myVocs and GridShib: Integrated VO Management. Jill Gemmill, John-Paul Robinson (University of Alabama at Birmingham); Tom Scavo, Von Welch (National Center for Supercomputing Applications)

Outline Introduction: What are we trying to do, and why? myVocs Overview GridShib Overview myVocs-GridShib Integration Q & A

Acknowledgments myVocs and GridShib are funded by the NSF Middleware Initiative (NMI awards , and ). Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation. We would also like to thank: –Serge Aumont, Olivier Salaün (CRU) –Nate Klingenstein –Tom Barton –Tim Freeman –Raj Kettimuthu

What’s a Virtual Organization? A set of collaborators bound together by a project of common interest, for example: –very large-scale science projects (e.g., TeraGrid) –half a dozen or so collaborators in a funded multidisciplinary project –physicians at 60 cancer centers wanting to share clinical data to increase N or to focus on special sub-populations –an Internet2 working group; a conference planning committee. In general, VO members are from different institutions.

VO Requirements Ideally, VO resource access would use cross-domain SSO. What architecture can support this requirement? –For myVocs: web-based applications –For grids: applications that use grid certificates

What Cross-Domain Security Architectures Exist? GRIDS –Digital certificates (X.509 / PKI) –Cross-domain trust can be managed scalably through bridged CAs –Carry only a user identifier (the DN) FEDERATIONS (SAML, Shibboleth, WS-Security) –Digitally signed security assertions –Carry identity, AuthN method and other attributes

Don’t Existing Solutions Provide What VOs Need? (No!) Single-domain solutions are inadequate. End-user certificate distribution and management has proven troublesome and non-scalable. Essential VO (group) membership information is not provided consistently by either one. Most collaboration tools are accessed by web browser (not by client software with a certificate).

What does Shibboleth bring to the table? A large (and growing) installed base A standards-based, open source implementation Working SAML 1.1 code A standard attribute vocabulary (eduPerson) A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Motivation 1 The size and vast number of VOs makes it difficult for administrators to manage the identity of each user in the VO (and VO members don’t want more passwords to remember) –Goal: Leverage existing identity management infrastructure eduPerson/Shibboleth infrastructure appeared promising for identity management

Motivation 2 Identity-based access control methods are inflexible and do not scale –Goal: Use attribute-based access control Shibboleth, an attribute transport mechanism linked to identity management, appeared promising

Motivation 3 The most important attribute for VOs is: “member of VO-XYZ” Who is authoritative for VO attributes? –The enterprise? (No) –The VO? (Yes!) How are VO attributes created? Where are VO attributes stored?

myVocs Overview A brief introduction to the myVocs system environment

myVocs Manages Attributes This point is central to myVocs (and deserves a slide of its own)

Virtual Organization Aspects –Virtual Organizations are collections of attributes –Virtual Organizations are collaborations made manifest –Virtual Organizations cross institutional boundaries –Virtual Organizations are autonomous

Virtual Organization Realities –Lighten their load: let them use trusted attributes –Resist the complication of inconsistent policies –Their influence is poor, so there is little hope of finding attribute sponsors –They are a lot like real organizations

myVocs Supports VOs myVocs lets you create and manage VOs and supplies key collaboration tools to the members of the VO

A Look Inside myVocs (diagram, built up over several slides) The core data model is Users, VOs, VO Members, VO Roles and Attributes. Around it sits a ring of applications (Mail List, CMS, Wiki, Your App), each fronted by a Shib SP and fed by a Shibboleth IdP. In the last build the VO objects are relabeled as mailing-list objects: Lists, List Members, List Roles.

Why myVocs Uses Sympa Mailing lists are central to collaborations: they specify a collection of individuals, define useful member roles, and are generally autonomous. Sympa mailing list software supports Shibboleth, and the Sympa developers were active collaborators.

Why myVocs Uses Sympa Simply by creating and managing mailing lists with a familiar web interface, the end user can manage VOs, their membership and their privileges.
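How list data turns into VO attributes, as an added example that is not myVocs or Sympa code: the constructed data below stands in for Sympa's list database with one list per VO and Sympa's three list roles (owner, editor, subscriber). The mapping of those roles to the VO roles admin/moderator/member, the rule that holding any list role makes a user a VO member, and the attribute names voMember and voRole are all assumptions for this illustration. The block derives a user's VO roles, flattens them into the multi-valued attributes a VO attribute authority would release, performs the attribute-based check an application would make, and shows a VO admin (not a campus administrator) adding a member.

```python
"""VO attributes derived from mailing-list data.

Added example (not myVocs or Sympa code). Assumptions: Sympa's three list
roles (owner, editor, subscriber) map to VO roles admin/moderator/member,
holding any list role makes a user a VO member, and the attribute names
voMember / voRole are illustrative."""
import copy
from collections import defaultdict

# Constructed sample standing in for Sympa's list database: one list per VO.
SAMPLE_LISTS = {
    "vo-animation": {
        "owner": {"alice@uab.edu"},
        "editor": {"bob@uchicago.edu"},
        "subscriber": {"alice@uab.edu", "bob@uchicago.edu", "carol@uiuc.edu"},
    },
    "vo-cancer": {
        "owner": {"carol@uiuc.edu"},
        "editor": set(),
        "subscriber": {"carol@uiuc.edu", "dave@openidp.org"},
    },
}

# Sympa list role -> VO role (assumed mapping)
ROLE_MAP = {"owner": "admin", "editor": "moderator", "subscriber": "member"}


def fresh_lists():
    """Independent copy of the sample data, so callers can mutate it."""
    return copy.deepcopy(SAMPLE_LISTS)


def vo_roles(identity, lists):
    """Return {vo: set(vo_roles)} for one identity (empty dict if in no VO)."""
    roles = defaultdict(set)
    for vo, members in lists.items():
        for list_role, people in members.items():
            if identity in people:
                roles[vo].add(ROLE_MAP[list_role])
                roles[vo].add("member")  # any list role implies membership
    return dict(roles)


def attribute_statement(identity, lists):
    """Flatten roles into the multi-valued attributes the VO attribute
    authority would release to an application (attribute names assumed)."""
    roles = vo_roles(identity, lists)
    return {
        "voMember": sorted(roles),
        "voRole": sorted(f"{vo}:{r}" for vo, rs in roles.items() for r in rs),
    }


def is_authorized(identity, vo, lists, needed_role="member"):
    """Attribute-based check an application would perform."""
    return needed_role in vo_roles(identity, lists).get(vo, set())


def add_member(actor, vo, identity, lists):
    """VO admins manage their own membership; nobody else may.
    Returns the mutated lists so the result can be inspected."""
    if not is_authorized(actor, vo, lists, needed_role="admin"):
        raise PermissionError(f"{actor} is not an admin of {vo}")
    lists[vo]["subscriber"].add(identity)
    return lists
```

Membership is recomputed from the lists on every query, so there is no separate VO database to drift out of sync with the mailing lists, which is the property the slide relies on.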

A Look Inside myVocs (diagram, continued) Sympa holds the Users, Lists, List Members and List Roles; these become the VOs, VO Members and VO Roles exposed by the VO Attribute Authority. The VO Attribute Authority, a VO IdP and a VO SP, together with the applications (Mail List, CMS, Wiki, Your App) behind a Shibboleth SP, form the VO Space: this is myVocs. Outside it lies the Identity Space, the campus and public IdPs that users come from: UAB IdP, U. Chicago IdP, UIUC IdP, openidp.org IdP. The closing builds ("myVocs Manages Attributes") make the division explicit: myVocs manages the Users, VOs, VO Members and VO Roles attributes itself, while identities come from the external IdPs.

Shibboleth Drives myVocs The user accesses a web resource. The browser is guided through any required steps by standard Shibboleth mechanisms. The system components remain invisible.

Shibboleth Drives myVocs (diagram, built up over several slides) Components: the Client Web Browser; inside myVocs, a CMS fronted by a Shib SP, the VO IdP, the VO SP and the VO attribute store (VO Attribs); a WAYF; and, in the Identity Federation, the user's home IdP (openidp.org) with its ID SP. The build-up shows the flow: the browser requests the CMS; the CMS's SP sends it to the VO IdP; the VO SP in turn sends it via the WAYF to the home IdP in the Identity Federation; Identity Attributes are returned to myVocs; myVocs looks up the user's VO Attribs and the VO IdP delivers them to the CMS.

myVocs Visual Experience (screenshots) 1. User selects a VO resource 2. User selects an Identity Provider 3. User validates identity 4. User accesses the VO resource

myVocs User Experience

Last Year's Wish, Today's Reality Make it possible for a VO to add its own grid resources. A good example: enable registering a group of desktops owned by film animation students working on different campuses so they can render their animation on their own grid resources. Keep up with what GridShib is doing.

GridShib Overview

What is GridShib? GridShib enables secure attribute sharing among Grid virtual organizations and higher-educational institutions The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth® GridShib adds attribute-based authorization to Globus Toolkit

Some Background Large scientific projects have spawned Virtual Organizations (VOs) The cyberinfrastructure and software systems to support VOs are called grids Globus Toolkit is the de facto standard software solution for grids Grid Security Infrastructure (GSI) provides basic security services for grids

Grid Authentication Globus Toolkit provides authentication services via X.509 credentials When requesting a service, the user presents an X.509 certificate, usually a proxy certificate GridShib leverages the existing authentication mechanisms in GT

Grid Authorization Today, Globus Toolkit provides identity-based authorization mechanisms: –Access control lists (called grid-mapfiles) that map DNs to a local identity (e.g., Unix logins) –Community Authorization Service (CAS) Also used with GT: PERMIS and VOMS. GridShib provides attribute-based authorization based on Shibboleth.
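The grid-mapfile path, as an added example that is not Globus Toolkit code: a constructed grid-mapfile in the conventional syntax (quoted DN, then comma-separated local logins, first one the default), a parser, and the lookup a service performs. The caveat a practitioner needs is that the subject the service authenticates is the proxy's, which carries one extra CN per delegation level ("proxy" or "limited proxy" for legacy Globus proxies, a serial number for RFC 3820 proxies), while the map is keyed by the end-entity DN. The trailing components must therefore be stripped, and only whole components, since a legitimate CN may itself end in digits. All DNs and logins below are constructed.

```python
"""grid-mapfile lookup with proxy-certificate subject reduction.

Added example, not Globus Toolkit code. The grid-mapfile syntax follows the
conventional form (quoted DN, then comma-separated local logins); the sample
file and DNs are constructed."""
import re
import shlex

GRID_MAPFILE = '''# constructed sample grid-mapfile (not from any real site)
"/C=US/O=NCSA/CN=Jane Doe" jdoe
"/DC=org/DC=doegrids/OU=People/CN=Bob Builder 12345" bob,builder
"/C=US/O=UAB/CN=Carol Smith" csmith
'''

# A proxy's subject is the signer's subject plus one extra CN: "proxy" /
# "limited proxy" for legacy Globus proxies, a serial number for RFC 3820.
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def strip_proxy(subject):
    """Reduce a (possibly multi-level) proxy subject to the EEC subject.
    Only whole trailing components are removed, so a CN that merely ends in
    digits ("Bob Builder 12345") is left alone."""
    while True:
        m = PROXY_CN.search(subject)
        if m is None:
            return subject
        subject = subject[: m.start()]


def parse_gridmap(text):
    """Return {dn: [login, ...]}; the first login is the default account."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the quoted DN
        if len(parts) != 2:
            raise ValueError(f"grid-mapfile line {lineno}: expected DN and logins")
        dn, logins = parts
        mapping[dn] = [name for name in logins.split(",") if name]
    return mapping


def map_to_local(subject, mapping, requested=None):
    """Identity-based authorization: the caller's EEC DN must appear in the
    map. Returns the local login, or None to deny. A requested login must be
    one the DN is entitled to."""
    logins = mapping.get(strip_proxy(subject))
    if not logins:
        return None
    if requested is None:
        return logins[0]
    return requested if requested in logins else None
```

Everything the service knows about the caller here is the DN; there is no group or role information to act on, which is the limitation the next slides address with attributes.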

GridShib Project Motivation VOs are difficult to manage –Goal: Leverage existing identity management infrastructure Identity-based access control methods are inflexible and do not scale –Goal: Use attribute-based access control Solution: Integrate GT and Shibboleth!

Tale of Two Technologies (diagram) The existing GSI: a Grid Client talks to the Globus Toolkit, whose Grid Security Infrastructure is based on X.509. GridShib grafts Shibboleth/SAML onto GSI/X.509: a Shibboleth Federation is added alongside the X.509 trust fabric, so the Grid Client and Globus Toolkit can use SAML as well as X.509.

Why Shibboleth? What does Shibboleth bring to the table? –A large (and growing) installed base on campuses around the world –A standards-based, open source implementation –A standard attribute vocabulary (eduPerson) A well-developed, federated identity management infrastructure has sprung up around Shibboleth!

GridShib Use Cases Three use cases under consideration: 1. Established grid user (non-browser) 2. New grid user (non-browser) 3. Portal grid user (browser) Initial efforts concentrated on the established grid user; current efforts are focused on the new grid user.

Established Grid User User possesses an X.509 end entity certificate User may or may not use MyProxy Server to manage X.509 credentials User authenticates to Grid SP with proxy certificate obtained from MyProxy The current GridShib implementation addresses this use case

New Grid User User does not possess an X.509 end entity certificate User relies on GridShib CA to issue short- lived X.509 certificates User authenticates to Grid SP using short- lived X.509 credential The myVocs-GridShib integration addresses this use case

Software Components GridShib for Globus Toolkit –A plugin for GT 4.0 GridShib for Shibboleth –A plugin for Shibboleth 1.3 IdP GridShib CA –A web-based CA for new grid users Visit the GridShib Downloads page:

GridShib for Globus Toolkit GridShib for Globus Toolkit is a plugin for GT4 Features: –Standalone attribute requester –SAML attribute consumption –Attribute-based access control –Attribute-based local account mapping –SAML metadata consumption

Standalone Attribute Requester A standalone attribute requester will query a Shibboleth Attribute Authority (AA) for attributes –By “standalone” we mean a query separate from a Shib browser profile The attribute query is based on –the Subject DN of the proxy cert, or –a SAML authn assertion embedded in an end-entity cert

GridShib for Shibboleth GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later) Features: –Name Mapper –SAML name identifier implementations (X509SubjectName, emailAddress, etc.) –Certificate Registry

GridShib Name Mapper The Name Mapper is a container for name mappings. Multiple name mappings are supported: –File-based name mappings (NameMapFile) –DB-based name mappings (NameMapTable) (Diagram: a NameMapper holding NameMapFile and NameMapTable implementations.)

GridShib Certificate Registry A Certificate Registry is integrated into GridShib for Shibboleth: state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry An established grid user authenticates and registers an X.509 end-entity cert. The Registry binds the cert to the principal name and persists the binding in a database. On the backend, GridShib maps the DN in a query to a principal name in the DB.

GridShib CA The GridShib Certificate Authority is a web-based CA for new grid users: state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA. The CA issues short-term credentials suitable for authentication to a Grid SP. Credentials are downloaded to the desktop via Java Web Start.

GridShib Attribute Pull Profile In the “Classic GridShib” profile, a Grid SP “pulls” attributes from a Shib IdP. The Client is assumed to have an account (i.e., a local principal name) at the IdP. The Grid SP and the IdP have each been assigned a unique identifier (providerId). (Diagram: Client, Grid SP, IdP.)

GridShib Attribute Pull, Step 1 The Grid Client requests a service at the Grid SP. The Client presents an X.509 certificate to the Grid SP. The Client also provides a pointer to its preferred IdP –this is the so-called IdP Discovery problem.

GridShib Attribute Pull, Step 2 The Grid SP authenticates the Client and extracts the DN from the proxy cert. The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier.

GridShib Attribute Pull, Step 3 The AA authenticates the requester and maps the DN to a local principal name. The AA returns an attribute assertion to the Grid SP –the assertion is subject to the Attribute Release Policy (ARP) at the IdP.

GridShib Attribute Pull, Step 4 The Grid SP parses the attribute assertion and performs the requested service. The attributes are cached as necessary. A response is returned to the Grid Client.
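The four steps above with both sides in one process, as an added example that is not GridShib code. It also covers the GridShib for Globus Toolkit features listed earlier (SAML attribute consumption, attribute-based access control, attribute-based local account mapping) and the name mapping the IdP plugin performs. Assumptions: the name map is a plain dict rather than GridShib's NameMapFile; the attribute store, ARP and account map are dicts; the entity identifiers, DNs and attribute values are constructed; the Grid SP is assumed to have already authenticated the proxy and reduced its subject to the end-entity DN; and the assertion is neither signed nor transported. In a real deployment the AA authenticates the requester by its client certificate and the assertion's integrity comes from an XML signature or the authenticated TLS channel; here requester authentication is reduced to "the providerId has an ARP entry". The SAML 1.x element names and the X509SubjectName name identifier format are the standard ones.

```python
"""GridShib-style attribute pull, both sides in one process.

Added example, not GridShib code. Assumptions: name map, attribute store,
ARP and account map are dicts; identifiers, DNs and values are constructed;
the assertion is unsigned and never leaves the process; the caller's DN is
already the end-entity DN (proxy components stripped by the Grid SP)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
ET.register_namespace("saml", SAML)

IDP_ID = "https://idp.example.edu/shibboleth"       # IdP providerId (assumed)
GRID_SP_ID = "https://grid.example.org/gridshib"    # Grid SP providerId (assumed)
JANE_DN = "/C=US/O=NCSA/CN=Jane Doe"                # constructed
CAROL_DN = "/C=US/O=UAB/CN=Carol Smith"             # constructed

# --- IdP side (constructed data) -------------------------------------------
NAME_MAP = {JANE_DN: "jdoe", CAROL_DN: "csmith"}   # DN -> local principal name
ATTRIBUTES = {
    "jdoe": {"eduPersonAffiliation": ["member", "staff"],
             "eduPersonEntitlement": ["urn:vo:animation"],
             "mail": ["jdoe@example.edu"]},
    "csmith": {"eduPersonAffiliation": ["member", "faculty"],
               "mail": ["csmith@example.edu"]},
}
# Attribute Release Policy: which attributes each requester may receive.
ARP = {GRID_SP_ID: {"eduPersonAffiliation", "eduPersonEntitlement"}}


def attribute_query(requester, dn):
    """Step 3 at the AA: map the DN to a principal, apply the requester's
    ARP, and return a SAML 1.x attribute assertion as XML text. An unknown
    DN or an unknown requester yields None (nothing is released)."""
    principal = NAME_MAP.get(dn)
    allowed = ARP.get(requester)
    if principal is None or allowed is None:
        return None
    assertion = ET.Element(f"{{{SAML}}}Assertion", Issuer=IDP_ID)
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", Format=X509_FORMAT).text = dn
    for name, values in ATTRIBUTES.get(principal, {}).items():
        if name not in allowed:
            continue  # withheld by the ARP
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             AttributeName=name, AttributeNamespace=ATTR_NS)
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


# --- Grid SP side -----------------------------------------------------------
# Attribute-based local account mapping: entitlement value -> local account.
ACCOUNT_MAP = {"urn:vo:animation": "vo_animation", "urn:vo:cancer": "vo_cancer"}


def parse_assertion(xml_text):
    """Step 4: extract (subject DN, {attribute: [values]}) from the assertion."""
    root = ET.fromstring(xml_text)
    nid = root.find(f".//{{{SAML}}}NameIdentifier")
    if nid is None or nid.get("Format") != X509_FORMAT:
        raise ValueError("assertion lacks an X509SubjectName subject")
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        attrs[attr.get("AttributeName")] = [
            v.text for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return nid.text, attrs


def local_account(dn):
    """The Grid SP's decision for an authenticated end-entity DN: pull the
    attributes (step 2), check the assertion is about this DN, and map an
    entitlement to a local account. None means access is denied."""
    xml_text = attribute_query(GRID_SP_ID, dn)
    if xml_text is None:
        return None
    subject, attrs = parse_assertion(xml_text)
    if subject != dn:
        raise ValueError("assertion subject does not match the caller")
    for entitlement in attrs.get("eduPersonEntitlement", []):
        if entitlement in ACCOUNT_MAP:
            return ACCOUNT_MAP[entitlement]
    return None
```

Two checks worth keeping in any real consumer: the subject of the returned assertion is compared with the DN the Grid SP authenticated, so a mis-addressed or replayed assertion cannot authorize a different caller, and the SP acts only on attributes the ARP released, so the IdP stays in control of what each relying party learns.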

Future Work Solve IdP discovery problem for grids Provide name mapping maintenance tools (for administrators) Implement a profile for attribute push Produce SAML metadata Design metadata repositories and tools

Results of Integration

Motivation Review myVocs allows for VOs based on Shibboleth identities GridShib authorizes use of Grid Services based on Shibboleth identities Goal of Integration: Creation and Management of Grid VOs based on Shibboleth Identities

What we have enabled Turn-key Grid VO creation through the integration of GridShib and myVocs: myVocs is used to create and manage VOs; GridShib allows myVocs users to create Grid credentials and access Grid resources; Grid resources obtain attributes from myVocs and grant access based on them.

Key Components –myVocs: VO creation and management –GridShib CA: creates Grid credentials from Shibboleth identities –GridShib Certificate Registry and IdP plugin: map Grid identities to Shibboleth identities –GridShib GT plugin: issues SAML attribute queries from GT to myVocs/Shibboleth

System Walk-through A quick tour of the integrated system Architecture view on these slides User view on the other projector

System Walk-through (diagrams) 1. User registers with myVocs: identity authentication at the user's home IdP. 2. VO admin adds the user to a VO. 3. Grid logon: identity authentication, then the identity is exchanged for Grid credentials carrying a Grid identity. 4. Grid service invocation: the Grid credentials present the Grid identity, and the service obtains the user's VO attributes.

Remaining Challenges Name binding on global scale Attribute Aggregation Defining VO membership, roles and attributes Group and role management

Questions? For more information: GridShib: myVocs: