Presentation is loading. Please wait.

Presentation is loading. Please wait.

Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA.

Published byCharlene Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA."— Presentation transcript:

1 gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo trscavo@ncsa.uiuc.edu trscavo@ncsa.uiuc.edu NCSA

2 gridshib-tech-overview-apr062 Overview GridShib project details GridShib use cases GridShib implementation GridShib attribute pull profile GridShib-MyProxy integration GridShib browser profile

3 gridshib-tech-overview-apr063 What is GridShib? GridShib enables secure attribute sharing among Grid virtual organizations and higher-educational institutions The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth® GridShib adds attribute-based authorization to Globus Toolkit

4 gridshib-tech-overview-apr064 Some Background Large scientific projects have spawned Virtual Organizations (VOs) The cyberinfrastructure and software systems to support VOs are called grids Globus Toolkit is the de facto standard software solution for grids Grid Security Infrastructure (GSI) provides basic security services for grids

5 gridshib-tech-overview-apr065 Grid Authentication Globus Toolkit provides authentication services via X.509 credentials When requesting a service, the user presents an X.509 certificate, usually a proxy certificate GridShib leverages the existing authentication mechanisms in GT

6 gridshib-tech-overview-apr066 Grid Authorization Today, Globus Toolkit provides identity- based authorization mechanisms: –Access control lists (called grid-mapfiles) map DNs to local identity (e.g., Unix logins) –Community Authorization Service (CAS) PERMIS and VOMS GridShib provides attribute-based authorization based on Shibboleth

7 gridshib-tech-overview-apr067 GridShib Project Motivation VOs are difficult to manage –Goal: Leverage existing identity management infrastructure Identity-based access control methods are inflexible and do not scale –Goal: Use attribute-based access control Solution: Integrate GT and Shibboleth!

8 gridshib-tech-overview-apr068 Tale of Two Technologies Grid Client Globus Toolkit X.509 Grid Security Infrastructure Existing GSI based on X.509…

9 gridshib-tech-overview-apr069 Tale of Two Technologies Grid Client Globus Toolkit Shibboleth X.509 SAML Grid Security Infrastructure Shibboleth Federation Graft Shib/SAML onto GSI/X.509

10 gridshib-tech-overview-apr0610 Why Shibboleth? What does Shibboleth bring to the table? –A large (and growing) installed base on campuses around the world –A standards-based, open source implementation –A standard attribute vocabulary (eduPerson) A well-developed, federated identity management infrastructure has sprung up around Shibboleth!

11 gridshib-tech-overview-apr0611 Shibboleth Federations A federation –Provides a common trust and policy framework –Issues credentials and distributes metadata –Provides discovery services for SPs Shibboleth-based federations: –InCommon (23 members) in U.S. –InQueue (157 members) in U.S. –SDSS (30 members) in U.K. –SWITCH (23 members) in Switzerland –HAKA (8 members) in Finland

12 gridshib-tech-overview-apr0612 InCommon Federation

13 gridshib-tech-overview-apr0613 Introduction

14 gridshib-tech-overview-apr0614 GridShib Project GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385) GridShib is a joint project of NCSA, University of Chicago, and Argonne National Laboratory Project web site http://gridshib.globus.org/ http://gridshib.globus.org/

15 gridshib-tech-overview-apr0615 Milestones Dec 2004, GridShib project commences Feb 2005, Developers onboard Apr 2005, Globus Toolkit 4.0 released May 2005, GridShib Alpha released Jul 2005, Shibboleth 1.3 released Sep 2005, GridShib Beta released Apr 2006, GridShib-myVocs integration

16 gridshib-tech-overview-apr0616 Related Projects Globus Toolkit http://www.globus.org/toolkit/ http://www.globus.org/toolkit/ Shibboleth http://shibboleth.internet2.edu/ http://shibboleth.internet2.edu/ MyProxy http://grid.ncsa.uiuc.edu/myproxy/ http://grid.ncsa.uiuc.edu/myproxy/ SHEBANGS http://www.sve.man.ac.uk/Research/Ato Z/SHEBANGS http://www.sve.man.ac.uk/Research/Ato Z/SHEBANGS

17 gridshib-tech-overview-apr0617 Leveraged Standards X.509 Public Key Infrastructure (RFC 3280) Proxy certificates (RFC 3820) OASIS SAML 1.1 http://www.oasis- open.org/committees/tc_home.php?wg_abbrev =security#samlv11 http://www.oasis- open.org/committees/tc_home.php?wg_abbrev =security#samlv11 Internet2 Shibboleth http://shibboleth.internet2.edu/docs/internet2- mace-shibboleth-arch-protocols-latest.pdf http://shibboleth.internet2.edu/docs/internet2- mace-shibboleth-arch-protocols-latest.pdf

