Presentation is loading. Please wait.

Presentation is loading. Please wait.

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November.

Published byBrandon Long Modified over 10 years ago

Similar presentations

Presentation on theme: "Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November."— Presentation transcript:

1 Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November 3th, 2005 Von Welch vwelch@ncsa.uiuc.edu

2 Nov 3rd, 20052GridShib talk @ BRIITE Outline What are Virtual Organizations (VOs)? Authentication in VOs –Global names X509 and PKIs –Identity Federation Shibboleth On-line CAs GridShib Challenges Ahead

3 Nov 3rd, 20053GridShib talk @ BRIITE What is a Virtual Organization? A dynamic set of users and resources, from different institutions, who operated in a coordinated, controlled manner to achieve a common goal. Key attributes: –Dynamic –All users and resources still belong to original institution –Coordinated and controlled Shared policy

4 Nov 3rd, 20054GridShib talk @ BRIITE Whats an institution? –AKA a real organization Some relevant attributes: Have users Professional IT staff and services –Define namespace –Authentication mechanism –Reluctant to change Legal standing Persistent Cares about reputation, legal standing

5 Nov 3rd, 20055GridShib talk @ BRIITE Some VO examples From simpler to more complex

6 Nov 3rd, 20056GridShib talk @ BRIITE Web-based Collaboration Users decide to collaborate One user creates a (e.g.) wiki –Single resource of interest Wiki creator hands out user names and password to all the users –This user is now the authority Users put usernames and passwords into their web browsers –The browser is their wallet

7 Nov 3rd, 20057GridShib talk @ BRIITE Web-based Community One organization brings together users from multiple organizations –E.g. IEEE, ACM, AMA Organization instantiates a web resource Organization creates and hands user names and passwords… And users add to their browser wallets

8 Nov 3rd, 20058GridShib talk @ BRIITE Previous examples Both had users from multiple institutions Both had only a single resource provider Ultimately all the policy was created and enforced in one place Moving on to a more complex example…

9 Nov 3rd, 20059GridShib talk @ BRIITE LHC Data Distribution Tier2 Centre ~1 TIPS Online System Offline Processor Farm ~20 TIPS CERN Computer Centre FermiLab ~4 TIPSFrance Regional Centre Italy Regional Centre Germany Regional Centre Institute Institute ~0.25TIPS Physicist workstations ~100 MBytes/sec ~622 Mbits/sec ~1 MBytes/sec There is a bunch crossing every 25 nsecs. There are 100 triggers per second Each triggered event is ~1 MByte in size Physicists work on analysis channels. Each institute will have ~10 physicists working on one or more channels; data for these channels should be cached by the institute server Physics data cache ~PBytes/sec ~622 Mbits/sec or Air Freight (deprecated) Tier2 Centre ~1 TIPS Caltech ~1 TIPS ~622 Mbits/sec Tier 0 Tier 1 Tier 2 Tier 4 1 TIPS is approximately 25,000 SpecInt95 equivalents

10 Nov 3rd, 200510GridShib talk @ BRIITE LHC VO Example Users and resources from multiple organizations –Resources are computers, scientific instruments, storage, datasets, etc. –Often non-web based With multiple resource providers there is no longer a single obvious authority

11 Nov 3rd, 200511GridShib talk @ BRIITE LHC (cont) VO picks (and/or establishes) authorities for identity and attributes Lots and lots of policy discussions and (hopefully) agreements All resources in VO trust authorities An attribute authority is established –Distributes attribute assertions or a list of member identities –All resources trust this attribute authority

12 Nov 3rd, 200512GridShib talk @ BRIITE VO Challenges #1: Protocol and credentials Resource has to be able to recognize and authorize users Institutions have different credential formats and protocols –Passwords vs Kerberos vs LDAP vs Windows Domain Unlikely to have a ubiquitous solution any time soon

13 Nov 3rd, 200513GridShib talk @ BRIITE VO Challenges #2: Naming Users dont have global, unique names Each institution and service provider has their own name for each user –But its hard to leverage these things across institutions (lack of protocols, common credentials) Same name at different institutions may be different users Names vs Identities –Often its what you are, not who that is important

14 Nov 3rd, 200514GridShib talk @ BRIITE VO Challenges #3: Policy Expectation management How much effort must go into different operations? –How secure is secure? Who is responsible for what when things go wrong? How will the VO respond when things go wrong?

