GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.

Presentation transcript:

Some Background: Shibboleth
Internet2 project
Allows for controlled inter-institutional sharing of web resources
  – Federation of identities and attributes
  – Uses attribute-based authorization
  – Standards-based (SAML)
Being extended to non-web applications
Part of NMI/EDIT distribution

Some Background: Globus Toolkit
Collaborative work from the Globus Alliance
Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
Security based on X.509 identity- and proxy-certificates
Mix of Web Services and pre-WS (e.g. GridFTP) protocols

What is GridShib?
Formally known as:
  – NSF Middleware Initiative (NMI) Grant: Policy Controlled Attribute Framework
We call it “GridShib”
In a nutshell: Allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
2-year project which kicked off December 1, 2004

Why?
Attribute-based authorization has shown itself to be useful in large grids with far-flung participants and several types of roles among them
  – NEESgrid, Earth System Grid, TeraGrid, Grid3 (GriPhyN, iVDGL, and PPDG), SCEC
Identity-based approach not scaling
Shibboleth is well supported and deployed by Internet2 project
SAML is used by larger identity federation world, e.g. Liberty Alliance - integrating SAML support into Grids opens the door to leveraging this large technology space

Leveraging Internet2 Work
Shibboleth & SAML have shown how to
  – Authorize the anonymous user
  – Extend integration of common infrastructure across administrative and operational domains
Others are now trying non-browser-based “shibbolization” approaches roughly analogous to what we envision
  – E.g. LionShare
Plug: all code elements above are NMI components. We’re building on 3 years’ work of many people.

GridShib Integration Principles
No modification to typical grid client applications
Leverage Shibboleth’s attribute administration and end-user maintenance of attribute release policies
Leverage high-quality Campus Identity Provider operations
Leverage high-quality Shib and Grid software
Try to keep modifications to Grid Services and security clients (e.g. grid-proxy-init)

GridShib Challenges
Integration of SAML and X.509 identity certificates
  – Use of X.509 certificate identifier as a subject handle for use by the Shib Attribute Authority (SAA)
  – Shibboleth v1.3 should help with this
Integration of SAML and X.509 attribute certificates
  – E.g. enable the use of both Shibboleth and VOMS for authorization decisions in the same runtime
  – Derive common attribute expression to allow for use of both/either of these in Globus runtime

GridShib Challenges (cont)
Distributed Attribute Administration
  – What happens when the folks running the attribute authority are not the ones authoritative for the attributes?
  – Many projects don’t have resources to run a 7x24 security service, but are the only ones who know the attribute space.
  – Explore Signet, Grouper (from Internet2)

GridShib Challenges (cont)
Attribute Authority identification
  – “Where are you from” problem
  – Grids often have different identity providers and attribute authorities
Plumbing interconnect

Project objectives
Priority 1: Pull mode operation
  – Globus services contact Shibboleth to obtain attributes about identified user
  – Support both GT4.x Web Services and pre-WS code
Priority 2: Push mode operation
  – User obtains Shib attributes and pushes them to the service
  – Allows role selection
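
An added illustration of the pull-mode flow above, not code from the GridShib project: a service uses the authenticated certificate subject as the handle for an attribute query and decides on whatever attributes are released to it. All class and function names, the sample DN and the attributes are constructed; the DN normalization (slash form versus the RFC 2253 comma form) goes beyond what the slides state.

```python
# Added illustration: an in-memory stand-in, not GridShib or Shibboleth code.
# All names, DNs and attributes below are constructed.

def normalize_dn(dn):
    """Canonical tuple of (type, value) RDNs, most significant first.

    Accepts the slash form ("/C=US/O=Org/CN=Name") and the RFC 2253 comma
    form ("CN=Name,O=Org,C=US"), which lists RDNs in the opposite order.
    Naive split: escaped separators and multi-valued RDNs are not handled.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = [p.strip() for p in reversed(dn.split(","))]
    rdns = []
    for part in parts:
        key, sep, value = part.partition("=")
        if not sep or not key.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((key.strip().upper(), value.strip()))
    return tuple(rdns)

class AttributeAuthority:
    """Stand-in for an attribute authority that is queried by certificate DN."""
    def __init__(self):
        self._users = {}  # normalized DN -> (attributes, release policy)

    def register(self, dn, attributes, release_to):
        # release_to maps attribute name -> services allowed to receive it
        self._users[normalize_dn(dn)] = (attributes, release_to)

    def query(self, dn, requester):
        attributes, release_to = self._users.get(normalize_dn(dn), ({}, {}))
        return {k: v for k, v in attributes.items()
                if requester in release_to.get(k, ())}

def authorize_pull(aa, service, required, client_dn):
    """Pull mode: the service fetches attributes for the authenticated DN."""
    try:
        released = aa.query(client_dn, service)
    except ValueError:
        return False  # fail closed on an unparseable subject
    return all(released.get(k) == v for k, v in required.items())

AA = AttributeAuthority()
AA.register("CN=Alice Example,O=Example University,C=US",
            {"project": "seismology", "affiliation": "faculty"},
            {"project": {"compute-service"}})  # affiliation is never released
```

The service never holds a per-user access list: the decision depends only on the attributes the authority releases to that particular requester, and an unknown or unparseable subject yields a denial.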

Timeline
December 1, 2004: formal start
February 1, 2005: Developers on board and coding
Summer 2005: First release
  – Basic integration: code supporting pull model with user identified
  – Selection and simple implementation of policy description language
  – Targeting GT 4.2
  – Shibboleth 1.3

Acknowledgements
Working in collaboration with Steven Carmody and the Internet2 Shibboleth Design team
  – Providers of much valuable advice.
Funded under NSF award SCI

Questions?
Project website: –
Or contact:
For more information on NMI: –