GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,

Presentation transcript:

GridShib: Grid/Shibboleth Integration Update
GGF 18 Shibboleth Developers BoF, September 10-11, 2006, Washington, DC
Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

Goals
- Allow users to use existing campus IdM systems to authenticate to the Grid
- Assume Shibboleth everywhere
- Allow Grid access to campus attributes
- Hide as much of X.509 from users as possible
Sep 11-12, 2006 GGF 18

Previous Work (from GGF 16)
- Integration of the Shibboleth AA with GT: GT can query the Shib AA, get attributes, and use those attributes to make authz decisions
  - Drop-in addition to GT 4.0 and Shibboleth 1.3
  - Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
- GridShib-CA
- Beta release publicly available
- Expect to officially release in GT 4.1/4.2

Shib Authorization in GT
- Currently have a simple authorization mechanism:
  - List of attributes required to use a service or container
  - Mapping of attributes to a local identity for GRAM job submission
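An added example, not GridShib's own code, of the two mechanisms on this slide as a small policy evaluator: a set of attributes required to use the service, and an ordered mapping from attribute values to the local account a GRAM job runs as. The attribute names and values (isMemberOf, urn:vo:role, the nanohub accounts) are constructed for the example.

```go
package main
import "fmt"
// Attribute is one SAML attribute (name and values) as obtained from the Shibboleth AA.
type Attribute struct {
	Name   string
	Values []string
}
// MapRule binds one attribute value to a local account; rules are checked in order, first match wins.
type MapRule struct{ Name, Value, LocalUser string }
// ServicePolicy mirrors the two GT mechanisms on the slide: Required lists attributes a caller must
// present (any listed value satisfies the entry); Mapping picks the local identity a GRAM job runs as.
type ServicePolicy struct {
	Required map[string][]string
	Mapping  []MapRule
}
// Constructed example policy (not a GridShib configuration): callers must be VO members, and role picks the account.
var gramPolicy = ServicePolicy{
	Required: map[string][]string{"isMemberOf": {"nanohub-users"}},
	Mapping:  []MapRule{{"urn:vo:role", "admin", "nanohub-adm"}, {"isMemberOf", "nanohub-users", "nanohub"}},
}
// hasAny reports whether any presented value is among the accepted ones.
func hasAny(have, accepted []string) bool {
	for _, h := range have {
		for _, a := range accepted {
			if h == a {
				return true
			}
		}
	}
	return false
}
// Authorize returns the local user for the caller or an error naming the refusal. All Required entries are
// checked before Mapping, so a caller whose role maps to an account but who lacks membership is refused.
func (p ServicePolicy) Authorize(attrs []Attribute) (string, error) {
	have := map[string][]string{}
	for _, a := range attrs {
		have[a.Name] = append(have[a.Name], a.Values...)
	}
	for name, accepted := range p.Required {
		if !hasAny(have[name], accepted) {
			return "", fmt.Errorf("required attribute %q not satisfied", name)
		}
	}
	for _, r := range p.Mapping {
		if hasAny(have[r.Name], []string{r.Value}) {
			return r.LocalUser, nil
		}
	}
	return "", fmt.Errorf("no attribute maps to a local identity")
}
```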

Recent Work: Authn Assertions in Certificates
- IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
  - Provides a pointer to the IdP and the NameID to use
- Big picture: it lets the credential issuer control the name binding
  - Allows the certificate issuer to tell the Grid service what IdP (AA) to contact and what name (with Format and qualifier) to use
  - Allows use of a standard AA, as it doesn't have to be involved in X.509 anymore
- Also allows trusted EECs to put identity into a first-level proxy certificate
  - Intended for Grid portals and Science Gateways

nanoHUB (diagram): user authenticates to the nanoHUB portal and receives an X.509 credential with a SAML Authn assertion; a SAML Attribute Query goes to the AA

myVocs integration
- Collaboration with Jill Gemmill and John-Paul Robinson, U. Alabama-Birmingham
- myVocs allows for formation of Shibboleth-based VOs
- Coupling with GridShib allows myVocs-based VOs to access Grid resources

GridShib-myVocs Integration (diagram: GridShib CA)

User Registers with myVocs (diagram: Identity, GridShib CA, Auth). Speaker note: mention that this is a one-time event.




VO Admin Adds User to VO (diagram: VO attributes, GridShib CA)

Grid Logon (diagram: Identity, Auth, Grid Creds., GridShib CA). Speaker note: a user with existing credentials could also go to the Grid credential registry.





Grid Service Invocation (diagram: GridShib CA, VO Attributes, Grid Id, Grid Creds.). Speaker note: a user with existing credentials could also go to the Grid credential registry.



Future Plans: Attribute Push
- Turning to attribute push
- Our observation is that most Grid use cases want:
  - Persistent Id from the home institution
  - Attributes from the VO
- A Shib/X.509 gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
- The push model seems to be easier: Shib2, VOMS, CAS

Attribute-push mode
- User authenticates to the portal (could be GridShib-CA)
- Portal gathers up Shibboleth-issued attributes and combines them with VO-issued attributes
- Pushes the attributes in the X.509 certificate, including the original Shibboleth assertions
- Can include the Authn assertion if the Grid service wants to query for more
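As an added illustration (not GridShib project code) of the "Authn Assertions in Certificates" and "Attribute-push mode" slides: a credential issuer binds a SAML 1.1 authentication assertion into a non-critical X.509 extension, and the relying Grid service reads back which IdP to contact and which NameID (with Format and qualifier) to use. The extension OID, the IdP URL and the assertion content are constructed assumptions; attribute statements pushed the same way would ride in the same extension.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"errors"
	"math/big"
	"time"
)
// Placeholder extension OID: an assumption for this example, not the OID GridShib registered.
var samlExtOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
// Constructed SAML 1.1 authn assertion: Issuer points at the IdP, NameIdentifier carries Format and qualifier.
const sampleAssertion = `<Assertion xmlns="urn:oasis:names:tc:SAML:1.0:assertion" Issuer="https://idp.example.edu/shibboleth"><AuthenticationStatement>` +
	`<Subject><NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier" NameQualifier="https://idp.example.edu/shibboleth">alice</NameIdentifier></Subject></AuthenticationStatement></Assertion>`
// Assertion keeps only what the Grid service needs: which IdP/AA to contact and which name to use there.
type Assertion struct {
	Issuer string `xml:"Issuer,attr"`
	NameID struct {
		Format    string `xml:"Format,attr"`
		Qualifier string `xml:"NameQualifier,attr"`
		Value     string `xml:",chardata"`
	} `xml:"AuthenticationStatement>Subject>NameIdentifier"`
}
// issueCert plays the credential issuer (self-signed for brevity): the assertion rides in a non-critical extension, so the issuer, not the IdP, controls the name binding the Grid service sees.
func issueCert(assertionXML string) ([]byte, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // error ignored: crypto/rand does not fail in practice
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "portal user"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(12 * time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: samlExtOID, Value: []byte(assertionXML)}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}
// extractAssertion plays the Grid service: find the extension by OID, then decode the IdP pointer and NameID.
func extractAssertion(der []byte) (*Assertion, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(samlExtOID) {
			a := &Assertion{}
			return a, xml.Unmarshal(ext.Value, a)
		}
	}
	return nil, errors.New("certificate carries no SAML assertion extension")
}
```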

SAML/X509 Binding Specification
- SAML V1.1 Profiles for X.509 Subjects: http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
- Includes the following profiles:
  - X.509 SAML Subject Profile
  - SAML Assertion Profile for X.509 Subjects
  - SAML Attribute Query Profile for X.509 Subjects
  - SAML Attribute Self-Query Profile for X.509 Subjects

More Information
- http://gridshib.globus.org
- Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006. http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
- GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
- dev.globus incubator: http://dev.globus.org/wiki/Incubator/GridShib