SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.


EU project: RIO31844-OMII-EUROPE

Outline
- Standardization effort
- Service description
- Integration

Standardization Effort
- Goal was to add SAML support to VOMS
- Attribute Exchange profile edited in the OGSA AuthZ WG
  - SAML Query/Response profile
  - X.509 Deployment
  - XACML Attributes

VOMS SAML
- Service implementing the Attribute Exchange Profile
  - That is, SAML Query/Response profile + X.509 subjects + attribute requirements
- It does the same thing the classic VOMS server does
  - releases signed assertions containing attributes about a subject
- Differences
  - uses SAML attribute assertions instead of ACs
  - has a Web Service interface

VOMS SAML
- No API, no voms-proxy-init
  - WS approach: get the WSDL and use whatever SOAP and XML tools you prefer
    - example code in the distribution using Axis, XFire, JAXB, XMLBeans, libcurl, libxml; coming soon gSOAP, OpenSAML
  - Binding to a proxy is only one of the possible uses; more later

Service Interface
- A single operation, AttributeQuery
  - Input: samlp:AttributeQuery
    - who is doing the query, whose attributes it is querying for, which attributes it is querying for
  - Output: samlp:Response
    - who is answering, what the status is, and the assertion
- An attribute assertion associates a principal with a set of attributes
  - the asserting entity, the subject of the assertion, conditions under which the assertion is valid, the attributes, and a signature
- A SAML Attribute Profile for VO-related attributes is currently being discussed in the OGF OGSA Authorization WG
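As an added example (not code from the VOMS SAML distribution), the checks a relying party makes on the samlp:Response described on this slide before it acts on the attributes: status, presence of a signature, X.509 subject format, validity conditions, and only then the attribute values. The response document, endpoint, DN and attribute name are constructed; verifying the signature itself is left to an XML-DSig library such as the OpenSAML the slides mention.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
# Constructed sample samlp:Response: the endpoint, DN and attribute name are
# made up, and the ds:Signature content is a placeholder, not a real signature.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0" IssueInstant="2008-02-20T10:00:00Z">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-02-20T10:00:00Z">
    <saml:Issuer>https://voms.example.org/voms-saml</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Alice Example,O=Example Org</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2008-02-20T10:00:00Z" NotOnOrAfter="2008-02-20T22:00:00Z"/>
    <saml:AttributeStatement><saml:Attribute Name="http://example.org/voms/fqan">
      <saml:AttributeValue>/omiieurope/Role=NULL</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def utc(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))  # SAML timestamps end in Z

def parse_attribute_response(xml_text, now):
    """Relying-party checks; returns (issuer, subject DN, {attribute name: [values]}) or raises."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS).get("Value")
    if status != SUCCESS:
        raise ValueError("query failed with status " + status)
    assertion = root.find("saml:Assertion", NS)
    # Only a signed assertion may drive authorization. Verifying the signature needs
    # an XML-DSig library (OpenSAML, xmlsec); this example only requires its presence.
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("assertion is not signed")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id.get("Format") != X509_SUBJECT:
        raise ValueError("subject is not an X.509 subject name")
    cond = assertion.find("saml:Conditions", NS)
    if not utc(cond.get("NotBefore")) <= utc(now) < utc(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity period")
    attrs = {}
    for att in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[att.get("Name")] = [v.text for v in att.iterfind("saml:AttributeValue", NS)]
    return assertion.findtext("saml:Issuer", namespaces=NS), name_id.text, attrs
```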

Implementation
- Web service
  - To be deployed in a servlet container
    - Used with Tomcat with the gLite trustmanager
  - Uses Axis
    - But custom serialization that uses OpenSAML, since Axis has problems with SAML schemas
  - There is SOAP support in OpenSAML; will move from Axis
- SAML
  - uses OpenSAML, currently release candidate 2
- Database layer
  - Uses Hibernate, as VOMS Admin does

Status
- First release due February 29
  - Alpha available since April 07, beta since November 07, both used for OMII-Europe developments, testing and demonstrations
- Those impatiently willing to test it can enroll in the OMII-Europe VO and use the present deployment
- Fancy a deployment for gLite developers?
  - Could serve the DTEAM VO
  - I didn't dare ask Maria Dimou about either using a machine at CERN or connecting to the database from CNAF
    - The db replicas that are going to be available at CNAF soon would make it easier
  - An official endorsement from JRA1 would help

Middleware Integration
- VOMS releases SAML assertions, so what?
- Assertions are used by Grid services to drive authorization decisions
- Commonly used in push mode for attribute retrieval
  - get attributes and push them to the service
- How to do that?
  - In an extension of the proxy certificate, the way VOMS does now with ACs
  - In the SOAP Header, using WS-Security

Middleware Integration
- Just as ACs, SAML assertions may be put in an extension of the proxy certificate
  - Proved a very simple and effective way of carrying attributes to Grid services
- This is the way GridShib has used SAML assertions when integrating Shibboleth and GT
- One may also have voms-proxy-init doing that
  - Advantage: the integration would be nearly painless

Middleware Integration
- In OMII-Europe we have experimented with using WS-Security to carry SAML assertions in the SOAP Header
  - One of the main goals was the availability of VOMS on UNICORE, which doesn't use proxies
- Using the SOAP Header works both with EECs and proxies
- Defined in the 'Web Services Security: SAML Token Profile 1.1'
  - defines the use of SAML assertions as security tokens in the header block defined by the WSS: SOAP Message Security specification
- Full example of client-service interaction available with the source code
  - Comprises validation of the XML signature

Middleware Integration
- Advantages
  - It's standard
  - Works with EECs
    - Not only useful for proxy-unaware middleware such as UNICORE
    - Why use proxies, which aren't safe (or not as safe as EECs), when you can use EECs?
      - Using resources that don't need a delegation step
  - Decoupling of authentication from attributes
    - You don't need to get the client certificate and extract the attributes
    - For services deployed in a container, let the container do the X.509 dirty jobs and care only about the XML

Disadvantages
- Only for Web Services
- Coupling is what guards against attribute escalation
  - With a proxy carrying an AC, you cannot ask for attributes that are not in the AC already
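Added example (not the OMII-Europe sample code) for the SOAP-header approach of the previous slides and the coupling point above: a service that reads the SAML token from wsse:Security binds the assertion's X.509 subject to the DN the container authenticated over TLS, which is the check that replaces the proxy/AC coupling. The envelope, body element, DN and attribute name are constructed, and signature verification is assumed to have been done before this step.

```python
import xml.etree.ElementTree as ET

NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/",
      "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed SOAP request: the body element, issuer, DN and attribute name are made up.
SAMPLE_ENVELOPE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <soap:Header>
    <wsse:Security>
      <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2008-02-20T10:00:00Z">
        <saml:Issuer>https://voms.example.org/voms-saml</saml:Issuer>
        <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=Alice Example,O=Example Org</saml:NameID></saml:Subject>
        <saml:AttributeStatement><saml:Attribute Name="http://example.org/voms/fqan">
          <saml:AttributeValue>/omiieurope/Role=NULL</saml:AttributeValue>
        </saml:Attribute></saml:AttributeStatement>
      </saml:Assertion>
    </wsse:Security>
  </soap:Header>
  <soap:Body><Request xmlns="http://example.org/constructed-service"/></soap:Body>
</soap:Envelope>"""

def attributes_for_caller(envelope_xml, authenticated_dn):
    """Return {attribute name: [values]} from the header token, but only when the
    assertion's subject is the DN the container authenticated on the TLS connection."""
    root = ET.fromstring(envelope_xml)
    assertions = root.findall("soap:Header/wsse:Security/saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one SAML token in wsse:Security")
    assertion = assertions[0]
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    # Without the proxy/AC coupling, this comparison is what stops a caller from
    # presenting an assertion issued to someone else. Production code should compare
    # DNs in a canonical form (RFC 4514 normalization) rather than as raw strings.
    if name_id.get("Format") != X509_SUBJECT or name_id.text != authenticated_dn:
        raise ValueError("assertion subject does not match the authenticated client")
    return {att.get("Name"): [v.text for v in att.iterfind("saml:AttributeValue", NS)]
            for att in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
```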

Ongoing integrations
- CREAM BES
  - Uses VOMS SAML assertions as well as VOMS proxies
  - More in next talk
- UNICORE
  - uses VOMS SAML assertions for authorization
  - Tested with the UNICORE OGSA BES, available for any UNICORE service
- Globus Toolkit
  - Two components in OMII-Europe that are based on GT are integrating VOMS SAML assertions
    - Writing a PIP for the authz framework, and we are in touch with GT developers to eventually feed it back to them
  - May come in handy if GT AuthZ were chosen as a PEP for the new authz framework

gLite Integration
- SAML assertions mentioned in the EGEE III DoW
  - 'extension in the use of SAML-based attributes for authorisation'
  - 'support the use of SAML attributes in VOMS'
  - 'development of the gLite authorization framework.. support for the use of SAML assertions'
- How to use them probably to be discussed in the next weeks
  - There's a service you can use
  - There's experience you can leverage
    - Integration in CREAM BES
- Suggestion: try to maintain the availability under UNICORE and GT

gLite Integration
- Need to move VOMS-SAML code into EGEE context
  - Branding issue to be sorted out at a higher level
- Shouldn't be too painful
  - Code currently only in the INFN SVN
  - Built with ETICS, and packaged nearly the gLite way
    - uses /opt/omii instead of /opt/glite
