Enabling Collaborations via a Transformative Virtual Organization Platform Dr. Gordon K. Springer University of Missouri-Columbia CS Department Seminar.


Enabling Collaborations via a Transformative Virtual Organization Platform Dr. Gordon K. Springer University of Missouri-Columbia CS Department Seminar Series Columbia, Missouri May 6, 2008

Overview
- Problem and implications
- Shibboleth: concepts and protocol overview; advantages and shortcomings
- The entitlements repository: design and implementation; demonstration
- Conclusion
5/06/2008

Introduction
- Interconnected computing resources, data repositories, research tools and information sources are widespread
- Research institutions develop research projects that access and share computing, information and research resources belonging to various other institutions, forming virtual organizations (VOs)

Virtual Organization
- A virtual organization is an umbrella organization that encompasses all the research institutions that share a common goal. They come together by sharing resources, by allowing for greater knowledge leveraging, and by providing access to research and learning tools
- The goal of any virtual organization is to provide member institutions with a secure, robust, inter-operable and problem-free inter-institutional collaborative research environment

The Great Plains Network
The Great Plains Network (GPN) has created a virtual organization of Midwestern research universities working on providing an efficient collaborative research environment for their members

The GPN Network (figure)

GPN Today (figure)

Mission
Enhance competitiveness and economic benefit by providing leadership in advanced high performance applications and network technologies to enable the Great Plains region to lead in innovative learning/educational environments and collaborative research.

GPN Collaborative Framework (figure)

The Problem
- What are the key issues involved in providing for a secure, robust and efficient inter-institutional collaborative environment?
- What technologies satisfy these requirements?

Key Issues
- Security of computing resources, networks, communications and personal information
- Authentication and authorization of users to remote resources are key issues in distributed computing

Key Issues
- Authentication: the process of establishing whether an entity (e.g., user, service) is the entity it claims to be. Mechanisms include usernames and passwords, public and private keys, and smart cards combined with some form of knowledge possession (e.g., answering a question presumably answerable only by the entity)
- Authorization: the process of determining, after an entity is authenticated, whether it is allowed to access a particular resource. Authorization always implies a previous authentication

Key Issues
- Trust: member institutions need to establish a trusting relationship in order to share resources
- Privacy (user identity privacy)
  - Passive privacy: the user has no control over their identity credentials
  - Active privacy: the user has strict control over their identity credentials

Shibboleth
- Shibboleth is an Internet2 standards-based architecture, policy framework and technology implementation used to support sharing of computing resources
- Shibboleth is a middleware initiative that offers a mechanism to authenticate and authorize inter-institutional user access to protected resources

Shibboleth
- Shibboleth controls access to a resource without the need for the user’s identity credentials (username and password)
- Shibboleth protects a resource in the same manner as a username and password can protect a resource
- Shibboleth protection is based on group membership and the attributes that describe that membership, rather than the identification of a particular entity

Group Membership vs Individual Credentials
- Individual credentials: each entity needs a username and a password for every shared resource
- Group membership is described by attributes, such as “student”, “manager”, “enrolled in CS 1001” or “member of the GPNVO group”

Example
- The University of Missouri wants to share access to its computing cluster
- A group of researchers from other GPN VO member institutions want to use it
- All authorized users from GPN VO institutions have the attribute “member of the GPN VO group”
- The goal is to have these attributes created and managed by VO administrators or their delegates across institutional boundaries

Shibboleth Key Concepts
- Shibboleth requires a single username and password pair for access to a potentially huge number of resources
- Shibboleth enforces the order of authentication followed by authorization
  - The user’s home institution (IdP) is responsible for authenticating the user and for storing the user’s institutional attributes
  - The remote shared resource (SP) is responsible for authorizing the user using the attributes sent by the home institution. (Our system uses a separate Entitlement Server for VO attributes)

Shibboleth Key Concepts
- Shibboleth supports active privacy: a user can decide which of their attributes are revealed to the shared resources
- Shibboleth provides the framework for establishing a trust fabric within a virtual organization
  - Collaborative trust: negotiating attribute structure and values (e.g., the eduPerson object class), the level of security of the infrastructure, and policies
  - Certificate Authorities

Shibboleth Components
- An identity provider is the Shibboleth entity that authenticates a user and answers attribute inquiries from the service provider
- A service provider is the Shibboleth entity that communicates with the user and with the user’s identity provider at their home institution, and makes the access control decision based on the user’s attributes
- A Where Are You From (WAYF) service is an independent service operated by a virtual organization. Its purpose is to identify a user’s home institution and to redirect the user to that institution’s authentication system

Shibboleth Protocol (diagram)
Components: WAYF; Identity Provider (Identity Directory, Handle Service, Attribute Authority); Service Provider (SHIRE, SHAR, Resource Manager, Resource). Exchanged: Credentials, Handle, Attributes

Attributes of Group Membership
- Attributes are a central part of the Shibboleth architecture, as they provide the group membership information
- An attribute is a name-value pair
- Attributes are stored in the identity provider
- We have two types of attributes: institution-related attributes and virtual-organization-related attributes
- An entitlement is an attribute value that allows a user access to a specific resource or group of resources

Institution Related Entitlements
- eduPerson is an object class used by identity directories to describe attributes to be used by academic institutions. eduPersonPrimaryAffiliation = “faculty”, eduPersonPrincipalName = or eduPersonEntitlement are some of the defined eduPerson attributes
- eduPersonEntitlement is the only attribute whose values are not predefined; eduPersonPrimaryAffiliation can have only one of these values: “faculty”, “student”, “member” or “staff”

Virtual Organization Entitlements
- GPN registered the namespace urn:mace:greatplains.net to be used as a prefix in defining new VO-related entitlements, such as urn:mace:greatplains.net:biosci
- The suffix (“biosci”) is used at the service provider to allow fine-grained control when authorizing access to different shared resources

Example
- A user may have the “faculty” or “enrolled in CS 1001” institution-related attributes stored in their eduPerson object
- In order to use a resource that requires membership in the “biogrid” group, denoted by the “urn:mace:greatplains.net:biogrid” VO entitlement, the user needs an entry in a repository somewhere that links their identity to the VO entitlement
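The decision the last few slides describe can be written down directly: institution-related attributes (eduPersonPrimaryAffiliation, eduPersonPrincipalName) arrive from the IdP, while VO membership is looked up under the registered urn:mace:greatplains.net namespace in a separate repository. The Go program below is an added example written for this page, not code from the presentation or from GPN. The ResourcePolicy type, the in-memory EntitlementRepo, the single-label check on the suffix and the sample principals alice@idp.example and peter@idp.example are all constructed assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// VONamespace is the prefix GPN registered for VO entitlements (from the slides).
const VONamespace = "urn:mace:greatplains.net:"

// Attribute is one name-value pair released by the user's IdP.
type Attribute struct{ Name, Value string }

// EntitlementRepo stands in for the entitlements repository: principal -> VO
// entitlements held. Constructed and in-memory for this example.
type EntitlementRepo map[string]map[string]bool

// ResourcePolicy is what one shared resource at the SP requires (an assumption
// about how an SP would express its rule; the slides state only the idea).
type ResourcePolicy struct {
	Affiliations []string // accepted eduPersonPrimaryAffiliation values; empty = any
	VOSuffix     string   // label under VONamespace, e.g. "biosci"; empty = no VO check
}

func values(attrs []Attribute, name string) []string {
	var out []string
	for _, a := range attrs {
		if a.Name == name {
			out = append(out, a.Value)
		}
	}
	return out
}

// Authorize is the SP's decision. Institution-related attributes come from the IdP
// assertion; VO membership comes only from the repository, never from the IdP.
// The reason string is what the SP would log for a refused request.
func Authorize(attrs []Attribute, repo EntitlementRepo, pol ResourcePolicy) (bool, string) {
	eppn := values(attrs, "eduPersonPrincipalName")
	if len(eppn) != 1 {
		return false, "assertion must carry exactly one eduPersonPrincipalName"
	}
	if len(pol.Affiliations) > 0 {
		allowed := false
		for _, have := range values(attrs, "eduPersonPrimaryAffiliation") {
			for _, want := range pol.Affiliations {
				allowed = allowed || have == want
			}
		}
		if !allowed {
			return false, "affiliation not accepted for this resource"
		}
	}
	if pol.VOSuffix != "" {
		// A suffix is a single label, so a policy cannot name an entitlement
		// outside the registered namespace by smuggling in separators.
		if strings.ContainsAny(pol.VOSuffix, ": \t") {
			return false, "policy error: VO suffix must be a single label"
		}
		want := VONamespace + pol.VOSuffix
		if !repo[eppn[0]][want] {
			return false, "no VO entitlement " + want + " for " + eppn[0]
		}
	}
	return true, "granted"
}

// Constructed sample data mirroring the scenario on the slides: Alice holds the
// biosci VO entitlement, Peter holds none, both are faculty at a fictional IdP.
var (
	Repo = EntitlementRepo{
		"alice@idp.example": {"urn:mace:greatplains.net:biosci": true},
	}
	Alice = []Attribute{
		{"eduPersonPrincipalName", "alice@idp.example"},
		{"eduPersonPrimaryAffiliation", "faculty"},
	}
	Peter = []Attribute{
		{"eduPersonPrincipalName", "peter@idp.example"},
		{"eduPersonPrimaryAffiliation", "faculty"},
	}
	BiotoolsPolicy = ResourcePolicy{Affiliations: []string{"faculty", "staff"}, VOSuffix: "biosci"}
	ClusterPolicy  = ResourcePolicy{VOSuffix: "biogrid"}
)

func main() {
	for _, user := range [][]Attribute{Alice, Peter} {
		ok, why := Authorize(user, Repo, BiotoolsPolicy)
		fmt.Printf("%s -> Biotools: %v (%s)\n", user[0].Value, ok, why)
	}
}
```

Peter is refused even though his IdP vouches for him as faculty, which is exactly the separation the slides argue for: the IdP settles who the user is and what their institution says about them, and the VO repository alone settles VO membership.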

Shibboleth Advantages
- Shibboleth creates the policy framework to establish a trust fabric in a virtual organization
- Shibboleth decouples authentication from authorization, reducing the overhead of managing usernames and passwords
- Shibboleth strengthens user identity privacy across shared resources
- Shibboleth is based on open standards and has an open-source implementation

Shibboleth Shortcomings
- There are security risks involved in allowing external entities to manage entitlements in the identity management system of another institution
- The eduPerson object class does not support significant modifications of its format that would allow VO entitlements to be stored in its structure, which reduces fine-grained authorization capabilities
- Signet and Grouper simplify attribute management, but within the scope of a single IdP populating the eduPerson object class. In VOs there are multiple IdPs, each of which would have to incorporate the VO entitlements in order to properly support the VO

The Entitlements Repository
- Defines, manages and uses virtual organization (VO) entitlements that do not refer to any particular user or institution. They encompass the idea of a shared resource that needs to be made available to any entitled entity from any member organization
- Allows refined authorization for any virtual organization

The Entitlements Repository
- Separates the VO entitlements (“member of the GPNVO group”) from institution-related entitlements (“faculty”)
- The entitlements repository maintains the VO entitlements separately from the institution entitlements maintained in the identity provider
- The entitlements repository gives the virtual organization decision power over its own entitlements

The Fine-Grained Authorization Design
- The identity provider is in charge of authenticating the users
- The service provider is in charge of the authorization decisions
- The entitlements repository is in charge of defining and managing VO entitlements and of serving VO entitlement queries and updates
The identity provider, the service provider and the entitlements repository jointly provide a secure and robust collaboration environment for use by any VO.

Entitlements Repository Design (diagram)
Components: VO Entitlement Server; IdP 1, IdP 2, …, IdP n; user 1, user 2, …, user n; SP 1, SP 2, …, SP n. Labelled flows: Authenticate, Authz Assertion, VO Entitlement based Authz

The Entitlements Repository Components
- The entitlements server is the main component of the repository. It maintains the VO entitlements database and communicates securely with the clients
- The entitlements client connects to the server from a service provider to issue queries
- The entitlements client is also used by administrative users to manage the VO entitlements stored by the server, through a web interface

Entitlement Server Integration with Shibboleth (diagram)
Shibboleth components: WAYF; Identity Provider (Identity Directory, Handle Service, Attribute Authority); Service Provider (SHIRE, SHAR, Resource Manager, Resource). Exchanged: Credentials, Handle, Attributes. Added components: Entitlement Server (with ES DB), Entitlement Client App, Administrative User. Exchanged with the Entitlement Server: Command, YES/NO, Handle, VO Entitlement, Credentials (numbered steps 8, 9 and 11 in the diagram)

Simplified Design (diagram)
Participants: User, Service Provider, Entitlement Server, Identity Provider. Page 1: request by URL. TCP/IP uses public key encryption for authentication and privacy

Getting Authenticated (screenshot)

Entering the VO Environment (screenshot)

A Menu of Services (screenshot)

Not Everyone is Authorized (screenshot)
When Peter asks for Biotools he is refused

Bioinformatics Tools (screenshot)

Entitlements Server’s User Roles
- USER access: low-privilege role that lets service providers check a user’s VO entitlements in order to determine whether the user can be granted access to their computing resources
- ADMIN access: administrative users have access to the records of their own institution or virtual organization. They are able to add a new record, delete an existing record, and look up or display VO entitlements
- ROOT access: root-level administrative users have access to the entire database; they can add or delete any record and search the entire database for VO entitlements
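The three roles above are a small least-privilege model for the entitlements database, and the part worth getting right is the ADMIN scope: an administrator may touch only records of their own institution or their own VO. The Go program below is an added example written for this page, not the server's own code. How a scope is expressed (Realm for an institutional administrator, VOPrefix for a VO administrator), the Account type and all principal names are constructed assumptions; the slides only state the three roles and what each may do.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Role is one of the three access levels the entitlement server distinguishes.
type Role int

const (
	RoleUser  Role = iota // service providers: lookups only
	RoleAdmin             // administrators of one institution or one VO
	RoleRoot              // the whole database
)

// Account is a client of the server. Realm and VOPrefix are an added assumption
// for how an ADMIN's "own institution or virtual organization" is expressed:
// the domain part of its principals, or the VO entitlement prefix it owns.
type Account struct {
	Name     string
	Role     Role
	Realm    string // e.g. "idp.example" for an institutional administrator
	VOPrefix string // e.g. "urn:mace:greatplains.net:biosci" for a VO administrator
}

var ErrForbidden = errors.New("forbidden for this role or scope")

// inScope reports whether acct may change the record (principal, entitlement).
func (a Account) inScope(principal, ent string) bool {
	switch a.Role {
	case RoleRoot:
		return true
	case RoleAdmin:
		byRealm := a.Realm != "" && strings.HasSuffix(principal, "@"+a.Realm)
		byVO := a.VOPrefix != "" && strings.HasPrefix(ent, a.VOPrefix)
		return byRealm || byVO
	}
	return false
}

// EntitlementDB maps principal -> set of VO entitlements (constructed, in-memory).
type EntitlementDB struct{ records map[string]map[string]bool }

func NewEntitlementDB() *EntitlementDB {
	return &EntitlementDB{records: map[string]map[string]bool{}}
}

// Lookup is open to every role: it is what a service provider (USER) calls.
func (db *EntitlementDB) Lookup(principal, ent string) bool {
	return db.records[principal][ent]
}

func (db *EntitlementDB) Add(acct Account, principal, ent string) error {
	if !acct.inScope(principal, ent) {
		return ErrForbidden
	}
	if db.records[principal] == nil {
		db.records[principal] = map[string]bool{}
	}
	db.records[principal][ent] = true
	return nil
}

func (db *EntitlementDB) Delete(acct Account, principal, ent string) error {
	if !acct.inScope(principal, ent) {
		return ErrForbidden
	}
	delete(db.records[principal], ent) // no-op when the principal has no records
	return nil
}

// Search lists the principals holding ent: ROOT sees the entire database,
// ADMIN only what lies in its own scope, USER nothing at all.
func (db *EntitlementDB) Search(acct Account, ent string) ([]string, error) {
	if acct.Role == RoleUser {
		return nil, ErrForbidden
	}
	var out []string
	for p, ents := range db.records {
		if ents[ent] && acct.inScope(p, ent) {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out, nil
}

func main() {
	db := NewEntitlementDB()
	bio := Account{Name: "biosci-admin", Role: RoleAdmin, VOPrefix: "urn:mace:greatplains.net:biosci"}
	fmt.Println(db.Add(bio, "alice@idp.example", "urn:mace:greatplains.net:biosci"))
	fmt.Println(db.Add(bio, "alice@idp.example", "urn:mace:greatplains.net:geo"))
	fmt.Println(db.Lookup("alice@idp.example", "urn:mace:greatplains.net:biosci"))
}
```

The scope check sits in one place (inScope) and every mutating operation goes through it, so a new operation cannot silently skip the check; Search reuses the same predicate to filter what an ADMIN is allowed to see.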

The Entitlements Repository Protocol (diagram)
Parties: the Client Application (service provider or administrative user) and the Entitlement Server. Server components: AUTH/AUTHN, Communication, AUTH/AUTHZ, SERVICE, Entitle DB, Time DB, Symkey DB. Exchanged: Credentials, Auth Message, Session ID, Secured Message Exchange, DB Commands (steps 1 to 5 in the diagram)

Entitlement Server Operation Types
- SP_SETUP is the operation used initially to set up a secure communication channel between the service provider and the entitlement server
- SP_LOOKUP is the operation used by the service provider to query the entitlement server
- SP_USE is the operation used to carry administrative users’ updates and queries to the entitlement server

Entitlement Server Databases
- The Entitlement Database stores all the VO entitlements managed by the server
- The Time Database stores session time stamps
- The Symkey Database stores the symmetric keys used to communicate with the various service providers

Secure Communication Channel
- Any communication with the entitlement server takes place over a 3DES-encrypted channel
- RSA private/public keys are used to establish a symmetric key
- The symmetric key is generated during the SP_SETUP operation
- The symmetric key is valid only for a limited period of time or session
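The protocol, operation and database slides above fit together as one exchange: SP_SETUP wraps a fresh symmetric key with the server's RSA key and opens a session that the Time Database lets expire, and SP_LOOKUP then travels sealed under that key and is answered YES or NO. The Go program below is an added example written for this page, not the entitlement server's own code; SP_USE is left out. 3DES and RSA are as the slides state them; CTR mode, RSA-OAEP, the wire form "SP_LOOKUP <principal> <entitlement>", hex session identifiers and the principal names are constructed assumptions.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"time"
)

// EntitlementServer: the server's RSA key plus the three databases from the slides.
type EntitlementServer struct {
	Key     *rsa.PrivateKey
	Entitle map[string]map[string]bool // principal -> VO entitlements
	Symkey  map[string]cipher.Block    // session ID -> 3DES session key
	Time    map[string]time.Time       // session ID -> when SP_SETUP completed
	TTL     time.Duration              // how long a session key stays valid
}

func NewServer(ttl time.Duration) (*EntitlementServer, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &EntitlementServer{Key: k, Entitle: map[string]map[string]bool{},
		Symkey: map[string]cipher.Block{}, Time: map[string]time.Time{}, TTL: ttl}, err
}

// nonce draws n random bytes; crypto/rand.Read cannot fail on Go 1.24+ (it panics instead).
func nonce(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// ClientSetup is the SP half of SP_SETUP: a fresh 24-byte 3DES key, wrapped for the
// server with RSA-OAEP (OAEP is an assumption; the slides only say RSA).
func ClientSetup(pub *rsa.PublicKey) (cipher.Block, []byte, error) {
	key := nonce(24)
	block, _ := des.NewTripleDESCipher(key) // cannot fail: the key is exactly 24 bytes
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return block, wrapped, err
}

// SPSetup is the server half: unwrap the key, open a session, stamp its start time.
func (s *EntitlementServer) SPSetup(wrapped []byte) (string, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.Key, wrapped, nil)
	if err != nil {
		return "", fmt.Errorf("SP_SETUP rejected: %w", err)
	}
	block, err := des.NewTripleDESCipher(key) // anything but a 24-byte key fails here
	if err != nil {
		return "", fmt.Errorf("SP_SETUP rejected: %w", err)
	}
	id := fmt.Sprintf("%x", nonce(16))
	s.Symkey[id], s.Time[id] = block, time.Now()
	return id, nil
}

// Seal and Open: 3DES in CTR mode with a random IV prepended. This is the
// confidentiality the slides describe and nothing more (see the note below).
func Seal(block cipher.Block, pt []byte) []byte {
	iv := nonce(block.BlockSize())
	out := append(iv, pt...)
	cipher.NewCTR(block, iv).XORKeyStream(out[len(iv):], pt)
	return out
}

func Open(block cipher.Block, ct []byte) ([]byte, error) {
	bs := block.BlockSize()
	if len(ct) < bs {
		return nil, errors.New("malformed ciphertext")
	}
	pt := make([]byte, len(ct)-bs)
	cipher.NewCTR(block, ct[:bs]).XORKeyStream(pt, ct[bs:])
	return pt, nil
}

// Handle serves one sealed "SP_LOOKUP <principal> <entitlement>" (the wire form is an
// assumption) on a live session and answers YES or NO, sealed under the same key.
// An expired session is dropped, so the SP has to repeat SP_SETUP.
func (s *EntitlementServer) Handle(sid string, ct []byte) ([]byte, error) {
	block, ok := s.Symkey[sid]
	if !ok {
		return nil, errors.New("unknown session")
	}
	if time.Since(s.Time[sid]) > s.TTL {
		delete(s.Symkey, sid)
		delete(s.Time, sid)
		return nil, errors.New("session expired; repeat SP_SETUP")
	}
	pt, err := Open(block, ct)
	f := strings.Fields(string(pt))
	if err != nil || len(f) != 3 || f[0] != "SP_LOOKUP" {
		return nil, errors.New("unreadable or unsupported command")
	}
	answer := "NO"
	if s.Entitle[f[1]][f[2]] {
		answer = "YES"
	}
	return Seal(block, []byte(answer)), nil
}
```

An SP drives this as ClientSetup, SPSetup, then Seal a command, Handle it and Open the reply; a command sealed under a foreign key decrypts to garbage and is refused, and a backdated session is purged on its next use. Two things the slides leave open matter in a deployment: the SP must hold an authentic copy of the server's public key before SP_SETUP, or the wrapped key goes to whoever answered, and encryption alone gives no integrity, so an on-path party could flip bits in a YES/NO reply unnoticed; a MAC over session ID and ciphertext, or an AEAD in place of the legacy 3DES, closes that gap.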

Entitlement Server Web Interfaces (six screenshot slides)

Conclusions
- The entitlement repository and its prototype implementation facilitate secure and robust collaboration between groups of research institutions
- The entitlement repository provides for refined access control decisions at the service provider
- The entitlement repository allows the virtual organization’s infrastructure to control its VO entitlements
- The entitlement repository is a complement to the identity provider

Questions? A Live Tour