
GridShib Grid-Shibboleth Integration An Overview Von Welch

Presentation transcript:

1. GridShib: Grid-Shibboleth Integration, An Overview
Von Welch, vwelch@ncsa.uiuc.edu
http://grid.ncsa.uiuc.edu/GridShib/

2. Some Background: Shibboleth
(Nov 5, 2004, GridShib Overview)
http://shibboleth.internet2.edu/
Internet2 project
Allows for inter-institutional sharing of web resources
– Federation of identities and attributes
– Uses attribute-based authorization
– Standards-based (SAML)
Being extended to non-web resources
Part of the NMI/EDIT distribution

3. Some Background: Globus Toolkit
http://www.globus.org
Collaborative work of the Globus Alliance
Toolkit for Grid computing
– Job submission, data movement, data management, resource management
Security based on X.509 identity certificates and proxy certificates
Part of the NMI Grids Center Suite

4. What is GridShib?
Formally known as:
– NSF Middleware Initiative (NMI) Grant: Policy Controlled Attribute Framework
We call it "GridShib"
In a nutshell: allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
2-year project starting December 1, 2004

5. The GridShib picture
Actors: Campus User, Grid Service, Shibboleth (campus attribute authority)
(0) Attribute release policy, set by the campus user at Shibboleth
(1) Grid authentication, user to grid service
(2) Shib attribute request, grid service to Shibboleth
(3) Attributes, Shibboleth to grid service
(4) Attribute-based authorization at the grid service

6. Who is GridShib?
NCSA, Von Welch (PI): Shibboleth-PKI integration. "Get the assertion into the Grid."
Argonne/U. Chicago, Kate Keahey (PI), Frank Siebenlist: Globus Toolkit policy framework. "Do something with the assertion in the Grid."
U. Chicago, Tom Barton: deployment, testing, hardening. "Make sure real users can use it."

7. Why?
Critical mass of grid deployments could use it
– Large grids, far-flung participants with several types of roles among them
– Examples: NEESgrid, Earth System Grid, TeraGrid, Grid3 (GriPhyN, iVDGL, and PPDG), SCEC
– Grid-mapfile approach not scaling
Shibboleth is well supported and deployed
– Centralized campus resource for research computing
– Examples: UChicago, USC, UAB

8. Time is finally right
Shibboleth and SAML have shown how to:
– Authorize the anonymous user
– Extend integration of common infrastructure across administrative and operational domains
Others are now trying non-browser-based "shibbolization" approaches roughly analogous to what we envision
Sufficiently abstracted security-related interfaces are provided by NMI Grid componentry
Plug: all code elements above are NMI components. We're building on 3 years' work by many people.

9. GridShib Integration Principles
No modification to typical grid client applications
Leverage Shibboleth's attribute administration and end-user maintenance of attribute release policies
Leverage high-quality campus Identity Provider operations
Leverage high-quality Shib and Grid software

10. GridShib Challenges
Use of an identifier in the X.509 certificate as a subject handle for use by the Shib Attribute Authority (SAA)
– Shibboleth v1.3 should handle this
Allowing VOs to define attributes meaningful to them
Attribute Authority identification
– The "where are you from" problem
Plumbing interconnect
Translating requirements into meaningful authorization policy
Support for pseudonymity

11. Project objectives
Priority 0: gather requirements, identify users, survey related work
– Users: U Chicago, USC (Henderson), TeraGrid
– Related work: already established coordination with ESP-Grid (Dr. Jeffreys, Oxford, UK), UAB (Gemmil), Georgetown (Leonhardt)

12. Project objectives (cont.)
Priority 1: pull mode operation
– Globus services contact Shibboleth to obtain attributes about the identified user
Priority 2: push mode operation
– User obtains Shib attributes and pushes them to the service
– Allows role selection
Priority 3: pseudonymous access with MyProxy/GridLogon
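The pull and push flows of the previous two slides, and the numbered steps of the GridShib picture (slide 5), as a small working model. This is an added example, not GridShib, Globus or Shibboleth code: the class names, the HMAC-tagged JSON "assertion" standing in for a signed SAML attribute statement, the shared verification key, and every DN, URL, user and attribute value below are constructed assumptions. It shows the checks a service must make in push mode that pull mode gets for free: that the pushed assertion was issued by the user's home attribute authority, for this service, about the subject who just authenticated, and that it has not been altered after role selection.

```python
"""Constructed model of the GridShib pull and push flows on the slides.
Added example, not GridShib/Globus/Shibboleth code: the class names, the
HMAC-tagged JSON "assertion" (a stand-in for a signed SAML attribute
statement) and the sample DNs, URLs and attribute values are assumptions."""
import hashlib
import hmac
import json
from dataclasses import dataclass


def _canon(issuer, audience, subject, attrs):
    # Bytes covered by the assertion tag (stand-in for an XML-DSig signature).
    return json.dumps([issuer, audience, subject, attrs], sort_keys=True).encode()


@dataclass
class AttributeAuthority:
    """Campus Shibboleth attribute authority (SAA) as in-memory tables."""
    name: str
    key: bytes            # AA signing key; the toy service holds it to verify
    attributes: dict      # subject handle (X.509 DN) -> {attr: [values]}
    release_policy: dict  # subject handle -> {requester: {releasable attrs}}

    def _released(self, requester, subject):
        # (0) the user's attribute release policy filters what leaves the AA
        allowed = self.release_policy.get(subject, {}).get(requester, set())
        return {a: v for a, v in self.attributes.get(subject, {}).items()
                if a in allowed}

    def query(self, requester, subject):
        """Pull mode: the grid service asks about an authenticated subject."""
        return self._released(requester, subject)

    def issue(self, requester, subject, select=None):
        """Push mode: the user fetches an assertion scoped to one audience and
        may keep only some values (role selection) before pushing it."""
        attrs = self._released(requester, subject)
        if select:
            attrs = {a: [v for v in vals if v in select.get(a, vals)]
                     for a, vals in attrs.items()}
        tag = hmac.new(self.key, _canon(self.name, requester, subject, attrs),
                       hashlib.sha256).hexdigest()
        return {"issuer": self.name, "audience": requester, "subject": subject,
                "attributes": attrs, "tag": tag}


@dataclass
class GridService:
    name: str
    aa_by_issuer: dict  # cert issuer DN -> AttributeAuthority ("where are you from")
    policy: dict        # action -> {attr: {acceptable values}}; any match grants

    def decide(self, attrs, action):
        # (4) attribute-based authorization
        for attr, ok in self.policy.get(action, {}).items():
            if set(attrs.get(attr, [])) & ok:
                return True, f"{attr} satisfied"
        return False, "no released attribute satisfies policy"

    def authorize_pull(self, cert, action):
        # (1) grid authentication yields subject and issuer DNs from the cert
        aa = self.aa_by_issuer.get(cert["issuer"])
        if aa is None:
            return False, "cannot locate attribute authority for issuer"
        # (2)+(3) ask the home AA about the identified subject
        return self.decide(aa.query(self.name, cert["subject"]), action)

    def authorize_push(self, cert, assertion, action):
        aa = self.aa_by_issuer.get(cert["issuer"])
        if aa is None or assertion["issuer"] != aa.name:
            return False, "assertion issuer is not the user's home AA"
        if assertion["audience"] != self.name:
            return False, "assertion was issued for another service"
        if assertion["subject"] != cert["subject"]:
            return False, "assertion subject differs from authenticated identity"
        tag = hmac.new(aa.key, _canon(assertion["issuer"], assertion["audience"],
                       assertion["subject"], assertion["attributes"]),
                       hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, assertion["tag"]):
            return False, "assertion integrity check failed"
        return self.decide(assertion["attributes"], action)


# Constructed sample deployment: one campus AA and one grid job service.
CAMPUS_CA = "/C=US/O=Example Campus/CN=Campus CA"
ALICE = "/C=US/O=Example Campus/CN=Alice Faculty"
BOB = "/C=US/O=Example Campus/CN=Bob Student"
JOBS = "https://grid.example.org/jobmanager"
VO_ROLE = "urn:example:vo:seismo:analyst"


def build_demo():
    aa = AttributeAuthority(
        name="https://idp.campus.example.edu/shibboleth", key=b"demo-key",
        attributes={ALICE: {"eduPersonAffiliation": ["faculty", "member"],
                            "eduPersonEntitlement": [VO_ROLE]},
                    BOB: {"eduPersonAffiliation": ["student", "member"]}},
        release_policy={ALICE: {JOBS: {"eduPersonAffiliation", "eduPersonEntitlement"}},
                        BOB: {JOBS: {"eduPersonAffiliation"}}})
    service = GridService(name=JOBS, aa_by_issuer={CAMPUS_CA: aa},
                          policy={"submit_job": {"eduPersonAffiliation": {"faculty", "staff"},
                                                 "eduPersonEntitlement": {VO_ROLE}}})
    return aa, service
```

`build_demo()` returns the AA and the service; `service.authorize_pull(cert, "submit_job")` exercises steps (1) to (4) with the cert's issuer DN answering the "where are you from" question, and `aa.issue(JOBS, ALICE, select=...)` followed by `service.authorize_push(...)` exercises push mode with role selection. The shared HMAC key is a simplification of the AA signing with its private key and the service verifying with the AA's public key; everything else about the checks (issuer, audience, subject binding, integrity, then policy) carries over.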

13. Timeline
December 1, 2004: formal start
– Kickoff meeting Dec 7-8 at U Chicago
Summer 2005: first release
– Basic integration: code supporting the pull model with the user identified
– Selection and simple implementation of a policy description language
– GT 4.2? 4.4? (timeframe not set)
– Shibboleth 1.3

14. Timeline (cont.)
2006: second release
– Advanced integration: code supporting push mode and user pseudonymity
– Integration with MyProxy/GridLogon for improved usability
– Integration of feedback from the Year 1 release

15. Potential objectives
Collaboration with the Signet folks to allow for distributed attribute administration
Support for alternatives to GT4:
– Standard PKI-authenticated web services in addition to GT4 (some Grid projects are looking at a plain web services approach)
– Support for GT2 legacy code? Will there still be demand?

16. Acknowledgements
Working in collaboration with Steven Carmody and the Internet2 Shibboleth design team
– Providers of much valuable advice
Funded under NSF award SCI-0438424

17. Questions?
Project website:
– http://grid.ncsa.uiuc.edu/GridShib/
Or contact:
– vwelch@ncsa.uiuc.edu
For more information on NMI:
– http://www.nsf-middleware.org/
