LIGO Pilot Update - AARC project

Authentication and Authorisation for Research and Collaboration

LIGO Pilot Update SAML Proxy

Paul Hopkins
Cardiff University
LIGO Scientific Collaboration

AARC2 Third Meeting, Athens, April 12th, 2018
https://aarc-project.eu

Current Infrastructure

[Architecture diagram. Labelled components: Internal User (LIGOLab, LSC, Virgo, ...); my.ligo.org (Onboarding & Management); Grouper; LDAP; Kerberos; login.ligo.org IdP; Shibboleth; SAML Proxy (SATOSA); eduGAIN; CILogon; grid-proxy-init; ligo-proxy-init; CILogon Proxy Certificate; IGTF Proxy Certificate; gsissh; gsiscp; Attribute pull; 200+ SPs; GraceDB; Wiki; DCC; P&P; Vote; Cluster (web); grid-mapfile (LGMM); Cluster (gsissh).]

Progress

✓ Aims:
  o Add a SAML proxy for internal usage
  o Start moving SPs to the SAML proxy
  o Document changes required to SP configuration
  o Investigate PyFF for metadata aggregation and discovery service

✓ Progress:
  o Working closely with Scott Koranda (LIGO / Spherical Cow Group) and Jouke Roorda
  o Plan to implement Dockerised solution
  o Document changes required to SP configuration

✓ Next steps:
  o Actually create SAML Proxy and use internal LIGO IdP
  o Start switching my SPs over (e.g. Cardiff GitLab, wiki, Webserver, JupyterHub, ...)

✓ Long term:
  o Switch away from my.ligo.org to CILogon hosted instance of COmanage?


Limitations of Federated Identities

✓ Observatories:
  o LIGO Observatories are in rural locations
  o WAN often fails
  o Currently replicate authentication, IdP, and SPs
  o Would need to retain dedicated LIGO authentication for observatory staff and visitors

✓ SSH Access:
  o Still struggling to find a good federated solution for SSH access
  o As well as CILogon proxy certificate + gsissh, switching to password and/or centrally managed SSH key
  o In a federated world we could create a dedicated password for SSH access

✓ Virgo:
  o LIGO works closely with the Virgo collaboration and shares many resources
  o Virgo does not use any SSO solution or federated identities


Thank you
Any Questions?
[email protected]


© GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 730941 (AARC2).
