make use of existing identity management
     • Provide harmonised accounting
     • Built-in AA, also make use of external

  20. Delegation
     • Of identity (“impersonation”)
        • Cf. GSI proxies
     • Of authority
        • More like roles
        • Or other attributes
        • Or specific actions on objects

  21. Authorisation
     • Access control – granting access to some resource to do some thing at some time
     • According to some policy
     • Based on
        • Identity
        • Roles (RBAC)
        • Group memberships
        • Phase of moon
        • Etc
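Slides 20 and 21 list what an authorisation decision can be based on (identity, roles, group membership, time) and distinguish delegating authority from delegating identity. The following policy decision point is an added example for this page, not code from the talk or any grid middleware; the subjects, rules, resource paths and reference time are all constructed. It evaluates rules keyed on identity, RBAC roles, group membership and time of day, and treats a delegation as a time-limited grant of one action on one resource that is only honoured while the grantor still holds that right. Impersonation, as with a GSI proxy, is the contrast: a proxy acting as alice would get all of alice's rights, whereas the delegation here is scoped to a single action and object.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch
from typing import Callable, Dict, FrozenSet, Iterable


@dataclass(frozen=True)
class Subject:
    name: str
    roles: FrozenSet[str]
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Rule:
    """Permit `action` on resources matching `pattern` while `condition` holds."""
    action: str
    pattern: str
    condition: Callable[[Subject, datetime], bool]


@dataclass(frozen=True)
class Delegation:
    """Delegation of authority: grantor lends one action on one resource, time-limited."""
    grantor: str
    grantee: str
    action: str
    pattern: str
    not_after: datetime


class PolicyDecisionPoint:
    def __init__(self, rules: Iterable[Rule], directory: Dict[str, Subject]):
        self.rules = list(rules)
        self.directory = directory  # who we know; in practice fed by IdP/VO attributes

    def _direct(self, subject: Subject, action: str, resource: str, at: datetime) -> bool:
        """Does the subject hold the right in its own name under some rule?"""
        return any(r.action == action and fnmatch(resource, r.pattern) and r.condition(subject, at)
                   for r in self.rules)

    def decide(self, who: str, action: str, resource: str, at: datetime,
               delegations: Iterable[Delegation] = ()) -> str:
        subject = self.directory.get(who)
        if subject is None:
            return "deny: unknown subject"
        if self._direct(subject, action, resource, at):
            return "permit: own rights"
        for d in delegations:
            if d.grantee != who or d.action != action or not fnmatch(resource, d.pattern):
                continue
            if at >= d.not_after:
                return f"deny: delegation from {d.grantor} expired"
            grantor = self.directory.get(d.grantor)
            # delegated authority never exceeds what the grantor holds at decision time
            if grantor is not None and self._direct(grantor, action, resource, at):
                return f"permit: delegated by {d.grantor}"
        return "deny: no applicable rule"


def build_pdp() -> PolicyDecisionPoint:
    """Constructed directory and rules covering each basis listed on slide 21."""
    directory = {
        "alice": Subject("alice", frozenset({"user", "production-manager"}), frozenset({"cms"})),
        "bob": Subject("bob", frozenset({"user"}), frozenset({"atlas"})),
        "carol": Subject("carol", frozenset({"user"}), frozenset({"cms"})),
        "ops": Subject("ops", frozenset({"operator"}), frozenset()),
    }
    rules = [
        Rule("read", "/data/cms/*", lambda s, t: "cms" in s.groups),                    # group
        Rule("write", "/data/cms/*", lambda s, t: "production-manager" in s.roles),     # role (RBAC)
        Rule("submit", "/batch/*", lambda s, t: "user" in s.roles and 6 <= t.hour < 22),  # time
        Rule("drain", "/batch/*", lambda s, t: s.name == "ops"),                        # identity
    ]
    return PolicyDecisionPoint(rules, directory)


T = datetime(2011, 7, 1, 10, 0, tzinfo=timezone.utc)  # constructed reference time


def demo() -> Dict[str, str]:
    """Decisions for a handful of constructed requests, keyed by a short description."""
    pdp = build_pdp()
    from_alice = Delegation("alice", "carol", "write", "/data/cms/run1", T + timedelta(hours=2))
    from_carol = Delegation("carol", "bob", "write", "/data/cms/run1", T + timedelta(hours=2))
    return {
        "alice writes": pdp.decide("alice", "write", "/data/cms/run1", T),
        "carol writes": pdp.decide("carol", "write", "/data/cms/run1", T),
        "carol writes via alice": pdp.decide("carol", "write", "/data/cms/run1", T, [from_alice]),
        "carol writes after expiry": pdp.decide("carol", "write", "/data/cms/run1",
                                                T + timedelta(hours=3), [from_alice]),
        "bob writes via carol": pdp.decide("bob", "write", "/data/cms/run1", T, [from_carol]),
        "bob submits at night": pdp.decide("bob", "submit", "/batch/job7", T.replace(hour=3)),
        "bob submits by day": pdp.decide("bob", "submit", "/batch/job7", T),
    }
```

The "bob writes via carol" case is the one worth noticing: carol cannot write, so a delegation signed by carol conveys nothing, and the decision falls through to deny. That check is what keeps delegated authority from becoming a way to manufacture rights. Note that `fnmatch`'s `*` also matches `/`, so `/data/cms/*` covers nested paths; a deployment would want a stricter matcher.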

  22. Federations in HEP?
     • Grids: already federated (e.g. IGTF, NGIs)
     • Universities: local SSO
        • Integrated into UK AMF (= Shib)
        • eduRoam
        • Moonshot (in progress)
     • Outside universities
        • Er…

  23. Implications for HEP?
     • Users:
        • Convenience – single login
        • And inconvenience – single login
     • Sites
        • SEP

  24. Final Words...
     • Fed = Tech + Policies + Support (sort of)
     • Give techies time to play with tech
     • Need to evaluate and interoperate
     • Watch Moonshot
     • ... and Contrail of course
     • OGF: delegation, federations, cloudsec
