GridShib and MyProxy: Grid Credential Management and Identity Federation (Von Welch, NCSA)


1 GridShib and MyProxy: Grid Credential Management and Identity Federation
Von Welch, NCSA, vwelch@ncsa.uiuc.edu

2 OGF19 http://myproxy.ncsa.uiuc.edu/
Plug: longer talks Wed @ 2-3:30pm, GridShib, MyProxy, GAARDS, Mountain Laurel

3 GridShib
- dev.Globus Incubator Project
- A collaboration between NCSA and U. Chicago
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards 0438424 and 0438385
  - Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to the Internet2 Shibboleth Project

4 What is GridShib?
- Allows Shibboleth interoperability and SAML functionality in the Globus Toolkit
- Allows GT to parse SAML attributes and use them for authorization
- Allows portals to embed Shibboleth attributes in Grid credentials
- Allows conversion of Shibboleth authentication to Grid credentials

5 Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth
  - Includes GridShib Certificate Registry
- GridShib Certificate Authority
- GridShib SAML Tools

6 Online Roadmap
- We present current plans and timelines
- Roadmap online at the GridShib dev.globus incubator site: http://dev.globus.org/wiki/GridShib_Development_Roadmap
- The roadmap will be maintained as work progresses; check the web page for updates

7 GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30
  - Compatible with both GT4.0 and GT4.1
    - GT4.1 introduces a powerful authz framework
    - Separate binaries for each GT version
    - Source build auto-senses the target GT platform
  - New identity-based authorization feature
    - Uses the grid-mapfile instead of DN ACLs
  - Logging enhancements
  - Bug fixes

8 GridShib for GT 0.5.1
- GridShib for GT 0.5.1 (expected any day now)
  - Combined VOMS/SAML attribute-to-account mapping
    - As with the current gridmap situation, GT4.0.x deployments cannot take advantage of permit overrides or arbitrarily configured fallbacks
    - To accommodate this we'll allow a name-mapping scheme that checks the sources in this order, falling through to the next source whenever no match is found or no authz is granted: gridmap, VOMS, Shibboleth/SAML
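The ordered lookup this slide describes, as an added shell example that is not GridShib's code: it reads a grid-mapfile in the Globus format plus two constructed map files and stops at the first source that yields a local account, denying when none does. The VOMS and SAML map file layouts, the file names, the DNs, FQANs, attributes and account names are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not GridShib's code: the ordered account lookup from this
# slide (gridmap first, then VOMS FQANs, then SAML attributes) over constructed
# map files.  The grid-mapfile syntax is the Globus one; the VOMS and SAML map
# file layouts are assumptions made for this demo.
set -eu

make_sample_maps() {  # $1 = directory to write the three constructed map files into
  cat > "$1/grid-mapfile" <<'EOF'
# Globus grid-mapfile: "<subject DN>" account[,alternate accounts]
"/DC=org/DC=example/CN=Jane Doe" jdoe
"/DC=org/DC=example/CN=Grid Service 17" gridsvc,gridsvc2
EOF
  cat > "$1/voms-mapfile" <<'EOF'
# constructed VOMS map: "<FQAN>" pool_account
"/atlas/Role=production" atlasprod
"/atlas" atlas001
EOF
  cat > "$1/saml-mapfile" <<'EOF'
# constructed SAML attribute map: "<attribute>=<value>" account
"eduPersonAffiliation=faculty" faculty-grid
"eduPersonEntitlement=urn:mace:example.org:grid" campus-grid
EOF
}

# Print the first account on the line whose quoted key equals $2 in map file $1;
# print nothing when no line matches.  Comments and blank lines are skipped.
lookup_map() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    match($0, /^[[:space:]]*"[^"]*"/) {
      k = substr($0, RSTART, RLENGTH)
      sub(/^[[:space:]]*"/, "", k); sub(/"$/, "", k)
      if (k != key) next
      rest = substr($0, RSTART + RLENGTH)
      sub(/^[[:space:]]+/, "", rest)
      split(rest, accts, "[, \t]")      # first listed account is the default
      print accts[1]; exit
    }' "$1"
}

# Ordered fallback: $1 = map directory, $2 = certificate subject DN,
# $3 = space-separated VOMS FQANs, $4 = space-separated SAML name=value pairs
# (values containing spaces are out of scope for this demo).  Prints
# "<source>:<account>" and returns 0 on a hit; returns 1 when nothing matches,
# so the caller denies instead of guessing.
map_account() {
  acct=$(lookup_map "$1/grid-mapfile" "$2")
  [ -n "$acct" ] && { echo "gridmap:$acct"; return 0; }
  for fqan in $3; do
    acct=$(lookup_map "$1/voms-mapfile" "$fqan")
    [ -n "$acct" ] && { echo "voms:$acct"; return 0; }
  done
  for attr in $4; do
    acct=$(lookup_map "$1/saml-mapfile" "$attr")
    [ -n "$acct" ] && { echo "saml:$acct"; return 0; }
  done
  return 1
}

demo() {
  dir=$(mktemp -d)
  make_sample_maps "$dir"
  # identity mapping wins even though the user also carries a VOMS FQAN
  map_account "$dir" "/DC=org/DC=example/CN=Jane Doe" "/atlas" ""
  # unknown DN, production role: VOMS supplies the account
  map_account "$dir" "/DC=org/DC=example/CN=Bob Roe" "/atlas/Role=production /atlas" ""
  # unknown DN, no useful FQAN: the Shibboleth attribute supplies the account
  map_account "$dir" "/DC=org/DC=example/CN=Bob Roe" "/cms" "eduPersonAffiliation=faculty"
  # nothing matches: map_account returns 1 and the request is denied
  map_account "$dir" "/DC=org/DC=example/CN=Bob Roe" "/cms" "eduPersonAffiliation=student" \
    || echo "denied: no mapping"
}

demo
```

The ordering matters for the security outcome: a DN that is explicitly listed in the grid-mapfile is never re-mapped by a VOMS role or a campus attribute, and a subject that matches nothing gets no account at all rather than a default one.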

9 GridShib for GT 0.6
- GridShib for GT 0.6 (expected March 2007)
  - Full-featured attribute push PIP
    - Compatible with current GridShib Attribute Tools
  - More powerful attribute-based authz policies
    - Allow a unique issuer in authz policy rules

10 GridShib SAML Tools
- Current version 0.1.2
- Self-issues a SAML assertion with up to two statements
- Optionally binds this assertion to an X.509 proxy certificate
- Supports both SAML AuthenticationStatement and AttributeStatement
- Separates the issuing of the SAML from the binding of the SAML

11 GridShib SAML Tools 0.2.0
- Target release date: February 2007
- Same command-line interface as v0.1.x (but with more options)
- Leverages the Shibboleth Attribute Resolver to support more complicated attribute requirements
- Support for nested SSO Response
- Enhanced logging
- Java API for portal developers

12 GridShib for Shib Versions
- GridShib for Shib 0.5.1
  - Announced Aug 8, 2006
- GridShib for Shib 0.6
  - Expected Jan 2007
  - Will include SAML Issuer Tool (derived from the Shib resolvertest tool)

13 GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected April 2007)
  - Core (already included in 0.5)
    - Requires Shib IdP
    - Includes basic plugins and handlers
  - Certificate Registry (already included in 0.5)
    - Requires GridShib for Shib Core
    - Includes Derby embedded database
  - SAML Tools (new in 0.6)
    - Requires GridShib for Shib Core
    - Includes SAML Issuer Tool and SAML X.509 Binding Tool

14 GridShib CA 0.3
- Substantial improvement over version 0.2
- More robust protocol
- Installation of trusted CAs at the client
- Pluggable back-end CAs
  - Uses an OpenSSL-based CA by default
  - A module to use a MyProxy CA is included
- Certificate registry functionality
  - A module that auto-registers DNs with myVocs

15 GridShib CA 0.4
- Target release: March 2007
- Fall back to the default SSLSocketFactory on error (Bug 4875)
- Create CA with domain name components (Bug 4887)
- Register the certificate on the front channel with the GridShib for Shibboleth Certificate Registry
- Integrate GridShib SAML Tools to bind a simple attribute assertion to the EEC
- Bind IdP entityID to the SIA extension
- Handle creating a DN from a mix of attributes (Bug 4889)

16 What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids the need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supports multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
- Protocol specified in GFD-E.54
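Added example, not MyProxy's own code and not its wire protocol (GFD-E.54 is not reproduced): the two MyProxy roles on this slide modelled with the openssl command line. A stand-in CA issues "Jane Doe" a one-day EEC (the online-CA role); then a key pair generated on the "client" side is turned into a short-lived RFC 3820 proxy certificate by signing with the long-lived key held on the "server" side (the repository role), so that key never leaves the server directory. The verification step also shows that OpenSSL refuses the chain unless the relying party opts in with -allow_proxy_certs. The directory layout, DNs, lifetimes and extension section names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not MyProxy's own code: model MyProxy's two roles with plain
# OpenSSL.  "server" holds the user's long-lived credential and never ships
# its private key; "client" makes a fresh key pair and gets back a short-lived
# RFC 3820 proxy certificate signed by that long-lived key.  Directory
# layout, names and lifetimes are assumptions chosen for the demo.
set -eu

write_openssl_config() {  # $1 = config file to create
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ user_eec ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
[ rfc3820_proxy ]
# RFC 3820: proxyCertInfo marks a proxy; inheritAll = same rights as the issuer
keyUsage = critical, digitalSignature, keyEncipherment
proxyCertInfo = critical, language:id-ppl-inheritAll, pathlen:0
EOF
}

newkey() {  # $1 = output file; RSA to match what Grid deployments use
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

make_ca() {  # $1 = server dir; stand-in for the CA that issued the user's EEC
  newkey "$1/ca.key"
  openssl req -new -x509 -key "$1/ca.key" -days 3650 -config "$1/openssl.cnf" \
    -extensions v3_ca -subj "/DC=org/DC=example/CN=Example Grid CA" -out "$1/ca.crt"
}

issue_eec() {  # $1 = server dir, $2 = user DN; the online-CA role: a one-day EEC
  newkey "$1/user.key"
  openssl req -new -key "$1/user.key" -config "$1/openssl.cnf" -subj "$2" -out "$1/user.csr"
  openssl x509 -req -in "$1/user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -days 1 -extfile "$1/openssl.cnf" -extensions user_eec -out "$1/user.crt"
}

delegate_proxy() {  # $1 = server dir, $2 = client dir, $3 = user DN; the repository role
  # Client side: fresh key pair and a CSR whose subject is the user DN plus one CN
  # (RFC 3820 requires exactly one extra CN component; its value only has to be unique).
  newkey "$2/proxy.key"
  openssl req -new -key "$2/proxy.key" -config "$1/openssl.cnf" \
    -subj "$3/CN=$(date +%s)$$" -out "$2/proxy.csr"
  # Server side: sign the client's CSR with the stored long-lived key.  Only the
  # certificate (plus the issuing EEC, needed to build the chain) goes back.
  openssl x509 -req -in "$2/proxy.csr" -CA "$1/user.crt" -CAkey "$1/user.key" -CAcreateserial \
    -days 1 -extfile "$1/openssl.cnf" -extensions rfc3820_proxy -out "$2/proxy.crt"
  cp "$1/user.crt" "$2/user.crt"
}

verify_proxy() {  # $1 = client dir, $2 = trusted CA cert; exit status is the verdict
  # A relying party must opt in to proxies; without the flag OpenSSL rejects the chain.
  if openssl verify -CAfile "$2" -untrusted "$1/user.crt" "$1/proxy.crt" >/dev/null 2>&1; then
    echo "unexpected: proxy accepted without -allow_proxy_certs" >&2
    return 1
  fi
  openssl verify -allow_proxy_certs -CAfile "$2" -untrusted "$1/user.crt" "$1/proxy.crt"
}

demo() {  # $1 = scratch directory
  server="$1/server"; client="$1/client"
  mkdir -p "$server" "$client"
  write_openssl_config "$server/openssl.cnf"
  dn="/DC=org/DC=example/CN=Jane Doe"
  make_ca "$server"
  issue_eec "$server" "$dn"
  delegate_proxy "$server" "$client" "$dn"
  verify_proxy "$client" "$server/ca.crt"
  [ ! -e "$client/user.key" ]   # the long-lived key stayed on the server
  openssl x509 -in "$client/proxy.crt" -noout -subject -issuer -dates
}

demo "${1:-$(mktemp -d)}"
```

Two details carry over to a real deployment: the issuing EEC must carry digitalSignature in its keyUsage, or OpenSSL will not accept it as the issuer of a proxy, and pathlen:0 in proxyCertInfo stops the short-lived proxy from delegating further, which is the limit a MyProxy repository would normally want on what it hands out.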

17 Topics for Discussion
- Credential Renewal
- High Availability
- Attribute Support
- Web Services
- Web SSO
- Security Context Provisioning
- User Registration
- HSM Support
- Audit Logging
- Others?

18 Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with the GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT

19 High Availability
- Existing support
  - Clients retry when the server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of the MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication

20 Attribute Support
- Existing support
  - VOMS authentication to the MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to the MyProxy server

21 Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, and Python APIs are available instead
- A standard Delegation Service interface is needed
  - For the MyProxy, GT4, and EGEE delegation services

22 Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?

23 Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires the MyProxy server's CA certificate to be installed
- Future Work
  - Java client support
  - Zero-configuration bootstrap

24 User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services

25 HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA

26 Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces

27 Thank you
Reminder: Wed @ 2-3:30pm, GridShib, MyProxy, GAARDS, Mountain Laurel
For more information: vwelch@ncsa.uiuc.edu, http://myproxy.ncsa.uiuc.edu/, http://gridshib.globus.org

