Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph.

Similar presentations


Presentation on theme: "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph."— Presentation transcript:

1 EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph Witzig, SWITCH NORDUnet Conference April 9, 2008

2 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Content Introduction to AAIs –Why interoperability AAI - Grids –Authentication and authorization (AA) in Grids and Shibboleth Interoperability Shibboleth - Grid within EGEE –Short-lived credential service (SLCS) –Attribute exchange to VOMS –Future developments within EGEE Other activities in interoperability Shibboleth - Grids Summary

3 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Security Models AAI solve the old problem of access control to resources There are various technologies in use - their usefulness depends on the underlying infrastructure 1.Crusader Castle 2.League of Nations 3.Federations

4 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Crusader Castle Appropriate for few, non-mobile users

5 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, University A Library B University C Student Admin Web Mail e-Learning Literature DB e-Learning Research DB Authorization User Administration Authentication Resource Credentials e-Journals Tedious user registration at all resources Unreliable and outdated user data at resources Different login processes Many different passwords Many resources not protected due to difficulties Often IP-based authorization Costly implementation of inter-institutional access Crusader Castle

6 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, University A University C League of Nations Student Admin Web Mail e-Learning Research DB Authorization User Administration Authentication Resource Credentials User registration process with CA User has one credential to present to resources authN and authZ at resource User has to manage credential Standard use in grids (IGTF) Delegation mechanism Standardized Credentials (International Conference on Passports 1920) Passport Issuer (CA) X.509 credentials

7 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, University A Library B University C Federated Identity Management Student Admin Web Mail e-Learning Literature DB e-Learning Research DB Authorization User Administration Authentication Resource Credentials e-Journals No user registration and user data maintenance at resource needed Single login process for the users Many new resources available for the users Enlarged user communities for resources Efficient implementation of inter-institutional access Shibboleth open source internet2 SAML Web-based Single Sign-on authN at Identity Provider authZ at Service Provider based on users attributes as provided by IdP Privacy Federated Identity Management

8 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Example of an AAI: SWITCHaai

9 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Why Interoperability AAI - Grid ? For AAI Federations: Add grid resources to federation For Grids: Add huge user base (campus network) For e-Science: Unified user base Bring stakeholders together (NRENs - Grids) For Users: Simpler management of credentials Easy access to grids

10 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Interoperability Challenges authN at grid resource Attribute-based authZ Federation attributes vs VO attributes Delegation Renewal of credentials

11 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Content Introduction to AAIs –Why interoperability AAI - Grids –Authentication and authorization (AA) in Grids and Shibboleth Interoperability Shibboleth - Grid within EGEE –Short-lived credential service (SLCS) –Attribute exchange to VOMS –Future developments within EGEE Other activities in interoperability Shibboleth - Grids Summary

12 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Overview Phase 1 and 2 SLCS = Short lived credential service VASH = VOMS attributes from Shibboleth

13 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Design Decisions SLCS CA and VOMS SP independent of each other –Separate Service Providers –Deployed independently SLCS CA independent of the Grid middleware VOMS SP only dependent on VOMS

14 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Short Lived Credential Service (SLCS)

15 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, SLCS Profile SLCS = Short Lived Credential Service International Grid Trust Federation (IGTF) Profile Minimum requirements: SLCSX.509 Certificate Certificate is generated based on Identity Management system traditional Registration Authority (e.g. passport) Lifetime < 1mio secLifetime < 1 year + 1 month Revocation handling optional Revocation handling mandatory

16 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, SLCS Design Private key is never transferred Use commercial CA and only standard protocols Modular design such that other people can use their own components Shibboleth attributes determine DN

17 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, SLCS Operation For the user: Command line: slcs-init --idp Part of gLite User Interface (gLite-UI 3.1) (can also be installed independently) For the RA from web-based admin tool: Can enable or disable individual users (only for his institution) Requirements formulated in CP/CPS Can obtain log information (audit) SWITCH: Operates the service for the SWITCHaai federation

18 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Status SLCS Software development finished in 2006 SWITCH SLCS Root CA accredited by EuGridPMA in February 2007 SWITCH SLCS in production since April 2007

19 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Attribute exchange to VOMS VOMS attributes from Shibboleth (VASH)

