1 GridShib: Grid/Shibboleth Interoperability
November 2006
Tom Barton (1), Tim Freeman (1), Kate Keahey (1), Raj Kettimuthu (1), Tom Scavo (2), Frank Siebenlist (1), Von Welch (2)
(1) University of Chicago; (2) NCSA/University of Illinois
National Center for Supercomputing Applications

2 Acknowledgments
GridShib is a project funded by the NSF Middleware Initiative (NMI awards). Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Collaboration between NCSA and U. Chicago/ANL
Also many thanks to Internet2

3 GridShib Goals
- Allow the Grid to scale by leveraging existing campus identity management (IdM)
  - Consider Shibboleth as the interface to campus IdM systems
  - Get out of the identity management game
- Make joining the Grid as easy as possible for users
  - No separate long-term credential for Grid access to manage
  - No new passwords, certificates, etc.
- Allow campus attributes and VO attributes to be aggregated and used by the Grid for authorization
- Allow for scalability in the user base through attribute-based authorization, i.e. know groups of users instead of individual users

4 Some background

5 Authentication vs Authorization
- Identifier: a unique name for an entity (username, DN, GUID, SSN, etc.)
- Authentication: verifying the identity of users, i.e. associating them with an identifier
  - Different authentication methods have different levels of certainty
- Authorization: deciding whether or not a request will be granted
- Authorization policy: the set of rules by which an authorization decision is made
- Authentication does not imply authorization
  - E.g. just because you trust a CA doesn't mean all users with certificates from it are authorized

6 Attributes
- Attribute: a property of an entity
  - Entities may have lots of properties
  - The same property may apply to many entities
  - E.g. community membership, affiliation, age, gender, height, occupation
- Attribute-based authorization: authorization based not on who someone is (their identity) but on what they are (their attributes)
  - E.g. you can buy me a beer if your age > 21 years

7 Grid Authentication
- Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate
  - RFC 3820 proxy certificate or standard end-entity certificate
- GridShib leverages the existing authentication mechanisms in GT

8 Grid Authorization
- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
- Some attribute-based authorization has appeared and is proving useful
  - E.g. VOMS, caBIG
A Grid SP may call out to a third-party, SAML-based authorization service called a Community Authorization Service (CAS). PrivilEge and Role Management Infrastructure Standards (PERMIS) is also a SAML-based, third-party authorization service. Virtual Organization Membership Service (VOMS) pushes X.509 attribute certificates to the Grid SP.

9 Shibboleth
- Allows for inter-organization access to web resources
- Exposes campus identity and attributes in a standard format
  - Based on SAML as defined by OASIS
- Policies for attribute release and transient handles to allow privacy

10 Why Shibboleth?
What does Shibboleth bring to the table?
- A large (and growing) installed base on campuses around the world
- Professional development and support team
- A standards-based, open source implementation
- A standard attribute vocabulary (eduPerson)
Shibboleth deployments have reached critical mass worldwide (US, UK, Switzerland, France, Finland, Australia). Shibboleth is the only open source implementation of the SAML browser profiles.

11 Identity Federation Challenges
- Application mismatch
  - Shibboleth works well with web apps and web browsers
  - Grid services are SOAP-based and otherwise not browser-driven
- Identity federation
  - Have to convert between SAML and X.509
  - Have to map identifiers in Grid space to identifiers at the campus

12 GridShib Software Components
- GridShib for Globus Toolkit: a plugin for GT 4.0
- GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
- GridShib CA: a web-based CA for new grid users
- GridShib SAML Tools: tools for portals and users to embed attributes into X.509 credentials
All at:

13 GridShib for Globus Toolkit
GridShib for Globus Toolkit is a plugin for GT4. Features:
- SAML authentication consumer
- SAML attribute consumption
- Attribute-based access control
- Attribute-based local account mapping
- SAML metadata consumption
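The two authorization styles the deck contrasts, the grid-mapfile of slide 8 and the attribute-based access control and local account mapping listed above, side by side. This is an added example, not GridShib or Globus Toolkit code: the reader follows the Globus grid-mapfile format (a quoted DN followed by a comma-separated list of local accounts), and the attribute policy is a stand-in for the rules GridShib for GT evaluates over SAML attributes. Every DN, attribute value, policy rule and local account name here is constructed for illustration.

```python
"""Identity-based versus attribute-based Grid authorization.

Added example, not GridShib or Globus Toolkit code.  The grid-mapfile reader
follows the Globus file format (a quoted DN followed by a comma-separated
list of local accounts); the attribute policy stands in for the kind of
rule GridShib for GT evaluates over SAML attributes.  Every DN, attribute
value and local account name here is constructed for illustration.
"""
import shlex
from typing import Dict, List, Optional

# Constructed grid-mapfile.  '#' starts a comment.
GRID_MAPFILE = '''
# DN                                                   local account(s)
"/C=US/O=Example Campus/OU=Physics/CN=Alice Example"   alice
"/C=US/O=Example Campus/OU=Chemistry/CN=Bob Example"   bob,chem
'''


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {DN: [local accounts]} for a grid-mapfile.

    shlex keeps the quoted DN (which contains spaces) as one token.  Lookups
    are exact-match on the DN string; any normalization (case, alternative
    attribute spellings) is deliberately left out of this example.
    """
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping[dn] = accounts.split(",")
    return mapping


def identity_authorize(gridmap: Dict[str, List[str]], dn: str) -> Optional[str]:
    """Identity-based decision: the authenticated DN must be listed.

    A certificate from a trusted CA proves identity only; an unlisted DN is
    refused (fail closed).  Every authorized person needs an entry, which is
    the scaling problem GridShib sets out to remove.
    """
    accounts = gridmap.get(dn)
    return accounts[0] if accounts else None


# Constructed attribute policy: (SAML attribute name, required value, local account).
# The attribute names are the eduPerson names a Shibboleth 1.3 IdP releases.
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ATTRIBUTE_POLICY = [
    (ENTITLEMENT, "urn:mace:example.org:vo:climate:member", "climate"),
    (AFFILIATION, "faculty", "faculty"),
]


def attribute_authorize(attributes: Dict[str, List[str]]) -> Optional[str]:
    """Attribute-based decision plus local account mapping.

    Rules are tried in order and the first match wins, so the most specific
    rule (VO membership) comes first.  The service never needs to know the
    individual; a user with none of the required attribute values is refused.
    """
    for name, value, account in ATTRIBUTE_POLICY:
        if value in attributes.get(name, []):
            return account
    return None


if __name__ == "__main__":
    gridmap = parse_gridmap(GRID_MAPFILE)
    print(identity_authorize(gridmap, "/C=US/O=Example Campus/OU=Physics/CN=Alice Example"))
    print(identity_authorize(gridmap, "/C=US/O=Example Campus/CN=Carol Unknown"))
    print(attribute_authorize({AFFILIATION: ["member", "faculty"]}))
    print(attribute_authorize({AFFILIATION: ["student"]}))
```

Both functions fail closed: an unknown DN or an attribute set that matches no rule yields no account at all rather than a default one, which is the "authentication does not imply authorization" point of slide 5 in code. The attribute path also shows why ordering matters: a faculty member who is also a VO member lands in the VO account because the more specific rule is checked first.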

14 GridShib SAML Tools
- Tools for creating SAML and binding it to Grid credentials
- Used to direct GridShib for GT to the appropriate Shibboleth AA
  - Addresses the WAYF (Where Are You From?) problem
- Directs GridShib for GT as to which identifier to use in the SAML attribute request
  - Can alleviate the need for Shibboleth IdP changes
- Upcoming version allows binding of attributes to the credential

15 GridShib for Shibboleth
GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later). Features:
- Name Mapper
- SAML name identifier implementations
  - X509SubjectName, Address, etc.
- Certificate Registry

16 GridShib Name Mapper
- Users may be known by a number of names
- The Name Mapper is a container for name mappings
- Multiple name mappings are supported:
  - File-based name mappings (NameMapFile)
  - DB-based name mappings (NameMapTable)
The Name Mapper (NameMapper) is an oracle that takes a DN and returns a principal name.
Implementation note: GridShib ships with (embedded) Derby, but other RDBMSs are supported via JDBC (only MySQL has been tested).

17 GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth
- An established grid user authenticates and registers an X.509 end-entity cert
- The Registry binds the cert to the principal name and persists the binding in a database
- On the back end, GridShib maps the DN in a query to a principal name in the DB
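The Name Mapper of slide 16 and the Certificate Registry above, worked as one small program. This is an added example, not GridShib code: it mirrors the design described on the slides (a NameMapper container over a file-based NameMapFile and a database-backed NameMapTable, with the registry persisting DN-to-principal bindings into the table), using Python and sqlite3 where GridShib uses Java and embedded Derby. The file format, DNs and principal names are assumptions made for this example; the real NameMapFile syntax is not shown in the deck.

```python
"""DN-to-principal name mapping and the Certificate Registry.

Added example, not GridShib code.  It mirrors the design on the slides: a
NameMapper container over a file-based mapping (NameMapFile) and a
database-backed mapping (NameMapTable), the latter also serving as the store
the Certificate Registry writes to.  Python and sqlite3 stand in for
GridShib's Java and embedded Derby; the file format, DNs and principal names
are assumptions made for this example.
"""
import sqlite3
from typing import List, Optional


class NameMapFile:
    """File-based mapping.  Assumed format: 'DN<TAB>principal' per line,
    '#' for comments (the real NameMapFile syntax is not shown on the slide)."""

    def __init__(self, text: str) -> None:
        self._map = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            dn, sep, principal = line.partition("\t")
            if not sep or not principal.strip():
                raise ValueError(f"malformed name map line: {raw!r}")
            self._map[dn.strip()] = principal.strip()

    def lookup(self, dn: str) -> Optional[str]:
        return self._map.get(dn)


class NameMapTable:
    """Database-backed mapping; the Certificate Registry persists into it."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS name_map ("
            "dn TEXT PRIMARY KEY, principal TEXT NOT NULL)"
        )

    def register(self, principal: str, dn: str) -> None:
        """Certificate Registry: a Shibboleth-authenticated principal binds the
        DN of the end-entity cert it just presented.  A DN already bound to a
        different principal is refused rather than silently re-assigned."""
        current = self.lookup(dn)
        if current is not None and current != principal:
            raise PermissionError(f"{dn} is already bound to {current}")
        # Parameterized statement: the DN comes from a certificate the user
        # controls, so it is untrusted input as far as SQL is concerned.
        self.conn.execute(
            "INSERT OR REPLACE INTO name_map (dn, principal) VALUES (?, ?)",
            (dn, principal),
        )
        self.conn.commit()

    def lookup(self, dn: str) -> Optional[str]:
        row = self.conn.execute(
            "SELECT principal FROM name_map WHERE dn = ?", (dn,)
        ).fetchone()
        return row[0] if row else None


class NameMapper:
    """Container over several mappings: the first one that knows the DN wins."""

    def __init__(self, *mappings) -> None:
        self.mappings: List = list(mappings)

    def map(self, dn: str) -> Optional[str]:
        for mapping in self.mappings:
            principal = mapping.lookup(dn)
            if principal is not None:
                return principal
        return None


# Constructed file-based mapping (one administratively configured user).
NAME_MAP_FILE = (
    "# DN\tprincipal\n"
    "/C=US/O=Example Campus/OU=Physics/CN=Alice Example\talice@example.edu\n"
)


def build_demo_mapper() -> NameMapper:
    """Assemble a mapper the way an IdP deployment would: static file first,
    then the registry table that users populate themselves."""
    table = NameMapTable(sqlite3.connect(":memory:"))
    # Registry step: Bob logged in through Shibboleth and registered his EEC.
    table.register("bob@example.edu", "/C=US/O=Example Campus/OU=Chemistry/CN=Bob Example")
    return NameMapper(NameMapFile(NAME_MAP_FILE), table)


if __name__ == "__main__":
    mapper = build_demo_mapper()
    for dn in ("/C=US/O=Example Campus/OU=Physics/CN=Alice Example",
               "/C=US/O=Example Campus/OU=Chemistry/CN=Bob Example",
               "/C=US/O=Example Campus/CN=Nobody"):
        print(dn, "->", mapper.map(dn))
```

Two points a deployer should keep in mind. The registry only makes sense behind two authentications: the Shibboleth SP login that establishes the principal, and the GSI handshake that proves the user actually holds the key for the cert being registered; the mapping layer itself trusts both and just stores the result. And because the binding is keyed on the DN string alone, two CAs trusted by the Grid SP that issue the same DN would collide; keying on (issuer, subject) is the usual hardening.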

18 GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users
- The GridShib CA is protected by a Shib SP and back-ended by the MyProxy Online CA
  - Or a local OpenSSL-based CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
  - Short-lived EEC, similar to MyProxy-CA or KCA
- Credentials are downloaded to the desktop via Java Web Start

19 GridShib-myVocs Integration
- myVocs (UAB; Gemmill, Robinson)
- myVocs allows for VOs based on Shibboleth identities
- GridShib authorizes use of Grid services based on Shibboleth identities
- Integration allows for the creation and management of Grid VOs based on Shibboleth

20 Deployment Scenarios

21 Shibboleth-authenticated Grid Access
[Diagram: the campus Shibboleth IdM system (or a third-party IdP such as ProtectNetwork.com or OpenIdP.org) releases the user's ePPN to the GridShib CA; the GridShib CA, backed by MyProxy, issues a short-lived EEC as the Grid credential, which the user presents to a service running GridShib for GT.]

22 Shibboleth-authorized Grid Access
[Diagram: GridShib for Shibboleth at the IdP supplies the user's attributes; the GridShib CA supplies the Grid credential; GridShib for GT at the Grid service consumes both to make the authorization decision.]

23 Community Access via Science Gateway
[Diagram: the user authenticates to a web portal; GridShib for Shibboleth supplies the user's attributes; the portal uses the GridShib SAML Tools to carry those attributes in its Grid requests to services running GridShib for GT.]

24 Next Release: Attribute Push
- Turning to attribute push
- Our observation is that most Grid use cases want:
  - Persistent ID from the home institution
  - Attributes from the VO
- The Shib/X.509 gateway is a natural point to collect attributes from the home institution, combine them with VO attributes, and push them to the Grid
  - The gateway could be the GridShib CA or a domain portal, e.g. a TeraGrid Science Gateway
- Planned for January '07
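What the gateway has to get right when it combines the two attribute sources, as an added example that is not GridShib code. The gateway holds attributes from the user's home IdP and from a VO attribute authority and pushes both to the Grid SP; the example keeps each attribute tagged with the issuer that asserted it and emits one SAML 1.1 assertion per issuer, so the SP can apply different trust to campus and VO statements and a VO cannot push its own ePPN for a campus user. The assertions are unsigned here (in the GridShib design the SAML Tools bind them into the X.509 credential, so the CA's signature covers them); the issuer URLs, attribute values and the home-only policy are assumptions of this example.

```python
"""Attribute push at a Shib/X.509 gateway.

Added example, not GridShib code.  A gateway (GridShib CA or a portal) holds
attributes from the user's home IdP and from a VO attribute authority and
pushes both to the Grid SP.  Each attribute stays tagged with the issuer
that asserted it, and one unsigned SAML 1.1 Assertion is emitted per
issuer.  Issuer names, attribute values and the home-only rule are assumed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Tuple

SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"

# Policy of this example (not a GridShib rule): only the home institution may
# say who the user is; a VO may only assert membership or entitlement.
HOME_ONLY = {EPPN}

Attrs = Dict[str, List[str]]                 # attribute name -> values
Tagged = List[Tuple[str, str, List[str]]]    # (issuer, name, values)


def merge_attributes(home: Attrs, home_issuer: str, vo: Attrs, vo_issuer: str) -> Tagged:
    """Combine campus and VO attributes without losing provenance, refusing
    a VO claim about an attribute reserved to the home institution."""
    merged: Tagged = [(home_issuer, name, list(values)) for name, values in home.items()]
    for name, values in vo.items():
        if name in HOME_ONLY:
            raise ValueError(f"{vo_issuer} may not assert {name}")
        merged.append((vo_issuer, name, list(values)))
    return merged


def build_assertions(tagged: Tagged, subject_dn: str) -> str:
    """Serialize one unsigned SAML 1.1 Assertion per issuer, each carrying
    that issuer's attributes in an AttributeStatement about the same DN."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element("Attributes")  # plain container for the push, not SAML
    by_issuer: Dict[str, List[Tuple[str, List[str]]]] = {}
    for issuer, name, values in tagged:
        by_issuer.setdefault(issuer, []).append((name, values))
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    for i, (issuer, attrs) in enumerate(by_issuer.items()):
        assertion = ET.SubElement(root, f"{{{SAML_NS}}}Assertion", {
            "MajorVersion": "1", "MinorVersion": "1",
            "AssertionID": f"_{i}", "Issuer": issuer, "IssueInstant": now})
        stmt = ET.SubElement(assertion, f"{{{SAML_NS}}}AttributeStatement")
        subj = ET.SubElement(stmt, f"{{{SAML_NS}}}Subject")
        ET.SubElement(subj, f"{{{SAML_NS}}}NameIdentifier", {
            "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
        }).text = subject_dn
        for name, values in attrs:
            attr = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute",
                                 {"AttributeName": name, "AttributeNamespace": ATTR_NS})
            for value in values:
                ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def attributes_by_issuer(xml_text: str) -> Dict[str, Attrs]:
    """SP side: read back issuer -> {attribute name -> values}.  A real SP
    would accept an issuer only if it appears in its SAML metadata."""
    out: Dict[str, Attrs] = {}
    for assertion in ET.fromstring(xml_text).findall(f"{{{SAML_NS}}}Assertion"):
        attrs = out.setdefault(assertion.get("Issuer"), {})
        for attr in assertion.iter(f"{{{SAML_NS}}}Attribute"):
            attrs[attr.get("AttributeName")] = [
                v.text for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
    return out


HOME_IDP = "https://idp.example.edu/shibboleth"   # assumed issuer names
VO_AA = "https://vo.example.org/myvocs"


def demo_push() -> Dict[str, Attrs]:
    """Constructed gateway run: campus identity plus VO entitlement."""
    home = {EPPN: ["alice@example.edu"], AFFILIATION: ["member", "faculty"]}
    vo = {ENTITLEMENT: ["urn:mace:example.org:vo:climate:member"]}
    tagged = merge_attributes(home, HOME_IDP, vo, VO_AA)
    return attributes_by_issuer(
        build_assertions(tagged, "/C=US/O=Example Campus/OU=Physics/CN=Alice Example"))


if __name__ == "__main__":
    for issuer, attrs in demo_push().items():
        print(issuer, attrs)
```

Keeping the issuer on every attribute is the point: once the gateway flattens campus and VO attributes into one anonymous set, the Grid SP can no longer tell an institution's statement about identity from a VO's statement about membership, and any compromised VO authority becomes a way to mint campus identities.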

25 Attribute Push
[Diagram: the user authenticates to a web portal; GridShib for Shibboleth supplies the home-institution attributes; the portal adds its local attributes and, using the GridShib SAML Tools, pushes the combined attributes with its Grid requests to services running GridShib for GT.]

26 TeraGrid Testbed
Testbed for federated identity management and attribute-based authorization, building on Shibboleth and GridShib. Goals:
- Allow for scalable access by leveraging campus authentication; remove the IdM burden from TeraGrid
- Allow for attribute-based authorization to define communities
- Ease of use for users: no management of long-term Grid credentials
- Interoperability with OSG and others

27 GridShib Plans
- December '06: 0.5 release
  - Bug fixes and cleanup from the nanoHUB engagement
- December '06: finish TeraGrid testbed planning
- January '07: 0.6 release
  - Attribute push
- January-May '07: TeraGrid testbed
  - Bug fixes as they arise
  - Evaluation of technology, gap analysis
  - Focus seems to be on portal efforts at this point

28 Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid
  - Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under the Apache 2 license
For more information and software:

29 Questions?

