Gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
Federated Identity for Grid Architects Tom Scavo NCSA
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
GT 4 Security Goals & Plans Sam Meder
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham.
WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
GridShib: Grid-Shibboleth Integration (Identity Federation and Grids) April 11, 2005 Von Welch
GridShib Project Update Tom Barton 1, Tim Freeman 1, Kate Keahey 1, Raj Kettimuthu 1, Tom Scavo 2, Frank Siebenlist 1, Von Welch 2 1 University of Chicago.
SC06 – Powerful Beyond Imagination Tampa, FL Nov 14, 2006 Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure.
Identity Management Report By Jean Carreon and Marlon Gonzales.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
MyVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center.
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.
GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist,
GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Saml-v1_x-tech-overview-dec051 Security Assertion Markup Language SAML 1.x Technical Overview Tom Scavo NCSA.
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
1 Globus Toolkit Security Rachana Ananthakrishnan Frank Siebenlist Argonne National Laboratory.
Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1, Jim Basney 2, Tim Freeman.
GridShib: Campus/Grid RBAC Integration Penn State Grid Computing Workshop August 5th, 2005 Von Welch
GridShib CIP Seminar December 6th, 2005 Tom Scavo Von Welch NCSA.
OGF22 25 th February 2008 OGF22 Demo Slides Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland
Gridshib-tech-overview-dec051 GridShib A Technical Overview Tom Scavo NCSA.
Leveraging Campus Authentication for Grid Scalability Jim Jokl Marty Humphrey University of Virginia Internet2 Meeting April 2004.
Overview of Privilege Project at Fermilab (compilation of multiple talks and documents written by various authors) Tanya Levshina.
GridShib and PERMIS Integration: Adding Policy driven Role-Based Access Control to Attribute-Based Authorisation in Grids Globus Toolkit is an open source.
Tools for Grid/Campus Integration: GridShib and MyProxy Internet2 Advanced Camp July 1, 2005 Von Welch
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
GridShib Grid-Shibboleth Integration An Overview Von Welch
1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands.
Shibboleth A Technical Overview
1 AHM, 2–4 Sept 2003 e-Science Centre GRID Authorization Framework for CCLRC Data Portal Ananta Manandhar.
EMI is partially funded by the European Commission under Grant Agreement RI Federated Grid Access Using EMI STS Henri Mikkonen Helsinki Institute.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
Shibboleth Use at the National e-Science Centre Hub Glasgow at collaborating institutions in the Shibboleth federation depending.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
University of Illinois at Urbana-Champaign National Center for Supercomputing Applications GridShib Grid/Shibboleth Interoperability
Virtual Organisations and the NGS Mike Jones Research Computing Services e-Science & “The Grid” for Bio/Health Informaticians, IT January 2008.
2NCSA/University of Illinois
Shibboleth for Non-Web-Based Applications: GridShib
NSF Middleware Initiative: GridShib
GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey,
TeraGrid 08 Tom Scavo, Jim Basney , Terry Fleury, Von Welch
A Grid Authorization Model for Science Gateways
TeraGrid Identity Federation Testbed Update I2MM April 25, 2007
NSF Middleware Initiative: GridShib
Presentation transcript:

gridshib-tech-overview-apr061 GridShib A Technical Overview Tom Scavo NCSA

gridshib-tech-overview-apr062 Overview GridShib project details GridShib use cases GridShib implementation GridShib attribute pull profile GridShib-MyProxy integration GridShib browser profile

gridshib-tech-overview-apr063 What is GridShib? GridShib enables secure attribute sharing among Grid virtual organizations and higher-educational institutions The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth® GridShib adds attribute-based authorization to Globus Toolkit

gridshib-tech-overview-apr064 Some Background Large scientific projects have spawned Virtual Organizations (VOs) The cyberinfrastructure and software systems to support VOs are called grids Globus Toolkit is the de facto standard software solution for grids Grid Security Infrastructure (GSI) provides basic security services for grids

gridshib-tech-overview-apr065 Grid Authentication Globus Toolkit provides authentication services via X.509 credentials When requesting a service, the user presents an X.509 certificate, usually a proxy certificate GridShib leverages the existing authentication mechanisms in GT

gridshib-tech-overview-apr066 Grid Authorization Today, Globus Toolkit provides identity- based authorization mechanisms: –Access control lists (called grid-mapfiles) map DNs to local identity (e.g., Unix logins) –Community Authorization Service (CAS) PERMIS and VOMS GridShib provides attribute-based authorization based on Shibboleth

gridshib-tech-overview-apr067 GridShib Project Motivation VOs are difficult to manage –Goal: Leverage existing identity management infrastructure Identity-based access control methods are inflexible and do not scale –Goal: Use attribute-based access control Solution: Integrate GT and Shibboleth!