20 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Problem SLCS ties –AAI authentication to issuance of X.509 certificate –AAI attributes are used to construct the DN SLCS intends to make AAI attributes available to grid resources for authorization decisions –Which AAI attributes are of interest to grid resource? –How does resource obtain attributes? (pull vs push) –Relation to VO attributes –Deployment issues

21 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, VASH Design (1) VASH: –VOMS Attributes from Shibboleth Shibboleth SP –Browser-based –Specific for Federation VO lightweight SP –No administrator duties –No management of attributes –Simply transfers attributes upon user request

22 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, VASH Design (2) X.509 and proxy X.509 with VOMS AC unchanged No change in VOMS –Requires VOMS version or higher VO registration not changed Administrative domain between Shibboleth federation and VOMS fully decoupled User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509)

23 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Deployment Options Option 1: –As an add-on to an existing VOMS-based VO Option 2: –As a registration tool which allows the member of a Shibboleth IdP become a member of a VOMS-based VO Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)

24 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Status VASH Software implementation done MJRA1.5 document: https://edms.cern.ch/document/807849/1 https://edms.cern.ch/document/807849/1 Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available –Access to VOMS AC –LCAS/LCMAPS plugin

25 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Future developments within EGEE SAML Support in Grids

26 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, SAML Support Goal: Extend use of SAML in grids beyond what is already provided by EGEE-II (SLCS, VASH) Benefits: –(Average) User has no certificates anymore –Introduce SAML gently beyond phase 1 and 2, gain experience –Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation –Options open for future Requires: A mean for service to transform a security tokens it has into a security token it needs

27 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Security Token Service WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS) The Security Token Service have a trust relationship with both the client and the service.

28 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Use Cases Grid: –Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…) –He needs to obtains security token that the Grid services understand (X.509) Non-browser based Shibboleth applications: –User agent contacts Shibboleth IdP with credential (e.g. username, password) –User agent receives SAML assertion to be sent to a Shibboleth SP

29 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Content Introduction to AAIs –Why interoperability AAI - Grids –Authentication and authorization (AA) in Grids and Shibboleth Interoperability Shibboleth - Grid within EGEE –Short-lived credential service (SLCS) –Attribute exchange to VOMS –Future developments within EGEE Other activities in interoperability Shibboleth - Grids Summary

30 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Other Activities GridShib –Globus –Community Access to TeraGrid through gateways Activities in UK –Shebangs and ShibGrid –Shintau: attribute aggregation from multiple IdPs OMII-Europe: –SAML assertions from VOMS

31 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, GridShib Software Components GridShib for Globus Toolkit –A plugin for GT 4.0 GridShib for Shibboleth –A plugin for Shibboleth 1.3 IdP GridShib CA –A web-based CA for new grid users GridShib SAML Tools –Tools for portals and users to embed attributes into X.509 credentials All at: Slide: Courtesy of Von Welch, NCSA

32 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, GridShib SAML Tools Attributes Web Portal Authenticate Grid Requests Community Access via Science Gateway GridShib for GT Local Attributes (may be dynamic) GridShib for Shib Slide: Courtesy of Von Welch, NCSA

33 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Summary Interoperability AAI - Grids makes the Grid accessible for a large user community Interoperability Grid - Shibboleth in EGEE: –SLCS service Online CA issuing X.509 certificates based upon authN at Shibboleth IdP –VASH service Transfers Shibboleth attributes into VOMS Shib attributes are available to grid resources as part of VOMS AC –SLCS and VASH can be used independent of gLite –SAML support in Grids through Security Token Service (STS) Other Interoperability Efforts –GridShib –UK e-Science: ShibGrid, Shintau,

34 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Q & A

35 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, SWITCH SLCS Setup 3 separate servers in increasingly secure environment (network and physical access) Front End –Shibboleth SP SLCS Server –Tomcat web app Online CA –Microsoft Certificate Server –Hardware Security Module (HSM) Offline CA –Sign the Online CA –Stored in a bank safe

36 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Web Interface VASH Service

37 Enabling Grids for E-sciencE EGEE-II INFSO-RI NORDUnet, Helsinki April 9, Multiple Security Domains A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509) Multiple STS can be used in a trust chain across security domains (delegated trust)


Download ppt "EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph."

Similar presentations


Ads by Google