Presentation is loading. Please wait.

Presentation is loading. Please wait.

TeraGrid 08 The Third Annual TeraGrid Conference

Published byΣωφρονία Παπαντωνίου Modified over 5 years ago

Similar presentations

Presentation on theme: "TeraGrid 08 The Third Annual TeraGrid Conference"— Presentation transcript:

1 TeraGrid 08 The Third Annual TeraGrid Conference
Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications June 9–13, 2008

2 Tutorial: Building Science Gateways
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications June 9, 2008

3 Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications June 11, 2008

4 Science Gateways Working Group Session
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch National Center for Supercomputing Applications June 12, 2008

5 Tutorial: Building Science Gateways
TeraGrid 08 Tutorial: Building Science Gateways Mon, 8:00am–12:00pm Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways Wed, 5:30–6:30pm Poster Session: A Federated Identity Model for Science Gateways Wed, 6:30–8:30pm Science Gateways Working Group Session Thu, 3:00–4:30pm

6 Grid Security Infrastructure (GSI)

7 GSI relies heavily on X.509 proxy certificates
Grid Authentication Traditionally, grid authentication has been via trusted X.509 identity certificates GSI relies heavily on X.509 proxy certificates A proxy cert is a short-lived certificate signed by the user’s identity certificate Multiple GSI authentication mechanisms: GSI Transport (SSL/TLS) GSI Secure Message (WS-Security) GSI Secure Conversation (WS-SecureConversation)

8 The Classic Grid Use Case
A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.

9 Issue a Proxy Certificate
grid-proxy-init X.509 End Entity Cred Issuer: Certification Authority Subject: End User X.509 Proxy Credential Issuer: End User Subject: End User+ Key Key myproxy-logon

10 Classic GSI GT4 Client GT4 Server Java WS Container Globus WS Client
Globus Web Service X.509 proxy certificate X.509 proxy credential Gridmap Key

11 Identity-based Access Control
The distinguished name (DN) in the proxy certificate is used as a basis for coarse-grained access control If the subject DN is in an access control list called a gridmap file, access is allowed A gridmap file also maps DNs to usernames Associated with each DN are zero or more local usernames GRAM, for example, requires a local account in which to run a job request

12 The gridmap has a flat file format: DN → [user0, user1, …, usern-1]
Gridmap File The gridmap has a flat file format: DN → [user0, user1, …, usern-1] The gridmap has dual functions: Authorization Policy Username Mapping Policy A single gridmap file serves both functions Identity-based gridmap files trade off flexibility and scalability for simplicity DN1 username1 DN2 username2

13 GridShib-enabled GSI

14 GridShib software allows Globus Toolkit and Shibboleth to interoperate
GridShib Project The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids GridShib software allows Globus Toolkit and Shibboleth to interoperate Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service The current emphasis is on browser users and attribute push, specifically, the TeraGrid Science Gateway Use Case

15 GridShib for Shibboleth GridShib CA GridShib SAML Tools
GridShib Software GridShib for GT Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed. GridShib for Shibboleth Responds to attribute queries from GridShib for GT. GridShib CA Issues short-lived X.509 credentials to browser users. GridShib SAML Tools Issue or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.

16 GridShib for Shibboleth GridShib CA GridShib SAML Tools
GridShib Software GridShib for GT Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed. GridShib for Shibboleth Responds to attribute queries from GridShib for GT. GridShib CA Issues short-lived X.509 credentials to browser users. GridShib SAML Tools Issue or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.

17 GS-ST is a SAML producer
GridShib SAML Tools The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools Binds a SAML assertion to an X.509 proxy certificate The same X.509-bound SAML token can be transmitted at the transport level or the message level (using WS-Security X.509 Certificate Token Profile) Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens GS-ST is a SAML producer

18 Easily installed and configured
GS-ST Features Easily installed and configured Binds arbitrary content (not just SAML) to a non-critical certificate extension Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1) CLI with shell scripts (UNIX and Windows) Includes a Java API for portal developers Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1

19 Bind a SAML assertion to a non-critical X.509 v3 certificate extension
GS-ST Function Bind a SAML assertion to a non-critical X.509 v3 certificate extension We call this an X.509-bound SAML token

