Presentation transcript: "GridShib", CIP Seminar, December 6th, 2005, Tom Scavo and Von Welch, NCSA.

Slide 1: GridShib
CIP Seminar, December 6th, 2005
Tom Scavo (trscavo@ncsa.uiuc.edu), Von Welch (vwelch@ncsa.uiuc.edu), NCSA

Slide 2: What is GridShib
NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
– Funded under NSF NMI program
GridShib team: NCSA, U. Chicago, ANL
– Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Slide 3: Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib

Slide 4: The single system story
(diagram: one user, one system, one password)

Slide 5: Along came more systems...
(diagram: one password per system)

Slide 6: And more passwords...
(diagram: a growing pile of passwords such as MyDogsName, drowssap, pAsSwOrD and Pass-wurd)

Slide 7: Enterprise Authentication
Central authentication for a number of systems in an organization
– Simply put, one central authority at a site for your password instead of each computer having its own.
A number of systems exist:
– Kerberos, Windows Domains, Radius, NIS, LDAP, etc.

Slide 8: Enterprise Auth
(diagram: one password, checked by a central authority for all of the site's systems)

Slide 9: Ok, the world is good now?
Well, it's better, inside a single organization at least. But what happens when you want to login somewhere else?

Slide 10: Along come other sites...
(diagram: NCSA, SDSC and other sites, each with its own password)

Slide 11: And more passwords...
(diagram: one password per site, e.g. Pa55w0rd, Sesame, PrettyPlease, KnockKnock)

Slide 12: And then came the Web...
(diagram: yet more passwords for Amazon, Ebay, NYTimes, MyBank, AA.com, travelocity and Gmail, e.g. s3cr3t, mypass)

Slide 13: Inter-site authentication
All this created a huge usability problem for users
– Multiple passwords hard to manage
– Cumbersome to enter passwords over and over
A number of approaches have been tried to solve these problems
– Both in the web and computing worlds
We present a brief survey here
– Start with computing world...

Slide 14: Site-to-Site Federations
Sites agree to couple their authentication systems
– E.g., Kerberos, Radius
Works but is difficult
– Requires interoperable site authentication systems
– Requires sites agree at highest level; since some systems like Kerberos are used for most trusted assets, this can be hard.

Slide 15: SSH Public keys
SSH allows a user to establish their own keys that they can use to log into any computers
User establishes their own network
Works well, but
– Requires sites support SSH (much easier than Kerberos)
– User-managed
– Keys must be everywhere for this to work
– If key is compromised, how do we clean up? How do we even know?

Slide 16: X509 Certificates (e.g., Grid)
Each user gets a private key and a global identity
Certificate allows a key to be lost, but for identity to persist
But...
– Still user-managed keys as with SSH
– Getting certificates can be a pain

Slide 17: Online X509 Certificate Authorities
Started for the web
– U. Michigan KCA
Now used in the Grid
– KCA @ FNAL, MyProxy
Turn local authentication into X509 certificate that can be used globally
Allows site to federate by turning local authentication into standard format (X509)

Slide 18: Meanwhile, in the web...

Slide 19: Microsoft Passport
One authentication server for all users on the web that holds their password
Major sociological issues
– No one wants to trust Microsoft to hold their password to everything
– No one wants Microsoft to know what web sites they are using
Probably is no single entity that would be trusted

Slide 20: Liberty Alliance
In response to Passport...
Allows users to link their accounts together
– E.g., I can say vwelch@Ebay is also vonwelch@amazon is also vsw@paypal
I log into one site, it can tell others I've logged in and they don't have to re-authenticate me
Was strong motivation for SAML

Slide 21: Shibboleth
From higher-education community
Motivated by university users wanting access to databases and online libraries
Allows site to express local authentication in standard format (SAML)
Also allows site to express attributes about user in standard format (eduPerson)
– E.g., student, professor, department
Growing adoption, federations of sites that allow cross-site authentication

Slide 22: Summary
There has been an explosion of passwords as more systems and web services have emerged
Intra-site is largely well controlled with various solutions, but inter-site is still unsolved
Both the web and computing community have come up with solutions

Slide 23: Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib

Slide 24: Attribute-based authorization
So far we've talked about identity-based authorization
– E.g., vwelch can access this web page/computer/bank account/etc.
– Authentication: establishing who you are
– Authorization: establishing you are allowed to do something
This works well when you are providing a service to a relatively small number of people

Slide 25: Attribute-based authorization
Often it's more scalable to talk about authorization based on attributes
– E.g., any NCSA staff member can access this web page
– E.g., any UIUC staff or student can use the library
So often the process is authentication (who), establish attributes (what), and use those attributes to decide if something is allowed

Slide 26: Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib

Slide 27: Grid Security: The Grid Security Infrastructure
The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources.
Based on a public key infrastructure, with certificate authorities and X509 certificates

Slide 28: GSI: Credentials
In the GSI system each user has a set of credentials they use to prove their identity on the grid
– Consists of an X509 certificate and private key
Long-term private key is kept encrypted with a pass phrase
– Good for security, inconvenient for repeated usage

Slide 29: Certificates
An X.509 certificate binds a public key to a name
It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)
(diagram: a certificate with fields Name, Issuer, Public Key, Signature)

Slide 30: Certificates
Similar to passport or driver's license
(figure: a sample Illinois driver's license for "John Doe", carrying the State of Illinois seal, shown beside the certificate's Name, Issuer, Public Key and Signature fields)

Slide 31: Certificates
By checking the signature, one can determine that a public key belongs to a given user.
(diagram: the certificate's Name, Issuer and Public Key are hashed; the Signature is decrypted with the public key obtained from the Issuer; the two results are compared for equality)

Slide 32: Certificate Authorities (CAs)
A Certificate Authority is an entity that exists only to sign user certificates
The CA signs its own certificate, which is distributed in a trusted manner
(diagram: the CA certificate has Name: CA, Issuer: CA, the CA's Public Key and the CA's Signature)
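The hash/decrypt/compare check from slides 29 to 32 can be exercised with the OpenSSL command-line tool. The script below is an added example, not material from the slides: it creates a throwaway CA whose self-signed certificate is the trust anchor, has that CA sign a user certificate, and then runs the signature check (`openssl verify`) once against the issuing CA and once against an unrelated CA, which must fail. The CA names, the user subject and the temporary directory are constructed for the example; the script assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example, not from the GridShib slides: a throwaway CA signs a user
# certificate, and the signature is checked against the CA's self-signed cert.
# Requires the openssl command-line tool. All names are constructed.
set -eu

WORK=$(mktemp -d)

# A CA signs its own certificate (slide 32); that certificate is the trust anchor.
make_ca() {
    name=$1; dir=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" \
        -subj "/O=Example Grid/CN=$name" >/dev/null 2>&1
}

# The CA binds a user's public key to a name by signing it (slides 29 to 31).
issue_user_cert() {
    ca=$1; dir=$2
    openssl req -newkey rsa:2048 -nodes \
        -keyout "$dir/user.key" -out "$dir/user.csr" \
        -subj "/O=UIUC/OU=NCSA/CN=GridShib" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$dir/user.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -CAcreateserial \
        -out "$dir/user.crt" >/dev/null 2>&1
}

# Verify: hash the certificate body, decrypt the signature with the issuer's
# public key, compare. 'openssl verify' does exactly this against -CAfile.
# Returns 0 when the signature checks out against that CA, 1 otherwise.
verify_cert() {
    cafile=$1; cert=$2
    if openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

make_ca trusted-ca "$WORK"
make_ca other-ca "$WORK"
issue_user_cert trusted-ca "$WORK"

if verify_cert "$WORK/trusted-ca.crt" "$WORK/user.crt"; then
    echo "user.crt: signature verifies with trusted-ca's public key"
fi
if ! verify_cert "$WORK/other-ca.crt" "$WORK/user.crt"; then
    echo "user.crt: other-ca's public key does not verify the signature, rejected"
fi
```

The second check is the one that matters operationally: a certificate is only as trustworthy as the CA whose public key verifies it, which is why the set of CA certificates a Grid SP accepts (slide 33) is a security-critical configuration item.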

Slide 33: Grid CAs
There are a large number of Grid CAs
– http://www.gridpma.org/
Currently this is an X509 system that users may join by getting a certificate
– This X509 system is independent of the user's local authentication system

Slide 34: Grid Online CAs
Usability issues with user-managed certificates have driven interest in online CAs
– E.g., FNAL, NERSC, KCA, MyProxy
This may lead to a federated style of authentication

Slide 35: Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib

Slide 36: What is Shibboleth?
Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy
Shibboleth is simultaneously:
1. A project
2. A specification
3. An implementation

Slide 37: Shibboleth Project
Shibboleth, a project of Internet2-MACE:
– Advocates a federated identity management policy framework focused on user privacy
– Develops middleware architectures to facilitate inter-institutional attribute sharing
– Manages an open source reference implementation of the Shibboleth spec
Shibboleth has made significant contributions to the SAML-based identity management space

Slide 38: Collaborations
(diagram: Shibboleth at the center, linked to Internet2, E-Auth, Liberty, Vendors, OASIS and Educause)

Slide 39: Shibboleth Specification
Shibboleth is an extension of the SAML 1.1 browser profiles:
– Shibboleth Browser/POST Profile
– Shibboleth Browser/Artifact Profile
– Shibboleth Attribute Exchange Profile
See the Shibboleth spec for details: S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.

Slide 40: Shibboleth Implementation
The Shibboleth implementation consists of two components:
1. Shibboleth Identity Provider
2. Shibboleth Service Provider
The Identity Provider is a J2EE webapp
The Service Provider is a C++ Apache module
– A pure Java Service Provider is in beta

Slide 41: The Shibboleth Wiki
For example, the Shibboleth wiki (hosted at ohio-state.edu) is "shibbolized": https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
To edit wiki pages, a user must be known to the wiki
Users have wikiNames but do not have wiki passwords
Users log into their home institution, which asserts user identity to the wiki

Slide 42: (screenshot only)

Slide 43: Shib Browser Profile
The user clicks the link "Login via InQueue IdP"
This initiates a sequence of steps known as the Shibboleth Browser Profile
(diagram: steps 1 through 8 among the Client, the UIUC IdP, the OSU SP and InQueue)

Slide 44: (screenshot only)

Slide 45: Shib Browser Profile
InQueue provides a "Where Are You From?" service
The user chooses their preferred identity provider from a menu
(diagram: steps 1 through 8 among the Client, the UIUC IdP, the OSU SP and InQueue)

Slide 46: (screenshot only)

Slide 47: Shib Browser Profile
The user is redirected to the UIUC login page
After login, the user is issued a SAML assertion and redirected back to the wiki
(diagram: steps 1 through 8 among the Client, the UIUC IdP, the OSU SP and InQueue)

Slide 48: (screenshot only)

Slide 49: Shib Browser Profile
After validating the assertion, the wiki@OSU retrieves user attributes via back-channel Shib attribute exchange
(diagram: steps 1 through 8 among the Client, the UIUC IdP, the OSU SP and InQueue)

Slide 50: Asserting Identity
Initially, the user is unknown to the wiki
After querying the home institution, the wiki knows the user's identity
"trscavo-uiuc.edu" is wiki-speak for trscavo@uiuc.edu
The latter is eduPersonPrincipalName, an identity attribute asserted by the user's home institution

Slide 51: OpenIdP.org
By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
Other users can register at openidp.org, which is a zero-admin Shibboleth IdP
The openidp asserts an alternate form of identity (email addresses as opposed to eduPersonPrincipalName)

Slide 52: The Actors
Identity Provider
– The Identity Provider (IdP) creates, maintains, and manages user identity
– A Shibboleth IdP produces SAML assertions
Service Provider
– The Service Provider (SP) controls access to services and resources
– A Shibboleth SP consumes SAML assertions
(diagram: the Identity Provider comprises an Authentication Authority, an Attribute Authority, an SSO Service and an Artifact Resolution Service; the Service Provider comprises an Assertion Consumer Service, an Attribute Requester and the Resource)

Slide 53: Shib SSO Profiles
Shibboleth SSO profiles are SP-first
Shibboleth specifies an Authentication Request Profile
Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile
Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile

Slide 54: Shib AuthN Request Profile
A Shibboleth authentication request is an ordinary GET request:
    https://idp.org/shibboleth/SSO?
        providerId=https://sp.org/shibboleth/&
        shire=https://sp.org/shibboleth/SSO&
        target=https://sp.org/myresource&
        time=1102260120
The client is redirected to this location after requesting a protected resource at the SP without a security context
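The request on slide 54 is built by the SP and consumed by the IdP. As an added example (not Shibboleth or GridShib project code), the following Python builds the GET URL from the slide's four parameters and shows the checks an IdP should apply before authenticating the user: the providerId must be known, the shire (assertion consumer endpoint) must be one registered for that SP, and the time must be fresh. The endpoint names are the slide's; the metadata table and the 300-second skew tolerance are assumptions of this example.

```python
"""Shibboleth 1.x authentication request: build (SP side) and check (IdP side).

Added example, not code from the GridShib or Shibboleth projects. The endpoint
names are the ones on the slide; the metadata table and the clock-skew
tolerance are assumptions made for this example.
"""
import time
from urllib.parse import parse_qs, urlencode, urlsplit

IDP_SSO = "https://idp.org/shibboleth/SSO"
MAX_SKEW_SECONDS = 300  # assumed tolerance for the 'time' parameter

# Assumed IdP-side metadata: which 'shire' (assertion consumer) endpoints each
# SP providerId is allowed to name. Constructed for this example.
SP_METADATA = {
    "https://sp.org/shibboleth/": {"https://sp.org/shibboleth/SSO"},
}


def build_authn_request(provider_id, shire, target, now=None):
    """SP side: the redirect URL sent to the browser after it requests a
    protected resource without a security context (an ordinary GET)."""
    now = int(time.time()) if now is None else int(now)
    params = {"providerId": provider_id, "shire": shire,
              "target": target, "time": str(now)}
    return IDP_SSO + "?" + urlencode(params)


def check_authn_request(url, now=None, metadata=SP_METADATA):
    """IdP side: validate the request before authenticating the user.

    Returns the parsed parameters, or raises ValueError. The shire check is
    what stops an assertion being posted to an endpoint the SP never
    registered; the time check rejects stale or replayed requests.
    """
    now = int(time.time()) if now is None else int(now)
    parts = urlsplit(url)
    if parts.scheme + "://" + parts.netloc + parts.path != IDP_SSO:
        raise ValueError("request not addressed to this SSO endpoint")
    query = parse_qs(parts.query, strict_parsing=True)
    required = ("providerId", "shire", "target", "time")
    missing = [k for k in required if k not in query]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    req = {k: query[k][0] for k in required}
    if req["providerId"] not in metadata:
        raise ValueError("unknown providerId " + req["providerId"])
    if req["shire"] not in metadata[req["providerId"]]:
        raise ValueError("shire is not a registered endpoint of this SP")
    try:
        issued = int(req["time"])
    except ValueError:
        raise ValueError("time is not an integer") from None
    if abs(now - issued) > MAX_SKEW_SECONDS:
        raise ValueError("request outside the allowed time window")
    return req


if __name__ == "__main__":
    url = build_authn_request("https://sp.org/shibboleth/",
                              "https://sp.org/shibboleth/SSO",
                              "https://sp.org/myresource", now=1102260120)
    print(url)
    print(check_authn_request(url, now=1102260120 + 30))
```

The shire check is the important one: because the request is an unsigned GET, anything in it could have been altered in transit, so the IdP must decide where to post the assertion from its own metadata for that providerId rather than from the request alone.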

Slide 55: Shib Browser/POST Profile
Browser/POST is an SP-first profile
The IdP produces an assertion at step 4, which the SP consumes at step 5
(diagram: steps 1 through 8 among the Client, the Identity Provider's Authentication Authority, Attribute Authority and SSO Service, and the Service Provider's Assertion Consumer Service and Resource)

Slide 56: Shib Attribute Exchange
A Shibboleth SP often queries an IdP for attributes after validating an authN assertion
An opaque, transient identifier called a handle is embedded in the authN assertion
The SP sends a SAML AttributeQuery message with handle attached

Slide 57: Browser/POST Profile (with attribute exchange)
The first 5 steps of this profile are identical to ordinary Browser/POST
Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange
(diagram: steps 1 through 10 among the Client, the Identity Provider and the Service Provider, now including the SP's Attribute Requester)

Slide 58: Directory Schema
Neither Shibboleth nor SAML define any attributes per se
It is left to individual deployments to define their own attributes
A standard approach to user attributes is crucial
Without such standards, interoperability is impossible

Slide 59: eduPerson
Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson
The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798]
Approximately 40 attributes have been defined by InCommon as common identity attributes

Slide 60: InCommon Attributes
InCommon's 6 "highly recommended" attributes (attribute name, example value):
    givenName                    Mary
    sn (surname)                 Smith
    cn (common name)             Mary Smith
    eduPersonScopedAffiliation   student@example.org
    eduPersonPrincipalName       mary.smith@example.org
    eduPersonTargetedID          ? (eduPersonTargetedID does not have a precise value syntax)

Slide 61: Outline
Distributed systems authentication: some history
Attribute-based access control: why?
Grid Security Overview
Shibboleth Overview
GridShib

Slide 62: What is GridShib?
GridShib enables secure attribute sharing between Grid virtual organizations and higher-educational institutions
The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®
GridShib adds attribute-based authorization to Globus Toolkit

Slide 63: Motivation
Large scientific projects have spawned Virtual Organizations (VOs)
The cyberinfrastructure and software systems to support VOs are called grids
Globus Toolkit is the de facto standard software solution for grids
Grid Security Infrastructure provides basic security services... but does it scale?

Slide 64: Tale of Two Technologies
(diagram: on one side the Grid Client, Globus Toolkit, X.509 and the Grid Security Infrastructure; on the other Shibboleth, SAML and the Shibboleth Federation)
Bridging Grid/X.509 with Shib/SAML

Slide 65: Grid Authentication
Globus Toolkit provides authentication services via X.509
When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
GridShib leverages the existing authentication mechanisms in GT

Slide 66: Grid Authorization
Today, Globus Toolkit provides identity-based authorization mechanisms:
– List of attributes required to use service or container
– Mapping of attributes to local identity (in grid-mapfiles) for job submission
GridShib hopes to augment identity-based authorization with attribute-based authorization

Slide 67: GT Authorization Framework
Work is underway to develop and enhance the authorization framework in Globus Toolkit
– Siebenlist et al. at Argonne
– Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
Work in OGSA-Authz WG to allow for callouts to third-party authorization services
– E.g., PERMIS
Convert attributes (SAML or X.509) into common format for policy evaluation
– XACML-based

Slide 68: Why Shibboleth?
What does Shibboleth bring to the table?
– A large (and growing) installed base
– A standards-based, open source implementation
– A standard attribute vocabulary (eduPerson)
A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Slide 69: Shibboleth Federations
A federation
– Provides a common trust and policy framework
– Issues credentials and distributes metadata
– Provides discovery services for SPs
Shibboleth-based federations:
– InCommon (23 members)
– InQueue (157 members)
– SDSS (30 members)
– SWITCH (23 members)
– HAKA (8 members)

Slide 70: InCommon Federation
(image only)

Slide 71: Use Cases
There are three use cases under consideration:
1. Established grid user (non-browser)
2. New grid user (non-browser)
3. Portal grid user (browser)
Initial efforts have concentrated on the established grid user (i.e., user with existing long-term X.509 credentials)

Slide 72: Established Grid User
User possesses an X.509 end entity certificate
User may or may not use MyProxy Server to manage X.509 credentials
User authenticates to Grid SP with proxy certificate (grid-proxy-init)
The current GridShib implementation addresses this use case

Slide 73: New Grid User
User does not possess an X.509 end entity certificate
User relies on MyProxy Online CA to issue short-lived X.509 certificates
User authenticates to Grid SP using short-lived X.509 credential
Emerging GridShib Non-Browser Profiles address this use case

Slide 74: Portal Grid User
User does not possess an X.509 cert
User accesses Grid SP via a browser interface, that is, the client delegates a web application to request a service at the Grid SP
MyProxy issues a short-lived X.509 certificate via a back-channel exchange
GridShib Browser Profiles apply

Slide 75: Software Components
GridShib for Globus Toolkit
– A plugin for GT 4.0
GridShib for Shibboleth
– A plugin for Shibboleth 1.3 IdP
Shibboleth IdP Tester
– A test application for Shibboleth 1.3 IdP
Visit the GridShib Download page: http://gridshib.globus.org/download.html

Slide 76: The Actors
Standard (non-browser) Grid Client
Globus Toolkit with GridShib installed (which we call a "Grid SP")
Shibboleth IdP with GridShib installed
(diagram: Client, Grid SP, IdP)

Slide 77: GridShib Attribute Pull Profile
In the current implementation, a Grid SP "pulls" attributes from a Shib IdP
The Client is assumed to have an account (i.e., local principal name) at the IdP
The Grid SP and the IdP have been assigned a unique identifier (providerId)
(diagram: steps 1 through 4 among the Client, the Grid SP and the IdP)

Slide 78: GridShib Attribute Pull, Step 1
The Grid Client requests a service at the Grid SP
The Client presents a standard proxy certificate to the Grid SP
The Client also provides a pointer to its preferred IdP
(diagram: step 1, Client to Grid SP)

Slide 79: IdP Discovery
The Grid SP needs to know the Client's preferred IdP
One approach is to embed the IdP providerId in the proxy certificate
This requires modifications to the MyProxy client software, however
Currently the IdP providerId is configured into the Grid SP

Slide 80: GridShib Attribute Pull, Step 2
The Grid SP authenticates the Client and extracts the DN from the proxy cert
The Grid SP queries the Attribute Authority (AA) at the IdP
(diagram: steps 1 and 2; Grid SP to IdP)

Slide 81: Attribute Query
The Grid SP formulates a SAML attribute query (the slide shows the query XML; its NameIdentifier is CN=GridShib,OU=NCSA,O=UIUC)
The Resource attribute is the Grid SP providerId
The NameQualifier attribute is the IdP providerId
The NameIdentifier is the DN from the proxy cert
Zero or more AttributeDesignator elements call out the desired attributes

Slide 82: GridShib Attribute Pull, Step 3
The AA authenticates the requester and returns an attribute assertion to the Grid SP
The assertion is subject to Attribute Release Policy (ARP)
(diagram: steps 1 through 3; IdP back to Grid SP)

Slide 83: Attribute Assertion
The assertion contains an attribute statement (the slide shows the assertion XML; its Subject is CN=GridShib,OU=NCSA,O=UIUC and the attribute values are "member" and "student")
The Subject is identical to the Subject of the query
Attributes may be single-valued or multi-valued
Attributes may be scoped (e.g., member@uchicago.edu)
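The query of slide 81, the assertion of slide 83 and the attribute-based decision of slides 24 and 25 fit together in one exchange, shown here as an added example in Python rather than GridShib or Shibboleth code. The SAML 1.0/1.1 namespace URIs and the X509SubjectName name-identifier format are standard; the Shibboleth attribute namespace and the `Scope` attribute on scoped values follow the Shibboleth 1.x convention. The providerIds, the sample assertion (unsigned), the set of scopes the IdP is trusted for and the access policy are all constructed for this example.

```python
"""SAML 1.1 attribute query (Grid SP side) and attribute assertion parsing.

Added example; not the GridShib or Shibboleth code. The SAML 1.0/1.1 namespace
URIs and the X509SubjectName name-identifier format are standard; the Shibboleth
attribute namespace and the Scope="" attribute on scoped values follow the
Shibboleth 1.x convention. The providerIds, the sample assertion and the policy
are constructed for this example.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"

# Constructed identifiers; the slides do not give the real providerIds.
GRID_SP_ID = "https://gridsp.example.org/shibboleth"
IDP_ID = "https://idp.example.edu/shibboleth"
DN = "CN=GridShib,OU=NCSA,O=UIUC"  # the DN shown on the slides


def build_attribute_query(resource, name_qualifier, dn, attribute_names):
    """Grid SP -> IdP Attribute Authority. Resource is the Grid SP providerId,
    NameQualifier the IdP providerId, NameIdentifier the DN from the proxy cert."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=resource)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                        NameQualifier=name_qualifier, Format=X509_SUBJECT)
    nid.text = dn
    for name in attribute_names:  # zero designators: whatever the ARP releases
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=SHIB_ATTR_NS)
    return ET.tostring(query, encoding="unicode")


# Constructed attribute assertion, as the AA might return it (signature omitted).
# The third value carries a scope this IdP is not authorized for, to show filtering.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-example" Issuer="{IDP_ID}">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier NameQualifier="{IDP_ID}" Format="{X509_SUBJECT}">{DN}</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="{AFFILIATION}" AttributeNamespace="{SHIB_ATTR_NS}">
      <saml:AttributeValue Scope="uchicago.edu">member</saml:AttributeValue>
      <saml:AttributeValue Scope="uchicago.edu">student</saml:AttributeValue>
      <saml:AttributeValue Scope="other.example">faculty</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attribute_statement(xml_text, expected_dn, allowed_scopes):
    """Return {attribute name: [values]} from the assertion.

    Rejects the statement if its Subject differs from the one queried, and drops
    scoped values whose scope this IdP is not trusted to assert (assumed to come
    from federation metadata). Signature checking is out of scope here.
    """
    root = ET.fromstring(xml_text)
    stmt = root.find(f"{{{SAML}}}AttributeStatement")
    if stmt is None:
        raise ValueError("no AttributeStatement")
    nid = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None or (nid.text or "").strip() != expected_dn:
        raise ValueError("assertion Subject does not match the query Subject")
    attrs = {}
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        values = []
        for val in attr.findall(f"{{{SAML}}}AttributeValue"):
            text = (val.text or "").strip()
            scope = val.get("Scope")
            if scope is None:
                values.append(text)                # unscoped, single- or multi-valued
            elif scope in allowed_scopes:
                values.append(f"{text}@{scope}")   # scoped, e.g. member@uchicago.edu
        attrs[attr.get("AttributeName")] = values
    return attrs


def is_authorized(attrs, attribute_name, acceptable_values):
    """Attribute-based decision (slide 25): grant if any asserted value is acceptable."""
    return any(v in acceptable_values for v in attrs.get(attribute_name, []))


if __name__ == "__main__":
    print(build_attribute_query(GRID_SP_ID, IDP_ID, DN, [AFFILIATION]))
    attrs = parse_attribute_statement(SAMPLE_ASSERTION, DN, {"uchicago.edu"})
    print(attrs)
    print(is_authorized(attrs, AFFILIATION, {"member@uchicago.edu"}))
```

Two checks carry the security weight: the Subject comparison ties the returned attributes to the DN the Grid SP actually authenticated, and the scope filter stops an IdP from asserting affiliations for domains it does not administer. In a deployment the assertion's signature would be verified against the IdP's key from federation metadata before either check.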

Slide 84: Name Mapping
An IdP does not issue X.509 certs so it has no prior knowledge of the DN
Solution: create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP)
    # Default name mapping file
    CN=GridShib,OU=NCSA,O=UIUC gridshib
    "CN=some user,OU=People,DC=doegrids" test
The DN must conform to RFC 2253
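Reading that file and resolving a DN to a local principal, as an added example rather than the GridShib project's own parser: the two entries are the ones on the slide; the RFC 2253 syntax check, the conversion from the OpenSSL/Globus slash form of a DN, and the lookup helper are assumptions made for this example.

```python
"""Parse a GridShib-style IdP name mapping file and resolve a DN to a local principal.

Added example, not the GridShib project's own parser. The file contents are the
two entries shown on the slide; the slash-form conversion and the RFC 2253
syntax check are additions for this example.
"""
import re
import shlex

# The file shown on the slide, embedded as a string for this example.
NAME_MAPPING_FILE = """\
# Default name mapping file
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"""

# One RDN: attribute type (letters/digits/hyphen, or a dotted OID) '=' value.
# Deliberately strict: escaped commas and multi-valued RDNs ('+') are rejected
# rather than half-handled, so a malformed entry fails loudly at load time.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,+=\\]+$|^\d+(\.\d+)*=[^,+=\\]+$")


def is_rfc2253_dn(dn):
    """True if dn is a comma-separated list of simple type=value RDNs."""
    rdns = dn.split(",")
    return bool(rdns) and all(_RDN.match(r) for r in rdns)


def parse_name_mapping(text):
    """Return {dn: local principal}. Lines are '<dn> <principal>', with the DN
    double-quoted when it contains spaces; '#' starts a comment."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = shlex.split(line, comments=True)
        if not fields:
            continue  # blank or comment-only line
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<dn> <principal>'")
        dn, principal = fields
        if not is_rfc2253_dn(dn):
            raise ValueError(f"line {lineno}: DN is not in RFC 2253 form: {dn!r}")
        if dn in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {dn!r}")
        mapping[dn] = principal
    return mapping


def slash_dn_to_rfc2253(slash_dn):
    """Convert OpenSSL/Globus slash form (/O=UIUC/OU=NCSA/CN=GridShib) to
    RFC 2253 order (CN=GridShib,OU=NCSA,O=UIUC). Assumes no escaped slashes."""
    parts = [p for p in slash_dn.split("/") if p]
    return ",".join(reversed(parts))


def lookup_principal(mapping, dn):
    """Resolve a DN in either form to the IdP's local principal, or None."""
    if dn.startswith("/"):
        dn = slash_dn_to_rfc2253(dn)
    return mapping.get(dn)


if __name__ == "__main__":
    m = parse_name_mapping(NAME_MAPPING_FILE)
    print(m)
    print(lookup_principal(m, "/O=UIUC/OU=NCSA/CN=GridShib"))
```

Lookups are exact string matches, which is why the slide insists on RFC 2253 form: the same DN serialized two ways (slash form versus comma form, or different attribute order) would silently fail to map, and a sloppy normalization could map two different DNs onto one principal.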

Slide 85: GridShib Attribute Pull, Step 4
The Grid SP parses the attribute assertion and performs the requested service
A generalized attribute framework is being developed for GT
A response is returned to the Grid Client
(diagram: steps 1 through 4; Grid SP back to Client)

Slide 86: Future Work
Solve the IdP Discovery problem
– Implement shib-proxy-init
Implement DB-based name mapping
Provide name mapping maintenance tools (for administrators)
Design an interactive name registry service (for users)
Devise metadata repositories and tools

Slide 87: Shib Browser Profile
Consider a Shib browser profile stripped to its bare essentials
Authentication and attribute assertions are produced at steps 2 and 5, respectively
The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step 4
(diagram: steps 1 through 6 among the Client, the IdP and the SP)

Slide 88: GridShib Non-Browser Profile
Replace the SP with a Grid SP and the browser client with a non-browser client
Three problems arise:
– Client must possess X.509 credential to authenticate to Grid SP
– Grid SP needs to know what IdP to query (IdP Discovery)
– The IdP must map the SAML Subject to a local principal
(diagram: Client, Grid SP, IdP)

Slide 89: The Role of MyProxy
Consider a new grid user instead of the established grid user
For a new grid user, we are led to a significantly different solution
Obviously, we must issue an X.509 credential to a new grid user
A short-lived credential is preferred
Enter MyProxy Online CA...

Slide 90: MyProxy-first Attribute Pull
MyProxy with Online CA
MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC
IdP collocated with MyProxy
(diagram: steps 1 through 6 among the Client, MyProxy, the IdP and the Grid SP)

Slide 91: MyProxy-first Advantages
Relatively easy to implement
Requires only one round trip by the client
Requires no modifications to the Shib IdP
Requires no modifications to the Client
Supports multiple authentication mechanisms out-of-the-box
Uses transparent, persistent identifiers:
– No coordination of timeouts necessary
– Mapping to local principal is straightforward

Slide 92: IdP-first Non-Browser Profiles
The IdP-first profiles require no shared state between MyProxy and the IdP
Supports separate security domains
Leverages existing name identifier mappings at the IdP
IdP-first profiles may be used with either Attribute Pull or Attribute Push

Slide 93: Attribute Pull or Push?
(diagram: in Pull, the Grid SP requests the user's attributes from the AA; in Push, the user obtains attributes from the AA and presents them to the Grid SP)

Slide 94: IdP-first Attribute Pull
MyProxy with Online CA
MyProxy consumes and produces SAML authN assertions
The Client authenticates to MyProxy with a SAML authN assertion
(diagram: steps 1 through 8 among the Client, the IdP, MyProxy and the Grid SP)

Slide 95: IdP-first Attribute Push
The IdP "pushes" an attribute assertion to the Client
The Client authenticates to MyProxy with a SAML authN assertion
MyProxy consumes both SAML authN and attribute assertions
(diagram: steps 1 through 6 among the Client, the IdP, MyProxy and the Grid SP)

Slide 96: IdP-first Advantages
Since IdP controls both ends of the flow:
– Mapping NameIdentifier to a local principal is straightforward
– Choice of NameIdentifier format is left to the IdP
Attribute push simplifies IdP config and trust relationships
Reusable by grid portal use case

Slide 97: Conclusion
Globus Toolkit is the de facto standard software solution for grids
Shibboleth is a popular approach to federated identity management
GridShib leverages existing Shibboleth deployments to add attribute-based authorization to Globus Toolkit

Slide 98: Questions?
GridShib web site: http://gridshib.globus.org/
Tom Scavo, trscavo@ncsa.uiuc.edu
Von Welch, vwelch@ncsa.uiuc.edu
Thank You!

