Main Image
Volume 270 - International Symposium on Grids and Clouds (ISGC) 2016 (ISGC 2016) - Networking, Security, Infrastructure & Operations
Kipper – a Grid bridge to Identity Federation
A. Kiryanov,* A. Manzi, O. Keeble
*corresponding author
Full text: pdf
Published on: 2017 January 11
Identity Federation (IdF, aka Federated Identity) is the means of interlinking people's
electronic identities stored across multiple distinct identity management systems. This
technology has gained momentum in the last several years and is becoming popular in academic
organisations involved in international collaborations. One example of such a federation is
eduGAIN, which interconnects European educational and research organisations, and enables
trustworthy exchange of identity-related information. In this work we will show an integrated
Web-oriented solution code-named “Kipper” with a goal of providing access to WLCG
resources using a user's IdF credentials from their home institute with no need for user-acquired
X.509 certificates. Kipper achieves “X.509-free” access to Grid resources with the help of two
additional services: STS and IOTA CA. STS allows credential translation from the SAML2
format used by Identity Federation to the VOMS-enabled X.509 used by most of the Grid, and
the IOTA CA is responsible for automatic issuing of short-lived X.509 certificates. Kipper
comes with a JavaScript API considerably simplifying development of rich and convenient
“X.509-free” Web-interfaces to Grid resources, and also encouraging adoption of IOTA-class
CAs among WLCG sites. We will describe a working prototype of IdF support in the WebFTS
interface to the FTS3 data transfer engine, enabled by integration of multiple services: WebFTS,
CERN SSO (member of eduGAIN), CERN IOTA CA, STS, and VOMS.
Open Access
Creative Commons LicenseCopyright owned by the author(s) under the term of the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.