GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

Slides:



Advertisements
Similar presentations
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Advertisements

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November.
GT 4 Security Goals & Plans Sam Meder
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Grid Security. Typical Grid Scenario Users Resources.
PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
SC06 – Powerful Beyond Imagination Tampa, FL Nov 14, 2006 Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure.
I2/NMI Update: Signet, Grouper, & GridShib Tom Barton University of Chicago.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
MyVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Middleware Support for Virtual Organizations Internet 2 Fall 2006 Member Meeting Chicago, Illinois Stephen Langella Department of.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
NSF Middleware Initiative Renee Woodten Frost Assistant Director, Middleware Initiatives Internet2 NSF Middleware Initiative.
GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Shibboleth and TAGPMA Michael Helm DOEGRids/ESnet 27 Mar 2006.
Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1, Jim Basney 2, Tim Freeman.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for ISIS Developers January 30, 2007.
GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005 Von Welch
Grid Security: Authentication Most Grids rely on a Public Key Infrastructure system for issuing credentials. Users are issued long term public and private.
GridShib CIP Seminar December 6th, 2005 Tom Scavo Von Welch NCSA.
GRIDS Center Middleware Overview Sandra Redman Information Technology and Systems Center and Information Technology Research Center National Space Science.
Gridshib-tech-overview-dec051 GridShib A Technical Overview Tom Scavo NCSA.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Leveraging the InCommon Federation to access the NSF TeraGrid Jim Basney Senior Research Scientist National Center for Supercomputing Applications University.
Grid Authorization Landscape and Futures Von Welch NCSA
Tools for Grid/Campus Integration: GridShib and MyProxy Internet2 Advanced Camp July 1, 2005 Von Welch
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
GridShib Grid-Shibboleth Integration An Overview Von Welch
1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.
National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.
Shibboleth A Technical Overview
Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA.
Globus Security: Features and Roadmap & Building Secure VOs using Globus Toolkit Frank Siebenlist Rachana Ananthakrishnan Computation Institute, University.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.
Leveraging Campus Authentication to Access the TeraGrid Scott Lathrop, Argonne National Lab Tom Barton, U Chicago.
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
2NCSA/University of Illinois
e-Infrastructure Workshop 28th March 2006, University of Leeds
Shibboleth for Non-Web-Based Applications: GridShib
NSF Middleware Initiative: GridShib
GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
A Grid Authorization Model for Science Gateways
TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
NSF Middleware Initiative: GridShib
Presentation transcript:

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

Oct 3rd, 20052GGF15 What is GridShib NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit –Funded under NSF award SCI GridShib team: NCSA, U. Chicago, ANL –Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Oct 3rd, 20053GGF15 Motivation Many Grid VOs are focused on science or business other than IT support –Don’t have expertise or resources to run security services Allow for leveraging of Shibboleth code and deployments run by campuses

Oct 3rd, 20054GGF15 Outline Overview of Shibboleth Overview of Globus/Grid PKI Approach Status and Future Plans

Oct 3rd, 20055GGF15 Campus Infrastructure

Oct 3rd, 20056GGF15 Student? Check out book… Access student records… Is student John Smith?

Oct 3rd, 20057GGF15 Check out book… Different protocols Privacy Different Schemas

Oct 3rd, 20058GGF15 Shibboleth Internet2 project Allows for inter-institutional sharing of web resources (via browsers) –Provides attributes for authorization between institutions Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’ Standards-based (SAML) Being extended to non-web resources

Oct 3rd, 20059GGF15 SAML Authn/Authz Uses SAML to express Identity and attributes to Allow for interoperability Uses short-lived identifiers To protest privacy of users.

Oct 3rd, GGF15 Check out book… Pseudonymous Identifier Is a student Pseudonymous Identifier

Oct 3rd, GGF15 Shibboleth Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services SSO: authenticates user locally and issues authentication assertion with Handle –Assertion is short-lived bearer assertion –Handle is also short-lived and non-identifying –Handle is registered with AA Attribute Authority responds to queries regarding handle

Oct 3rd, GGF15 Shibboleth Service Provider composed of Assertion Consumer and Attribute Requestor Assertion Consumer parses authentication assertion Attribute Requestor: request attributes from AA –Attributes used for authorization Where Are You From (WAYF) service determines user’s Identity Provider

Oct 3rd, GGF15 Shibboleth (Simplified) AA SSO Shibboleth IdP Handle Attributes SAML AR ACS Shibboleth SP Handle LDAP (e.g.)

Oct 3rd, GGF15 Globus Toolkit Toolkit for Grid computing –Job submission, data movement, data management, resource management Based on Web Services and WSRF Security based on X.509 identity- and proxy-certificates –Maybe from conventional or on-line CAs Some initial attribute-based authorization

Oct 3rd, GGF15 Grid PKI Large investment in PKI at the international level for Grids –TAGPMA, GridPMA, APGridPMA –Dozens of CAs, thousands of users Really painful to establish But its working… –And it’s not going way easily

Oct 3rd, GGF15 Integration Approach Conceptually, replace Shibboleth’s handle-based authentication with X509 –Provides stronger security for non-web browser apps –Works with existing PKI install base To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

Oct 3rd, GGF15 Use Cases Project leveraging campus attributes –Simplest case Project-operated Shib service –Project operates own service, conceptually easy, but not ideal Campus-operated, project-administered Shib –Ideal mix, but need mechanisms for provisioning of attribute administration

Oct 3rd, GGF15 GridShib (Simplified) A SSO Shibboleth DN Attributes DN SAML SSL/TLS, WS-Security

Oct 3rd, GGF15 Authorization Delivering attributes is half the story… Currently have a simple authorization mechanisms –List of attributes required to use service or container Developing finer-grain authorization for GRAM

Oct 3rd, GGF15 Authorization Plans Develop authorization framework in Globus Toolkit –Siebenlist et. al. at Argonne –Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions Work in OGSA-Authz WG to allow for callouts to third-party authorization services –E.G. PERMIS Convert Attributes (SAML or X509) into common format for policy evaluation –XACML-based

Oct 3rd, GGF15 GridShib Status Beta release publically available Drop-in addition to GT 4.0 and Shibboleth 1.3 Project website: – Very interested in feedback

Oct 3rd, GGF15 Future Plans Integration of GridShib with MyProxy Online CA –Allow for use of Grid Resources by users without long-term X509 credentials –Collaboration with Jim Basney Signet/Grouper integration for distributed attribute administration –See Tom Barton’s talk

Oct 3rd, GGF15 Questions? My Project website: –

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.