20 grid-proxy-init X.509 Proxy Credential X.509 Community Cred
Issuer: Science Gateway Subject: Science Gateway+ X.509 Community Cred Issuer: TeraGrid CA Subject: Science Gateway Key Key

21 gridshib-saml-issuer
grid-proxy-init X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X.509 Community Cred Issuer: TeraGrid CA Subject: Science Gateway Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : Key <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> gridshib-saml-issuer Key

22 The SAML token is bound to a noncritical X.509v3 certificate extension
X.509-bound SAML Token GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attributed-based authorization in X.509-based Grids The SAML token is bound to a noncritical X.509v3 certificate extension X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Key

23 WS-Security Token Profiles
OASIS WS-Security Technical Committee WSS X.509 Certificate Token Profile [1] WSS SAML Token Profile Globus implements the former We define a new token type: X.509-bound SAML Token An implementation of [1] automatically handles X.509-bound SAML tokens No new wire protocols are needed!

24 Security Tokens X.509 Token SAML Token http://gridshib.globus.org/
SOAP Envelope SOAP Envelope SOAP Header SOAP Header X.509 certificate SAML assertion SOAP Body SOAP Body

25 Security Tokens X.509-bound SAML Token X.509 Token SAML Token
SOAP Envelope SOAP Envelope SOAP Envelope SOAP Header SOAP Header SOAP Header X.509 certificate X.509 certificate SAML assertion SAML assertion SOAP Body SOAP Body SOAP Body

26 a SAML assertion to a proxy certificate and initiates a grid request
GridShib-enabled GSI A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf

27 GridShib for GT (GS4GT) is a plug-in for GT 4.x
GS4GT is compatible with both GT 4.0 and 4.2 GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids GS4GT is a SAML consumer Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids

28 Introduces attribute-based authorization into GT
GS4GT Features Introduces attribute-based authorization into GT Exposes a single comprehensive policy decision point called the GridShibPDP Implements an attribute push model Restricts access based on blacklists of IP addresses and/or name identifiers Provides attribute-based account mapping Supports optional gridmap short-circuiting Defines an attribute-based authorization policy language (in XML)

29 GridShib-enabled GSI GT4 Client GT4 Server http://gridshib.globus.org/
Java WS Container (with GridShib for GT) Globus WS Client GridShib SAML PIP Globus Web Service proxy certificate SAML GridShib SAML Tools proxy credential Security Context SAML Key end entity credential Logs Blacklist Policy Authz Policy Key

30 GS4GT Configuration Files
GridShib SAML Entity Map The SAML Entity Map maps SAML issuers to X.509 issuers A SAML issuer in this file is trusted The SAML Entity Map will be replaced by SAML Metadata (XML) A blacklist is a list of identifiers (SAML identifiers or subject DNs) A user whose identifier is on the blacklist will be denied access The flat file blacklist will be replaced by a database table entityID1 DN1 entityID2 DN2 GridShib Blacklist Policy identifier1 identifier2

31 GridShib Mapping Policy
GS4GT Policy Files DN1 username1 DN2 username2 Globus Gridmap file GridShib Mapping Policy GridShib Authz Policy <XML> <XML>

32 Two separate attribute-based policy files:
GS4GT Policy Files Two separate attribute-based policy files: Authorization Policy [A0, A1, …, Am-1] Username Mapping Policy [A0, A1, …, Am1-1] → [user0, user1, …, usern1-1] [A0, A1, …, Am2-1] → [user0, user1, …, usern2-1] … A single XML-based policy file may encapsulate both types of policies

33 Fine-grained, attribute-based authorization
Summary Fine-grained, attribute-based authorization Introduces X.509-bound SAML tokens Works at both the transport level or the message level No modifications to GT clients are required If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored

34 A Grid Authorization Model for Science Gateways

35 The Science Gateway Use Case
A browser user authenticates to a grid portal.  The portal issues a proxy certificate and initiates a grid request on behalf of the user

36 Classic Science Gateway
A science gateway is a convenient intermediary between a browser user and a grid resource provider. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

