GridShib: Grid/Shibboleth Interoperability (presentation transcript)
1 GridShib: Grid/Shibboleth Interoperability
September 14, 2006, Washington, DC
Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

2 Acknowledgments
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards 0438424 and 0438385
- Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to Internet2

3 GridShib Goals
- Allow the Grid to scale by leveraging existing campus identity management (IdM)
  - Shibboleth has the potential to become the interface to campus IdM systems
- Make joining the Grid as easy as possible for users
  - No new passwords, certificates, etc.
- Allow campus attributes to be used by the Grid

4 Some background

5 Grid Authentication
- Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate, usually a proxy certificate (a short-lived certificate signed with the user's own end-entity certificate, per RFC 3820; the service validates the chain through the end-entity certificate up to a trusted CA)
- GridShib leverages the existing authentication mechanisms in GT

6 Grid Authorization
- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
- Some attribute-based authorization has appeared and is proving useful
  - E.g., VOMS
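As an added worked example of the grid-mapfile mechanism on the previous slide (this is not code from the Globus Toolkit or the GridShib project), the Python below parses a mapfile in the GT layout, a quoted subject DN followed by a comma-separated list of local accounts with the first one as the default, and maps the subject of a presented proxy certificate onto a local account. The sample mapfile contents are constructed. The proxy-stripping rule assumes the legacy GSI "/CN=proxy" and "/CN=limited proxy" conventions and the numeric CN that RFC 3820 proxies use; the mapping is keyed on the end-entity DN that remains after stripping.

```python
"""Grid-mapfile lookup in the style of Globus Toolkit identity-based authorization.
Added example with constructed data; not code from the GridShib or Globus projects."""
import re

# Constructed sample grid-mapfile (not taken from any real deployment).
SAMPLE_GRIDMAP = '''
# grid-mapfile: "<subject DN>" <local account>[,<local account>...]
"/C=US/O=National Center for Supercomputing Applications/CN=Jane Doe" jdoe,grid-users
"/DC=org/DC=doegrids/OU=People/CN=Richard Roe 12345" rroe
'''

GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)$')
# RDNs a proxy certificate appends to its signer's subject: "/CN=proxy" and
# "/CN=limited proxy" (legacy GSI proxies) or "/CN=<integer>" (RFC 3820 proxies).
PROXY_RDN = re.compile(r'/CN=(proxy|limited proxy|\d+)$')


def parse_gridmap(text):
    """Return {subject DN: [local accounts]} from grid-mapfile text.
    A malformed entry raises instead of being skipped, so a typo cannot
    silently drop a user or be read as a different DN."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = GRIDMAP_LINE.match(line)
        if m is None:
            raise ValueError('grid-mapfile line %d is malformed: %r' % (lineno, raw))
        dn, accounts = m.group(1), m.group(2).split(',')
        mapping[dn] = accounts
    return mapping


def end_entity_dn(subject_dn):
    """Strip trailing proxy RDNs (a proxy of a proxy adds several) until the
    end-entity certificate's subject is left. Only an exact trailing match is
    removed, so a user whose CN merely ends in digits is left untouched."""
    dn = subject_dn
    while True:
        stripped = PROXY_RDN.sub('', dn)
        if stripped == dn:
            return dn
        dn = stripped


def map_subject(mapping, subject_dn, requested=None):
    """Map an authenticated subject (proxy or end-entity DN) to a local account.
    Returns the requested account if the entry lists it, the first (default)
    account if none was requested, or None to deny access."""
    accounts = mapping.get(end_entity_dn(subject_dn))
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None
```

The lookup only makes sense after GSI has validated the whole proxy chain; the mapfile itself carries no cryptographic binding and records no issuer, so two trusted CAs issuing the same subject DN would land on the same account. GT's per-CA signing_policy files exist to constrain which DN namespace each trusted CA may issue for exactly that reason.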

7 Shibboleth
- Allows for inter-organization access to web resources
- Exposes campus identity and attributes in a standard format
  - Based on SAML as defined by OASIS
  - Policies for attribute release, and transient handles, to allow privacy

8 Why Shibboleth?
- What does Shibboleth bring to the table?
- A large (and growing) installed base on campuses around the world
- Professional development and support team
- A standards-based, open source implementation
- A standard attribute vocabulary (eduPerson)

9 GridShib Software Components
- GridShib for Globus Toolkit
  - A plugin for GT 4.0
- GridShib for Shibboleth
  - A plugin for the Shibboleth 1.3 IdP
- GridShib CA
  - A web-based CA for new grid users

10 GridShib for Globus Toolkit
- GridShib for Globus Toolkit is a plugin for GT4
- Features:
  - SAML authentication consumer
  - SAML attribute consumption
  - Attribute-based access control
  - Attribute-based local account mapping
  - SAML metadata consumption
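To make the attribute consumption, attribute-based access control and attribute-based account mapping features concrete, here is an added example in Python (not code from GridShib for GT). It parses a constructed SAML 1.1 attribute statement, the kind a Shibboleth 1.3 attribute authority returns for an X509SubjectName query, checks the issuer against a trusted set (which a real deployment would take from SAML metadata), checks the validity window and that the statement is about the DN that actually authenticated, and then applies a hypothetical policy: a "member" eduPersonAffiliation plus a required eduPersonEntitlement value grants access, and the affiliation picks the local account. The issuer, entitlement URI and account names are assumptions for this example, and signature or TLS-level verification of the response is assumed to have been done before this code runs.

```python
"""Consuming a SAML 1.1 attribute statement for attribute-based access control
and local account mapping, in the style of GridShib for GT (added example with
constructed data; not code from the GridShib project)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1 = 'urn:oasis:names:tc:SAML:1.0:assertion'
X509_SUBJECT_NAME = 'urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName'
AFFILIATION = 'urn:mace:dir:attribute-def:eduPersonAffiliation'
ENTITLEMENT = 'urn:mace:dir:attribute-def:eduPersonEntitlement'

# Hypothetical deployment policy: issuers trusted via SAML metadata, the
# entitlement the service requires, and the affiliation-to-account table.
TRUSTED_ISSUERS = {'https://idp.example.edu/shibboleth'}
REQUIRED_ENTITLEMENT = 'urn:mace:example.edu:grid:compute'
ACCOUNT_BY_AFFILIATION = [('faculty', 'gridfac'), ('student', 'gridstu'), ('member', 'gridgen')]

SAMPLE_DN = '/C=US/O=Example University/CN=Jane Doe'
SAMPLE_NOW = datetime(2006, 9, 14, 12, 2, tzinfo=timezone.utc)    # inside the window
SAMPLE_LATER = datetime(2006, 9, 14, 12, 5, tzinfo=timezone.utc)  # at NotOnOrAfter

# Constructed sample assertion, shaped like a Shibboleth 1.3 AA's answer to a query.
SAMPLE_ASSERTION = '''<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_c0ffee" IssueInstant="2006-09-14T12:00:00Z"
    Issuer="https://idp.example.edu/shibboleth">
  <saml:Conditions NotBefore="2006-09-14T12:00:00Z" NotOnOrAfter="2006-09-14T12:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">/C=US/O=Example University/CN=Jane Doe</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>urn:mace:example.edu:grid:compute</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>'''


def _saml_time(s):
    return datetime.strptime(s, '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)


def parse_attribute_statement(xml_text, subject_dn, now):
    """Return {attribute name: [values]} for subject_dn, or raise ValueError.
    Checks issuer, validity window and that the statement's subject is the DN
    that actually authenticated, so one user's attributes cannot be replayed
    for another. Signature or TLS verification is assumed to have happened."""
    root = ET.fromstring(xml_text)
    if root.tag != '{%s}Assertion' % SAML1:
        raise ValueError('not a SAML 1.x assertion')
    if root.get('Issuer') not in TRUSTED_ISSUERS:
        raise ValueError('untrusted issuer %r' % root.get('Issuer'))
    cond = root.find('{%s}Conditions' % SAML1)
    if cond is not None:
        nb, noa = cond.get('NotBefore'), cond.get('NotOnOrAfter')
        if (nb and now < _saml_time(nb)) or (noa and now >= _saml_time(noa)):
            raise ValueError('assertion outside its validity window')
    attrs = {}
    for stmt in root.findall('{%s}AttributeStatement' % SAML1):
        nid = stmt.find('{%s}Subject/{%s}NameIdentifier' % (SAML1, SAML1))
        if nid is None or nid.get('Format') != X509_SUBJECT_NAME or nid.text != subject_dn:
            raise ValueError('attribute statement is not about the authenticated subject')
        for attr in stmt.findall('{%s}Attribute' % SAML1):
            values = [v.text or '' for v in attr.findall('{%s}AttributeValue' % SAML1)]
            attrs.setdefault(attr.get('AttributeName'), []).extend(values)
    return attrs


def authorize(attrs):
    """Attribute-based access control: 'member' affiliation plus the required entitlement."""
    return ('member' in attrs.get(AFFILIATION, [])
            and REQUIRED_ENTITLEMENT in attrs.get(ENTITLEMENT, []))


def map_account(attrs):
    """Attribute-based local account mapping: first affiliation in priority order wins."""
    affiliations = attrs.get(AFFILIATION, [])
    for affiliation, account in ACCOUNT_BY_AFFILIATION:
        if affiliation in affiliations:
            return account
    return None


def decide(xml_text, subject_dn, now):
    """One request's outcome as (authorized, local account), deny by default."""
    try:
        attrs = parse_attribute_statement(xml_text, subject_dn, now)
    except (ValueError, ET.ParseError):
        return (False, None)
    if not authorize(attrs):
        return (False, None)
    return (True, map_account(attrs))
```

The subject check is the part most often skipped: an attribute statement is only usable for the connection whose X.509 subject it names, otherwise a caller who can obtain any valid assertion from the IdP could use it to borrow another user's entitlements.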

11 GridShib for Shibboleth
- GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
- Features:
  - Name Mapper
  - SAML name identifier implementations
    - X509SubjectName, emailAddress, etc.
  - Certificate Registry

12 GridShib Name Mapper
- Users may be known by a number of names
- The Name Mapper is a container for name mappings
- Multiple name mappings are supported:
  - File-based name mappings
  - DB-based name mappings
(diagram: NameMapper containing NameMapFile and NameMapTable)

13 GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth
- An established grid user authenticates and registers an X.509 end-entity cert
- The Registry binds the cert to the principal name and persists the binding in a database
- On the backend, GridShib maps the DN in a query to a principal name in the DB
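The Name Mapper and Certificate Registry of the last two slides, as an added Python example on the IdP side (not code from GridShib for Shibboleth): a NameMapper consults a file-based map and then a DB-backed registry, first hit wins, to turn the X.509 subject DN in an incoming query into a campus principal name. The name-map file format, the SQLite schema and the sample users are this example's own assumptions, and the query is assumed to carry the end-entity subject DN. The registry only creates a binding for the principal who is currently authenticated and refuses to re-bind a DN that already belongs to someone else.

```python
"""A GridShib-style NameMapper on the IdP side: resolving the X.509 subject DN
carried in an attribute query to a campus principal name through a chain of
mappings, a file-based map and a DB-backed certificate registry (added example
with constructed data and a schema of its own; not code from the GridShib project)."""
import sqlite3


class NameMapFile:
    """File-based mapping, one '"<subject DN>" <principal>' entry per line
    (format chosen for this example)."""

    def __init__(self, text):
        self._map = {}
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith('#'):
                continue
            if not line.startswith('"') or line.count('"') != 2:
                raise ValueError('name map line %d is malformed: %r' % (lineno, raw))
            dn, principal = line[1:].split('"', 1)
            principal = principal.strip()
            if not principal or ' ' in principal:
                raise ValueError('name map line %d has a bad principal: %r' % (lineno, raw))
            self._map[dn] = principal

    def lookup(self, dn):
        return self._map.get(dn)


class CertificateRegistry:
    """DB-backed mapping (the NameMapTable role). A binding is created only when
    an already-authenticated principal registers the subject of their own
    end-entity certificate; a DN cannot be re-registered by a different principal."""

    def __init__(self, conn):
        self._conn = conn
        conn.execute('CREATE TABLE IF NOT EXISTS cert_registry '
                     '(dn TEXT PRIMARY KEY, principal TEXT NOT NULL)')

    def register(self, authenticated_principal, dn):
        owner = self.lookup(dn)
        if owner is not None and owner != authenticated_principal:
            raise PermissionError('%s is already bound to another principal' % dn)
        self._conn.execute('INSERT OR REPLACE INTO cert_registry (dn, principal) VALUES (?, ?)',
                           (dn, authenticated_principal))
        self._conn.commit()

    def lookup(self, dn):
        row = self._conn.execute('SELECT principal FROM cert_registry WHERE dn = ?',
                                 (dn,)).fetchone()
        return row[0] if row else None


class NameMapper:
    """Container for name mappings; consulted in order, first hit wins."""

    def __init__(self, *mappings):
        self._mappings = mappings

    def get_principal(self, dn):
        for mapping in self._mappings:
            principal = mapping.lookup(dn)
            if principal is not None:
                return principal
        return None


# Constructed data: one statically provisioned user plus one self-registered cert.
STATIC_NAME_MAP = '''
# "<subject DN>" <campus principal>
"/C=US/O=Example University/CN=Jane Doe" jdoe
'''
REGISTERED_DN = '/DC=org/DC=doegrids/OU=People/CN=Richard Roe 12345'


def build_demo_mapper():
    """Assemble the mapper chain over an in-memory registry; return both."""
    registry = CertificateRegistry(sqlite3.connect(':memory:'))
    registry.register('rroe', REGISTERED_DN)  # rroe logged in via Shibboleth, then registered
    return NameMapper(NameMapFile(STATIC_NAME_MAP), registry), registry
```

In a real registry the DN passed to register() should come from a certificate the user has just proved possession of (for example TLS client authentication to the registration page), never from a free-text form field; otherwise any campus user could claim another user's DN before its rightful owner registers it.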

14 GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users
- The GridShib CA is protected by a Shib SP and back-ended by the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start

15 Example Deployments

16 nanoHUB
- Nanotechnology portal
- Exposes user attributes via a Shib AA
- Uses GridShib for GT to point the Grid at the nanoHUB AA
- Allows for Grid authorization of nanoHUB users based on nanoHUB attributes

17 nanoHUB (diagram: nanoHUB Portal and AA; user authenticates to portal; X.509 w/ SAML Authn; SAML Attribute Query)

18 TeraGrid Testbed
- Work underway with the NSF TeraGrid project to build a testbed based on Shibboleth and GridShib technologies
- Goals:
  - Allow for scalable access by leveraging campus authentication
  - Allow for attribute-based authorization to define communities
  - Ease of use for users

19 Testbed (diagram)

20 GridShib-myVocs Integration
- myVocs developed by Gemmill @ UAB
- myVocs allows for VOs based on Shibboleth identities
- GridShib authorizes use of Grid services based on Shibboleth identities
- Integration allows for the creation and management of Grid VOs based on Shibboleth
- http://www.myvocs.org

21 Future Plans: Attribute Push
- Turning to attribute push
- Our observation is that most Grid use cases want:
  - A persistent ID from the home institution
  - Attributes from the VO
- A Shib/X.509 gateway is the natural point to collect attributes from the home institution, combine them with VO attributes, and push them to the Grid
  - The gateway could be the GridShib CA or a domain portal, e.g., a TeraGrid Science Gateway

22 Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid
- Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under the Apache 2 license
For more information and software:
- http://gridshib.globus.org
- vwelch@ncsa.uiuc.edu
- http://dev.globus.org/wiki/Incubator/GridShib

