GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

Presentation transcript:


GridShib: UK eScience Security Workshop, April 11, 2005

What is GridShib?
NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
–Funded under NSF award SCI
Goal: GT 4.2 & Shibboleth 1.3
GridShib team: NCSA, U. Chicago, ANL
–Tom Barton, David Champion, Tim Freeman, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Why? Someone else…
Leverage the Shibboleth code base
–Someone else is writing and debugging it
Leverage Shibboleth deployments
–Someone else is supporting them
Leverage larger issues going on in the Identity Federation world
–Someone else is helping to write them
–Even more someone elses will be writing and deploying them
–SAML standard, profiles
Leverage someone else’s attributes?
–Are campus attributes useful to Grids?

Outline
Low-level technical discussion
–Shibboleth
–GridShib
Higher-level discussion of Identity Federation for Grids
–How do sites federate to support a VO?

Shibboleth Federation Model
[Diagram: two sites, each holding IDs and Attrs, exchanging SAML]

Shibboleth (Simplified)
[Diagram: IDs and Attrs at the Shibboleth site; a Shibboleth Handle identifies the user; Attributes are returned via SAML]

GridShib (Simplified)
[Diagram: IDs and Attrs at the Shibboleth site; the user’s DN replaces the handle; Attributes are returned via SAML over SSL/TLS, WS-Security]

GridShib Goals
Work with others to standardize an X.509 profile for Shibboleth/SAML AA
Change as little as possible on the Shibboleth side
–Limit to installation of a new NameMapper plug-in for Shibboleth to recognize DNs and map them to local identities
Privacy
–In “V2”

GridShib Goals (cont.)
Modifications to GT to request, receive and parse SAML attributes from Shib
–See Frank Siebenlist’s earlier talk
General PDP functionality
–Grid use cases can be very complicated and varied in terms of authz policy
–Try to support the union of many “simple” cases
–Allow for deployment of custom PDPs

Higher-level Issues
How does Identity federation apply to Grids?
The Shibboleth model is very good for allowing a single site to federate its users’ attributes
If the site attributes are all that matter, then this is all you need
–E.g. a “campus grid” for campus users

VO Attributes
However, most VOs have their own attributes
–Domain-specific, VO-organization, etc.
This means multiple attribute authorities for the same set of users
How do these multiple attributes get served up?

VO runs Shibboleth Server
Requires a large, resourced VO
–Must have skills, support staff, time
Requires more complexity in authorization
–Need to map attributes to authority
To some extent defeats the purpose

Campus runs Shibboleth
Puts services in the right place
–Campuses are good at running production services
Requires campus to somehow outsource administration of attributes
Two sub-models:
–One campus handles VO attributes for all VO users
–Each campus handles VO attributes for its own users

Prediction
Arranging for administration of each VO user’s attributes will be hard at first
–Significant social issues with campuses
Initially, we will be finding one campus to serve attributes for each VO
–That campus outsources administration of a VO attribute space to that VO
–Allows remote administration by the VO
–The campus still runs the services

Questions?
Project website:
–
Or contact:
For more information on NMI:
–

Extra Slides

Shibboleth
Internet2 project
Allows for inter-institutional sharing of web resources (via browsers)
–Federation of identities and attributes
–Uses attribute-based authorization
–Standards-based (SAML)
Being extended to non-web resources

Globus Toolkit
Collaborative work from the Globus Alliance
Toolkit for Grid computing
–Job submission, data movement, data management, resource management
Based on Web Services and WSRF
Security based on X.509 identity and proxy certificates

Campus Grid Use Case
Campus running a Grid and a Shibboleth service
Users with campus-issued certificates
–Maybe a few outside users
Desires to use campus attributes to authorize use of the campus grid
E.g. USC

Grid Deployment Use Case
Multi-site Grid based around a virtual organization
Users have certificates from one or more Grid CAs, probably not run by the VO
Grid wishes to establish attributes for its users to do role-based authorization
Grid is either large enough to establish and run its own Shibboleth AA, or someone is willing to do it for them
E.g. TeraGrid, OSG

Hybrid Use Case
Grid based on a virtual organization but wants to make resources available to a larger community
–E.g. allow all chemists to access some dataset
Users have certificates from one or more Grid CAs, probably not run by the VO
Want to use campus-asserted attributes, from campus-run Shibboleth services, to authorize access to VO resources
Currently done by issuing light-weight Grid credentials to users via a portal
E.g. ESG

GridShib Integration Goals
Use Shibboleth 1.3 out of the box
–With an additional NameMapper module to handle mapping X.509 identities to local names
–Work with Shib identity provider metadata
–Working with Shib developers to achieve this
Don’t require modification to typical grid client applications for simple use cases
Most of the work going into Grid services

Project Objectives
Priority 1: Pull mode operation
–Globus services contact Shibboleth to obtain attributes about the identified user
Priority 2: Push mode operation
–User obtains Shib attributes and pushes them to the service
–Allows role selection
Priority 3: Pseudonymous access with MyProxy/GridLogon
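Added example (not from the slides or the GridShib code): a Python sketch of the pull-mode flow and the NameMapper/PDP goals above. The attribute authority resolves the caller's X.509 DN through a NameMapper table and issues a SAML 1.1 attribute assertion; the Grid service checks that the assertion's subject is the DN it authenticated, then a simple PDP evaluates an attribute policy. The DN table, directory contents and policy are constructed sample data.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
MEMBER_OF = "urn:mace:dir:attribute-def:isMemberOf"

# Constructed sample data standing in for a campus Shibboleth 1.3 AA: the NameMapper
# table (X.509 DN -> local identity) and the directory attributes of that identity.
DN_MAP = {"/C=US/O=Example Campus/CN=Alice Example": "alice"}
DIRECTORY = {"alice": {AFFILIATION: ["faculty"], MEMBER_OF: ["chem-grid"]}}

def attribute_authority(dn):
    """AA side: the NameMapper resolves the DN, then a SAML 1.1 attribute assertion is issued."""
    local_id = DN_MAP.get(dn)
    if local_id is None:
        return None  # DN unknown to the NameMapper: no assertion
    attrs = "".join(
        f'<Attribute AttributeName="{name}">'
        + "".join(f"<AttributeValue>{escape(v)}</AttributeValue>" for v in values)
        + "</Attribute>"
        for name, values in DIRECTORY[local_id].items())
    return (f'<Assertion xmlns="{SAML1_NS}" MajorVersion="1" MinorVersion="1"><AttributeStatement>'
            f'<Subject><NameIdentifier Format="{X509_FORMAT}">{escape(dn)}</NameIdentifier></Subject>'
            f"{attrs}</AttributeStatement></Assertion>")

def parse_attributes(xml_text, expected_dn):
    """Service side: parse the assertion; reject it unless its subject is the DN we asked about."""
    ns = {"s": SAML1_NS}
    stmt = ET.fromstring(xml_text).find("s:AttributeStatement", ns)
    subj = stmt.find("s:Subject/s:NameIdentifier", ns)
    if subj is None or subj.get("Format") != X509_FORMAT or subj.text != expected_dn:
        raise ValueError("assertion subject does not match the authenticated DN")
    attrs = {}
    for a in stmt.findall("s:Attribute", ns):
        values = {v.text for v in a.findall("s:AttributeValue", ns)}
        attrs.setdefault(a.get("AttributeName"), set()).update(values)
    return attrs

def pull_mode_authorize(dn, policy, aa=attribute_authority):
    """Pull mode: the service queries the AA about the DN it authenticated, then a simple PDP decides."""
    assertion = aa(dn)
    if assertion is None:
        return False, "no attributes for DN"
    attrs = parse_attributes(assertion, dn)
    for name, accepted in policy.items():  # every policy attribute needs one accepted value
        if not attrs.get(name, set()) & accepted:
            return False, "missing " + name
    return True, "authorized"
```

In a real deployment the assertion would also be signed by the AA and carried over SSL/TLS or WS-Security as the diagram shows; the subject check here is the minimum a service should do before trusting the attributes.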