Centralized Authorization in Non-Uniform Federation Communities of Interest (slide deck)



  1. FERMILAB-SLIDES-18-105-CD. Centralized Authorization in Non-Uniform Federation Communities of Interest. Olga Terlyga, NLIT 2018, May 22, 2018. This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

  2. Centralized Authorization • Why do we care? • What should we do? (Fermilab | 5/22/2018 | Olga Terlyga | NLIT 2018)

  3. (Semi) Open Science. The scientific process is based on the free exchange of ideas. Scientific collaborations require us to be more open than ever, while the emphasis on cyber security puts pressure on us to become more closed off. The role of IT is to enable the exchange of ideas and data, balanced against security concerns. Non-scientific resources: exchange of information happens, and is necessary, in many other areas of Laboratory operations as well.

  4. Global collaboration era. [World map of MINERvA collaboration institutions: Centro Brasileiro de Pesquisa..., Aligarh Muslim University..., Fermilab, University of Florida, University of Geneva, Universidad de Guanajuato, Hampton University, Massachusetts College of Li..., Indian Institute of Science Ed..., Northwestern University, Oregon State University, Otterbein University, Pontifical Catholic University..., University of Pittsburgh, University of Rochester, Rutgers-New Brunswick, Tufts University, University of Minnesota Duluth, National University of Engine..., Universidad Tecnica Federico..., Ewell Hall, University of Oxford, University of Mississippi, University of Pennsylvania, University of Wrocław.]

  5. Global collaboration era. [Logos: OSG computing grid; XSEDE, Extreme Science and Engineering Discovery Environment.]

  6. Access = Authentication + Authorization, with Accountability. Access always needs to be managed. Even open science is not 100% open.

  7. On Premise => More Control • On-premise authentication – Typically Single Sign-On – Maybe LDAP – … • On-premise authorization – Active Directory security groups – Individual Service Provider's database – Identity Management – …

  8. On Premise => Constraints • Users don't want to maintain another set of credentials – Passwords – Usernames – Registration process • Admins don't want to maintain another set of credentials – Expiration dates – Source of truth – HR involved in the registration process – Short-lived accounts – Price?

  9. Federation. Each person is uniquely identified within their organization and within the Federation. [Diagram: Federation A metadata service with IdPs and Service Providers; Federation C; eduGAIN figures shown on the slide: 51 members, 5 voting-only members, 13 candidates; 2711 IdPs, 1947 SPs, 6 standalone AAs.]

  10. Federation: an invaluable collaboration tool! • Placing every SP in a federation is not practical • Each SP maintains its own authorization data? • Not every IdP is in a Federation [Diagram: IdP, Federation A metadata, Service Provider, Federation C, further IdPs.] Are there possibilities here for centralized authorization?

  11. Identity and Access Management products • Typically portal style • Combine authentication and authorization • More useful in self-contained organizations • Some do integrate with federations [Slide shows a wall of SaaS application logos: Oracle, Workday, ServiceNow, Splunk, Google Mail/Calendar/Drive, Outlook, Citrix, Jira, Yammer, Cisco, and others.]

  12. Federation Hub. This looks more centralized from the authentication point of view. [Diagram: a hub joining external IdPs and an on-premise IdP to on-premise SPs.] Are there possibilities here for centralized authorization?
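Slides 9, 10 and 12 raise the question of what a central authorization point behind a federation hub would actually have to do when identities arrive from federated IdPs, from an on-premise IdP that is not in any federation, and for SPs that are not federation members themselves. The following is an added illustration written for this page, not code from the talk or from Fermilab: a small policy decision point that (a) derives one accountable subject identifier from either a scoped eduPersonPrincipalName or an on-premise uid, (b) checks the asserting IdP against the shibmd:Scope values registered for it in federation metadata, so an IdP cannot assert users of another institution, and (c) looks group membership up in one central registry and evaluates per-SP policy there rather than in each SP's own database. All entity IDs, scopes, users, groups and the metadata snippet are constructed sample data.

```python
"""Added example: a central authorization decision for a non-uniform federation.
Not code from the talk; every identifier below is hypothetical sample data."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}

# Constructed federation metadata: two IdPs and the scope each may assert.
FEDERATION_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:shibmd="urn:mace:shibboleth:metadata:1.0">
  <md:EntityDescriptor entityID="https://idp.example-univ.edu/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">example-univ.edu</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.partner-lab.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">partner-lab.org</shibmd:Scope></md:Extensions>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# Hypothetical on-premise IdP that is not a federation member.
ON_PREM_IDP = "https://sso.lab.example/idp"

# Central registry (constructed): canonical subject -> groups.  Federated users
# are keyed by scoped eppn, on-premise users by "uid@lab.example".
CENTRAL_GROUPS = {
    "alice@example-univ.edu": {"minerva-collab", "wiki-users"},
    "bob@partner-lab.org": {"wiki-users"},
    "carol@lab.example": {"minerva-collab", "wiki-users", "admins"},
}

# Per-SP policy kept centrally: SP entityID -> groups that grant access.
SP_POLICY = {
    "https://wiki.lab.example/sp": {"wiki-users"},
    "https://data.minerva.lab.example/sp": {"minerva-collab"},
    "https://admin.lab.example/sp": {"admins"},
}


def load_idp_scopes(metadata_xml: str) -> dict[str, set[str]]:
    """Map each IdP entityID to the literal scopes federation metadata allows it."""
    root = ET.fromstring(metadata_xml)
    scopes: dict[str, set[str]] = {}
    for ent in root.findall("md:EntityDescriptor", NS):
        idp = ent.find("md:IDPSSODescriptor", NS)
        if idp is None:
            continue  # SP-only entity, asserts nothing
        allowed = {
            s.text.strip().lower()
            for s in idp.findall("md:Extensions/shibmd:Scope", NS)
            if s.text and s.get("regexp", "false") == "false"
        }
        scopes[ent.get("entityID")] = allowed
    return scopes


@dataclass
class Decision:
    allowed: bool
    subject: str | None   # accountable identifier, None if we could not establish one
    reason: str


def canonical_subject(issuer: str, attributes: dict, idp_scopes: dict) -> tuple[str | None, str]:
    """One accountable identifier regardless of which IdP authenticated the user."""
    if issuer == ON_PREM_IDP:
        uid = attributes.get("uid")
        return (f"{uid}@lab.example", "on-premise") if uid else (None, "no uid from on-premise IdP")
    if issuer not in idp_scopes:
        return None, f"unknown issuer {issuer}"
    eppn = attributes.get("eduPersonPrincipalName", "")
    if "@" not in eppn:
        return None, "eduPersonPrincipalName missing or unscoped"
    local, scope = eppn.rsplit("@", 1)
    if scope.lower() not in idp_scopes[issuer]:
        # Scope check: the IdP is not registered for this scope, so it may not
        # assert this user even though the assertion itself is well-formed.
        return None, f"issuer not authorised for scope {scope!r}"
    return f"{local}@{scope.lower()}", "federated"


def authorize(sp_entity_id: str, issuer: str, attributes: dict, idp_scopes: dict) -> Decision:
    """Central decision: identify, check scope, then apply the SP's policy."""
    subject, how = canonical_subject(issuer, attributes, idp_scopes)
    if subject is None:
        return Decision(False, None, how)
    required = SP_POLICY.get(sp_entity_id)
    if required is None:
        return Decision(False, subject, "SP not registered with central authorization")
    granted = CENTRAL_GROUPS.get(subject, set()) & required
    if granted:
        return Decision(True, subject, f"{how}; member of {sorted(granted)}")
    return Decision(False, subject, f"{how}; not in any of {sorted(required)}")
```

The point of the scope check is that a hub which merely forwards assertions makes every federated IdP equally trusted for every identifier; binding each IdP to the scopes in its metadata keeps the "uniquely identified within the Federation" property of slide 9 intact, and the single `Decision` record gives the accountability slide 6 asks for without each SP keeping its own user database.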

  13. Centralized Authorization in Non-Uniform Federation Communities of Interest: What should we do?
