The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
High Performance Computing Course Notes Grid Computing.
OSG AuthZ Architecture AuthZ Components Legend VO Management Services Grid Site GUMS Site Services SAZ CE Gatekeeper Prima Is Auth? Yes / No SE SRM gPlazma.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.
WebFTS as a first WLCG/HEP FIM pilot
Federated A(A(A))I Jens Jensen hepsysman, RAL,
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
Presented by Xiaoyu Qin Virtualized Access Control & Firewall Virtualization.
1.The portal sends, under the user approval, user’s attribute retrieved from IDP to CA bridge 2.CA bridge module requests to a CA-online a certificate.
May 8, 20071/15 VO Services Project – Status Report Gabriele Garzoglio VO Services Project – Status Report Overview and Plans May 8, 2007 Computing Division,
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
GILDA testbed GILDA Certification Authority GILDA Certification Authority User Support and Training Services in IGI IGI Site Administrators IGI Users IGI.
SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Interoperability in OMII – Europe (using the new standard compliant SAML-based VOMS to handle attribute-based authz.) Morris Riedel (FZJ), Valerio Venturi.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
INFSO-RI Enabling Grids for E-sciencE VOMS architecture Valerio Venturi, Vincenzo Ciaschini INFN First gLite tutorial on GILDA,
AN INTEGRATED FRAMEWORK FOR VO-ORIENTED AUTHORIZATION, POLICY-BASED MANAGEMENT AND ACCOUNTING Andrea Caltroni 3, Vincenzo Ciaschini 1, Andrea Ferraro 1,
INFSO-RI Enabling Grids for E-sciencE GILDA Practicals : Security systems GILDA Tutors Singapore, 1st South East Asia Forum -- EGEE.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
VO. VOMS 1. Authentication2. Credentials 3. Authentication Client Resource.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks VOMS Vincenzo Ciaschini EGEE/OSG Workshop.
Delegation of Authority David Chadwick
EGEE User Forum Data Management session Development of gLite Web Service Based Security Components for the ATLAS Metadata Interface Thomas Doherty GridPP.
Conference name Company name INFSOM-RI Speaker name The ETICS Job management architecture EGEE ‘08 Istanbul, September 25 th 2008 Valerio Venturi.
INFSO-RI Enabling Grids for E-sciencE Use of VOMS Attributes: semantics and suggestions Vincenzo Ciaschini MWSG 12 Stockholm 12-13/06/07.
INFSO-RI Enabling Grids for E-sciencE G-PBox Auth meeting 13/9/2005 Presenter: Vincenzo Ciaschini.
6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.
Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.
Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.
Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.
DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.
FP6−2004−Infrastructures−6-SSA E-infrastructure shared between Europe and Latin America Practicals on Security Miguel Cárdenas Montes.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
INFSO-RI Enabling Grids for E-sciencE - II SLCS, VASH, and LCAS/LCMAPS Plugins All-Hands Meeting Helsinki Placi Flury, SWITCH 19.
WLCG Authentication & Authorisation LHCOPN/LHCONE Rome, 29 April 2014 David Kelsey STFC/RAL.
INFSO-RI Enabling Grids for E-sciencE VOMS & MyProxy interaction Emidio Giorgio INFN NA4 Generic Applications Meeting 10 January.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
The VOMS and the SE in Tier2 Presenter: Sergey Dolgobrodov HEP Meeting Manchester, January 2009.
EGI-InSPIRE RI Grid Training for Power Users EGI-InSPIRE N G I A E G I S Grid Training for Power Users Institute of Physics Belgrade.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) 马兰馨 IHEP, CAS Hands on gLite Security.
Security Bob Cowles
DGAS Distributed Grid Accounting System INFN Workshop /05/1009, Palau Giuseppe Patania Andrea Guarise 6/18/20161.
Overview of the New Security Model Akos Frohner (CERN) WP8 Meeting VI DataGRID Conference Barcelone, May 2003.
1 Grid security Services and Support Vincenzo Ciaschini, INFN CNAF V INFN-GRID workshop 18-20/12/2006.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Introduction Salma Saber Electronic.
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
Guidelines for attribute translation to X.509
StoRM: a SRM solution for disk based storage systems
Practicals on VOMS and MyProxy
Grid accounting system
The New Virtual Organization Membership Service (VOMS)
AMGA Web Interface Vincenzo Milazzo
Presentation transcript:

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007

What is VOMS VOMS is…  An Attribute Authority.  A VO Management System.  A source of trust for authorization. VOMS is not…  A policy system.  An AuthN/AuthZ framework.

