GridShib. CIP Seminar, December 6th, 2005. Tom Scavo and Von Welch, NCSA
Dec. 6th, 2005, CIP GridShib Seminar

What is GridShib
NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
–Funded under the NSF NMI program
GridShib team: NCSA, U. Chicago, ANL
–Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth design team
Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib
The single system story (figure: one system, one password)
Along came more systems… (figure: several systems, still one password each)
And more passwords… (figure: each system with its own password: MyDogsName, drowssap, pAsSwOrD, Pass-wurd, and so on)
Enterprise Authentication
Central authentication for a number of systems in an organization
–Simply put, one central authority at a site for your password instead of each computer having its own
A number of systems exist:
–Kerberos, Windows Domains, RADIUS, NIS, LDAP, etc.

Enterprise Auth (figure: one password, checked by a central authority on behalf of all the site's systems)

Ok, the world is good now?
Well, it's better, inside a single organization at least.
But what happens when you want to log in somewhere else?
Along come other sites… (figure: the user's password at NCSA, plus SDSC and other sites)
And more passwords… (figure: one password per site: Pa55w0rd, Sesame, PrettyPlease, KnockKnock, …)
And then came the Web… (figure: the same, now with Amazon, Ebay, NYTimes, MyBank, AA.com, travelocity, Gmail, and passwords such as s3cr3t and mypass)
Inter-site authentication
All this created a huge usability problem for users
–Multiple passwords are hard to manage
–Cumbersome to enter passwords over and over
A number of approaches have been tried to solve these problems
–Both in the web and computing worlds
We present a brief survey here
–Starting with the computing world…
Site-to-Site Federations
Sites agree to couple their authentication systems
–E.g., Kerberos, RADIUS
Works but is difficult
–Requires interoperable site authentication systems
–Requires that sites agree at the highest level; since some systems like Kerberos are used for the most trusted assets, this can be hard
SSH Public Keys
SSH allows a user to establish their own keys, which they can use to log into any computer
The user establishes their own network
Works well, but
–Requires that sites support SSH (much easier than Kerberos)
–User-managed: keys must be everywhere for this to work
–If a key is compromised, how do we clean up? How do we even know?
X.509 Certificates
E.g., Grid
Each user gets a private key and a global identity
A certificate allows a key to be lost but the identity to persist
But…
–Still user-managed keys, as with SSH
–Getting certificates can be a pain
Online X.509 Certificate Authorities
Started for the web
–U. Michigan KCA
Now used in the Grid: FNAL, MyProxy
Turn local authentication into an X.509 certificate that can be used globally
Allows sites to federate by turning local authentication into a standard format (X.509)
Meanwhile, in the web…
Microsoft Passport
One authentication server for all users on the web that holds their passwords
Major sociological issues
–No one wants to trust Microsoft to hold their password to everything
–No one wants Microsoft to know what web sites they are using
There is probably no single entity that would be trusted
Liberty Alliance
In response to Passport…
Allows users to link their accounts together
–E.g., I can say … is also … is also …
I log into one site, and it can tell the others I've logged in so they don't have to re-authenticate me
Was a strong motivation for SAML
Shibboleth
From the higher-education community
Motivated by university users wanting access to databases and online libraries
Allows a site to express local authentication in a standard format (SAML)
Also allows a site to express attributes about a user in a standard format (eduPerson)
–E.g., student, professor, department
Growing adoption; federations of sites that allow cross-site authentication
Summary
There has been an explosion of passwords as more systems and web services have emerged
Intra-site authentication is largely well controlled with various solutions, but inter-site is still unsolved
Both the web and computing communities have come up with solutions
Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib
Attribute-based authorization
So far we've talked about identity-based authorization
–E.g., vwelch can access this web page/computer/bank account/etc.
–Authentication: establishing who you are
–Authorization: establishing that you are allowed to do something
This works well when you are providing a service to a relatively small number of people

Attribute-based authorization
Often it's more scalable to talk about authorization based on attributes
–E.g., any NCSA staff member can access this web page
–E.g., any UIUC staff member or student can use the library
So often the process is: authentication (who), establish attributes (what), and use those attributes to decide if something is allowed
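The two rules on this slide, evaluated the way a relying party would, as an added example that is not part of the deck. It contrasts an identity list with attribute rules over eduPersonScopedAffiliation, and adds the check a practitioner needs in a federation: the asserting IdP must be authoritative for the scope it asserts, or any IdP could claim "staff@uiuc.edu" for its users. The IdP identifiers, the sample users and the policy format are assumptions made for the example.

```python
"""Added example (not from the GridShib slides): identity-based versus
attribute-based authorization for the two rules on the slide.  Attribute
names follow eduPerson; IdP identifiers, users and policy format are assumed."""
from dataclasses import dataclass, field

# Which IdP may speak for which scope (assumed federation metadata).  Without
# this check any IdP in the federation could assert "staff@uiuc.edu".
AUTHORITATIVE_SCOPES = {
    "urn:example:idp:uiuc": {"uiuc.edu", "ncsa.uiuc.edu"},
    "urn:example:idp:osu": {"osu.edu"},
}


@dataclass
class Principal:
    identity: str                                   # eduPersonPrincipalName
    asserted_by: str                                # providerId of the asserting IdP
    affiliations: set = field(default_factory=set)  # eduPersonScopedAffiliation values


# Identity-based: one entry per person; every new hire means an edit here.
WEBPAGE_ACL = {"alice@ncsa.uiuc.edu"}


def identity_allows(principal, acl):
    return principal.identity in acl


@dataclass(frozen=True)
class AffiliationRule:
    values: frozenset   # any one of these affiliations satisfies the rule
    scope: str          # the organisation the affiliation must be scoped to


# Attribute-based: one rule per population, the slide's two examples.
POLICY = {
    "webpage": AffiliationRule(frozenset({"staff"}), "ncsa.uiuc.edu"),          # any NCSA staff member
    "library": AffiliationRule(frozenset({"staff", "student"}), "uiuc.edu"),    # any UIUC staff or student
}


def attribute_allows(principal, rule, authoritative=AUTHORITATIVE_SCOPES):
    """True if an asserted affiliation matches the rule AND the asserting IdP
    is authoritative for that affiliation's scope."""
    trusted = authoritative.get(principal.asserted_by, set())
    for scoped in principal.affiliations:
        value, _, scope = scoped.partition("@")
        if value in rule.values and scope == rule.scope and scope in trusted:
            return True
    return False


def decide(principal, resource, policy=POLICY):
    return attribute_allows(principal, policy[resource])


def demo():
    alice = Principal("alice@ncsa.uiuc.edu", "urn:example:idp:uiuc",
                      {"staff@ncsa.uiuc.edu", "staff@uiuc.edu"})
    carol = Principal("carol@ncsa.uiuc.edu", "urn:example:idp:uiuc",
                      {"staff@ncsa.uiuc.edu"})              # new hire, not in the ACL
    bob = Principal("bob@uiuc.edu", "urn:example:idp:uiuc", {"student@uiuc.edu"})
    # An OSU IdP claiming its user is a UIUC student: right value, wrong authority.
    mallory = Principal("mallory@osu.edu", "urn:example:idp:osu", {"student@uiuc.edu"})
    return {
        "alice_acl": identity_allows(alice, WEBPAGE_ACL),
        "carol_acl": identity_allows(carol, WEBPAGE_ACL),
        "carol_webpage": decide(carol, "webpage"),
        "bob_webpage": decide(bob, "webpage"),
        "bob_library": decide(bob, "library"),
        "mallory_library": decide(mallory, "library"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allow' if allowed else 'deny'}")
```

Carol is denied by the identity list and allowed by the attribute rule without anyone touching the policy; Mallory carries the right affiliation value but is denied because her IdP is not authoritative for uiuc.edu.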
Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib
Grid Security: The Grid Security Infrastructure
The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources
Based on a public key infrastructure, with certificate authorities and X.509 certificates

GSI: Credentials
In the GSI system each user has a set of credentials they use to prove their identity on the grid
–Consists of an X.509 certificate and private key
The long-term private key is kept encrypted with a pass phrase
–Good for security, inconvenient for repeated usage (hence the short-lived proxy certificates that appear later in this deck)
Certificates
An X.509 certificate binds a public key to a name
It includes a name and a public key (among other things) bundled together and signed by a trusted party (the Issuer)
(Figure: certificate fields Name, Issuer, Public Key, Signature)

Certificates
Similar to a passport or driver's license
(Figure: a sample driver's license for John Doe, 755 E. Woodlawn, Urbana IL, with the State of Illinois seal, beside the certificate fields Name, Issuer, Public Key, Signature)

Certificates
By checking the signature, one can determine that a public key belongs to a given user
(Figure: hash the Name, Issuer and Public Key fields; decrypt the Signature with the Issuer's public key; compare the two: Hash =? Decrypt)

Certificate Authorities (CAs)
A Certificate Authority is an entity that exists only to sign user certificates
The CA signs its own certificate, which is distributed in a trusted manner
(Figure: the CA's certificate, with Name: CA, Issuer: CA, the CA's public key and the CA's own signature)
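The "Hash =? Decrypt" diagram and the self-signed CA certificate, made concrete in an added example that is not code from the slides or from Globus. It uses textbook RSA over tiny Mersenne-prime keys with no padding, so it is not a secure signature scheme, only the mechanics: an issuer signs a digest of (name, issuer, public key); a relying party recomputes the digest, undoes the signature with the issuer's public key, and trusts the result only if the CA certificate is one it already holds. The key sizes and certificate names are assumptions for the example.

```python
"""Added example (not from the slides): a toy certificate chain showing how a
relying party decides that a public key belongs to a name.  Textbook RSA on
Mersenne primes, no padding: NOT secure, only the verification mechanics."""
import hashlib
from dataclasses import dataclass, replace

E = 65537
# Assumed toy key material: pairs of Mersenne primes, far too small for real use.
CA_PRIMES = ((1 << 31) - 1, (1 << 61) - 1)
USER_PRIMES = ((1 << 89) - 1, (1 << 107) - 1)
ROGUE_PRIMES = ((1 << 17) - 1, (1 << 127) - 1)


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class Certificate:
    name: str           # subject
    issuer: str         # who vouches for the binding
    pubkey: PublicKey   # the subject's key
    signature: int      # issuer's signature over the three fields above


def keygen(primes, e=E):
    p, q = primes
    n, phi = p * q, (p - 1) * (q - 1)
    return PublicKey(n, e), pow(e, -1, phi)   # public key, private exponent


def digest(name, issuer, pubkey, modulus):
    """The 'Hash' box: a digest of exactly the fields the signature covers."""
    tbs = f"{name}|{issuer}|{pubkey.n}|{pubkey.e}".encode()
    return int.from_bytes(hashlib.sha256(tbs).digest(), "big") % modulus


def issue(name, pubkey, issuer_name, issuer_pub, issuer_priv):
    """Issuer side: sign (name, issuer, pubkey) with the issuer's private key."""
    h = digest(name, issuer_name, pubkey, issuer_pub.n)
    return Certificate(name, issuer_name, pubkey, pow(h, issuer_priv, issuer_pub.n))


def signature_valid(cert, issuer_pub):
    """The 'Decrypt' box: undo the signature with the issuer's public key and
    compare it with a fresh hash of the certificate's own fields."""
    recovered = pow(cert.signature, issuer_pub.e, issuer_pub.n)
    return recovered == digest(cert.name, cert.issuer, cert.pubkey, issuer_pub.n)


def verify(cert, ca_cert, trust_store):
    """Relying-party side.  Trust comes only from a CA certificate that was
    distributed out of band (the trust store), never from the chain itself."""
    if ca_cert not in trust_store:
        return False
    if ca_cert.name != ca_cert.issuer or not signature_valid(ca_cert, ca_cert.pubkey):
        return False                               # not a well-formed self-signed root
    if cert.issuer != ca_cert.name:
        return False
    return signature_valid(cert, ca_cert.pubkey)


def demo():
    ca_pub, ca_priv = keygen(CA_PRIMES)
    ca_cert = issue("CA", ca_pub, "CA", ca_pub, ca_priv)            # self-signed root
    trust_store = {ca_cert}

    user_pub, _ = keygen(USER_PRIMES)
    user_cert = issue("/O=Grid/CN=John Doe", user_pub, "CA", ca_pub, ca_priv)

    # A rogue CA that also calls itself "CA" and issues a certificate for the same name.
    rogue_pub, rogue_priv = keygen(ROGUE_PRIMES)
    rogue_ca = issue("CA", rogue_pub, "CA", rogue_pub, rogue_priv)
    forged = issue("/O=Grid/CN=John Doe", rogue_pub, "CA", rogue_pub, rogue_priv)

    return {
        "genuine": verify(user_cert, ca_cert, trust_store),
        "tampered_name": verify(replace(user_cert, name="/O=Grid/CN=Jane Doe"), ca_cert, trust_store),
        "forged_by_untrusted_ca": verify(forged, rogue_ca, trust_store),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'rejected'}")
```

The forged certificate chains perfectly to the rogue CA; it is rejected only because that CA is not in the trust store, which is why the slide stresses that the CA certificate must be distributed in a trusted manner.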
Grid CAs
There are a large number of Grid CAs
–Currently this is an X.509 system that users may join by getting a certificate
–This X.509 system is independent of the user's local authentication system

Grid Online CAs
Usability issues with user-managed certificates have driven interest in online CAs
–E.g., FNAL, NERSC, KCA, MyProxy
This may lead to a federated style of authentication
Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib
What is Shibboleth?
Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy
Shibboleth is simultaneously:
1. A project
2. A specification
3. An implementation

Shibboleth Project
Shibboleth, a project of Internet2-MACE:
–Advocates a federated identity management policy framework focused on user privacy
–Develops middleware architectures to facilitate inter-institutional attribute sharing
–Manages an open source reference implementation of the Shibboleth spec
Shibboleth has made significant contributions to the SAML-based identity management space
Collaborations (figure: Shibboleth at the centre, linked to Internet2, E-Auth, Liberty, Vendors, OASIS and Educause)
Shibboleth Specification
Shibboleth is an extension of the SAML 1.1 browser profiles:
–Shibboleth Browser/POST Profile
–Shibboleth Browser/Artifact Profile
–Shibboleth Attribute Exchange Profile
See the Shibboleth spec for details: S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.

Shibboleth Implementation
The Shibboleth implementation consists of two components:
1. Shibboleth Identity Provider
2. Shibboleth Service Provider
The Identity Provider is a J2EE webapp
The Service Provider is a C++ Apache module
–A pure Java Service Provider is in beta
The Shibboleth Wiki
For example, the Shibboleth wiki (hosted at ohio-state.edu) is "shibbolized": state.edu/twiki/bin/view/GridShib/WebHome
To edit wiki pages, a user must be known to the wiki
Users have wikiNames but do not have wiki passwords
Users log into their home institution, which asserts the user's identity to the wiki
Shib Browser Profile
The user clicks the link "Login via InQueue IdP"
This initiates a sequence of steps known as the Shibboleth Browser Profile
(Figure: Client, InQueue, UIUC, OSU)
Shib Browser Profile
InQueue provides a "Where Are You From?" service
The user chooses their preferred identity provider from a menu
(Figure: Client, InQueue, UIUC, OSU)
Shib Browser Profile
The user is redirected to the UIUC login page
After login, the user is issued a SAML assertion and redirected back to the wiki
(Figure: Client, InQueue, UIUC, OSU)
Shib Browser Profile
After validating the assertion, the wiki (acting as SP) retrieves user attributes via the back-channel Shib attribute exchange
(Figure: Client, InQueue, UIUC, OSU)

Asserting Identity
Initially, the user is unknown to the wiki
After querying the home institution, the wiki knows the user's identity
"trscavo-uiuc.edu" is wiki-speak for the user's eduPersonPrincipalName, an identity attribute asserted by the user's home institution

OpenIdP.org
By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki: state.edu/twiki/bin/view/GridShib/WebHome
Other users can register at openidp.org, which is a zero-admin Shibboleth IdP
The openidp asserts an alternate form of identity (e-mail addresses as opposed to eduPersonPrincipalName)
The Actors
Identity Provider
–The Identity Provider (IdP) creates, maintains, and manages user identity
–A Shibboleth IdP produces SAML assertions
Service Provider
–The Service Provider (SP) controls access to services and resources
–A Shibboleth SP consumes SAML assertions
(Figure: IdP components: Authentication Authority, Attribute Authority, SSO Service, Artifact Resolution Service; SP components: Assertion Consumer Service, Attribute Requester, Resource)

Shib SSO Profiles
Shibboleth SSO profiles are SP-first
Shibboleth specifies an Authentication Request Profile
Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile
Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile

Shib AuthN Request Profile
A Shibboleth authentication request is an ordinary GET request to the IdP carrying the query parameters:
providerId=…
shire=…
target=…
time=…
The client is redirected to this location after requesting a protected resource at the SP without a security context
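Both ends of the authentication request, as an added example that is not Shibboleth's own code. In the Shibboleth 1.x profile, providerId names the requesting SP, shire is the SP's assertion consumer URL, target is the resource the user asked for, and time is the request time in seconds since the epoch. The example builds the redirect URL on the SP side and then performs the check the IdP must make before issuing anything: the shire must be one registered in federation metadata for that providerId, otherwise the IdP would deliver a signed assertion about the user to an attacker-chosen URL. The IdP SSO URL, the SP metadata and the clock-skew window are assumptions.

```python
"""Added example (not Shibboleth code): build a Shibboleth 1.x authentication
request on the SP side and validate it on the IdP side.  The four parameters are
the ones on the slide; SSO URL, SP metadata and skew window are assumed."""
import time
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SSO_URL = "https://idp.example.edu/shibboleth-idp/SSO"   # assumed

# Assumed federation metadata: each SP's providerId and the assertion consumer
# ("shire") URLs it is permitted to use.
SP_METADATA = {
    "https://wiki.example.edu/shibboleth": {
        "https://wiki.example.edu/Shibboleth.sso/SAML/POST",
        "https://wiki.example.edu/Shibboleth.sso/SAML/Artifact",
    },
}
MAX_SKEW = 300   # seconds; assumed


def build_authn_request(provider_id, shire, target, now=None):
    """SP side: the URL a client without a security context is redirected to."""
    params = {
        "providerId": provider_id,
        "shire": shire,
        "target": target,
        "time": str(int(now if now is not None else time.time())),
    }
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def check_authn_request(url, now=None, metadata=SP_METADATA, max_skew=MAX_SKEW):
    """IdP side: returns (ok, reason).  The critical check is that `shire`
    belongs to the SP named by providerId according to metadata."""
    query = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    for name in ("providerId", "shire", "target", "time"):
        if name not in query:
            return False, f"missing {name}"
    registered = metadata.get(query["providerId"])
    if registered is None:
        return False, "unknown providerId"
    if query["shire"] not in registered:
        return False, "shire not registered for this providerId"
    if urlparse(query["shire"]).scheme != "https":
        return False, "shire must be https"
    try:
        issued = int(query["time"])
    except ValueError:
        return False, "bad time"
    now = int(now if now is not None else time.time())
    if abs(now - issued) > max_skew:
        return False, "request too old or from the future"
    return True, "ok"


if __name__ == "__main__":
    url = build_authn_request("https://wiki.example.edu/shibboleth",
                              "https://wiki.example.edu/Shibboleth.sso/SAML/POST",
                              "https://wiki.example.edu/twiki/bin/view/GridShib/WebHome")
    print(url)
    print(check_authn_request(url))
```

A request whose shire points anywhere other than the registered consumer URLs is refused before the user is even asked to log in; the time check bounds how long a captured request can be replayed.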
Shib Browser/POST Profile
Browser/POST is an SP-first profile
The IdP produces an assertion at step 4, which the SP consumes at step 5
(Figure: Client; Identity Provider with Authentication Authority, Attribute Authority and SSO Service; Service Provider with Assertion Consumer Service and Resource)

Shib Attribute Exchange
A Shibboleth SP often queries an IdP for attributes after validating an authN assertion
An opaque, transient identifier called a handle is embedded in the authN assertion
The SP sends a SAML AttributeQuery message with the handle attached

Browser/POST Profile
The first 5 steps of this profile are identical to ordinary Browser/POST
Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange (steps 6 and 7)
(Figure: as above, with the SP's Attribute Requester querying the IdP's Attribute Authority at steps 6 and 7)
Directory Schema
Neither Shibboleth nor SAML defines any attributes per se
It is left to individual deployments to define their own attributes
A standard approach to user attributes is crucial
Without such standards, interoperability is impossible

eduPerson
Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson
The LDAP binding of eduPerson is derived from the standard LDAP object class inetOrgPerson [RFC 2798]
Approximately 40 attributes have been defined by InCommon as common identity attributes

InCommon Attributes
InCommon's 6 "highly recommended" attributes include:
Attribute Name        Attribute Value
givenName             Mary
sn (surname)          Smith
cn (common name)      Mary Smith
eduPersonTargetedID   ? (eduPersonTargetedID does not have a precise value syntax)
Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib
What is GridShib?
GridShib enables secure attribute sharing between Grid virtual organizations and higher-educational institutions
The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®
GridShib adds attribute-based authorization to the Globus Toolkit

Motivation
Large scientific projects have spawned Virtual Organizations (VOs)
The cyberinfrastructure and software systems to support VOs are called grids
Globus Toolkit is the de facto standard software solution for grids
Grid Security Infrastructure provides basic security services… but does it scale?
Tale of Two Technologies (figure: a Grid Client between the Globus Toolkit, with X.509 and the Grid Security Infrastructure, and Shibboleth, with SAML and a Shibboleth Federation): bridging Grid/X.509 with Shib/SAML
Grid Authentication
Globus Toolkit provides authentication services via X.509
When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
GridShib leverages the existing authentication mechanisms in GT

Grid Authorization
Today, Globus Toolkit provides identity-based authorization mechanisms:
–A list of identities (DNs) allowed to use a service or container
–A mapping of identities (DNs) to local accounts (in grid-mapfiles) for job submission
GridShib hopes to augment identity-based authorization with attribute-based authorization
GT Authorization Framework
Work is underway to develop and enhance the authorization framework in the Globus Toolkit
–Siebenlist et al. at Argonne
–Pluggable modules for processing authentication, gathering and processing attributes, and rendering decisions
Work in the OGSA-Authz WG to allow for callouts to third-party authorization services
–E.g., PERMIS
Convert attributes (SAML or X.509) into a common format for policy evaluation
–XACML-based

Why Shibboleth?
What does Shibboleth bring to the table?
–A large (and growing) installed base
–A standards-based, open source implementation
–A standard attribute vocabulary (eduPerson)
A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Shibboleth Federations
A federation
–Provides a common trust and policy framework
–Issues credentials and distributes metadata
–Provides discovery services for SPs
Shibboleth-based federations:
–InCommon (23 members)
–InQueue (157 members)
–SDSS (30 members)
–SWITCH (23 members)
–HAKA (8 members)
InCommon Federation (figure)
Use Cases
There are three use cases under consideration:
1. Established grid user (non-browser)
2. New grid user (non-browser)
3. Portal grid user (browser)
Initial efforts have concentrated on the established grid user (i.e., a user with existing long-term X.509 credentials)

Established Grid User
User possesses an X.509 end entity certificate
User may or may not use a MyProxy Server to manage X.509 credentials
User authenticates to the Grid SP with a proxy certificate (grid-proxy-init)
The current GridShib implementation addresses this use case

New Grid User
User does not possess an X.509 end entity certificate
User relies on the MyProxy Online CA to issue short-lived X.509 certificates
User authenticates to the Grid SP using the short-lived X.509 credential
Emerging GridShib Non-Browser Profiles address this use case

Portal Grid User
User does not possess an X.509 cert
User accesses the Grid SP via a browser interface, that is, the client delegates to a web application, which requests a service at the Grid SP
MyProxy issues a short-lived X.509 certificate via a back-channel exchange
GridShib Browser Profiles apply

Software Components
GridShib for Globus Toolkit
–A plugin for GT 4.0
GridShib for Shibboleth
–A plugin for the Shibboleth 1.3 IdP
Shibboleth IdP Tester
–A test application for the Shibboleth 1.3 IdP
Visit the GridShib Download page:
The Actors
Standard (non-browser) Grid Client
Globus Toolkit with GridShib installed (which we call a "Grid SP")
Shibboleth IdP with GridShib installed
(Figure: Client, Grid SP, IdP)

GridShib Attribute Pull Profile
In the current implementation, a Grid SP "pulls" attributes from a Shib IdP
The Client is assumed to have an account (i.e., a local principal name) at the IdP
The Grid SP and the IdP have each been assigned a unique identifier (providerId)
(Figure: Client, Grid SP, IdP)

GridShib Attribute Pull, Step 1
The Grid Client requests a service at the Grid SP
The Client presents a standard proxy certificate to the Grid SP
The Client also provides a pointer to its preferred IdP
(Figure: step 1, Client to Grid SP)

IdP Discovery
The Grid SP needs to know the Client's preferred IdP
One approach is to embed the IdP providerId in the proxy certificate
This requires modifications to the MyProxy client software, however
Currently the IdP providerId is configured into the Grid SP

GridShib Attribute Pull, Step 2
The Grid SP authenticates the Client and extracts the DN from the proxy cert
The Grid SP queries the Attribute Authority (AA) at the IdP
(Figure: steps 1 and 2, Client to Grid SP, Grid SP to IdP)
Attribute Query
The Grid SP formulates a SAML attribute query whose Subject is the DN CN=GridShib,OU=NCSA,O=UIUC
The Resource attribute is the Grid SP providerId
The NameQualifier attribute is the IdP providerId
The NameIdentifier is the DN from the proxy cert
Zero or more AttributeDesignator elements call out the desired attributes

GridShib Attribute Pull, Step 3
The AA authenticates the requester and returns an attribute assertion to the Grid SP
The assertion is subject to the Attribute Release Policy (ARP)
(Figure: steps 1 to 3)

Attribute Assertion
The assertion contains an attribute statement for Subject CN=GridShib,OU=NCSA,O=UIUC, with attribute values such as member and student
The Subject is identical to the Subject of the query
Attributes may be single-valued or multi-valued
Attributes may be scoped (e.g., …)

Name Mapping
An IdP does not issue X.509 certs, so it has no prior knowledge of the DN
Solution: create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP)
# Default name mapping file
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
The DN must conform to RFC 2253

GridShib Attribute Pull, Step 4
The Grid SP parses the attribute assertion and performs the requested service
A generalized attribute framework is being developed for GT
A response is returned to the Grid Client
(Figure: step 4, Grid SP back to Client)
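Steps 2 to 4 of the attribute pull profile in miniature, as an added example that is not GridShib's code, serving the Attribute Query, Attribute Assertion and Name Mapping slides together: the Grid SP builds the AttributeQuery (Resource = SP providerId, NameQualifier = IdP providerId, NameIdentifier = the DN), the IdP's Attribute Authority maps the DN through the name mapping file shown on the slide, applies its release policy and answers with an attribute statement (including a scoped, multi-valued attribute), and the Grid SP refuses any assertion whose Subject is not the one it asked about. Element names follow the SAML 1.1 schema; the providerIds, the IdP's directory contents and its release policy are assumptions. The requester authentication, transport security and XML signature that the real exchange relies on are omitted.

```python
"""Added example, not GridShib code: the attribute-pull exchange of steps 2 to 4
in miniature (query built by the Grid SP, answered by the IdP's AA, consumed by
the Grid SP).  providerIds, directory and release policy are assumptions."""
import shlex
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_DN = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

SP_ID = "https://gridsp.example.org/shibboleth"   # assumed Grid SP providerId
IDP_ID = "urn:example:idp:uiuc"                   # assumed IdP providerId
AFFIL = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
MAIL = "urn:mace:dir:attribute-def:mail"

NAME_MAP_FILE = """# Default name mapping file
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"""
# Assumed IdP directory; scoped values are (value, scope) pairs.
DIRECTORY = {"gridshib": {AFFIL: ["member", "student"],
                          SCOPED: [("member", "uiuc.edu")],
                          MAIL: ["gridshib@example.edu"]}}
ARP = {SP_ID: {AFFIL, SCOPED}}   # assumed release policy: mail is never released to this SP


def parse_name_map(text):
    """DN -> local principal; DNs containing spaces are double-quoted."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            dn, principal = shlex.split(line)
            mapping[dn] = principal
    return mapping


def build_attribute_query(dn, designators=()):
    """Grid SP, step 2."""
    req = ET.Element(f"{{{SAMLP}}}Request", MajorVersion="1", MinorVersion="1")
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", Resource=SP_ID)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", Format=X509_DN, NameQualifier=IDP_ID).text = dn
    for name in designators:   # no designators means "everything you are willing to release"
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator", AttributeName=name, AttributeNamespace=SHIB_NS)
    return ET.tostring(req, encoding="unicode")


def answer_attribute_query(query_xml, name_map, directory=DIRECTORY, arp=ARP):
    """IdP Attribute Authority, step 3: map the DN to a principal, apply the ARP."""
    query = ET.fromstring(query_xml).find(f"{{{SAMLP}}}AttributeQuery")
    nid = query.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid.get("NameQualifier") != IDP_ID or nid.get("Format") != X509_DN:
        raise ValueError("query is not addressed to this IdP")
    principal = name_map.get(nid.text)    # unknown DN: empty statement, not an error
    wanted = {d.get("AttributeName") for d in query.findall(f"{{{SAML}}}AttributeDesignator")}
    releasable = arp.get(query.get("Resource"), set())
    assertion = ET.Element(f"{{{SAML}}}Assertion", MajorVersion="1", MinorVersion="1", Issuer=IDP_ID)
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    subject = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", Format=X509_DN, NameQualifier=IDP_ID).text = nid.text
    for name, values in directory.get(principal, {}).items():
        if name not in releasable or (wanted and name not in wanted):
            continue
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", AttributeName=name, AttributeNamespace=SHIB_NS)
        for value in values:
            av = ET.SubElement(attr, f"{{{SAML}}}AttributeValue")
            if isinstance(value, tuple):   # scoped value: text plus a Scope attribute
                av.text, av.attrib["Scope"] = value
            else:
                av.text = value
    return ET.tostring(assertion, encoding="unicode")


def consume_attribute_assertion(assertion_xml, expected_dn):
    """Grid SP, step 4: the Subject must be the one queried for; then collect values."""
    assertion = ET.fromstring(assertion_xml)
    stmt = assertion.find(f"{{{SAML}}}AttributeStatement")
    nid = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if assertion.get("Issuer") != IDP_ID or nid.get("NameQualifier") != IDP_ID or nid.text != expected_dn:
        raise ValueError("assertion Subject does not match the query")
    attrs = {}
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        attrs[attr.get("AttributeName")] = [
            (av.text, av.get("Scope")) if av.get("Scope") else av.text
            for av in attr.findall(f"{{{SAML}}}AttributeValue")]
    return attrs


def run_exchange(dn, designators=()):
    """Whole round trip for one proxy-certificate DN."""
    name_map = parse_name_map(NAME_MAP_FILE)
    assertion = answer_attribute_query(build_attribute_query(dn, designators), name_map)
    return consume_attribute_assertion(assertion, dn)


if __name__ == "__main__":
    print(run_exchange("CN=GridShib,OU=NCSA,O=UIUC"))
```

A DN absent from the name mapping file yields an assertion with an empty attribute statement, so the Grid SP's policy sees no attributes and denies; a mail attribute in the directory never reaches the SP because the ARP does not release it.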
Future Work
Solve the IdP Discovery problem
–Implement shib-proxy-init
Implement DB-based name mapping
Provide name mapping maintenance tools (for administrators)
Design an interactive name registry service (for users)
Devise metadata repositories and tools

Shib Browser Profile
Consider a Shib browser profile stripped to its bare essentials
Authentication and attribute assertions are produced at steps 2 and 5, respectively
The SAML Subject in the authentication assertion becomes the Subject of the subsequent attribute query
(Figure: Client, IdP, SP, steps 1 and 2)

GridShib Non-Browser Profile
Replace the SP with a Grid SP and the browser client with a non-browser client
Three problems arise:
–The Client must possess an X.509 credential to authenticate to the Grid SP
–The Grid SP needs to know which IdP to query (IdP Discovery)
–The IdP must map the SAML Subject to a local principal
(Figure: Client, Grid SP, IdP)
The Role of MyProxy
Consider a new grid user instead of the established grid user
For a new grid user, we are led to a significantly different solution
Obviously, we must issue an X.509 credential to a new grid user
A short-lived credential is preferred
Enter MyProxy Online CA…

MyProxy-first Attribute Pull
MyProxy with Online CA
MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC (end entity certificate)
IdP collocated with MyProxy
(Figure: Client, MyProxy, IdP, Grid SP)

MyProxy-first Advantages
Relatively easy to implement
Requires only one round trip by the client
Requires no modifications to the Shib IdP
Requires no modifications to the Client
Supports multiple authentication mechanisms out of the box
Uses transparent, persistent identifiers:
–No coordination of timeouts necessary
–Mapping to a local principal is straightforward

IdP-first Non-Browser Profiles
The IdP-first profiles require no shared state between MyProxy and the IdP
Supports separate security domains
Leverages existing name identifier mappings at the IdP
IdP-first profiles may be used with either Attribute Pull or Attribute Push
Attribute Pull or Push? (figure: Pull: the Grid SP requests the user's attributes from the AA; Push: the user obtains attributes from the AA and presents them with the request)
IdP-first Attribute Pull
MyProxy with Online CA
MyProxy consumes and produces SAML authN assertions
The Client authenticates to MyProxy with a SAML authN assertion
(Figure: Client, IdP, MyProxy, Grid SP)

IdP-first Attribute Push
The IdP "pushes" an attribute assertion to the Client
The Client authenticates to MyProxy with a SAML authN assertion
MyProxy consumes both SAML authN and attribute assertions
(Figure: Client, IdP, MyProxy, Grid SP)

IdP-first Advantages
Since the IdP controls both ends of the flow:
–Mapping the NameIdentifier to a local principal is straightforward
–The choice of NameIdentifier format is left to the IdP
Attribute push simplifies IdP configuration and trust relationships
Reusable by the grid portal use case

Conclusion
Globus Toolkit is the de facto standard software solution for grids
Shibboleth is a popular approach to federated identity management
GridShib leverages existing Shibboleth deployments to add attribute-based authorization to the Globus Toolkit

Questions?
GridShib web site
Tom Scavo
Von Welch
Thank You!