Presentation is loading. Please wait.

Presentation is loading. Please wait.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

Published byGeorgiana Lauren Campbell Modified over 9 years ago

Similar presentations

Presentation on theme: "The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007."— Presentation transcript:

1 The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007

2 What is VOMS VOMS is…  An Attribute Authority.  A VO Management System.  A source of trust for authorization. VOMS is not…  A policy system.  An AuthN/AuthZ framework.

3 VOMS: The problem In a grid environment, VOs tend to be extremely large and change frequently.  Hundreds or even thousands of users. Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies. It is not scalable to manage them by hand

4 VOMS: The solution Organize users into groups and grant them roles.  Allows for full RBAC authorization. Also, adds other general-purpose attributes.

5 Who uses VOMS? Egee  10 VOs, 2 servers InfnGrid  15 VOs, 2 servers OSG  29 VOs, ? servers

6 VOMS Architecture VOMSDB VOMS-ADMIN Secure

7 What is VOMS-Admin? A web application that manages the contents of the VOMS database Used by VO Administrators mainly to  add/remove users to the VO,  put them in VOMS groups,  assign VOMS roles to them Provides a WSDL interface to its functions Has a command line client Has a web-based user interface

8 VOMS-Admin architecture

9 What is VOMSd VOMSd is the component which listens for user requests and creates Attribute Certificates.  All communication is secured and mutually authenticated.  Allows high customization of ACs. Which roles to present, validity length, targeting, etc…

10 VOMSd Architecture VOMSd DBBACKENDDBBACKEND DBINTERFACEDBINTERFACE I/OINTERFACEI/OINTERFACE Internal Logic

11 VOMS data format Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate.  The exact profile is described here: https://forge.gridforum.org/sf/go/doc13797?nav=1  ACs are the natural choice in a X.509 world. The grid is a X.509 world. The provided clients insert the AC in a non-critical extension of the user proxy.  Immediate compatibility with non-VOMS aware software.

12 What is a proxy? A proxy is a short-lived certificate that has as issuer a user certificate.  Standardized in RFC 3820.  Commonly used throughout the grid for authentication and authorization purposes.

13 VOMS clients The clients provided are command-line based.  But APIs are available in C,C++ and JAVA. You could write your own client.

14 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Subject

15 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s issuer

16 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Certificate’s subject

17 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Type of proxy

18 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s key strength

19 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Location

20 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s validity

21 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 VO Name

22 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Data

23 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Group membership

24 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 General-Purpose attributes

25 Example of data: [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 AC validity

26 Voms & Shibboleth

27 Shibboleth Structure IdPSP WAYF

28 Shibboleth: Protocol Description User Service Provider Wayf Identity Provider

29 A common misconception: VOMSShibboleth = IdP

30 Similarities VOMS and a Shibboleth IdP both…  Maintain lists of user identities.  Add attributes to user identities.  Offer a way to distribute such attributes.

31 Differences Shibboleth IdPVOMS Has good support for federationsHas basic support for federations Does not support X.509Supports X.509 Supports SAMLSAML support in development Allows third parties to get information on usersDoes not allow third parties to get information on users. Pull modelPush model Mostly geared to website authorizationMostly geared to grid authorization Delegation of credentials not well supportedDelegation of credentials well supported

32 Shibboleth and Grids: The problem “The Shibboleth System is NOT usable in non-Browser scenarios (without a lot of hard thinking)”  “Introduction to Shibboleth – Phases of Deployment” Steve Carmody, 2006 Shibboleth Camp Unfortunately, grid access and usage relies heavily on non-browser access.  Implies that some translation mechanism is necessary for shib users to access a grid.

33 An example submission Broker Execution Storage Job Data Job Data

34 Shibboleth and Grids: The Solution Insert Shib attributes directly in a VOMS proxy and use said proxy for grid access.  Implemented by VASH  Collaboration by SWITCH and INFN within EGEE.  Details in my colleague’s presentation.

35 The VOMS team Vincenzo Ciaschini  vincenzo.ciaschini@cnaf.infn.it Valerio Venturi  valerio.venturi@cnaf.infn.it Andrea Ceccanti  andrea.ceccanti@cnaf.infn.it

Download ppt "The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.

OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.

A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Federated A(A(A))I Jens Jensen hepsysman, RAL, 20110701.

Federated A(A(A))I Jens Jensen hepsysman, RAL,
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.

Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
Www.infotech.monash.edu.au Presented by Xiaoyu Qin 21637881 Virtualized Access Control & Firewall Virtualization.

Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.

1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,

May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

Similar presentations

Ads by Google