GridShib: Grid/Shibboleth Interoperability September 14, 2006 Washington, DC Tom Barton, Tim...

Post on 02-Jan-2016


GridShib: Grid/Shibboleth Interoperability

September 14, 2006, Washington, DC

Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

2

Acknowledgments

GridShib is a project funded by the NSF Middleware Initiative NMI awards 0438424 and 0438385

Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Also many thanks to Internet2

3

GridShib Goals

- Allow the Grid to scale by leveraging existing campus identity management (IdM)
  - Shibboleth has the potential to become the interface to campus IdM systems
- Make joining the Grid as easy as possible for users
  - No new passwords, certificates, etc.
- Allow campus attributes to be used by the Grid

Some background

5

Grid Authentication

Globus Toolkit provides authentication services via X.509 credentials

When requesting a service, the user presents an X.509 certificate, usually a proxy certificate

GridShib leverages the existing authentication mechanisms in GT

6

Grid Authorization

- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identity (e.g., Unix logins)
  - Community Authorization Service (CAS)
- Some attribute-based authorization has appeared and is proving useful, e.g. VOMS

7

Shibboleth

- Allows for inter-organization access to web resources
- Exposes campus identity and attributes in a standard format
  - Based on SAML as defined by OASIS
  - Policies for attribute release and transient handles to allow privacy

8

Why Shibboleth?

What does Shibboleth bring to the table?

- A large (and growing) installed base on campuses around the world
- Professional development and support team
- A standards-based, open source implementation
- A standard attribute vocabulary (eduPerson)

9

GridShib Software Components

- GridShib for Globus Toolkit: a plugin for GT 4.0
- GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
- GridShib CA: a web-based CA for new grid users

10

GridShib for Globus Toolkit

GridShib for Globus Toolkit is a plugin for GT4

Features:

- SAML authentication consumer
- SAML attribute consumption
- Attribute-based access control
- Attribute-based local account mapping
- SAML metadata consumption
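The slides contrast the identity-based grid-mapfile (DN to local login) with the attribute-based access control and local account mapping that GridShib for GT adds. The following is an added example, not GridShib or Globus Toolkit code: it parses the grid-mapfile format (a double-quoted subject DN followed by comma-separated local account names) and then applies a constructed attribute policy over multi-valued SAML attributes using eduPerson attribute names. The policy shape, the entitlement URN, the DNs and the account names are all constructed for illustration.

```python
"""Added example, not GridShib or Globus Toolkit code: identity-based
(grid-mapfile) versus attribute-based authorization for a Grid service."""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed grid-mapfile contents: quoted subject DN, then local account(s).
SAMPLE_GRIDMAP = """
# subject DN                                         local account(s)
"/C=US/O=Example Campus/OU=Physics/CN=Alice Example" alice
"/C=US/O=Example Campus/OU=Chem/CN=Bob Example"      bob,chemgrp
"""


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {subject DN: [local accounts]} from grid-mapfile text.
    '#' comments and blank lines are ignored."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # shlex keeps the quoted DN (which contains spaces) as one token
        parts = shlex.split(line)
        if len(parts) < 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        accounts = [a for a in ",".join(parts[1:]).split(",") if a]
        mapping[parts[0]] = accounts
    return mapping


def identity_authorize(gridmap: Dict[str, List[str]], subject_dn: str) -> Optional[str]:
    """Identity-based decision: an unlisted DN is denied (None); a listed DN
    is mapped to its first (default) local account."""
    accounts = gridmap.get(subject_dn)
    return accounts[0] if accounts else None


@dataclass
class AttributePolicy:
    """Constructed policy shape: every attribute named in `required` must carry
    at least one acceptable value; the first matching rule picks the account."""
    required: Dict[str, Set[str]]
    # (attribute name, attribute value, local account)
    account_rules: List[Tuple[str, str, str]] = field(default_factory=list)
    default_account: Optional[str] = None


def authorize_by_attributes(policy: AttributePolicy,
                            attrs: Dict[str, List[str]]) -> Optional[str]:
    """Attribute-based access control plus local account mapping.
    `attrs` holds the multi-valued SAML attributes received for the subject."""
    for name, acceptable in policy.required.items():
        if not set(attrs.get(name, ())) & acceptable:
            return None  # access denied: required attribute missing or unacceptable
    for attr, value, account in policy.account_rules:
        if value in attrs.get(attr, ()):
            return account
    return policy.default_account


# Constructed sample policy using eduPerson attribute names (the URN is made up).
SAMPLE_POLICY = AttributePolicy(
    required={"eduPersonAffiliation": {"faculty", "staff", "student"}},
    account_rules=[
        ("eduPersonEntitlement", "urn:example:grid:admin", "gridadmin"),
        ("eduPersonAffiliation", "faculty", "faculty"),
        ("eduPersonAffiliation", "student", "student"),
    ],
    default_account="gridguest",
)

if __name__ == "__main__":
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    print(identity_authorize(gridmap, "/C=US/O=Example Campus/OU=Physics/CN=Alice Example"))
    print(authorize_by_attributes(SAMPLE_POLICY, {"eduPersonAffiliation": ["student"]}))
```

The identity-based path needs a grid-mapfile entry per user, which is what limits scaling; the attribute-based path never sees the DN at all and can admit a whole campus population with one rule, so the policy, not a per-user list, becomes the thing to review.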

11

GridShib for Shibboleth

GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)

Features:

- Name Mapper
- SAML name identifier implementations (X509SubjectName, emailAddress, etc.)
- Certificate Registry

12

GridShib Name Mapper

- Users may be known by a number of names
- The Name Mapper (NameMapper) is a container for name mappings
- Multiple name mappings are supported:
  - File-based name mappings (NameMapFile)
  - DB-based name mappings (NameMapTable)

13

GridShib Certificate Registry

A Certificate Registry is integrated into GridShib for Shibboleth

An established grid user authenticates and registers an X.509 end-entity cert

The Registry binds the cert to the principal name and persists the binding in a database

On the backend, GridShib maps the DN in a query to a principal name in the DB
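The Name Mapper and Certificate Registry slides describe a container of name mappings (file-based and DB-based) and a registry that binds a user's X.509 DN to the principal name and resolves the DN back to that principal on later queries. The block below is an added example written for this page, not GridShib's own implementation: only the names NameMapFile, NameMapTable and NameMapper come from the slides; the file format, the SQLite schema, the registration check and all sample DNs and principals are constructed assumptions.

```python
"""Added example, not GridShib code: a minimal Name Mapper container and a
Certificate Registry that binds a cert's subject DN to a principal name."""
import sqlite3
from typing import Iterable, List, Optional, Protocol


class NameMapping(Protocol):
    """Interface every name mapping exposes: name -> principal, or None."""
    def lookup(self, name: str) -> Optional[str]: ...


class NameMapFile:
    """File-based mapping. Constructed format: '<name> <principal>' per line,
    '#' comments allowed. A name may contain spaces (e.g. a DN), so the
    principal is taken from the last whitespace-separated field."""

    def __init__(self, lines: Iterable[str]):
        self._map = {}
        for raw in lines:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.rsplit(None, 1)
            if len(parts) != 2:
                raise ValueError(f"malformed name map line: {raw!r}")
            self._map[parts[0]] = parts[1]

    def lookup(self, name: str) -> Optional[str]:
        return self._map.get(name)


class NameMapTable:
    """DB-based mapping backed by a SQLite table (constructed schema)."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.execute("CREATE TABLE IF NOT EXISTS name_map "
                     "(name TEXT PRIMARY KEY, principal TEXT NOT NULL)")

    def bind(self, name: str, principal: str) -> None:
        self.conn.execute("INSERT OR REPLACE INTO name_map (name, principal) VALUES (?, ?)",
                          (name, principal))

    def lookup(self, name: str) -> Optional[str]:
        row = self.conn.execute("SELECT principal FROM name_map WHERE name = ?",
                                (name,)).fetchone()
        return row[0] if row else None


class NameMapper:
    """Container for name mappings; the first mapping that knows the name wins."""

    def __init__(self, mappings: List[NameMapping]):
        self.mappings = list(mappings)

    def map_name(self, name: str) -> Optional[str]:
        for mapping in self.mappings:
            principal = mapping.lookup(name)
            if principal is not None:
                return principal
        return None


class CertificateRegistry:
    """Binds the subject DN of an end-entity cert to the principal who registered
    it. The principal is the one the IdP authenticated; it is never taken from
    the cert itself or from the request."""

    def __init__(self, table: NameMapTable):
        self.table = table

    def register(self, principal: str, subject_dn: str) -> None:
        if not subject_dn.startswith("/"):
            raise ValueError("expected an OpenSSL-style subject DN such as /C=US/O=.../CN=...")
        bound = self.table.lookup(subject_dn)
        if bound is not None and bound != principal:
            # Constructed safeguard: a DN already bound to one user cannot be
            # re-registered by another, so a later query cannot be redirected.
            raise ValueError("subject DN is already bound to a different principal")
        self.table.bind(subject_dn, principal)


def build_demo_mapper() -> NameMapper:
    """Constructed sample data: a file mapping for an email-style name plus a
    DB mapping populated through the Certificate Registry."""
    file_map = NameMapFile(["# email name -> campus principal",
                            "alice@example.edu aexample"])
    table = NameMapTable(sqlite3.connect(":memory:"))
    CertificateRegistry(table).register("aexample", "/C=US/O=Example Campus/CN=Alice Example")
    return NameMapper([file_map, table])


if __name__ == "__main__":
    mapper = build_demo_mapper()
    print(mapper.map_name("/C=US/O=Example Campus/CN=Alice Example"))  # aexample
```

On the backend, the DN carried in an attribute query is simply passed to `NameMapper.map_name`, and the principal it returns is what the IdP releases attributes for; the registry's refusal to rebind an already-bound DN is the check that keeps that resolution trustworthy.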

14

GridShib CA

The GridShib Certificate Authority is a web-based CA for new grid users

The GridShib CA is protected by a Shib SP and back-ended by the MyProxy Online CA

The CA issues short-term credentials suitable for authentication to a Grid SP

Credentials are downloaded to the desktop via Java Web Start

Example Deployments

16

nanoHub

- Nanotechnology portal
- Expose user attributes via Shib AA
- Use GridShib for GT to point the Grid at the nanoHub AA
- Allows for Grid authorization of nanoHub users based on nanoHub attributes

17

nanoHUB

[Diagram: nanoHUB deployment. Labels: nanoHUB Portal, AA, X.509 w/ SAML, Authn, "User authenticates to portal", SAML AttributeQuery]

18

TeraGrid Testbed

Work underway with the NSF TeraGrid project to build a testbed on Shibboleth and GridShib technologies

Goals:

- Allow for scalable access by leveraging campus authentication
- Allow for attribute-based authorization to define communities
- Ease of use for users

19

Testbed

20

GridShib-myVocs Integration

- myVocs developed by Gemmill @ UAB
- myVocs allows for VOs based on Shibboleth identities
- GridShib authorizes use of Grid services based on Shibboleth identities
- Integration allows for the creation and management of Grid VOs based on Shibboleth
- http://www.myvocs.org

21

Future Plans: Attribute Push

- Turning to attribute push
- Our observation is that most Grid use cases want:
  - Persistent Id from home institution
  - Attributes from VO
- A Shib/X.509 gateway is the natural point to collect attributes from the home institution, combine them with VO attributes and push them to the Grid
- The gateway could be the GridShib-CA or a domain portal, e.g. a TeraGrid Science Gateway

22

Summary

- GridShib has a number of tools for leveraging Shibboleth for the Grid
  - Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under Apache2 license

For more information and software: http://gridshib.globus.org, vwelch@ncsa.uiuc.edu, http://dev.globus.org/wiki/Incubator/GridShib