GridShib: Grid/Shibboleth Integration Update
GGF 18 Shibboleth Developers BoF
September 10-11, 2006, Washington, DC
Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch
Sep 11-12, 2006, GGF 18
Goals
• Allow users to use existing campus IdM systems to authenticate to the Grid
  – Assume Shibboleth everywhere
• Allow Grid access to campus attributes
• Hide as much of X.509 from users as possible
Previous Work (from GGF 16)
• Integration of the Shibboleth AA with GT
  – GT can query the Shib AA, get attributes, and use them to make authz decisions
  – Drop-in addition to GT 4.0 and Shibboleth 1.3
• Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
• GridShib-CA
• Beta release publicly available
  – Expect to officially release in GT 4.1/4.2
Shib Authorization in GT
• Currently have simple authorization mechanisms:
• List of attributes required to use a service or container
• Mapping of attributes to a local identity for GRAM job submission
Recent Work: Authn Assertions in Certificates
• IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
  – Provides a pointer to the IdP and the NameID to use
• Big picture: it lets the credential issuer control the name binding
  – Allows the certificate issuer to tell the Grid service what IdP (AA) to contact and what name (with Format and qualifier) to use
  – Allows use of a standard AA, since it no longer has to be involved in X.509
• Also allows trusted EECs to put identity into the first-level proxy certificate
  – Intended for Grid portals and science gateways
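A worked version of the embedded-pointer flow, added here and not part of the slides or of GridShib's own code: it reads a constructed SAML 1.1 authentication assertion to get the IdP and the NameIdentifier (value, Format, NameQualifier), checks against a hypothetical trust table that the certificate issuer is allowed to set that name binding at all, and builds the SAML 1.1 AttributeQuery the Grid service would send to the AA. The assertion text, the issuer DN, the IdP and service URLs and the trust table are all assumptions; how the assertion is carried inside the certificate, how the IdP entity ID resolves to an AA endpoint, and request signing are not modelled.

```python
# Added example (not GridShib code). Parses the IdP pointer embedded as a SAML 1.1
# authentication assertion, applies a hypothetical issuer trust policy, and builds
# the SAML 1.1 AttributeQuery for the AA. All names and URLs are constructed.
import datetime
import uuid
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 reuses the 1.0 namespace URIs
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Constructed sample: a Shibboleth 1.3-style handle asserted by the home IdP.
SAMPLE_AUTHN_ASSERTION = f"""<Assertion xmlns="{SAML}" MajorVersion="1" MinorVersion="1"
    AssertionID="_3f2a" Issuer="https://idp.example.edu/shibboleth"
    IssueInstant="2006-09-11T10:00:00Z">
  <AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-09-11T10:00:00Z">
    <Subject>
      <NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.edu/shibboleth">_a1b2c3</NameIdentifier>
    </Subject>
  </AuthenticationStatement>
</Assertion>"""

# Hypothetical relying-party policy: which certificate issuers may bind a subject to
# which IdPs. Without this check any issuer could redirect the attribute lookup.
TRUSTED_POINTER_ISSUERS = {
    "/C=US/O=Example Portal/CN=Portal CA": {"https://idp.example.edu/shibboleth"},
}


def parse_authn_pointer(assertion_xml):
    """Return the IdP entity ID and the NameIdentifier (value, Format, NameQualifier)
    from a SAML 1.1 assertion carrying exactly one AuthenticationStatement."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    if (root.get("MajorVersion"), root.get("MinorVersion")) != ("1", "1"):
        raise ValueError("only SAML 1.1 is handled")
    stmts = root.findall(f"{{{SAML}}}AuthenticationStatement")
    if len(stmts) != 1:
        raise ValueError("expected exactly one AuthenticationStatement")
    nid = stmts[0].find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("AuthenticationStatement carries no NameIdentifier")
    return {
        "idp": root.get("Issuer"),
        "name": nid.text.strip(),
        "format": nid.get("Format"),
        "qualifier": nid.get("NameQualifier"),
    }


def accept_pointer(cert_issuer_dn, pointer, policy=TRUSTED_POINTER_ISSUERS):
    """True only if the certificate issuer is trusted to point subjects at this IdP."""
    return pointer["idp"] in policy.get(cert_issuer_dn, set())


def build_attribute_query(pointer, resource):
    """Build a SAML 1.1 Request/AttributeQuery for the named subject; `resource` is
    the Grid service's own identifier. Signing the request is out of scope."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1",
        "RequestID": "_" + uuid.uuid4().hex, "IssueInstant": now,
    })
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", {"Resource": resource})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier")
    # Echo Format and NameQualifier exactly: the AA matches on all three parts.
    if pointer["format"]:
        nid.set("Format", pointer["format"])
    if pointer["qualifier"]:
        nid.set("NameQualifier", pointer["qualifier"])
    nid.text = pointer["name"]
    return ET.tostring(req, encoding="unicode")


if __name__ == "__main__":
    ptr = parse_authn_pointer(SAMPLE_AUTHN_ASSERTION)
    if accept_pointer("/C=US/O=Example Portal/CN=Portal CA", ptr):
        print(build_attribute_query(ptr, "https://gram.example.org/wsrf/services/ManagedJobFactoryService"))
```

The trust table is the part a deployment must not skip: the embedded assertion is only as good as the signature on the certificate that carries it, so the service should honour the pointer only for issuers (CAs, or EECs allowed to populate first-level proxies) that it has explicitly authorised to bind subjects to that IdP.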
nanoHUB
[Figure: nanoHUB flow. Labels: nanoHUB Portal; AA; "User authenticates to portal"; "X.509 w/ SAML Authn"; "SAML Attribute Query".]
myVocs integration
• Collaboration with Jill Gemmill and John-Paul Robinson, U. Alabama-Birmingham
• myVocs allows for the formation of Shibboleth-based VOs
• Coupling with GridShib allows myVocs-based VOs to access Grid resources
GridShib-myVocs Integration
[Figure sequence; only slide titles and diagram labels survive extraction.]
[Figure: User Registers with myVocs. Labels: Identity; Auth.]
[Figure: VO Admin Adds User to VO. Labels: VO attributes.]
[Figure: Grid Logon. Labels: Identity; Auth; Identity; Grid Creds.]
[Figure: Grid Service Invocation. Labels: VO Attributes; Grid Creds.; Grid Id.]
Future Plans: Attribute Push
• Turning to attribute push
• Our observation is that most Grid use cases want:
  – A persistent ID from the home institution
  – Attributes from the VO
• The Shib/X.509 gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
  – The push model seems to be easier: Shib2, VOMS, CAS
Attribute-push mode
• User authenticates to the portal
  – Could be GridShib-CA
• Portal gathers up the Shibboleth-issued attributes
• Combines them with VO-issued attributes
• Pushes the attributes in the X.509 certificate
  – Including the original Shibboleth assertions
• Can include the Authn assertion if the Grid service wants to query for more
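The receiving side of the push flow, as an added example that is not from the slides or from GridShib; it also covers the two mechanisms listed under "Shib Authorization in GT" (the required-attribute list and the attribute-to-local-identity mapping for GRAM). The pushed bundle is modelled as SAML 1.1 attribute assertions, one from the home IdP and one from the VO, each bound to the certificate holder through a NameIdentifier of format X509SubjectName. The point the code makes is that merging is not enough: the service must accept an attribute from an issuer only if that issuer is authoritative for it, otherwise a VO assertion could supply a home-institution identity. The issuer names, DNs, VO attribute names, scope table, policy and gridmap are all constructed; signature verification and X.500 DN matching are not modelled.

```python
# Added example (not GridShib code): consume a pushed attribute bundle with
# per-issuer scoping, then apply a required-attribute policy and a gridmap.
# Every issuer, DN, attribute name and policy entry here is constructed.
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
VO_MEMBER = "urn:example:vo:membership"   # hypothetical VO attribute names
VO_ROLE = "urn:example:vo:role"

HOME_IDP = "https://idp.example.edu/shibboleth"
VO_AA = "https://myvocs.example.org/vo/nanohub"
CERT_SUBJECT = "CN=Alice Example,O=Example Portal,C=US"


def make_assertion(issuer, subject_dn, attrs):
    """Constructed (unsigned) SAML 1.1 attribute assertion about an X.509 subject."""
    body = "".join(
        f'<Attribute AttributeName="{name}" AttributeNamespace="{SHIB_NS}">'
        + "".join(f"<AttributeValue>{escape(v)}</AttributeValue>" for v in values)
        + "</Attribute>"
        for name, values in attrs.items())
    return (f'<Assertion xmlns="{SAML}" MajorVersion="1" MinorVersion="1" Issuer="{issuer}">'
            f'<AttributeStatement><Subject><NameIdentifier Format="{X509_SUBJECT}">'
            f"{escape(subject_dn)}</NameIdentifier></Subject>{body}</AttributeStatement></Assertion>")


# Constructed bundle as a gateway would push it. The VO assertion also carries an
# eduPersonPrincipalName it is not authoritative for; the service must drop it.
SAMPLE_BUNDLE = [
    make_assertion(HOME_IDP, CERT_SUBJECT, {EPPN: ["alice@example.edu"],
                                            AFFILIATION: ["member", "staff"]}),
    make_assertion(VO_AA, CERT_SUBJECT, {VO_MEMBER: ["nanohub"], VO_ROLE: ["user"],
                                         EPPN: ["admin@example.edu"]}),
]

# Hypothetical service policy: which attribute names each issuer may assert.
ISSUER_SCOPE = {HOME_IDP: {EPPN, AFFILIATION}, VO_AA: {VO_MEMBER, VO_ROLE}}
# Required attributes: every entry must be satisfied by at least one listed value.
SERVICE_POLICY = {AFFILIATION: {"member", "faculty"}, VO_MEMBER: {"nanohub"}}
# Attribute-to-local-account mapping for GRAM job submission; first match wins.
GRIDMAP = [((VO_ROLE, "admin"), "nanohub-admin"), ((VO_MEMBER, "nanohub"), "nanohub")]


def collect_attributes(bundle, cert_subject, scope=ISSUER_SCOPE):
    """Merge pushed attributes by name, keeping only names the issuer may assert and
    only from statements bound to the certificate subject."""
    attrs = {}
    for xml_text in bundle:
        root = ET.fromstring(xml_text)
        allowed = scope.get(root.get("Issuer"))
        if allowed is None:
            continue                      # unknown issuer: ignore the whole assertion
        for stmt in root.findall(f"{{{SAML}}}AttributeStatement"):
            nid = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
            # Real code should compare DNs with X.500 matching rules, not string equality.
            if nid is None or nid.get("Format") != X509_SUBJECT \
                    or (nid.text or "").strip() != cert_subject:
                continue                  # statement is not about the certificate holder
            for attr in stmt.findall(f"{{{SAML}}}Attribute"):
                name = attr.get("AttributeName")
                if name not in allowed:
                    continue              # issuer is not authoritative for this name
                values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
                attrs.setdefault(name, set()).update(values)
    return attrs


def authorize(attrs, required=SERVICE_POLICY):
    """Deny unless every required attribute has at least one acceptable value."""
    return all(attrs.get(name, set()) & values for name, values in required.items())


def map_to_local_account(attrs, gridmap=GRIDMAP):
    """Return the local account for GRAM, or None when nothing matches."""
    for (name, value), account in gridmap:
        if value in attrs.get(name, set()):
            return account
    return None


if __name__ == "__main__":
    got = collect_attributes(SAMPLE_BUNDLE, CERT_SUBJECT)
    print(got, authorize(got), map_to_local_account(got))
```

With the scope table in place the VO's bogus eduPersonPrincipalName never reaches the policy, and an assertion whose subject is not the certificate holder contributes nothing, which is what stops a bundle built for one user from being presented with another user's credential.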
SAML/X.509 Binding Specification
• SAML V1.1 Profiles for X.509 Subjects
  – http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
• Includes the following profiles:
  – X.509 SAML Subject Profile
  – SAML Assertion Profile for X.509 Subjects
  – SAML Attribute Query Profile for X.509 Subjects
  – SAML Attribute Self-Query Profile for X.509 Subjects
More Information
• http://gridshib.globus.org
• Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, Gridshib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006.
  – http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
• GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
• dev.globus incubator:
  – http://dev.globus.org/wiki/Incubator/GridShib