
GGUS user authentication

GGUS user authentication. Tiziana Ferrari/EGI.eu, Peter Solagna/EGI.eu, 05-02-2013. Requirements (1/2). (1) Information from GGUS tickets must be accessible to all users for traceability of issues and sharing of information across one or multiple VOs (WLCG)


Presentation Transcript


  1. GGUS user authentication. Tiziana Ferrari/EGI.eu, Peter Solagna/EGI.eu, 05-02-2013

  2. Requirements (1/2)
     • (1) Information from GGUS tickets must be accessible to all users for traceability of issues and sharing of information across one or multiple VOs (WLCG)
       • GGUS tickets must not include confidential information whatever user authentication mechanism is adopted (see following slide)
     • (2) Allow all users (including those not holding an X.509 certificate) to submit tickets
       • Usage of robot certificates and eduGAIN credentials gaining popularity

  3. Requirements (2/2)
     • (3) Users must be authenticated
       • GGUS must be protected from spam → user e-mail verification needed
       • No identity vetting and e-mail verification when registering a new SSO account, membership of inspire-members SSO group does not satisfy (2)
     • (4) X.509 authentication must coexist with other user authentication mechanisms (WLCG)

  4. Confidentiality
     • Information available from GGUS must not be confidential
     • Service operations security policy
     • “You shall use logged information, including information provided to you by Users, other Resource Centres, Service operations or by the Infrastructure Organization, only for administrative, operational, accounting, monitoring and security purposes. You shall apply due diligence in maintaining the confidentiality of logged information”
     • IP addresses, middleware packages, log extracts must not include confidential information → the submitter must apply due diligence in this
     • Users holding a valid X.509 certificate are not necessarily more trustworthy

  5. For discussion
     • EGI SSO → no guarantee of user e-mail validity
     • Various implementation scenarios
     • Possible short term solution
     • Usage of an established IdP federation like REFED preferable
     • GGUS must become a Service Provider
     • GGUS service metadata to be distributed to IDPs of the federation and IDP metadata to be imported by GGUS
     • REFED can coexist with authentication of users with X.509 certificate who are not members of a federated IDP
     • E.g. of implementation: Portal of NGI_IT
