Shibboleth Access to Resources on the NGS

  1. Shibboleth Access to Resources on the NGS (Mike Jones)
  2. Why Shibboleth & Federated Access
     • User Friendly
     • Scalable
     • Secure
       – Enough for resources
       – Discourage less secure activities
  3. User Focus
     • Remove certificates
       – not gone but hidden
     • Familiar Log-on
       – Inherited from UK Federated Access
     • Use Portals
       – Remove tooling from user maintenance
       – Opportunity for VO hosted Portals
  4. UK Federation
     • Outsource Identity Management
       – We're doing it anyhow (Matriculation)
       – Reduce support costs
         • Systems already exist at institutes
       – Increase Security
         • Phishing harder (familiar URL, branding, distributed, etc.)
         • Identity checked more regularly
         • Less ad-hoc than normal RA-CA operations
  5. Grid Authentication
     • Need robust security
       – Risks
         • IP, data and Identity theft
         • Meeting SLA
         • Licensing
       – Impact
         • Inconvenience, Litigation, Publicity, Reputation.
     → Need to be very secure
  6. Virtual Organisations
     • VOs grid's answer to scaling
     • Shibboleth doesn't do this well
       – IdP can assert role inside organisation
       – Can IdP assert role inside VO?
     • SARoNGS has VO tooling
       – Attributes specific to Federation via Shib
       – Attributes directly from VO too
     SARoNGS proxy-ing
  7. Joining the NGS VO
     https://cts.ngs.ac.uk/scgi-bin/RegNGS.pl
     http://bit.ly/RegNGS
  8. Portals
     • Users don't have the grid tools
     • Users usually have browsers
       – So we make Portals
         • Use Browsers
         • Provide grid tools
     • Shibboleth is browser based
  9. How does it work
  10. Start Here
  21. 'Applications'
     • Directly (via Portal)
       – NGS Portal
       – MIMAS Landmap demo ('09)
       – Manchester's BioPortal
       – OneVRE
       – WRG's P-Grade Portal
     • Taverna 1 Demo http://youtu.be/E6RKQQ1GGoM
     • NeISS Portal integration
     • Indirect
       – GSI-SSH, MEG, Globus Tools, WMS, SRB
  22. Applying it
     • Put in your portals
     • “Login via NGS” button
     • Use grid enabled services
     • Accept UK eScience SARoNGS CA
     • Accept UK NGS hosted VOs
     • or Accept ukfederation.ngs.ac.uk VO
  23. ukfederation.ngs.ac.uk
     • Says you logged-in via the UK federation
     • you have a valid UK account
     • Can assert your scope
     • (the institution you came from)
     • Can assert your affiliation
     • role: (staff, member, alum, academic)
  24. APIs
     • We don't really know the VO-scape
     • Portals have a better idea
       – They know where you're going
       – They know what you're doing
       – They may be able to guess required credentials
     • Documentation via NeISS and ETF
     • http://bit.ly/NeISSSARoNGS
     • Further functionality negotiable
  25. Some API Examples
     • External VOMS
       – https://cts.ngs.ac.uk/API
       – VO=vomss://voms.ngs.ac.uk:15017/manchester.ac.uk
       – RetURL=http://www.yourportal.login
     • Internal VOMS from
       – https://cts.ngs.ac.uk/API
       – VO=vomss://cts.ngs.ac.uk:443/ukfederation.ngs.ac.uk/manchester.ac.uk
       – RetURL=http://www.yourportal.login
  26. Trust
     • Federation – Names – get EduPersonTargetedID – Roles – member, staff, alum, faculty, ... – Audit
     • CA – IGTF – realistic name, record retention reuse policy – MyProxy
     • VOMS – AUP – Third party control – VOMS Hosting
  27. Trust2
  28. Experiences
     • Even experts have certificate problems
     • Cannot debug a federation
     • Difficult to convince Resource providers to trust us and UK-Fed
     • International trust difficult
  29. Future
     • Upgrade to Shibboleth 2
     • Short JISC funded project “CONSENT”
     • To explore and enhance community usage with NSCCS
     • To provide Labs space for experimental integration
  30. Summary
     • Authentication based on UK Federation
     • Outsourcing trust and support
     • Long but trustable audit trail
     • User Focussed and easy to use
     • Elimination of bad security practices
     • Alignment with community needs
  31. Questions?
     Seminar series Twitter tag - #NGSSEM
