TRANSCRIPT
IAM Online: Federated Services for Scientists
Thursday, December 9, 2010 – 1 p.m. EST
Rachana Ananthakrishnan, Argonne National Laboratory & University of Chicago
Jim Basney, National Center for Supercomputing Applications, University of Illinois
IAM Online is brought to you by InCommon, in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group
Scientific & Scholarly Collaboration Online
• Should be as easy as current social networking, but with suitable security & attribution
• To do that we need …
  – Valuable services to be online
    • Integrated wholes, not toolkits remaining to be assembled
  – Scale up access to them
    • Federated access, both SAML and OpenID as appropriate
    • InCommon & other federations to grow, and to support LoA
  – Get IT out of the way
    • Campuses must up their game, implement Silver & uApprove
    • Collaboration frameworks with standardized interfaces that make it easy to dock domesticated applications
Two Steps Along the Road
• Rachana Ananthakrishnan – Principal Software Development Specialist, Argonne National Lab/University of Chicago
  – Globus Online – An integrated online cyberinfrastructure service
• Jim Basney – Senior Research Scientist, National Center for Supercomputing Applications, University of Illinois
  – CILogon – Providing federated access to cyberinfrastructure
globusonline.org
Globus Online: Reliable File Transfer. No IT Required.
Federated Access to Science Services and Infrastructures
Rachana Ananthakrishnan, Argonne National Laboratory & University of Chicago
Globus Toolkit – Build the Grid
• Components for building custom grid solutions
• globustoolkit.org
Globus Online – Use the Grid
• Cloud-hosted file transfer service
• globusonline.org
Globus: www.globus.org
Problem Space Examples

    User                      Data location                Characteristics
 1  Nuclear Scientist         Oak Ridge to NERSC           Two security domains, blocked by transfer, repetitive task
 2  Visualization Specialist  TeraGrid (Kraken) to NERSC   Two security domains, no dedicated high bandwidth network, ad hoc task
 3  System Administrator      To GFDL                      Many security domains, administrative task, deadline bound
 4  System Builder            To and from NERSC            Many security domains, support ad hoc users, legacy code integration, multiple science domains
Globus Online Solution
• Hosted file transfer management capabilities
  – Transfers and synchronizes files and directories
• Asynchronous interfaces for
  – Transfer
  – Monitoring
  – Notification
• Multiple interfaces for integration
  – REST API
  – “CLI 2.0” using SSH/GSISSH
  – Website
Benefits of Globus Online
• Easy “fire and forget” file transfers
• Automatic fault recovery
• High performance
• Simplify use of multiple security domains
• No client software installation
• New features automatically available
• Consolidated support and troubleshooting
User Workflow
• Creates a new profile
• Configures profile
• Adds or discovers endpoints
• Activates endpoints
• Submits transfers
• Monitors transfers
• Receives notification of events
Profile Management
• User creates a profile at registration
  – Uses an existing identity
  – Can associate multiple identities with the profile
• Website logins:
  – OpenID Identity Provider
  – MyProxy servers
• CLI logins:
  – SSH public key
  – X.509 certificate
Endpoint Management
• Configure endpoints:
  – Host/port
  – Default MyProxy server
  – Public endpoints
• Discover endpoints:
  – Add to personal list
• Endpoint activation:
  – MyProxy or GSI-SSH delegation
  – Pause transfer and notify on credential expiration
  – Resume transfer on credential renewal
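The pause/notify/resume behaviour of endpoint activation, as an added model that is not Globus Online code: the credential subjects, clock values and byte counts are constructed, and the renewal rule (same identity, not yet expired) is an assumption.

```python
# Added model (not Globus Online code) of endpoint activation with a short-lived
# delegated credential: the transfer pauses and notifies when it expires and resumes
# where it stopped once a renewed credential for the same identity is supplied.
from dataclasses import dataclass, field

@dataclass
class Credential:
    subject: str      # DN of the delegated proxy (constructed)
    expires_at: int   # seconds on a constructed clock

@dataclass
class TransferTask:
    total_bytes: int
    cred: Credential
    copied: int = 0
    state: str = "ACTIVE"
    notifications: list = field(default_factory=list)

    def step(self, now: int, chunk: int) -> str:
        """Copy one chunk at time `now`, or pause if the credential has lapsed."""
        if self.state == "SUCCEEDED":
            return self.state
        if now >= self.cred.expires_at:
            if self.state != "PAUSED":   # notify once, not on every retry
                self.state = "PAUSED"
                self.notifications.append(f"credential for {self.cred.subject} expired; re-activate endpoint")
            return self.state
        self.copied = min(self.total_bytes, self.copied + chunk)
        self.state = "SUCCEEDED" if self.copied == self.total_bytes else "ACTIVE"
        return self.state

    def renew(self, cred: Credential, now: int) -> str:
        """Re-activate: accept only a still-valid credential for the same identity."""
        if cred.subject != self.cred.subject or now >= cred.expires_at:
            self.notifications.append("renewal rejected: wrong identity or already expired")
            return self.state
        self.cred = cred
        if self.state == "PAUSED":
            self.state = "ACTIVE"        # resume; bytes already copied are kept
        return self.state

def run_demo() -> TransferTask:
    task = TransferTask(4_000_000, Credential("/DC=org/DC=example/CN=alice", expires_at=100))
    task.step(now=50, chunk=1_000_000)    # ACTIVE, 1 MB copied
    task.step(now=150, chunk=1_000_000)   # PAUSED, one notification
    task.renew(Credential("/DC=org/DC=example/CN=alice", expires_at=1_000), now=150)
    for t in (200, 300, 400):
        task.step(now=t, chunk=1_000_000)  # SUCCEEDED after the third chunk
    return task
```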
Planned Features
• Transfer:
  – Light-weight transfer agent
  – Support for other transfer protocols
  – Integration with Condor
• Security:
  – Accept campus credentials (InCommon Identity Providers)
  – Support OAuth-based delegation
  – Facilitate sharing of transfer tasks
    o Group and policy management
Future Work
• Higher-level data management capabilities
  – Data publication
  – Replication
• Job management capabilities
• Provisioning of collaboration tools
CILogon
Federated Access to Science Services and Infrastructures
Jim Basney
This material is based upon work supported by the National Science Foundation under grant number 0943633. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
CILogon www.cilogon.org 21
CILogon Goal
• Facilitate campus logon to CI
  – Leverage researchers’ existing credentials at their home institution
  – Ease credential management for researchers and CI providers
• Bridge from:
  – Credentials issued by InCommon Federation members using SAML web browser single sign-on
• Bridge to:
  – X.509 certificates that satisfy the requirements of CI projects
Prior Work: go.teragrid.org
• Campus login to TeraGrid
• 31 campuses so far (including all CIC schools)
• In production since September 2009
• 1000+ certificates issued so far to 65+ users
• Integration with portal.teragrid.org underway
• IDtrust 2010 paper: “Federated Login to TeraGrid” (http://middleware.internet2.edu/idtrust/2010/)
New Service: cilogon.org
• No TeraGrid account required
• Delivers certificates to desktop, browser, and portals
• Available certificate lifetimes: from 1 hour to 13 months
• 3 Certification Authorities:
  – Silver: InCommon Silver IDs
  – Basic: any InCommon IDs
  – OpenID: any OpenIDs
• Available now!
CILogon Portal Delegation
• Grid Portals and Science Gateways provide web interfaces to CI
  – Portals/Gateways need certificates to access CI on researchers’ behalf
• CILogon Delegation Service allows researchers to approve certificate issuance to portals (via OAuth)
• www.cilogon.org/portal-delegation
[Diagram: Web Browser, CILogon, Portal, CI; arrows labelled “request certificate”, “authenticate & approve access”, “access”]
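The three-party exchange on this slide, as an added model that is not CILogon's code: the portal opens a request, the researcher authenticates and approves that specific request, and only then does the service issue a certificate record to the portal that asked. The token format, the portal registry and the certificate record are constructed stand-ins for the real OAuth messages and X.509 certificate.

```python
# Added model (not CILogon's code) of the portal-delegation flow the slides
# describe: the portal asks for a certificate, the researcher authenticates and
# approves that specific request in the browser, and only then is a certificate
# naming the researcher issued to that portal.  Token format, the portal
# registry and the certificate record are constructed stand-ins.
import secrets

class DelegationService:
    def __init__(self):
        self.registered_portals = {"portal.example.org"}   # constructed registry
        self.requests = {}   # request token -> {"portal": ..., "approved_by": ...}

    def request_certificate(self, portal: str) -> str:
        """Step 1 (portal -> CILogon): open a request and return the temporary
        request token the portal sends the researcher's browser to CILogon with."""
        if portal not in self.registered_portals:
            raise PermissionError(f"portal {portal} is not registered")
        token = secrets.token_urlsafe(16)
        self.requests[token] = {"portal": portal, "approved_by": None}
        return token

    def approve(self, token: str, authenticated_user) -> bool:
        """Step 2 (browser -> CILogon): after campus SSO the researcher approves
        this request; `authenticated_user` is None if nobody is logged in."""
        req = self.requests.get(token)
        if req is None or authenticated_user is None:
            return False
        req["approved_by"] = authenticated_user
        return True

    def issue(self, token: str, portal: str) -> dict:
        """Step 3 (portal -> CILogon): exchange the approved token for a certificate
        record; fails if unapproved or presented by a different portal."""
        req = self.requests.get(token)
        if req is None or req["portal"] != portal or req["approved_by"] is None:
            raise PermissionError("request unknown, not approved, or made by another portal")
        del self.requests[token]   # single use: a token cannot yield two certificates
        return {"subject": req["approved_by"], "issued_to": portal, "lifetime_hours": 12}

def happy_path() -> dict:
    """Full exchange for one researcher and one registered portal."""
    svc = DelegationService()
    token = svc.request_certificate("portal.example.org")
    svc.approve(token, "alice@example.edu")
    return svc.issue(token, "portal.example.org")
```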
Why certificates?
• Command-line apps, non-web apps
• Multi-stage, unattended batch workflows
• Significant worldwide CI investment in PKI
  – Software, operations, standards, etc.
International Grid Trust Federation
• Worldwide accreditation of grid CAs
  – Relying Parties: TeraGrid, Open Science Grid, European Grid Infrastructure, Worldwide LHC Computing Grid, and others
  – Standards: CA operations, key management, subscriber identity vetting, certificate profiles
• www.igtf.net
CILogon and IGTF
• CILogon CA operations, key management, and certificate profiles meet IGTF standards
• Issue: subscriber ID vetting & authentication
  – Goal: rely on campuses for this
  – Need minimum standards for campus practices
  – Approach: rely on InCommon Identity Assurance
• Status:
  – CILogon Silver CA accredited October 2010
  – Now waiting for InCommon Silver campuses…
  – CILogon Basic & OpenID CAs operating w/o IGTF accreditation
Attribute Release
• The “boarding process” challenge:
  – CI users are spread across many campuses
  – Often few CI users on each campus
• Each campus must approve release of attributes to cilogon.org / go.teragrid.org
  – CILogon needs ePTID/ePPN, mail, givenName and surname
  – Self-service sign-up: https://cilogon.org/secure/testidp/
• Good application for user consent based attribute release (uApprove)
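The two checks that decide whether a login can be "boarded", covering both the three-CA split on the cilogon.org slide and the attribute requirements here, as an added example rather than CILogon's own code. The eduPerson attribute names, the Silver authentication-context URI and the login record layout are assumptions; the required attributes and lifetime range come from the slides.

```python
# Added model (not CILogon's code) of the boarding checks implied by the slides:
# choose the issuing CA from how the researcher logged in, and refuse issuance
# until the campus IdP releases the attributes CILogon needs.  Attribute names
# and the InCommon Silver context URI are assumptions.

# Attributes the slides list: ePTID or ePPN, plus mail, givenName and surname (sn).
REQUIRED_ANY_OF = ("eduPersonTargetedID", "eduPersonPrincipalName")
REQUIRED_ALL = ("mail", "givenName", "sn")
SILVER_CONTEXT = "urn:mace:incommon:iap:silver"   # assumed SAML AuthnContextClassRef for Silver
MIN_LIFETIME_H, MAX_LIFETIME_H = 1, 13 * 30 * 24   # "1 hour to 13 months", months taken as 30 days

def missing_attributes(attrs: dict) -> list:
    """Names of released-attribute requirements that this login does not meet."""
    missing = [a for a in REQUIRED_ALL if not attrs.get(a)]
    if not any(attrs.get(a) for a in REQUIRED_ANY_OF):
        missing.append(" or ".join(REQUIRED_ANY_OF))
    return missing

def select_ca(login: dict) -> str:
    """Route a constructed login record to the Silver, Basic or OpenID CA.

    login = {"idp_type": "saml" | "openid", "authn_context": str | None,
             "attributes": {...released SAML attributes...}, "lifetime_hours": int}
    """
    lifetime = login["lifetime_hours"]
    if not MIN_LIFETIME_H <= lifetime <= MAX_LIFETIME_H:
        raise ValueError(f"requested lifetime {lifetime}h is outside 1 hour .. 13 months")
    if login["idp_type"] == "openid":
        return "CILogon OpenID CA"                 # any OpenID; not IGTF accredited
    if login["idp_type"] != "saml":
        raise ValueError("unknown identity provider type")
    missing = missing_attributes(login["attributes"])
    if missing:
        # The campus has not yet approved attribute release to cilogon.org.
        raise PermissionError("IdP must release: " + ", ".join(missing))
    if login.get("authn_context") == SILVER_CONTEXT:
        return "CILogon Silver CA"                 # the IGTF-accredited path
    return "CILogon Basic CA"                      # any InCommon ID

# Constructed sample logins.
SILVER_LOGIN = {
    "idp_type": "saml", "authn_context": SILVER_CONTEXT, "lifetime_hours": 12,
    "attributes": {"eduPersonPrincipalName": "alice@example.edu", "mail": "alice@example.edu",
                   "givenName": "Alice", "sn": "Liddell"},
}
UNRELEASED_LOGIN = {  # IdP released only the identifier, so boarding is blocked
    "idp_type": "saml", "authn_context": None, "lifetime_hours": 12,
    "attributes": {"eduPersonPrincipalName": "bob@example.edu"},
}
```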
Conclusions
• We’re leveraging campus credentials for access to cyberinfrastructure
  – SAML to PKI bridges: go.teragrid.org & cilogon.org
• We’re looking forward to new InCommon capabilities
  – Identity Assurance (Silver)
  – Consent-based attribute release (uApprove)
Survey
Please complete the survey about today’s IAM Online: http://www.surveymonkey.com/s/IAMOnline12
Next IAM Online (www.incommon.org/iamonline)
Wednesday, January 12, 2010 – 3 p.m. EST
Tentative Topic – Panel Discussion on Identifiers
Thank you to InCommon Affiliates for helping to make IAM Online possible.
Brought to you by InCommon, in cooperation with Internet2 and the EDUCAUSE Identity and Access Management Working Group