37 Classic Science Gateway
Each gateway is issued a community credential that uniquely identifies the gateway. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

38 Classic Science Gateway
Resource providers associate the community credential with a local community account. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

39 Classic Science Gateway
To submit a job, a browser user typically authenticates to the gateway by presenting a username and password. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential community account Key Science Gateway Resource Provider

40 Classic Science Gateway
The gateway then issues a short-lived proxy credential signed by its community credential. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service community credential proxy credential community account Key Key Science Gateway Resource Provider

41 Classic Science Gateway
The gateway submits the job on the user’s behalf, authenticating as itself to the resource. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate community credential proxy credential community account Key Key Science Gateway Resource Provider

42 Classic Science Gateway
The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate community credential proxy credential community account Key Key Science Gateway Resource Provider

43 Classic Science Gateway
After the job is executed, the result is returned to the browser user via the gateway web interface. Web Browser Web Authn Web Interface Java WS Container Webapp WS GRAM Client WS GRAM Service proxy certificate community credential proxy credential community account Key Key Science Gateway Resource Provider

44 Community Account Model: The Good
The Community Account Model simplifies the user experience simplifies gateway implementation and deployment simplifies gridmap file management at the RP A community credential is issued to each gateway A single community account is created at the RP The gateway issues proxy certificates and makes grid requests on behalf of the user

45 Community Account Model: The Bad
The community account model has some significant drawbacks, however: End user identity is unknown to the RP Course-grained access control at the resource (by design) Awkward approach to auditing and incident response In the event of an emergency, the RP is forced to disable all access to the community account Less than adequate accounting mechanisms All this can be traced to a single problem…

46 Community Account Model: The Ugly
All requests look exactly the same to the resource provider! If the gateway would only pass the user’s name and contact information to the resource provider, all previously mentioned problems would be solved

47 Grid Authorization Model
We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider Extends the Community Account Model Asserts end user identity to the RP Permits fine-grained access control at the RP Provides strong auditing and effective incident response Allows dynamic blacklisting of problem accounts or runaway processes A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure Complements existing SAML-based middleware infrastructure on today's campuses

48 Grid Authorization Model
The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider Using GridShib SAML Tools, the gateway issues a SAML assertion containing the user's authentication context and attributes binds the SAML assertion to a proxy certificate signed by the community credential authenticates to the resource by presenting the SAML-laden proxy certificate

49 + = <saml:Assertion> <saml:NameID> trscavo
X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> + = Key X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Key

50 GridShib-enabled Science Gateway
A browser user authenticates to a grid portal.  The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.

51 Grid Authorization Model for Gateways
An enhancement to the community account model increases the information flow between the gateway and the resource provider. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

52 Grid Authorization Model for Gateways
A software component called GridShib SAML Tools is integrated into the gateway portal environment. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

53 Grid Authorization Model for Gateways
Another software component called GridShib for GT is deployed at the resource provider. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

54 Grid Authorization Model for Gateways
These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

55 Grid Authorization Model for Gateways
Again the browser user authenticates to the gateway by presenting a username and password. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

56 Grid Authorization Model for Gateways
This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools proxy credential SAML Key community credential Key Science Gateway Resource Provider

57 Grid Authorization Model for Gateways
The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., ). Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service X.509 Proxy Credential Issuer: Science Gateway Subject: Science Gateway+ X509v3 extension: : username GridShib SAML Tools proxy credential SAML Key community credential Key <saml:Assertion> <saml:NameID> trscavo </saml:NameID> </saml:Assertion> Science Gateway Resource Provider Key

58 Grid Authorization Model for Gateways
The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential SAML Key community credential Key Science Gateway Resource Provider

59 Grid Authorization Model for Gateways
The GridShib SAML policy information point (PIP) extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential SAML Key community credential Logs Key Science Gateway Resource Provider

60 Grid Authorization Model for Gateways
The security information in the SAML token is also used to populate a SAML security context within the container. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Key Science Gateway Resource Provider

61 Grid Authorization Model for Gateways
The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Blacklist Policy Key Science Gateway Resource Provider

62 Grid Authorization Model for Gateways
The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Blacklist Policy Authz Policy Key Science Gateway Resource Provider

