
1 GridShib Project Update
Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2
1 University of Chicago
2 NCSA/University of Illinois

2 Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

3 What is GridShib?
- GridShib enables secure attribute sharing among Grid virtual organizations and higher-education institutions
- The goal of GridShib is interoperability between the Globus Toolkit® and Shibboleth®
- GridShib adds attribute-based authorization to the Globus Toolkit

4 Some Background
- Large scientific projects have spawned Virtual Organizations (VOs)
- The cyberinfrastructure and software systems that support VOs are called grids
- The Globus Toolkit is the de facto standard software solution for grids
- The Grid Security Infrastructure (GSI) provides basic security services for grids

5 Grid Authentication
- The Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
- GridShib leverages the existing authentication mechanisms in GT

6 Grid Authorization
- Today, the Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
- PERMIS and VOMS
- GridShib provides attribute-based authorization based on Shibboleth

7 GridShib Project Motivation
- VOs are difficult to manage
  - Goal: leverage existing identity management infrastructure
- Identity-based access control methods are inflexible and do not scale
  - Goal: use attribute-based access control
- Solution: leverage Shibboleth with the Globus Toolkit!

8 GridShib Use Cases
- Three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
- Initial efforts concentrated on the non-browser use cases
- Current efforts are focused on the portal grid user

9 Established Grid User
- User possesses an X.509 end-entity certificate
- User may or may not use a MyProxy server to manage X.509 credentials
- User authenticates to the Grid SP with a proxy certificate
- The current GridShib implementation addresses this use case

10 New Grid User
- User does not possess an X.509 end-entity certificate
- User relies on the GridShib CA to obtain short-lived X.509 certificates
- User authenticates to the Grid SP using the short-lived X.509 credential
- The myVocs-GridShib integration addresses this use case

11 Portal Grid User
- User does not possess an X.509 certificate
- A browser user authenticates to a Grid Portal (which may or may not be Shib-enabled)
- The user delegates to the Grid Portal the right to request a service at the Grid SP
- The Grid Portal authenticates to the Grid SP using its "community credential"

12 Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

13 Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth
  - Includes GridShib Certificate Registry
- GridShib Certificate Authority
- GridShib Authentication Assertion Client
- Shibboleth IdP Tester
- Globus SAML Library (not distributed)

14 GridShib for Globus Toolkit
- GridShib for Globus Toolkit is a plugin for GT 4.0 (or later)
- Features:
  - Standalone attribute requester
  - SAML attribute consumption
  - Attribute-based access control
  - Attribute-based local account mapping
  - SAML metadata consumption

15 GridShib for Shibboleth
- GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
- Features:
  - Name Mapper
    - Supports name mappings in both files and tables
  - SAML name identifier implementations
    - X509SubjectName, emailAddress, etc.
  - Certificate Registry
    - Supports the established grid user

16 GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth 0.5: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
- An established grid user authenticates and registers an X.509 end-entity cert
- The Registry binds the cert to the principal name and persists the binding in a database
- On the backend, GridShib maps the DN in a query to a principal name in the DB

17

18 GridShib Authn Assertion Client
- The GridShib Authn Assertion Client is a standalone tool that creates an X.509 proxy certificate with a bound SAML authn assertion
- The client uses the proxy to authenticate to a Grid SP
- The Grid SP queries a Shibboleth AA based on the information in the bound SAML assertion

19 Shibboleth IdP Tester
- The Shibboleth IdP Tester is a tool that queries a Shibboleth AA for attributes
- The IdP Tester can be used to:
  - Test an ordinary Shibboleth AA
  - Test a GridShib-enabled AA
- The IdP Tester installs as a Shib IdP extension (i.e., it does not disturb an existing Shib deployment)

20 GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
- The GridShib CA is protected by a Shib SP and backended by either OpenSSL or the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start

21

22 Globus SAML Library
- GridShib forked the OpenSAML 1.1 source library in Jan 2006
- The Globus SAML Library is kept in sync with OpenSAML 1.1 CVS HEAD
- The Globus SAML Library is bundled with GridShib for GT
- The Globus SAML Library adds new features to OpenSAML 1.1

23 Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

24 GridShib Attribute Pull Profile
- In the "Classic GridShib" profile, a Grid SP "pulls" attributes from a Shib IdP
- The Client is assumed to have an account (i.e., a local principal name) at the IdP
- The Grid SP and the IdP have each been assigned a unique identifier (entityID)
[diagram: Client, Grid SP and IdP, with message steps 1-4]

25 GridShib Attribute Pull Step 1
- The Grid Client requests a service at the Grid SP
- The Client presents an X.509 certificate to the Grid SP
- The Client may provide a pointer to its preferred IdP
  - This is the so-called IdP Discovery problem
[diagram: Client, Grid SP and IdP; step 1 highlighted]

26 GridShib Attribute Pull Step 2
- The Grid SP authenticates the Client and extracts the DN from the proxy cert
- The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier
[diagram: Client, Grid SP and IdP; step 2 highlighted]

27 GridShib Attribute Pull Step 3
- The AA authenticates the requester and maps the DN to a local principal name
- The AA returns an attribute assertion to the Grid SP
  - The assertion is subject to the Attribute Release Policy (ARP) at the IdP
[diagram: Client, Grid SP and IdP; step 3 highlighted]

28 GridShib Attribute Pull Step 4
- The Grid SP parses the attribute assertion and performs the requested service
- The attributes are cached as necessary
- A response is returned to the Grid Client
[diagram: Client, Grid SP and IdP; step 4 highlighted]
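The four pull steps above, plus the Certificate Registry lookup of slide 16, as an added example simulated in one process. This is illustration code written for this page, not GridShib's own implementation: both sides' SAML 1.1 messages are built and parsed with the Python standard library, and the GSI/TLS authentication and XML signature checks of the real exchange are omitted and marked as such in comments. The entityIDs, DNs, principal names, attribute store, ARP and SP policy are all constructed for the example.

```python
"""GridShib attribute pull (slides 16, 24-28), simulated in-process.
Added example, not GridShib code: both sides' SAML 1.1 messages are built and
parsed with the standard library. TLS/GSI authentication and XML signatures are
omitted and marked below. DNs, principals, attributes and the ARP are constructed."""
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:1.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)
FMT_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
IDP_ENTITY_ID = "https://idp.example.edu/shibboleth"   # constructed
SP_ENTITY_ID = "https://gridsp.example.org/gridshib"   # constructed

# ---- IdP side: Certificate Registry, attribute store, ARP (all constructed) ----
REGISTRY = {"CN=Alice Example,OU=People,O=Example University,C=US": "alice"}  # EEC DN -> principal
ATTRIBUTE_STORE = {"alice": {"eduPersonAffiliation": ["member", "staff"],
                             "isMemberOf": ["grid-users"],
                             "mail": ["alice@example.edu"]}}
ARP = {SP_ENTITY_ID: {"eduPersonAffiliation", "isMemberOf"}}  # what this SP may receive

def saml_error(message):
    resp = ET.Element("{%s}Response" % NS["samlp"])
    status = ET.SubElement(resp, "{%s}Status" % NS["samlp"])
    ET.SubElement(status, "{%s}StatusCode" % NS["samlp"], Value="samlp:Requester")
    ET.SubElement(status, "{%s}StatusMessage" % NS["samlp"]).text = message
    return ET.tostring(resp, encoding="unicode")

def aa_handle_query(query_xml, requester_entity_id):
    """Step 3: the AA maps the DN to a principal via the registry, applies the ARP
    and returns an attribute assertion. requester_entity_id stands in for the
    identity the AA would take from the SP's TLS client certificate."""
    nid = ET.fromstring(query_xml).find(".//saml:NameIdentifier", NS)
    if nid is None or nid.get("Format") != FMT_X509:
        return saml_error("unsupported NameIdentifier format")
    principal = REGISTRY.get(nid.text.strip())
    if principal is None:
        return saml_error("subject not registered")
    released = ARP.get(requester_entity_id, set())
    resp = ET.Element("{%s}Response" % NS["samlp"])
    assertion = ET.SubElement(resp, "{%s}Assertion" % NS["saml"], Issuer=IDP_ENTITY_ID)
    stmt = ET.SubElement(assertion, "{%s}AttributeStatement" % NS["saml"])
    subject = ET.SubElement(stmt, "{%s}Subject" % NS["saml"])
    ET.SubElement(subject, "{%s}NameIdentifier" % NS["saml"],
                  Format=FMT_X509, NameQualifier=IDP_ENTITY_ID).text = nid.text
    for name, values in ATTRIBUTE_STORE[principal].items():
        if name in released:               # ARP: unreleased attributes never leave the IdP
            attr = ET.SubElement(stmt, "{%s}Attribute" % NS["saml"], AttributeName=name)
            for value in values:
                ET.SubElement(attr, "{%s}AttributeValue" % NS["saml"]).text = value
    return ET.tostring(resp, encoding="unicode")

# ---- Grid SP side ----
POLICY = {"isMemberOf": {"grid-users"}}   # constructed: any listed value permits access
PROXY_CNS = {"proxy", "limited proxy"}

def normalize_dn(dn):
    """GSI identifies the caller by the end-entity DN: strip the leading proxy RDNs
    (legacy CN=proxy / CN=limited proxy, or RFC 3820 CN=<serial>) of an RFC 2253 string.
    Simplification: escaped commas inside an RDN are not handled."""
    rdns = [r.strip() for r in dn.split(",")]
    while len(rdns) > 1 and rdns[0].startswith("CN=") and (
            rdns[0][3:].isdigit() or rdns[0][3:] in PROXY_CNS):
        rdns.pop(0)
    return ",".join(rdns)

def build_attribute_query(eec_dn):
    """Step 2: query the AA using the DN as a SAML name identifier."""
    req = ET.Element("{%s}Request" % NS["samlp"], MajorVersion="1", MinorVersion="1")
    query = ET.SubElement(req, "{%s}AttributeQuery" % NS["samlp"], Resource=SP_ENTITY_ID)
    subject = ET.SubElement(query, "{%s}Subject" % NS["saml"])
    ET.SubElement(subject, "{%s}NameIdentifier" % NS["saml"], Format=FMT_X509).text = eec_dn
    return ET.tostring(req, encoding="unicode")

def sp_parse_attributes(response_xml):
    """Step 4: collect attributes, but only from assertions issued by the IdP we queried.
    A real SP also verifies the XML signature (omitted here)."""
    attrs = {}
    for assertion in ET.fromstring(response_xml).findall("saml:Assertion", NS):
        if assertion.get("Issuer") != IDP_ENTITY_ID:
            continue
        for attr in assertion.findall(".//saml:Attribute", NS):
            attrs.setdefault(attr.get("AttributeName"), set()).update(
                v.text for v in attr.findall("saml:AttributeValue", NS))
    return attrs

def authorize(attrs):
    return any(attrs.get(name, set()) & allowed for name, allowed in POLICY.items())

def attribute_pull(presented_dn):
    """Steps 1-4 end to end: returns (permitted, released attributes)."""
    response = aa_handle_query(build_attribute_query(normalize_dn(presented_dn)), SP_ENTITY_ID)
    attrs = sp_parse_attributes(response)
    return authorize(attrs), attrs

if __name__ == "__main__":
    print(attribute_pull("CN=12345,CN=Alice Example,OU=People,O=Example University,C=US"))
```

Two checks in this flow are the ones a deployer should not drop: the SP queries by the end-entity DN rather than the proxy DN, otherwise every fresh proxy looks like a new, unregistered user; and the SP only honours assertions whose Issuer is the IdP it actually queried, since the ARP and the DN-to-principal mapping are only meaningful for that issuer.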

29 IdP Discovery
- Like the Shibboleth SP-initiated browser flows, the Grid SP needs to know the user's preferred IdP
- SAML assertions bound to X.509 certs give clues as to the user's preferred IdP
  - For example, the GridShib Authentication Assertion Client sets the NameQualifier attribute to the unique identifier of the IdP
  - Unfortunately, the NameQualifier attribute is deprecated in SAML V2.0

30 IdP Discovery (cont'd)
- The Issuer attribute is a better indicator of the user's preferred IdP
  - However, for self-issued assertions (assertion issuer == certificate issuer) the Issuer is a DN, which doesn't help IdP discovery
- Solution: set the X.509 Subject Information Access extension to the IdP entityID

31 GridShib Attribute Push Profile
- The Client may push attributes at step 1
- SAML assertions are bound to X.509 certificates or SOAP messages
- The Grid SP may or may not query for attributes in this case
[diagram: Client, Grid SP and IdP; steps 1-4 as in the pull profile]

32 Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

33 Online Roadmap
- We present current plans and timelines
- Roadmap online at the GridShib dev.globus incubator site: http://dev.globus.org/wiki/GridShib_Development_Roadmap
- The roadmap will be maintained as work progresses; check the web page for updates

34 Attribute Push
- For the past six months, GridShib has concentrated on attribute push
- Advantages of attribute push:
  - IdP Discovery is less of an issue
- Disadvantages of attribute push:
  - What to push? (we call this "SP Discovery")

35 GridShib X.509 Certificate
- The anatomy of an X.509 certificate suitable for GridShib attribute push:
  - short lifetime
  - IdP entityID in the Subject Information Access extension
  - SAML Subject in the Subject Alternative Name extension
  - SAML assertion(s) bound to an X.509 v3 certificate extension
  - SSO assertion(s) nested in the Advice element of a bound SAML assertion

36 X.509 Binding for SAML
- We bind an ASN.1 SEQUENCE of SAML elements at a well-known, non-critical X.509 v3 certificate extension
  - GridShib and Globus CAS already have a limited ability to bind elements to X.509 proxy certificates
- Future versions of the GridShib CA will bind SAML to end-entity certificates

37 An X.509 Binding for SAML (poster)
GridShib, an NSF-funded project between NCSA and the University of Chicago, integrates federated identity management infrastructure (Shibboleth) with Grid technology (Globus Toolkit) to provide attribute-based authorization for distributed scientific communities (http://gridshib.globus.org/). We propose to bind SAML assertions to X.509 certificates to facilitate GridShib Attribute Push, which overcomes some limitations of Classic GridShib (Attribute Pull). Two use cases for GridShib Attribute Push, involving the GridShib CA and the TeraGrid Science Gateway, are depicted on the poster. The GridShib CA binds SAML to an X.509 end-entity certificate after step 5. The Science Gateway binds SAML to an X.509 proxy certificate after step 9. The client presents the X.509 certificate to the GridShib Service Provider (SP). The GridShib SP extracts the SAML, parses the attributes, and makes an informed access control decision.
Classic GridShib use case (Grid Client, GridShib Identity Provider, GridShib Service Provider):
1. WS-RF Service Request (SOAP)
2. SAML Attribute Query (SOAP)
3. SAML Attribute Response
4. WS-RF Service Response
GridShib CA use case (Browser, Shibboleth Identity Provider, GridShib CA, Grid Client, GridShib Service Provider; 8 steps):
1. Shib Authn Request (Redirect)
2. SAML Authn Response
3. SAML Authn Response (POST)
4. SAML Attribute Query (SOAP)
5. SAML Attribute Response
6. HTTP 200 OK (Java Web Start)
7. WS-RF Service Request (SOAP)
8. WS-RF Service Response
Science Gateway use case (Browser, Shibboleth Identity Provider, Web Portal, GridShib Client, X.509 Issuer, SAML Issuer, GridShib Service Provider; 14 steps):
1. Shib Authn Request (Redirect)
2. SAML Authn Response
3. SAML Authn Response (POST)
4. SAML Attribute Query (SOAP)
5. SAML Attribute Response
6. HTTP 200 OK
…
[poster figures: the three use cases above; a Grid Client combined with a Browser and a Shibboleth Service Provider; the bound X.509 certificate]
X.509 v3 Certificate Extension OID: 1.3.6.1.4.1.3536.1.1.1.10

38 X.509 Binding for SAML (cont'd)
- Initially, we bind a single SAML element to the X.509 certificate
- Eventually we would like to support: …
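The two certificate extensions that slides 30 and 35 through 38 rely on, as an added example in pure Python DER (no third-party library). This is illustration code written for this page, not the GridShib CA or the SAML X.509 Binding Tool. The extension OID is the one printed on the poster; the inner layout of the extension value (a SEQUENCE of UTF8String, one per SAML element) and the accessMethod OID used inside Subject Information Access to label the IdP entityID are assumptions, as is the test entityID. The relying-party side shows why the binding has to be non-critical: an RP that does not recognise a critical extension must reject the certificate outright (RFC 5280 section 4.2).

```python
"""X.509 v3 extensions for GridShib attribute push (slides 30, 35-38), in pure Python DER.
Added example, not GridShib code. The OID of the SAML extension is the one on the poster;
the inner layout (SEQUENCE OF UTF8String, one per SAML element) and the access-method OID
used inside Subject Information Access to carry the IdP entityID are assumptions."""
OID_GRIDSHIB_SAML = "1.3.6.1.4.1.3536.1.1.1.10"    # from slide 37
OID_SUBJECT_INFO_ACCESS = "1.3.6.1.5.5.7.1.11"       # id-pe-subjectInfoAccess (RFC 5280)
OID_ACCESS_METHOD_IDP = "1.3.6.1.4.1.3536.1.1.1.99"  # HYPOTHETICAL accessMethod for "IdP entityID"
TAG_BOOL, TAG_OCTET, TAG_OID, TAG_UTF8, TAG_SEQ = 0x01, 0x04, 0x06, 0x0C, 0x30
TAG_URI = 0x86   # GeneralName uniformResourceIdentifier: context tag [6], primitive

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_sequence(body):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = parse_tlv(body, pos)
        items.append((tag, value))
    return items

def encode_extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER never encodes a DEFAULT value, so FALSE is expressed by omission."""
    parts = [tlv(TAG_OID, encode_oid(oid))]
    if critical:
        parts.append(tlv(TAG_BOOL, b"\xff"))
    parts.append(tlv(TAG_OCTET, value_der))
    return tlv(TAG_SEQ, b"".join(parts))

def saml_extension(saml_elements, critical=False):
    """Non-critical by default, as slide 36 requires: an RP that does not know the OID must still accept the cert."""
    inner = b"".join(tlv(TAG_UTF8, e.encode("utf-8")) for e in saml_elements)
    return encode_extension(OID_GRIDSHIB_SAML, tlv(TAG_SEQ, inner), critical)

def sia_extension(idp_entity_id):
    """SubjectInfoAccessSyntax ::= SEQUENCE OF AccessDescription { accessMethod OID, accessLocation GeneralName }."""
    desc = tlv(TAG_SEQ, tlv(TAG_OID, encode_oid(OID_ACCESS_METHOD_IDP))
               + tlv(TAG_URI, idp_entity_id.encode("ascii")))
    return encode_extension(OID_SUBJECT_INFO_ACCESS, tlv(TAG_SEQ, desc))

def decode_extension(der):
    _, body, _ = parse_tlv(der)
    items = parse_sequence(body)
    critical = items[1][0] == TAG_BOOL and items[1][1] != b"\x00"
    return decode_oid(items[0][1]), critical, items[-1][1]

def relying_party_view(extensions, understood=(OID_GRIDSHIB_SAML, OID_SUBJECT_INFO_ACCESS)):
    """What a Grid SP learns from the certificate: (accept, idp_entity_id, saml_elements).
    RFC 5280 section 4.2: an unrecognised critical extension makes the certificate unacceptable."""
    idp, saml = None, []
    for ext in extensions:
        oid, critical, value = decode_extension(ext)
        if oid not in understood:
            if critical:
                return False, None, []
            continue                     # unknown but non-critical: ignore, keep the cert
        _, seq, _ = parse_tlv(value)
        if oid == OID_GRIDSHIB_SAML:
            saml = [v.decode("utf-8") for t, v in parse_sequence(seq) if t == TAG_UTF8]
        else:                            # SIA: pick the AccessDescription that names the IdP
            for _, desc in parse_sequence(seq):
                (_, method), (loc_tag, loc) = parse_sequence(desc)
                if decode_oid(method) == OID_ACCESS_METHOD_IDP and loc_tag == TAG_URI:
                    idp = loc.decode("ascii")
    return True, idp, saml
```

Reading the bound SAML out of the certificate is only half of the relying party's job: the assertion inside still needs its own signature and validity checks, and the entityID recovered from SIA is a discovery hint that must be matched against the SP's SAML metadata before it is trusted as an issuer.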

39 X.509 Binding: Use Cases
- Presenter is the Subject
  - Principal self-assertion
  - Principal self-query
  - Shib-enabled GridShib CA
  - MyProxy Online CA
  - Community Authorization Service
- Presenter acting on behalf of the Subject:
  - nanoHUB Pull
  - National Virtual Observatory (NVO) Push
  - Shib-enabled Science Gateway

40 Use Case: nanoHUB
[diagram: nanoHUB user, nanoHUB portal, nanoHUB IdP, nanoHUB LDAP and Grid SP, with six numbered message steps]

41 Use Case: NVO
[diagram: Browser, Portal, MyProxy, CA, X.509 EEC, Authn Authority, Attribute Authority, Attribute Store, SAML (inputs), GSI Client and Grid SP]

42 Use Case: Science Gateway
[diagram: Browser, Shib-enabled Portal, Authn Authority, Attribute Authority, Attribute Store, SSO Assertion, SAML and X.509 Proxy (inputs), SAML X.509 Binding Tool, GSI Client and Grid SP]

43 Work in the Pipeline
- New versions of GridShib for GT, GridShib for Shib, and GridShib CA
- GridShib Authn Assertion Client => GridShib SAML Issuer Tool
- Shibboleth IdP Tester => GridShib Attribute Query Client
- GridShib SAML Tools
- Enhancements to the Globus SAML Library

44 GridShib for GT Versions
- GridShib for GT 0.5
  - Announced Nov 30, 2006
- GridShib for GT 0.5.1
  - Expected ?
- GridShib for GT 0.6
  - Expected ?

45 GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30, 2006
  - Compatible with both GT 4.0 and GT 4.1
    - GT 4.1 introduces a powerful authz framework
    - Separate binaries for each GT version
    - Source build auto-senses the target GT platform
  - New identity-based authorization feature
    - Uses the grid-mapfile instead of DN ACLs
  - Logging enhancements
  - Bug fixes

46 GridShib for GT 0.5.1
- GridShib for GT 0.5.1 (expected ?)
  - Combined VOMS/SAML attribute-to-account mapping
    - As with the current gridmap situation, GT 4.0.x deployments cannot take advantage of permit overrides or arbitrarily configured fallbacks
    - To accommodate this we'll allow a name mapping scheme that checks in this order, falling back to the next source whenever no match is found or no authorization is granted: gridmap, VOMS, Shibboleth/SAML
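The ordered fallback described for 0.5.1, as an added example that is not GridShib's own mapping code. The grid-mapfile syntax (a quoted DN followed by one or more comma-separated local accounts) is the standard Globus one; the VOMS FQAN table, the SAML attribute table and every DN and value in the sample file are constructed for this example. The point the code makes explicit is that the chain is first-match-wins with no permit override: a DN absent from the grid-mapfile can still land in a local account through a VOMS FQAN or a released SAML attribute, so the VOMS and SAML tables carry the same authority as the grid-mapfile itself.

```python
"""Ordered local-account mapping, gridmap -> VOMS -> Shibboleth/SAML (GridShib for GT 0.5.1 plan).
Added example, not GridShib code. grid-mapfile syntax is the standard Globus one; the
VOMS and SAML mapping tables and all DNs/values below are constructed for the example."""
import shlex

GRIDMAP = """\
# constructed grid-mapfile: quoted DN, then one or more comma-separated local accounts
"/C=US/O=Example University/CN=Alice Example" alice
"/C=US/O=Example University/CN=Bob Builder" bob,builders
"""

VOMS_MAP = {                     # constructed: FQAN -> account, most specific entries first
    "/example-vo/Role=production": "exprod",
    "/example-vo": "expool",
}
SAML_MAP = {                     # constructed: (AttributeName, value) -> account
    ("isMemberOf", "grid-users"): "shibuser",
}

def parse_gridmap(text):
    """Parse grid-mapfile lines into {dn: [accounts]}; comments and malformed lines are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)         # honours the double-quoted DN
        if len(parts) != 2:
            continue                      # malformed entry: skip rather than guess
        dn, accounts = parts
        mapping[dn] = accounts.split(",")
    return mapping

def map_account(dn, fqans=(), saml_attrs=None, gridmap=None):
    """Return (account, source) following the 0.5.1 order, or (None, None) if nothing matches.
    Each source is consulted only when the previous one yielded no account."""
    gridmap = parse_gridmap(GRIDMAP) if gridmap is None else gridmap
    if dn in gridmap:
        return gridmap[dn][0], "gridmap"  # first listed account is the default login
    for fqan in fqans:                    # VOMS presents the primary FQAN first
        if fqan in VOMS_MAP:
            return VOMS_MAP[fqan], "voms"
    for name, values in (saml_attrs or {}).items():
        for value in values:
            if (name, value) in SAML_MAP:
                return SAML_MAP[(name, value)], "saml"
    return None, None

if __name__ == "__main__":
    print(map_account("/C=US/O=Example University/CN=Carol",
                      fqans=["/example-vo/Role=production", "/example-vo"]))
```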

47 GridShib for GT 0.6
- GridShib for GT 0.6 (expected ?)
  - Full-featured attribute push PIP
    - TBA
  - More powerful attribute-based authz policies
    - Allow a unique issuer in authz policy rules

48 GridShib for Shib Versions
- GridShib for Shib 0.5.1
  - Announced Aug 8, 2006
- GridShib for Shib 0.6
  - Expected Jan 2007
  - Will include the SAML Issuer Tool (derived from the Shib resolvertest tool)

49 GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected Jan 2007)
  - Core (already included in 0.5)
    - Requires Shib IdP
    - Includes basic plugins and handlers
  - Certificate Registry (already included in 0.5)
    - Requires GridShib for Shib Core
    - Includes the Derby embedded database
  - SAML Tools (new in 0.6)
    - Requires GridShib for Shib Core
    - Includes the SAML Issuer Tool and the SAML X.509 Binding Tool

50 GridShib CA Versions
- GridShib CA 0.3
  - Announced Nov 27, 2006
- GridShib CA 0.4
  - Expected March 2007

51 GridShib CA 0.3
- GridShib CA 0.3 announced Nov 27, 2006
  - Substantial improvement over version 0.2
  - More robust protocol
  - Installation of trusted CAs at the client
  - Pluggable back-end CAs
    - Uses an OpenSSL-based CA by default
    - A module to use a MyProxy CA is included
  - Certificate registry functionality
    - A module that auto-registers DNs with myVocs

52 GridShib SAML Tools
- GridShib SAML Issuer Tool
  - Derived from the Authentication Assertion Client
- Shibboleth SAML Issuer Tool
  - Derived from the Shib resolvertest tool
- GridShib Attribute Query Client
  - Derived from the Shib IdP Tester
- GridShib X.509 Binding Tool
  - Derived from the GT CAS/SAML utilities

53 GridShib SAML Tools (cont'd)
[diagram: the Shibboleth SAML Issuer Tool (inputs: Shibboleth IdP config) and the GridShib SAML Issuer Tool (inputs: config files) each produce SAML, which the SAML X.509 Binding Tool binds into an X.509 certificate]

54 GridShib SAML Tools (cont'd)
[diagram: the Shibboleth and GridShib SAML Issuer Tools feed SAML to the SAML X.509 Binding Tool, which outputs X.509; the GridShib Attribute Query Client takes its own inputs]

55 SAML Tool Distributions
- The Shib SAML Issuer Tool and the SAML X.509 Binding Tool will be distributed with GridShib for Shib 0.6
- The GridShib SAML Issuer Tool, GridShib Attribute Query Client, and SAML X.509 Binding Tool will be distributed as a single, standalone package
- Note: the latter does not require GridShib for Shib or GridShib for GT

56 Globus SAML Library
- Features and enhancements:
  - Support for SAML V2.0 metadata
  - SAML object equivalence implementation
  - Enhanced SAMLNameIdentifier class
  - SAML NameIdentifier format handlers
  - New SAMLSubjectAssertion class
  - New SubjectStatement class
  - Additional unit tests and examples
  - Requires JDK 1.4 or above

57 New Software Components
- GridShib for Globus Toolkit 0.6
- GridShib for Shibboleth 0.6
  - Optional Certificate Registry
  - Optional SAML Issuer Tool
- GridShib Certificate Authority 0.4
- GridShib SAML Tools
  - SAML Issuer Tool
  - Attribute Query Client
  - SAML X.509 Binding Tool
- Globus SAML Library (enhanced)

58 Profiles and Bindings Specs
- SAML V1.1 Profiles for X.509 Subjects: http://www.oasis-open.org/committees/download.php/19996/sstc-saml1-profiles-x509-draft-01.pdf
- Subject-based Assertion Profile for SAML V1.1
- X.509 Binding for SAML Assertions
- Attribute Query Profile for SAML V1.1
- SAML V1.1 Deployment Profiles for X.509 Subjects
- SAML V2.0 Deployment Profiles for X.509 Subjects

59 Acknowledgments
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards 0438424 and 0438385
  - Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to the Internet2 Shibboleth Project

60 Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid
- Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under the Apache 2 license
For more information and software:
- http://gridshib.globus.org
- vwelch@ncsa.uiuc.edu
- http://dev.globus.org/wiki/Incubator/GridShib

61 Questions?

