
Slide 1: Tools for Grid/Campus Integration: GridShib and MyProxy
Internet2 Advanced Camp, July 1, 2005
Von Welch, vwelch@ncsa.uiuc.edu

Slide 2: Outline (July 1, 2005, I2 Advanced CAMP)
- GridShib
  – Overview of Shibboleth and Globus
  – Our Motivation and Use Cases
  – Integration Approach
  – Status
- MyProxy
  – Overview
  – Local Authn Support

Slide 3: Shibboleth
- http://shibboleth.internet2.edu/
- Internet2 project
- Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
- Allows for pseudonymity via temporary, meaningless identifiers called 'Handles'
- Standards-based (SAML)
- Being extended to non-web resources

Slide 4: Shibboleth
- Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
- SSO: authenticates the user locally and issues an authentication assertion with a Handle
  – Assertion is a short-lived bearer assertion
  – Handle is also short-lived and non-identifying
  – Handle is registered with the AA
- Attribute Authority responds to queries regarding the Handle

Slide 5: Shibboleth
- Service Provider composed of Assertion Consumer and Attribute Requestor
- Assertion Consumer parses the authentication assertion
- Attribute Requestor: requests attributes from the AA
  – Attributes used for authorization
- Where Are You From (WAYF) service determines the user's Identity Provider

Slide 6: Shibboleth (Simplified)
[Diagram: Shibboleth IdP (SSO and AA, the AA backed by e.g. LDAP) and Shibboleth SP (ACS and AR). The SSO issues a Handle to the ACS; the AR presents the Handle to the AA and receives Attributes, carried in SAML.]

Slide 7: Globus Toolkit
- http://www.globus.org
- Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
- Based on Web Services and WSRF
- Security based on X.509 identity and proxy certificates
  – May be issued by conventional or on-line CAs
- Some initial attribute-based authorization

Slide 8: Motivation
- Many Grid VOs are focused on science or business other than IT support
  – Don't have the expertise or resources to run security services
- Allow for leveraging of Shibboleth code and deployments run by campuses

Slide 9: Use Cases
- Project leveraging campus attributes
  – Simplest case
- Project-operated Shib service
  – Project operates its own service; conceptually easy, but not ideal
- Campus-operated, project-administered Shib
  – Ideal mix, but needs mechanisms for provisioning of attribute administration

Slide 10: Integration Approach
- Conceptually, replace Shibboleth's handle-based authentication with X.509
  – Provides stronger security for non-web-browser apps
  – Works with the existing PKI install base
- To allow leveraging of the Shibboleth install base, require as few changes to the Shibboleth AA as possible

Slide 11: GridShib (Simplified)
[Diagram: GridShib replaces the Handle with the user's X.509 DN: the Grid side presents the DN to the Shibboleth AA and receives Attributes in SAML, transported over SSL/TLS or WS-Security. Labels: AA, SSO, Shibboleth, DN, Attributes, SAML, SSL/TLS, WS-Security.]

Slide 12: Integration Areas
- Assertion Transmission
- Attribute Authority Discovery
- Distributed Attribute Administration
- User Registration
- Pseudonymous Interaction
- Authorization

Slide 13: Assertion Transmission
- How to get SAML assertions from the AA into Globus?
- Initially: pull mode, with Globus acting as a Shibboleth Attribute Requestor
- Will explore push modes to help with privacy and role combination
- Implement a Grid Name Mapper to map X.509 DNs to the local identities used to obtain attributes

Slide 14: Attribute Authority Discovery
- No interactive WAYF service in the Grid
- Place the identifier of the Identity Provider in the cert
  – Either in the long-term EEC or the short-term Proxy Cert
- Will explore pushing attributes
  – Avoids the problem
  – Might also address combined attributes from multiple AAs

Slide 15: Distributed Attribute Administration
- Campus is ideal for running services, but may not know all attributes of users
- How does a campus issue attributes for which it is not authoritative?
  – E.g. IEEE membership of staff
  – In the Grid case, project membership
- This may be the largest hurdle due to social, political and/or legal issues
  – Need an accepted cookbook for the process
- Plan on exploring Signet
  – http://middleware.internet2.edu/signet/

Slide 16: Getting Attributes into a Site's Attribute Authority
[Diagram: Core Business Systems (SIS, HR) and On-site Authorities feed Loaders into a Person Registry, a Group Registry (Grouper UI) and a Privilege Registry (Signet UI, also fed by Off-site Authorities); these populate the Attribute Authority's LDAP entries (e.g. uid: jdoe, eduPersonAffiliation, isMemberOf, eduPersonEntitlement), which Shib/GridShib queries using Shibboleth.]

Slide 17: User Registration
- How does the mapping from the user's X.509 DN to the local campus identity get made in the NameMapper configuration?
- In the initial version, this will be a manual process
  – Yes, far from ideal
- We envision
  – Something akin to a registration service that authenticates the user's X.509 and local credentials and puts the mapping in automatically
  – Or a portal that hides all the X.509 from the user and also handles this mapping, e.g. PURSE, GAMA

Slide 18: Pseudonymous Interaction
- How to maintain Shibboleth's pseudonymous functionality with X.509?
- Will develop an online CA that issues certificates with non-identifying DNs
  – Registered with the AA just as the SSO registers Handles
  – Basically holder-of-key assertions

Slide 19: Authorization
- Develop an authorization framework in the Globus Toolkit
- Pluggable modules for processing authentication, gathering and processing attributes, and rendering decisions
- XACML used for expressing gathered identity, attribute and policy information
  – Convert attributes into a common format for policy evaluation
  – Allows for common evaluation of attributes expressed in SAML and X.509 (and others…)

Slide 20: GridShib Status
- Testing the initial version internal to the project
- Will be a drop-in addition to GT 4.0 and Shibboleth 1.3
- Plan on releasing a Beta version 2-3 weeks after Shibboleth 1.3 is released
- Looking for interested testers
- Project website:
  – http://grid.ncsa.uiuc.edu/GridShib/

Slide 21: Acknowledgements and Details
- NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF award SCI-0438424
- GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
- Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth design team

Slide 22: MyProxy Enhancements for Local Integration
Bill Baker, Jim Basney and Von Welch, NCSA

Slide 23: What is MyProxy?
- Independent Globus Toolkit add-on since 2000
  – To be included in Globus Toolkit 4.0
- A service for securing private keys
  – Keys stored encrypted with a user-chosen password
  – Keys never leave the MyProxy server
- A service for retrieving proxy credentials
- A commonly-used service for grid portal security
  – Integrated with OGCE, GridSphere, GridPort, PURSE, GAMA

Slide 24: Proxy Credentials
- RFC 3820: Proxy Certificate Profile
- Associate a new private key and certificate with existing credentials
- Short-lived, unencrypted credentials for multiple authentications in a session
  – Restricted lifetime in the certificate limits the vulnerability of the unencrypted key
- Credential delegation (forwarding) without transferring private keys
[Diagram: certificate chain. CA signs User; User signs Proxy A; Proxy A signs Proxy B.]

Slide 25: Proxy Delegation
[Diagram: Delegator and Delegatee. 1: Delegatee generates a new key pair. 2: Delegatee sends a proxy certificate request. 3: Delegator signs the new proxy certificate. 4: Proxy is returned to the Delegatee.]
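The chain on slide 24 (CA signs User, User signs Proxy A, Proxy A signs Proxy B) and the four-step delegation on slide 25, worked through in code. This is an added example written for this page, not code from the MyProxy or Globus Toolkit projects; it uses only the Go standard library. Assumptions: ECDSA P-256 keys in place of the RSA keys Globus used; the delegatee's request is reduced to a bare public key instead of the CSR the real protocol sends over TLS; the names (Example Grid, Jane Doe), the 12-hour and 2-hour proxy lifetimes, and the serial counter are illustrative; the rule that a proxy must not outlive its issuer is Globus practice rather than an RFC 3820 requirement; and the optional pCPathLenConstraint is not modelled. The validator shows why proxies need their own rules: ordinary RFC 5280 path validation (CheckSignatureFrom) rejects a certificate signed by a non-CA end-entity, so the proxy checks of RFC 3820 (issuer/subject naming, critical ProxyCertInfo, lifetime) are applied instead.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// RFC 3820 OIDs: id-pe-proxyCertInfo (section 3.8), id-ppl-inheritAll (3.8.1); and id-at-commonName.
var (
	oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14}
	oidInheritAll    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}
	oidCommonName    = asn1.ObjectIdentifier{2, 5, 4, 3}
)

// ProxyCertInfo ::= SEQUENCE { pCPathLenConstraint INTEGER OPTIONAL, proxyPolicy ProxyPolicy }.
// The optional path-length constraint is not modelled here, so onward delegation is unlimited.
type proxyPolicy struct {
	PolicyLanguage asn1.ObjectIdentifier
	Policy         []byte `asn1:"optional"`
}
type proxyCertInfo struct{ ProxyPolicy proxyPolicy }

var serial int64 // example-only counter; a real CA uses unpredictable serials

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return key
}

// issue signs tmpl with the signer's key (parent == tmpl yields a self-signed certificate).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// NewCredential is conventional PKI: parent == nil makes a self-signed CA, otherwise a one-year EEC.
func NewCredential(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, now := newKey(), time.Now()
	serial++
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), IsCA: parent == nil, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{"Example Grid"}, CommonName: cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour)}
	if parent == nil { // self-signed root
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	}
	return issue(tmpl, parent, &key.PublicKey, parentKey), key
}

// body returns the content octets of a DER SEQUENCE, or nil if der is not exactly one.
func body(der []byte) []byte {
	var rv asn1.RawValue
	if rest, err := asn1.Unmarshal(der, &rv); err != nil || len(rest) != 0 || rv.Tag != asn1.TagSequence {
		return nil
	}
	return rv.Bytes
}

// Delegate is the delegator's half of slide 25. The delegatee generated its own key pair (step 1) and
// sent only the public key as its request (step 2; MyProxy and Globus send a CSR over TLS). The delegator
// signs a short-lived proxy whose subject is its own subject plus one CN RDN and which carries a critical
// ProxyCertInfo (step 3), then hands it back (step 4). No private key crosses the wire.
func Delegate(delegator *x509.Certificate, delegatorKey *ecdsa.PrivateKey, delegateePub *ecdsa.PublicKey, lifetime time.Duration) *x509.Certificate {
	serial++
	cn, err := asn1.Marshal(pkix.RelativeDistinguishedNameSET{{Type: oidCommonName, Value: fmt.Sprint(serial)}})
	must(err)
	rdns := append(append([]byte{}, body(delegator.RawSubject)...), cn...) // copy first: never append into cert.Raw
	subject, err := asn1.Marshal(asn1.RawValue{Tag: asn1.TagSequence, IsCompound: true, Bytes: rdns})
	must(err)
	pci, err := asn1.Marshal(proxyCertInfo{proxyPolicy{PolicyLanguage: oidInheritAll}})
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), RawSubject: subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-5 * time.Minute), NotAfter: time.Now().Add(lifetime),
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}}}
	return issue(tmpl, delegator, delegateePub, delegatorKey)
}

// checkProxy applies the RFC 3820 rules that RFC 5280 path validation does not know about.
func checkProxy(issuer, pc *x509.Certificate, now time.Time) error {
	// CheckSignature, not CheckSignatureFrom: the signer is an EEC or a proxy, deliberately not a CA.
	if err := issuer.CheckSignature(pc.SignatureAlgorithm, pc.RawTBSCertificate, pc.Signature); err != nil {
		return err
	}
	// Sections 3.3-3.4: issuer name = signer's subject; subject = issuer subject + exactly one CN RDN.
	var cn pkix.RelativeDistinguishedNameSET
	ib, pb := body(issuer.RawSubject), body(pc.RawSubject)
	if ib == nil || pb == nil || !bytes.Equal(pc.RawIssuer, issuer.RawSubject) || !bytes.HasPrefix(pb, ib) {
		return errors.New("issuer and subject names do not chain")
	}
	if rest, err := asn1.Unmarshal(pb[len(ib):], &cn); err != nil || len(rest) != 0 || len(cn) != 1 || !cn[0].Type.Equal(oidCommonName) {
		return errors.New("subject must add exactly one CN RDN")
	}
	// Validity now, plus a local rule (Globus practice, not RFC 3820): a proxy never outlives its issuer.
	if now.Before(pc.NotBefore) || now.After(pc.NotAfter) || pc.NotAfter.After(issuer.NotAfter) {
		return errors.New("proxy not valid now, or outlives the credential it derives from")
	}
	// Section 3.8: a critical, well-formed ProxyCertInfo must be present (decode is attempted on every
	// extension; only the result for the ProxyCertInfo OID matters).
	for _, ext := range pc.Extensions {
		if _, err := asn1.Unmarshal(ext.Value, new(proxyCertInfo)); ext.Id.Equal(oidProxyCertInfo) && ext.Critical && err == nil {
			return nil
		}
	}
	return errors.New("ProxyCertInfo missing, malformed or not critical")
}

// ValidateProxyChain takes EEC -> proxies (leaf last) anchored at ca and returns the EEC, whose DN is
// the identity a Grid service authorizes on (the DN GridShib's Name Mapper maps to a local account).
func ValidateProxyChain(ca *x509.Certificate, chain []*x509.Certificate, now time.Time) (*x509.Certificate, error) {
	if len(chain) == 0 || chain[0].CheckSignatureFrom(ca) != nil || now.Before(chain[0].NotBefore) || now.After(chain[0].NotAfter) {
		return nil, errors.New("EEC missing, not issued by the CA, or not valid now") // ordinary RFC 5280 rule
	}
	for i := 1; i < len(chain); i++ {
		if err := checkProxy(chain[i-1], chain[i], now); err != nil {
			return nil, fmt.Errorf("proxy %d: %w", i, err)
		}
	}
	return chain[0], nil
}

// DemoChain builds slide 24's picture: CA signs User, User signs Proxy A, Proxy A signs Proxy B.
func DemoChain() (*x509.Certificate, []*x509.Certificate) {
	ca, caKey := NewCredential(nil, nil, "Example Grid CA")
	user, userKey := NewCredential(ca, caKey, "Jane Doe") // hypothetical user
	keyA, keyB := newKey(), newKey()                      // each delegatee's own key pair (step 1)
	proxyA := Delegate(user, userKey, &keyA.PublicKey, 12*time.Hour)
	proxyB := Delegate(proxyA, keyA, &keyB.PublicKey, 2*time.Hour)
	return ca, []*x509.Certificate{user, proxyA, proxyB}
}

func main() {
	ca, chain := DemoChain()
	eec, err := ValidateProxyChain(ca, chain, time.Now())
	must(err)
	fmt.Println("RFC 3820 chain OK; identity:", eec.Subject)                       // the EEC DN, not the proxy DN
	fmt.Println("RFC 5280 rule on Proxy A:", chain[1].CheckSignatureFrom(chain[0])) // rejected: the EEC is not a CA
}
```

Running it prints the user's DN as the authenticated identity and a constraint-violation error from CheckSignatureFrom, which is the point of slide 24's "restricted lifetime" bullet in practice: a Grid service that merely ran standard path validation would refuse every proxy, while a validator that accepts proxies must enforce the naming, ProxyCertInfo and lifetime rules itself, because the unencrypted proxy key is only safe as long as those bounds hold. Dropping Proxy A from the chain, or evaluating the chain two days later, makes ValidateProxyChain fail.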

Slide 26: MyProxy System Architecture
[Diagram: a MyProxy client stores a proxy into, and retrieves a proxy from, the MyProxy server's credential repository; both operations are proxy delegation over a private TLS channel.]

Slide 27: MyProxy: Credential Mobility
[Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu, stores a proxy in myproxy.teragrid.org, and retrieves proxies from it on the TeraGrid login hosts tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.ncsa.teragrid.org.]

Slide 28: MyProxy and Grid Portals
[Diagram: the user logs in to the Portal; the Portal fetches a proxy from the MyProxy server and uses it to access data on a GridFTP server.]

Slide 29: MyProxy and PAM
- MyProxy now has the ability to use PAM for authentication
  – As a replacement for the locally-stored password
- Users can use their existing authentication mechanism to access Grid credentials
- Has been tested with PAM modules for LDAP, Kerberos, and OTP (CryptoCard) via RADIUS

Slide 30: LTER Grid Example
[Diagram: the user presents a username and password to the LTER Portal; the portal retrieves the user's proxy (Creds) from the MyProxy server, which checks the password through PAM against the LTER LDAP; the portal then uses the proxy for job submission and GridFTP.]

Slide 31: Status
- PAM support is in MyProxy v2.0, which is released
- Available at http://myproxy.ncsa.uiuc.edu
- PAM-specific documentation:
  – http://grid.ncsa.uiuc.edu/myproxy/pam.html
- PAM enhancements funded by the NMI Grids Center