gridshib-tech-overview-apr068 Tale of Two Technologies Grid Client Globus Toolkit X.509 Grid Security Infrastructure Existing GSI based on X.509…

gridshib-tech-overview-apr069 Tale of Two Technologies Grid Client Globus Toolkit Shibboleth X.509 SAML Grid Security Infrastructure Shibboleth Federation Graft Shib/SAML onto GSI/X.509

gridshib-tech-overview-apr0610 Why Shibboleth? What does Shibboleth bring to the table? –A large (and growing) installed base on campuses around the world –A standards-based, open source implementation –A standard attribute vocabulary (eduPerson) A well-developed, federated identity management infrastructure has sprung up around Shibboleth!

gridshib-tech-overview-apr0611 Shibboleth Federations A federation –Provides a common trust and policy framework –Issues credentials and distributes metadata –Provides discovery services for SPs Shibboleth-based federations: –InCommon (23 members) in U.S. –InQueue (157 members) in U.S. –SDSS (30 members) in U.K. –SWITCH (23 members) in Switzerland –HAKA (8 members) in Finland

gridshib-tech-overview-apr0612 InCommon Federation

gridshib-tech-overview-apr0613 Introduction

gridshib-tech-overview-apr0614 GridShib Project GridShib is a project funded by the NSF Middleware Initiative (NMI awards and ) GridShib is a joint project of NCSA, University of Chicago, and Argonne National Laboratory Project web site

gridshib-tech-overview-apr0615 Milestones Dec 2004, GridShib project commences Feb 2005, Developers onboard Apr 2005, Globus Toolkit 4.0 released May 2005, GridShib Alpha released Jul 2005, Shibboleth 1.3 released Sep 2005, GridShib Beta released Apr 2006, GridShib-myVocs integration

gridshib-tech-overview-apr0616 Related Projects Globus Toolkit Shibboleth MyProxy SHEBANGS Z/SHEBANGS Z/SHEBANGS

gridshib-tech-overview-apr0617 Leveraged Standards X.509 Public Key Infrastructure (RFC 3280) Proxy certificates (RFC 3820) OASIS SAML open.org/committees/tc_home.php?wg_abbrev =security#samlv11 open.org/committees/tc_home.php?wg_abbrev =security#samlv11 Internet2 Shibboleth mace-shibboleth-arch-protocols-latest.pdf mace-shibboleth-arch-protocols-latest.pdf

gridshib-tech-overview-apr0618 GridShib Use Cases Three use cases under consideration: 1.Established grid user (non-browser) 2.New grid user (non-browser) 3.Portal grid user (browser) Initial efforts concentrated on the established grid user Current efforts are focused on the new grid user

gridshib-tech-overview-apr0619 Established Grid User User possesses an X.509 end entity certificate User may or may not use MyProxy Server to manage X.509 credentials User authenticates to Grid SP with proxy certificate obtained from MyProxy The current GridShib implementation addresses this use case

gridshib-tech-overview-apr0620 New Grid User User does not possess an X.509 end entity certificate User relies on GridShib CA to issue short-lived X.509 certificates User authenticates to Grid SP using short-lived X.509 credential The myVocs-GridShib integration addresses this use case

gridshib-tech-overview-apr0621 Portal Grid User User does not possess an X.509 cert User accesses Grid SP via a browser interface, that is, the client delegates a web application to request a service at the Grid SP MyProxy issues a short-lived X.509 certificate via a back-channel exchange GridShib Browser Profiles apply

gridshib-tech-overview-apr0622 GridShib Implementation

gridshib-tech-overview-apr0623 Software Components GridShib for Globus Toolkit –A plugin for Globus Toolkit 4.0 GridShib for Shibboleth –A plugin for Shibboleth 1.3 IdP GridShib Certificate Authority –A web-based CA for new grid users Visit the GridShib Downloads page:

gridshib-tech-overview-apr0624 GridShib for Globus Toolkit GridShib for Globus Toolkit is a plugin for GT4 Features: –Standalone attribute requester –SAML attribute consumption –Attribute-based access control –Attribute-based local account mapping –SAML metadata consumption

gridshib-tech-overview-apr0625 Standalone Attribute Requester A standalone attribute requester will query a Shib AA for attributes –By “standalone” we mean a query separate from a Shib browser profile The attribute query is based on –The Subject DN of the proxy cert or –A SAML authn assertion embedded in an end-entity certificate

gridshib-tech-overview-apr0626 Attribute-based Access Control Access control based on authorization policy with respect to attributes DN-based access control Attribute caching for efficiency

gridshib-tech-overview-apr0627 GridShib for Shibboleth GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later) Features: –Name Mapper –SAML name identifier implementations X509SubjectName, Address, etc. –Certificate Registry

gridshib-tech-overview-apr0628 GridShib Name Mapper The Name Mapper is a container for name mappings Multiple name mappings are supported: –File-based name mappings –DB-based name mappings NameMapFile NameMapTable NameMapper

