EMI Development Plans for Identity Management

  • Published on
    12-Jan-2016


DESCRIPTION

EMI Development Plans for Identity Management. Henri Mikkonen / HIP. Moonshot, Grid and HPC Workshop, 7.7.2011, London, UK. Content: Motivation; Questionnaires to potential customers; AAI use cases; Technology; Introduction to WS-Trust; WS-Trust interoperability & token profiles; Implementation

Transcript

  • EMI Development Plans for Identity Management
    Henri Mikkonen / HIP
    Moonshot, Grid and HPC Workshop
    7.7.2011 London, UK

    EMI Hot Topic, JSC, FZJ

    EMI INFSO-RI-261611

    Content
      • Motivation
      • Questionnaires to potential customers
      • AAI use cases
      • Technology
      • Introduction to WS-Trust
      • WS-Trust interoperability & token profiles
      • Implementation
      • Security Token Service (STS)

    07/07/2011 Henri Mikkonen @ Moonshot, Grid and HPC Workshop

    Background
      • "AAI needs of the DCIs" workshop held at EGI Technical Forum (September 2010) [1]
      • Questionnaires for projects crossing national boundaries and NGIs
      • 3 user communities: Biomed, Earth Sciences, HEP
      • 5 ESFRI projects: CLARIN, Lifewatch, ELIXIR, EuroFEL, ILL
      • 2 NGIs: Italy, U.K.

    Results for the questionnaire [2]
      • Grid users do not want to handle credentials themselves
      • Grid users would like to obtain X.509 credentials and VOMS attributes from other credentials and vice-versa
      • Projects would like to use federated identities
      • Projects recognize that both national and international identity federations will become more important
      • User identities and actions on a Grid should be protected (anonymized)
      • Projects realize that access to the majority of Grid infrastructures requires and will require in the future X.509 credentials

    AAI use cases [2]

    Use-case | Description                                            | Status
    1        | X.509 issuance based on AAI (another security domain)  | Solved (but needs improvement!)
    2        | AAI-enabled portals to Grid infrastructures            | Solutions exist; SAML delegation new
    3        | AAI-enabled Grid information portals                   | Low priority
    4        | Security Token Service                                 | New, general purpose service, high priority
    5        | Use of AAI attributes in Grid                          | Interesting, potentially very important
    6        | VO registration using AAI (identity vetting)           | Low priority

    WS-Trust specification [3]
      • Builds on WS-Security specification
      • Methods for issuing, renewing, validating, and canceling security tokens
      • Trust relationships brokering
      • Security token: a collection of statements (claims) about a user or resource
          • X.509 certificate, SAML assertion, Kerberos ticket, Username/Password
      • Security Token Service (STS): a service used to issue, renew, validate and cancel tokens
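
A sketch of the request check an STS can apply before acting on a WS-Trust message, added here as an example and not taken from the slides or from the EMI STS code. It assumes the WS-Trust 1.3 namespace and the OASIS token-profile URIs (the slides name no version); `classify_rst`, `RejectedRequest` and the issuance allowlist are hypothetical names.

```python
import xml.etree.ElementTree as ET

# Assumption: WS-Trust 1.3 namespace and URIs (the slides do not name a version).
WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
# The four STS operations listed on the slide, keyed by RequestType URI.
OPERATIONS = {f"{WST}/{op}": op.lower() for op in ("Issue", "Renew", "Validate", "Cancel")}
# Token types this hypothetical STS is willing to issue (local policy).
ISSUABLE = {
    "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0": "saml2",
    "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3": "x509",
}

class RejectedRequest(Exception):
    """Raised when a request must not reach the token-handling code."""

def classify_rst(xml_text):
    """Return (operation, token_kind) for a RequestSecurityToken, or raise."""
    # Refuse DTDs outright so entity expansion never reaches the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise RejectedRequest("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise RejectedRequest(f"malformed XML: {exc}") from exc
    if root.tag != f"{{{WST}}}RequestSecurityToken":
        raise RejectedRequest("root element is not wst:RequestSecurityToken")
    req_types = root.findall(f"{{{WST}}}RequestType")
    if len(req_types) != 1:
        raise RejectedRequest("exactly one RequestType is required")
    op = OPERATIONS.get((req_types[0].text or "").strip())
    if op is None:
        raise RejectedRequest("unsupported RequestType")
    token_el = root.find(f"{{{WST}}}TokenType")
    token_uri = (token_el.text or "").strip() if token_el is not None else None
    if op == "issue":
        # Issuance is allowlisted: unknown or missing token types are refused.
        if token_uri not in ISSUABLE:
            raise RejectedRequest("token type not on the issuance allowlist")
        return op, ISSUABLE[token_uri]
    return op, ISSUABLE.get(token_uri)

# Constructed sample request: ask the STS to issue a SAML 2.0 assertion.
SAMPLE_ISSUE = f"""<wst:RequestSecurityToken xmlns:wst="{WST}">
  <wst:TokenType>http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0</wst:TokenType>
  <wst:RequestType>{WST}/Issue</wst:RequestType>
</wst:RequestSecurityToken>"""

if __name__ == "__main__":
    print(classify_rst(SAMPLE_ISSUE))
```

The check covers only the request envelope; authenticating the caller and verifying the WS-Security header are separate steps that this example leaves out.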

    WS-Trust schema fragment (1/2)

    Actual content model is non-deterministic, hence wildcard. The following shows intended content model:
