Page 1: GridShib CIP Seminar December 6th, 2005 Tom Scavo trscavo@ncsa.uiuc.edu Von Welch vwelch@ncsa.uiuc.edu NCSA

GridShib CIP Seminar

December 6th, 2005

Tom Scavo
trscavo@ncsa.uiuc.edu

Von Welch
vwelch@ncsa.uiuc.edu

NCSA

Page 2: (Dec. 6th, 2005, CIP GridShib Seminar)

What is GridShib

• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under the NSF NMI program
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth design team

Page 3: Outline

• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Page 4: The single system story

[Figure: a single system; each user has one password for it]

Page 5: Along came more systems…

[Figure: more systems, each with its own password]

Page 6: And more passwords…

[Figure: one user, a different password per system: Password, MyDogsName, drowssap, pAsSwOrD, Pass-wurd]

Page 7: Enterprise Authentication

• Central authentication for a number of systems in an organization
  – Simply put, one central authority at a site for your password instead of each computer having its own.
• A number of systems exist:
  – Kerberos, Windows Domains, Radius, NIS, LDAP, etc.

Page 8: Enterprise Auth

[Figure: one password, checked by a central site authority, for all of the site's systems]

Page 9: Ok, the world is good now?

• Well, it’s better, inside a single organization at least.
• But what happens when you want to log in somewhere else?

Page 10: Along come other sites…

[Figure: the user now also has accounts at NCSA, SDSC and other sites, each with its own password]

Page 11: And more passwords…

[Figure: a different password per site: Password, Pa55w0rd, Sesame, PrettyPlease, KnockKnock]

Page 12: And then came the Web…

[Figure: on top of the site passwords, web accounts at Amazon, Ebay, NYTimes, MyBank, AA.com, travelocity and Gmail, with passwords such as s3cr3t and mypass each reused at more than one site]

Page 13: Inter-site authentication

• All this created a huge usability problem for users
  – Multiple passwords hard to manage
  – Cumbersome to enter passwords over and over
• A number of approaches have been tried to solve these problems
  – Both in the web and computing worlds
• We present a brief survey here
  – Start with the computing world…

Page 14: Site-to-Site Federations

• Sites agree to couple their authentication systems
  – E.g., Kerberos, Radius
• Works but is difficult
  – Requires interoperable site authentication systems
  – Requires sites to agree at the highest level - since some systems like Kerberos are used for the most trusted assets, this can be hard.

Page 15: SSH Public keys

• SSH allows a user to establish their own keys that they can use to log into any computer
• The user establishes their own network of trust
• Works well, but
  – Requires sites to support SSH
    • Much easier than Kerberos
  – User-managed
  – Keys must be everywhere for this to work
  – If a key is compromised, how do we clean up? How do we even know?

Page 16: X509 Certificates

• E.g., Grid
• Each user gets a private key and a global identity
• A certificate lets a key be replaced or lost while the identity persists
• But…
  – Still user-managed keys as with SSH
  – Getting certificates can be a pain

Page 17: Online X509 Certificate Authorities

• Started for the web
  – U. Michigan KCA
• Now used in the Grid
  – KCA @ FNAL, MyProxy
• Turn local authentication into an X509 certificate that can be used globally
• Allows a site to federate by turning local authentication into a standard format (X509)

Page 18: Meanwhile, in the web…

Page 19: Microsoft Passport

• One authentication server for all users on the web that holds their password
• Major sociological issues
  – No one wants to trust Microsoft to hold their password to everything
  – No one wants Microsoft to know what web sites they are using
• Probably there is no single entity that would be trusted

Page 20: Liberty Alliance

• In response to Passport…
• Allows users to link their accounts together
  – E.g., I can say vwelch@Ebay is also vonwelch@amazon is also vsw@paypal
• I log into one site, it can tell others I’ve logged in and they don’t have to re-authenticate me
• Was strong motivation for SAML

Page 21: Shibboleth

• From the higher-education community
• Motivated by university users wanting access to databases and online libraries
• Allows a site to express local authentication in a standard format (SAML)
• Also allows a site to express attributes about the user in a standard format (eduPerson)
  – E.g., student, professor, department
• Growing adoption; federations of sites that allow cross-site authentication

Page 22: Summary

• There has been an explosion of passwords as more systems and web services have emerged
• Intra-site authentication is largely well controlled with various solutions, but inter-site is still unsolved
• Both the web and computing communities have come up with solutions

Page 23: Outline

• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Page 24: Attribute-based authorization

• So far we’ve talked about identity-based authorization
  – E.g., vwelch can access this web page/computer/bank account/etc.
  – Authentication - establishing who you are
  – Authorization - establishing you are allowed to do something
• This works well when you are providing a service to a relatively small number of people

Page 25: Attribute-based authorization

• Often it’s more scalable to talk about authorization based on attributes
  – E.g., Any NCSA staff member can access this web page
  – E.g., Any UIUC staff or student can use the library
• So often the process is authentication (who), establish attributes (what), and use those attributes to decide if something is allowed

Page 26: Outline

• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Page 27: Grid Security: The Grid Security Infrastructure

• The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources.
• Based on a public key infrastructure, with certificate authorities and X509 certificates

Page 28: GSI: Credentials

• In the GSI system each user has a set of credentials they use to prove their identity on the grid
  – Consists of an X509 certificate and private key
• The long-term private key is kept encrypted with a pass phrase
  – Good for security, inconvenient for repeated usage
  – In practice the pass phrase is entered once to create a short-lived proxy certificate (grid-proxy-init, see the GridShib use cases later), and the proxy is then presented to services without a pass phrase

Page 29: Certificates

• An X.509 certificate binds a public key to a name
• It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)

[Figure: certificate fields: Name, Issuer, Public Key, Signature]

Page 30: Certificates

• Similar to a passport or driver’s license

[Figure: an Illinois driver’s license for John Doe (address, date of birth, physical description, State of Illinois seal) side by side with a certificate (Name, Issuer, Public Key, Signature)]

Page 31: Certificates

• By checking the signature, one can determine that a public key belongs to a given user, provided the Issuer’s own key is trusted (next slide).

[Figure: the verifier hashes the certificate contents (Name, Issuer, Public Key), decrypts the Signature with the Issuer’s public key, and checks that the two values are equal]

Page 32: Certificate Authorities (CAs)

• A Certificate Authority is an entity that exists only to sign user certificates
• The CA signs its own certificate, which is distributed in a trusted manner

[Figure: self-signed CA certificate: Name: CA, Issuer: CA, CA’s Public Key, CA’s Signature]

Page 33: Grid CAs

• There are a large number of Grid CAs
  – http://www.gridpma.org/
• Currently this is an X509 system that users may join by getting a certificate
  – This X509 system is independent of the user’s local authentication system

Page 34: Grid Online CAs

• Usability issues with user-managed certificates have driven interest in online CAs
  – E.g., FNAL, NERSC, KCA, MyProxy
• This may lead to a federated style of authentication

Page 35: Outline

• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Page 36: What is Shibboleth?

• Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy
• Shibboleth is simultaneously:
  1. A project
  2. A specification
  3. An implementation

Page 37: Shibboleth Project

• Shibboleth, a project of Internet2-MACE:
  – Advocates a federated identity management policy framework focused on user privacy
  – Develops middleware architectures to facilitate inter-institutional attribute sharing
  – Manages an open source reference implementation of the Shibboleth spec
• Shibboleth has made significant contributions to the SAML-based identity management space

Page 38: Collaborations

[Figure: Shibboleth at the center, linked to Internet2, E-Auth, Liberty, Vendors, OASIS and Educause]

Page 39: Shibboleth Specification

• Shibboleth is an extension of the SAML 1.1 browser profiles:
  – Shibboleth Browser/POST Profile
  – Shibboleth Browser/Artifact Profile
  – Shibboleth Attribute Exchange Profile
• See the Shibboleth spec for details: S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.

Page 40: Shibboleth Implementation

• The Shibboleth implementation consists of two components:
  1. Shibboleth Identity Provider
  2. Shibboleth Service Provider
• The Identity Provider is a J2EE webapp
• The Service Provider is a C++ Apache module
  – A pure Java Service Provider is in beta

Page 41: The Shibboleth Wiki

• For example, the Shibboleth wiki (hosted at ohio-state.edu) is “shibbolized”: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
• To edit wiki pages, a user must be known to the wiki
• Users have wikiNames but do not have wiki passwords
• Users log into their home institution, which asserts user identity to the wiki

Page 42: (image only; no text on this slide)

Page 43: Shib Browser Profile

• The user clicks the link “Login via InQueue IdP”
• This initiates a sequence of steps known as the Shibboleth Browser Profile

[Figure: message flow, steps 1–8, among CLIENT, InQueue, UIUC (the IdP) and OSU (the SP)]

Page 44: (image only; no text on this slide)

Page 45: Shib Browser Profile

• InQueue provides a “Where Are You From?” service
• The user chooses their preferred identity provider from a menu

[Figure: the same flow diagram, steps 1–8 among CLIENT, InQueue, UIUC and OSU]

Page 46: (image only; no text on this slide)

Page 47: Shib Browser Profile

• The user is redirected to the UIUC login page
• After login, the user is issued a SAML assertion and redirected back to the wiki

[Figure: the same flow diagram, steps 1–8 among CLIENT, InQueue, UIUC and OSU]

Page 48: (image only; no text on this slide)

Page 49: Shib Browser Profile

• After validating the assertion, the wiki@OSU retrieves user attributes via back-channel Shib attribute exchange

[Figure: the same flow diagram, steps 1–8 among CLIENT, InQueue, UIUC and OSU]

Page 50: Asserting Identity

• Initially, the user is unknown to the wiki
• After querying the home institution, the wiki knows the user’s identity
• “trscavo-uiuc.edu” is wiki-speak for trscavo@uiuc.edu
• The latter is an eduPersonPrincipalName, an identity attribute asserted by the user’s home institution

Page 51: OpenIdP.org

• By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
• Other users can register at openidp.org, which is a zero-admin Shibboleth IdP
• The openidp asserts an alternate form of identity (email addresses as opposed to eduPersonPrincipalName)

Page 52: The Actors

• Identity Provider
  – The Identity Provider (IdP) creates, maintains, and manages user identity
  – A Shibboleth IdP produces SAML assertions
• Service Provider
  – The Service Provider (SP) controls access to services and resources
  – A Shibboleth SP consumes SAML assertions

[Figure: Identity Provider (Authentication Authority, Attribute Authority, SSO Service, Artifact Resolution Service) and Service Provider (Assertion Consumer Service, Attribute Requester, Resource)]

Page 53: Shib SSO Profiles

• Shibboleth SSO profiles are SP-first
• Shibboleth specifies an Authentication Request Profile
• Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile
• Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile

Page 54: Shib AuthN Request Profile

• A Shibboleth authentication request is an ordinary GET request:

  https://idp.org/shibboleth/SSO?
    providerId=https://sp.org/shibboleth/&
    shire=https://sp.org/shibboleth/SSO&
    target=https://sp.org/myresource&
    time=1102260120

• The client is redirected to this location after requesting a protected resource at the SP without a security context
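The request above in code, as an added example that is not part of the slides or of the Shibboleth software: the SP builds the redirect URL, and the IdP parses it and refuses to answer unless the shire is an endpoint registered for that providerId in federation metadata (the check that keeps an assertion from being posted to a URL of the requester's choosing), the shire is https, and the time value is fresh. The SP_METADATA table, the MAX_SKEW_SECONDS window, and treating time as optional are assumptions made for this example, standing in for real federation metadata and IdP policy.

```python
"""Added example (not from the slides or the Shibboleth code base):
build a Shibboleth 1.x authentication request (SP side) and validate
it against registered SP metadata before answering it (IdP side).
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed stand-in for federation metadata: providerId -> registered shire URLs.
SP_METADATA = {
    "https://sp.org/shibboleth/": {"https://sp.org/shibboleth/SSO"},
}
MAX_SKEW_SECONDS = 300  # assumed freshness window for the 'time' parameter


def build_authn_request(idp_sso_url, provider_id, shire, target, now):
    """SP side: the URL the browser is redirected to (a plain GET)."""
    params = {"providerId": provider_id, "shire": shire,
              "target": target, "time": str(int(now))}
    return f"{idp_sso_url}?{urlencode(params)}"


def validate_authn_request(url, now, metadata=SP_METADATA,
                           max_skew=MAX_SKEW_SECONDS):
    """IdP side: parse the request and return (providerId, shire, target).
    Raises ValueError for any request that must not be answered."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    try:
        provider_id = qs["providerId"][0]
        shire = qs["shire"][0]
        target = qs["target"][0]
    except KeyError as missing:
        raise ValueError(f"missing parameter {missing}") from None

    registered = metadata.get(provider_id)
    if registered is None:
        raise ValueError(f"unknown providerId {provider_id!r}")
    if shire not in registered:
        # Never post an assertion to an endpoint the SP did not register.
        raise ValueError(f"shire {shire!r} is not registered for {provider_id!r}")
    if urlsplit(shire).scheme != "https":
        raise ValueError("shire must be an https URL")

    # 'time' is treated as optional here (assumption); when present, enforce freshness.
    if "time" in qs:
        try:
            issued = int(qs["time"][0])
        except ValueError:
            raise ValueError("time is not an integer") from None
        if abs(int(now) - issued) > max_skew:
            raise ValueError("request is stale or from the future")
    return provider_id, shire, target


def is_valid_authn_request(url, now, metadata=SP_METADATA):
    """Boolean convenience wrapper around validate_authn_request."""
    try:
        validate_authn_request(url, now, metadata)
        return True
    except ValueError:
        return False
```

The target parameter is passed through untouched because the IdP returns it to the SP in the POST; it is the SP, not the IdP, that must treat it as an untrusted relay-state value.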

Page 55: Shib Browser/POST Profile

• Browser/POST is an SP-first profile
• The IdP produces an assertion at step 4, which the SP consumes at step 5

[Figure: steps 1–8 among CLIENT, Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and Service Provider (Assertion Consumer Service, Resource)]

Page 56: Shib Attribute Exchange

• A Shibboleth SP often queries an IdP for attributes after validating an authN assertion
• An opaque, transient identifier called a handle is embedded in the authN assertion
• The SP sends a SAML AttributeQuery message with the handle attached

Page 57: Browser/POST Profile

• The first 5 steps of this profile are identical to ordinary Browser/POST
• Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange

[Figure: steps 1–10 among CLIENT, Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and Service Provider (Assertion Consumer Service, Attribute Requester, Resource); steps 6–7 are the back-channel exchange between the Attribute Requester and the Attribute Authority]

Page 58: Directory Schema

• Neither Shibboleth nor SAML defines any attributes per se
• It is left to individual deployments to define their own attributes
• A standard approach to user attributes is crucial
• Without such standards, interoperability is impossible

Page 59: eduPerson

• Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson
• The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798]
• Approximately 40 attributes have been defined by InCommon as common identity attributes

Page 60: InCommon Attributes

• InCommon’s 6 “highly recommended” attributes:

  Attribute Name              Attribute Value
  givenName                   Mary
  sn (surname)                Smith
  cn (common name)            Mary Smith
  eduPersonScopedAffiliation  affiliation@scope (the example value is redacted in this transcript)
  eduPersonPrincipalName      user@scope (the example value is redacted in this transcript)
  eduPersonTargetedID         ?

  (eduPersonTargetedID does not have a precise value syntax)

Page 61: Outline

• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Page 62: What is GridShib?

• GridShib enables secure attribute sharing between Grid virtual organizations and higher-educational institutions
• The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®
• GridShib adds attribute-based authorization to the Globus Toolkit

Page 63: Motivation

• Large scientific projects have spawned Virtual Organizations (VOs)
• The cyberinfrastructure and software systems to support VOs are called grids
• Globus Toolkit is the de facto standard software solution for grids
• Grid Security Infrastructure provides basic security services…but does it scale?

Page 64: Tale of Two Technologies

[Figure: a Grid Client sits between the Globus Toolkit (Grid Security Infrastructure, X.509) and a Shibboleth Federation (Shibboleth, SAML); GridShib bridges Grid/X.509 with Shib/SAML]

Page 65: Grid Authentication

• Globus Toolkit provides authentication services via X.509
• When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
• GridShib leverages the existing authentication mechanisms in GT

Page 66: Grid Authorization

• Today, Globus Toolkit provides identity-based authorization mechanisms:
  – A list of identities (DNs) allowed to use a service or container
  – A mapping of identities to local accounts (in grid-mapfiles) for job submission
• GridShib hopes to augment identity-based authorization with attribute-based authorization

Page 67: GT Authorization Framework

• Work is underway to develop and enhance the authorization framework in Globus Toolkit
  – Siebenlist et al. at Argonne
  – Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
• Work in the OGSA-Authz WG to allow for callouts to third-party authorization services
  – E.g., PERMIS
• Convert attributes (SAML or X.509) into a common format for policy evaluation
  – XACML-based

Page 68: Why Shibboleth?

• What does Shibboleth bring to the table?
  – A large (and growing) installed base
  – A standards-based, open source implementation
  – A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Page 69: Shibboleth Federations

• A federation
  – Provides a common trust and policy framework
  – Issues credentials and distributes metadata
  – Provides discovery services for SPs
• Shibboleth-based federations:
  – InCommon (23 members)
  – InQueue (157 members)
  – SDSS (30 members)
  – SWITCH (23 members)
  – HAKA (8 members)

Page 70: InCommon Federation

(image only; no further text on this slide)

Page 71: Use Cases

• There are three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
• Initial efforts have concentrated on the established grid user (i.e., a user with existing long-term X.509 credentials)

Page 72: Established Grid User

• User possesses an X.509 end entity certificate
• User may or may not use a MyProxy Server to manage X.509 credentials
• User authenticates to the Grid SP with a proxy certificate (grid-proxy-init)
• The current GridShib implementation addresses this use case

Page 73: New Grid User

• User does not possess an X.509 end entity certificate
• User relies on a MyProxy Online CA to issue short-lived X.509 certificates
• User authenticates to the Grid SP using the short-lived X.509 credential
• Emerging GridShib Non-Browser Profiles address this use case

Page 74: Portal Grid User

• User does not possess an X.509 cert
• User accesses the Grid SP via a browser interface, that is, the client delegates to a web application, which requests a service at the Grid SP on the user’s behalf
• MyProxy issues a short-lived X.509 certificate via a back-channel exchange
• GridShib Browser Profiles apply

Page 75: Software Components

• GridShib for Globus Toolkit
  – A plugin for GT 4.0
• GridShib for Shibboleth
  – A plugin for the Shibboleth 1.3 IdP
• Shibboleth IdP Tester
  – A test application for the Shibboleth 1.3 IdP
• Visit the GridShib Download page: http://gridshib.globus.org/download.html

Page 76: The Actors

• Standard (non-browser) Grid Client
• Globus Toolkit with GridShib installed (which we call a “Grid SP”)
• Shibboleth IdP with GridShib installed

[Figure: CLIENT, Grid SP and IdP]

Page 77: GridShib Attribute Pull Profile

• In the current implementation, a Grid SP “pulls” attributes from a Shib IdP
• The Client is assumed to have an account (i.e., a local principal name) at the IdP
• The Grid SP and the IdP have each been assigned a unique identifier (providerId)

[Figure: steps 1–4 among CLIENT, Grid SP and IdP]

Page 78: GridShib Attribute Pull Step 1

• The Grid Client requests a service at the Grid SP
• The Client presents a standard proxy certificate to the Grid SP
• The Client also provides a pointer to its preferred IdP

[Figure: step 1, CLIENT to Grid SP]

Page 79: IdP Discovery

• The Grid SP needs to know the Client’s preferred IdP
• One approach is to embed the IdP providerId in the proxy certificate
• This requires modifications to the MyProxy client software, however
• Currently the IdP providerId is configured into the Grid SP

Page 80: GridShib Attribute Pull Step 2

• The Grid SP authenticates the Client and extracts the DN from the proxy cert (the end-entity DN, without the proxy’s own CN component, so that it matches the name the IdP knows; compare the query on the next slide)
• The Grid SP queries the Attribute Authority (AA) at the IdP

[Figure: steps 1–2, CLIENT to Grid SP, Grid SP to IdP]

Page 81: Attribute Query

• The Grid SP formulates a SAML attribute query:

  <samlp:AttributeQuery Resource="https://globus.org/gridshib">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="http://idp.uchicago.edu/shibboleth">
        CN=GridShib,OU=NCSA,O=UIUC
      </saml:NameIdentifier>
    </saml:Subject>
    <!-- AttributeDesignator here -->
  </samlp:AttributeQuery>

• The Resource attribute is the Grid SP providerId
• The NameQualifier attribute is the IdP providerId
• The NameIdentifier is the DN from the proxy cert
• Zero or more AttributeDesignator elements call out the desired attributes


GridShib Attribute Pull Step 3
• The AA authenticates the requester and returns an attribute assertion to the Grid SP
• The assertion is subject to Attribute Release Policy (ARP)

[Diagram: steps 1 to 3 of the attribute pull sequence, CLIENT to Grid SP, Grid SP to IdP, IdP back to Grid SP]


Attribute Assertion
• The assertion contains an attribute statement:

    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="http://idp.uchicago.edu/shibboleth">
          CN=GridShib,OU=NCSA,O=UIUC
        </saml:NameIdentifier>
      </saml:Subject>
      <saml:Attribute
          AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

• The Subject is identical to the Subject of the query
• Attributes may be single-valued or multi-valued
• Attributes may be scoped (a value qualified by a domain, written value@domain)


Name Mapping
• An IdP does not issue X.509 certs so it has no prior knowledge of the DN
• Solution: Create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP)

    # Default name mapping file
    CN=GridShib,OU=NCSA,O=UIUC gridshib
    "CN=some user,OU=People,DC=doegrids" test

• The DN must conform to RFC 2253
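As an added example (not part of the original slides and not the GridShib or Shibboleth code), here is how an IdP could load a name mapping file in the format shown above and resolve the DN carried in a query's NameIdentifier to a local principal. The point the slide makes, that the DN must conform to RFC 2253, matters because the same DN can be written with different case in attribute types and different whitespace around separators; an exact string compare would silently fail to map such a subject. The canonicalisation below is a deliberately minimal reading of RFC 2253 (attribute types compared case-insensitively, whitespace around separators ignored, backslash escapes preserved, hex-encoded values not handled). The sample file, including the jdoe entry with an escaped comma, is constructed for this example.

```python
# Added example: name mapping at the IdP (DN -> local principal). Not GridShib code.
# File format follows the slide, like a grid-mapfile: one "DN principal" pair per
# line, the DN double-quoted when it contains spaces, '#' starts a comment.


def split_unescaped(s, sep):
    """Split s on sep while honouring RFC 2253 backslash escapes ('O=Acme\\, Inc')."""
    parts, cur, i = [], [], 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):   # keep the escape and the escaped char
            cur.append(ch)
            cur.append(s[i + 1])
            i += 2
            continue
        if ch == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def canonical_dn(dn):
    """Comparison form of an RFC 2253 DN: attribute types upper-cased, whitespace
    around ',', '+' and '=' dropped, values kept verbatim (they are generally
    case-sensitive). Hex-encoded (#...) values and the ordering of multi-valued
    RDNs are deliberately not handled; a production IdP needs a full DN parser.
    Raises ValueError for a string that is not of the form type=value[,...]."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, eq, value = ava.partition("=")
            if not eq or not attr_type.strip():
                raise ValueError(f"not an RFC 2253 DN: {dn!r}")
            avas.append(f"{attr_type.strip().upper()}={value.strip()}")
        rdns.append("+".join(avas))
    return ",".join(rdns)


def parse_name_mapping(text):
    """Parse the mapping file into {canonical DN: local principal}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):                 # quoted DN, may contain spaces
            end = line.find('"', 1)
            if end < 0:
                raise ValueError(f"unterminated quote: {raw!r}")
            dn, rest = line[1:end], line[end + 1:]
        else:
            fields = line.split(None, 1)
            dn, rest = fields[0], (fields[1] if len(fields) > 1 else "")
        principal = rest.split()
        if len(principal) != 1:
            raise ValueError(f"expected exactly one principal: {raw!r}")
        mapping[canonical_dn(dn)] = principal[0]
    return mapping


def map_subject(mapping, dn):
    """Resolve the DN from a query's NameIdentifier. None means 'unknown
    subject'; the AA should then release nothing rather than guess."""
    return mapping.get(canonical_dn(dn))


# Constructed sample file: the two entries from the slide plus one with an
# escaped comma inside a value (raw string, so the backslash survives).
SAMPLE_MAPPING = r'''
# Default name mapping file
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"CN=Jane Doe,O=Acme\, Inc,C=US" jdoe
'''

if __name__ == "__main__":
    table = parse_name_mapping(SAMPLE_MAPPING)
    for dn in ("cn=GridShib, ou=NCSA, o=UIUC", "CN=Mallory,O=Elsewhere"):
        print(dn, "->", map_subject(table, dn))
```

Because the lookup key is the canonical form, the query can carry the DN exactly as the Grid SP extracted it from the proxy certificate, whatever spacing or case the issuing CA used, and an unmapped DN yields None rather than a spurious principal.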


GridShib Attribute Pull Step 4
• The Grid SP parses the attribute assertion and performs the requested service
• A generalized attribute framework is being developed for GT
• A response is returned to the Grid Client

[Diagram: steps 1 to 4 of the attribute pull sequence, ending with the Grid SP's response to the CLIENT]
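The following added example (not from the slides and not the GridShib or Globus code) walks Steps 2 to 4 of the pull profile from the Grid SP's side in Python: it builds the SAML 1.1 AttributeQuery shown earlier for the DN taken from the proxy certificate, parses the returned AttributeStatement, and makes an attribute-based decision. Two checks a practitioner would expect are included. The Subject of the assertion must match the queried (Format, NameQualifier, DN) triple exactly, since an assertion about someone else must not be applied to this client. And a scoped value whose Scope is not one the SP trusts the IdP for is discarded, which is how a Shibboleth SP treats scoped attributes (it takes the allowed scopes from the IdP's metadata; here they are a constructed set). The sample response, the eduPersonScopedAffiliation values and the policy are constructed for this example; verifying the signature on the assertion, which precedes all of this, is out of scope.

```python
# Added example: Grid SP side of GridShib attribute pull (Steps 2-4).
# Not GridShib/Globus code; standard library only.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(sp_provider_id, idp_provider_id, subject_dn, wanted=()):
    """Step 2: Resource is the SP providerId, NameQualifier the IdP providerId,
    the NameIdentifier is the DN from the proxy cert, and each wanted
    attribute becomes an AttributeDesignator."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=sp_provider_id)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                            Format=X509_FORMAT, NameQualifier=idp_provider_id)
    name_id.text = subject_dn
    for attr_name in wanted:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=attr_name, AttributeNamespace=SHIB_ATTR_NS)
    return ET.tostring(query, encoding="unicode")


def parse_attribute_statement(xml_text, queried_subject, allowed_scopes):
    """Steps 3-4: return {AttributeName: [values]} from the AA's response.
    The Subject must equal the (Format, NameQualifier, DN) triple the SP
    asked about; a value whose Scope is not in allowed_scopes is dropped."""
    root = ET.fromstring(xml_text.strip())
    stmt_tag = f"{{{SAML}}}AttributeStatement"
    stmt = root if root.tag == stmt_tag else root.find(f".//{stmt_tag}")
    if stmt is None:
        raise ValueError("response carries no AttributeStatement")
    name_id = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_id is None:
        raise ValueError("AttributeStatement has no NameIdentifier")
    got = (name_id.get("Format"), name_id.get("NameQualifier"), (name_id.text or "").strip())
    if got != tuple(queried_subject):
        raise ValueError(f"assertion subject {got} differs from the queried subject")
    attributes = {}
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        values = []
        for val in attr.findall(f"{{{SAML}}}AttributeValue"):
            text = (val.text or "").strip()
            scope = val.get("Scope")
            if scope is None:
                values.append(text)
            elif scope in allowed_scopes:
                values.append(f"{text}@{scope}")
            # a value carrying an untrusted Scope is discarded, not trusted
        attributes[attr.get("AttributeName")] = values
    return attributes


def is_authorized(attributes, policy):
    """Every attribute named in the policy must carry at least one acceptable
    value; an attribute withheld by the IdP's ARP simply fails the check."""
    return all(set(attributes.get(name, ())) & set(ok) for name, ok in policy.items())


QUERIED_SUBJECT = (X509_FORMAT, "http://idp.uchicago.edu/shibboleth", "CN=GridShib,OU=NCSA,O=UIUC")

# Constructed response: the slide's statement plus a scoped attribute with one
# trusted and one untrusted Scope. A real response is signed; verify it first.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}">
 <saml:AttributeStatement>
  <saml:Subject><saml:NameIdentifier Format="{X509_FORMAT}"
    NameQualifier="{QUERIED_SUBJECT[1]}"> {QUERIED_SUBJECT[2]} </saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="{AFFILIATION}" AttributeNamespace="{SHIB_ATTR_NS}">
   <saml:AttributeValue>member</saml:AttributeValue>
   <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="{SCOPED_AFFILIATION}" AttributeNamespace="{SHIB_ATTR_NS}">
   <saml:AttributeValue Scope="uchicago.edu">member</saml:AttributeValue>
   <saml:AttributeValue Scope="other.example">faculty</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def run_pull():
    """One complete pull for the slide's subject: (query XML, attributes, decision)."""
    query = build_attribute_query("https://globus.org/gridshib", QUERIED_SUBJECT[1],
                                  QUERIED_SUBJECT[2], [AFFILIATION, SCOPED_AFFILIATION])
    attrs = parse_attribute_statement(SAMPLE_ASSERTION, QUERIED_SUBJECT, {"uchicago.edu"})
    return query, attrs, is_authorized(attrs, {AFFILIATION: {"member"}})


if __name__ == "__main__":
    q, a, d = run_pull()
    print(q)
    print(a)
    print("authorized:", d)
```

With the constructed response the SP keeps member and student for eduPersonAffiliation, keeps member@uchicago.edu but drops the faculty value scoped to other.example, and grants access because the policy asks for an affiliation of member. Changing the queried DN to any other subject makes the parse raise rather than apply the assertion to the wrong client.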


Future Work
• Solve the IdP Discovery problem
  – Implement shib-proxy-init
• Implement DB-based name mapping
• Provide name mapping maintenance tools (for administrators)
• Design an interactive name registry service (for users)
• Devise metadata repositories and tools


Shib Browser Profile
• Consider a Shib browser profile stripped to its bare essentials
• Authentication and attribute assertions are produced at steps 2 and 5, resp.
• The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step 4

[Diagram: browser profile, steps 1 to 6 among CLIENT, SP and IdP]


GridShib Non-Browser Profile
• Replace the SP with a Grid SP and the browser client with a non-browser client
• Three problems arise:
  – Client must possess an X.509 credential to authenticate to the Grid SP
  – Grid SP needs to know what IdP to query (IdP Discovery)
  – The IdP must map the SAML Subject to a local principal

[Diagram: CLIENT, Grid SP and IdP]


The Role of MyProxy
• Consider a new grid user instead of the established grid user
• For a new grid user, we are led to a significantly different solution
• Obviously, we must issue an X.509 credential to a new grid user
• A short-lived credential is preferred
• Enter MyProxy Online CA…


MyProxy-first Attribute Pull
• MyProxy with Online CA
• MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC (end entity certificate)
• IdP collocated with MyProxy

[Diagram: MyProxy-first attribute pull, steps 1 to 6 among CLIENT, MyProxy, Grid SP and IdP]


MyProxy-first Advantages
• Relatively easy to implement
• Requires only one round trip by the client
• Requires no modifications to the Shib IdP
• Requires no modifications to the Client
• Supports multiple authentication mechanisms out-of-the-box
• Uses transparent, persistent identifiers:
  – No coordination of timeouts necessary
  – Mapping to local principal is straightforward


IdP-first Non-Browser Profiles
• The IdP-first profiles require no shared state between MyProxy and the IdP
• They support separate security domains
• They leverage existing name identifier mappings at the IdP
• IdP-first profiles may be used with either Attribute Pull or Attribute Push


Attribute Pull or Push?

[Diagram: Pull (the Grid SP requests the attributes from the AA) versus Push (the user requests the attributes from the AA and presents them to the Grid SP)]


IdP-first Attribute Pull
• MyProxy with Online CA
• MyProxy consumes and produces SAML authN assertions
• The Client authenticates to MyProxy with a SAML authN assertion

[Diagram: IdP-first attribute pull, steps 1 to 8 among CLIENT, MyProxy, Grid SP and IdP]


IdP-first Attribute Push
• The IdP “pushes” an attribute assertion to the Client
• The Client authenticates to MyProxy with a SAML authN assertion
• MyProxy consumes both SAML authN and attribute assertions

[Diagram: IdP-first attribute push, steps 1 to 6 among CLIENT, MyProxy, Grid SP and IdP]


IdP-first Advantages
• Since the IdP controls both ends of the flow:
  – Mapping NameIdentifier to a local principal is straightforward
  – Choice of NameIdentifier format is left to the IdP
• Attribute push simplifies IdP config and trust relationships
• Reusable by the grid portal use case


Conclusion
• Globus Toolkit is the de facto standard software solution for grids
• Shibboleth is a popular approach to federated identity management
• GridShib leverages existing Shibboleth deployments to add attribute-based authorization to Globus Toolkit


Questions?
• GridShib web site: http://gridshib.globus.org/
• Tom Scavo, trscavo@ncsa.uiuc.edu
• Von Welch, vwelch@ncsa.uiuc.edu

Thank You!