Presentation Transcript

  1. GGUS user authentication
     Tiziana Ferrari/EGI.eu, Peter Solagna/EGI.eu
     05-02-2013

  2. Requirements (1/2)
     • (1) Information from GGUS tickets must be accessible to all users for traceability of issues and sharing of information across one or multiple VOs (WLCG)
     • GGUS tickets must not include confidential information, whatever user authentication mechanism is adopted (see following slide)
     • (2) Allow all users (including those not holding an X.509 certificate) to submit tickets
     • Usage of robot certificates and eduGAIN credentials gaining popularity

  3. Requirements (2/2)
     • (3) Users must be authenticated
     • GGUS must be protected from spam → user e-mail verification needed
     • No identity vetting and e-mail verification when registering a new SSO account; membership of inspire-members SSO group does not satisfy (2)
     • (4) X.509 authentication must coexist with other user authentication mechanisms (WLCG)

  4. Confidentiality
     • Information available from GGUS must not be confidential
     • Service operations security policy
     • “You shall use logged information, including information provided to you by Users, other Resource Centres, Service operations or by the Infrastructure Organization, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information”
     • IP addresses, middleware packages, log extracts must not include confidential information → the submitter must apply due diligence in this
     • Users holding a valid X.509 certificate are not necessarily more trustworthy

  5. For discussion
     • EGI SSO → no guarantee of user e-mail validity
     • Various implementation scenarios
     • Possible short term solution
     • Usage of an established IdP federation like REFEDS preferable
     • GGUS must become a Service Provider
     • GGUS service metadata to be distributed to the IdPs of the federation, and IdP metadata to be imported by GGUS
     • REFEDS can coexist with authentication of users with an X.509 certificate who are not members of a federated IdP
     • Example of implementation: portal of NGI_IT