GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,

Presentation transcript:

GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

2 Acknowledgments
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards
- Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to Internet2

3 GridShib Goals
- Allow the Grid to scale by leveraging existing campus identity management (IdM)
  - Shibboleth has the potential to become the interface to campus IdM systems
- Make joining the Grid as easy as possible for users
  - No new passwords, certificates, etc.
- Allow campus attributes to be used by the Grid

Some background

5 Grid Authentication
- Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
- GridShib leverages the existing authentication mechanisms in GT

6 Grid Authorization
- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
- Some attribute-based authorization has appeared and is proving useful
  - E.g. VOMS

7 Shibboleth
- Allows for inter-organization access to web resources
- Exposes campus identity and attributes in a standard format
  - Based on SAML as defined by OASIS
  - Policies for attribute release and transient handles to allow privacy

8 Why Shibboleth?
- What does Shibboleth bring to the table?
- A large (and growing) installed base on campuses around the world
- Professional development and support team
- A standards-based, open source implementation
- A standard attribute vocabulary (eduPerson)

9 GridShib Software Components
- GridShib for Globus Toolkit
  - A plugin for GT 4.0
- GridShib for Shibboleth
  - A plugin for the Shibboleth 1.3 IdP
- GridShib CA
  - A web-based CA for new grid users

10 GridShib for Globus Toolkit
- GridShib for Globus Toolkit is a plugin for GT4
- Features:
  - SAML authentication consumer
  - SAML attribute consumption
  - Attribute-based access control
  - Attribute-based local account mapping
  - SAML metadata consumption

11 GridShib for Shibboleth
- GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
- Features:
  - Name Mapper
  - SAML name identifier implementations
    - X509SubjectName, Address, etc.
  - Certificate Registry

12 GridShib Name Mapper
- Users may be known by a number of names
- The Name Mapper is a container for name mappings
- Multiple name mappings are supported:
  - File-based name mappings
  - DB-based name mappings
(Diagram: NameMapper containing NameMapFile and NameMapTable)

13 GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth
- An established grid user authenticates and registers an X.509 end-entity cert
- The Registry binds the cert to the principal name and persists the binding in a database
- On the backend, GridShib maps the DN in a query to a principal name in the DB
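To make slides 6, 10, 12 and 13 concrete, here is an added Python model (not GridShib's or Globus' own code) of the three mappings those slides describe: a grid-mapfile parser for identity-based authorization, a NameMapper with a file-based and a database-based backend in the manner of NameMapFile/NameMapTable (SQLite stands in for the Certificate Registry's database), and attribute-based local account mapping over eduPerson attributes. The quoted-DN line layout follows the Globus grid-mapfile convention; the name-map file layout, table schema, rule format, account names, DNs and attribute values are constructed assumptions.

```python
"""Added model of GridShib-style DN mapping and attribute-based account mapping.
Not GridShib code; formats and sample data below are assumptions."""
import re
import sqlite3
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# One entry: a quoted DN followed by one or more comma-separated local logins
# (the quoted-DN layout is the Globus grid-mapfile convention).
ENTRY = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')


def parse_gridmapfile(text: str) -> Dict[str, List[str]]:
    """Identity-based ACL (slide 6): DN -> local logins. A malformed line raises,
    so a damaged ACL fails closed instead of silently losing an entry."""
    mapping: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"grid-mapfile line {lineno} malformed: {line!r}")
        mapping[m.group(1)] = m.group(2).split(",")
    return mapping


class NameMapFile:
    """File-based name mapping (slide 12); assumed to reuse the quoted-DN layout."""

    def __init__(self, text: str) -> None:
        self._map = {dn: names[0] for dn, names in parse_gridmapfile(text).items()}

    def lookup(self, dn: str) -> Optional[str]:
        return self._map.get(dn)


class NameMapTable:
    """DB-based name mapping (slides 12-13): the Certificate Registry persists
    cert DN -> principal bindings; an SQLite table stands in for it here."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute("CREATE TABLE IF NOT EXISTS cert_registry "
                     "(dn TEXT PRIMARY KEY, principal TEXT NOT NULL)")

    def register(self, dn: str, principal: str) -> None:
        # An authenticated grid user registers an end-entity cert for their principal.
        self.conn.execute("INSERT OR REPLACE INTO cert_registry (dn, principal) "
                          "VALUES (?, ?)", (dn, principal))

    def lookup(self, dn: str) -> Optional[str]:
        row = self.conn.execute("SELECT principal FROM cert_registry WHERE dn = ?",
                                (dn,)).fetchone()
        return row[0] if row else None


class NameMapper:
    """Container for name mappings; the first backend that knows the DN answers."""

    def __init__(self, backends: Iterable[object]) -> None:
        self.backends = list(backends)

    def principal_for(self, dn: str) -> Optional[str]:
        for backend in self.backends:
            principal = backend.lookup(dn)  # type: ignore[attr-defined]
            if principal is not None:
                return principal
        return None


# Attribute-based account mapping (slide 10): ordered (attribute, value, account)
# rules, first match wins. Attribute names are eduPerson; values are constructed.
Rule = Tuple[str, str, str]


def map_account_by_attributes(attrs: Dict[str, Sequence[str]],
                              rules: Sequence[Rule]) -> Optional[str]:
    for name, value, account in rules:
        if value in attrs.get(name, ()):
            return account
    return None


def resolve_local_account(dn: str, gridmap: Dict[str, List[str]], mapper: NameMapper,
                          attribute_authority: Dict[str, Dict[str, Sequence[str]]],
                          rules: Sequence[Rule]) -> Optional[str]:
    """grid-mapfile first (existing GT behaviour); otherwise map DN -> campus
    principal, fetch that principal's attributes and apply the rules. None = deny."""
    if dn in gridmap:
        return gridmap[dn][0]
    principal = mapper.principal_for(dn)
    attrs = attribute_authority.get(principal) if principal else None
    return map_account_by_attributes(attrs, rules) if attrs else None


# --- constructed sample data ---
GRIDMAP = '"/C=US/O=Example Grid/CN=Alice Adams" alice\n# comment line\n'
NAMEMAP = '"/C=US/O=Example Grid/CN=Bob Brown" bbrown@campus.example\n'
ATTRIBUTE_AUTHORITY = {"bbrown@campus.example": {"eduPersonAffiliation": ["member", "faculty"]},
                       "cchen@campus.example": {"eduPersonAffiliation": ["alum"]}}
RULES: List[Rule] = [("eduPersonEntitlement", "urn:example:grid:admin", "gridadmin"),
                     ("eduPersonAffiliation", "faculty", "faculty_pool"),
                     ("eduPersonAffiliation", "student", "student_pool")]


def demo() -> Dict[str, Optional[str]]:
    gridmap = parse_gridmapfile(GRIDMAP)
    table = NameMapTable(sqlite3.connect(":memory:"))
    table.register("/C=US/O=Example Grid/CN=Carol Chen", "cchen@campus.example")
    mapper = NameMapper([NameMapFile(NAMEMAP), table])
    dns = {"alice": "/C=US/O=Example Grid/CN=Alice Adams",   # in grid-mapfile
           "bob": "/C=US/O=Example Grid/CN=Bob Brown",       # file-mapped, faculty
           "carol": "/C=US/O=Example Grid/CN=Carol Chen",    # DB-mapped, no matching rule
           "dave": "/C=US/O=Example Grid/CN=Dave Dunn"}      # unknown DN
    return {who: resolve_local_account(dn, gridmap, mapper, ATTRIBUTE_AUTHORITY, RULES)
            for who, dn in dns.items()}


if __name__ == "__main__":
    print(demo())  # {'alice': 'alice', 'bob': 'faculty_pool', 'carol': None, 'dave': None}
```

Running the module prints the four decisions: Alice is admitted by the identity-based ACL alone, Bob is admitted through DN-to-principal mapping plus a faculty affiliation, and Carol and Dave are denied because no rule matches or no mapping exists. The deny-by-default in `resolve_local_account` and the fail-closed parser are the two properties to preserve if this is adapted.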

14 GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users
- The GridShib CA is protected by a Shib SP and back-ended by the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start

Example Deployments

16 nanoHub
- Nanotechnology Portal
- Expose user attributes via Shib AA
- Use GridShib for GT to point the Grid at the nanoHub AA
- Allows for Grid authorization of nanoHub users based on nanoHub attributes

17 nanoHUB
(Diagram: user authenticates to the nanoHUB portal; portal AA; X.509 with SAML authentication; SAML attribute query)

18 TeraGrid Testbed
- Work underway with the NSF TeraGrid project to build a testbed based on Shibboleth and GridShib technologies
- Goals:
  - Allow for scalable access by leveraging campus authentication
  - Allow for attribute-based authorization to define communities
  - Ease of use for users

19 Testbed

20 GridShib-myVocs Integration
- myVocs developed by UAB
- myVocs allows for VOs based on Shibboleth identities
- GridShib authorizes use of Grid services based on Shibboleth identities
- Integration allows for the creation and management of Grid VOs based on Shibboleth

21 Future Plans: Attribute Push
- Turning to attribute push
- Our observation is that most Grid use cases want:
  - Persistent ID from the home institution
  - Attributes from the VO
- A Shib/X.509 gateway is the natural point to collect attributes from the home institution, combine them with VO attributes, and push them to the Grid
  - The gateway could be the GridShib CA or a domain portal, e.g. a TeraGrid Science Gateway
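Slide 21 splits authority between two issuers: the home institution for the persistent ID and the VO for VO attributes. The added Python sketch below (not GridShib code) models the gateway bundling the two and, on the Grid side, a consumer that accepts each pushed attribute only from the issuer trusted for that attribute name, so a VO cannot assert a campus identifier and vice versa. Issuer URLs, attribute names other than eduPersonTargetedID, and all values are constructed.

```python
"""Added model of slide 21's attribute push with per-attribute issuer trust.
Not GridShib code; issuers, attribute names and values are constructed."""
from typing import Dict, List, NamedTuple, Sequence, Set, Tuple


class PushedAttribute(NamedTuple):
    issuer: str                # entity that asserted the attribute
    name: str
    values: Tuple[str, ...]


def gateway_bundle(home_issuer: str, persistent_id: str, vo_issuer: str,
                   vo_attrs: Dict[str, Sequence[str]]) -> List[PushedAttribute]:
    """Gateway side: persistent ID from the home institution plus VO attributes,
    each tagged with the issuer that actually asserted it."""
    bundle = [PushedAttribute(home_issuer, "eduPersonTargetedID", (persistent_id,))]
    for name, values in vo_attrs.items():
        bundle.append(PushedAttribute(vo_issuer, name, tuple(values)))
    return bundle


def accept_pushed(bundle: Sequence[PushedAttribute],
                  trust: Dict[str, Set[str]]) -> Dict[str, Tuple[str, ...]]:
    """Grid SP side: keep an attribute only if its issuer is in the set of issuers
    trusted for that attribute name; anything else is dropped, not merged."""
    accepted: Dict[str, Tuple[str, ...]] = {}
    for attr in bundle:
        if attr.issuer in trust.get(attr.name, set()) and attr.name not in accepted:
            accepted[attr.name] = attr.values
    return accepted


# --- constructed sample data ---
HOME = "https://idp.campus.example/shibboleth"
VO = "https://vo.example.org/attribute-authority"
TRUST = {"eduPersonTargetedID": {HOME}, "voMembership": {VO}, "voRole": {VO}}


def demo() -> Dict[str, Tuple[str, ...]]:
    bundle = gateway_bundle(HOME, "persistent-id-123", VO,
                            {"voMembership": ["climate-vo"], "voRole": ["analyst"]})
    # A VO is not authoritative for the campus identifier; this entry must be dropped.
    bundle.append(PushedAttribute(VO, "eduPersonTargetedID", ("not-authoritative",)))
    return accept_pushed(bundle, TRUST)


if __name__ == "__main__":
    print(demo())
```

The trust table is keyed by attribute name rather than by issuer, which is what makes the check meaningful: an issuer that is trusted for some attributes is still rejected for the ones it is not authoritative for. In a real deployment the issuer would come from the signature on the assertion, not from a field the gateway fills in.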

22 Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid
- Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under the Apache 2 license
For more information and software: