Single Sign-on to the Grid - PowerPoint PPT Presentation


PowerPoint Slideshow about 'Single Sign-on to the Grid' - Anita


Single Sign-on to the Grid

Federated Access and Integrated Identity Management

The Problem
  • Integrated Access (Authentication)
  • Identity management
  • Implemented locally…
  • …integrate with future national efforts…
  • …and international
What’s in SSO?
  • Identity mgmt, User mgmt
  • Credential conversions
    • Certificates, AD/K5
    • Protection of credentials
  • Thin clients vs thick clients
  • Passwords and -phrases
    • Single password to all resources
What’s in SSO?

  • Portals
  • Java gsissh terminal
  • MyProxy
  • SDSC SRB
  • VOMS
  • Active Directory
  • Kerberos
  • SRM
  • Tapestore

Challenge: get distinct components to talk together

Authentication – web based
  • If on-site, use federal id (Active Directory/Kerberos)
  • If off-site, use certificate
    • if loaded into browser
  • Otherwise username/password
    • Same as fed username/password
    • Not allowed to store password…
  • System must know these are the same
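
The fallback order on this slide, as an added example that is not from the original presentation: each method resolves to the same federal id, with certificate DNs mapped through a grid-mapfile. The environment keys (REMOTE_USER, AUTH_TYPE, SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN in slash-separated form), the use of a Negotiate login as the on-site signal, the realm name, the `check_password` callback and all sample entries are assumptions.

```python
import shlex

SITE_REALM = "FED.EXAMPLE.ORG"  # assumed name for the site AD/Kerberos realm

# Constructed grid-mapfile text: quoted certificate DN, then the local (federal) id.
SAMPLE_GRIDMAP = '''
# constructed entries, not real users
"/C=XX/O=Example Grid/OU=Site A/CN=alice example" aex01
"/C=XX/O=Example Grid/OU=Site B/CN=bob example" bex02
'''


def parse_gridmap(text):
    """Return {certificate DN: federal id} parsed from grid-mapfile text."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted DN containing spaces
        if len(parts) != 2:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        dn, accounts = parts
        mapping[dn] = accounts.split(",")[0]  # first account if several listed
    return mapping


def resolve_identity(environ, gridmap, check_password, form=None):
    """Try Kerberos, then certificate, then password; return (federal_id, method)."""
    remote_user = environ.get("REMOTE_USER", "")
    if environ.get("AUTH_TYPE") == "Negotiate" and "@" in remote_user:
        user, realm = remote_user.rsplit("@", 1)
        if realm == SITE_REALM:  # principals from any other realm are ignored
            return user, "kerberos"
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS":
        user = gridmap.get(environ.get("SSL_CLIENT_S_DN", ""))
        if user:  # a verified but unmapped certificate grants nothing
            return user, "certificate"
    if form and check_password(form["username"], form["password"]):
        return form["username"], "password"  # checked via callback, never stored
    return None, None


if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    cert_env = {"SSL_CLIENT_VERIFY": "SUCCESS",
                "SSL_CLIENT_S_DN": "/C=XX/O=Example Grid/OU=Site A/CN=alice example"}
    print(resolve_identity(cert_env, gridmap, lambda u, p: False))
```
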
Web (HTTPS) based SSO
  • Easier to implement servers
    • Apache can do Everything™
    • Not trivial to integrate with existing Java portals
    • Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
  • Lots of HTTP tools that understand security
  • Future proof, when UK goes to Shibboleth
Client Side – from outside CCLRC

[Diagram: Portal, The Grid, Certificate, SRB, VOMS] (old slide)

Client Side – from within CCLRC

[Diagram: Portal, The Grid, SRB, Microsoft Active Directory, MyProxy, VOMS] (old slide)

SRB provides SSO

But ∫ with everybody else’s…

S commands can be used with GSI and with username/password

inQ doesn’t understand certificates

[Diagram: SRB, The Grid, The Beam, SRB]

MyProxy
  • MyProxy essential to SSO to Grid
    • Because Grid requires X.509 certs
  • Call out to site authentication
    • For username/password maintenance
  • Investigating new MyProxy+PAM
Status – Users
  • Need certificates for Grid work
  • Once every year, obtain/renew cert
    • Usability of CA improved with upgrade
    • Will resurrect applets
  • Once every week, renew proxy
    • Upload tool in Java, another in Python
  • Once every day
    • Log in to Windows (or Linux kinit)
Status – software
  • Prototype portal (Python)
    • Thin clients (web browser)
    • Fetches proxy from MyProxy
    • AD/K5 works with IE and certain Linux browsers
  • Components for thick clients
    • Fetches proxy locally from MyProxy
Authorisation

[Diagram: Gridmap file, LDAP, Microsoft Active Directory, MyProxy, VOMS, Corporate Data Repository]

Combining Grid Authorisation

[Diagram: Grid AUZ, LDAP, LDAP, CCLRC, LDAP, NGS, LCG]

Future work
  • VOMS
  • Extending collaboration
    • Related Shib work with Oxford
      • Grid access for non-certificate users
      • DLS & IB very interested (+BDWorld?)
  • Ponder credential conversions/protection
    • Work on-going between CAs in IGTF
Summary
  • Prototype SSO access to Grid
  • Existing implementations, added glue
  • Loads of other minor things that need doing
  • Integrating with other SSO efforts
  • Facilities’ user offices maintain ids
  • More authorisation work req’d