Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management


Page 1: Jens G Jensen CCLRC e-Science Single Sign-on to the Grid Federated Access and Integrated Identity Management

Jens G Jensen

CCLRC e-Science

Single Sign-on to the Grid

Federated Access and

Integrated Identity Management

Page 2

The Problem

• Integrated Access (Authentication)

• Identity management

• Implemented locally…

• …integrate with future national efforts…

• …and international

Page 3

What’s in SSO?

• Identity mgmt, User mgmt

• Credential conversions

– Certificates, AD/K5

– Protection of credentials

• Thin clients vs thick clients

• Passwords and -phrases

– Single password to all resources

Page 4

What’s in SSO?

Portals

MyProxy

VOMS

Java gsissh terminal

SDSC SRB

SRM

Tapestore

Active Directory/Kerberos

Challenge: get distinct components to talk together

Page 5

Authentication – web based

• If on-site, use federal id (Active Directory/Kerberos)

• If off-site, use certificate

– if loaded into browser

• Otherwise username/password

– Same as fed username/password

– Not allowed to store password…

• System must know these are the same
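Added example, not from the slides: a Python sketch of the decision this slide describes (AD/Kerberos on-site, certificate off-site when the browser carries one, otherwise the federal username/password), followed by linking all three credentials to one local account through a grid-mapfile so that the system knows they are the same user. The Kerberos realm, DNs, usernames and grid-mapfile entries are constructed for illustration.

```python
import re

# Constructed grid-mapfile in the usual Globus format: quoted X.509 DN,
# then the local account name(s) it maps to.
GRID_MAPFILE = '''
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens jensen" jens
"/C=UK/O=eScience/OU=CLRC/L=RAL/CN=alice example" alice,aliceadm
'''

KERBEROS_REALM = "CCLRC.AC.UK"  # assumed site realm (constructed)

def parse_gridmap(text):
    """Map each X.509 DN in the file to its first local account."""
    mapping = {}
    for line in text.splitlines():
        m = re.match(r'\s*"([^"]+)"\s+(\S+)', line)
        if m:
            mapping[m.group(1)] = m.group(2).split(",")[0]
    return mapping

def select_auth_method(on_site, browser_cert_dn):
    """The slide's order: AD/Kerberos on-site, certificate if the browser
    presents one, otherwise the federal username/password."""
    if on_site:
        return "kerberos"
    if browser_cert_dn:
        return "certificate"
    return "password"

def resolve_identity(method, token, gridmap):
    """Reduce a Kerberos principal, a certificate DN or a username to one
    local account, so every path ends at the same user. None if unlinkable."""
    if method == "kerberos":
        user, _, realm = token.partition("@")
        return user if realm == KERBEROS_REALM else None
    if method == "certificate":
        return gridmap.get(token)
    if method == "password":
        # The password itself is checked against AD/K5 elsewhere and is
        # never stored here; only the (federal) username is linked.
        return token if re.fullmatch(r"[a-z][a-z0-9]*", token) else None
    return None

def identity_for(on_site, cert_dn, principal, username, gridmap):
    """Pick the path for this request and return (method, local account)."""
    method = select_auth_method(on_site, cert_dn)
    token = {"kerberos": principal, "certificate": cert_dn,
             "password": username}[method]
    return method, resolve_identity(method, token, gridmap)
```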

Page 6

Web (HTTPS) based SSO

• Easier to implement servers

– Apache can do Everything™

– Not trivial to integrate with existing Java portals

– Apache vs Tomcat, StringBeans, uPortal, CHEF, SAKAI,…

• Lots of HTTP tools that understand security

• Future proof, when UK goes to Shibboleth

Page 7

Client Side – from outside CCLRC

[Diagram: a client outside CCLRC reaches the Portal with a Certificate; the Portal is linked to VOMS, SRB and THE GRID (old slide)]

Page 8

Client Side – from within CCLRC

[Diagram: a client within CCLRC reaches the Portal via Microsoft Active Directory; the Portal is linked to MyProxy, VOMS, SRB and THE GRID (old slide)]

Page 9

SRB

• SRB provides SSO

• But not with everybody else’s…

• S commands can be used with GSI and with username/password

• inQ doesn’t understand certificates

[Diagram: SRB sitting between THE GRID and THE BEAM]

Page 10

MyProxy

• MyProxy essential to SSO to Grid

– Because Grid requires X.509 certs

• Call out to site authentication

– For username/password maintenance

• Investigating new MyProxy+PAM

Page 11

Status – Users

• Need certificates for Grid work

• Once every year, obtain/renew cert

– Usability of CA improved with upgrade

– Will resurrect applets

• Once every week, renew proxy

– Upload tool in Java, another in python

• Once every day

– Log in to Windows (or Linux kinit)

Page 12

Status – software

• Prototype portal (python)

– Thin clients (web browser)

– Fetches proxy from myproxy

– AD/K5 works with IE and certain Linux browsers

• Components for thick clients

– Fetches proxy locally from MyProxy

Page 13

Authorisation

[Diagram: Microsoft Active Directory, Corporate Data Repository and LDAP on one side; VOMS, MyProxy and Gridmapfile on the other]

Page 14

Combining Grid Authorisation

[Diagram: three LDAP sources (CCLRC, NGS, LCG) feeding GridAUZ]

Page 15

Future work

• VOMS

• Extending collaboration

– Related Shib work with Oxford

• Grid access for non-certificate users

• DLS & IB very interested (+BDWorld?)

• Ponder credential conversions/protection

– Work on-going between CAs in IGTF

Page 16

Summary

• Prototype SSO access to Grid

• Existing implementations, added glue

• Loads of other minor things that need doing

• Integrating with other SSO efforts

• Facilities’ user offices maintain ids

• More authorisation work req’d