GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,


1 GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

2 Goals
- Allow users to use existing campus IdM systems to authenticate to the Grid
- Assume Shibboleth everywhere
- Allow Grid access to campus attributes
- Hide as much of X.509 from users as possible
Sep 11-12, 2006 GGF 18

3 Previous Work (from GGF 16)
- Integration of Shibboleth AA with GT: GT can query the Shib AA, get attributes and use those attributes to make authz decisions
- Drop-in addition to GT 4.0 and Shibboleth 1.3
- Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
- GridShib-CA
- Beta release publicly available
- Expect to officially release in GT 4.1/4.2

4 Shib Authorization in GT
- Currently have simple authorization mechanisms:
  - List of attributes required to use a service or container
  - Mapping of attributes to a local identity for GRAM job submission

5 Recent Work: Authn Assertions in Certificates
- IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
  - Provides a pointer to the IdP and the NameID to use
- Big picture: it lets the credential issuer control the name binding
  - Allows the certificate issuer to tell the Grid Service what IdP (AA) to contact and what name (with Format and qualifier) to use
  - Allows use of a standard AA, as it doesn't have to be involved in X.509 anymore
- Also allows trusted EECs to put identity into a first-level proxy certificate
  - Intended for Grid Portals and Science Gateways

6 nanoHUB (diagram; labels: nanoHUB Portal, AA, User authenticates to portal, X.509 w/SAML Authn, SAML Attribute Query)

7 myVocs integration
- Collaboration with Jill Gemmill and John-Paul Robinson, U. Alabama-Birmingham
- myVocs allows for formation of Shibboleth-based VOs
- Coupling with GridShib allows myVocs-based VOs to access Grid Resources

8 GridShib-myVocs Integration (diagram; labels: GridShib CA)

9 User Registers with myVocs (diagram; labels: Identity, GridShib CA, Auth; speaker note: mention this is a one-time event)

10-12 (diagram-only slides, no text)

13 VO Admin Adds User to VO (diagram; labels: VO attributes, GridShib CA)

14 Grid Logon (diagram; labels: Identity, Auth, Grid Creds., GridShib CA; speaker note: a user with existing credentials could also go to the Grid credential registry)

15-18 (diagram-only slides, no text)

19 Grid Service Invocation (diagram; labels: GridShib CA, VO Attributes, Grid Id, Grid Creds.; speaker note: a user with existing credentials could also go to the Grid credential registry)

20-21 (diagram-only slides, no text)

22 Future Plans: Attribute Push
- Turning to attribute push
- Our observation is that most Grid use cases want:
  - Persistent Id from the Home Institution
  - Attributes from the VO
- The Shib/X.509 Gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
- The push model seems to be easier: Shib2, VOMS, CAS

23 Attribute-push mode
- User authenticates to the Portal (could be the GridShib-CA)
- Portal gathers up Shibboleth-issued attributes
- Combines them with VO-issued attributes
- Pushes attributes in the X.509 certificate, including the original Shibboleth Assertions
- Can include the Authn assertion if the Grid service wants to query for more

24 SAML/X509 Binding Specification
- SAML V1.1 Profiles for X.509 Subjects
- Includes the following profiles:
  - X.509 SAML Subject Profile
  - SAML Assertion Profile for X.509 Subjects
  - SAML Attribute Query Profile for X.509 Subjects
  - SAML Attribute Self-Query Profile for X.509 Subjects
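As an added example (not code from the GridShib project or this deck), the relying-party side of slides 5 and 24: a Grid service reads the SAML 1.1 authentication assertion embedded in a certificate, checks its Conditions window, takes the NameQualifier as the pointer to the IdP/AA and the NameIdentifier (with Format) as the name to use, and builds the SAML 1.1 AttributeQuery for that subject. The assertion text, the issuer and IdP entity IDs, the handle value and the service URL are constructed placeholders; signature verification and decoding of the certificate extension that carries the assertion are assumed to happen before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.x protocol namespace
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed sample of the authn assertion a certificate issuer would embed.
# Issuer, IdP entity ID and the NameIdentifier value are made-up placeholders.
EMBEDDED_AUTHN_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1"
    MinorVersion="1" AssertionID="_a1" Issuer="https://ca.example.org/gridshib-ca"
    IssueInstant="2006-09-11T10:00:00Z">
  <saml:Conditions NotBefore="2006-09-11T10:00:00Z" NotOnOrAfter="2006-09-11T22:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationInstant="2006-09-11T10:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.edu/shibboleth">_hx3k9</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(s):
    """Parse a SAML UTC timestamp (trailing 'Z') into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_authn_pointer(xml_text, now_iso):
    """Return (idp, name, format) from the embedded assertion, or None when the
    Conditions window does not contain now_iso. The NameQualifier is the pointer
    to the IdP/AA the Grid service should contact; the NameIdentifier is the name
    the certificate issuer bound to the certificate subject."""
    root = ET.fromstring(xml_text)
    cond = root.find(f"{{{SAML}}}Conditions")
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return None
    nid = root.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None or not nid.text:
        return None
    return nid.get("NameQualifier"), nid.text, nid.get("Format")


def build_attribute_query(idp, name, fmt, resource):
    """Build the SAML 1.1 AttributeQuery the Grid service sends to that IdP's AA,
    naming the subject exactly as the certificate issuer bound it."""
    q = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=resource)
    nid = ET.SubElement(ET.SubElement(q, f"{{{SAML}}}Subject"),
                        f"{{{SAML}}}NameIdentifier", Format=fmt, NameQualifier=idp)
    nid.text = name
    return ET.tostring(q, encoding="unicode")
```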

25 More Information
http://gridshib.globus.org
Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, Gridshib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006.
GridShib is a project funded by the NSF Middleware Initiative (NMI awards and )
dev.globus incubator:

