Presentation is loading. Please wait.

Presentation is loading. Please wait.

SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.

Published byKelly Walton Modified over 9 years ago

Similar presentations

Presentation on theme: "SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008."— Presentation transcript:

1 SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008

2 EU project: RIO31844-OMII-EUROPE Outline Standardization effort Service description Integration

3 EU project: RIO31844-OMII-EUROPE Goal was add SAML support to VOMS Attribute Exchange profile edited in the OGSA AuthZ WG SAML Query/Response profile X.509 Deployment XACML Attributes Standardization Effort

4 EU project: RIO31844-OMII-EUROPE VOMS SAML Service implementing the Attribute Exchange Profile –That is, SAML Query/Response profile + X.509 subjects + attributes requirements It does the same thing the classic VOMS server does –releases signed assertions containing attributes about a subject Differences –uses SAML attribute assertions instead of ACs –has a Web Service interface

5 EU project: RIO31844-OMII-EUROPE VOMS SAML No API, no voms-proxy-init –WS approach, get the WSDL and use whatever SOAP and XML tools you prefer example code in the distribution using Axis, XFire, JAXB, XMLBeans, libcurl, libxml; coming soon gSOAP, OpenSAML –Binding to a proxy only one of the possible uses more later

6 EU project: RIO31844-OMII-EUROPE Service Interface A single operation, AttributeQuery –Input : samlp:AttributeQuery Who's doing the query, whose attributes is querying for, which attributes is querying for –Output : samlp:Response Who’s answering, what’s the status, and the assertion An attribute assertion associates a principal with a set of attributes –The asserting entity, the subject of the assertion, conditions under which the assertion is valid, the attributes, and a signature A SAML Attribute Profile for VO related attributes is currently being discussed in the OGF OGSA Authorization WG

7 EU project: RIO31844-OMII-EUROPE Implementation Web service –To be deployed in a servlet container Used with Tomcat with gLite trustmanager –Uses Axis But custom serialization that uses OpenSAML since Axis has problems with SAML schemas –There is SOAP support in OpenSAML, will move from Axis SAML –uses OpenSAML currently release candidate 2 Database layer –Uses Hibernate as VOMS Admin does

8 EU project: RIO31844-OMII-EUROPE Status First release due February 29 –Alpha available since April 07, beta since November 07, both used for OMII-Europe developments, testing and demonstrations Those impatiently willing to test it can enroll in the OMII-Europe VO and use the present deployment Fancy a deployment for gLite developers? –Could serve the DTEAM VO –I didn’t dare asking Maria Dimou about either using a machine at CERN mort connecting to the database from CNAF The db replicas that are going to be available at CNAF soon would be easier An official endorsement from JRA1 would help

9 EU project: RIO31844-OMII-EUROPE Middleware Integration VOMS releases SAML assertion, so what? Assertions are used by Grid services to drive authorization decisions Commonly used in push mode for attribute retrieval –get attributes and push them to the service How to do that? –In an extension of the proxy certificate, the way VOMS does now with ACs –In the SOAP Header, using WS-Security

10 EU project: RIO31844-OMII-EUROPE Middleware Integration Just as ACs, SAML assertions may be put in an extension of the proxy certificate –Proved a very simple and effective way of carrying attributes to Grid services This is the way GridShib has used SAML assertions when integrating Shibboleth and GT –https://spaces.internet2.edu/display/GS/X509BindingSAML One may also have voms-proxy-init doing that Advantage would be the integration would be nearly painless

11 EU project: RIO31844-OMII-EUROPE Middleware Integration In OMII-Europe we have experimented using WS-Security to carry SAML assertions in the SOAP Header –One of the main goal was the availability of VOMS on UNICORE, which doesn't use proxies Using the SOAP Header works both with EECs and proxies Defined in the ‘Web Services Security: SAML Token Profile 1.1’ –defines the use of SAML assertions as security tokens from the header block defined by the WSS: SOAP Message Security specification Full example of client service inteaction available with the source code –Comprises validation of the XML signature

12 EU project: RIO31844-OMII-EUROPE Middleware Integration Advantages –It’s standard –Works with EECs Not only useful for proxies-unaware middleware as UNICORE Why use proxies, that aren’t safe (or as safe as EECs), when you can use EECs? –Using resources that don’t need a delegation step –Decoupling of authentication from attributes You don’t need to get the client certificate and extract the attributes For services deployed in a container, let the container do the X.509 dirty jobs and care only about the XML

13 EU project: RIO31844-OMII-EUROPE Disadvantages –Only for Web Services –Coupling is used for assuring against attributes escalation You have a proxy with an AC, you cannot ask for attributes that are not in the AC already

14 EU project: RIO31844-OMII-EUROPE Ongoing integrations CREAM BES –Uses VOMS SAML assertions as well as VOMS proxies –More in next talk UNICORE –uses VOMS SAML assertions for authorization –Tested with the UNICORE OGSA BES, available for any UNICORE service Globus Toolkit –Two components in OMII-Europe that are based on GT are integrating VOMS SAML assertions Writing a PIP for the authz framework, and we are in touch with GT developers to eventually feed it back to them –May come handy if GT AuthZ were choosen as a PEP for the new authz framework

15 EU project: RIO31844-OMII-EUROPE gLite Integration SAML assertions mentioned in the EGEE III DoW –'extension in the use of SAML-based attributes for authorisation' –'support the use of SAML attributes in VOMS' –'development of the gLite authorization framework.. support for the use of SAML assertions ' How to use them probably to be discussed in the next weeks –There's a service you can use –There's experience you can leverage on Integration in CREAM BES Suggestion: try to maintain the availability under UNICORE and GT

16 EU project: RIO31844-OMII-EUROPE gLite Integration Need to move VOMS-SAML code into EGEE context Branding issue to be sorted out at a higher level Shouldn’t be too painful –Code currently only in the INFN SVN –Built with ETICS, and packaged nearly the gLite way uses /opt/omii instead of /opt/glite

17 EU project: RIO31844-OMII-EUROPE valerio.venturi@cnaf.infn.it jra1voms@omii-europe.org

Download ppt "SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008."

Similar presentations

Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
The National Grid Service and OGSA-DAI Mike Mineter

The National Grid Service and OGSA-DAI Mike Mineter
Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.

Current status of grids: the need for standards Mike Mineter TOE-NeSC, Edinburgh.
Data Management Expert Panel - WP2. WP2 Overview.

Data Management Expert Panel - WP2. WP2 Overview.
GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.

GUMS status Gabriele Carcassi PPDG Common Project 12/9/2004.
The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.

The VOMS Attribute Authority and its relation with Shibboleth Presenter: Vincenzo Ciaschini 8 th TF-EMC2 Meeting Firenze, March 2007.
VOMS & SAML Valerio Venturi MWSG 12 12-13/6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.

VOMS & SAML Valerio Venturi MWSG /6/07. EU project: RIO31844-OMII-EUROPE OMII-Europe OMII-Europe is an EU-funded project which has been established.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
20 March 2007 VOMS etc - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.

20 March 2007 VOMS etc Andrew McNabwww.gridsite.org VOMS etc Andrew McNab University of Manchester.
95-804 Applied Cryptography Week 13 SAML 1 95-804 Applied Cryptography SAML and XACML Mike McCarthy Week 13.

Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.

EGEE Security Area 13 May 2004 EGEE Security Area Stakeholders JRA3 middleware Architecture What we have for Unix and Java What.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.

Security Middleware and VOMS service status Andrew McNab Grid Security Research Fellow University of Manchester.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.

Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.

GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

Similar presentations

Ads by Google