University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
GridShib: Grid/Shibboleth Interoperability
MWSG, March 1, 2007
Tom Barton (1), Tim Freeman (1), Kate Keahey (1), Raj Kettimuthu (1), Tom Scavo (2), Frank Siebenlist (1), Von Welch (2)
(1) University of Chicago; (2) NCSA/University of Illinois

Acknowledgments
–GridShib is funded by the NSF Middleware Initiative (NMI awards to NCSA and U. Chicago/ANL), as a collaboration between the two
–Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation
–Open source, hosted as a Globus Incubator project
–Many thanks also to Internet2

GridShib Goals
–Let the Grid scale by leveraging existing campus identity management (IdM)
  –Treat Shibboleth as the interface to campus IdM systems
  –Get the Grid out of the identity-management business
–Make joining the Grid as easy as possible for users
  –No separate long-term credential to manage for Grid access
  –No new passwords, certificates, etc.
–Let campus attributes and VO attributes be aggregated and used by the Grid for authorization
  –Attribute-based authorization scales with the user base: the Grid knows groups of users rather than individual users

Why Shibboleth?
What does Shibboleth bring to the table?
–A large (and growing) installed base on campuses around the world
–A professional development and support team
–A standards-based (SAML), open source implementation
–A standard attribute vocabulary (eduPerson)

GridShib Software Components
–GridShib for Globus Toolkit: a plugin for GT 4.0
–GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
–GridShib CA: a web-based CA for new grid users
–GridShib SAML Tools: tools for portals and users to embed attributes into X.509 credentials
All available from the GridShib dev.globus incubator site

Deployment Scenarios

Shibboleth-authenticated Grid Access (diagram)
Components shown: the campus Shibboleth IdP backed by the campus IdM system (or a public IdP such as ProtectNetwork.com or OpenIdP.org); the GridShib CA, which receives the user's ePPN; MyProxy; the grid-mapfile at the resource; and the resulting Grid credential, a short-lived EEC*.
* Lifetime on the order of 8 hours, and in any case under 1M seconds (the ceiling of the IGTF short-lived credential service profile)

Shibboleth-authorized Grid Access (diagram)
Components shown: the GridShib CA issuing the Grid credential; GridShib for Shibboleth at the IdP supplying attributes; and GridShib for GT at the resource, which consumes those attributes to make the authorization decision.

Community Access via Science Gateway (diagram)
Components shown: the user authenticates to a web portal (e.g. with username/password); the portal uses the GridShib SAML Tools to attach attributes to the Grid requests it makes on the user's behalf; GridShib for GT at the resource consumes them, with GridShib for Shibboleth at the IdP as the attribute source.

Attribute Push
Turning to attribute push. Our observation is that most Grid use cases want:
–A persistent identifier from the home institution
–Attributes from the VO
A Shib/X.509 gateway is the natural point at which to collect attributes from the home institution, combine them with VO attributes, and push them to the Grid
–The gateway could be the GridShib CA or a domain portal, e.g. a TeraGrid Science Gateway
–Attributes may be static or dynamic

Attribute Push Scenario (diagram)
Components shown: the user authenticates to a web portal; the portal adds local attributes (which may be dynamic) with the GridShib SAML Tools and pushes them along with its Grid requests to GridShib for GT; GridShib for Shibboleth remains the source of the home-institution attributes.

Our Roadmap
–We now present current plans and timelines
–The roadmap is online at the GridShib dev.globus incubator site
–It will be maintained as work progresses; check the web page for updates

GridShib for Globus Toolkit
GridShib for Globus Toolkit is a plugin for GT4
Features:
–SAML authentication assertion consumption
–SAML attribute consumption
–Attribute-based access control
–Attribute-based local account mapping
–SAML metadata consumption

GridShib for GT
Announced Feb 15 (2007)
–Compatible with both GT4.0 and GT4.1
  –GT4.1 introduces a more powerful authorization framework
  –Separate binaries for each GT version
  –A source build auto-detects the target GT platform
–Combined VOMS/SAML attribute-to-account mapping
  –Mechanisms are checked in this order, falling through to the next whenever there is no match or no authorization is granted: gridmap, VOMS, Shibboleth/SAML

GridShib for GT 0.6
Expected March 2007
–Full-featured attribute push PIP (policy information point)
  –Compatible with the current GridShib SAML Tools
–More powerful attribute-based authorization policies
  –Allow a unique issuer to be named in authorization policy rules
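The gridmap, VOMS, Shibboleth/SAML fall-through described two slides up, together with the issuer-specific policy rules planned for 0.6, as an added example in Python. This is not GridShib for GT code (the real plugin runs inside GT's authorization chain); the grid-mapfile text, the VOMS and SAML policy tables, the attribute names and the trusted-issuer list are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed grid-mapfile: '"<subject DN>" account[,account...]' per line
GRIDMAP_TEXT = '''
# static DN -> account bindings
"/DC=org/DC=example/CN=Alice Admin" alice
"/DC=org/DC=example/CN=Bob Builder" bob,build
'''


def parse_gridmap(text: str) -> Dict[str, str]:
    """Return DN -> default account (the first one listed for that DN)."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith('"'):
            continue  # comments, blanks and unquoted DNs are ignored
        dn, _, accounts = line[1:].partition('"')
        first = accounts.strip().split(",")[0].strip()
        if dn and first:
            mapping[dn] = first
    return mapping


GRIDMAP = parse_gridmap(GRIDMAP_TEXT)

# Assumed VOMS policy: fully qualified attribute name (FQAN) -> pool account
VOMS_POLICY = {
    "/nano/Role=NULL": "nanouser",
    "/nano/admin/Role=NULL": "nanoadmin",
}

# Assumed SAML policy keyed by (issuer entityID, attribute name, value).
# Keying on the issuer is what lets a rule name one unique issuer.
SAML_POLICY = {
    ("https://idp.example.edu/shibboleth",
     "urn:mace:dir:attribute-def:eduPersonAffiliation", "member"): "campus",
}
TRUSTED_ISSUERS = {"https://idp.example.edu/shibboleth"}


@dataclass
class GridRequest:
    subject_dn: str
    fqans: List[str] = field(default_factory=list)  # from a VOMS proxy, if any
    attributes: List[Tuple[str, str, str]] = field(default_factory=list)  # (issuer, name, value)


def map_to_account(req: GridRequest, gridmap: Dict[str, str] = GRIDMAP) -> Optional[Tuple[str, str]]:
    """Return (local account, mechanism), or None when nothing authorizes the request.

    The order matches the slide: gridmap first, then VOMS, then Shibboleth/SAML."""
    if req.subject_dn in gridmap:
        return gridmap[req.subject_dn], "gridmap"
    for fqan in req.fqans:
        if fqan in VOMS_POLICY:
            return VOMS_POLICY[fqan], "voms"
    for issuer, name, value in req.attributes:
        if issuer not in TRUSTED_ISSUERS:
            continue  # an attribute asserted by an unknown IdP must never grant access
        account = SAML_POLICY.get((issuer, name, value))
        if account:
            return account, "saml"
    return None
```

The point to take from the last loop is that the issuer check comes before the policy lookup: a SAML attribute with the right name and value from an IdP the site has no trust relationship with must fall through to "no account", exactly like an unmatched DN or FQAN.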

GridShib SAML Tools
Tools for creating SAML assertions and binding them to Grid credentials
–Direct GridShib for GT to the appropriate Shibboleth attribute authority (AA), which addresses the WAYF ("where are you from") problem
–Tell GridShib for GT which identifier to use in the SAML attribute request, which can remove the need for changes to the Shibboleth IdP
–Bind attributes, whether from Shibboleth or generated locally, to the credential for consumption by GridShib for GT
Current version: 0.1.2

GridShib SAML Tools (next release)
Target release date: February 2007
–Same command-line interface as v0.1.x (but with more options)
–Leverages the Shibboleth Attribute Resolver to support more complicated attribute requirements
–Support for a nested SSO Response
–Enhanced logging
–Java API for portal developers

GridShib for Shibboleth
GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
Features:
–Name Mapper
–SAML name identifier implementations: X509SubjectName, Address, etc.
–Certificate Registry

GridShib Name Mapper
Users may be known by a number of names
The Name Mapper (NameMapper) is a container for name mappings
Multiple name mappings are supported:
–File-based name mappings (NameMapFile)
–DB-based name mappings (NameMapTable)

GridShib Certificate Registry
A Certificate Registry is integrated into GridShib for Shibboleth
–An established grid user authenticates (via Shibboleth) and registers an X.509 end-entity certificate
–The Registry binds the certificate to the principal name and persists the binding in a database
–On the back end, GridShib maps the DN in an attribute query to a principal name in the DB
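The Name Mapper and Certificate Registry of the last two slides, as one added Python example that is not GridShib for Shibboleth code: a file-based and a database-based name mapping behind one mapper, with the registry writing new DN-to-principal bindings into the same table the mapper reads. The file format, the SQLite schema, the class and method names and the sample bindings are assumptions.

```python
import sqlite3
from typing import Optional, Sequence

# Constructed name-map file: one '"<subject DN>" <principal>' binding per line
NAME_MAP_FILE = '''
# X.509 subject DN                      principal
"/DC=edu/DC=example/CN=Jane Doe"         jdoe
"/DC=edu/DC=example/CN=Raj Kettimuthu"   rkettimu
'''


class NameMapFile:
    """Read-only DN -> principal mapping parsed from a text file."""

    def __init__(self, text: str):
        self._map = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if not line.startswith('"'):
                raise ValueError(f"subject DN must be quoted: {line!r}")
            dn, _, principal = line[1:].partition('"')
            principal = principal.strip()
            if not dn or not principal or " " in principal:
                raise ValueError(f"malformed mapping: {line!r}")
            self._map[dn] = principal

    def lookup(self, dn: str) -> Optional[str]:
        return self._map.get(dn)


class NameMapTable:
    """DN -> principal mapping held in SQLite. The certificate registry persists
    new bindings into this table, so a freshly registered cert resolves at once."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        # A DN is bound to exactly one principal; a principal may register several certs.
        conn.execute("CREATE TABLE IF NOT EXISTS name_map (dn TEXT PRIMARY KEY, principal TEXT NOT NULL)")

    def register(self, authenticated_principal: str, subject_dn: str) -> None:
        """Certificate registry step: bind the subject DN of the cert the user just
        presented to the principal from the user's Shibboleth session, never to a
        principal name the user typed in. Re-registering your own DN is a no-op;
        claiming a DN already bound to someone else is refused."""
        try:
            self.conn.execute("INSERT INTO name_map (dn, principal) VALUES (?, ?)",
                              (subject_dn, authenticated_principal))
        except sqlite3.IntegrityError:
            if self.lookup(subject_dn) != authenticated_principal:
                raise PermissionError(f"{subject_dn} is already bound to another principal")
        self.conn.commit()

    def lookup(self, dn: str) -> Optional[str]:
        row = self.conn.execute("SELECT principal FROM name_map WHERE dn = ?", (dn,)).fetchone()
        return row[0] if row else None


class NameMapper:
    """Container for name mappings: consult each backend in order, first hit wins."""

    def __init__(self, backends: Sequence):
        self.backends = list(backends)

    def principal_for(self, dn: str) -> Optional[str]:
        dn = dn.strip()
        for backend in self.backends:
            principal = backend.lookup(dn)
            if principal is not None:
                return principal
        return None


def fresh_table() -> NameMapTable:
    """An empty in-memory registry table (assumed helper for demonstration)."""
    return NameMapTable(sqlite3.connect(":memory:"))


def demo_mapper() -> NameMapper:
    """File mapping first, then the registry-backed table (assumed ordering)."""
    table = fresh_table()
    table.register("tscavo", "/DC=edu/DC=example/CN=Tom Scavo")
    return NameMapper([NameMapFile(NAME_MAP_FILE), table])
```

Two details matter for the attribute query described on the slide: the mapper looks up the exact DN string, so the IdP must present DNs in one canonical form, and the registry only ever stores the principal that Shibboleth authenticated, which is what stops a user from binding somebody else's certificate to their own account.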

GridShib CA
The GridShib Certificate Authority is a web-based CA for new grid users
–The GridShib CA is protected by a Shibboleth SP and back-ended by the MyProxy Online CA, or by a local OpenSSL-based CA
–The CA issues short-term credentials suitable for authentication to a Grid SP: a short-lived EEC, similar to those issued by MyProxy CA or KCA
–Credentials are downloaded to the desktop via Java Web Start; there are lots of tricky security details here
–A version is deployed and can be used by anyone with an InQueue, OpenIdP or ProtectNetwork login

GridShib-CA Architecture (diagram)
Client side: the browser and a Java Web Start application that holds the EEC and its private key. Server side: the GridShib-CA (a Shibboleth SP) in front of either the MyProxy CA or the OpenSSL-based CA, plus the set of trusted CAs. Flow: standard Shibboleth authentication between the browser and the Shib IdP establishes a Shib session with the GridShib-CA; the Java Web Start application then submits a certificate request and receives the certificate.

GridShib CA 0.3
Substantial improvement over version 0.2
–More robust protocol
–Installation of trusted CAs at the client
–Pluggable back-end CAs
  –Uses an OpenSSL-based CA by default
  –A module to use a MyProxy CA is included
–Certificate registry functionality
  –A module that auto-registers DNs with myVocs

GridShib CA 0.4
Target release: March 2007
Incorporate improvements from initial deployments and requirements from TeraGrid:
–Fall back to the default SSLSocketFactory on error (Bug 4875)
–Create CA with domain name components (Bug 4887)
–Integrate GridShib SAML Tools to bind a simple attribute assertion to the EEC
–Bind the IdP entityID into the SIA (Subject Information Access) extension
–Handle creating a DN from a mix of attributes (Bug 4889)

TeraGrid testbed
A testbed for federated identity management and attribute-based authorization, building on Shibboleth and GridShib
Goals:
–Scalable access by leveraging campus authentication: remove the IdM burden from TeraGrid
–Attribute-based authorization to define communities
–Ease of use: users do not manage long-term Grid credentials
–Interoperability with OSG and others
If this sounds like something you would be interested in participating in, please talk to me

TG: Plans/Progress
–Roll out attribute-based authorization to a handful of RP nodes
  –Test systems or alternative head nodes for HPC systems
  –Integrating with CTSSv3
  –CTSSv4 will be VDT-based; investigate interactions with GUMS/PRIMA
–Prototype portal: nanoHUB (Purdue)
–Establish a GridShib-CA for TG
–Policies, procedures

TG Testbed: Issues
What do Grids need from campuses?
–A persistent identifier: targetedId vs. ePPN
–Legal name (displayName)
Incident response
–Grid sites must be able to de-authorize a user quickly
–What is the next step?
–The campus must agree to "help"
–Campuses want to be informed of issues
–Need a point of contact (24/7 coverage is probably not always available)
–Define the responsibility split

Issues (cont.)
What attribute information do we log, and how?
–Obviously record the information related to the authorization decision
–Keep other attributes? Any privacy concerns?
–SAML/Shibboleth attributes get long fast, e.g.:
  attribute name = urn:mace:dir:attribute-def:role
  attribute namespace = urn:mace:shibboleth:1.0:attributeNamespace:uri
  attribute value =
–Syslog line limits get hit quickly with naive schemes
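One way to log the attributes behind an authorization decision without hitting syslog line limits or copying the user's whole attribute set into the logs, as an added Python example that is not GridShib code: known URN prefixes are abbreviated, values are recorded only for the attributes that fed the decision (the others appear by name with the value withheld), and the record is split across lines that share an event id and carry a sequence number. The prefix table, record format, sample attributes and subject DN are constructed; the 1024-byte default is the RFC 3164 syslog message limit.

```python
import json
from typing import List, Sequence, Set, Tuple

# Constructed abbreviation table, checked in order
PREFIX_ABBREV = [
    ("urn:mace:shibboleth:1.0:attributeNamespace:uri", "shib-uri"),
    ("urn:mace:dir:attribute-def:", "mace:"),
    ("urn:oid:", "oid:"),
]
DEFAULT_NAMESPACE = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

# Constructed (name, namespace, value) triples as a Shibboleth 1.x AA would return them
SAMPLE_ATTRIBUTES = [
    ("urn:mace:dir:attribute-def:eduPersonPrincipalName", DEFAULT_NAMESPACE, "jdoe@example.edu"),
    ("urn:mace:dir:attribute-def:eduPersonAffiliation", DEFAULT_NAMESPACE, "member"),
    ("urn:mace:dir:attribute-def:role", DEFAULT_NAMESPACE, "urn:x-example:vo:nano:role:simulation-user"),
    ("urn:mace:dir:attribute-def:isMemberOf", DEFAULT_NAMESPACE, "urn:x-example:vo:nano:group:admins"),
    ("urn:mace:dir:attribute-def:displayName", DEFAULT_NAMESPACE, "Jane Doe"),
]
# Constructed: the attributes the (hypothetical) policy actually consulted
AUTHZ_ATTRIBUTES = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation",
    "urn:mace:dir:attribute-def:isMemberOf",
}
SUBJECT_DN = "/DC=edu/DC=example/CN=Jane Doe"


def short_name(uri: str) -> str:
    """Abbreviate a known URN prefix; unknown names are logged unchanged."""
    for prefix, abbrev in PREFIX_ABBREV:
        if uri.startswith(prefix):
            return abbrev + uri[len(prefix):]
    return uri


def format_authz_log(event_id: str, subject_dn: str, decision: str,
                     attributes: Sequence[Tuple[str, str, str]], authz_attrs: Set[str],
                     max_bytes: int = 1024) -> List[str]:
    """Render one authorization decision as one or more lines, none over max_bytes."""
    head = f"gridshib-authz id={event_id} dn={json.dumps(subject_dn)} decision={decision}"

    def new_line(seq: int) -> str:
        return f"{head} seq={seq}"

    if len(new_line(999).encode()) + 8 > max_bytes:
        raise ValueError("max_bytes too small for the record header")

    tokens = []
    for name, namespace, value in attributes:
        key = short_name(name)
        if namespace != DEFAULT_NAMESPACE:
            key += "@" + short_name(namespace)
        tokens.append(f"{key}={json.dumps(value)}" if name in authz_attrs else f"{key}=<withheld>")

    lines, seq, current = [], 1, new_line(1)
    for tok in tokens:
        budget = max_bytes - len(new_line(seq + 1).encode()) - 1  # room for a token on a fresh line
        if len(tok.encode()) > budget:  # overlong token: truncate and mark it
            tok = tok.encode()[: budget - 3].decode("utf-8", "ignore") + "..."
        if len(current.encode()) + 1 + len(tok.encode()) > max_bytes:
            lines.append(current)
            seq += 1
            current = new_line(seq)
        current += " " + tok
    lines.append(current)
    return lines


if __name__ == "__main__":
    for line in format_authz_log("a1b2c3", SUBJECT_DN, "permit", SAMPLE_ATTRIBUTES, AUTHZ_ATTRIBUTES, 160):
        print(line)
```

Withholding values rather than dropping the attribute entirely keeps a record that the IdP released, say, an ePPN, which is what incident response needs to go back to the campus, while the value itself stays out of the log unless it was actually used for the decision.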

Questions?