Federating HPC Access via SAML: Towards a Plug-and-Play Solution

  • Jens Köhler
  • Michael Simon
  • Martin Nussbaumer
  • Hannes Hartenstein
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7905)


Many potential users hesitate to use HPC resources because the procedures necessary to get access are sometimes complex. Furthermore, HPC providers need up-to-date identity information to make correct access control decisions. Federated identity management addresses both issues by enforcing access control based on the users’ familiar accounts at their home organizations. SAML-based federations consisting of home organizations and web services are already established, but the integration of non-web-based services such as HPC resources is not trivial due to the absence of a browser as a user client or missing trust between web portals and HPC resources. In this paper, we propose a concept that enables non-web-based services to join SAML-based federations. From the service’s point of view, our approach is transparent and appears to be a local LDAP directory. From the federation’s point of view, our approach can be integrated like an ordinary SAML service provider. Due to this separation of concerns, integration effort is considerably reduced. Furthermore, we will show how our approach can be extended to enable federated access to semi-trusted web portals.


High Performance Computing; Service Client; Local Account; Identity Provider; Security Assertion Markup Language
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Jens Köhler (1)
  • Michael Simon (1)
  • Martin Nussbaumer (1)
  • Hannes Hartenstein (1)
  1. Karlsruhe Institute of Technology (KIT), Steinbuch Centre for Computing (SCC), Karlsruhe, Germany
