Gridshib-tech-overview-dec051 GridShib A Technical Overview Tom Scavo NCSA.

Slides:



Advertisements
Similar presentations
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Advertisements

Federated Identity for Grid Architects Tom Scavo NCSA
GT 4 Security Goals & Plans Sam Meder
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
MyVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Saml-v1_x-tech-overview-dec051 Security Assertion Markup Language SAML 1.x Technical Overview Tom Scavo NCSA.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.
Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1, Jim Basney 2, Tim Freeman.
GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005 Von Welch
GridShib CIP Seminar December 6th, 2005 Tom Scavo Von Welch NCSA.
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Tools for Grid/Campus Integration: GridShib and MyProxy Internet2 Advanced Camp July 1, 2005 Von Welch
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
GridShib Grid-Shibboleth Integration An Overview Von Welch
1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.
Federated Identity Management for HEP David Kelsey HEPiX, IHEP Beijing 18 Oct 2012.
Shibboleth A Technical Overview
Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
2NCSA/University of Illinois
Shibboleth Roadmap
I2/NMI Update: Signet, Grouper, & GridShib
e-Infrastructure Workshop 28th March 2006, University of Leeds
Shibboleth for Non-Web-Based Applications: GridShib
Overview and Development Plans
NSF Middleware Initiative: GridShib
GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
A Grid Authorization Model for Science Gateways
NSF Middleware Initiative: GridShib
Presentation transcript:

gridshib-tech-overview-dec051 GridShib A Technical Overview Tom Scavo NCSA

gridshib-tech-overview-dec052 Overview GridShib project details GridShib use cases GridShib implementation GridShib attribute pull profile GridShib-MyProxy integration GridShib browser profile

gridshib-tech-overview-dec053 What is GridShib? GridShib enables secure attribute sharing between Grid virtual organizations and higher-educational institutions The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth® GridShib adds attribute-based authorization to Globus Toolkit

gridshib-tech-overview-dec054 Tale of Two Technologies Grid Client Globus Toolkit Shibboleth X.509 SAML Grid Security Infrastructure Shibboleth Federation Bridging Grid/X.509 with Shib/SAML

gridshib-tech-overview-dec055 Motivation Large scientific projects have spawned Virtual Organizations (VOs) The cyberinfrastructure and software systems to support VOs are called grids Globus Toolkit is the de facto standard software solution for grids Grid Security Infrastructure provides basic security services…but does it scale?

gridshib-tech-overview-dec056 Why Shibboleth? What does Shibboleth bring to the table? –A large (and growing) installed base –A standards-based, open source implementation –A standard attribute vocabulary (eduPerson) A well-developed, federated identity management infrastructure has sprung up around Shibboleth

gridshib-tech-overview-dec057 Shibboleth Federations A federation –Provides a common trust and policy framework –Issues credentials and distributes metadata –Provides discovery services for SPs Shibboleth-based federations: –InCommon (23 members) –InQueue (157 members) –SDSS (30 members) –SWITCH (23 members) –HAKA (8 members)

gridshib-tech-overview-dec058 InCommon Federation

gridshib-tech-overview-dec059 Introduction

gridshib-tech-overview-dec0510 GridShib Project GridShib is a project funded by the NSF Middleware Initiative (NMI awards and ) GridShib is a joint project of NCSA, University of Chicago, and Argonne National Laboratory Project web site

gridshib-tech-overview-dec0511 Milestones Dec 2004, GridShib project commences Feb 2005, Developers onboard Apr 2005, Globus Toolkit 4.0 released May 2005, GridShib Alpha released Jul 2005, Shibboleth 1.3 released Sep 2005, GridShib Beta released GridShib-MyProxy integration TBA

gridshib-tech-overview-dec0512 Related Projects Globus Toolkit Shibboleth LionShare eSP-grid science.ox.ac.uk/oesc/projects/index.xml.ID= body.1_div.1#esp science.ox.ac.uk/oesc/projects/index.xml.ID= body.1_div.1#esp

gridshib-tech-overview-dec0513 Leveraged Standards X.509 Public Key Infrastructure (RFC 3280) Proxy certificates (RFC 3820) OASIS SAML open.org/committees/tc_home.php?wg_abbrev =security#samlv11 open.org/committees/tc_home.php?wg_abbrev =security#samlv11 Internet2 Shibboleth mace-shibboleth-arch-protocols-latest.pdf mace-shibboleth-arch-protocols-latest.pdf

