Presentation is loading. Please wait.

Presentation is loading. Please wait.

GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.

Published byHilary Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005."— Presentation transcript:

1 GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005

2 2GridShib Overview Some Background: Shibboleth http://shibboleth.internet2.edu/ Internet2 project Allows for controlled inter-institutional sharing of web resources –Federation of identities and attributes –Uses attribute-based authorization –Standards-based (SAML) Being extended to non-web applications Part of NMI/EDIT distribution

3 GlobusWORLD 20053GridShib Overview Some Background: Globus Toolkit http://www.globus.org Collaborative work from the Globus Alliance Toolkit for Grid computing –Job submission, data movement, data management, resource management Security based on X.509 identity- and proxy-certificates Mix of Web Services and pre-WS (e.g. GridFTP) protocols

4 GlobusWORLD 20054GridShib Overview What is GridShib? Formally known as: –NSF Middleware Initiative (NMI) Grant: Policy Controlled Attribute Framework We call it “GridShib” In a nutshell: Allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit 2 year project which kicked off December 1, 2004

5 GlobusWORLD 20055GridShib Overview Why? Attribute-based authorization has shown itself to be useful in large grid, far-flung participants with several types of roles among them NEESgrid, Earth System Grid, TeraGrid, Grid3 (GriPhyN, iVDGL, and PPDG), SCEC Identity-based approach not scaling Shibboleth is well supported and deployed by Internet2 project SAML is used by larger identity federation world, e.g. Liberty Alliance - integrating SAML support into Grids opens the door to leveraging this large technology space

6 GlobusWORLD 20056GridShib Overview Leveraging Internet2 Work Shibboleth & SAML have shown how to Authorize the anonymous user Extend integration of common infrastructure across administrative and operational domains Others are now trying non-browser-based “shibbolization” approaches roughly analogous to what we envision E.g. LionShare Plug: all code elements above are NMI components. We’re building on 3 years’ work of many people.

7 GlobusWORLD 20057GridShib Overview GridShib Integration Principles No modification to typical grid client applications Leverage shibboleth’s attribute administration and end-user maintenance of attribute release policies Leverage high-quality Campus Identity Provider operations Leverage high-quality Shib and Grid software Try to keep modifications to Grid Services and security clients (e.g. grid-proxy-init)

8 GlobusWORLD 20058GridShib Overview GridShib Challenges Integration of SAML and X.509 identity certificates –Use of X.509 certificate identifier as a subject handle for use by the Shib Attribute Authority (SAA) –Shibboleth v1.3 should help with this Integration of SAML and X.509 attribute certificates –E.g. Enable the use of both Shibbolath and VOMS for authorization decisions in the same runtime –Derive common attribute expression to allow for use of both/either of this in Globus runtime

9 GlobusWORLD 20059GridShib Overview GridShib Challenges (cont) Distributed Attribute Administration –What happens when the folks running the attribute authority are not the ones authoritative for the attributes? –Many projects don’t have resources to run a 7x24 security service, but are the only ones who know the attribute space. –Explore Signet, Grouper (from Internet2)

10 GlobusWORLD 200510GridShib Overview GridShib Challenges (cont) Attribute Authority identification –“Where are you from” problem –Grids often have different identity providers and attribute authorities Plumbing interconnect

11 GlobusWORLD 200511GridShib Overview Project objectives Priority 1: Pull mode operation –Globus services contact Shibboleth to obtain attributes about identified user –Support both GT4.x Web Services and pre- WS code Priority 2: Push mode operation –User obtains Shib attributes and push to service Allows role selection

12 GlobusWORLD 200512GridShib Overview Timeline December 1, 2004: formal start February 1, 2005: Developers on board and coding Summer 2005: First release –Basic integration: code supporting pull model with user identified –Selection and simple implementation of policy description language –Targeting GT 4.2 –Shibboleth 1.3

13 GlobusWORLD 200513GridShib Overview Acknowledgements Working in collaboration with Steven Carmody and the Internet2 Shibboleth Design team –Providers of much valuable advice. Funded under NSF award SCI-0438424

14 GlobusWORLD 200514GridShib Overview Questions? Project website: –http://grid.ncsa.uiuc.edu/GridShib/http://grid.ncsa.uiuc.edu/GridShib/ Or contact: –vwelch@ncsa.uiuc.eduvwelch@ncsa.uiuc.edu For more information on NMI: –http://www.nsf-middleware.org/

Download ppt "GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.

Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.

A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.
1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.

1-2.1 Grid computing infrastructure software Brief introduction to Globus © 2010 B. Wilkinson/Clayton Ferner. Spring 2010 Grid computing course. Modification.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.

TeraGrid Science Gateway AAAA Model: Implementation and Lessons Learned Jim Basney NCSA University of Illinois Von Welch Independent.
Knowledge Environments for Science: Representative Projects Ian Foster Argonne National Laboratory University of Chicago

Knowledge Environments for Science: Representative Projects Ian Foster Argonne National Laboratory University of Chicago
Globus Computing Infrustructure Software Globus Toolkit 11-2.

Globus Computing Infrustructure Software Globus Toolkit 11-2.
Widely Distributed Access Management Tom Barton University of Chicago.

Widely Distributed Access Management Tom Barton University of Chicago.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch

GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.

GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
SC06 – Powerful Beyond Imagination Tampa, FL Nov 14, 2006 Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure.

SC06 – Powerful Beyond Imagination Tampa, FL Nov 14, 2006 Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure.
Mairéad Martin The University of Tennessee September 13, 2015 Federated Digital Rights Management.

Mairéad Martin The University of Tennessee September 13, 2015 Federated Digital Rights Management.

Similar presentations

Ads by Google