Presentation on theme: "GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch"— Presentation transcript:
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch email@example.com
Oct 3rd, 20052GGF15 What is GridShib NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit –Funded under NSF award SCI-0438424 GridShib team: NCSA, U. Chicago, ANL –Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team
Oct 3rd, 20053GGF15 Motivation Many Grid VOs are focused on science or business other than IT support –Don’t have expertise or resources to run security services Allow for leveraging of Shibboleth code and deployments run by campuses
Oct 3rd, 20054GGF15 Outline Overview of Shibboleth Overview of Globus/Grid PKI Approach Status and Future Plans
Oct 3rd, 20056GGF15 Student? Check out book… Access student records… Is student John Smith?
Oct 3rd, 20057GGF15 Check out book… Different protocols Privacy Different Schemas
Oct 3rd, 20058GGF15 Shibboleth http://shibboleth.internet2.edu/ Internet2 project Allows for inter-institutional sharing of web resources (via browsers) –Provides attributes for authorization between institutions Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’ Standards-based (SAML) Being extended to non-web resources
Oct 3rd, 20059GGF15 SAML Authn/Authz Uses SAML to express Identity and attributes to Allow for interoperability Uses short-lived identifiers To protest privacy of users.
Oct 3rd, 200510GGF15 Check out book… Pseudonymous Identifier Is a student Pseudonymous Identifier
Oct 3rd, 200511GGF15 Shibboleth Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services SSO: authenticates user locally and issues authentication assertion with Handle –Assertion is short-lived bearer assertion –Handle is also short-lived and non-identifying –Handle is registered with AA Attribute Authority responds to queries regarding handle
Oct 3rd, 200512GGF15 Shibboleth Service Provider composed of Assertion Consumer and Attribute Requestor Assertion Consumer parses authentication assertion Attribute Requestor: request attributes from AA –Attributes used for authorization Where Are You From (WAYF) service determines user’s Identity Provider
Oct 3rd, 200513GGF15 Shibboleth (Simplified) AA SSO Shibboleth IdP Handle Attributes SAML AR ACS Shibboleth SP Handle LDAP (e.g.)
Oct 3rd, 200514GGF15 Globus Toolkit http://www.globus.org Toolkit for Grid computing –Job submission, data movement, data management, resource management Based on Web Services and WSRF Security based on X.509 identity- and proxy-certificates –Maybe from conventional or on-line CAs Some initial attribute-based authorization
Oct 3rd, 200515GGF15 Grid PKI Large investment in PKI at the international level for Grids –TAGPMA, GridPMA, APGridPMA –Dozens of CAs, thousands of users Really painful to establish But its working… –And it’s not going way easily
Oct 3rd, 200516GGF15 Integration Approach Conceptually, replace Shibboleth’s handle-based authentication with X509 –Provides stronger security for non-web browser apps –Works with existing PKI install base To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible
Oct 3rd, 200517GGF15 Use Cases Project leveraging campus attributes –Simplest case Project-operated Shib service –Project operates own service, conceptually easy, but not ideal Campus-operated, project-administered Shib –Ideal mix, but need mechanisms for provisioning of attribute administration
Oct 3rd, 200518GGF15 GridShib (Simplified) A SSO Shibboleth DN Attributes DN SAML SSL/TLS, WS-Security
Oct 3rd, 200519GGF15 Authorization Delivering attributes is half the story… Currently have a simple authorization mechanisms –List of attributes required to use service or container Developing finer-grain authorization for GRAM
Oct 3rd, 200520GGF15 Authorization Plans Develop authorization framework in Globus Toolkit –Siebenlist et. al. at Argonne –Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions Work in OGSA-Authz WG to allow for callouts to third-party authorization services –E.G. PERMIS Convert Attributes (SAML or X509) into common format for policy evaluation –XACML-based
Oct 3rd, 200521GGF15 GridShib Status Beta release publically available Drop-in addition to GT 4.0 and Shibboleth 1.3 Project website: –http://gridshib.globus.org Very interested in feedback
Oct 3rd, 200522GGF15 Future Plans Integration of GridShib with MyProxy Online CA –Allow for use of Grid Resources by users without long-term X509 credentials –Collaboration with Jim Basney Signet/Grouper integration for distributed attribute administration –See Tom Barton’s talk
Oct 3rd, 200523GGF15 Questions? My email: –firstname.lastname@example.org@ncsa.uiuc.edu Project website: –http://gridshib.globus.org
Your consent to our cookies if you continue to use this website.