
Page 1: Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

GridShib: Grid/Shibboleth Integration Update
GGF 18 Shibboleth Developers BoF
September 10-11, 2006, Washington, DC

Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

Page 2

Sep 11-12, 2006, GGF 18

Goals
• Allow users to use existing campus IdM systems to authenticate to the Grid
  – Assume Shibboleth everywhere
• Allow Grid access to campus attributes
• Hide as much of X.509 from users as possible

Page 3

Previous Work (from GGF 16)
• Integration of the Shibboleth AA with GT
  – GT can query the Shib AA, get attributes, and use those attributes to make authz decisions
  – Drop-in addition to GT 4.0 and Shibboleth 1.3
• Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
• GridShib-CA
• Beta release publicly available
  – Expect to officially release in GT 4.1/4.2

Page 4

Shib Authorization in GT
• Currently have a simple authorization mechanism
• List of attributes required to use a service or container
• Mapping of attributes to a local identity for GRAM job submission

Page 5

Recent Work: Authn Assertions in Certificates
• IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
  – Provides a pointer to the IdP and the NameID to use
• Big picture: it lets the credential issuer control the name binding
  – Allows the certificate issuer to tell the Grid service what IdP (AA) to contact and what name (with Format and qualifier) to use
  – Allows use of a standard AA, as it doesn't have to be involved in X.509 anymore
• Also allows trusted EECs to put identity into the first-level proxy certificate
  – Intended for Grid Portals and Science Gateways

Page 6

[Figure: nanoHUB portal flow. Labels: nanoHUB, nanoHUB Portal, AA, "User authenticates to portal", "X.509 w/ SAML Authn", "SAML Attribute Query".]

Page 7

myVocs integration
• Collaboration with Jill Gemmill and John-Paul Robinson
  – U. Alabama-Birmingham
• myVocs allows for formation of Shibboleth-based VOs
• Coupling with GridShib allows myVocs-based VOs to access Grid resources

Page 8

GridShib-myVocs Integration

Page 9

[Figure: User registers with myVocs. Labels: Identity, Auth.]


Page 13

[Figure: VO admin adds user to VO. Label: VO attributes.]

Page 14

[Figure: Grid logon. Labels: Identity, Auth, Identity, Grid Creds.]


Page 19

[Figure: Grid service invocation. Labels: VO Attributes, Grid Creds., Grid Id.]


Page 22

Future Plans: Attribute Push
• Turning to attribute push
• Our observation is that most Grid use cases want:
  – Persistent ID from the home institution
  – Attributes from the VO
• The Shib/X.509 gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
  – Push model seems to be easier: Shib2, VOMS, CAS

Page 23

Attribute-push mode
• User authenticates to Portal
  – Could be GridShib-CA
• Portal gathers up Shibboleth-issued attributes
• Combines with VO-issued attributes
• Pushes attributes in X.509 certificate
  – Including original Shibboleth assertions
• Can include Authn assertion if Grid service wants to query for more
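The GT-side check from slide 4 (attributes required to use a service, attributes mapped to a local identity for GRAM) applied to attributes delivered the way this slide describes, as an added example that is not GridShib or Globus code; the VO attribute name, the policy table and the group-to-account mapping are assumptions, and the SAML input is constructed.

```python
# Added example, not GridShib/Globus code. Parses a constructed SAML 1.1
# AttributeStatement (what a Shib AA returns to GT, or what a portal pushes
# inside a certificate) and applies a GT-style policy: required attribute
# values gate use of the service, and a VO attribute selects a local account.
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
# Constructed sample: one home-institution attribute plus one VO-issued one.
# The VO attribute name and every value here are made up for the example.
ASSERTION = f"""<Assertion xmlns="{SAML1}"><AttributeStatement>
  <Subject><NameIdentifier>alice@example.edu</NameIdentifier></Subject>
  <Attribute AttributeNamespace="{SHIB_NS}"
             AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <AttributeValue>member</AttributeValue><AttributeValue>staff</AttributeValue>
  </Attribute>
  <Attribute AttributeNamespace="{SHIB_NS}" AttributeName="urn:example:vo:group">
    <AttributeValue>nanoHUB-users</AttributeValue>
  </Attribute>
</AttributeStatement></Assertion>"""

# Hypothetical service policy: every value listed must have been asserted.
REQUIRED = {
    "urn:mace:dir:attribute-def:eduPersonAffiliation": {"staff"},
    "urn:example:vo:group": {"nanoHUB-users"},
}
# Hypothetical mapping from VO group to the local account GRAM runs jobs as.
GROUP_TO_LOCAL_ID = {"nanoHUB-users": "nanohub"}

def parse_attributes(xml_text):
    """Return {AttributeName: set(values)}. The caller must already have
    verified where the assertion came from (signature, or an authenticated
    query to the AA); parsing proves nothing about who asserted the values."""
    attrs = {}
    for attr in ET.fromstring(xml_text).iter(f"{{{SAML1}}}Attribute"):
        vals = {v.text.strip() for v in attr.findall(f"{{{SAML1}}}AttributeValue") if v.text}
        attrs.setdefault(attr.get("AttributeName"), set()).update(vals)
    return attrs

def authorize(attrs, required=REQUIRED):
    """Permit only if each required value appears among the asserted ones."""
    return all(vals <= attrs.get(name, set()) for name, vals in required.items())

def map_to_local_identity(attrs, mapping=GROUP_TO_LOCAL_ID):
    """Local account for the job, or None when no asserted VO group maps."""
    for group in sorted(attrs.get("urn:example:vo:group", ())):
        if group in mapping:
            return mapping[group]
    return None
```

For assertions received from the network, parse with a hardened XML parser such as defusedxml instead of the stdlib ElementTree, and reject a request whenever map_to_local_identity returns None.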

Page 24

SAML/X.509 Binding Specification
• SAML V1.1 Profiles for X.509 Subjects
  – http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
• Includes the following profiles:
  – X.509 SAML Subject Profile
  – SAML Assertion Profile for X.509 Subjects
  – SAML Attribute Query Profile for X.509 Subjects
  – SAML Attribute Self-Query Profile for X.509 Subjects

Page 25

More Information
http://gridshib.globus.org
• Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, Gridshib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006.
  http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
• GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
• dev.globus incubator:
  – http://dev.globus.org/wiki/Incubator/GridShib