2. Outline
§ What is a Science Gateway ?
§ The Catania Science Gateway Framework
§ General Architecture
§ Authentication, Authorisation and Roles
§ Catania Grid Engine
§ Roles
§ Use Case:
§ The DECIDE Science Gateway
§ The GARR Science Gateway
Riccardo Rotondo
Tutorial on Science Gateways, Roma, 03.06.2013
9. Federated Identity Management (FIdM)
§ In the web technology arena many approaches are available to federate authentication
§ A standard provided by OASIS defines the Security Assertion Markup Language (SAML)
§ Several tools are available, e.g.:
§ Shibboleth
§ SimpleSAMLphp
§ Organisations can rely on traditional tools to manage users:
§ LDAP, CAS, plain text, etc.
§ Free and Open Source
10. Enabling SGs to FIdM
§ Access to e-Infrastructure services requires authentication.
§ The distributed/cross-domain nature of resources requires, in some cases, strong security mechanisms
§ SGs are willing to provide easy access to these services
§ Some institutions want to maintain control of their own users' authentication
11. So a federation is made of…
§ A collection of Identity Providers that follow a defined set of rules and policies.
§ Identity Providers (IdPs) are responsible for authenticating a closed group of users (i.e. those of the same organisation)
§ Each IdP regulates access to a set of Service Providers (e.g. the mail server of the mentioned organisation)
14. Authorisation request
§ The first time users access the Science Gateway, their IdP authenticates them
§ The LDAP server connected to the Service Provider (SP) cannot authorise the users
§ The SP leads users automatically to the registration form
§ Apart from their data, users can request a specific role
17. Registration
§ Users not belonging to any of the enabled federations can register with the catch-all Identity Provider of the GrIDP federation
23. Applications accessing grid services
§ 12 applications developed across 5 different countries and 3 continents (Europe, Latin America and Asia);
§ 4 scientific domains:
§ Life Science;
§ Mathematics & Computer Science;
§ High Energy Physics;
§ Cultural Heritage.
30. Roles & Privileges
§ Navigating a Science Gateway changes according to the different roles
§ Mapping between Liferay roles and LDAP groups
§ Similar mapping available on the grid (e.g. VOMS roles)
§ Liferay allows the administrator to fully customise the user experience by assigning different roles to each component (pages, wikis, plugins, data)
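The SP-side decision described on slides 14 and 30, as an added Python example that is not part of the tutorial: it reads the eduPersonPrincipalName from a SAML attribute statement, sends users unknown to the SP's LDAP to registration, and maps LDAP groups to Liferay roles. The LDAP content, the group-to-role table and the attribute assertion are constructed here, and the SAML library (e.g. the Shibboleth SP) is assumed to have already validated the assertion's signature.

```python
import xml.etree.ElementTree as ET
from typing import Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName

# Constructed stand-in for the SP's LDAP server: user -> group memberships
LDAP_USERS = {
    "alice@example.org": ["gateway-users", "decide-analysts"],
    "bob@example.org": ["gateway-users"],
}
# Constructed LDAP-group -> Liferay-role table (cf. slide 30). Groups not
# listed here grant no role at all, so adding one is a deliberate decision.
GROUP_TO_ROLE = {
    "gateway-users": "User",
    "decide-analysts": "DECIDE Analyst",
    "gateway-admins": "Administrator",
}

def extract_eppn(assertion_xml: str) -> Optional[str]:
    """Pull eduPersonPrincipalName out of an already signature-checked assertion."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        if attr.get("Name") == EPPN_OID:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text:
                return value.text.strip()
    return None

def authorise(assertion_xml: str) -> dict:
    """SP decision: roles for a known user, registration for an unknown one."""
    eppn = extract_eppn(assertion_xml)
    if eppn is None:
        return {"decision": "reject", "reason": "no eduPersonPrincipalName"}
    groups = LDAP_USERS.get(eppn)
    if groups is None:
        # Authenticated by the IdP but not in the SP's LDAP: slide 14 flow
        return {"decision": "register", "user": eppn}
    roles = sorted({GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE})
    return {"decision": "allow", "user": eppn, "roles": roles}

def assertion_for(eppn: str) -> str:
    """Constructed minimal attribute statement, not real IdP output."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f'<saml:AttributeStatement><saml:Attribute Name="{EPPN_OID}">'
        f'<saml:AttributeValue>{eppn}</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    )
```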