Title: Shibboleth for Non-Web-Based Applications: GridShib
Slide 1: Shibboleth for Non-Web-Based Applications: GridShib
http://arch.doit.wisc.edu/keith/midnetgridShib-050609-01.ppt
Courtesy of Tom Barton, University of Chicago, and Von Welch, NCSA, UIUC
MIDnet Spring Conference, June 9, 2005
Slide 2: Some Background: Shibboleth
- http://shibboleth.internet2.edu/
- Internet2 project
- Allows for inter-institutional sharing of web resources
  - Federation of identities and attributes
- Uses attribute-based authorization
- Standards-based (SAML)
- Being extended to non-web resources
- Part of NMI/EDIT distribution
Slide 3: Some Background: Globus Toolkit
- http://www.globus.org
- Collaborative work from the Globus Alliance
- Toolkit for Grid computing
  - Job submission, data movement, data management, resource management
- Security based on X.509 identity and proxy certificates
- Part of NMI Grids Center Suite
Slide 4: NSF Middleware Initiative (NMI) Grant: Policy Controlled Attribute Framework
- What: shibbolize NMI Grids
  - Allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
- Participants
  - Von Welch, UIUC/NCSA (PI)
  - Kate Keahey, UChicago/Argonne (PI)
  - Frank Siebenlist, Argonne
  - Tom Barton, UChicago
- 2 years starting December 1, 2004
- We call it GridShib
Slide 5: The GridShib picture
[Diagram with three parties, User, Campus Shibboleth and Grid Service, and the following numbered steps]
(0) Attribute Release Policy (at the Campus Shibboleth)
(1) Grid Authentication (User to Grid Service)
(2) Shib Attribute Request (Grid Service to Campus Shibboleth)
(3) Attributes (returned to the Grid Service)
(4) Attribute-based authorization (at the Grid Service)
Slide 6: Why?
- Critical mass of grid deployments could use it
  - Large grid, far-flung participants, several types of roles among them
    - Examples: NEESgrid, Earth System Grid, TeraGrid, Grid3 (GriPhyN, iVDGL, and PPDG)
  - Centralized access to campus grid resources for research computing
    - Examples: UChicago, USC, UAB
Slide 7: Why?
- Values of integrating common infrastructure with Virtual Organizations are similar to the Enterprise case
Slide 8: Time is finally right
- Shibboleth and SAML have shown how to
  - Authorize the anonymous user
  - Extend integration of common infrastructure across administrative and operational domains
- Sufficiently abstracted security-related interfaces provided by NMI Grid componentry
- Others are trying non-web-based shibbolization approaches roughly analogous to what we envision
- Plug: all code elements above are NMI components. We're building on work of many people over 3 years.
Slide 9: Grid-Shib integration essentials
- Design principles
  - No modification to typical grid client applications
  - No change to Shibboleth's model of administrative and end-user maintenance of attribute release policies
  - Leverage high-quality campus Identity Provider operations
- Accommodations for Grid shibbolization
  - Identity Provider Discovery (pull models)
  - Basic sequence of events (push models)
  - Use of an identifier in X.509 cert as a subject handle for use by the Attribute Authority
Slide 10: Basic integration: user identified, attributes pulled
Slide 11: Advanced integration example: pseudonymous push
Slide 12: Timeline
- December 1, 2004: formal start
- Year 1
  - Basic integration code supporting pull model with user identified
- Year 2
  - Advanced integration code supporting push and user pseudonymity
Slide 13: Project objectives
- Priority 0: Gather requirements, identify users, related work
  - Users
    - U Chicago
    - USC (Henderson)
    - TeraGrid
  - Related work
    - Already established coordination with ESP-Grid, Dr. Jeffreys, Oxford, UK
    - UAB (Gemmil)
    - Georgetown (Leonhardt)
Slide 14: Project objectives
- Priority 1: Pull mode operation
  - Globus services contact Shibboleth to obtain attributes about the identified user
  - Support both GT4.x Web Services and pre-WS code
- Priority 2: Push mode operation
  - User obtains Shib attributes and pushes them to the service
  - Allows role selection
- Priority 3: Online CAs
  - Pseudonymous operation
  - Integration with local authentication services
Slide 15: GridShib Progress
- Developers hired February 2005
- Substantial resolution of GridShib's Shibboleth usage profile
- Shibboleth IdP plugin nearing completion
  - Maps externally-issued X.509 identity certificates to local identifiers
- SAML attribute marshaling in GT4 runtime nearing completion
Slide 16: GridShib Progress (cont'd)
- Common attribute format internal to GT4 runtime to support access policies spanning SAML and X.509 PMI attribute sources
  - Uses XACML Request Context
- Initial GridShib release for closed alpha deployment
  - Readiness by end of June
  - Overlays GT 4.0 and Shib 1.3
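The pull-mode sequence described on slides 5, 9, 14 and 15 (the grid service authenticates the user by X.509 certificate, the IdP plugin maps the certificate identifier to a local subject handle, the campus Attribute Authority answers under its attribute release policy, and the service authorizes on what came back), as an added Python model. This is not GridShib or Globus code; every DN, entity ID, attribute value and policy entry below is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed campus data (assumptions, not a real deployment). DN_TO_UID stands
# in for the IdP plugin's mapping of an externally issued X.509 identity
# certificate to a local identifier (slide 15); ATTRIBUTES is the slide 21 set.
DN_TO_UID = {"/DC=org/DC=example/CN=Jane Doe": "jdoe"}
ATTRIBUTES = {"jdoe": {"eduPersonAffiliation": {"staff", "member"},
                       "isMemberOf": {"cs:grid-users"},
                       "eduPersonEntitlement": {"urn:example:grid:compute"}}}
# Attribute release policy (step 0): which attributes each requesting grid
# service may receive; a requester that is not listed receives nothing.
ARP = {"https://grid.example.org/compute": {"eduPersonAffiliation",
                                            "eduPersonEntitlement"}}


class AttributeAuthority:
    """Campus Shibboleth AA answering a grid service's attribute request."""

    def query(self, requester: str, subject_dn: str) -> dict:
        uid = DN_TO_UID.get(subject_dn)  # certificate identifier as subject handle
        if uid is None:
            return {}                     # unknown subject: release nothing
        allowed = ARP.get(requester, set())
        return {name: vals for name, vals in ATTRIBUTES.get(uid, {}).items()
                if name in allowed}       # the ARP filters what leaves campus


@dataclass
class GridService:
    entity_id: str
    aa: AttributeAuthority
    required_entitlement: str

    def authorize(self, authenticated_dn: str) -> bool:
        """Steps 2-4: pull attributes for the authenticated DN, then decide."""
        attrs = self.aa.query(self.entity_id, authenticated_dn)
        # Anything the ARP withheld is simply absent, so it yields deny, not an error.
        return self.required_entitlement in attrs.get("eduPersonEntitlement", set())


def demo() -> tuple:
    """Three decisions: known user, unknown DN, and a service the ARP ignores."""
    aa = AttributeAuthority()
    compute = GridService("https://grid.example.org/compute", aa, "urn:example:grid:compute")
    unlisted = GridService("https://grid.example.org/unlisted", aa, "urn:example:grid:compute")
    return (compute.authorize("/DC=org/DC=example/CN=Jane Doe"),
            compute.authorize("/DC=org/DC=example/CN=Mallory"),
            unlisted.authorize("/DC=org/DC=example/CN=Jane Doe"))
```

Note that isMemberOf never reaches the service even though the user has it: the campus release policy, not the grid service, decides which attributes cross the boundary, which is the design principle of slide 9.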
Slide 17: Timeline (cont.)
- 2006: Second release
  - Advanced integration code supporting push and user pseudonymity
  - Integration with MyProxy/GridLogon for improved usability
  - Integration of feedback from Y1 release
Slide 18: GridShib Challenges
- Use of an identifier in X.509 certificate as a subject handle for use by the Shib Attribute Authority (SAA)
  - Shibboleth v1.3 should handle this
- Allowing VOs to define attributes meaningful to them
- Attribute Authority identification
  - "Where are you from" problem
- Plumbing interconnect
- Translating requirements into meaningful authorization policy
- Support pseudonymity
Slide 19: GridShib Challenges
- Identity Provider Discovery
  - Compounded by need in some grids to consult several identity providers for each user
- Distributed Attribute Administration
  - What happens when the folks running the attribute authority are not the ones authoritative for the attributes?
  - Some projects don't have resources to run a 7x24 security service, but are the only ones who know the attribute space
  - Explore Signet, Grouper
- Mapping local subject identifier to externally issued EEC
Slide 20: Distributed Authorities
[Diagram labels: Grid user, Session authentication credential, Grid Service, Attribute Authority, Authorities (Home Org, Affiliated Org, Virtual Org), Signet, Grouper]
Slide 21: Getting Attributes into a Site's Attribute Authority
[Diagram labels: Core Business Systems (SIS, HR), Loaders, Person Registry, Group Registry (Grouper UI), Privilege Registry (Signet UI), LDAP, Attribute Authority (Shib/GridShib), On-site Authorities, Off-site Authorities using Shibboleth; example attributes: uid jdoe, eduPersonAffiliation, isMemberOf, eduPersonEntitlement]
Slide 22: Potential objectives
- Collaboration with Signet folks to allow for distributed attribute administration
- Support for alternatives to GT4
  - Standard PKI-authenticated web services in addition to GT4
  - Some Grid projects looking at plain web services approach
- Support for GT2 legacy code?
  - Will there still be demand?
Slide 23: Loose ends
- Use of VO-operated AA vs. one embedded within an Enterprise's Identity Provider operation
  - May be some use cases in which this is sufficient or desirable
- We don't address the problem of how to manage the attributes needed by grid resources, just how to transport them
Slide 24: Resources
- Grouper website: http://middleware.internet2.edu/dir/groups/grouper/
- Signet website: http://middleware.internet2.edu/signet/
- Internet2 Middleware Initiative: http://middleware.internet2.edu/
- GridShib project: http://grid.ncsa.uiuc.edu/GridShib/
Slide 25: Acknowledgements
- Working in collaboration with Steven Carmody and the Internet2 Shibboleth Design team
  - Providers of much valuable advice.
- Funded under NSF award SCI-0438424
Slide 26: Questions?
- Project website: http://grid.ncsa.uiuc.edu/GridShib/
- Or contact
  - tbarton_at_uchicago.edu
  - vwelch_at_ncsa.uiuc.edu
- For more information on NMI: http://www.nsf-middleware.org/
Slide 27: Q & A