gridshib-tech-overview-dec0514 Use Cases There are three use cases under consideration: 1.Established grid user (non-browser) 2.New grid user (non-browser) 3.Portal grid user (browser)  Initial efforts have concentrated on the established grid user (i.e., user with existing long-term X.509 credentials )

gridshib-tech-overview-dec0515 Established Grid User User possesses an X.509 end entity certificate User may or may not use MyProxy Server to manage X.509 credentials User authenticates to Grid SP with proxy certificate (grid-proxy-init) The current GridShib implementation addresses this use case

gridshib-tech-overview-dec0516 New Grid User User does not possess an X.509 end entity certificate User relies on MyProxy Online CA to issue short-lived X.509 certificates User authenticates to Grid SP using short-lived X.509 credential Emerging GridShib Non-Browser Profiles address this use case

gridshib-tech-overview-dec0517 Portal Grid User User does not possess an X.509 cert User accesses Grid SP via a browser interface, that is, the client delegates a web application to request a service at the Grid SP MyProxy issues a short-lived X.509 certificate via a back-channel exchange GridShib Browser Profiles apply

gridshib-tech-overview-dec0518 GridShib Implementation

gridshib-tech-overview-dec0519 Software Components GridShib for Globus Toolkit –A plugin for GT 4.0 GridShib for Shibboleth –A plugin for Shibboleth 1.3 IdP Shibboleth IdP Tester –A test application for Shibboleth 1.3 IdP Visit the GridShib Download page:

gridshib-tech-overview-dec0520 The Actors Standard (non-browser) Grid Client Globus Toolkit with GridShib installed (which we call a “Grid SP”) Shibboleth IdP with GridShib installed IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec0521 GridShib Attribute Pull Profile In the current implementation, a Grid SP “pulls” attributes from a Shib IdP The Client is assumed to have an account (i.e., local principal name) at the IdP The Grid SP and the IdP have been assigned a unique identifier (providerId) IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec GridShib Attribute Pull Step 1 The Grid Client requests a service at the Grid SP The Client presents a standard proxy certificate to the Grid SP The Client also provides a pointer to its preferred IdP IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec0523 IdP Discovery The Grid SP needs to know the Client’s preferred IdP One approach is to embed the IdP providerId in the proxy certificate This requires modifications to the MyProxy client software, however Currently the IdP providerId is configured into the Grid SP

gridshib-tech-overview-dec GridShib Attribute Pull Step 2 The Grid SP authenticates the Client and extracts the DN from the proxy cert The Grid SP queries the Attribute Authority (AA) at the IdP IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec0525 Attribute Query The Grid SP formulates a SAML attribute query: CN=GridShib,OU=NCSA,O=UIUC The Resource attribute is the Grid SP providerId The NameQualifier attribute is the IdP providerId The NameIdentifier is the DN from the proxy cert Zero or more AttributeDesignator elements call out the desired attributes

gridshib-tech-overview-dec GridShib Attribute Pull Step 3 The AA authenticates the requester and returns an attribute assertion to the Grid SP The assertion is subject to Attribute Release Policy (ARP) IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec0527 Attribute Assertion The assertion contains an attribute statement: CN=GridShib,OU=NCSA,O=UIUC member student The Subject is identical to the Subject of the query Attributes may be single-valued or multi-valued Attributes may be scoped (e.g., )

gridshib-tech-overview-dec0528 Name Mapping An IdP does not issue X.509 certs so it has no prior knowledge of the DN Solution: Create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP) # Default name mapping file CN=GridShib,OU=NCSA,O=UIUC gridshib "CN=some user,OU=People,DC=doegrids" test The DN must conform to RFC 2253

gridshib-tech-overview-dec GridShib Attribute Pull Step 4 The Grid SP parses the attribute assertion and performs the requested service A generalized attribute framework is being developed for GT A response is returned to the Grid Client IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec0530 Future Work Solve the IdP Discovery problem –Implement shib-proxy-init Implement DB-based name mapping Provide name mapping maintenance tools (for administrators) Design an interactive name registry service (for users) Devise metadata repositories and tools

gridshib-tech-overview-dec0531 GridShib-MyProxy Integration

gridshib-tech-overview-dec0532 Shib Browser Profile Consider a Shib browser profile stripped to its bare essentials Authentication and attribute assertions are produced at steps 2 and 5, resp. The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step IdP SP CLIENTCLIENT 1 2