18 gridshib-tech-overview-apr0618 GridShib Use Cases Three use cases under consideration: 1.Established grid user (non-browser) 2.New grid user (non-browser) 3.Portal grid user (browser) Initial efforts concentrated on the established grid user Current efforts are focused on the new grid user

19 gridshib-tech-overview-apr0619 Established Grid User User possesses an X.509 end entity certificate User may or may not use MyProxy Server to manage X.509 credentials User authenticates to Grid SP with proxy certificate obtained from MyProxy The current GridShib implementation addresses this use case

20 gridshib-tech-overview-apr0620 New Grid User User does not possess an X.509 end entity certificate User relies on GridShib CA to issue short-lived X.509 certificates User authenticates to Grid SP using short-lived X.509 credential The myVocs-GridShib integration addresses this use case

21 gridshib-tech-overview-apr0621 Portal Grid User User does not possess an X.509 cert User accesses Grid SP via a browser interface, that is, the client delegates a web application to request a service at the Grid SP MyProxy issues a short-lived X.509 certificate via a back-channel exchange GridShib Browser Profiles apply

22 gridshib-tech-overview-apr0622 GridShib Implementation

23 gridshib-tech-overview-apr0623 Software Components GridShib for Globus Toolkit –A plugin for Globus Toolkit 4.0 GridShib for Shibboleth –A plugin for Shibboleth 1.3 IdP GridShib Certificate Authority –A web-based CA for new grid users Visit the GridShib Downloads page: http://gridshib.globus.org/download.html http://gridshib.globus.org/download.html

24 gridshib-tech-overview-apr0624 GridShib for Globus Toolkit GridShib for Globus Toolkit is a plugin for GT4 Features: –Standalone attribute requester –SAML attribute consumption –Attribute-based access control –Attribute-based local account mapping –SAML metadata consumption

25 gridshib-tech-overview-apr0625 Standalone Attribute Requester A standalone attribute requester will query a Shib AA for attributes –By “standalone” we mean a query separate from a Shib browser profile The attribute query is based on –The Subject DN of the proxy cert or –A SAML authn assertion embedded in an end-entity certificate

26 gridshib-tech-overview-apr0626 Attribute-based Access Control Access control based on authorization policy with respect to attributes DN-based access control Attribute caching for efficiency

27 gridshib-tech-overview-apr0627 GridShib for Shibboleth GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later) Features: –Name Mapper –SAML name identifier implementations X509SubjectName, emailAddress, etc. –Certificate Registry

28 gridshib-tech-overview-apr0628 GridShib Name Mapper The Name Mapper is a container for name mappings Multiple name mappings are supported: –File-based name mappings –DB-based name mappings NameMapFile NameMapTable NameMapper

29 gridshib-tech-overview-apr0629 GridShib Certificate Registry A Certificate Registry is integrated into GridShib for Shibboleth 0.5: https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry An established grid user authenticates and registers an X.509 end-entity cert The Registry binds the cert to the principal name and persists the binding in a database On the backend, GridShib maps the DN in a query to a principal name in the DB

30 gridshib-tech-overview-apr0630

31 gridshib-tech-overview-apr0631 GridShib CA The GridShib Certificate Authority is a web- based CA for new grid users: https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority https://authdev.it.ohio- state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA The CA issues short-term credentials suitable for authentication to a Grid SP Credentials are downloaded to the desktop via Java Web Start

32 gridshib-tech-overview-apr0632

33 gridshib-tech-overview-apr0633 Future Work Solve IdP discovery problem for grids Provide name mapping maintenance tools (for administrators) Implement a profile for attribute push Produce SAML metadata Design metadata repositories and tools

34 gridshib-tech-overview-apr0634 GT Authorization Framework Work is underway to develop and enhance the authorization framework in Globus Toolkit –Siebenlist et al. at Argonne –Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions Work in OGSA-Authz WG to allow for callouts to third-party authorization services –E.g., PERMIS Convert Attributes (SAML or X.509) into common format for policy evaluation –XACML-based

35 gridshib-tech-overview-apr0635 Classic GridShib Profile

36 gridshib-tech-overview-apr0636 The GridShib Actors Standard (non-browser) Grid Client Globus Toolkit with GridShib installed (called a “Grid SP”) Shibboleth IdP with GridShib installed IdP Grid SP CLIENTCLIENT CLIENTCLIENT

