ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC


Motivation

• We want to encourage more users on the NGS
– Need to cover all areas of research
– From the single researcher to large projects
– Security infrastructure must enable this

• PKI often a barrier
• Generalised not specific
• Straightforward to use

• Community is adopting Shibboleth

Requirements

• User/Project
– Don’t want to know about certificates (or any other security mechanism!).
– Transparent access to eScience facilities, consistent with other SSO-enabled components.
– Access to components at home or away (even Internet Café).
– Fit in with local authentication schemes.
– Want to use own project portal.

• NGS
– Must be compatible with GT2 and registration system.

• VOMS in the future.

Use cases

• Access to the Grid solely with Shibboleth
• Use standard Grid certificates when something extra is required – still many advantages
• Access to the Grid through a Portal
– NGS portal/project portals
• Access to the Grid through other access methods
– Globus, Java GSI-SSH Terminal, CoG, etc.
• Registration (for NGS) using Shibboleth

Shibboleth Overview

• Web-based federated access management system based on SAML

• Based on separation of authentication and authorisation
– Authentication: Identity Provider (IdP) at user’s home institution
– Authorisation: Service Provider (SP) based on attributes from the IdP
– Discovery: Where Are You From (WAYF) service

• User can remain anonymous at the SP

Architectural Design

• Don’t change the user
– Prevent extra logical steps: portal first
– Easy to deploy in project portals
– Support other access methods

• Don’t change other services
– Work within Shibboleth and GSI frameworks

ShibGrid access to the NGS (via Portal)

(Thanks to Kang Tang)

Shibboleth Authentication and Authorisation

ShibGrid MyProxy Checks

• IdP (trusted) authentication/authorisation
– Standard Shibboleth

• Portal (not trusted):
– Standard MyProxy checks
– + check the attribute assertion was created for the portal

• Users:
– Authentication: at IdP
– Authorisation:
• Is user registered?
• username attribute = username used?
– Attributes used to construct low-assurance certificate DNs
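The MyProxy-side checks on this slide, written out as an added illustration (not code from the ShibGrid project): the IdP is trusted, the portal is not, so the forwarded attribute assertion must have been issued for the portal, the user must be registered, the username the portal requests must equal the asserted one, and the asserted attributes then feed a low-assurance DN. The entity IDs, the registration table, the use of eduPersonPrincipalName as the username attribute and the DN layout are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample configuration: entity IDs and the registration table are
# placeholders, not values from the ShibGrid deployment.
TRUSTED_IDPS = {"https://idp.example.ac.uk/shibboleth"}
PORTAL_ENTITY_ID = "https://portal.example.ac.uk/shibboleth"
REGISTERED_USERS = {"jbloggs@example.ac.uk"}  # users who completed NGS registration


@dataclass
class Assertion:
    """The parts of a SAML attribute assertion that the checks below use."""
    issuer: str                      # entityID of the IdP that signed it
    audience: str                    # SP entityID the assertion was created for
    attributes: dict = field(default_factory=dict)


def check_assertion(assertion, requested_username):
    """Return (accepted, reason). The IdP is trusted but the portal is not,
    so the assertion must name the portal as its audience, the asserted
    username must match the one the portal asks a proxy for, and the user
    must already be registered with the NGS."""
    if assertion.issuer not in TRUSTED_IDPS:
        return False, "assertion not from a supported IdP"
    if assertion.audience != PORTAL_ENTITY_ID:
        return False, "assertion was not created for this portal"
    # Username attribute: eduPersonPrincipalName is an assumption here.
    asserted = assertion.attributes.get("eduPersonPrincipalName")
    if asserted is None:
        return False, "no username attribute in assertion"
    if asserted != requested_username:
        return False, "requested username differs from asserted username"
    if asserted not in REGISTERED_USERS:
        return False, "user has not registered with the NGS"
    return True, "ok"


def low_assurance_dn(assertion):
    """Build a low-assurance certificate subject from asserted attributes.
    The DN layout is an assumption chosen for illustration."""
    attrs = assertion.attributes
    user, _, scope = attrs["eduPersonPrincipalName"].partition("@")
    return f"/C=UK/O=ShibGrid-LowAssurance/OU={scope}/CN={attrs.get('cn', user)}"
```

Only call low_assurance_dn for an assertion that check_assertion has accepted, since a rejected assertion should never yield a proxy.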

More than just portal access…

• Registration service
– Data Protection Act/Acceptable Use Policy?
– Supported IdP?
– Correct configuration?
– Link to NGS user registration

• Grid proxy download tool
– For non-portal Grid access methods

• Grid proxy upload tool

Logon via Shibboleth…

…Choose your home institution…

…background log-in in using Kerberos…

…welcome to the Portal…

…and we have a low-assurance Grid proxy

Certificate Download Tool

Download a stored digital certificate from the MyProxy certificate store for use in other environments

Certificate Upload Tool

Upload a standard UK e-Science certificate into the ShibGrid enabled MyProxy Server - enables download using Shib tools for those users who already have a digital certificate

Conclusion

• Succeeded in providing Shibboleth access to the Grid.
• Enabling NGS to grant access to users who do not have, and do not want, an e-Science certificate
– lowering the barrier for beginners
– widening the user base.

• Use of standard components and protocols ensures the product is easily deployable, maintainable, and interoperable.
– Prototype was deployed in the NGS portal (both uPortal and StringBeans-based versions)
– Software available through the OMII catalogue

• Led to some extra functionality being requested of the UK Shib federation

Thanks to the team!

Jens Jensen

David Meredith

David Spence

Kang Tang

Matt Viljoen

Questions