Securing HPC using federated authentication

Andrew Prout; Anna Klein; Peter Michaleas; Lauren Milechin; Julie Mullen; Antonio Rosa; Siddharth Samsi; Charles Yee; Albert Reuther; Jeremy Kepner; William Arcand; David Bestor; Bill Bergeron; Chansup Byun; Vijay Gadepally; Michael Houle; Matthew Hubbell; Michael Jones

doi:10.1109/HPEC.2019.8916255

Securing HPC using federated authentication

Andrew Prout, Anna Klein, Peter Michaleas, Lauren Milechin, Julie Mullen, Antonio Rosa, Siddharth Samsi, Charles Yee, Albert Reuther, Jeremy Kepner, William Arcand, David Bestor, Bill Bergeron, Chansup Byun, Vijay Gadepally, Michael Houle, Matthew Hubbell, Michael Jones

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user's more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and In Common Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.

Original language	English
Title of host publication	2019 IEEE High Performance Extreme Computing Conference, HPEC 2019
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781728150208
DOIs	https://doi.org/10.1109/HPEC.2019.8916255
State	Published - Sep 2019
Externally published	Yes
Event	2019 IEEE High Performance Extreme Computing Conference, HPEC 2019 - Waltham, United States Duration: Sep 24 2019 → Sep 26 2019

Publication series

Name	2019 IEEE High Performance Extreme Computing Conference, HPEC 2019

Conference

Conference	2019 IEEE High Performance Extreme Computing Conference, HPEC 2019
Country/Territory	United States
City	Waltham
Period	09/24/19 → 09/26/19

Keywords

Federated Authentication
Federated Identity Management
High Performance Computing
Multi-Factor Authentication
PKI
Public Key Infrastructure
Security

Access to Document

10.1109/HPEC.2019.8916255

Cite this

Prout, A., Klein, A., Michaleas, P., Milechin, L., Mullen, J., Rosa, A., Samsi, S., Yee, C., Reuther, A., Kepner, J., Arcand, W., Bestor, D., Bergeron, B., Byun, C., Gadepally, V., Houle, M., Hubbell, M., & Jones, M. (2019). Securing HPC using federated authentication. In 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019 [8916255] (2019 IEEE High Performance Extreme Computing Conference, HPEC 2019). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/HPEC.2019.8916255

Prout, Andrew ; Klein, Anna ; Michaleas, Peter ; Milechin, Lauren ; Mullen, Julie ; Rosa, Antonio ; Samsi, Siddharth ; Yee, Charles ; Reuther, Albert ; Kepner, Jeremy ; Arcand, William ; Bestor, David ; Bergeron, Bill ; Byun, Chansup ; Gadepally, Vijay ; Houle, Michael ; Hubbell, Matthew ; Jones, Michael. / Securing HPC using federated authentication. 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019. Institute of Electrical and Electronics Engineers Inc., 2019. (2019 IEEE High Performance Extreme Computing Conference, HPEC 2019).

@inproceedings{1a8acc6831c04ac8add49262de097e3d,

title = "Securing HPC using federated authentication",

abstract = "Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user's more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and In Common Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.",

keywords = "Federated Authentication, Federated Identity Management, High Performance Computing, Multi-Factor Authentication, PKI, Public Key Infrastructure, Security",

author = "Andrew Prout and Anna Klein and Peter Michaleas and Lauren Milechin and Julie Mullen and Antonio Rosa and Siddharth Samsi and Charles Yee and Albert Reuther and Jeremy Kepner and William Arcand and David Bestor and Bill Bergeron and Chansup Byun and Vijay Gadepally and Michael Houle and Matthew Hubbell and Michael Jones",