15 Nov 3rd, 200515GridShib talk @ BRIITE VO Challenges #4: Scalability From the VO perspective: –With enough members, it will take professional staff to manage membership, credentials, security services –Not a big problem for large VOs E.g. IEEE can afford to set up services, hire staff, etc. to establish and maintain the VO –However for smaller VOs, this sort of overhead is an issue E.g. scientific project often do not have the skills and expertise to operate a VO.

16 Nov 3rd, 200516GridShib talk @ BRIITE VO Challenges Scalability from the user perspective: –Each VO they are a part of means another name and set of credentials (e.g. username & password) –Browsers can solve a lot of this for the Web Unless your disk crashes, you change computers, etc. –This is what the identity federation folks are targeting E.g. Shibboleth, Liberty Alliance

17 Nov 3rd, 200517GridShib talk @ BRIITE Authentication in VOs Some history –Grids –Shibboleth GridShib Work To-Date Challenges ahead

18 Nov 3rd, 200518GridShib talk @ BRIITE Grids The Grid uses X509 for authentication and has a lot of experience Each user obtains an X509 certificate and identity Can be made to scale with enough effort. We have a world-wide trust federation. –http://www.gridpma.orghttp://www.gridpma.org This identity is that mapped to a local identity at each resource by the resource

19 Nov 3rd, 200519GridShib talk @ BRIITE Grid X509 Global Namespace X509 Global Namespace

20 Nov 3rd, 200520GridShib talk @ BRIITE Advantages to Grid X509 approach Lightweight in that it doesnt require sites-to-site agreements –Allows a few users from a number of sites to collaborate in VOs without complicated peering –Each resource can accept the X509 certificates it wants

21 Nov 3rd, 200521GridShib talk @ BRIITE Disadvantages to Grid approach Heavyweight in that it buts credential management burden on users Users are poor managers of X509 private keys –Too long to memorize or write down No good place to store keys –No ubiquitous support for hardware tokens across multiple organizations Lost keys are painful to replace Can be hard to tell if a key was compromised –Hacker broke in, what keys were on the system?

22 Nov 3rd, 200522GridShib talk @ BRIITE Shibboleth Uses identity federation approach –Very much aligned with Liberty Alliance –Identity == what you are, not necessarily who Site-to-site trust arrangements allow for expressing identifiers and attributes across sites Features for privacy –Resource knows only what you are, not who

23 Nov 3rd, 200523GridShib talk @ BRIITE Shibboleth Id Federation

24 Nov 3rd, 200524GridShib talk @ BRIITE Advantages of Shibboleth Uses existing authentication system –No new credentials for the user to learn and manage Privacy XML-Buzzword-compliant –Might be an advantage, certainly hipper Flatter, simpler hierarchies than PKI –At least for now

25 Nov 3rd, 200525GridShib talk @ BRIITE Disadvantages of Shibboleth Identity federation requires institutions to agree –Slower than user-to-user trust –Requires high-level of motivation to ensure that it will happen –Lawyers Technology is currently focused on web browser applications –Lack of delegation –Protocol assumes lots of browser features Redirection, auto-refresh of credentials, etc.

26 Nov 3rd, 200526GridShib talk @ BRIITE The online CA Approach An alternative to traditional PKIs Online CAs leveraging existing institutional authentication –E.g. KCA, MyProxy –Deployments at FNAL, NERSC User uses local authentication to obtain short-lived X509 credential (with persistent name)

27 Nov 3rd, 200527GridShib talk @ BRIITE Online CA

28 Nov 3rd, 200528GridShib talk @ BRIITE Online CA Advantages –No new passwords for the users –Works with existing Grid infrastructure Disadvantages –Still have short-lived credential. Is it short- lived enough we can ignore revocation?

