Shibboleth for Non-Web-Based Applications: GridShib - PowerPoint PPT Presentation
1
Shibboleth for Non-Web-Based Applications
GridShib
http://arch.doit.wisc.edu/keith/midnetgridShib-050609-01.ppt
Courtesy of Tom Barton, University of Chicago, and Von Welch, NCSA, UIUC
MIDnet Spring Conference, June 9, 2005
2
Some Background: Shibboleth
  • http://shibboleth.internet2.edu/
  • Internet2 project
  • Allows for inter-institutional sharing of web
    resources
  • Federation of identities and attributes
  • Uses attribute-based authorization
  • Standards-based (SAML)
  • Being extended to non-web resources
  • Part of NMI/EDIT distribution

3
Some Background: Globus Toolkit
  • http://www.globus.org
  • Collaborative work from the Globus Alliance
  • Toolkit for Grid computing
  • Job submission, data movement, data management,
    resource management
  • Security based on X.509 identity- and
    proxy-certificates
  • Part of NMI Grids Center Suite

4
NSF Middleware Initiative (NMI) Grant: Policy
Controlled Attribute Framework
  • What: shibbolize NMI Grids
    • Allow the use of Shibboleth-issued attributes for
      authorization in NMI Grids built on the Globus
      Toolkit
  • Participants
    • Von Welch, UIUC/NCSA (PI)
    • Kate Keahey, UChicago/Argonne (PI)
    • Frank Siebenlist, Argonne
    • Tom Barton, UChicago
  • 2 years starting December 1, 2004
  • We call it GridShib

5
The GridShib picture
[Diagram with three parties: User, Grid Service, and Campus Shibboleth.
The numbered steps are:]
  (0) Attribute Release Policy (maintained at the campus Shibboleth side)
  (1) Grid Authentication (User to Grid Service)
  (2) Shib Attribute Request (Grid Service to Campus Shibboleth)
  (3) Attributes (Campus Shibboleth to Grid Service)
  (4) Attribute-based authorization (at the Grid Service)
6
Why?
  • Critical mass of grid deployments could use it
    • Large grid, far-flung participants, several types
      of roles among them
    • Examples: NEESgrid, Earth System Grid, TeraGrid,
      Grid3 (GriPhyN, iVDGL, and PPDG)
  • Centralized access to campus grid resources for
    research computing
    • Examples: UChicago, USC, UAB

7
Why?
  • Values of integrating common infrastructure with
    Virtual Organizations are similar to Enterprise
    case

8
Time is finally right
  • Shibboleth / SAML have shown how to
    • Authorize the anonymous user
    • Extend integration of common infrastructure
      across administrative and operational domains
  • Sufficiently abstracted security-related
    interfaces provided by NMI Grid componentry
  • Others are trying non-web-based shibbolization
    approaches roughly analogous to what we envision
  • Plug: all code elements above are NMI components.
    We're building on the work of many people over 3
    years.

9
Grid-Shib integration essentials
  • Design principles
    • No modification to typical grid client
      applications
    • No change to Shibboleth's model of administrative
      and end-user maintenance of attribute release
      policies
    • Leverage high-quality campus Identity Provider
      operations
  • Accommodations for Grid shibbolization
    • Identity Provider Discovery (pull models)
    • Basic sequence of events (push models)
    • Use of an identifier in the X.509 cert as a subject
      handle for use by the Attribute Authority
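The pull-model flow on slide 5 and the "identifier in the X.509 cert as a subject handle" point above, worked through as an added Python model. This is not GridShib or Globus code (those are Java); the CA, the campus AA, its DN-to-uid map, the release policy and every endpoint name are constructed for the illustration. The grid service has already authenticated the user with GSI, so it holds only the certificate subject DN and issuer; it sends a SAML 1.1 AttributeQuery whose NameIdentifier is that DN in the X509SubjectName format, the campus AA maps the DN to a local principal and releases only what the attribute release policy allows for this requester, and the service unmarshals the returned assertion after checking that it is about the subject it asked for.

```python
"""Pull-mode GridShib attribute retrieval, modelled in Python.

Constructed illustration, not GridShib or Globus code. The grid service holds
the GSI-authenticated subject DN and its issuing CA, uses the DN as the subject
handle in a SAML 1.1 AttributeQuery to a campus Attribute Authority (AA), and
unmarshals the attribute assertion the AA returns.
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def canonical_dn(dn):
    """Normalise an OpenSSL-style '/C=US/O=...' DN so map lookups do not fail on
    whitespace or attribute-type case. Production code needs full RFC 4518 matching."""
    comps = []
    for p in (s.strip() for s in dn.split("/")):
        if p:
            t, _, v = p.partition("=")
            comps.append(t.strip().upper() + "=" + v.strip())
    return "/" + "/".join(comps)


def build_attribute_query(subject_dn, requester):
    """SAML 1.1 AttributeQuery whose NameIdentifier is the X.509 subject name; Resource
    carries the requesting service's provider id, as the Shibboleth 1.x SP does."""
    req = ET.Element(f"{{{SAMLP}}}Request")
    q = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", Resource=requester)
    subj = ET.SubElement(q, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", Format=X509_FMT).text = subject_dn
    return ET.tostring(req, encoding="unicode")


class AttributeAuthority:
    """Constructed stand-in for a Shibboleth 1.3 AA plus the GridShib IdP plugin."""

    def __init__(self, cert_to_uid, directory, arp):
        # Plugin map: externally-issued certificate DN -> local uid.
        self.cert_to_uid = {canonical_dn(k): v for k, v in cert_to_uid.items()}
        self.directory = directory  # local uid -> attributes, as LDAP would hold them
        self.arp = arp              # requester provider id -> attribute names released to it

    def handle(self, query_xml):
        q = ET.fromstring(query_xml).find(f"{{{SAMLP}}}AttributeQuery")
        nid = q.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
        if nid.get("Format") != X509_FMT:
            raise ValueError("unsupported NameIdentifier format")
        uid = self.cert_to_uid.get(canonical_dn(nid.text))
        released = self.arp.get(q.get("Resource"), set())
        # Unmapped DN or unknown requester: return an empty statement rather than guess.
        attrs = {k: v for k, v in self.directory.get(uid, {}).items() if k in released}
        resp = ET.Element(f"{{{SAMLP}}}Response")
        stmt = ET.SubElement(ET.SubElement(resp, f"{{{SAML}}}Assertion"),
                             f"{{{SAML}}}AttributeStatement")
        subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", Format=X509_FMT).text = nid.text
        for name, values in attrs.items():
            a = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                              AttributeName=name, AttributeNamespace=SHIB_NS)
            for v in values:
                ET.SubElement(a, f"{{{SAML}}}AttributeValue").text = v
        return ET.tostring(resp, encoding="unicode")


def parse_attribute_response(resp_xml, expected_dn):
    """Unmarshal the assertion into {name: [values]}, refusing one about another subject.
    Signature checking is omitted: the model assumes the AA was reached over mutually
    authenticated TLS; a real deployment verifies the assertion's XML signature."""
    stmt = ET.fromstring(resp_xml).find(f"{{{SAML}}}Assertion/{{{SAML}}}AttributeStatement")
    nid = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if canonical_dn(nid.text) != canonical_dn(expected_dn):
        raise ValueError("assertion subject does not match the authenticated user")
    return {a.get("AttributeName"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in stmt.findall(f"{{{SAML}}}Attribute")}


# Identity Provider discovery: which AA can resolve subjects of this CA (constructed table).
AA_BY_ISSUER = {"/C=US/O=Example Grid CA": "https://aa.campus.example.edu/shibboleth"}

AA_ENDPOINTS = {  # one constructed campus AA with a single mapped user
    "https://aa.campus.example.edu/shibboleth": AttributeAuthority(
        cert_to_uid={"/C=US/O=Example Grid CA/OU=People/CN=Jane Doe": "jdoe"},
        directory={"jdoe": {
            "eduPersonAffiliation": ["staff", "member"],
            "isMemberOf": ["cn=neesgrid-users,ou=groups,dc=campus,dc=example,dc=edu"],
            "eduPersonEntitlement": ["urn:mace:example.edu:allocation:neesgrid"]}},
        arp={"https://gridsvc.example.org/shibboleth": {"eduPersonAffiliation", "isMemberOf"}}),
}


def pull_attributes(subject_dn, issuer_dn, requester):
    """Steps (2) and (3) of the GridShib picture, from the grid service's side."""
    aa = AA_BY_ISSUER.get(canonical_dn(issuer_dn))
    if aa is None:
        raise LookupError("no Attribute Authority known for issuer " + issuer_dn)
    resp = AA_ENDPOINTS[aa].handle(build_attribute_query(subject_dn, requester))
    return parse_attribute_response(resp, subject_dn)
```

Two checks in the model are the ones that matter in a deployment: the AA keys attribute release on the requester's identity, so the grid service must be authenticated to the AA (mutual TLS or a signed query), and the service refuses an assertion whose subject is not the DN it authenticated. Calling pull_attributes with a requester the release policy does not know, or with a DN the plugin cannot map, yields an empty attribute set; the entitlement attribute is withheld from the constructed requester because its release policy does not include it.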

10
Basic integration: user identified, attributes
pulled
11
Advanced integration example: pseudonymous push
12
Timeline
  • December 1, 2004: formal start
  • Year 1
    • Basic integration code supporting pull model
      with user identified
  • Year 2
    • Advanced integration code supporting push and
      user pseudonymity

13
Project objectives
  • Priority 0: Gather requirements, identify users,
    related work
  • Users
    • U Chicago
    • USC (Henderson)
    • TeraGrid
  • Related work
    • Already established coordination with ESP-Grid,
      Dr. Jeffreys, Oxford, UK
    • UAB (Gemmil)
    • Georgetown (Leonhardt)

14
Project objectives
  • Priority 1: Pull mode operation
    • Globus services contact Shibboleth to obtain
      attributes about the identified user
    • Support both GT4.x Web Services and pre-WS code
  • Priority 2: Push mode operation
    • User obtains Shib attributes and pushes them to the
      service
    • Allows role selection
  • Priority 3: Online CAs
    • Pseudonymous operation
    • Integration with local authentication services

15
GridShib Progress
  • Developers hired February 2005
  • Substantial resolution of GridShib's Shibboleth
    usage profile
  • Shibboleth IdP plugin nearing completion
    • Maps externally-issued X.509 identity
      certificates to local identifiers
  • SAML attribute marshaling in GT4 runtime nearing
    completion

16
GridShib Progress (cont'd)
  • Common attribute format internal to GT4 runtime
    to support access policies spanning SAML and
    X.509 PMI attribute sources
    • Uses XACML Request Context
  • Initial GridShib release for closed alpha
    deployment
    • Readiness by end of June
    • Overlays GT 4.0 and Shib 1.3
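The common attribute format on this slide, as an added Python example that is not GT4 or GridShib code: attributes obtained from a Shibboleth AA (SAML) and from an X.509 attribute certificate (PMI) are placed in one XACML 2.0 Request Context, each carrying its Issuer, and a small policy evaluator permits only when the required value was asserted by an authority the policy trusts for that attribute. The issuers, the group name, the VO role attribute id, the resource and the policy are all constructed for the illustration.

```python
"""SAML and X.509 PMI attributes in one XACML 2.0 Request Context.

Constructed illustration, not GT4 or GridShib code. Attributes from a
Shibboleth AA and from an X.509 attribute certificate go into one request
context, each tagged with its Issuer, so a single policy can say which
authority it trusts for which attribute.
"""
import xml.etree.ElementTree as ET

CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
MACE = "urn:mace:dir:attribute-def:"  # URI prefix Shibboleth 1.x gives eduPerson attributes

# Constructed issuers and attribute data for the example.
CAMPUS_AA = "https://aa.campus.example.edu/shibboleth"
VO_AC_ISSUER = "/C=US/O=NEESgrid VO/CN=Attribute Authority"
GROUP = "cn=neesgrid-users,ou=groups,dc=campus,dc=example,dc=edu"
VO_ROLE = "urn:example:vo:role"  # hypothetical attribute id carried in the VO's ACs


def _attribute(parent, attr_id, values, issuer=None):
    a = ET.SubElement(parent, f"{{{CTX}}}Attribute", AttributeId=attr_id, DataType=XS_STRING)
    if issuer:
        a.set("Issuer", issuer)
    for v in values:
        ET.SubElement(a, f"{{{CTX}}}AttributeValue").text = v


def build_request_context(subject_dn, saml_attrs, saml_issuer, pmi_attrs, pmi_issuer,
                          resource, action):
    """saml_attrs: {shortName: [values]} from the AA; pmi_attrs: {attrId: [values]} from an AC."""
    req = ET.Element(f"{{{CTX}}}Request")
    subj = ET.SubElement(req, f"{{{CTX}}}Subject")
    _attribute(subj, SUBJECT_ID, [subject_dn])
    for name, values in saml_attrs.items():
        _attribute(subj, MACE + name, values, issuer=saml_issuer)
    for attr_id, values in pmi_attrs.items():
        _attribute(subj, attr_id, values, issuer=pmi_issuer)
    _attribute(ET.SubElement(req, f"{{{CTX}}}Resource"), RESOURCE_ID, [resource])
    _attribute(ET.SubElement(req, f"{{{CTX}}}Action"), ACTION_ID, [action])
    ET.SubElement(req, f"{{{CTX}}}Environment")
    return req


def subject_attributes(req):
    """Flatten the Subject into {(AttributeId, Issuer): {values}}; provenance stays attached."""
    out = {}
    for a in req.findall(f"{{{CTX}}}Subject/{{{CTX}}}Attribute"):
        key = (a.get("AttributeId"), a.get("Issuer"))
        out.setdefault(key, set()).update(v.text for v in a.findall(f"{{{CTX}}}AttributeValue"))
    return out


# A rule is a list of clauses (AttributeId, required value, issuers trusted for it);
# the policy permits when every clause of some rule is met.
POLICY = {
    "resource": "https://gridsvc.example.org/wsrf/services/ManagedJobFactoryService",
    "action": "submit",
    "rules": [
        [(MACE + "isMemberOf", GROUP, {CAMPUS_AA})],  # campus speaks for group membership
        [(VO_ROLE, "admin", {VO_AC_ISSUER})],         # the VO speaks for VO roles
    ],
}


def evaluate(req, policy):
    """Tiny PDP over the request context: NotApplicable, Permit or Deny."""
    def single(section, attr_id):
        a = req.find(f"{{{CTX}}}{section}/{{{CTX}}}Attribute[@AttributeId='{attr_id}']")
        return a.find(f"{{{CTX}}}AttributeValue").text
    target = (single("Resource", RESOURCE_ID), single("Action", ACTION_ID))
    if target != (policy["resource"], policy["action"]):
        return "NotApplicable"
    attrs = subject_attributes(req)
    for rule in policy["rules"]:
        if all(any(value in attrs.get((attr_id, iss), set()) for iss in issuers)
               for attr_id, value, issuers in rule):
            return "Permit"
    return "Deny"


def decide(saml_attrs, pmi_attrs, action="submit"):
    """Build the context for one request by the constructed user and evaluate POLICY."""
    req = build_request_context("/C=US/O=Example Grid CA/OU=People/CN=Jane Doe",
                                saml_attrs, CAMPUS_AA, pmi_attrs, VO_AC_ISSUER,
                                POLICY["resource"], action)
    return evaluate(req, POLICY)
```

The point of keeping the Issuer on each attribute is visible in the third case: an attribute certificate from the VO that claims the campus isMemberOf value is not accepted, because the policy trusts only the campus AA for that attribute, while the same VO is trusted for its own role attribute.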

17
Timeline (cont'd)
  • 2006: Second release
    • Advanced integration code supporting push and
      user pseudonymity
    • Integration with MyProxy/GridLogon for improved
      usability
    • Integration of feedback from Y1 release

18
GridShib Challenges
  • Use of an identifier in X.509 certificate as a
    subject handle for use by the Shib Attribute
    Authority (SAA)
    • Shibboleth v1.3 should handle this
  • Allowing VOs to define attributes meaningful to
    them
  • Attribute Authority identification
    • "Where are you from?" problem
  • Plumbing interconnect
  • Translating requirements into meaningful
    authorization policy
  • Support pseudonymity

19
GridShib Challenges
  • Identity Provider Discovery
    • Compounded by need in some grids to consult
      several identity providers for each user
  • Distributed Attribute Administration
    • What happens when the folks running the attribute
      authority are not the ones authoritative for the
      attributes?
    • Some projects don't have resources to run a 7x24
      security service, but are the only ones who know
      the attribute space
    • Explore Signet, Grouper
  • Mapping local subject identifier to externally
    issued EEC

20
Distributed Authorities
[Diagram. Elements shown: Grid user; Session authentication
credential; Grid Service (Virtual Org); Attribute Authority;
Authorities at the Home Org and an Affiliated Org; Signet and
Grouper.]
21
Getting Attributes into a Site's Attribute
Authority
[Diagram. Elements shown: Core Business Systems (SIS, HR) with
Loaders into a Person Registry; a Group Registry (Grouper UI);
a Privilege Registry (Signet UI); LDAP; the Attribute Authority
(Shib/GridShib). Example attributes: uid jdoe,
eduPersonAffiliation, isMemberOf, eduPersonEntitlement.
Sources are split into On-site Authorities and Off-site
Authorities using Shibboleth.]
22
Potential objectives
  • Collaboration with Signet folks to allow for
    distributed attribute administration
  • Support for alternatives to GT4
    • Standard PKI-authenticated web services in
      addition to GT4
    • Some Grid projects looking at plain web services
      approach
  • Support for GT2 legacy code?
    • Will there still be demand?

23
Loose ends
  • Use of VO-operated AA vs. one embedded within an
    Enterprise's Identity Provider operation
    • May be some use cases in which this is sufficient
      or desirable
  • We don't address the problem of how to manage the
    attributes needed by grid resources, just how to
    transport them

24
Resources
  • Grouper website
    http://middleware.internet2.edu/dir/groups/grouper/
  • Signet website
    http://middleware.internet2.edu/signet/
  • Internet2 Middleware Initiative
    http://middleware.internet2.edu/
  • GridShib project
    http://grid.ncsa.uiuc.edu/GridShib/

25
Acknowledgements
  • Working in collaboration with Steven Carmody and
    the Internet2 Shibboleth Design team
    • Providers of much valuable advice.
  • Funded under NSF award SCI-0438424

26
Questions?
  • Project website
    http://grid.ncsa.uiuc.edu/GridShib/
  • Or contact
    • tbarton_at_uchicago.edu
    • vwelch_at_ncsa.uiuc.edu
  • For more information on NMI
    http://www.nsf-middleware.org/

27
Q & A