VOMS: The problem In a grid environment, VOs tend to be extremely large and change frequently.  Hundreds or even thousands of users. Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies. It is not scalable to manage them by hand

VOMS: The solution Organize users into groups and grant them roles.  Allows for full RBAC authorization. Also, adds other general-purpose attributes.

Who uses VOMS? Egee  10 VOs, 2 servers InfnGrid  15 VOs, 2 servers OSG  29 VOs, ? servers

VOMS Architecture VOMSDB VOMS-ADMIN Secure

What is VOMS-Admin? A web application that manages the contents of the VOMS database Used by VO Administrators mainly to  add/remove users to the VO,  put them in VOMS groups,  assign VOMS roles to them Provides a WSDL interface to its functions Has a command line client Has a web-based user interface

VOMS-Admin architecture

What is VOMSd VOMSd is the component which listens for user requests and creates Attribute Certificates.  All communication is secured and mutually authenticated.  Allows high customization of ACs. Which roles to present, validity length, targeting, etc…

VOMSd Architecture VOMSd DBBACKENDDBBACKEND DBINTERFACEDBINTERFACE I/OINTERFACEI/OINTERFACE Internal Logic

VOMS data format Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate.  The exact profile is described here:  ACs are the natural choice in a X.509 world. The grid is a X.509 world. The provided clients insert the AC in a non-critical extension of the user proxy.  Immediate compatibility with non-VOMS aware software.

What is a proxy? A proxy is a short-lived certificate that has as issuer a user certificate.  Standardized in RFC  Commonly used throughout the grid for authentication and authorization purposes.

VOMS clients The clients provided are command-line based.  But APIs are available in C,C++ and JAVA. You could write your own client.

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Subject

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s issuer

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Certificate’s subject

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Type of proxy

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s key strength

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s Location

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Proxy’s validity

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 VO Name

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Data

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 Owner’s Group membership

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 General-Purpose attributes

Example of data: marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini type : proxy strength : 512 bits path : /tmp/x509up_u502 timeleft : 11:59:58 === VO valerio extension information === VO : valerio subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it attribute : /valerio/Role=NULL/Capability=NULL attribute : /valerio/asdasd/Role=NULL/Capability=NULL attribute : /valerio/qwerty/Role=NULL/Capability=NULL attribute : attributeOne = 111 (valerio) attribute : attributeTwo = 222 (valerio) timeleft : 11:59:58 AC validity

Voms & Shibboleth

Shibboleth Structure IdPSP WAYF

Shibboleth: Protocol Description User Service Provider Wayf Identity Provider

A common misconception: VOMSShibboleth = IdP

Similarities VOMS and a Shibboleth IdP both…  Maintain lists of user identities.  Add attributes to user identities.  Offer a way to distribute such attributes.

Differences Shibboleth IdPVOMS Has good support for federationsHas basic support for federations Does not support X.509Supports X.509 Supports SAMLSAML support in development Allows third parties to get information on usersDoes not allow third parties to get information on users. Pull modelPush model Mostly geared to website authorizationMostly geared to grid authorization Delegation of credentials not well supportedDelegation of credentials well supported

Shibboleth and Grids: The problem “The Shibboleth System is NOT usable in non-Browser scenarios (without a lot of hard thinking)”  “Introduction to Shibboleth – Phases of Deployment” Steve Carmody, 2006 Shibboleth Camp Unfortunately, grid access and usage relies heavily on non-browser access.  Implies that some translation mechanism is necessary for shib users to access a grid.

An example submission Broker Execution Storage Job Data Job Data

Shibboleth and Grids: The Solution Insert Shib attributes directly in a VOMS proxy and use said proxy for grid access.  Implemented by VASH  Collaboration by SWITCH and INFN within EGEE.  Details in my colleague’s presentation.

The VOMS team Vincenzo Ciaschini  Valerio Venturi  Andrea Ceccanti 