GridShib Project Update Tom Barton 1 , Tim Freeman 1 , Kate Keahey 1 , Raj Kettimuthu 1 , Tom Scavo 2 , Frank Siebenlist 1 , Von Welch 2 1 University of Chicago 2 NCSA/University of Illinois


Page 1: GridShib Project Update

Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Frank Siebenlist (University of Chicago); Tom Scavo, Von Welch (NCSA/University of Illinois)

Page 2: Outline

GridShib Overview
GridShib Components
GridShib Profiles
GridShib Roadmap

Page 3: What is GridShib?

GridShib enables secure attribute sharing among Grid virtual organizations and higher-educational institutions

The goal of GridShib is to allow interoperability between the Globus Toolkit® and Shibboleth®

GridShib adds attribute-based authorization to Globus Toolkit

Page 4: Some Background

Large scientific projects have spawned Virtual Organizations (VOs)

The cyberinfrastructure and software systems to support VOs are called grids

Globus Toolkit is the de facto standard software solution for grids

Grid Security Infrastructure (GSI) provides basic security services for grids

Page 5: Grid Authentication

Globus Toolkit provides authentication services via X.509 credentials

When requesting a service, the user presents an X.509 certificate, usually a proxy certificate

GridShib leverages the existing authentication mechanisms in GT

Page 6: Grid Authorization

Today, Globus Toolkit provides identity-based authorization mechanisms:
  Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  Community Authorization Service (CAS)
  PERMIS and VOMS

GridShib provides attribute-based authorization based on Shibboleth

Page 7: GridShib Project Motivation

VOs are difficult to manage
  Goal: Leverage existing identity management infrastructure

Identity-based access control methods are inflexible and do not scale
  Goal: Use attribute-based access control

Solution: Leverage Shibboleth with Globus Toolkit!

Page 8: GridShib Use Cases

Three use cases under consideration:

1. Established grid user (non-browser)
2. New grid user (non-browser)
3. Portal grid user (browser)

Initial efforts concentrated on the non-browser use cases

Current efforts are focused on the portal grid user

Page 9: Established Grid User

User possesses an X.509 end entity certificate

User may or may not use MyProxy Server to manage X.509 credentials

User authenticates to Grid SP with a proxy certificate

The current GridShib implementation addresses this use case

Page 10: New Grid User

User does not possess an X.509 end entity certificate

User relies on GridShib CA to obtain short-lived X.509 certificates

User authenticates to Grid SP using short-lived X.509 credential

The myVocs-GridShib integration addresses this use case

Page 11: Portal Grid User

User does not possess an X.509 cert

A browser user authenticates to a Grid Portal (which may or may not be Shib-enabled)

The user delegates to the Grid Portal to request a service at the Grid SP

The Grid Portal authenticates to the Grid SP using its “community credential”

Page 12: Outline

GridShib Overview
GridShib Components
GridShib Profiles
GridShib Roadmap

Page 13: Software Components

GridShib for Globus Toolkit
GridShib for Shibboleth
  Includes GridShib Certificate Registry
GridShib Certificate Authority
GridShib Authentication Assertion Client
Shibboleth IdP Tester
Globus SAML Library (not distributed)

Page 14: GridShib for Globus Toolkit

GridShib for Globus Toolkit is a plugin for GT 4.0 (or later)

Features:
  Standalone attribute requester
  SAML attribute consumption
  Attribute-based access control
  Attribute-based local account mapping
  SAML metadata consumption

Page 15: GridShib for Shibboleth

GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)

Features:
  Name Mapper
    Supports name mappings in both files and tables
  SAML name identifier implementations
    X509SubjectName, emailAddress, etc.
  Certificate Registry
    Supports the established grid user

Page 16: GridShib Certificate Registry

A Certificate Registry is integrated into GridShib for Shibboleth 0.5: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry

An established grid user authenticates and registers an X.509 end-entity cert

The Registry binds the cert to the principal name and persists the binding in a database

On the backend, GridShib maps the DN in a query to a principal name in the DB

Page 17: (screenshot slide; no text in the transcript)

Page 18: GridShib Authn Assertion Client

The GridShib Authn Assertion Client is a standalone tool that creates an X.509 proxy certificate with bound SAML authn assertion

The client uses the proxy to authenticate to a Grid SP

The Grid SP queries a Shibboleth AA based on the information in the bound SAML assertion

Page 19: Shibboleth IdP Tester

The Shibboleth IdP Tester is a tool that queries a Shibboleth AA for attributes

The IdP Tester can be used to:
  Test an ordinary Shibboleth AA
  Test a GridShib-enabled AA

The IdP Tester installs as a Shib IdP extension (i.e., it does not disturb an existing Shib deployment)

Page 20: GridShib CA

The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority

The GridShib CA is protected by a Shib SP and backended by either OpenSSL or the MyProxy Online CA

The CA issues short-term credentials suitable for authentication to a Grid SP

Credentials are downloaded to the desktop via Java Web Start

Page 21: (screenshot slide; no text in the transcript)

Page 22: Globus SAML Library

GridShib forked the OpenSAML 1.1 source library in Jan 2006

Globus SAML Library is in synch with OpenSAML 1.1 CVS HEAD

Globus SAML Library is bundled with GridShib for GT

Globus SAML Library adds new features to OpenSAML 1.1

Page 23: Outline

GridShib Overview
GridShib Components
GridShib Profiles
GridShib Roadmap

Page 24: GridShib Attribute Pull Profile

In the “Classic GridShib” profile, a Grid SP “pulls” attributes from a Shib IdP

The Client is assumed to have an account (i.e., local principal name) at the IdP

The Grid SP and the IdP have each been assigned a unique identifier (entityID)

[Figure: Client, Grid SP and IdP, with message steps 1-4]

Page 25: GridShib Attribute Pull Step 1

The Grid Client requests a service at the Grid SP

The Client presents an X.509 certificate to the Grid SP

The Client may provide a pointer to its preferred IdP (this is the so-called IdP Discovery problem)

[Figure: step 1, Client to Grid SP]

Page 26: GridShib Attribute Pull Step 2

The Grid SP authenticates the Client and extracts the DN from the proxy cert

The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier

[Figure: step 2, Grid SP to IdP]

Page 27: GridShib Attribute Pull Step 3

The AA authenticates the requester and maps the DN to a local principal name

The AA returns an attribute assertion to the Grid SP

The assertion is subject to the Attribute Release Policy (ARP) at the IdP

[Figure: step 3, IdP to Grid SP]

Page 28: GridShib Attribute Pull Step 4

The Grid SP parses the attribute assertion and performs the requested service

The attributes are cached as necessary

A response is returned to the Grid Client

[Figure: step 4, Grid SP to Client]
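The four pull steps on pages 24-28, together with the DN-to-principal lookup the Certificate Registry provides (page 16), simulated end to end in one process. This is an added example written for this transcript, not GridShib code: the entityIDs, DNs, attribute values, registry contents and release policy are all constructed, and the `requester` argument passed to the AA stands in for the entityID a real AA would derive from the SP's authenticated TLS certificate and metadata. The NameIdentifier format URI is the standard SAML 1.1 X509SubjectName format.

```python
"""Classic GridShib attribute pull, simulated: proxy DN -> EEC DN ->
SAML 1.1 AttributeQuery (X509SubjectName) -> Certificate Registry lookup
-> ARP-filtered attribute release -> access decision at the Grid SP."""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP1 = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ET.register_namespace("saml", SAML1)
ET.register_namespace("samlp", SAMLP1)

IDP_ENTITY_ID = "https://idp.example.edu/shibboleth"     # constructed
GRID_SP_ENTITY_ID = "https://gridsp.example.org/wsrf"     # constructed

# Certificate Registry: DN of the registered EEC -> local principal name (constructed).
CERT_REGISTRY: Dict[str, str] = {
    "/DC=org/DC=example/OU=People/CN=Jane Doe": "jdoe",
}
# Attribute store behind the AA, keyed by principal (constructed).
ATTRIBUTE_STORE: Dict[str, Dict[str, List[str]]] = {
    "jdoe": {
        "eduPersonPrincipalName": ["jdoe@example.edu"],
        "eduPersonAffiliation": ["member", "faculty"],
        "isMemberOf": ["cn=vo-astro,ou=groups,dc=example,dc=edu"],
    },
}
# Attribute Release Policy: which attributes each requesting SP may receive (constructed).
ARP: Dict[str, set] = {
    GRID_SP_ENTITY_ID: {"eduPersonPrincipalName", "isMemberOf"},
}


def proxy_subject_to_eec_dn(proxy_dn: str) -> str:
    """Strip the CN components a GSI proxy appends to the EEC subject:
    legacy proxies add CN=proxy / CN=limited proxy, RFC 3820 proxies a serial."""
    parts = proxy_dn.split("/")
    while parts and parts[-1].startswith("CN=") and (
            parts[-1] in ("CN=proxy", "CN=limited proxy") or parts[-1][3:].isdigit()):
        parts.pop()
    return "/".join(parts)


def build_attribute_query(dn: str, requester: str) -> str:
    """Step 2: the Grid SP's SAML 1.1 AttributeQuery carrying the DN."""
    query = ET.Element(f"{{{SAMLP1}}}AttributeQuery", Resource=requester)
    subject = ET.SubElement(query, f"{{{SAML1}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML1}}}NameIdentifier",
                        Format=X509_SUBJECT_NAME, NameQualifier=IDP_ENTITY_ID)
    nid.text = dn
    return ET.tostring(query, encoding="unicode")


def attribute_authority(query_xml: str, requester: str) -> Dict[str, List[str]]:
    """Step 3: the AA maps the DN through the registry and applies the ARP."""
    query = ET.fromstring(query_xml)
    nid = query.find(f"{{{SAML1}}}Subject/{{{SAML1}}}NameIdentifier")
    if nid is None or nid.get("Format") != X509_SUBJECT_NAME:
        raise ValueError("expected an X509SubjectName NameIdentifier")
    if nid.get("NameQualifier") != IDP_ENTITY_ID:
        raise ValueError("query is qualified for a different IdP")
    principal = CERT_REGISTRY.get(nid.text or "")
    if principal is None:
        return {}                      # unregistered DN: nothing to assert
    allowed = ARP.get(requester, set())
    return {name: values
            for name, values in ATTRIBUTE_STORE.get(principal, {}).items()
            if name in allowed}


def grid_sp_authorize(proxy_dn: str, required_group: str) -> bool:
    """Steps 1-4 from the Grid SP's side; the SOAP hop is a direct call here."""
    dn = proxy_subject_to_eec_dn(proxy_dn)
    attrs = attribute_authority(build_attribute_query(dn, GRID_SP_ENTITY_ID),
                                GRID_SP_ENTITY_ID)
    return required_group in attrs.get("isMemberOf", [])
```

Two checks the example makes explicit: an SP that is not named in the ARP gets an empty assertion even for a registered user, and the affiliation attribute never leaves the IdP because the policy does not list it, which is the release-policy behaviour step 3 describes.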

Page 29: IdP Discovery

Like the Shibboleth SP-initiated browser flows, the Grid SP needs to know the user’s preferred IdP

SAML assertions bound to X.509 certs give clues as to the user’s preferred IdP

For example, the GridShib Authentication Assertion Client sets the NameQualifier attribute to the unique identifier of the IdP

Unfortunately, the NameQualifier attribute is deprecated in SAML V2.0

Page 30: IdP Discovery (cont’d)

The Issuer attribute is a better indicator of the user’s preferred IdP

However, for self-issued assertions (assertion issuer == certificate issuer) the Issuer is a DN, which doesn’t help IdP discovery

Solution: Set the X.509 Subject Information Access extension to the IdP entityID

Page 31: GridShib Attribute Push Profile

The Client may push attributes at step 1

SAML assertions are bound to X.509 certificates or SOAP messages

The Grid SP may or may not query for attributes in this case

[Figure: Client, Grid SP and IdP, with message steps 1-4]

Page 32: Outline

GridShib Overview
GridShib Components
GridShib Profiles
GridShib Roadmap

Page 33: Online Roadmap

We present current plans and timelines

Roadmap online at the GridShib dev.globus incubator site: http://dev.globus.org/wiki/GridShib_Development_Roadmap

Roadmap will be maintained as work progresses; check the web page for updates

Page 34: Attribute Push

For the past six months, GridShib has concentrated on attribute push

Advantages of attribute push:
  IdP Discovery is less of an issue

Disadvantages of attribute push:
  What to push? (we call this “SP Discovery”)

Page 35: GridShib X.509 Certificate

The anatomy of an X.509 certificate suitable for GridShib attribute push:
  short lifetime
  IdP entityID in the Subject Information Access extension
  SAML Subject in the Subject Alt Name extension
  SAML assertion(s) bound to an X.509 v3 certificate extension
  SSO assertion(s) nested in the Advice element of a bound SAML assertion

Page 36: X.509 Binding for SAML

We bind an ASN.1 SEQUENCE of SAML elements at a well-known, non-critical X.509 v3 certificate extension

GridShib and Globus CAS already have limited ability to bind <Assertion> elements to X.509 proxy certificates

Future versions of the GridShib CA will bind SAML to end-entity certificates

Page 37: Poster: An X.509 Binding for SAML

GridShib, an NSF-funded project between NCSA and the University of Chicago, integrates federated identity management infrastructure (Shibboleth) with Grid technology (Globus Toolkit) to provide attribute-based authorization for distributed scientific communities (http://gridshib.globus.org/). We propose to bind SAML assertions to X.509 certificates to facilitate GridShib Attribute Push, which overcomes some limitations of Classic GridShib (Attribute Pull). Two use cases for GridShib Attribute Push are depicted below.

Two use cases for GridShib Attribute Push involve the GridShib CA and the TeraGrid Science Gateway. The GridShib CA binds SAML to an X.509 end-entity certificate after step 5. The Science Gateway binds SAML to an X.509 proxy certificate after step 9. The client presents the X.509 certificate to the GridShib Service Provider (SP). The GridShib SP extracts the SAML, parses the attributes, and makes an informed access control decision.

Classic GridShib (Grid Client, GridShib Identity Provider, GridShib Service Provider):
  1. WS-RF Service Request (SOAP)
  2. SAML Attribute Query (SOAP)
  3. SAML Attribute Response
  4. WS-RF Service Response

X.509 Certificate with bound SAML (Grid Client, Grid Service Provider):
  1. WS-RF Service Request (SOAP)
  2. WS-RF Service Response

Use Case: GridShib CA (Browser, Shibboleth Identity Provider, GridShib CA, Grid Client, GridShib Service Provider):
  1. Shib Authn Request (Redirect)
  2. SAML Authn Response
  3. SAML Authn Response (POST)
  4. SAML Attribute Query (SOAP)
  5. SAML Attribute Response
  6. HTTP 200 OK (Java Web Start)
  7. WS-RF Service Request (SOAP)
  8. WS-RF Service Response

Use Case: Science Gateway (Browser, Shibboleth Identity Provider, Web Portal, GridShib Client, X.509 Issuer, SAML Issuer, GridShib Service Provider; the figure has 13 steps, of which only the first six are labeled in the transcript):
  1. Shib Authn Request (Redirect)
  2. SAML Authn Response
  3. SAML Authn Response (POST)
  4. SAML Attribute Query (SOAP)
  5. SAML Attribute Response
  6. HTTP 200 OK

(A legend box shows a Browser, Shibboleth Identity Provider and Shibboleth Service Provider with steps 1-6, i.e., the standard Shibboleth browser exchange that the use-case figures abbreviate.)

Assertion issued by a Shib-enabled GridShib CA:

  <!-- shib-enabled gridshib ca -->
  <saml:Assertion ...>
    <saml:Conditions ...>...</saml:Conditions>
    <saml:Advice>
      <!-- attribute assertion obtained from Shib IdP -->
      <saml:Assertion ...>...</saml:Assertion>
      <!-- authn assertion obtained from Shib IdP -->
      <saml:Assertion ...>...</saml:Assertion>
    </saml:Advice>
    <!-- gridshib ca-asserted attributes -->
    <saml:AttributeStatement>
      <!-- the subject of this EEC -->
      <saml:Subject>...</saml:Subject>
      ...
    </saml:AttributeStatement>
  </saml:Assertion>

X.509 v3 Certificate Extension, OID 1.3.6.1.4.1.3536.1.1.1.10, containing:

  <saml:Assertion …> … </saml:Assertion>
  …
  <saml:Assertion …> … </saml:Assertion>

Page 38: X.509 Binding for SAML (cont’d)

Initially, we bind a <saml1:Assertion> element to the X.509 certificate

Eventually we would like to support:
  <saml1:Assertion>
  <saml1:AssertionIDReference>
  <saml2:Assertion>
  <saml2:EncryptedAssertion>
  <saml2:AssertionIDRef>
  <saml2:AssertionURIRef>
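The two certificate extensions that pages 30, 35, 36 and 38 describe, encoded and decoded at the DER level: the non-critical extension at OID 1.3.6.1.4.1.3536.1.1.1.10 whose value is an ASN.1 SEQUENCE of SAML elements, and Subject Information Access carrying the IdP entityID. This is an added example for this transcript, not GridShib code or the binding specification's own encoding. Two points are assumptions: the deck says only "SEQUENCE of SAML elements", so each element is carried here as a UTF8String, and the deck names no accessMethod OID for the IdP entityID, so the arc used for it below is a placeholder. The extension OID and the id-pe-subjectInfoAccess OID are real; everything else is pure Python with no third-party library.

```python
"""DER encode/decode of the GridShib SAML extension and of Subject
Information Access.  Minimal encoder and reader, standard library only."""
from typing import List, Tuple

SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.10"   # stated on the poster (page 37)
SIA_OID = "1.3.6.1.5.5.7.1.11"                # id-pe-subjectInfoAccess, RFC 5280
# ASSUMPTION: placeholder accessMethod OID; the deck does not say which one names the IdP.
IDP_ACCESS_METHOD_OID = "1.3.6.1.4.1.3536.1.1.1.999"


def der_len(n: int) -> bytes:
    """Short form below 128; long form is 0x80 | number of length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def oid_body(dotted: str) -> bytes:
    """Base-128 arc encoding; the first two arcs share one byte (40*a + b)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def der_oid(dotted: str) -> bytes:
    return tlv(0x06, oid_body(dotted))


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def der_extension(oid: str, extn_value: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER forbids encoding a DEFAULT value, so the
    non-critical GridShib extension carries no BOOLEAN at all."""
    parts = der_oid(oid)
    if critical:
        parts += tlv(0x01, b"\xff")
    return tlv(0x30, parts + tlv(0x04, extn_value))


def saml_binding_extension(saml_elements: List[str]) -> bytes:
    # ASSUMPTION: each SAML element is one UTF8String (tag 0x0C) inside the SEQUENCE.
    seq = b"".join(tlv(0x0C, e.encode("utf-8")) for e in saml_elements)
    return der_extension(SAML_EXT_OID, tlv(0x30, seq), critical=False)


def sia_extension(idp_entity_id: str) -> bytes:
    """SubjectInfoAccessSyntax ::= SEQUENCE OF AccessDescription;
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }.
    GeneralName uniformResourceIdentifier is [6] IMPLICIT IA5String, tag 0x86."""
    desc = tlv(0x30, der_oid(IDP_ACCESS_METHOD_OID)
               + tlv(0x86, idp_entity_id.encode("ascii")))
    return der_extension(SIA_OID, tlv(0x30, desc))


def read_tlv(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_extension(ext: bytes) -> Tuple[str, bool, bytes]:
    """Return (dotted OID, critical flag, extnValue) of one DER Extension."""
    tag, body, _ = read_tlv(ext)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = read_tlv(body)
    critical = False
    tag, val, pos = read_tlv(body, pos)
    if tag == 0x01:                     # BOOLEAN present only when TRUE
        critical = val == b"\xff"
        tag, val, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid), critical, val


def extract_saml(ext: bytes) -> List[str]:
    """Relying-party side: accept only the non-critical GridShib extension."""
    oid, critical, value = parse_extension(ext)
    if oid != SAML_EXT_OID or critical:
        raise ValueError("not the non-critical GridShib SAML extension")
    _, seq, _ = read_tlv(value)
    out, pos = [], 0
    while pos < len(seq):
        tag, item, pos = read_tlv(seq, pos)
        if tag != 0x0C:
            raise ValueError("unexpected element type in SAML SEQUENCE")
        out.append(item.decode("utf-8"))
    return out
```

The "non-critical" requirement on page 36 is what lets a Grid SP that has never heard of the extension still validate the certificate: a relying party must reject a certificate carrying an unrecognised critical extension, and the encoder above reflects that by emitting no `critical` BOOLEAN at all, as DER requires for a DEFAULT FALSE value.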

Page 39: X.509 Binding: Use Cases

Presenter is the Subject
  Principal Self-assertion
  Principal Self-query
  Shib-enabled GridShib CA
  MyProxy Online CA
  Community Authorization Service

Presenter Acting on Behalf of the Subject
  nanoHUB (pull)
  National Virtual Observatory (NVO) (push)
  Shib-enabled Science Gateway

Page 40: Use Case: nanoHUB

[Figure: two six-step flows among the nanoHUB user, nanoHUB portal, nanoHUB IdP, nanoHUB LDAP and Grid SP; the step labels are not in the transcript]

Page 41: Use Case: NVO

[Figure: Browser, Portal, MyProxy, CA, GSI Client, Grid SP, Authn Authority, Attribute Authority and Attribute Store; SAML assertions serve as inputs, and the CA issues an X.509 EEC]

Page 42: Use Case: Science Gateway

[Figure: Browser, Shib-enabled Portal, SAML X.509 Binding Tool, GSI Client, Grid SP, Authn Authority, Attribute Authority and Attribute Store; SAML assertions and an SSO assertion serve as inputs to the binding tool, which produces an X.509 proxy]

Page 43: Work in the Pipeline

New versions of GridShib for GT, GridShib for Shib, and GridShib CA

GridShib Authn Assertion Client => GridShib SAML Issuer Tool

Shibboleth IdP Tester => GridShib Attribute Query Client

GridShib SAML Tools

Enhancements to Globus SAML Library

Page 44: GridShib for GT Versions

GridShib for GT 0.5 Announced Nov 30, 2006

GridShib for GT 0.5.1 Expected ?

GridShib for GT 0.6 Expected ?

Page 45: GridShib for GT 0.5

GridShib for GT 0.5 announced Nov 30

Compatible with both GT 4.0 and GT 4.1
  GT 4.1 introduces a powerful authz framework
  Separate binaries for each GT version
  Source build auto-senses the target GT platform

New identity-based authorization feature
  Uses grid-mapfile instead of DN ACLs

Logging enhancements

Bug fixes

Page 46: GridShib for GT 0.5.1

GridShib for GT 0.5.1 (expected ?)

Combined VOMS/SAML attribute-to-account mapping

As with the current gridmap situation, GT 4.0.x deployments cannot take advantage of permit overrides or arbitrarily configured fallbacks

To accommodate this we will allow a name-mapping scheme that checks, in this order, and continues to fall back if no match is found or no authz is granted: gridmap, VOMS, Shibboleth/SAML
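The ordered fallback described for 0.5.1 (gridmap first, then VOMS, then Shibboleth/SAML attributes), worked through as an added example for this transcript; it is not GridShib for GT code. The grid-mapfile lines follow the standard GSI format that page 6 refers to (a quoted DN followed by one or more comma-separated accounts, of which the first is the default). The VOMS FQAN table, the SAML attribute table and every DN and account name are constructed for the example.

```python
"""First-match account mapping chain: grid-mapfile -> VOMS FQAN -> SAML attribute."""
import shlex
from typing import Dict, List, Optional, Tuple

# Constructed grid-mapfile in the usual GSI format.
GRIDMAP_TEXT = '''\
# constructed grid-mapfile
"/DC=org/DC=example/OU=People/CN=Jane Doe" jdoe
"/DC=org/DC=example/OU=People/CN=Bob Roe" brob,bshared
'''

# VOMS FQAN -> account (constructed).
VOMS_MAP: Dict[str, str] = {
    "/astro/Role=NULL/Capability=NULL": "astro_user",
    "/astro/Role=admin/Capability=NULL": "astro_admin",
}
# SAML (attribute name, value) -> account (constructed).
SAML_MAP: Dict[Tuple[str, str], str] = {
    ("isMemberOf", "cn=vo-astro,ou=groups,dc=example,dc=edu"): "astro_user",
}


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Parse lines of the form  "<DN>" account[,account...]  into DN -> accounts."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)          # handles the quoted DN with spaces
        if len(fields) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        dn, accounts = fields
        table[dn] = accounts.split(",")
    return table


def map_gridmap(ctx: dict) -> Optional[str]:
    accounts = parse_gridmap(GRIDMAP_TEXT).get(ctx["dn"])
    return accounts[0] if accounts else None   # first listed account is the default


def map_voms(ctx: dict) -> Optional[str]:
    for fqan in ctx.get("fqans", []):           # FQANs are ordered; first match wins
        if fqan in VOMS_MAP:
            return VOMS_MAP[fqan]
    return None


def map_saml(ctx: dict) -> Optional[str]:
    for name, values in ctx.get("attributes", {}).items():
        for value in values:
            if (name, value) in SAML_MAP:
                return SAML_MAP[(name, value)]
    return None


# The order is the policy: a gridmap entry wins even if VOMS or SAML would also match.
MAPPERS = [("gridmap", map_gridmap), ("voms", map_voms), ("saml", map_saml)]


def map_account(ctx: dict) -> Optional[Tuple[str, str]]:
    """Return (mapper name, account) from the first mapper that matches, else None.
    `ctx` holds the authenticated DN plus whatever VOMS FQANs or SAML attributes
    arrived with the request."""
    for name, mapper in MAPPERS:
        account = mapper(ctx)
        if account:
            return name, account
    return None
```

Because the chain stops at the first mapper that answers, a stale gridmap entry silently overrides a fresher VOMS or SAML mapping for the same DN, which is exactly the limitation the slide attributes to GT 4.0.x deployments that cannot express permit overrides; a GT 4.1-style authorization framework would combine the mappers' decisions rather than take the first one.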

Page 47: GridShib for GT 0.6

GridShib for GT 0.6 (expected ?)

Full-featured attribute push PIP

TBA

More powerful attribute-based authz policies
  Allow unique issuer in authz policy rules

Page 48: GridShib for Shib Versions

GridShib for Shib 0.5.1 Announced Aug 8, 2006

GridShib for Shib 0.6 Expected Jan 2007
  Will include SAML Issuer Tool (derived from Shib resolvertest tool)

Page 49: GridShib for Shib 0.6

GridShib for Shib 0.6 (expected Jan 2007)

Core (already included in 0.5)
  Requires Shib IdP
  Includes basic plugins and handlers

Certificate Registry (already included in 0.5)
  Requires GridShib for Shib Core
  Includes Derby embedded database

SAML Tools (new in 0.6)
  Requires GridShib for Shib Core
  Includes SAML Issuer Tool and SAML X.509 Binding Tool

Page 50: GridShib CA Versions

GridShib CA 0.3 Announced Nov 27, 2006

GridShib CA 0.4 Expected March, 2007

Page 51: GridShib CA 0.3

GridShib CA 0.3 announced Nov 27, 2006

Substantial improvement over version 0.2
  More robust protocol
  Installation of trusted CAs at the client

Pluggable back-end CAs
  Uses an OpenSSL-based CA by default
  A module to use a MyProxy CA is included

Certificate registry functionality
  A module that auto-registers DNs with myVocs

Page 52: GridShib SAML Tools

GridShib SAML Issuer Tool
  Derived from the Authentication Assertion Client

Shibboleth SAML Issuer Tool
  Derived from the Shib resolvertest tool

GridShib Attribute Query Client
  Derived from the Shib IdP Tester

GridShib X.509 Binding Tool
  Derived from the GT CAS/SAML utilities

Page 53: GridShib SAML Tools (cont’d)

[Figure: the Shibboleth SAML Issuer Tool (driven by the Shibboleth IdP config) and the GridShib SAML Issuer Tool (driven by its own config files) each produce SAML that the SAML X.509 Binding Tool takes as input and binds into an X.509 certificate]

Page 54: GridShib SAML Tools (cont’d)

[Figure: as on page 53, with the GridShib Attribute Query Client shown as a further source of SAML input to the SAML X.509 Binding Tool]

Page 55: SAML Tool Distributions

The Shib SAML Issuer Tool and the SAML X.509 Binding Tool will be distributed with GridShib for Shib 0.6

The GridShib SAML Issuer Tool, GridShib Attribute Query Client, and SAML X.509 Binding Tool will be distributed as a single, standalone package

Note: The latter does not require GridShib for Shib or GridShib for GT

Page 56: Globus SAML Library

Features and enhancements:
  Support for SAML V2.0 metadata
  SAML object equivalence implementation
  Enhanced SAMLNameIdentifier class
  SAML NameIdentifier format handlers
  New SAMLSubjectAssertion class
  New SubjectStatement class
  Additional unit tests and examples

Requires JDK 1.4 or above

Page 57: New Software Components

GridShib for Globus Toolkit 0.6

GridShib for Shibboleth 0.6
  Optional Certificate Registry
  Optional SAML Issuer Tool

GridShib Certificate Authority 0.4

GridShib SAML Tools
  SAML Issuer Tool
  Attribute Query Client
  SAML X.509 Binding Tool

Globus SAML Library (enhanced)

Page 58: Profiles and Bindings Specs

SAML V1.1 Profiles for X.509 Subjects: http://www.oasis-open.org/committees/download.php/19996/sstc-saml1-profiles-x509-draft-01.pdf
  Subject-based Assertion Profile for SAML V1.1
  X.509 Binding for SAML Assertions
  Attribute Query Profile for SAML V1.1

SAML V1.1 Deployment Profiles for X.509 Subjects

SAML V2.0 Deployment Profiles for X.509 Subjects

Page 59: Acknowledgments

GridShib is a project funded by the NSF Middleware Initiative, NMI awards 0438424 and 0438385

Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Also many thanks to the Internet2 Shibboleth Project

Page 60: Summary

GridShib has a number of tools for leveraging Shibboleth for the Grid
  Both for user authentication and attribute-based authorization

Deploys easily on Shibboleth 1.3 and Globus 4.0

Available under the Apache 2 license

For more information and software:
  http://gridshib.globus.org
  [email protected]
  http://dev.globus.org/wiki/Incubator/GridShib

Page 61: Questions?