Shibboleth - PowerPoint PPT Presentation

Title: Shibboleth
Slides: 27
Provided by: nes76

Transcript and Presenter's Notes
1
Shibboleth Grid Integration
  • STFC and University of Oxford
  • (and University of Manchester)

2
Overview
  • Motivation
  • Why Shibboleth?
  • Previous work ShibGrid
  • Other projects
  • Just starting SARoNGS
  • Conclusions

3
Motivation
  • We want to encourage more users to use the Grid
  • All areas of research
  • Single researcher to large projects
  • Security infrastructure must enable this
  • Certificates are often a barrier
  • Generalised not specific
  • Straightforward to use

4
Why Shibboleth?
  • JISC is encouraging all institutions to
    transition from Athens to Federated Access
    Management
  • This technology is currently based on Shibboleth
  • It will become familiar to all academic users
  • The Grid should also use this common technology
    for authentication

5
Shibboleth Overview
  • Web-based federated access management system
    based on SAML
  • Based on separation of authentication and
    authorisation
  • Authentication: Identity Provider (IdP) at the user's
    home institution
  • Authorisation: Service Provider (SP), based on
    information about the user supplied by the IdP
  • Discovery: Where Are You From (WAYF) service
  • User can remain anonymous at the SP

6
Shibboleth Authentication and Authorisation
[Diagram of the authentication/authorisation flow; only the label "Web server" survives in the transcript]
(Thanks to Kang Tang)
7
ShibGrid Use cases
  • Access to the Grid solely with Shibboleth
  • Use standard Grid certificates when something
    extra is required (still many advantages)
  • Access to the Grid through a Portal
  • NGS portal/project portals
  • Access to the Grid through other access methods
  • Globus, Java GSI-SSH Terminal, CoG, etc.,
  • Registration (for NGS) using Shibboleth

8
ShibGrid access to the NGS (via Portal)
[Diagram: Shibboleth authentication and authorisation flow for portal access to the NGS; figure not in transcript]
(Thanks to Kang Tang)
9
Other Components
  • Grid proxy download tool
  • For non portal Grid access methods
  • Grid proxy upload tool
  • Registration service
  • Data Protection Act/Acceptable Use Policy
  • Check the user's institution is supported
  • Check the user has the correct configuration
  • Link to NGS user registration

10
Logon via Shibboleth
11
Choose your home institution
12
background log-in using Kerberos
13
welcome to the Portal
14
and we have an automatically-generated Grid proxy
15
Other Projects
  • There's more than one way to skin a cat
  • This list is not exhaustive...
  • UK: SHEBANGS, ShibGrid, GridSite,
    DyVOSE/VOTES/BRIDGES/GLASS and GridShibPERMIS
  • US: GridShib
  • Switzerland: SWITCH (gLite)
  • Australia: MAMS

16
SARoNGS
Other ShibGrid Projects. We want to support all use cases.
[Diagram labels, grouped by project:]
  • GEMS: Grid-enabling MIMAS data set.
  • SHEBANGS: ShibGrid research with VO support.
    Computation focus.
  • SARoNGS: Universal solution; VO, compute and data
    support. Full production service for NGS and
    MIMAS, etc.
  • ShibGrid: Production quality, no VO support.
    Computation focus. Possible production service.
  • VPMan: VO-based resource access control.
  • NGS: No VO-based access control.
  • NGS: Full VO/VOMS support.
17
Just starting SARoNGS
  • Will provide a standard production bridge for all
    UK Academics from the UK Federation into the Grid
    world.
  • Integrated access to compute and data resources
  • Will provide a much simpler model for integrating
    resources.
  • Will combine expertise from ShibGrid, SHEBANGS
    and MIMAS.

18
The SARoNGS CTS (NGS default) (Credential
Translation Service)
[Architecture diagram; labels grouped by the component they sit next to in the transcript:]
  • NGS default CTS (the credential translation service)
  • Shib-enabled MyProxy CA: Request certificate
  • VOMS Server: Request authorisation certificate (by DN);
    via email to VO manager
  • NGS MyProxy Server: Store proxy; Add VOMS AC
  • Registration Forms
  • Human Interface: Portal logon; Shibboleth Service
    Provider redirects the user's browser
  • Machine Interface: Requests from tools;
    MyProxy username/password; Retrieve credential
19
The SARoNGS CTS (VO-based)
[Architecture diagram; labels grouped by the component they sit next to in the transcript:]
  • VO-based CTS
  • Shib-enabled MyProxy CA: Request certificate
  • NGS MyProxy Server: Store proxy; Generate VOMS AC
  • PERMIS Policy; PERMIS Access Control
  • Registration Forms (optional)
  • Human Interface: Portal logon; Shibboleth Service
    Provider redirects the user's browser
  • Machine Interface: Requests from tools;
    MyProxy username/password; Retrieve credential
20
Conclusions
  • There has been much research but this must now be
    brought together to form a core production
    service
  • We are working towards fully integrating the Grid
    with the national access management federation
  • Compute (initially NGS)
  • Data (initially MIMAS)

21
Questions
22
(No Transcript)
23
More than just portal access
  • Registration service
  • Data Protection Act/Acceptable Use Policy
  • Check the user's institution is supported
  • Check the user has the correct configuration
  • Link to NGS user registration
  • Grid proxy download tool
  • For non portal Grid access methods
  • Grid proxy upload tool

24
Architectural Design
  • Don't change the user
  • Prevent extra logical steps: portal first
  • Easy to deploy in project portals
  • Support other access methods
  • Don't change other services
  • Work within Shibboleth and GSI frameworks

25
Requirements highlights
  • User/Project
  • Transparent access to eScience facilities,
    consistent with other SSO-enabled components.
  • Access to components at home or away (even
    Internet Café).
  • Fit in with local authentication schemes.
  • Don't want to know about certificates.
  • Want to use own project portal.
  • NGS
  • Must be compatible with GT2 and registration
    system.
  • VOMS in the future.

26
ShibGrid MyProxy Checks
  • IdP (trusted): authentication/authorisation
  • Standard Shibboleth
  • Portal (not trusted)
  • Standard MyProxy checks
  • Check the attribute assertion was created for
    the portal (audience), not for some other SP
  • Users
  • Authentication at IdP
  • Authorisation
  • Is the user registered?
  • Does the username attribute match the username used?
  • Attributes used to construct low-assurance
    certificate DNs
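As an added example (not from the presentation and not ShibGrid's own code), the checks on this slide applied to a constructed SAML 2.0 attribute assertion in Python: the portal and IdP entity IDs, the attribute set, the registration table and the DN layout are all assumptions for illustration, and verification of the IdP's XML-Signature is assumed to have been done by the SAML stack that received the assertion, so it is not repeated here. The DN builder also refuses attribute values that would inject extra RDNs into the one-line DN, a caveat the slide's "attributes used to construct DNs" point implies.

```python
"""Added example (not from the presentation): the 'ShibGrid MyProxy Checks'
applied to a constructed SAML 2.0 attribute assertion. Entity IDs, the
attribute set, the registration table and the DN layout are assumptions."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed entity ID of the (untrusted) portal that forwards assertions.
PORTAL_ENTITY_ID = "https://portal.example.ac.uk/shibboleth"
# Assumed set of federation IdPs this MyProxy server accepts.
TRUSTED_IDPS = {"https://idp.example-univ.ac.uk/idp/shibboleth"}
# Constructed registration table: eduPersonPrincipalName -> MyProxy username.
REGISTERED = {"jsmith@example-univ.ac.uk": "jsmith"}

# Constructed assertion. Its XML-Signature is assumed to have been verified
# already by the SAML stack that received it; that step is not repeated here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_abc123" IssueInstant="2008-06-01T12:00:00Z" Version="2.0">
  <saml:Issuer>https://idp.example-univ.ac.uk/idp/shibboleth</saml:Issuer>
  <saml:Conditions NotBefore="2008-06-01T11:55:00Z" NotOnOrAfter="2008-06-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example.ac.uk/shibboleth</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>jsmith@example-univ.ac.uk</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
      <saml:AttributeValue>Jane Smith</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

SAMPLE_NOW = dt.datetime(2008, 6, 1, 12, 0, tzinfo=dt.timezone.utc)
LATER_NOW = SAMPLE_NOW + dt.timedelta(hours=1)  # past NotOnOrAfter


class CheckFailed(Exception):
    """Raised when one of the slide's checks fails."""


def _utc(stamp):
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _dn_component(value):
    # Refuse characters that would let an IdP-supplied attribute inject extra
    # RDNs into the OpenSSL one-line DN form built below.
    if any(c in value for c in "/=\r\n"):
        raise CheckFailed("attribute value not safe for a DN component: %r" % value)
    return value


def parse_attributes(root):
    """Map FriendlyName (or OID Name) -> list of attribute values."""
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("FriendlyName") or attr.get("Name")
        attrs[name] = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def check_assertion(xml_text, claimed_username, now):
    root = ET.fromstring(xml_text)
    # IdP (trusted): only accept assertions from a federation IdP we know.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer not in TRUSTED_IDPS:
        raise CheckFailed("issuer not a trusted IdP: %s" % issuer)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None or conditions.get("NotBefore") is None or conditions.get("NotOnOrAfter") is None:
        raise CheckFailed("assertion states no validity window")
    # Standard check: the assertion must be inside its validity window.
    if not (_utc(conditions.get("NotBefore")) <= now < _utc(conditions.get("NotOnOrAfter"))):
        raise CheckFailed("assertion outside its validity window")
    # Portal (not trusted): the assertion must have been created for the
    # portal, so an assertion issued to some other SP cannot be replayed here.
    audiences = [(a.text or "").strip()
                 for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if PORTAL_ENTITY_ID not in audiences:
        raise CheckFailed("assertion was not created for the portal")
    attrs = parse_attributes(root)
    # Users: is the user registered, and does the username attribute match
    # the MyProxy username the portal used?
    eppn = attrs.get("eduPersonPrincipalName", [""])[0]
    if eppn not in REGISTERED:
        raise CheckFailed("user not registered with the NGS: %s" % eppn)
    if REGISTERED[eppn] != claimed_username:
        raise CheckFailed("username attribute does not match username used")
    return attrs


def build_dn(attrs):
    """Low-assurance DN from IdP attributes; the layout is an assumption."""
    user, _, scope = attrs["eduPersonPrincipalName"][0].partition("@")
    display = attrs.get("displayName", [user])[0]
    return "/C=UK/O=eScience/OU=%s/CN=%s (%s)" % (
        _dn_component(scope), _dn_component(display), _dn_component(user))


def issue_dn(xml_text, claimed_username, now):
    """Run every check, then return the DN the CA would place in the certificate."""
    return build_dn(check_assertion(xml_text, claimed_username, now))


def failure_reason(xml_text, claimed_username, now):
    """Like issue_dn, but returns the failure message (None on success)."""
    try:
        issue_dn(xml_text, claimed_username, now)
    except CheckFailed as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(issue_dn(SAMPLE_ASSERTION, "jsmith", SAMPLE_NOW))
```

The audience check is the one the slide singles out for the untrusted portal: without it, an assertion the IdP issued for any other SP in the federation would be accepted by the MyProxy CA, and the portal's own forwarding step would become the only barrier.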