Mapping Shibboleth to Proxy Certificates
Recently I have been trying to review the options for mapping UK-Federation identities to X.509 proxy certificates. This has been motivated by the observation that many of our potential users have UK-Federation identities, while the ability to delegate proxy certificates makes them a very useful technology for building portals and other tools.
There is nothing new about this observation: a whole series of previous UK projects, such as SARoNGS, have explored this space in the past. The basic technology needed to do this (MyProxy) is well established. MyProxy acts as a "drop-box" for proxy certificates. Users create proxies and upload them to the MyProxy service, setting a download password. They can then give the download password to the portal site, which retrieves the proxy. Crucially, when combined with an external authentication mechanism, MyProxy can also be configured as a CA, dynamically generating certificates and proxies.

This is the default mechanism that Globus Online uses to implement globus-connect-server. A local MyProxy server issues certificates corresponding to local LDAP identities. These certificates are only valid for the machine that issued them, but this is sufficient because a different certificate can be used on the other end of the transfer. Unfortunately, in the default mode the login credentials flow through the Globus Online server, which therefore has to be fully trusted. This problem has now been addressed by myproxy-oauth. Instead of having to trust every portal, a single trusted OAuth server is deployed alongside the MyProxy. The portal authenticates against this server using an OAuth protocol extended with one additional operation that allows it to retrieve the proxy.
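To make the trust difference between the two patterns concrete, here is a small Python model added for this page (it is not MyProxy, CILogon or Globus code, and every class, method and sample value in it is a constructed stand-in). It models the drop-box pattern, where the portal must be told the download password, beside the myproxy-oauth pattern, where the user authenticates only to the trusted OAuth server and the portal ends up holding a code, a token and a freshly minted certificate, but never the user's password. The `getcert` operation stands in for the extra proxy-retrieval step bolted onto OAuth; its exact name and arguments are an assumption, not the real protocol.

```python
# Added example: toy model of MyProxy drop-box retrieval vs. myproxy-oauth.
# Hypothetical names throughout; the only thing it measures is which user
# secrets each portal sees. Not MyProxy/CILogon/Globus code.
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Proxy:
    """Stand-in for an X.509 proxy certificate: subject, issuer, expiry (epoch secs)."""
    subject: str
    issuer: str
    expires_at: float


class MyProxyDropBox:
    """MyProxy as a drop-box: a stored proxy protected by a download password."""

    MAX_LIFETIME = 12 * 3600  # cap on any retrieved proxy (constructed value)

    def __init__(self):
        self._store = {}  # username -> (proxy, salt, pbkdf2 digest)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def upload(self, username, proxy, download_password):
        salt = secrets.token_bytes(16)
        self._store[username] = (proxy, salt, self._digest(download_password, salt))

    def retrieve(self, username, download_password, lifetime):
        proxy, salt, digest = self._store[username]
        if not hmac.compare_digest(self._digest(download_password, salt), digest):
            raise PermissionError("bad download password")
        # A retrieval yields a fresh proxy delegated from the stored one; it is
        # capped by MAX_LIFETIME and can never outlive the stored credential.
        expires = min(time.time() + min(lifetime, self.MAX_LIFETIME), proxy.expires_at)
        return Proxy(proxy.subject + "/CN=proxy", proxy.subject, expires)


class OAuthMyProxy:
    """Trusted OAuth front-end beside a MyProxy in CA mode. Users authenticate
    HERE; registered portals only ever receive one-shot codes and tokens."""

    def __init__(self, users, clients):
        self._users = users      # username -> password (stands in for external authn such as LDAP)
        self._clients = clients  # client_id -> client_secret (registered portals)
        self._codes = {}         # code -> (username, client_id)
        self._tokens = {}        # access token -> username

    def authorize(self, username, password, client_id):
        stored = self._users.get(username)
        if stored is None or client_id not in self._clients or \
                not hmac.compare_digest(stored.encode(), password.encode()):
            raise PermissionError("authentication failed")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (username, client_id)
        return code

    def token(self, client_id, client_secret, code):
        username, bound_client = self._codes.pop(code)  # KeyError if reused
        if bound_client != client_id or \
                not hmac.compare_digest(self._clients[client_id], client_secret):
            raise PermissionError("client authentication failed")
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = username
        return tok

    def getcert(self, access_token, lifetime):
        """The extra operation beyond plain OAuth: mint a cert for the token's user."""
        username = self._tokens[access_token]
        expires = time.time() + min(lifetime, MyProxyDropBox.MAX_LIFETIME)
        return Proxy(f"/O=myproxy-ca/CN={username}", "/O=myproxy-ca", expires)


class Portal:
    """A portal needing a proxy on the user's behalf; `seen` records every user
    secret that passed through it."""

    def __init__(self, client_id=None, client_secret=None):
        self.client_id, self.client_secret, self.seen = client_id, client_secret, set()

    def via_dropbox(self, dropbox, username, download_password):
        self.seen.add(("password", username))  # the user had to hand the secret over
        return dropbox.retrieve(username, download_password, lifetime=3600)

    def via_oauth(self, server, code):
        tok = server.token(self.client_id, self.client_secret, code)
        return server.getcert(tok, lifetime=3600)


def compare_trust():
    """Run both flows for a constructed user 'alice'; report proxy and secrets seen."""
    stored = Proxy("/C=UK/O=eScience/CN=alice", "/C=UK/O=eScience/CN=CA", time.time() + 7 * 86400)
    dropbox = MyProxyDropBox()
    dropbox.upload("alice", stored, "s3cret-download-pw")
    default_portal = Portal()
    p1 = default_portal.via_dropbox(dropbox, "alice", "s3cret-download-pw")

    server = OAuthMyProxy({"alice": "alice-ldap-pw"}, {"portal-1": "portal-1-secret"})
    oauth_portal = Portal("portal-1", "portal-1-secret")
    code = server.authorize("alice", "alice-ldap-pw", "portal-1")  # user <-> trusted server only
    p2 = oauth_portal.via_oauth(server, code)
    return {"dropbox": (p1, default_portal.seen), "oauth": (p2, oauth_portal.seen)}
```

Running `compare_trust()` shows the drop-box portal holding `("password", "alice")` while the OAuth portal's `seen` set stays empty; both end up with a proxy of the same capped lifetime, which is the point: the same capability is delivered with a smaller set of parties that must be trusted with the user's credential.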
In the US a quite impressive software stack has been built using this technology. It is currently deployed for the InCommon federation by CILogon: federated Shibboleth identities are converted into OAuth and X.509 identities. It would be very nice if we could do something similar with the UK-Federation. Portal integration and proxy retrieval are nothing new; SARoNGS does something similar using browser redirects. The strong adoption of myproxy-oauth in the US, however, means that it might be the right tool to build new tools on.