GridShib: Grid-Shibboleth Integration (Identity Federation and Grids)
April 11, 2005
Von Welch, vwelch@ncsa.uiuc.edu
http://grid.ncsa.uiuc.edu/GridShib/
April 11, 2005, GridShib: UK eScience Security Workshop

What is GridShib?
NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
 – Funded under NSF award SCI-0438424
Goal: GT 4.2 & Shibboleth 1.3
GridShib team: NCSA, U. Chicago, ANL
 – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth design team
Why? Someone else…
Leverage Shibboleth code base
 – Someone else is writing and debugging it
Leverage Shibboleth deployments
 – Someone else is supporting them
Leverage larger issues going on in the Identity Federation world
 – Someone else is helping to write them
 – Even more someone elses will be writing and deploying them
 – SAML standard, profiles
Leverage someone else’s attributes?
 – Are campus attributes useful to Grids?
Outline
Low-level technical discussion
 – Shibboleth
 – GridShib
Higher-level discussion of Identity Federation for Grids
 – How do sites federate to support a VO?
Shibboleth Federation Model
[Diagram; labels: Attrs, IDs (two sites), SAML]
Shibboleth (Simplified)
[Diagram; labels: Attrs, IDs, Shibboleth, Handle, Attributes, SAML]
GridShib (Simplified)
[Diagram; labels: Attrs, IDs, Shibboleth, DN, Attributes, DN, SAML, SSL/TLS, WS-Security]
GridShib Goals
Work with others to standardize X.509 profile for Shibboleth/SAML AA
Change as little as possible on Shibboleth side
 – Limit to installation of new NameMapper plug-in for Shibboleth to recognize and map DNs to local identities
Privacy
 – In “V2”
GridShib Goals (cont)
Modifications to GT to request, receive and parse SAML attributes from Shib
 – Frank Siebenlist’s earlier talk
General PDP functionality
 – Grid use cases can be very complicated and varied in terms of authz policy
 – Try to support the union of many “simple” cases
 – Allow for deployment of custom PDPs
Higher-level Issues
How does Identity Federation apply to Grids?
Shibboleth model is very good for allowing a single site to federate its users’ attributes
If the site attributes are all that matter, then this is all you need
 – E.g. a “campus grid” for campus users
VO Attributes
However, most VOs have their own attributes
 – Domain-specific, VO-organization, etc.
This means multiple attribute authorities for the same set of users
How do these multiple attributes get served up?
VO runs Shibboleth Server
Requires a large, resourced VO
 – Must have skills, support staff, time
Requires more complexity in authorization
 – Need to map attributes to authority
To some extent defeats the purpose
Campus runs Shibboleth
Puts services in the right place
 – Campuses are good at running production services
Requires campus to somehow outsource administration of attributes
Two sub-models:
 – One campus handles VO attributes for all VO users
 – Each campus handles VO attributes for its own users
Prediction
Arranging for administration of each VO user’s attributes will be hard at first
 – Significant social issues with campuses
Initially, we will be finding one campus to serve attributes for each VO
 – That campus outsources administration of a VO attribute space to that VO
 – Allows remote administration by VO
 – They still run services
Questions?
Project website:
 – http://grid.ncsa.uiuc.edu/GridShib/
Or contact:
 – vwelch@ncsa.uiuc.edu
For more information on NMI:
 – http://www.nsf-middleware.org/
Extra Slides
Shibboleth
http://shibboleth.internet2.edu/
Internet2 project
Allows for inter-institutional sharing of web resources (via browsers)
 – Federation of identities and attributes
 – Uses attribute-based authorization
 – Standards-based (SAML)
Being extended to non-web resources
Globus Toolkit
http://www.globus.org
Collaborative work from the Globus Alliance
Toolkit for Grid computing
 – Job submission, data movement, data management, resource management
Based on Web Services and WSRF
Security based on X.509 identity and proxy certificates
Campus Grid Use Case
Campus running Grid, Shibboleth service
Users with campus-issued certificates
 – Maybe a few outside users
Desires to use campus attributes to authorize use of campus grid
E.g. USC
Grid Deployment Use Case
Multi-site Grid based around a virtual organization
Users have certificates from one or more Grid CAs, probably not run by VO
Grid wishes to establish attributes for their users to do role-based authorization
Grid is either large enough to establish and run their own Shibboleth AA, or someone is willing to do it for them
E.g. TeraGrid, OSG
Hybrid Use Case
Grid based on virtual organization but wants to make resources available to larger community
 – E.g. allow all chemists to access some dataset
Users have certificates from one or more Grid CAs, probably not run by VO
Want to use campus-asserted attributes, from campus-run Shibboleth services, to authorize access to VO resources
Currently done by issuing light-weight Grid credentials to users via a portal
E.g. ESG
GridShib Integration Goals
Use Shibboleth 1.3 out of box
 – With additional NameMapper module to handle mapping X.509 identities to local names
 – Work with Shib identity provider metadata
 – Working with Shib developers to achieve
Don’t require modification to typical grid client applications for simple use cases
Most of work going into Grid services
Project objectives
Priority 1: Pull mode operation
 – Globus services contact Shibboleth to obtain attributes about the identified user
Priority 2: Push mode operation
 – User obtains Shib attributes and pushes them to the service
 – Allows role selection
Priority 3: Pseudonymous access with MyProxy/GridLogon
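As an added illustration (not code from the GridShib project or the Globus Toolkit), here is a small Python model of the pull-mode flow from the project objectives together with the "map attributes to authority" point from the VO slides and the NameMapper mapping from the integration goals: the caller's X.509 DN is mapped to a local identity, attributes gathered from two attribute authorities are accepted only from the authority configured as authoritative for them, and a simple PDP evaluates a policy over the result. The authority URLs, the DN, the local name and the assertions are all constructed; SAML assertions are reduced to plain Python objects.

```python
from __future__ import annotations
from dataclasses import dataclass
# Constructed config: the attribute authority authoritative for each attribute.
ATTRIBUTE_AUTHORITY = {
    "eduPersonAffiliation": "https://idp.campus.example/shibboleth",  # campus IdP
    "voRole": "https://aa.vo.example/shibboleth",                      # VO-run AA
}
# NameMapper-style table (constructed): X.509 subject DN -> local identity.
NAME_MAP = {"/C=US/O=Example Campus/CN=Alice Example": "alice@campus.example"}

@dataclass
class Assertion:
    """Simplified SAML attribute assertion: who issued it, about whom, saying what."""
    issuer: str
    subject: str
    attributes: dict[str, list[str]]

# Constructed sample of pull-mode results for Alice; the VO AA also asserts an affiliation it is not the authority for.
SAMPLE_ASSERTIONS = [
    Assertion(ATTRIBUTE_AUTHORITY["eduPersonAffiliation"], "alice@campus.example",
              {"eduPersonAffiliation": ["member", "faculty"]}),
    Assertion(ATTRIBUTE_AUTHORITY["voRole"], "alice@campus.example",
              {"voRole": ["analyst"], "eduPersonAffiliation": ["staff"]}),
]

def map_dn(dn: str) -> str | None:
    """Map the DN authenticated over SSL/TLS or WS-Security to a local name."""
    return NAME_MAP.get(dn)

def collect_attributes(subject: str, assertions: list[Assertion]) -> dict[str, set[str]]:
    """Merge attributes about subject, keeping each only from its configured authority."""
    accepted: dict[str, set[str]] = {}
    for a in assertions:
        if a.subject != subject:
            continue  # assertion is about someone else
        for name, values in a.attributes.items():
            if ATTRIBUTE_AUTHORITY.get(name) == a.issuer:
                accepted.setdefault(name, set()).update(values)
    return accepted

def pdp(attrs: dict[str, set[str]], policy: dict[str, list[str]]) -> bool:
    """Simple PDP: every attribute named in the policy must hold an allowed value."""
    return all(attrs.get(name, set()) & set(ok) for name, ok in policy.items())

def authorize(dn: str, assertions: list[Assertion], policy: dict[str, list[str]]) -> bool:
    subject = map_dn(dn)
    if subject is None:
        return False  # NameMapper cannot resolve the DN: deny
    return pdp(collect_attributes(subject, assertions), policy)
```

With the sample data, the VO-asserted affiliation is dropped, so a policy requiring faculty affiliation is satisfied only when the campus IdP's assertion is present.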