29 Nov 3rd, 200529GridShib talk @ BRIITE On to GridShib…

30 Nov 3rd, 200530GridShib talk @ BRIITE What is GridShib NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit –Funded under NSF NMI program GridShib team: NCSA, U. Chicago, ANL –Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

31 Nov 3rd, 200531GridShib talk @ BRIITE Motivation Many Grid VOs are focused on science or business other than IT support –Dont have expertise or resources to run security services We have a strong infrastructure in place for authentication in the form of Grid PKIs Attribute authorities are emerging as the next important service

32 Nov 3rd, 200532GridShib talk @ BRIITE Campus Infrastructure

33 Nov 3rd, 200533GridShib talk @ BRIITE Student? Check out book… Access student records… Is student John Smith?

34 Nov 3rd, 200534GridShib talk @ BRIITE Check out book… Different protocols Privacy Different Schemas

35 Nov 3rd, 200535GridShib talk @ BRIITE Shibboleth http://shibboleth.internet2.edu/ Internet2 project Allows for inter-institutional sharing of web resources (via browsers) –Provides attributes for authorization between institutions Allows for pseudonymity via temporary, meaningless identifiers called Handles Standards-based (SAML) Being extended to non-web resources

36 Nov 3rd, 200536GridShib talk @ BRIITE Shibboleth Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services SSO: authenticates user locally and issues authentication assertion with Handle –Assertion is short-lived bearer assertion –Handle is also short-lived and non-identifying –Handle is registered with AA Attribute Authority responds to queries regarding handle

37 Nov 3rd, 200537GridShib talk @ BRIITE Shibboleth (Simplified) AA SSO Shibboleth IdP Handle Attributes SAML AR ACS Shibboleth SP Handle LDAP (e.g.)

38 Nov 3rd, 200538GridShib talk @ BRIITE Globus Toolkit http://www.globus.org Toolkit for Grid computing –Job submission, data movement, data management, resource management Based on Web Services and WSRF Security based on X.509 identity- and proxy-certificates –Maybe from conventional or on-line CAs Some initial attribute-based authorization

39 Nov 3rd, 200539GridShib talk @ BRIITE Grid PKI Large investment in PKI at the international level for Grids –http://www.gridpma.org –TAGPMA, GridPMA, APGridPMA –Dozens of CAs, thousands of users Really painful to establish But its working… –And its not going way easily

40 Nov 3rd, 200540GridShib talk @ BRIITE Integration Approach Conceptually, replace Shibboleths handle-based authentication with X509 –Provides stronger security for non-web browser apps –Works with existing PKI install base To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

41 Nov 3rd, 200541GridShib talk @ BRIITE GridShib (Simplified) A SSO Shibboleth DN Attributes DN SAML SSL/TLS, WS-Security

42 Nov 3rd, 200542GridShib talk @ BRIITE Authorization Delivering attributes is half the story… Currently have a simple authorization mechanisms –List of attributes required to use service or container –Mapping of attributes to local identity for job submission

43 Nov 3rd, 200543GridShib talk @ BRIITE Authorization Plans Develop authorization framework in Globus Toolkit –Siebenlist et. al. at Argonne –Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions Work in OGSA-Authz WG to allow for callouts to third-party authorization services –E.G. PERMIS Convert Attributes (SAML or X509) into common format for policy evaluation –XACML-based

44 Nov 3rd, 200544GridShib talk @ BRIITE GridShib Status Beta release publicly available Drop-in addition to GT 4.0 and Shibboleth 1.3 Project website: –http://gridshib.globus.org Very interested in feedback

45 Nov 3rd, 200545GridShib talk @ BRIITE Challenges Ahead…

46 Nov 3rd, 200546GridShib talk @ BRIITE Distributed Attribute Admin The Problem… NCSA runs the attribute authority But lots of people issue attributes about me –IEEE, ACM, TeraGrid, GridShib, etc. –Every group Im a member of is an attribute –Many of these group are their own authority Think of all the credentials in your purse or wallet…

