TY - GEN
T1 - Securing HPC using federated authentication
AU - Prout, Andrew
AU - Klein, Anna
AU - Michaleas, Peter
AU - Milechin, Lauren
AU - Mullen, Julie
AU - Rosa, Antonio
AU - Samsi, Siddharth
AU - Yee, Charles
AU - Reuther, Albert
AU - Kepner, Jeremy
AU - Arcand, William
AU - Bestor, David
AU - Bergeron, Bill
AU - Byun, Chansup
AU - Gadepally, Vijay
AU - Houle, Michael
AU - Hubbell, Matthew
AU - Jones, Michael
N1 - Funding Information:
Our first implementation task was to decide what SAML SP software to use on our system; as the SAML standard is widely adopted for federated identity management, there are myriad commercial and open-source products available to choose from. We chose the open-source SimpleSAMLphp project because our login processes were already written in PHP and the product is well supported by a team led by UNINETT, a state-owned company responsible for Norway’s National Research and Education Network. We realized that it would be trivial to integrate this framework into our existing workflow and allow users to choose their preferred authentication method, verify their identity, and establish session persistence using cookies. Many of the other SAML authentication alternatives we investigated were deeply integrated with Apache and would deliver a great deal less implementation flexibility.
Publisher Copyright:
© 2019 IEEE.
PY - 2019/9
Y1 - 2019/9
N2 - Federated authentication can drastically reduce the overhead of basic account maintenance while simultaneously improving overall system security. Integrating with the user's more frequently used account at their primary organization both provides a better experience to the end user and makes account compromise or changes in affiliation more likely to be noticed and acted upon. Additionally, with many organizations transitioning to multi-factor authentication for all account access, the ability to leverage external federated identity management systems provides the benefit of their efforts without the additional overhead of separately implementing a distinct multi-factor authentication process. This paper describes our experiences and the lessons we learned by enabling federated authentication with the U.S. Government PKI and InCommon Federation, scaling it up to the user base of a production HPC system, and the motivations behind those choices. We have received only positive feedback from our users.
KW - Federated Authentication
KW - Federated Identity Management
KW - High Performance Computing
KW - Multi-Factor Authentication
KW - PKI
KW - Public Key Infrastructure
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85076712304&partnerID=8YFLogxK
U2 - 10.1109/HPEC.2019.8916255
DO - 10.1109/HPEC.2019.8916255
M3 - Conference contribution
AN - SCOPUS:85076712304
T3 - 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019
BT - 2019 IEEE High Performance Extreme Computing Conference, HPEC 2019
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 24 September 2019 through 26 September 2019
ER -