GridShib: Grid/Shibboleth Interoperability
September 14, 2006, Washington, DC
Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch
Acknowledgments
GridShib is a project funded by the NSF Middleware Initiative NMI awards 0438424 and 0438385
Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
Also many thanks to Internet2
GridShib Goals
Allow the Grid to scale by leveraging existing campus identity management (IdM)
Shibboleth has the potential to become the interface to campus IdM systems
Make joining the Grid as easy as possible for users: no new passwords, certificates, etc.
Allow campus attributes to be used by the Grid
Some background
Grid Authentication
Globus Toolkit provides authentication services via X.509 credentials
When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
GridShib leverages the existing authentication mechanisms in GT
Grid Authorization
Today, Globus Toolkit provides identity-based authorization mechanisms:
Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
Community Authorization Service (CAS)
Some attribute-based authorization has appeared and is proving useful, e.g. VOMS
Shibboleth
Allows for inter-organization access to web resources
Exposes campus identity and attributes in a standard format, based on SAML as defined by OASIS
Policies for attribute release and transient handles to allow privacy
Why Shibboleth?
What does Shibboleth bring to the table?
A large (and growing) installed base on campuses around the world
A professional development and support team
A standards-based, open source implementation
A standard attribute vocabulary (eduPerson)
GridShib Software Components
GridShib for Globus Toolkit: a plugin for GT 4.0
GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
GridShib CA: a web-based CA for new grid users
GridShib for Globus Toolkit
GridShib for Globus Toolkit is a plugin for GT4
Features:
SAML authentication consumer
SAML attribute consumption
Attribute-based access control
Attribute-based local account mapping
SAML metadata consumption
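An added example (not Globus Toolkit or GridShib code) that puts the two authorization models from the Grid Authorization slide and this one side by side: an identity-based grid-mapfile lookup, with the GSI proxy components stripped from the presented subject first, and an attribute-based fallback that both permits access and picks a local account. The grid-mapfile syntax (a double-quoted subject DN followed by one or more comma-separated local accounts) is the real Globus format; the policy rules, attribute values, DNs and account names are constructed for illustration.

```python
"""Identity- and attribute-based authorization for a Grid service.

Added example, not Globus Toolkit or GridShib code. The grid-mapfile
syntax is the real Globus one; the policy, attribute values, DNs and
account names below are constructed for illustration.
"""
import shlex

# Constructed sample grid-mapfile: identity-based ACL, DN -> local account(s).
SAMPLE_GRIDMAP = """
# comment lines and blank lines are ignored
"/C=US/O=Example/OU=People/CN=Jane Doe" jdoe,jane
"/C=US/O=Example/OU=People/CN=Pat O'Brien" pobrien
"""

# Constructed attribute policy: (attribute name, required value, local account).
# The attribute names use the eduPerson vocabulary; the accounts are hypothetical.
SAMPLE_POLICY = [
    ("urn:mace:dir:attribute-def:eduPersonAffiliation", "faculty", "nanohub-faculty"),
    ("urn:mace:dir:attribute-def:eduPersonEntitlement",
     "urn:mace:example.org:entitlement:grid-user", "nanohub-guest"),
]


def parse_gridmap(text):
    """Parse grid-mapfile text into {end-entity DN: [local accounts]}."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # respects the double-quoted DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, accounts = parts
        mapping.setdefault(dn, []).extend(a for a in accounts.split(",") if a)
    return mapping


def end_entity_subject(presented_dn):
    """Strip GSI proxy components from the presented certificate's subject.

    Legacy proxies append /CN=proxy or /CN=limited proxy; RFC 3820 proxies
    append a numeric /CN=<serial>. A grid-mapfile is keyed on the end-entity
    certificate's subject, so these components must be removed first.
    """
    parts = presented_dn.split("/")
    while len(parts) > 1 and parts[-1].startswith("CN="):
        value = parts[-1][3:]
        if value in ("proxy", "limited proxy") or value.isdigit():
            parts.pop()
        else:
            break
    return "/".join(parts)


def authorize(presented_dn, attributes, gridmap, policy):
    """Decide access and pick a local account.

    `attributes` is {attribute name: set of values} taken from a SAML
    attribute assertion that has ALREADY been validated (issuer, signature,
    validity window); this function trusts its input.
    Returns (decision, local_account, reason).
    """
    dn = end_entity_subject(presented_dn)
    if dn in gridmap:
        return "permit", gridmap[dn][0], "grid-mapfile entry"
    for attr_name, required, account in policy:
        if required in attributes.get(attr_name, set()):
            return "permit", account, f"{attr_name}={required}"
    return "deny", None, "no grid-mapfile entry and no matching attribute"


def demo():
    """Three requests: a mapped DN presenting a proxy, an unmapped faculty
    member, and an unmapped student with no useful attributes."""
    gridmap = parse_gridmap(SAMPLE_GRIDMAP)
    faculty = {"urn:mace:dir:attribute-def:eduPersonAffiliation": {"faculty", "member"}}
    student = {"urn:mace:dir:attribute-def:eduPersonAffiliation": {"student"}}
    return [
        authorize("/C=US/O=Example/OU=People/CN=Jane Doe/CN=proxy/CN=1234",
                  {}, gridmap, SAMPLE_POLICY),
        authorize("/C=US/O=Example/OU=People/CN=Sam Smith/CN=proxy",
                  faculty, gridmap, SAMPLE_POLICY),
        authorize("/C=US/O=Example/OU=People/CN=Chris Lee",
                  student, gridmap, SAMPLE_POLICY),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The attribute-based branch trusts whatever is in `attributes`, so it must only ever see attributes from an assertion whose issuer, signature and validity window have been checked. The proxy-stripping step matters because a grid-mapfile keyed on `/CN=Jane Doe` would otherwise never match the `/CN=Jane Doe/CN=proxy` subject that a proxy certificate actually presents.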
GridShib for Shibboleth
GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
Features:
Name Mapper
SAML name identifier implementations: X509SubjectName, emailAddress, etc.
Certificate Registry
GridShib Name Mapper
Users may be known by a number of names
The Name Mapper is a container for name mappings
Multiple name mappings are supported: file-based name mappings (NameMapFile) and DB-based name mappings (NameMapTable)
GridShib Certificate Registry
A Certificate Registry is integrated into GridShib for Shibboleth
An established grid user authenticates and registers an X.509 end-entity cert
The Registry binds the cert to the principal name and persists the binding in a database
On the backend, GridShib maps the DN in a query to a principal name in the DB
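An added example (not GridShib for Shibboleth code) of the Name Mapper and Certificate Registry just described: a file-backed and a database-backed mapping behind one container, resolving a SAML NameIdentifier (X509SubjectName or emailAddress) to an IdP principal. The name-map file syntax (principal, format and name separated by tabs), the table schema and the sample names are constructed. DNs are compared in a canonical form because Globus tools print subjects in OpenSSL slash form (`/C=US/O=Example/CN=x`) while an X509SubjectName identifier is usually an RFC 2253 string (`CN=x,O=Example,C=US`); whether GridShib normalises this way is an assumption, but a plain string comparison would miss valid bindings.

```python
"""Name Mapper (file- and DB-backed) plus Certificate Registry resolving a
SAML NameIdentifier to an IdP principal. Added example, not GridShib code;
the file syntax, table schema and sample names are constructed."""
import sqlite3

X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def _split_unescaped(text, sep):
    """Split on `sep`, honouring backslash escapes and dropping the backslashes."""
    fields, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
            continue
        if ch == sep:
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_dn(dn):
    """Parse slash form or RFC 2253 form into ((TYPE, value), ...), root first."""
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = _split_unescaped(dn[1:], "/")          # already root first
    else:
        rdns = list(reversed(_split_unescaped(dn, ",")))  # RFC 2253 is leaf first
    parsed = []
    for rdn in rdns:
        attr_type, _, value = rdn.partition("=")
        parsed.append((attr_type.strip().upper(), value.strip()))
    return tuple(parsed)


def to_rfc2253(rdns):
    """Serialise parsed RDNs leaf-first, escaping backslash and comma."""
    def esc(value):
        return value.replace("\\", "\\\\").replace(",", "\\,")
    return ",".join(f"{t}={esc(v)}" for t, v in reversed(rdns))


def canonical_name(name, fmt):
    """Canonical lookup key for a NameIdentifier of the given format."""
    if fmt == X509_FMT:
        return to_rfc2253(parse_dn(name))
    if fmt == EMAIL_FMT:
        return name.strip().lower()
    raise ValueError(f"unsupported NameIdentifier format {fmt!r}")


class NameMapFile:
    """File-based mapping (constructed format: principal<TAB>format<TAB>name)."""
    def __init__(self, text):
        self.table = {}
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            principal, fmt, name = line.split("\t")
            self.table[(fmt, canonical_name(name, fmt))] = principal

    def lookup(self, name, fmt):
        return self.table.get((fmt, canonical_name(name, fmt)))


class CertificateRegistry:
    """DB-based mapping filled in when an authenticated user registers the
    end-entity certificate they use on the Grid (in-memory SQLite here)."""
    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE certs (fmt TEXT, name TEXT, principal TEXT, "
                        "PRIMARY KEY (fmt, name))")

    def register(self, principal, subject_dn):
        self.db.execute("INSERT OR REPLACE INTO certs VALUES (?, ?, ?)",
                        (X509_FMT, canonical_name(subject_dn, X509_FMT), principal))

    def lookup(self, name, fmt):
        row = self.db.execute("SELECT principal FROM certs WHERE fmt = ? AND name = ?",
                              (fmt, canonical_name(name, fmt))).fetchone()
        return row[0] if row else None


class NameMapper:
    """Container that tries each mapping in order; None means unknown name."""
    def __init__(self, *mappings):
        self.mappings = mappings

    def to_principal(self, name, fmt):
        for mapping in self.mappings:
            principal = mapping.lookup(name, fmt)
            if principal is not None:
                return principal
        return None


def build_demo_mapper():
    """Constructed sample data: one file mapping, one self-registered cert."""
    name_map = NameMapFile("jdoe\t" + X509_FMT + "\t/C=US/O=Example/OU=People/CN=Jane Doe\n"
                           "jdoe\t" + EMAIL_FMT + "\tJane.Doe@example.org\n")
    registry = CertificateRegistry()
    registry.register("pobrien", "CN=Pat O'Brien,OU=People,O=Example,C=US")
    return NameMapper(name_map, registry)
```

Register the end-entity certificate's subject, never a proxy subject; a query that arrives with a proxy DN should be reduced to the end-entity subject before lookup. Quoted RDN values (`CN="Doe, Jane"`) are not handled by this small parser; a production mapper should use a full RFC 4514 parser.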
GridShib CA
The GridShib Certificate Authority is a web-based CA for new grid users
The GridShib CA is protected by a Shib SP and back-ended by the MyProxy Online CA
The CA issues short-term credentials suitable for authentication to a Grid SP
Credentials are downloaded to the desktop via Java Web Start
Example Deployments
nanoHub
Nanotechnology portal
Exposes user attributes via a Shibboleth AA
Uses GridShib for GT to point the Grid at the nanoHub AA
Allows for Grid authorization of nanoHub users based on nanoHub attributes
nanoHUB flow (figure): nanoHUB portal, AA and Grid service; the user authenticates to the portal; X.509 with SAML is used for authentication to the Grid; the Grid sends a SAML AttributeQuery to the nanoHUB AA
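The exchange in the nanoHUB flow above, and the Grid-side query behind the Certificate Registry slide, as an added example that is not GridShib code: the Grid service builds a SAML 1.1 AttributeQuery keyed on the X.509 subject it just authenticated, and validates the AA's response before using the attributes. The namespace URIs, the NameIdentifier format and the eduPerson attribute name are the real SAML 1.1 / Shibboleth 1.x values; the subject DN, AA issuer, resource URL, timestamps and the response document are constructed.

```python
"""SAML 1.1 attribute query between a Grid service (the SP side) and a
Shibboleth attribute authority (AA). Added example, not GridShib code;
namespaces, NameIdentifier format and attribute name are the real SAML 1.1 /
Shibboleth 1.x values, everything marked constructed is not."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values used by the demo.
SUBJECT_DN = "CN=Jane Doe,OU=People,O=Example,C=US"
AA_ISSUER = "https://aa.nanohub.example.org/shibboleth"
DEMO_NOW = datetime(2006, 9, 14, 12, 2, tzinfo=timezone.utc)


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_attribute_query(subject_dn, resource, attribute_names):
    """SP side: return (request_id, xml_bytes) keyed on the user's cert subject."""
    request_id = "_" + uuid.uuid4().hex
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}Request", MajorVersion="1", MinorVersion="1",
                     RequestID=request_id, IssueInstant=issued)
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", Resource=resource)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", Format=X509_FMT)
    name_id.text = subject_dn
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=SHIB_ATTR_NS)
    return request_id, ET.tostring(req, encoding="utf-8")


def sample_response(request_id, subject_dn):
    """Constructed AA response: Success, one assertion, two affiliation values."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" MajorVersion="1"
    MinorVersion="1" ResponseID="_r1" InResponseTo="{request_id}" IssueInstant="2006-09-14T12:01:00Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion MajorVersion="1" MinorVersion="1" AssertionID="_a1" Issuer="{AA_ISSUER}"
      IssueInstant="2006-09-14T12:01:00Z">
    <saml:Conditions NotBefore="2006-09-14T12:00:00Z" NotOnOrAfter="2006-09-14T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Subject><saml:NameIdentifier Format="{X509_FMT}">{subject_dn}</saml:NameIdentifier></saml:Subject>
      <saml:Attribute AttributeName="{AFFILIATION}" AttributeNamespace="{SHIB_ATTR_NS}">
        <saml:AttributeValue>faculty</saml:AttributeValue>
        <saml:AttributeValue>member</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>""".encode()


def parse_attribute_response(xml_bytes, request_id, expected_subject_dn, expected_issuer, now):
    """Validate the AA response and return {attribute name: [values]}.
    Checks correlation to our request, success status, issuer, the validity
    window, and that the statement is about the subject we asked for. The AA's
    XML signature (or TLS authentication of the AA) must be verified before
    this output is trusted; that step is not shown."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match our RequestID")
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value", "").split(":")[-1] != "Success":
        raise ValueError("AA did not return Success")
    attributes = {}
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        if assertion.get("Issuer") != expected_issuer:
            raise ValueError(f"unexpected Issuer {assertion.get('Issuer')!r}")
        cond = assertion.find(f"{{{SAML}}}Conditions")
        if cond is not None:
            not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
            if (not_before and now < _ts(not_before)) or (not_after and now >= _ts(not_after)):
                raise ValueError("assertion is outside its validity window")
        for stmt in assertion.findall(f"{{{SAML}}}AttributeStatement"):
            name_id = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
            if (name_id is None or name_id.get("Format") != X509_FMT
                    or (name_id.text or "").strip() != expected_subject_dn):
                raise ValueError("AttributeStatement is not about the queried subject")
            for attr in stmt.findall(f"{{{SAML}}}Attribute"):
                values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
                attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return attributes


def demo():
    """Round trip: build the query, feed the constructed response back in."""
    request_id, _ = build_attribute_query(SUBJECT_DN, "https://grid.example.org/wsrf", [AFFILIATION])
    return parse_attribute_response(sample_response(request_id, SUBJECT_DN),
                                    request_id, SUBJECT_DN, AA_ISSUER, DEMO_NOW)
```

The checks in parse_attribute_response are what stop a replayed, expired or re-targeted assertion from being accepted; they do not replace verifying the AA's XML signature or authenticating the AA over TLS. In production, parse XML from the network with a hardened parser (e.g. defusedxml) rather than xml.etree directly.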
TeraGrid Testbed
Work underway with the NSF TeraGrid project to build a testbed on Shibboleth and GridShib technologies
Goals:
Allow for scalable access by leveraging campus authentication
Allow for attribute-based authorization to define communities
Ease of use for users
Testbed (diagram)
GridShib-myVocs Integration
myVocs, developed by Gemmill at UAB, allows for VOs based on Shibboleth identities
GridShib authorizes use of Grid services based on Shibboleth identities
Integration allows for the creation and management of Grid VOs based on Shibboleth
http://www.myvocs.org
Future Plans: Attribute Push
Turning to attribute push
Our observation is that most Grid use cases want a persistent ID from the home institution and attributes from the VO
A Shib/X.509 gateway is the natural point to collect attributes from the home institution, combine them with VO attributes, and push them to the Grid
The gateway could be the GridShib CA or a domain portal, e.g. a TeraGrid Science Gateway
Summary
GridShib has a number of tools for leveraging Shibboleth for the Grid, both for user authentication and attribute-based authorization
Deploys easily on Shibboleth 1.3 and Globus 4.0
Available under the Apache 2 license
For more information and software:
http://gridshib.globus.org
[email protected]
http://dev.globus.org/wiki/Incubator/GridShib