![Page 1: Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)](https://reader036.vdocuments.net/reader036/viewer/2022062409/5697bfed1a28abf838cb8fdc/html5/thumbnails/1.jpg)
Shibboleth & Grid Integration
STFC and University of Oxford
(and University of Manchester)
Overview
• Motivation
• Why Shibboleth?
• Previous work: ShibGrid
• Other projects
• Just starting: SARoNGS
• Conclusions
Motivation
• We want to encourage more users to use the Grid
– All areas of research
– Single researcher to large projects
– Security infrastructure must enable this
• Certificates are often a barrier
• Generalised not specific
• Straightforward to use
Why Shibboleth?
• JISC is encouraging all institutions to transition from Athens to “Federated Access Management”
• This technology is currently based on Shibboleth
• It will become familiar to all academic users
• The Grid should also use this common technology for authentication
Shibboleth Overview
• Web-based federated access management system based on SAML
• Based on separation of authentication and authorisation
– Authentication: Identity Provider (IdP) at user’s home institution
– Authorisation: Service Provider (SP) based on information about the user from the IdP
– Discovery: Where Are You From (WAYF) service
• User can remain anonymous at the SP
Shibboleth Authentication and Authorisation
(Thanks to Kang Tang)
(Diagram of the Shibboleth authentication and authorisation flow; surviving label: Web server)
ShibGrid Use cases
• Access to the Grid solely with Shibboleth
• Use standard Grid certificates when something extra is required – still many advantages
• Access to the Grid through a Portal
– NGS portal/project portals
• Access to the Grid through other access methods
– Globus, Java GSI-SSH Terminal, CoG, etc.
• Registration (for NGS) using Shibboleth
ShibGrid access to the NGS (via Portal)
(Thanks to Kang Tang)
(Diagram: Shibboleth authentication and authorisation for portal access to the NGS)
Other Components
• Grid proxy download tool
– For non-portal Grid access methods
• Grid proxy upload tool
• Registration service
– Data Protection Act/Acceptable Use Policy
– Check the user’s institution is supported
– Check the user has correct configuration
– Link to NGS user registration
Logon via Shibboleth…
…Choose your home institution…
…background log-in using Kerberos…
…welcome to the Portal…
…and we have an automatically-generated Grid proxy
Other Projects
• “There’s more than one way to skin a cat”
• This list is not exhaustive...
– UK – SHEBANGS, ShibGrid, GridSite, DyVOSE/VOTES/BRIDGES/GLASS and GridShibPERMIS
– US – GridShib
– Switzerland – SWITCH (gLite)
– Australia – MAMS
SARoNGS in context (diagram; labels recovered from the figure)
• ShibGrid: Production quality, no VO support. Computation focus.
• ShibGrid: Possible production service.
• SHEBANGS: Shib+Grid: research with VO support. Computation focus.
• NGS: No VO-based access control.
• NGS: Full VO/VOMS support.
• VPMan: VO-based resource access control.
• GEMS: Grid enabling MIMAS data set.
• Other Shib+Grid Projects: We want to support all use cases.
• SARoNGS: Full production service for NGS and MIMAS, etc.
• SARoNGS: Universal solution: VO, compute and data support.
Just starting: SARoNGS
• Will provide a standard production bridge for all UK Academics from the UK Federation into the Grid world.
• Integrated access to compute and data resources
• Will provide a much simpler model for integrating resources.
• Will combine expertise from ShibGrid, SHEBANGS and MIMAS.
The SARoNGS CTS (NGS default) (Credential Translation Service)
(Architecture diagram; labels recovered from the figure)
• Components: Shibboleth Service Provider; Shib-enabled MyProxy CA; VOMS Server; NGS MyProxy Server; Human Interface and Machine Interface
• Flows: Portal – logon; Redirect user’s browser; Request certificate; Request authorisation certificate (by DN); Add VOMS AC, store proxy; Requests from tools; MyProxy username/password; Retrieve credential; Registration forms (via email to VO manager)
The SARoNGS CTS (VO-based)
(Architecture diagram; labels recovered from the figure)
• Components: Shibboleth Service Provider; Shib-enabled MyProxy CA; NGS MyProxy Server; PERMIS Access Control with PERMIS Policy; Human Interface and Machine Interface
• Flows: Portal – logon; Redirect user’s browser; Request certificate; Generate VOMS AC, store proxy; Requests from tools; MyProxy username/password; Retrieve credential; Registration forms (optional)
Conclusions
• There has been much research but this must now be brought together to form a core production service
• We are working towards fully integrating the Grid with the national access management federation:
– Compute (initially NGS)
– Data (initially MIMAS)
Questions
More than just portal access…
• Registration service
– Data Protection Act/Acceptable Use Policy
– Check the user’s institution is supported
– Check the user has correct configuration
– Link to NGS user registration
• Grid proxy download tool
– For non-portal Grid access methods
• Grid proxy upload tool
Architectural Design
• Don’t change the user
– Prevent extra logical steps: portal first
– Easy to deploy in project portals
– Support other access methods
• Don’t change other services
– Work within Shibboleth and GSI frameworks
Requirements highlights
• User/Project
– Transparent access to eScience facilities, consistent with other SSO-enabled components.
– Access to components at home or away (even Internet Café).
– Fit in with local authentication schemes.
– Don’t want to know about certificates.
– Want to use own project portal.
• NGS
– Must be compatible with GT2 and registration system.
• VOMS in the future.
ShibGrid MyProxy Checks
• IdP (trusted) authentication/authorisation
– Standard Shibboleth
• Portal (not trusted):
– Standard MyProxy checks
– + check the attribute assertion was created for the portal
• Users:
– Authentication: at IdP
– Authorisation:
• Is user registered?
• username attribute = username used?
– Attributes used to construct low-assurance certificate DNs
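The ShibGrid MyProxy checks above, worked through as an added example (not ShibGrid or SARoNGS code): a Shib-enabled MyProxy CA verifies that the forwarded SAML assertion was issued for this portal and is still valid, that the user is registered, that the asserted username matches the MyProxy username requested, and only then builds a low-assurance DN from IdP-asserted attributes. The attribute names, the registration table, the DN layout and the sample assertion are constructed assumptions; signature verification is assumed to have been done by the Shibboleth SP in front of this code.

```python
# Added example, not ShibGrid/SARoNGS code. Attribute names, registration table,
# DN layout and the assertion below are constructed; the SP is assumed to have
# already verified the assertion signature before this code runs.
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PORTAL_ENTITY_ID = "https://portal.example.ac.uk/shibboleth-sp"   # this portal's SP
REGISTERED = {"https://idp.example.ac.uk/shibboleth": {"alice"}}  # IdP -> NGS users

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://idp.example.ac.uk/shibboleth</saml:Issuer>
 <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
  <saml:AudienceRestriction>
   <saml:Audience>https://portal.example.ac.uk/shibboleth-sp</saml:Audience>
  </saml:AudienceRestriction>
 </saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="username"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="organisation"><saml:AttributeValue>Example University</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def authorise_proxy(assertion_xml, portal_entity_id, requested_username, now_iso):
    """Return (True, DN) if a proxy may be issued, else (False, reason)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    cond = root.find("saml:Conditions", NS)
    # The portal is not trusted: the IdP must have made this assertion for *this*
    # portal, otherwise an assertion captured elsewhere could be replayed to the CA.
    audiences = {a.text for a in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)}
    if portal_entity_id not in audiences:
        return False, "assertion not issued for this portal"
    if not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    # Authorisation: registered user, and asserted username == MyProxy username asked for
    if attrs.get("username") not in REGISTERED.get(issuer, set()):
        return False, "user not registered for this IdP"
    if attrs["username"] != requested_username:
        return False, "username attribute does not match requested username"
    # DN built only from IdP-asserted attributes, never from portal-supplied values
    return True, f"/C=UK/O=Example Grid/OU={attrs['organisation']}/CN={attrs['username']}"
```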