37 gridshib-tech-overview-apr0637 GridShib Attribute Pull Profile In the “Classic GridShib” profile, a Grid SP “pulls” attributes from a Shib IdP The Client is assumed to have an account (i.e., local principal name) at the IdP The Grid SP and the IdP have been assigned a unique identifier (providerId) 3 4 2 1 IdP Grid SP CLIENTCLIENT CLIENTCLIENT

38 gridshib-tech-overview-apr0638 1 GridShib Attribute Pull Step 1 The Grid Client requests a service at the Grid SP The Client presents an X.509 certificate to the Grid SP The Client also provides a pointer to its preferred IdP –This is the so-called IdP Discovery problem IdP Grid SP CLIENTCLIENT CLIENTCLIENT

39 gridshib-tech-overview-apr0639 IdP Discovery The Grid SP needs to know the Client’s preferred IdP One approach is to embed the IdP providerId in the proxy certificate Another approach is to use an IdP proxy (such as myVocs) Currently the IdP providerId is configured into the Grid SP

40 gridshib-tech-overview-apr0640 2 1 GridShib Attribute Pull Step 2 The Grid SP authenticates the Client and extracts the DN from the proxy cert The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier IdP Grid SP CLIENTCLIENT CLIENTCLIENT

41 gridshib-tech-overview-apr0641 Attribute Query The Grid SP formulates a SAML attribute query: CN=GridShib,OU=NCSA,O=UIUC The Resource attribute is the Grid SP providerId The NameQualifier attribute is the IdP providerId The NameIdentifier is the DN from the proxy cert Zero or more AttributeDesignator elements call out the desired attributes (but empty queries are the norm today)

42 gridshib-tech-overview-apr0642 32 1 GridShib Attribute Pull Step 3 The AA authenticates the requester and maps the DN to a local principal name The AA returns an attribute assertion to the Grid SP –The assertion is subject to Attribute Release Policy (ARP) at the IdP IdP Grid SP CLIENTCLIENT CLIENTCLIENT

43 gridshib-tech-overview-apr0643 Attribute Assertion The assertion contains an attribute statement: CN=GridShib,OU=NCSA,O=UIUC member student The Subject is identical to the Subject of the query Attributes may be single-valued or multi-valued Attributes may be scoped (e.g., member@uchicago.edu )

44 gridshib-tech-overview-apr0644 Name Mapping File An IdP does not issue X.509 certs so it has no prior knowledge of the DN Solution: Create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP) # Default name mapping file CN=GridShib,OU=NCSA,O=UIUC gridshib "CN=some user,OU=People,DC=doegrids" test The DN must conform to RFC 2253

45 gridshib-tech-overview-apr0645 Name Mapping Table The Name Mapper supports table- based name mappings (in addition to files) Define a JDBC source in a config file (JDBC driver, JDBC URL, etc.) Relational scripts and tools are provided

46 gridshib-tech-overview-apr0646 3 4 2 1 GridShib Attribute Pull Step 4 The Grid SP parses the attribute assertion and performs the requested service The attributes are cached as necessary A response is returned to the Grid Client IdP Grid SP CLIENTCLIENT CLIENTCLIENT

47 gridshib-tech-overview-apr0647 GridShib-MyProxy Integration

48 gridshib-tech-overview-apr0648 Shib Browser Profile Consider a Shib browser profile stripped to its bare essentials Authentication and attribute assertions are produced at steps 2 and 5, resp. The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step 4 5 6 4 3 IdP SP CLIENTCLIENT 1 2

49 gridshib-tech-overview-apr0649 GridShib Non-Browser Profile Replace the SP with a Grid SP and the browser client with a non-browser client Three problems arise: –Client must possess X.509 credential to authenticate to Grid SP –Grid SP needs to know what IdP to query (IdP Discovery) –The IdP must map the SAML Subject to a local principal IdP Grid SP CLIENTCLIENT

50 gridshib-tech-overview-apr0650 The Role of MyProxy Consider a new grid user instead of the established grid user For a new grid user, we are led to a significantly different solution Obviously, we must issue an X.509 credential to a new grid user A short-lived credential is preferred Enter MyProxy Online CA…

51 gridshib-tech-overview-apr0651 MyProxy-first Attribute Pull MyProxy with Online CA MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC IdP collocated with MyProxy 6 54 3 2 1 IdP Grid SP MyProxy CLIENTCLIENT

52 gridshib-tech-overview-apr0652 1 MyProxy-first Attribute Pull Step 1 A MyProxy Client sends a MyProxy Protocol request to a MyProxy Server Any authentication method supported by MyProxy may be used IdP Grid SP MyProxy CLIENTCLIENT