63 Grid Authorization Model for Gateways
As before, after the service executes the job, the result is returned to the browser user via the gateway web interface. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML username GridShib SAML Tools proxy credential Security Context SAML Key community credential Logs Blacklist Policy Authz Policy Key Science Gateway Resource Provider

64 GridShib-enabled Science Gateway
Simple installation and configuration of GridShib SAML Tools at the gateway Includes GridShib Security Framework Exposes both a command-line interface and a Java API End user identity and contact information (e.g., ) transmitted to RP Push much of the responsibility for auditing and incident response back onto the RP Big Advantage: No need to shut down the entire gateway in the event of an incident!

65 Subject name identifier: Authentication statement
User Attributes Gateway entityID: Subject name identifier: Authentication statement authentication method: urn:oasis:names:tc:SAML:1.0:am:password authentication instant: T12:10: IP address: Attribute statement isMemberOf attribute: group://gisolve.org/gisolve mail attribute:

66 GridShib-enabled Resource Provider
The end user and the end user’s contact information (and other attributes) are logged Effective auditing and incident response Blacklist an IP address or name identifier on demand Exposes a SAML security context Fine-grained, attribute-based access control

67 Virtual Organization Membership Service
Comparison with VOMS Virtual Organization Membership Service The most successful grid authorization model today VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates VOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subject Therefore, a gateway can not call out to a VOMS server to obtain attributes for a user Conclusion:  VOMS can not be used as a basis for gateway security

68 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

69 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

70 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) First, the security context associated with each incoming request is captured in a security table. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

71 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) Likewise the disposition of every job request is captured in an enhanced GRAM audit table. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

72 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

73 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

74 Integration with TeraGrid Central Database
Resource Provider Java WS Container (with GridShib for GT) TeraGrid adminstrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning. GridShib SAML PIP WS GRAM Service Security Context Logs Policy AMIE upload Security table GRAM audit table TGCDB

75 Gateway Job Accounting
TeraGrid Resource Provider (RP) -No Changes required to AMIE -DAI provides virtualization for audit and accounting DBs GT4 Java Container Core Audit Table Core Deleg Audit Table Delegation Diagram courtesy of Stu Martin RFT Audit Table RFT Client / Gateway ** sudo Create Job Get EPR RM adapter Control Job with EPR MJFS Resource Manager RM log - Query Using Grid JID MEJS ** SEG GRAM Audit Table - Reply with Accounting record RM Accounting User Job(s) OGSA DAI GET UNIQUE USER ID + Local AMIE Accounting ** Locally convert EPR to Grid JID AMIE upload Central TG Accounting DB

76 Benefits of TGCDB Integration
The gateway can query the TGCDB (via OGSA-DAI) and implement local, fine-grained accounting mechanisms TeraGrid administrators can obtain aggregate accounting data for NSF reporting and planning

77 TeraGrid Deployment Strategy
GridShib SAML Tools at the Gateway GridShib for GT at the RP Integrate GS4GT into CTSS4 Integrate with TeraGrid Central Database Retrofit GRAM 4.0 Audit with end user identity Assist with the design and implementation of GRAM 4.2 Audit (in particular, the security table)

78 A Federated Identity Model for Science Gateways

79 Federated Identity The long term vision is to introduce federated identity at the science gateway Shibboleth, an open-source implementation of the SAML Browser Profiles, provides: Ubiquity Manageability Usability Security Since Shibboleth is based on SAML, our model complements existing campus infrastructure

80 Science Gateway Resource Provider
It is well-known that password management at the gateway is a significant administrative burden for both the gateway and the end user. Web Browser Web Authn Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools community credential Key Science Gateway Resource Provider

81 SAML Identity Provider
To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing side of the gateway. Web Authn Web Browser SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

82 SAML Identity Provider
A third-party Identity Provider on each campus manages user identity and credentials. Web Authn Web Browser SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

83 SAML Identity Provider
The gateway, which is protected by a Service Provider, trusts the Identity Provider to authenticate the browser user. Web Authn Web Browser SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

