
SLCS and VASH Service Interoperability of Shibboleth and gLite - PowerPoint PPT Presentation



1. SLCS and VASH Service: Interoperability of Shibboleth and gLite
Enabling Grids for E-sciencE
Christoph Witzig, SWITCH (witzig@switch.ch)
NREN Grid Workshop, Nov 30th, 2007, Malaga
www.eu-egee.org
EGEE-II INFSO-RI-031688. EGEE and gLite are registered trademarks.

2. Content
• Introduction: Interoperability Shibboleth - gLite
• Short-Lived Credential Service (SLCS) (Phase 1)
• VOMS Attributes for Shibboleth (VASH) (Phase 2)
• Outlook: SAML Support in Grids (Phase 3)
• Summary

3. Federated Identity
• Identity Providers (IdP) authenticate their users
• Service Providers (SP) trust the Identity Providers (IdP) and authorize the users
• Cross-domain authentication and authorization based on a trust relation

4. Real and Virtual Organizations
• Real organizations have built AAIs
• Grids are being built around Virtual Organizations (VO)
• How do you relate the member of the “real” organization to the member of the virtual organization?
[Figure: Dora as member of the University of Malaga (username/password) vs. Dora as member of the VO “Woman In Art” (X.509 certificate issued by a CA)]

5. Interoperability Shibboleth - gLite
• Interoperability Shibboleth - gLite by SWITCH
  – Part of EGEE-II
• Focus is on
  – Interoperability (NO replacement for X.509)
  – Specific for the EGEE-II infrastructure (VOMS etc.)
  – Integrate, re-use, re-engineer existing code; write new code only as needed
• Key concepts:
  – Home institution of the user should be the Identity Provider
  – Home institution provides some attributes
  – But the VO is needed for (grid-specific) attributes

6. Overview of SLCS and VASH
[Figure: gLite UI interacting with the SLCS and VASH services]
SLCS = Short Lived Credential Service
VASH = VOMS attributes from Shibboleth

7. Short Lived Credential Service (SLCS)

8. SLCS Profile
• SLCS = Short Lived Credential Service
• International Grid Trust Federation (IGTF) Profile
• Minimum requirements:

  SLCS X.509 certificate                                     | “Traditional” X.509 certificate
  -----------------------------------------------------------|------------------------------------------
  Certificate is generated based on Identity Management system | Registration Authority (e.g. passport)
  Lifetime < 1 million seconds                               | Lifetime < 1 year + 1 month
  Revocation handling optional                               | Revocation handling mandatory

9. SLCS Design
• Private key is never transferred
• Use a commercial CA and only standard protocols
• Modular design, such that other people can use their own components
• Shibboleth attributes determine the DN

10. SLCS Operation
• For the user:
  – Command line: slcs-init --idp <providerId>
  – Part of the gLite User Interface (gLite-UI 3.1); can also be installed independently
• For the RA, from a web-based admin tool:
  – Can enable or disable individual users (only for his institution)
  – Requirements formulated in the CP/CPS
  – Can obtain log information (audit)
• SWITCH:
  – Operates the service for the SWITCHaai federation

11. SWITCH SLCS Setup
• 3 separate servers in an increasingly secure environment (network and physical access)
• Front End
  – Shibboleth SP
• SLCS Server
  – Tomcat web app
• Online CA
  – Microsoft Certificate Server
  – Hardware Security Module (HSM)
• Offline CA
  – Signs the Online CA
  – Stored in a bank safe

12. Status SLCS
• Software development finished in 2006
• SWITCH SLCS Root CA accredited by EuGridPMA in February 2007
• SWITCH SLCS in production since April 2007
• http://www.switch.ch/grid/slcs

13. VOMS attributes from Shibboleth (VASH)

14. Problem
• SLCS ties
  – AAI authentication to the issuance of an X.509 certificate
  – AAI attributes are used to construct the DN
• SLCS intends to make AAI attributes available to grid resources for authorization decisions
  – Which AAI attributes are of interest to the grid resource?
  – How does the resource obtain the attributes? (pull vs. push)
  – Relation to VO attributes
  – Deployment issues

15. VASH Design (1)
• VASH:
  – VOMS Attributes from Shibboleth
• Shibboleth SP
  – Browser-based
  – Specific for
    – Federation
    – VO
• “Lightweight” SP
  – No administrator duties
  – No management of attributes
  – Simply transfers attributes upon user request

16. VASH Design (2)
• X.509 and proxy X.509 with VOMS AC unchanged
• No change in VOMS
  – Requires VOMS version 1.7.10 or higher
• VO registration not changed
• Administrative domains of the Shibboleth federation and VOMS fully decoupled
• User manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)

17. Web Interface VASH Service

18. Deployment Options
• Option 1:
  – As an add-on to an existing VOMS-based VO
• Option 2:
  – As a registration tool which allows the member of a Shibboleth IdP to become a member of a VOMS-based VO
    – Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)

19. Status VASH
• Software implementation done
• MJRA1.5 document: https://edms.cern.ch/document/807849/1
• Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available
  – Access to the VOMS AC
  – LCAS/LCMAPS plugin

20. Outlook: SAML Support in Grids

21. Phase 3: SAML Support
• Goal of phase 3: Extend the use of SAML in grids beyond what is already provided by phases 1 and 2
• SAML-enable those services with which the user interacts directly
  – WMS
  – File access
• Benefits:
  – (Average) user has no certificates anymore
  – Introduce SAML gently beyond phases 1 and 2, gain experience
  – Compatible with the Shibboleth roadmap (2.0, 2.1) and the WS-Trust STS implementation
  – Options open for the future
• Requires: a means for a service to transform the security token it has into the security token it needs

22. Security Token Service (STS)
• Based on the OASIS WS-Trust standard
• Converts one security token into another
  – Initial focus on
    – username/password -> SAML
    – SAML -> X.509
• Supports token request, renewal, validity check, destruction
• Capable of obtaining attributes from different sources (e.g. Shibboleth IdP, VOMS)

23. Use Cases
• Grid:
  – A central Grid resource (e.g. resource broker) obtains a user job with a SAML assertion as credential
  – Conversion into a security token that the other Grid services understand (X.509)
• Non-browser-based Shibboleth applications:
  – User agent contacts the Shibboleth IdP with a credential (e.g. username, password)
  – User agent receives a SAML assertion to be sent to a Shibboleth SP

24. Summary
• Interoperability Shibboleth - gLite
  – Phase 1: SLCS
    – Online CA issuing short-lived X.509 certificates based upon authentication at a Shibboleth IdP
    – Operative and in production
  – Phase 2: VASH
    – Transfers Shibboleth attributes into VOMS
    – Shib attributes are available to grid resources as part of the VOMS AC
    – Software development finished
  – Phase 3: SAML
    – Current phase: design of a WS-Trust STS for SAML and proxy X.509
    – Idea to SAML-enable a selected (small) number of grid services (those close to the user: WMS, …)
• Leverage the existing SWITCHaai Shibboleth federation

25. Q & A