53 gridshib-tech-overview-apr0653 2 1 MyProxy-first Attribute Pull Step 2 The MyProxy Server authenticates the requester MyProxy issues an X.509 credential with embedded authN assertion The credential is returned in a MyProxy Protocol response IdP Grid SP MyProxy CLIENTCLIENT

54 gridshib-tech-overview-apr0654 Authentication Assertion MyProxy inserts an assertion containing a minimal authentication statement into the certificate: user@idp.example.org AuthenticationMethod may be used by Grid SP The NameQualifier attribute is the IdP providerId The IdP easily maps the NameIdentifier to the desired local principal

55 gridshib-tech-overview-apr0655 3 2 1 MyProxy-first Attribute Pull Step 3 A Grid Client requests a service at a Grid SP The client presents the decorated X.509 certificate obtained from MyProxy IdP Grid SP MyProxy CLIENTCLIENT

56 gridshib-tech-overview-apr0656 4 3 2 1 MyProxy-first Attribute Pull Step 4 The Grid SP authenticates the Client and processes the assertion The Grid SP queries the Shib Attribute Authority (AA) referred to in the assertion IdP Grid SP MyProxy CLIENTCLIENT

57 gridshib-tech-overview-apr0657 54 3 2 1 MyProxy-first Attribute Pull Step 5 The AA authenticates the requester and returns an attribute assertion to the Grid SP The assertion is subject to policy IdP Grid SP MyProxy CLIENTCLIENT

58 gridshib-tech-overview-apr0658 6 54 3 2 1 MyProxy-first Attribute Pull Step 6 The Grid SP parses the attribute assertion and makes an access control decision A response is returned to the Client IdP Grid SP MyProxy CLIENTCLIENT

59 gridshib-tech-overview-apr0659 MyProxy-first Advantages Relatively easy to implement Requires only one round trip by the client Requires no modifications to the Shib IdP Requires no modifications to the Client Supports multiple authentication mechanisms out-of-the-box Uses transparent, persistent identifiers: –No coordination of timeouts necessary –Mapping to local principal is straightforward

60 gridshib-tech-overview-apr0660 IdP-first Non-Browser Profiles The IdP-first profiles require no shared state between MyProxy and the IdP Supports separate security domains Leverages existing name identifier mappings at the IdP IdP-first profiles may be used with either Attribute Pull or Attribute Push

61 gridshib-tech-overview-apr0661 Attribute Pull or Push? attributes user AA Grid SP user AA request attributes Pull Push

62 gridshib-tech-overview-apr0662 IdP-first Attribute Pull MyProxy with Online CA MyProxy consumes and produces SAML authN assertions The Client authenticates to MyProxy with a SAML authN assertion 8 7 6 5 4 3 2 1 IdP Grid SP MyProxy CLIENTCLIENT

63 gridshib-tech-overview-apr0663 IdP-first Attribute Push The IdP “pushes” an attribute assertion to the Client The Client authenticates to MyProxy with a SAML authN assertion MyProxy consumes both SAML authN and attribute assertions 5 6 4 3 1 2 IdP Grid SP MyProxy CLIENTCLIENT

64 gridshib-tech-overview-apr0664 IdP-first Advantages Since IdP controls both ends of the flow: –Mapping NameIdentifier to a local principal is straightforward –Choice of NameIdentifier format is left to the IdP Attribute push simplifies IdP config and trust relationships Reusable by grid portal use case

65 gridshib-tech-overview-apr0665 GridShib Browser Profiles

66 gridshib-tech-overview-apr0666 IdP-first Browser Profiles As a consequence of the IdP-first Non- Browser profiles, MyProxy gains the ability to consume SAML assertions If we replace the non-browser client with a web component, we can reuse that functionality in the following GridShib Browser Profile

67 gridshib-tech-overview-apr0667 IdP-first Attribute Pull The first three steps are normal Shib Browser/POST A Shib SP is protecting a web version of MyProxy Client 5 6 4 3 1 2 IdP Grid SP MyProxy CLIENTCLIENT SP 78 910

68 gridshib-tech-overview-apr0668 The 3-tier Problem How does the browser user delegate authority to the web component to retrieve an X.509 credential on its behalf? This problem is an instance of the so- called n-tier problem (n = 3)

69 gridshib-tech-overview-apr0669 Delegation Profile No widely accepted solution to this problem exists today The Shib Project is proposing Liberty WSF 2.0: https://authdev.it.ohio- state.edu/twiki/bin/view/Shibboleth/Liber tyAllianceProject https://authdev.it.ohio- state.edu/twiki/bin/view/Shibboleth/Liber tyAllianceProject The implications for GridShib are not clear at this point

Download ppt "Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.

Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.

Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

Similar presentations

Ads by Google