Speaker
Mr
Andrey Kiryanov
(PNPI)
Description
Identity Federation (IdF, aka Federated Identity) is the means of interlinking people's electronic identities stored across multiple distinct identity management systems. This technology has gained momentum in the last several years and is becoming popular in academic organisations involved in international collaborations.
One example of such federation is eduGAIN, which interconnects European educational and research organisations, and enables trustworthy exchange of identity-related information.
In this work we will show an integrated Web-oriented solution code-named Kipper with a goal of providing access to WLCG resources using a user's IdF credentials from their home institute with no need for user-acquired X.509 certificates.
Kipper achieves “X.509-free” access to Grid resources with the help of two additional services: STS and IOTA CA. STS allows credential translation from SAML2 format used by Identity Federation to the VOMS-enabled X.509 used by most of the Grid, and the IOTA CA is responsible for automatic issuing of short-lived X.509 certificates.
Kipper comes with a JavaScript API considerably simplifying development of rich and convenient “X.509-free” Web-interfaces to Grid resources, and also advocating adoption of IOTA-class CAs among WLCG sites.
We will describe a working prototype of IdF support in the WebFTS interface to the FTS3 data transfer engine, enabled by integration of multiple services: WebFTS, CERN SSO (member of eduGAIN), CERN IOTA CA, STS, and VOMS.
Primary author
Mr
Andrey Kiryanov
(PNPI)
