Single Sign-on to the Grid
Federated Access and Integrated Identity Management

The Problem
• Integrated Access (Authentication)
• Identity management
• Implemented locally…
• …integrate with future national efforts…
• …and international

What’s in SSO?
• Identity mgmt, User mgmt
• Credential conversions
  • Certificates, AD/K5
• Protection of credentials
  • Thin clients vs thick clients
  • Passwords and -phrases
• Single password to all resources
What’s in SSO?
[diagram: Portals, Java gsissh terminal, MyProxy, SDSC SRB, VOMS, Active Directory, Kerberos, SRM, Tapestore]
Challenge: get distinct components to talk together
Authentication – web based
• If on-site, use federal id (Active Directory/Kerberos)
• If off-site, use certificate
  • if loaded into browser
  • Otherwise username/password
    • Same as fed username/password
    • Not allowed to store password…
    • System must know these are the same

Web (HTTPS) based SSO
• Easier to implement servers
  • Apache can do Everything™
• Not trivial to integrate with existing Java portals
  • Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…
• Lots of HTTP tools that understand security
• Future proof, when UK goes to Shibboleth
Client Side – from outside CCLRC (old slide)
[diagram: client reaches THE GRID through the PORTAL; components shown: Certificate, SRB, VOMS]

Client Side – from within CCLRC (old slide)
[diagram: client reaches THE GRID through the PORTAL; components shown: SRB, Microsoft Active Directory, MyProxy, VOMS]
SRB
• SRB provides SSO, but not with everybody else’s…
• Scommands can be used with GSI and with username/password
• inQ doesn’t understand certificates
[diagram: SRB sitting between THE GRID and THE BEAM]
MyProxy
• MyProxy essential to SSO to Grid
  • Because Grid requires X.509 certs
• Call out to site authentication
  • For username/password maintenance
• Investigating new MyProxy+PAM

Status – Users
• Need certificates for Grid work
• Once every year, obtain/renew cert
  • Usability of CA improved with upgrade
  • Will resurrect applets
• Once every week, renew proxy
  • Upload tool in Java, another in python
• Once every day
  • Log in to Windows (or Linux kinit)

Status – software
• Prototype portal (python)
• Thin clients (web browser)
  • Fetches proxy from myproxy
  • AD/K5 works with IE and certain Linux browsers
• Components for thick clients
  • Fetches proxy locally from MyProxy
Authorisation
[diagram: Gridmap file, LDAP, Microsoft Active Directory, MyProxy, VOMS, Corporate Data Repository]

Combining Grid Authorisation
[diagram: Grid AUZ fed by separate LDAP directories from CCLRC, NGS and LCG]
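As an added example (not code from the slides or from Globus), here is a parser for the grid-mapfile that the Authorisation slide places beside LDAP/AD and VOMS, together with a small lookup that resolves either a certificate DN or a site AD/Kerberos principal to one local account. That lookup is the "system must know these are the same" requirement from the web-authentication slide: the certificate used off-site and the federal id used on-site must land on the same person. The DNs, principals, realm and account names are constructed sample data; the AD/LDAP side is represented by an in-memory dictionary.

```python
"""Added example: grid-mapfile parsing and DN/principal identity linking.
All DNs, principals and account names below are constructed."""
import shlex
from typing import Dict, List, Optional

# Constructed grid-mapfile. Each entry is a double-quoted DN followed by a
# comma-separated list of local accounts; '#' comments and blank lines allowed.
SAMPLE_GRIDMAP = '''
# grid-mapfile (constructed sample)
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example" alice
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=bob example" bob,gridusers
'''

# Constructed stand-in for what AD/LDAP would provide: site principal -> local account.
SAMPLE_PRINCIPALS: Dict[str, str] = {
    "alice@EXAMPLE.ORG": "alice",
    "bob@EXAMPLE.ORG": "bob",
}


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse grid-mapfile text into {DN: [local accounts...]}.
    Raises ValueError on a malformed or duplicated entry."""
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps the quoted DN (which contains spaces) as one token
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" account[,account]', got {raw!r}")
        dn, accounts = parts
        names = [a for a in accounts.split(",") if a]
        if not names:
            raise ValueError(f"line {lineno}: no local account for {dn!r}")
        if dn in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {dn!r}")
        mapping[dn] = names
    return mapping


def is_well_formed(text: str) -> bool:
    """True if the grid-mapfile text parses without error."""
    try:
        parse_gridmap(text)
        return True
    except ValueError:
        return False


def resolve_identity(credential: str, gridmap: Dict[str, List[str]],
                     principals: Dict[str, str]) -> Optional[str]:
    """Map a certificate DN (starts with '/') or a Kerberos principal to the
    local account. The first gridmap account is the default one. Returns None
    when neither source knows the credential."""
    if credential.startswith("/"):
        accounts = gridmap.get(credential)
        return accounts[0] if accounts else None
    return principals.get(credential)


def same_person(dn: str, principal: str, gridmap: Dict[str, List[str]],
                principals: Dict[str, str]) -> bool:
    """The check a portal needs before treating a certificate login and a
    site login as the same user: both must resolve to the same local account."""
    local = resolve_identity(dn, gridmap, principals)
    return local is not None and local == resolve_identity(principal, gridmap, principals)


def is_authorised(dn: str, gridmap: Dict[str, List[str]]) -> bool:
    """Gridmap-style authorisation: a DN is authorised iff it has an entry."""
    return dn in gridmap
```

Resolving both credential types to a local account, rather than comparing a DN string against a principal string, is what lets the portal avoid storing the password: the password is checked by AD/Kerberos, and the portal only needs the resulting principal to find the same account the gridmap already points at.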
Future work
• VOMS
• Extending collaboration
  • Related Shib work with Oxford
• Grid access for non-certificate users
  • DLS & IB very interested (+BDWorld?)
• Ponder credential conversions/protection
  • Work on-going between CAs in IGTF

Summary
• Prototype SSO access to Grid
  • Existing implementations, added glue
• Loads of other minor things that need doing
• Integrating with other SSO efforts
  • Facilities’ user offices maintain ids
• More authorisation work req’d