GridShib: Grid/Shibboleth Integration Update
GGF 18 Shibboleth Developers BoF
September 10-11, 2006, Washington, DC
Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch
Goals
- Allow users to use existing campus IdM systems to authenticate to the Grid
- Assume Shibboleth everywhere
- Allow Grid access to campus attributes
- Hide as much of X.509 from users as possible
Sep 11-12, 2006 GGF 18
Previous Work (from GGF 16)
- Integration of Shibboleth AA with GT
  - GT can query the Shib AA, get attributes, and use those attributes to make authz decisions
  - Drop-in addition to GT 4.0 and Shibboleth 1.3
- Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
- GridShib-CA
  - Beta release publicly available
  - Expect to officially release in GT 4.1/4.2
Shib Authorization in GT
- Currently have a simple authorization mechanism
  - List of attributes required to use a service or container
  - Mapping of attributes to a local identity for GRAM job submission
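The two mechanisms on this slide, a required-attribute list and an attribute-to-local-identity mapping, applied to a SAML 1.1 attribute statement such as the one GT gets back from the Shib AA query. This is an added Python illustration, not GridShib's own (Java) code; it goes slightly beyond the slide by also checking the assertion's issuer and validity window. The issuer, attribute names and gridmap rules are constructed sample values, and XML signature verification is assumed to have already happened.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"  # SAML 1.1 assertion namespace

# Constructed sample of what a Shib AA returns to an attribute query (or what a
# portal pushes inside the certificate). Its XML signature is assumed verified.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" Issuer="https://idp.example.edu/shibboleth">
  <saml:Conditions NotBefore="2006-09-11T09:00:00Z" NotOnOrAfter="2006-09-11T10:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <saml:AttributeValue>urn:example:vo:nanohub:user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def saml_time(s):  # SAML 1.1 timestamps are UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_assertion(xml_text):
    """Return (issuer, not_before, not_on_or_after, {attr_name: set(values)})."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML}}}Conditions")
    attrs = {}
    for a in root.iter(f"{{{SAML}}}Attribute"):
        vals = {v.text.strip() for v in a.findall(f"{{{SAML}}}AttributeValue") if v.text}
        attrs.setdefault(a.get("AttributeName"), set()).update(vals)
    return root.get("Issuer"), saml_time(cond.get("NotBefore")), saml_time(cond.get("NotOnOrAfter")), attrs

def authorize(xml_text, now_utc, trusted_issuers, required, gridmap):
    """Policy: trusted issuer, assertion inside its validity window, every required
    attribute present with an acceptable value; then map to a local account or deny."""
    issuer, nb, noa, attrs = parse_assertion(xml_text)
    if issuer not in trusted_issuers or not (nb <= saml_time(now_utc) < noa):
        return None
    for name, accepted in required.items():
        if not attrs.get(name, set()) & accepted:
            return None
    for name, value, account in gridmap:  # first matching rule wins, like a gridmap line
        if value in attrs.get(name, set()):
            return account
    return None

# Sample policy (constructed): who may use the service, and which local account they get.
TRUSTED = {"https://idp.example.edu/shibboleth"}
REQUIRED = {"urn:mace:dir:attribute-def:eduPersonAffiliation": {"member", "staff", "faculty"}}
GRIDMAP = [("urn:mace:dir:attribute-def:eduPersonEntitlement", "urn:example:vo:nanohub:user", "nanohub")]
```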
Recent Work: Authn Assertions in Certificates
- IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
  - Provides a pointer to the IdP and the NameID to use
  - Big picture: it lets the credential issuer control the name binding
- Allows the certificate issuer to tell the Grid Service what IdP (AA) to contact and what name (with Format and qualifier) to use
- Allows use of a standard AA, as it doesn't have to be involved in X.509 anymore
- Also allows trusted EECs to put identity into the first-level proxy certificate
  - Intended for Grid Portals and Science Gateways
nanoHUB
[Diagram labels: nanoHUB Portal; AA; User authenticates to portal; X.509 w/SAML Authn; SAML Attribute Query]
myVocs Integration
- Collaboration with Jill Gemmill and John-Paul Robinson, U. Alabama-Birmingham
- myVocs allows for the formation of Shibboleth-based VOs
- Coupling with GridShib allows myVocs-based VOs to access Grid Resources
GridShib-myVocs Integration
[Diagram labels: GridShib CA]
User Registers with myVocs
[Diagram labels: Identity; GridShib CA; Auth]
(Speaker note: mention this is a one-time event)
VO Admin Adds User to VO
[Diagram labels: VO attributes; GridShib CA]
Grid Logon
[Diagram labels: Identity; Auth; Grid Creds.; GridShib CA]
- A user with existing credentials could also go to the Grid credential registry
Grid Service Invocation
[Diagram labels: GridShib CA; VO Attributes; Grid Id; Grid Creds.]
- A user with existing credentials could also go to the Grid credential registry
Future Plans: Attribute Push
- Turning to attribute push
- Our observation is that most Grid use cases want:
  - Persistent Id from the Home Institution
  - Attributes from the VO
- The Shib/X.509 Gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
- The push model seems to be easier: Shib2, VOMS, CAS
Attribute-push mode
- User authenticates to Portal
  - Could be GridShib-CA
- Portal gathers up Shibboleth-issued attributes
  - Combines them with VO-issued attributes
- Pushes attributes in the X.509 certificate
  - Including the original Shibboleth Assertions
  - Can include the Authn assertion if the Grid service wants to query for more
SAML/X.509 Binding Specification
- SAML V1.1 Profiles for X.509 Subjects
  http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
- Includes the following profiles:
  - X.509 SAML Subject Profile
  - SAML Assertion Profile for X.509 Subjects
  - SAML Attribute Query Profile for X.509 Subjects
  - SAML Attribute Self-Query Profile for X.509 Subjects
More Information
- http://gridshib.globus.org
- Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006. http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
- GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
- dev.globus incubator: http://dev.globus.org/wiki/Incubator/GridShib