Federated Identity Management for HEP
David Kelsey, STFC – RAL
Nijmegen workshop, 22 June 2012

WLCG
• Data processing, storage and analysis for the CERN Large Hadron Collider Experiments
• Making data equally available to all partners, regardless of their physical location
• WLCG is made up of
  • more than 140 computing centres
  • in ~35 countries
  • several * 100 K CPU Cores
  • several * 100 PB Storage
  • ~10 K users
22 June 2012 Kelsey, HEP FIM 2

Endorsement of FIM paper
• DPK presented the paper to
  – HEPiX - 26 April 2012
  – https://indico.cern.ch/contributionDisplay.py?sessionId=7&contribId=20&confId=160737
  – WLCG Grid Deployment Board – 9 May
  – https://indico.cern.ch/conferenceDisplay.py?confId=155068
• Formally endorsed by WLCG Management Board
  – Meeting of 5 June 2012

Federated IdM in HEP
• X.509 certificates and VOMS ACs for Grid services
  – Using TERENA Cert Service in some places
  – Grid also requires Delegation
• But many other services (not just Grid)
  – Collaboration tools, wikis, mail lists, webs, agenda pages…
• Today CERN has to manage thousands of user accounts, many of these are “external”
• Which federations should we use?
  – R&E, Moonshot, OpenID, …?
• Choice should be based on the required level of assurance

Two proposals for pilot projects for WLCG
• Browser based: a pilot using a WLCG collaborative Web application where users authenticate via their home-issued federated credential
• Non-browser based: a service enabling access to WLCG Grid resources using home-issued federated credentials

Browser-based
• Not decided yet
• At CERN or some other site?
• Traditional federated service
  – How do we cope with the scaling issues of joining many federations?

Non-browser
• Access to WLCG Grid services
• Hide the use of X.509 certificates from end users
• Using credential translation techniques
  – From federated identity credential
  – To short-lived X.509 certificate (hidden)
  – For example using the new EMI STS
• 2 slides from Romain Wartel (CERN)

Questions?