gridshib-tech-overview-apr0629 GridShib Certificate Registry A Certificate Registry is integrated into GridShib for Shibboleth 0.5: state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry An established grid user authenticates and registers an X.509 end-entity cert The Registry binds the cert to the principal name and persists the binding in a database On the backend, GridShib maps the DN in a query to a principal name in the DB

gridshib-tech-overview-apr0630

gridshib-tech-overview-apr0631 GridShib CA The GridShib Certificate Authority is a web- based CA for new grid users: state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA The CA issues short-term credentials suitable for authentication to a Grid SP Credentials are downloaded to the desktop via Java Web Start

gridshib-tech-overview-apr0632

gridshib-tech-overview-apr0633 Future Work Solve IdP discovery problem for grids Provide name mapping maintenance tools (for administrators) Implement a profile for attribute push Produce SAML metadata Design metadata repositories and tools

gridshib-tech-overview-apr0634 GT Authorization Framework Work is underway to develop and enhance the authorization framework in Globus Toolkit –Siebenlist et al. at Argonne –Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions Work in OGSA-Authz WG to allow for callouts to third-party authorization services –E.g., PERMIS Convert Attributes (SAML or X.509) into common format for policy evaluation –XACML-based

gridshib-tech-overview-apr0635 Classic GridShib Profile

gridshib-tech-overview-apr0636 The GridShib Actors Standard (non-browser) Grid Client Globus Toolkit with GridShib installed (called a “Grid SP”) Shibboleth IdP with GridShib installed IdP Grid SP CLIENTCLIENT CLIENTCLIENT

gridshib-tech-overview-apr0637 GridShib Attribute Pull Profile In the “Classic GridShib” profile, a Grid SP “pulls” attributes from a Shib IdP The Client is assumed to have an account (i.e., local principal name) at the IdP The Grid SP and the IdP have been assigned a unique identifier (providerId) IdP Grid SP CLIENTCLIENT CLIENTCLIENT

gridshib-tech-overview-apr GridShib Attribute Pull Step 1 The Grid Client requests a service at the Grid SP The Client presents an X.509 certificate to the Grid SP The Client also provides a pointer to its preferred IdP –This is the so-called IdP Discovery problem IdP Grid SP CLIENTCLIENT CLIENTCLIENT

gridshib-tech-overview-apr0639 IdP Discovery The Grid SP needs to know the Client’s preferred IdP One approach is to embed the IdP providerId in the proxy certificate Another approach is to use an IdP proxy (such as myVocs) Currently the IdP providerId is configured into the Grid SP

gridshib-tech-overview-apr GridShib Attribute Pull Step 2 The Grid SP authenticates the Client and extracts the DN from the proxy cert The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier IdP Grid SP CLIENTCLIENT CLIENTCLIENT

gridshib-tech-overview-apr0641 Attribute Query The Grid SP formulates a SAML attribute query: CN=GridShib,OU=NCSA,O=UIUC The Resource attribute is the Grid SP providerId The NameQualifier attribute is the IdP providerId The NameIdentifier is the DN from the proxy cert Zero or more AttributeDesignator elements call out the desired attributes (but empty queries are the norm today)

gridshib-tech-overview-apr GridShib Attribute Pull Step 3 The AA authenticates the requester and maps the DN to a local principal name The AA returns an attribute assertion to the Grid SP –The assertion is subject to Attribute Release Policy (ARP) at the IdP IdP Grid SP CLIENTCLIENT CLIENTCLIENT

gridshib-tech-overview-apr0643 Attribute Assertion The assertion contains an attribute statement: CN=GridShib,OU=NCSA,O=UIUC member student The Subject is identical to the Subject of the query Attributes may be single-valued or multi-valued Attributes may be scoped (e.g., )

gridshib-tech-overview-apr0644 Name Mapping File An IdP does not issue X.509 certs so it has no prior knowledge of the DN Solution: Create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP) # Default name mapping file CN=GridShib,OU=NCSA,O=UIUC gridshib "CN=some user,OU=People,DC=doegrids" test The DN must conform to RFC 2253

gridshib-tech-overview-apr0645 Name Mapping Table The Name Mapper supports table- based name mappings (in addition to files) Define a JDBC source in a config file (JDBC driver, JDBC URL, etc.) Relational scripts and tools are provided

gridshib-tech-overview-apr GridShib Attribute Pull Step 4 The Grid SP parses the attribute assertion and performs the requested service The attributes are cached as necessary A response is returned to the Grid Client IdP Grid SP CLIENTCLIENT CLIENTCLIENT

gridshib-tech-overview-apr0647 GridShib-MyProxy Integration

gridshib-tech-overview-apr0648 Shib Browser Profile Consider a Shib browser profile stripped to its bare essentials Authentication and attribute assertions are produced at steps 2 and 5, resp. The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step IdP SP CLIENTCLIENT 1 2

