GridShib: Campus/Grid RBAC Integration
Penn State Grid Computing Workshop, August 5th, 2005
Von Welch

Presentation transcript:


August 5th, 2005, PSU Grid Computing Workshop

Outline
Overview of Shibboleth and Globus
Our Motivation and Use Cases
Integration Approach
Status

Shibboleth
Internet2 project
Allows for inter-institutional sharing of web resources (via browsers)
 – Provides attributes for authorization between institutions
Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
Standards-based (SAML)
Being extended to non-web resources

Acknowledgements
NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
 – Funded under NSF award SCI
GridShib team: NCSA, U. Chicago, ANL
 – Tom Barton, David Champion, Tim Freeman, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Shibboleth Identity Provider
Composed of single sign-on (SSO) and attribute authority (AA) services
SSO: authenticates user locally and issues authentication assertion with Handle
 – Assertion is short-lived bearer assertion
 – Handle is also short-lived and non-identifying
 – Handle is registered with AA
Attribute Authority responds to queries regarding handle

Shibboleth Service Provider
Composed of Assertion Consumer and Attribute Requestor
Assertion Consumer parses authentication assertion
Attribute Requestor: requests attributes from AA
 – Attributes used for authorization
Where Are You From (WAYF) service determines user’s Identity Provider

Shibboleth (Simplified)
[Diagram: Shibboleth IdP (SSO and AA, backed by e.g. LDAP) issues a Handle to the Shibboleth SP (ACS); the SP’s AR presents the Handle to the AA and receives Attributes over SAML]

Globus Toolkit
Toolkit for Grid computing
 – Job submission, data movement, data management, resource management
Based on Web Services and WSRF
Security based on X.509 identity and proxy certificates
 – May be from conventional or on-line CAs
Some initial attribute-based authorization

Motivation
Many Grid VOs are focused on science or business other than IT support
 – Don’t have expertise or resources to run security services
Allow for leveraging of Shibboleth code and deployments run by campuses

Use Cases
Project leveraging campus attributes
 – Simplest case
Project-operated Shib service
 – Project operates own service; conceptually easy, but not ideal
Campus-operated, project-administered Shib
 – Ideal mix, but need mechanisms for provisioning of attribute administration

Integration Approach
Conceptually, replace Shibboleth’s handle-based authentication with X.509
 – Provides stronger security for non-web-browser apps
 – Works with existing PKI install base
To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

GridShib (Simplified)
[Diagram: the Shibboleth IdP (SSO, AA) is queried by DN instead of Handle and returns Attributes over SAML; the Grid side authenticates the DN via SSL/TLS or WS-Security]

Integration Areas
Assertion Transmission
Attribute Authority Discovery
Distributed Attribute Administration
User Registration
Pseudonymous Interaction
Authorization

Assertion Transmission
How to get SAML assertions from AA into Globus?
Initially: Pull mode with Globus acting as a Shibboleth Attribute Requestor
Will explore Pull modes to help with privacy and role combination
Implement Grid Name Mapper to map X.509 DNs to local identities used to obtain attributes

Attribute Authority Discovery
No interactive WAYF service in the Grid
Place identifier of Identity Provider in cert
 – Either in long-term EEC or short-term Proxy Cert
Will explore pushing attributes
 – Avoids the problem
 – Might also address combined attributes from multiple AAs

Distributed Attribute Administration
Campus is ideal for running services, but may not know all attributes of users
How does a campus issue attributes for which it is not authoritative?
 – E.g. IEEE membership of staff
 – In Grid case, project membership
This may be the largest hurdle due to social, political and/or legal issues
 – Need accepted cookbook for process
Plan on exploring Signet

Getting Attributes into a Site’s Attribute Authority
[Diagram: Core Business Systems (SIS, HR) feed Loaders into a Person Registry; On-site and Off-site Authorities maintain a Group Registry (Grouper UI) and a Privilege Registry (Signet UI); these populate the LDAP directory (uid: jdoe, eduPersonAffiliation: …, isMemberOf: …, eduPersonEntitlement: …) that the Attribute Authority serves to Shib/GridShib using Shibboleth]

User Registration
How does the mapping from the user’s X.509 DN to local campus identity get made in NameMapper configuration?
In initial version, this will be a manual process
Yes, far from ideal
We envision
 – Something akin to a registration service that authenticates user’s X.509 and local credentials and puts mapping in automatically
 – Or a portal that hides all the X.509 from the user and also handles this mapping, e.g. PURSE, GAMA
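As an added example (not GridShib or Globus Toolkit code), the following Python sketches the Grid Name Mapper from the Assertion Transmission slide together with the manual registration step described above. It assumes a mapping file in the style of the Globus grid-mapfile (`"/C=US/O=NCSA/CN=Jane Doe" jdoe`), strips the trailing CN that Globus adds to legacy ("proxy"/"limited proxy") and RFC 3820 (numeric) proxy certificates so that a proxy maps to its owner, and treats the OpenSSL one-line and RFC 2253 DN forms as the same identity. The function names, the sample DNs and the usernames are constructed for this example.

```python
"""Grid Name Mapper: turn the X.509 DN authenticated over TLS into the local
campus identity the Shibboleth AA can be queried about.  Added example, not
GridShib or Globus Toolkit code.  The file format copies the Globus
grid-mapfile ("/C=US/O=NCSA/CN=Jane Doe" jdoe); all function names and the
sample DNs are hypothetical."""
from __future__ import annotations

import shlex

RDN = tuple[str, str]
DN = tuple[RDN, ...]


def parse_dn(dn: str) -> DN:
    """Canonicalise a DN so the OpenSSL one-line form (/C=US/O=NCSA/CN=Jane Doe)
    and the RFC 2253 form (CN=Jane Doe,O=NCSA,C=US) compare equal.  Result is
    root-first; attribute types are upper-cased, values stay case-sensitive.
    Escaped separators ("\\/" or "\\,") are out of scope for this example."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = dn[1:].split("/")               # already root-first
    else:
        parts = list(reversed(dn.split(",")))   # RFC 2253 lists the leaf first
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def eec_dn(rdns: DN) -> DN:
    """Drop trailing proxy-certificate CNs (legacy "proxy" / "limited proxy",
    or the numeric CN of an RFC 3820 proxy) so a proxy maps to its owner.
    Caveat: an EEC whose own CN is purely numeric would be over-stripped;
    a real implementation checks the proxy certificate extension instead."""
    while len(rdns) > 1 and rdns[-1][0] == "CN" and (
            rdns[-1][1] in ("proxy", "limited proxy") or rdns[-1][1].isdigit()):
        rdns = rdns[:-1]
    return rdns


def format_dn(rdns: DN) -> str:
    """Render a canonical DN back in OpenSSL one-line form."""
    return "/" + "/".join(f"{a}={v}" for a, v in rdns)


def load_mapfile(text: str) -> dict[DN, str]:
    """Parse '"<DN>" <localname>' lines.  Blank lines and '#' comments are
    skipped; one DN mapped to two different local names is rejected."""
    mapping: dict[DN, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)              # shlex handles the quoted DN
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '\"<DN>\" <localname>'")
        key, local = parse_dn(fields[0]), fields[1]
        if mapping.get(key, local) != local:
            raise ValueError(f"line {lineno}: {fields[0]} already mapped to {mapping[key]}")
        mapping[key] = local
    return mapping


def map_dn(mapping: dict[DN, str], dn: str) -> str | None:
    """Local identity for an authenticated DN, or None.  An unmapped DN must
    not fall through to a default account: no local identity means no
    attribute query, hence no attributes for the authorization step."""
    return mapping.get(eec_dn(parse_dn(dn)))


def add_mapping(text: str, dn: str, local: str) -> str:
    """The manual registration step from the talk: append a DN -> local
    mapping, refusing to re-map a DN that already belongs to someone else."""
    mapping, key = load_mapfile(text), eec_dn(parse_dn(dn))
    if mapping.get(key, local) != local:
        raise ValueError(f"{dn} is already mapped to {mapping[key]}")
    if key in mapping:
        return text                             # idempotent re-registration
    body = text.rstrip("\n") + "\n" if text.strip() else ""
    return body + f'"{format_dn(key)}" {local}\n'


# Constructed sample mapfile; DNs and usernames are invented.
SAMPLE_MAPFILE = """\
# DN of the user's end-entity certificate -> campus uid known to the AA
"/C=US/O=NCSA/CN=Jane Doe" jdoe
"/DC=org/DC=ExampleGrid/OU=People/CN=John Smith 12345" jsmith
"""

if __name__ == "__main__":
    m = load_mapfile(SAMPLE_MAPFILE)
    for dn in ("/C=US/O=NCSA/CN=Jane Doe",
               "CN=Jane Doe, O=NCSA, C=US",            # same identity, RFC 2253 form
               "/C=US/O=NCSA/CN=Jane Doe/CN=proxy",    # proxy certificate of jdoe
               "/C=US/O=NCSA/CN=Nobody"):              # unregistered user
        print(f"{dn:42} -> {map_dn(m, dn)}")
```

The lookup deliberately returns None rather than a default account for an unknown DN: in the GridShib flow a missing local identity means the AA is never queried, so the authorization step sees no attributes and the request fails closed.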

Pseudonymous Interaction
How to maintain Shibboleth pseudonymous functionality with X.509?
Will develop online CA that issues certificates with non-identifying DNs
 – Register with AA just as SSO does
 – Basically holder-of-key assertions

Authorization
Develop authorization framework in Globus Toolkit
Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
XACML used for expressing gathered identity, attribute and policy information
 – Convert attributes into common format for policy evaluation
 – Allows for common evaluation of attributes expressed in SAML and X.509 (and others…)
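As an added example (not Globus Toolkit or GridShib code), the following Python walks through the pipeline this slide describes: attributes are gathered from a SAML 1.1 attribute statement of the kind a Shibboleth 1.3 AA returns and from the authenticated X.509 identity, both are normalised into one attribute bag keyed by URI (the way XACML names attributes), and a small XACML-like rule set with deny-overrides combining renders the decision. The MACE and XACML 1.0 attribute identifiers are the real ones; the SAML statement, the policy, the group names, the issuer attribute id and the function names are constructed for this example.

```python
"""Attribute-based authorization as the talk lays it out: gather attributes
from the SAML 1.1 attribute statement returned by the Shibboleth AA and from
the X.509 identity, normalise both into one attribute bag keyed by URI (the
way XACML names attributes), then evaluate a small XACML-like rule set.
Added example, not Globus Toolkit or GridShib code.  The MACE and XACML 1.0
attribute identifiers are real; the policy, group names and function names
are hypothetical."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
MACE = "urn:mace:dir:attribute-def:"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
ISSUER = "urn:example:x509:issuer"      # hypothetical attribute id for the CA DN

AttrBag = dict[str, set[str]]

# Constructed AttributeStatement such as a Shibboleth 1.3 AA returns for the
# subject it was queried about (values invented, signature omitted).
SAMPLE_SAML = f"""<AttributeStatement xmlns="{SAML1}">
  <Subject><NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">/C=US/O=NCSA/CN=Jane Doe</NameIdentifier></Subject>
  <Attribute AttributeName="{MACE}eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue>staff</AttributeValue><AttributeValue>member</AttributeValue>
  </Attribute>
  <Attribute AttributeName="{MACE}isMemberOf" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue>gridshib-dev</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def attributes_from_saml(xml_text: str, authenticated_dn: str) -> AttrBag:
    """(AttributeName -> values) from a SAML 1.1 AttributeStatement.  The
    statement's Subject must name the DN authenticated over TLS; without this
    check an AA answer about some other user could be presented instead."""
    root = ET.fromstring(xml_text)
    subject = root.findtext(f"{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
    if subject is None or subject.strip() != authenticated_dn:
        raise ValueError(f"statement is about {subject!r}, not {authenticated_dn!r}")
    bag: AttrBag = {}
    for attr in root.findall(f"{{{SAML1}}}Attribute"):
        values = {v.text.strip() for v in attr.findall(f"{{{SAML1}}}AttributeValue") if v.text}
        bag.setdefault(attr.get("AttributeName"), set()).update(values)
    return bag


def attributes_from_x509(subject_dn: str, issuer_dn: str) -> AttrBag:
    """What the X.509 authentication step itself contributes to the bag."""
    return {SUBJECT_ID: {subject_dn}, ISSUER: {issuer_dn}}


def merge(*bags: AttrBag) -> AttrBag:
    """Union several attribute bags into the common format the policy sees."""
    out: AttrBag = {}
    for bag in bags:
        for name, values in bag.items():
            out.setdefault(name, set()).update(values)
    return out


@dataclass
class Rule:
    effect: str                         # "Permit" or "Deny"
    match: dict[str, frozenset[str]]    # each listed attribute must hold one of the values

    def applies(self, request: AttrBag) -> bool:
        return all(request.get(name, set()) & values for name, values in self.match.items())


def evaluate(rules: list[Rule], request: AttrBag) -> str:
    """Deny-overrides combining: an applicable Deny wins, then Permit,
    otherwise NotApplicable (which the enforcement point treats as deny)."""
    effects = {r.effect for r in rules if r.applies(request)}
    return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"


# Hypothetical policy: gridshib-dev members with a campus "member" affiliation
# may submit jobs to GRAM; anyone in the "suspended" group is denied outright.
POLICY = [
    Rule("Permit", {MACE + "isMemberOf": frozenset({"gridshib-dev"}),
                    MACE + "eduPersonAffiliation": frozenset({"member"}),
                    RESOURCE_ID: frozenset({"gram"}),
                    ACTION_ID: frozenset({"submit-job"})}),
    Rule("Deny", {MACE + "isMemberOf": frozenset({"suspended"})}),
]


def decide(saml_xml: str, subject_dn: str, issuer_dn: str, resource: str, action: str) -> str:
    """Full pipeline: gather from both sources, merge, evaluate."""
    request = merge(attributes_from_x509(subject_dn, issuer_dn),
                    attributes_from_saml(saml_xml, subject_dn),
                    {RESOURCE_ID: {resource}, ACTION_ID: {action}})
    return evaluate(POLICY, request)


if __name__ == "__main__":
    dn, ca = "/C=US/O=NCSA/CN=Jane Doe", "/C=US/O=NCSA/CN=Example CA"
    print(decide(SAMPLE_SAML, dn, ca, "gram", "submit-job"))    # Permit
    print(decide(SAMPLE_SAML, dn, ca, "gram", "cancel-job"))    # NotApplicable
```

The subject check in attributes_from_saml is the piece most easily forgotten when the Handle is replaced by a DN: the attribute statement is only meaningful for the identity that was actually authenticated on the connection, so the DN in the statement's Subject must equal the DN from the TLS or WS-Security layer before any of its attributes enter the bag.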

GridShib Status
Testing initial version internal to project
Will be a drop-in addition to GT 4.0 and Shibboleth 1.3
Currently adapting to last-minute Shibboleth 1.3 changes and doing internal testing
Plan on beta release in 2-3 weeks
Looking for interested beta testers

Questions?
Project website: – My