Presentation is loading. Please wait.

Presentation is loading. Please wait.

NSF Middleware Initiative: GridShib

Published byKaren McGee Modified over 5 years ago

Similar presentations

Presentation on theme: "NSF Middleware Initiative: GridShib"— Presentation transcript:

1 NSF Middleware Initiative: GridShib
Tom Barton University of Chicago

2 NSF Middleware Initiative (NMI) Grant: Policy Controlled Attribute Framework
What: shibbolize NMI Grids We call it “GridShib” Participants Von Welch, UIUC/NCSA (PI) Kate Keahey, UChicago/Argonne (PI) Frank Siebenlist, Argonne Tom Barton, UChicago 2 years starting December 1, 2004 Coordination already established with related JISC-funded project at Oxford I2MM Fall 2004

3 Critical mass of impending need
Two types of grid use cases: Large grid, far-flung participants, several types of roles among them Examples: NEESgrid, Earth System Grid, TeraGrid, Grid3 (GriPhyN, iVDGL, and PPDG) Grid-mapfile approach doesn’t scale Centralized access to campus grid resources for research computing Examples: UChicago, USC, UAB I2MM Fall 2004

4 Enterprise middleware value proposition fits VOs too
Leverage Identity Provider operations at participants’ home organizations rather than duplicate Identity Provider activities within each Virtual Organization Participants use familiar home-issued credentials Ease resource provider’s burden by removing need to act as an Identity Provider too Overall security & auditability is improved by locating these support functions with IT staff tasked specifically for such purposes I2MM Fall 2004

5 Time is finally right Others are now trying non-browser-based shibbolization approaches roughly analogous to what we envision Shibboleth & SAML have shown how to authorize the anonymous user Sufficiently abstracted security related interfaces & services provided by NMI Grid componentry Plug: all code elements in prospective solution are NMI components. We’re building on work of many people over 3+ years. I2MM Fall 2004

6 Grid-Shib integration essentials
Design principles No modification to typical grid client applications No change to shibboleth’s model of administrative and end-user maintenance of attribute release policies Leverage high-quality campus Identity Provider operations Accommodations for Grid shibbolization Identity Provider Discovery (pull models) Basic sequence of events (push models) Use of an identifer in X.509 certificate as a subject handle for use by the Attribute Authority I2MM Fall 2004

7 Project activities Gather use cases and requirements
Extend and test Globus Toolkit, GridLogon, and Shibboleth Attribute Authority to enable 4 modes of operation User identified, attributes pulled User identified, attributes pushed User pseudonymous, attributes pulled User pseudonymous, attributes pushed I2MM Fall 2004

8 Highlighted elements of potential solution
Globus Toolkit 4.0’s support of WSRF (Web Services Resource Framework) Transportable End Point References, used to identify Attribute Authority and grid resource to each other GridLogon extensions Itself an extension of MyProxy Integrate with local authentication service Cryptographically bind identified & anonymous X.509 certificate pairs I2MM Fall 2004

9 User pseudonymous, attributes pulled
I2MM Fall 2004

10 Timeline December 1, 2004: formal start Year 1 Year 2
Basic integration: code supporting pull model with user identified Year 2 Advanced integration: code supporting push and user pseudonymity I2MM Fall 2004

11 Bigger picture proposition
Middleware value proposition applies to common infrastructure enabling run-time VO security services … Identity management systems Authentication services & certificate authorities Attribute services like the Shibboleth Attribute Authority … and potentially to common infrastructure for managing VO privileges & groups VOMS CAS Permis Signet Grouper I2MM Fall 2004

Download ppt "NSF Middleware Initiative: GridShib"

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.

Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Knowledge Environments for Science: Representative Projects Ian Foster Argonne National Laboratory University of Chicago

Knowledge Environments for Science: Representative Projects Ian Foster Argonne National Laboratory University of Chicago
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.

GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.

I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.

GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Similar presentations

Ads by Google