Perspectives of Integrating AAI with Grid in EGEE-2
Christoph Witzig, Amsterdam, October 17, 2005
Outline
• Introduction
  • Overview of SWITCH
  • SWITCH activities in AAI and Grid
• SWITCHaai: The Swiss Shibboleth-based AAI
  • How it works
  • Shibboleth concepts
• EGEE security framework
  • Introduction EGEE
  • How it works
  • Grid security concepts
• SWITCH proposal for interoperability Shibboleth - gLite
• Related efforts
• Summary
Introduction
• SWITCH has four strategic business areas
  • Network: operating the Swiss Research and Education network
  • Domain name registration for .ch and .li
  • Security
    • Operates (among other things) SWITCHpki
  • NetServices: providing services on top of the network for academic users
    • Video conferences, streaming technologies, support for (physical) mobility
    • SWITCHaai: Shibboleth-based AAI for the Swiss academic sector
• Grid: targeted Grid services as new strategic direction
  • There is no Swiss grid program
  • Various grid efforts at some universities
SWITCHaai
SWITCHaai = federated, national, Shibboleth-based authentication and authorization infrastructure (AAI).
• Main efforts:
  • > 110'000 users (approx. 50%) of the Swiss higher education sector are currently "AAI-enabled".
  • Federally funded cooperation projects will complete the national roll-out and increase the number of new resources.
  • Define cooperation with other federations.
  • Develop accounting (AAAI) services.
SWITCH Activities in Grid Computing
Grid support = new strategic direction: national AAI-enabled grid infrastructure in Switzerland.
• Two main strategic efforts:
  • Within the context of EGEE-2 we want to add interoperability between Shibboleth and the gLite middleware stack.
  • Within the national context we want to work together with our partners (universities, computing centers) to build up such a national grid infrastructure based on the AAI-enabled gLite middleware.
Disclaimer
• Decision of the EU regarding the EGEE-2 proposal is pending
• Assuming a positive answer from the EU, EGEE-2 will start in April 2006 and last for two years
The World without AAI
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
(Diagram: University A, Library B and University C, each holding its own credentials for resources such as Student Admin, Web Mail, e-Learning, e-Journals, Literature DB and Research DB; legend: User Administration, Authentication, Authorization, Resource, Credentials.)
The World with AAI
• No user registration and user data maintenance at the resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Authorization independent of location
• Efficient implementation of inter-institutional access
(Diagram: the same institutions and resources as before, now connected through the AAI; legend: User Administration, Authentication, Authorization, Resource, Credentials.)
How it works
Shibboleth Concepts
• Based on SAML
• Initial focus on Web-based resources
EGEE: Enabling Grids for E-sciencE
• EU sponsored grid project within FP6
• Funding 2004 - 2006: 32 million €
• Proposal for second phase submitted (2006 - 2008)
• Emphasis is on
  • not software development
  • operating a production grid and supporting the end-users
  • Hardening, re-engineering and extending existing middleware functionality
• Large collaboration
  • > 180 sites
  • 20 VOs
  • > 800 registered users
Interoperability Shibboleth - gLite
• Part of EGEE-2 proposal (by SWITCH in EGEE NREN Federation)
• Focus is on
  • Interoperability (NO replacement for X.509)
  • Specific for EGEE infrastructure (VOMS etc.)
  • Integrate, re-use, re-engineer existing code, write new code only as needed
• Key Concepts:
  • Home institution of the user should be the Identity Provider
  • Home institution provides some attributes
  • But VO is needed for (grid specific) attributes
• Proposal of doing work in three phases:
  • Two initial, shorter phases with the intention of hooking SWITCHaai up to the grid with a minimal amount of effort to have a working system
  • A third phase with adding support for SAML at the resource (service provider)
Phase 1 and 2
• Note:
  • no changes at the Resource
  • Work is more than just software (policies)
Access for Grid Users to Shib SP
• Intention: add "symmetry" between enabling access for Shib and grid users
• Test-bed between SWITCH and INFN in 2006
SAML Support at the Resource
• Third (and main) phase of project
• Goal: Support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)
• Should be based on SAML2
• Supports ECP Profile (constrained delegation)
• Will be used in Shibboleth 2
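The key concept of the interoperability proposal (home institution as IdP supplying identity and affiliation, the VO supplying grid-specific attributes) and the third-phase goal of consuming SAML at the resource can be illustrated with a small SP-side decision routine. This is an added example, not code from the talk, SWITCHaai or gLite: the SAML 2.0 assertion, the eduPerson attributes chosen, the VO name "myvo" and the policy in `authorize()` are all assumptions, and the VOMS FQAN syntax is only modelled, not read from a real VOMS proxy.

```python
import xml.etree.ElementTree as ET
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed SAML 2.0 assertion modelled on what a home-institution IdP would
# issue; the user, affiliation value and attribute choice are assumptions.
IDP_ASSERTION = f"""
<saml:Assertion xmlns:saml="{SAML_NS}">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example-university.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

def parse_saml_attributes(xml_text):
    """Return {name: [values]} for every Attribute in the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [v.text.strip() for v in attr.findall(f"{{{SAML_NS}}}AttributeValue") if v.text]
    return attrs

def parse_fqan(fqan):
    """Split a VOMS-style FQAN '/vo/group/Role=r/Capability=c' into (vo, group path, role or None)."""
    groups, role = [], None
    for part in filter(None, fqan.split("/")):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif not part.startswith("Capability="):
            groups.append(part)
    if not groups:
        raise ValueError(f"malformed FQAN: {fqan!r}")
    return groups[0], "/" + "/".join(groups), None if role in (None, "NULL") else role

def authorize(idp_attrs, fqans, required_vo, required_role=None):
    """SP decision: identity and affiliation come from the IdP, VO membership and role from the VO."""
    if "eduPersonPrincipalName" not in idp_attrs:
        return False  # no authenticated identity from the home institution
    if not {"staff", "member"} & set(idp_attrs.get("eduPersonAffiliation", [])):
        return False  # home institution does not vouch for an eligible affiliation
    for fqan in fqans:
        vo, _group, role = parse_fqan(fqan)
        if vo == required_vo and (required_role is None or role == required_role):
            return True
    return False  # no VO attribute grants the required membership / role
```

The split mirrors the slide: the IdP assertion alone never grants grid access, and a VO attribute alone never identifies the user.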
Related Efforts
• GridShib:
  • Emphasis is on providing attribute-based authorization
  • Based on GT4 and Shib 1.3
  • Beta version available since Sept 05
• OGSA authZ working group:
  • Defines specifications for basic interoperability and pluggability of authorization modules in the OGSA framework
• Condor Shibboleth Merger Project
  • Phase I: Shib-enabled Condor web portal
  • Phase II: Shib-enabled Condor fat client
• Shibboleth - grid activities in the UK
  • ESP-Grid
  • Further work is planned (JISC) to look at CA/Shib issues
• Issue of attribute management between IdP and VO (e.g. Signet)
Summary
• There is interest and activity for interoperability AAI / Shibboleth - grid
  • But X.509 is still the standard security mechanism for grids (and likely to remain so for quite some time)
  • Issue is not only authentication but also attribute sharing between IdP, VO, SP
  • Opportunity and need for NREN and Grid communities to interoperate
• GridShib:
  • beta version available
  • GT4 and Shib 1.3
• SWITCH participates in EGEE-2 to add interoperability Shibboleth - gLite
  • Pending approval by the EU (expected in November)
• We are interested in learning about other activities, sharing experiences and coordinating efforts