Accessing TeraGrid via InCommon or How to have one less password

1. Accessing TeraGrid via InCommonorHow to have one less password Jim Basney, Terry Fleury, Von Welch TeraGrid09 June 25, 2009

2. Big Picture: CASC Report • Tactical Recommendation 2.3.1a: The global federated system for identity management, authentication, and authorization that is supported by the InCommon Federation should be adopted with an initial focus on major research universities and colleges. After an initial deployment in research- oriented functions involving research universities, such an identity management strategy for CI should be implemented generally within funding agencies and other educational institutions. http://www.casc.org/papers/CASC-CCI_Workshop_Report_and_Recommendations.pdf June 25, 2009

3. We’re In What? • InCommon • http://www.incommonfederation.org/ • “The mission of the InCommon Federation is to create and support a common framework for trustworthy shared management of access to on-line resources in support of education and research in the United States.” • My words: A collection of organizations seeking to allow access to resources based on login at a user’s home organization. • Shibboleth • http://shibboleth.internet2.edu/ • “The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries.” • My words: The technology that allows access to resources based on a login at a user’s home organization. June 25, 2009

4. Pragmatically • Long Term: • Show how CI projects can leverage existing logins (username and password) at the user’s campus. • Short Term: • Allow TG users to also use their campus logins to access TG. • Do not replace current TG vetting process or logins. • Bind Shibboleth login to existing TG user, similar to SSH pubkey or grid credential. June 25, 2009

5. We want You!If you are friendly and forgiving… • We are in friendly user mode. • Friendly user == someone who won’t get mad if it breaks. • Won’t go full production until integrated with TeraGrid User Portal • Best guess is by year’s end. • We are looking for good tire kickers to help work the kinks out! when June 25, 2009

6. What do I get to kick? • https://go.teragrid.org • Prototype of what will be in TeraGrid User Portal. • Replicates functionality of TGUP to access TG resources: • SSH, GridFTP June 25, 2009

7. How does it work? • First time: • You will log in with your TeraGrid account and your campus account. • After that: • You will log in with just your campus account. • Then use built-in SSH or GridFTP clients • Or download grid credential to desktop. June 25, 2009

8. What do we need from Campus? • Campus needs to be in InCommon • Campus needs to release your identity to TeraGrid • Technical-speak: ePPN or ePTID • More technical speak: we need to understand the campus identity re-issuance policy. June 25, 2009

9. Current Campuses that work Today • Columbia U. • Cornell U. • Indiana U. • MIT • Michigan State • Northwestern • Penn State • Purdue • Stanford • U. California, David • UCSD • U. Chicago • U. Illinois • U. Iowa • U. Michigan • U. Minnesota • U. Southern Cal. • U. Texas – Austin • U. Utah June 25, 2009

10. I’m not at one of those campuses! • If you just want to try it out: • http://www.protectnetwork.org/ • Register for a “End User UserID” and try it out • Free, easy. • If your campus is in InCommon, let us know and we can talk to your Shibboleth administrator. • http://www.incommonfederation.org/participants/ • If your campus is not in InCommon, please encourage them to join. • Doing this right takes time… June 25, 2009

11. Questions? • Contact: • Me: vwelch@ncsa.illinois.edu • Technical for go.teragrid.org: go-admin@teragrid.org • In case you missed it:https://go.teragrid.org • Many thanks: InCommon, Shibboleth, NSF NMI program, Tom Barton, all our testers so far. June 25, 2009