gridshib-tech-overview-dec0533 GridShib Non-Browser Profile Replace the SP with a Grid SP and the browser client with a non-browser client Three problems arise: –Client must possess X.509 credential to authenticate to Grid SP –Grid SP needs to know what IdP to query (IdP Discovery) –The IdP must map the SAML Subject to a local principal IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-dec0534 The Role of MyProxy Consider a new grid user instead of the established grid user For a new grid user, we are led to a significantly different solution Obviously, we must issue an X.509 credential to a new grid user A short-lived credential is preferred Enter MyProxy Online CA…

gridshib-tech-overview-dec0535 MyProxy-first Attribute Pull MyProxy with Online CA MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC IdP collocated with MyProxy IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec MyProxy-first Attribute Pull Step 1 A MyProxy Client sends a MyProxy Protocol request to a MyProxy Server Any authentication method supported by MyProxy may be used IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec MyProxy-first Attribute Pull Step 2 The MyProxy Server authenticates the requester MyProxy issues an X.509 credential with embedded authN assertion The credential is returned in a MyProxy Protocol response IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec0538 Authentication Assertion MyProxy inserts an assertion containing a minimal authentication statement into the certificate: AuthenticationMethod may be used by Grid SP The NameQualifier attribute is the IdP providerId The IdP easily maps the NameIdentifier to the desired local principal

gridshib-tech-overview-dec MyProxy-first Attribute Pull Step 3 A Grid Client requests a service at a Grid SP The client presents the decorated X.509 certificate obtained from MyProxy IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec MyProxy-first Attribute Pull Step 4 The Grid SP authenticates the Client and processes the assertion The Grid SP queries the Shib Attribute Authority (AA) referred to in the assertion IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec MyProxy-first Attribute Pull Step 5 The AA authenticates the requester and returns an attribute assertion to the Grid SP The assertion is subject to policy IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec MyProxy-first Attribute Pull Step 6 The Grid SP parses the attribute assertion and makes an access control decision A response is returned to the Client IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec0543 MyProxy-first Advantages Relatively easy to implement Requires only one round trip by the client Requires no modifications to the Shib IdP Requires no modifications to the Client Supports multiple authentication mechanisms out-of-the-box Uses transparent, persistent identifiers: –No coordination of timeouts necessary –Mapping to local principal is straightforward

gridshib-tech-overview-dec0544 IdP-first Non-Browser Profiles The IdP-first profiles require no shared state between MyProxy and the IdP Supports separate security domains Leverages existing name identifier mappings at the IdP IdP-first profiles may be used with either Attribute Pull or Attribute Push

gridshib-tech-overview-dec0545 Attribute Pull or Push? attributes user AA Grid SP user AA request attributes Pull Push

gridshib-tech-overview-dec0546 IdP-first Attribute Pull MyProxy with Online CA MyProxy consumes and produces SAML authN assertions The Client authenticates to MyProxy with a SAML authN assertion IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec0547 IdP-first Attribute Push The IdP “pushes” an attribute assertion to the Client The Client authenticates to MyProxy with a SAML authN assertion MyProxy consumes both SAML authN and attribute assertions IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-dec0548 IdP-first Advantages Since IdP controls both ends of the flow: –Mapping NameIdentifier to a local principal is straightforward –Choice of NameIdentifier format is left to the IdP Attribute push simplifies IdP config and trust relationships Reusable by grid portal use case

gridshib-tech-overview-dec0549 GridShib Browser Profiles

gridshib-tech-overview-dec0550 IdP-first Browser Profiles As a consequence of the IdP-first Non- Browser profiles, MyProxy gains the ability to consumes SAML assertions If we replace the non-browser client with a web component, we can reuse that functionality in the following GridShib Browser Profile

gridshib-tech-overview-dec0551 IdP-first Attribute Pull The first three steps are normal Shib Browser/POST A Shib SP is protecting a web version of MyProxy Client IdP Grid SP MyProxy CLIENTCLIENT SP

gridshib-tech-overview-dec0552 The 3-tier Problem How does the browser user delegate authority to the web component to retrieve an X.509 credential on its behalf? This problem is an instance of the so- called n-tier problem

gridshib-tech-overview-dec0553 Delegation Profile No widely accepted solution to this problem exists today The Shib dev team has proposed a SAML2-based solution: t-cantor-saml-sso-delegation-01.pdf t-cantor-saml-sso-delegation-01.pdf The implications for GridShib are not clear at this point

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.