note = "Funding Information: Our first implementation task was to decide what SAML SP software to use on our system; as the SAML standard is widely adopted for federated identity management, there are myriad commercial and open-source products available to choose from. We chose the open-source SimpleSAMLphp project because our login processes were already written in PHP and the product is well supported by a team led by UNINETT, a state-owned company responsible for Norway{\textquoteright}s National Research and Education Network. We realized that it would be trivial to integrate this framework into our existing workflow and allow users to choose their preferred authentication method, verify their identity, and establish session persistence using cookies. Many of the other SAML authentication alternatives we investigated were deeply integrated with Apache and would deliver a great deal less implementation flexibility. Publisher Copyright: {\textcopyright} 2019 IEEE.; null ; Conference date: 24-09-2019 Through 26-09-2019",

year = "2019",

month = sep,

doi = "10.1109/HPEC.2019.8916255",

language = "English",

series = "2019 IEEE High Performance Extreme Computing Conference, HPEC 2019",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2019 IEEE High Performance Extreme Computing Conference, HPEC 2019",

}

Prout, A, Klein, A, Michaleas, P, Milechin, L, Mullen, J, Rosa, A, Samsi, S, Yee, C, Reuther, A, Kepner, J, Arcand, W, Bestor, D, Bergeron, B, Byun, C, Gadepally, V, Houle, M, Hubbell, M & Jones, M 2019, Securing HPC using federated authentication. in 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019., 8916255, 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019, Institute of Electrical and Electronics Engineers Inc., 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019, Waltham, United States, 09/24/19. https://doi.org/10.1109/HPEC.2019.8916255

Securing HPC using federated authentication. / Prout, Andrew; Klein, Anna; Michaleas, Peter; Milechin, Lauren; Mullen, Julie; Rosa, Antonio; Samsi, Siddharth; Yee, Charles; Reuther, Albert; Kepner, Jeremy; Arcand, William; Bestor, David; Bergeron, Bill; Byun, Chansup; Gadepally, Vijay; Houle, Michael; Hubbell, Matthew; Jones, Michael.

2019 IEEE High Performance Extreme Computing Conference, HPEC 2019. Institute of Electrical and Electronics Engineers Inc., 2019. 8916255 (2019 IEEE High Performance Extreme Computing Conference, HPEC 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Securing HPC using federated authentication

AU - Prout, Andrew

AU - Klein, Anna

AU - Michaleas, Peter

AU - Milechin, Lauren

AU - Mullen, Julie

AU - Rosa, Antonio

AU - Samsi, Siddharth

AU - Yee, Charles

AU - Reuther, Albert

AU - Kepner, Jeremy

AU - Arcand, William

AU - Bestor, David

AU - Bergeron, Bill

AU - Byun, Chansup

AU - Gadepally, Vijay

AU - Houle, Michael

AU - Hubbell, Matthew

AU - Jones, Michael

N1 - Funding Information: Our first implementation task was to decide what SAML SP software to use on our system; as the SAML standard is widely adopted for federated identity management, there are myriad commercial and open-source products available to choose from. We chose the open-source SimpleSAMLphp project because our login processes were already written in PHP and the product is well supported by a team led by UNINETT, a state-owned company responsible for Norway’s National Research and Education Network. We realized that it would be trivial to integrate this framework into our existing workflow and allow users to choose their preferred authentication method, verify their identity, and establish session persistence using cookies. Many of the other SAML authentication alternatives we investigated were deeply integrated with Apache and would deliver a great deal less implementation flexibility. Publisher Copyright: © 2019 IEEE.

PY - 2019/9

Y1 - 2019/9

N2 - Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user's more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and In Common Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.

AB - Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user's more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and In Common Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.

KW - Federated Authentication

KW - Federated Identity Management

KW - High Performance Computing

KW - Multi-Factor Authentication

KW - PKI

KW - Public Key Infrastructure

KW - Security

UR - http://www.scopus.com/inward/record.url?scp=85076712304&partnerID=8YFLogxK

U2 - 10.1109/HPEC.2019.8916255

DO - 10.1109/HPEC.2019.8916255

M3 - Conference contribution

AN - SCOPUS:85076712304

T3 - 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019

BT - 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 24 September 2019 through 26 September 2019

ER -

Securing HPC using federated authentication

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this