47 Nov 3rd, 200547GridShib talk @ BRIITE Distributed Attribute Admin Many of these groups will simply set up their own attribute service Two issues: –Users need a way to manage this virtual wallet What attribute authorities should be consulted when - what are my roles at the moment? –Some groups are too small to set up their own attribute services

48 Nov 3rd, 200548GridShib talk @ BRIITE Distributed Attribute Admin Need ways for a user to point at the attributes services they want to be consulted –Push attributes? –Push references to attribute authorities? –We exploring both of these paths Signet/Grouper integration for distributed attribute administration –Tom Barton @ U. of Chicago –Allow small groups to set attributes in your attribute server –Technical issues, probably bigger policy issues

49 Nov 3rd, 200549GridShib talk @ BRIITE GridShib/Online CA Integration X509 Credentials still have large problem with user-managed credentials –See slide 21 Use of online CA at campus to issue credentials helps with this If we integrate an online CA such that the identifiers it issues can then be used to get attributes from a Shibboleth AA we get a full attribute-based authorization system Collaboration with Jim Basney

50 Nov 3rd, 200550GridShib talk @ BRIITE GridShib/MyProxy Integration

51 Nov 3rd, 200551GridShib talk @ BRIITE GridShib/MyProxy Integration Challenge is one of name management Users local name must be mapped to X509 DN and then back to name meaningful to attribute authority Is algorithmic approach better or can we assume database of mappings? Who should do the mappings?

52 Nov 3rd, 200552GridShib talk @ BRIITE Grid Portals Web portals are important –Clients already installed, easily customized, users familiar with them But protocols are rather difficult to customize –There is a rich set of features, but adding new features (for security) or otherwise is difficult –Lots of portal developers to convince

53 Nov 3rd, 200553GridShib talk @ BRIITE Grid Portals SAML X509

54 Nov 3rd, 200554GridShib talk @ BRIITE Thank You My email: –vwelch@ncsa.uiuc.eduvwelch@ncsa.uiuc.edu GridShib –http://gridshib.globus.orghttp://gridshib.globus.org Shibboleth –http://shibboleth.internet2.edu/http://shibboleth.internet2.edu/ Globus Toolkit –http://www.globus.org/http://www.globus.org/ MyProxy –http://myproxy.ncsa.uiuc.edu/

Download ppt "Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA. November."

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.

GridShib Tom Barton, U Chicago. 2 Grid Computing Distributed computing and/or data resources Heterogeneous computing & storage environments Interfaces.
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney,

A AAAA Model to Support Science Gateways with Community Accounts GGF-14 Science Gateways Workshop June 28, 2005 Von Welch, James Barlow, James Basney,
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.
Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.

Combining the strengths of UMIST and The Victoria University of Manchester Adapting to Federated Identity SHEBANGS Shibboleth Enabled Bridge to Access.
Lia Toledo Moreira Mota, Alexandre de Assis Mota, Wu, Shin-Ting

Lia Toledo Moreira Mota, Alexandre de Assis Mota, Wu, Shin-Ting
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
UKOLN is supported by: Starting to explore the role of memory institutions within the social fabric of the new Web Dr Liz Lyon, UKOLN, University of Bath,

UKOLN is supported by: Starting to explore the role of memory institutions within the social fabric of the new Web Dr Liz Lyon, UKOLN, University of Bath,
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.

Authenticated QoS Signaling William A. (Andy) Adamson Olga Kornievskaia CITI, University of Michigan.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
1 Issues in federated identity management Sandy Shaw EDINA IASSIST 24-27 May 2005, Edinburgh.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney

National Center for Supercomputing Applications PKI and CKM ® Scaling Study NCASSR Kick-off Meeting June 11-12, 2003 Jim Basney

Similar presentations

Ads by Google