84 SAML Identity Provider
Since we’re already invested in SAML on the back end, we prefer an implementation of the standard SAML browser profiles (such as Shibboleth). Web Authn Web Browser SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

85 SAML Identity Provider
Web Authn A browser user authenticates to their preferred campus Identity Provider instead of the science gateway. Web Browser SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

86 SAML Identity Provider
SAML Assertion Web Authn The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser. Web Browser SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

87 SAML Identity Provider
SAML Assertion Web Authn The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password. Web Browser SAML Assertion SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools Science Gateway Resource Provider

88 SAML Identity Provider
SAML Assertion Web Authn The gateway issues a combined SAML token containing both campus attributes and local attributes. Web Browser SAML Assertion SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service username GridShib SAML Tools proxy credential SAML+ Key community credential Key Science Gateway Resource Provider

89 SAML Identity Provider
SAML Assertion Web Authn The gateway authenticates as itself to the resource provider, presenting the combined X.509-bound SAML token. Web Browser SAML Assertion SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML+ username GridShib SAML Tools proxy credential SAML+ Key community credential Key Science Gateway Resource Provider

90 SAML Identity Provider
SAML Assertion Web Authn Since the gateway did not authenticate the end user directly, the resource provider must decide if it trusts the combined SAML token. Web Browser SAML Assertion SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML+ username GridShib SAML Tools proxy credential Security Context SAML+ Key community credential Logs Key Science Gateway Resource Provider

91 SAML Identity Provider
SAML Assertion Web Authn In the case of federated identity, access control policy at the resource provider is more complex since a third security domain is involved. Web Browser SAML Assertion SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML+ username GridShib SAML Tools proxy credential Security Context SAML+ Key community credential Logs Blacklist Policy Authz Policy Key Science Gateway Resource Provider

92 SAML Identity Provider
SAML Assertion Web Authn SAML Web Browser SSO closes the loop for complete end-to-end flow of security information Web Browser SAML Assertion SAML Service Provider Web Interface Java WS Container (with GridShib for GT) attributes Webapp WS GRAM Client GridShib SAML PIP WS GRAM Service proxy certificate SAML+ username GridShib SAML Tools proxy credential Security Context SAML+ Key community credential Logs Blacklist Policy Authz Policy Key Science Gateway Resource Provider

93 Federated Identity Model for Gateways
TeraGrid Science Gateway B C SAML Assertion X.509 proxy credential SAML Key X.509 proxy certificate SAML Shib-enabled Grid Portal GridShib-enabled Grid Client response response X.509 end entity credential GridShib-enabled Grid SP Key Browser A D SAML Request SAML Request X.509 Shibboleth SSO Service GridShib-enabled Attribute Service SAML Assertion SAML Assertion Shibboleth Identity Provider

94 Birds-of-a-Feather Session

95 Is your gateway infrastructure built on a JEE portal framework?
If so, which one? If not, what application server do you use?

96 If not, describe your security framework.
Is your gateway security framework built on the community credential model? If not, describe your security framework.

97 If not, is the community credential stored in the file system?
Do you use MyProxy? If not, is the community credential stored in the file system?

98 In your application server environment, how easy is it to obtain the following information:
Username Authentication instant IP address address Does your portal framework provide an API to obtain this information or do you have to query a database?

99 Does your gateway control its own DNS domain?
If not, what is the URL of your gateway? [relate this to "scope"]

100 Original Project PIs Developers Acknowledgments
Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist Developers Rachana Ananthakrishnan, Jim Basney, Tim Freeman, Raj Kettimuthu, Terry Fleury, Tom Scavo The GridShib work was funded by the NSF National Middleware Initiative (NMI awards and ). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF. The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

101 GridShib http://gridshib.globus.org/
Thank you! GridShib

Download ppt "TeraGrid 08 The Third Annual TeraGrid Conference"

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.

X509-bindings-profiles-sep061 Bindings and Profiles for Attribute-based Authz in the Grid Tom Scavo NCSA.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr.

Attribute-based Authentication for Gateways Jim Basney Terry Fleury Stuart Martin JP Navarro Tom Scavo Jon Siwek Von Welch Nancy Wilkins-Diehr.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.

GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.

Similar presentations

Ads by Google