gridshib-tech-overview-apr0649 GridShib Non-Browser Profile Replace the SP with a Grid SP and the browser client with a non-browser client Three problems arise: –Client must possess X.509 credential to authenticate to Grid SP –Grid SP needs to know what IdP to query (IdP Discovery) –The IdP must map the SAML Subject to a local principal IdP Grid SP CLIENTCLIENT

gridshib-tech-overview-apr0650 The Role of MyProxy Consider a new grid user instead of the established grid user For a new grid user, we are led to a significantly different solution Obviously, we must issue an X.509 credential to a new grid user A short-lived credential is preferred Enter MyProxy Online CA…

gridshib-tech-overview-apr0651 MyProxy-first Attribute Pull MyProxy with Online CA MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC IdP collocated with MyProxy IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr MyProxy-first Attribute Pull Step 1 A MyProxy Client sends a MyProxy Protocol request to a MyProxy Server Any authentication method supported by MyProxy may be used IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr MyProxy-first Attribute Pull Step 2 The MyProxy Server authenticates the requester MyProxy issues an X.509 credential with embedded authN assertion The credential is returned in a MyProxy Protocol response IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr0654 Authentication Assertion MyProxy inserts an assertion containing a minimal authentication statement into the certificate: AuthenticationMethod may be used by Grid SP The NameQualifier attribute is the IdP providerId The IdP easily maps the NameIdentifier to the desired local principal

gridshib-tech-overview-apr MyProxy-first Attribute Pull Step 3 A Grid Client requests a service at a Grid SP The client presents the decorated X.509 certificate obtained from MyProxy IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr MyProxy-first Attribute Pull Step 4 The Grid SP authenticates the Client and processes the assertion The Grid SP queries the Shib Attribute Authority (AA) referred to in the assertion IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr MyProxy-first Attribute Pull Step 5 The AA authenticates the requester and returns an attribute assertion to the Grid SP The assertion is subject to policy IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr MyProxy-first Attribute Pull Step 6 The Grid SP parses the attribute assertion and makes an access control decision A response is returned to the Client IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr0659 MyProxy-first Advantages Relatively easy to implement Requires only one round trip by the client Requires no modifications to the Shib IdP Requires no modifications to the Client Supports multiple authentication mechanisms out-of-the-box Uses transparent, persistent identifiers: –No coordination of timeouts necessary –Mapping to local principal is straightforward

gridshib-tech-overview-apr0660 IdP-first Non-Browser Profiles The IdP-first profiles require no shared state between MyProxy and the IdP Supports separate security domains Leverages existing name identifier mappings at the IdP IdP-first profiles may be used with either Attribute Pull or Attribute Push

gridshib-tech-overview-apr0661 Attribute Pull or Push? attributes user AA Grid SP user AA request attributes Pull Push

gridshib-tech-overview-apr0662 IdP-first Attribute Pull MyProxy with Online CA MyProxy consumes and produces SAML authN assertions The Client authenticates to MyProxy with a SAML authN assertion IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr0663 IdP-first Attribute Push The IdP “pushes” an attribute assertion to the Client The Client authenticates to MyProxy with a SAML authN assertion MyProxy consumes both SAML authN and attribute assertions IdP Grid SP MyProxy CLIENTCLIENT

gridshib-tech-overview-apr0664 IdP-first Advantages Since IdP controls both ends of the flow: –Mapping NameIdentifier to a local principal is straightforward –Choice of NameIdentifier format is left to the IdP Attribute push simplifies IdP config and trust relationships Reusable by grid portal use case

gridshib-tech-overview-apr0665 GridShib Browser Profiles

gridshib-tech-overview-apr0666 IdP-first Browser Profiles As a consequence of the IdP-first Non- Browser profiles, MyProxy gains the ability to consume SAML assertions If we replace the non-browser client with a web component, we can reuse that functionality in the following GridShib Browser Profile

gridshib-tech-overview-apr0667 IdP-first Attribute Pull The first three steps are normal Shib Browser/POST A Shib SP is protecting a web version of MyProxy Client IdP Grid SP MyProxy CLIENTCLIENT SP

gridshib-tech-overview-apr0668 The 3-tier Problem How does the browser user delegate authority to the web component to retrieve an X.509 credential on its behalf? This problem is an instance of the so- called n-tier problem (n = 3)

gridshib-tech-overview-apr0669 Delegation Profile No widely accepted solution to this problem exists today The Shib Project is proposing Liberty WSF 2.0: state.edu/twiki/bin/view/Shibboleth/Liber tyAllianceProject state.edu/twiki/bin/view/Shibboleth/Liber tyAllianceProject The implications for GridShib are not clear at this point

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.