GridShib and MyProxy Grid Credential Management and Identity Federation - PowerPoint PPT Presentation

Provided by: ogf
Slides: 27

Transcript and Presenter's Notes

1
GridShib and MyProxy: Grid Credential Management
and Identity Federation
  • Von Welch, NCSA, vwelch@ncsa.uiuc.edu

2
Plug - Longer Talks
  • Wed @ 2-3:30pm
  • GridShib, MyProxy, GAARDS
  • Mountain Laurel

3
GridShib
  • dev.Globus Incubator Project
  • Collaboration between NCSA and U. Chicago
  • GridShib is a project funded by the NSF
    Middleware Initiative
  • NMI awards 0438424 and 0438385
  • Opinions and recommendations are those of the
    authors and do not necessarily reflect the views
    of the National Science Foundation.
  • Also many thanks to Internet2 Shibboleth Project

4
What is GridShib?
  • Allows Shibboleth interoperability and SAML
    functionality in the Globus Toolkit
  • Allows GT to parse SAML attributes and use them
    for authorization
  • Allows portals to embed Shibboleth attributes in
    Grid credentials
  • Allows conversion of Shibboleth authentication to
    Grid credentials

5
Software Components
  • GridShib for Globus Toolkit
  • GridShib for Shibboleth
    ◦ Includes GridShib Certificate Registry
  • GridShib Certificate Authority
  • GridShib SAML Tools

6
Online Roadmap
  • We present current plans and timelines
  • Roadmap online at GridShib dev.globus incubator
    site
  • http://dev.globus.org/wiki/GridShib_Development_Roadmap
  • Roadmap will be maintained as work progresses,
    check web page for updates

7
GridShib for GT 0.5
  • GridShib for GT 0.5 announced Nov 30
  • Compatible with both GT4.0 and GT4.1
  • GT4.1 introduces powerful authz framework
  • Separate binaries for each GT version
  • Source build auto-senses target GT platform
  • New identity-based authorization feature
  • Uses grid-mapfile instead of DN ACLs
  • Logging enhancements
  • Bug fixes

8
GridShib for GT 0.5.1
  • GridShib for GT 0.5.1 (expected any day now)
  • Combined VOMS/SAML attribute-to-account mapping
  • As with the current gridmap situation, GT4.0.x
    deployments cannot take advantage of permit
    overrides or arbitrarily configure fallbacks
  • To accommodate this we'll allow for a name
    mapping scheme that checks, in this order, and
    continues to fall back if no match/authz is
    granted: gridmap, VOMS, Shibboleth/SAML
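
The ordered fallback on this slide (gridmap first, then VOMS, then Shibboleth/SAML, stopping at the first stage that grants), together with the grid-mapfile lookup that slide 7 mentions, as an added example in Go; this is not GridShib's own (Java) code. The grid-mapfile lines, the FQAN and attribute lookup tables and the account names are all constructed, and the type and function names (AuthzRequest, Mapper, Chain and the three mappers) are hypothetical.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample grid-mapfile (not taken from any real deployment).
const sampleGridMap = `# quoted subject DN, then comma-separated local accounts
"/C=US/O=NCSA/CN=Alice Example" alice,grid
"/C=US/O=NCSA/CN=Bob Example" bob
`

// GridMap is the parsed grid-mapfile: subject DN -> local account names.
type GridMap map[string][]string

// ParseGridMap reads grid-mapfile lines; blank lines and '#' comments are skipped.
func ParseGridMap(text string) (GridMap, error) {
	gm := GridMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("grid-mapfile: DN must be quoted: %q", line)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("grid-mapfile: unterminated DN: %q", line)
		}
		dn := line[1 : end+1]
		accounts := strings.TrimSpace(line[end+2:])
		if accounts == "" {
			return nil, fmt.Errorf("grid-mapfile: no account for DN %q", dn)
		}
		gm[dn] = strings.Split(accounts, ",")
	}
	return gm, sc.Err()
}

// AuthzRequest is what the name-mapping stage sees for one incoming call.
type AuthzRequest struct {
	SubjectDN string              // subject of the end-entity certificate
	FQANs     []string            // VOMS fully qualified attribute names, if any
	SAMLAttrs map[string][]string // attributes from a SAML AttributeStatement, if any
}

// Mapper is one stage: the local account and true on a match, or "", false to fall through.
type Mapper func(AuthzRequest) (string, bool)

// Chain tries the stages in order and stops at the first grant; there is no permit override.
func Chain(stages ...Mapper) Mapper {
	return func(r AuthzRequest) (string, bool) {
		for _, stage := range stages {
			if acct, ok := stage(r); ok {
				return acct, true
			}
		}
		return "", false // every stage missed: no account, so deny
	}
}

// GridMapMapper does identity-based mapping; the first listed account wins.
func GridMapMapper(gm GridMap) Mapper {
	return func(r AuthzRequest) (string, bool) {
		if accts, ok := gm[r.SubjectDN]; ok && len(accts) > 0 {
			return accts[0], true
		}
		return "", false
	}
}

// VOMSMapper checks FQANs in the order the attribute certificate lists them.
func VOMSMapper(fqanToAccount map[string]string) Mapper {
	return func(r AuthzRequest) (string, bool) {
		for _, f := range r.FQANs {
			if acct, ok := fqanToAccount[f]; ok {
				return acct, true
			}
		}
		return "", false
	}
}

// SAMLMapper maps the values of one pushed attribute to accounts.
func SAMLMapper(attrName string, valueToAccount map[string]string) Mapper {
	return func(r AuthzRequest) (string, bool) {
		for _, v := range r.SAMLAttrs[attrName] {
			if acct, ok := valueToAccount[v]; ok {
				return acct, true
			}
		}
		return "", false
	}
}

func main() {
	gm, err := ParseGridMap(sampleGridMap)
	if err != nil {
		panic(err)
	}
	chain := Chain(GridMapMapper(gm),
		VOMSMapper(map[string]string{"/myvo/Role=admin": "myvo-admin", "/myvo": "myvo"}),
		SAMLMapper("eduPersonAffiliation", map[string]string{"staff": "staffpool"}))
	for _, r := range []AuthzRequest{
		{SubjectDN: "/C=US/O=NCSA/CN=Alice Example", FQANs: []string{"/myvo/Role=admin"}},
		{SubjectDN: "/C=US/O=Other/CN=Carol", FQANs: []string{"/myvo"}},
		{SubjectDN: "/C=US/O=Other/CN=Eve"},
	} {
		acct, ok := chain(r)
		fmt.Printf("%-32s -> account %q, granted=%v\n", r.SubjectDN, acct, ok)
	}
}
```

Because the chain is first-match-wins, a subject present in the grid-mapfile is mapped there even when its VOMS or SAML attributes would map it somewhere else; only a subject that misses every stage is denied. A malformed grid-mapfile line fails the whole parse rather than silently mapping nobody, which is the safer failure for an authorization input.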

9
GridShib for GT 0.6
  • GridShib for GT 0.6 (expected March 2007)
  • Full-featured attribute push PIP
  • Compatible with current GridShib Attribute Tools
  • More powerful attribute-based authz policies
  • Allow unique issuer in authz policy rules

10
GridShib SAML Tools
  • Current version 0.1.2
  • Self-issues a SAML assertion with up to two
    statements
  • Optionally binds this assertion to an X.509 proxy
    certificate
  • Supports both SAML AuthenticationStatement and
    AttributeStatement
  • Separates the issuing of the SAML from the
    binding of the SAML
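
Slide 10's self-issued assertion with up to two statements, and the per-issuer authz rule from slide 9, as an added Go example that is not the GridShib SAML Tools' code: Issue builds a SAML 1.1 Assertion carrying an AuthenticationStatement and/or an AttributeStatement, and Consume is the relying-party step that accepts only an issuer listed in policy and enforces the Conditions window before handing attributes to authorization. Signing the assertion and binding it into an X.509 proxy certificate are the separate step the slide describes and are not shown; Consume assumes that binding has already established the assertion's integrity. The issuer entityID, subject DN and attribute values are constructed, and the function names are hypothetical.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

const shibAttrNS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

// Minimal SAML 1.1 shapes, only what this example needs.
type Conditions struct {
	NotBefore    string `xml:"NotBefore,attr"`
	NotOnOrAfter string `xml:"NotOnOrAfter,attr"`
}
type AuthenticationStatement struct {
	AuthenticationMethod  string `xml:"AuthenticationMethod,attr"`
	AuthenticationInstant string `xml:"AuthenticationInstant,attr"`
	Subject               string `xml:"Subject>NameIdentifier"` // here: the X.509 subject DN
}
type Attribute struct {
	Name      string   `xml:"AttributeName,attr"`
	Namespace string   `xml:"AttributeNamespace,attr"`
	Values    []string `xml:"AttributeValue"`
}
type AttributeStatement struct {
	Subject    string      `xml:"Subject>NameIdentifier"`
	Attributes []Attribute `xml:"Attribute"`
}
type Assertion struct {
	XMLName      xml.Name                 `xml:"urn:oasis:names:tc:SAML:1.0:assertion Assertion"`
	MajorVersion int                      `xml:"MajorVersion,attr"`
	MinorVersion int                      `xml:"MinorVersion,attr"`
	AssertionID  string                   `xml:"AssertionID,attr"`
	Issuer       string                   `xml:"Issuer,attr"`
	IssueInstant string                   `xml:"IssueInstant,attr"`
	Conditions   Conditions               `xml:"Conditions"`
	Authn        *AuthenticationStatement `xml:"AuthenticationStatement,omitempty"`
	Attrs        *AttributeStatement      `xml:"AttributeStatement,omitempty"`
}

// Issue self-issues an assertion: an AuthenticationStatement when authnMethod is set,
// an AttributeStatement when attrs is non-empty, never more than those two.
func Issue(issuer, subjectDN, authnMethod string, attrs map[string][]string, lifetime time.Duration) (*Assertion, error) {
	if authnMethod == "" && len(attrs) == 0 {
		return nil, errors.New("an assertion needs at least one statement")
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		return nil, err
	}
	now := time.Now().UTC()
	stamp := now.Format(time.RFC3339)
	a := &Assertion{
		MajorVersion: 1, MinorVersion: 1,
		AssertionID:  "_" + hex.EncodeToString(id), // an xsd:ID may not start with a digit
		Issuer:       issuer, IssueInstant: stamp,
		Conditions:   Conditions{NotBefore: stamp, NotOnOrAfter: now.Add(lifetime).Format(time.RFC3339)},
	}
	if authnMethod != "" {
		a.Authn = &AuthenticationStatement{AuthenticationMethod: authnMethod, AuthenticationInstant: stamp, Subject: subjectDN}
	}
	if len(attrs) > 0 {
		a.Attrs = &AttributeStatement{Subject: subjectDN}
		for name, vals := range attrs {
			a.Attrs.Attributes = append(a.Attrs.Attributes, Attribute{Name: name, Namespace: shibAttrNS, Values: vals})
		}
	}
	return a, nil
}

// Consume is the relying-party side (the job of a GT PIP): parse, accept only an
// issuer named in policy, enforce the validity window, return the attributes.
func Consume(doc []byte, trustedIssuers map[string]bool, now time.Time) (map[string][]string, error) {
	var a Assertion
	if err := xml.Unmarshal(doc, &a); err != nil {
		return nil, err
	}
	if !trustedIssuers[a.Issuer] {
		return nil, fmt.Errorf("issuer %q is not permitted by the authz policy", a.Issuer)
	}
	nb, errB := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, errA := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if errB != nil || errA != nil || now.Before(nb) || !now.Before(na) { // NotOnOrAfter is exclusive
		return nil, errors.New("assertion is malformed or outside its validity window")
	}
	out := map[string][]string{}
	if a.Attrs != nil {
		for _, at := range a.Attrs.Attributes {
			out[at.Name] = append(out[at.Name], at.Values...)
		}
	}
	return out, nil
}

func main() {
	a, err := Issue("https://idp.example.org/shibboleth", "/C=US/O=NCSA/CN=Alice Example",
		"urn:oasis:names:tc:SAML:1.0:am:X509-PKI", map[string][]string{"eduPersonAffiliation": {"staff"}}, time.Hour)
	if err != nil {
		panic(err)
	}
	doc, _ := xml.MarshalIndent(a, "", "  ")
	fmt.Println(string(doc))
}
```

Keeping the issuer check and the time-window check on the consuming side is what makes "allow unique issuer in authz policy rules" enforceable: a syntactically valid assertion from an IdP that policy does not list yields no attributes at all, and an attribute set is never returned for an assertion whose Conditions have lapsed.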

11
GridShib SAML Tools 0.2.0
  • Target release date February 2007
  • Same command-line interface as v0.1.x (but with
    more options)
  • Leverages Shibboleth Attribute Resolver to
    support more complicated attribute requirements
  • Support for nested SSO Response
  • Enhanced logging
  • Java API for Portal developers

12
GridShib for Shib Versions
  • GridShib for Shib 0.5.1
    ◦ Announced Aug 8, 2006
  • GridShib for Shib 0.6
    ◦ Expected Jan 2007
    ◦ Will include SAML Issuer Tool (derived from Shib
      resolvertest tool)

13
GridShib for Shib 0.6
  • GridShib for Shib 0.6 (expected April 2007)
  • Core (already included in 0.5)
    ◦ Requires Shib IdP
    ◦ Includes basic plugins and handlers
  • Certificate Registry (already included in 0.5)
    ◦ Requires GridShib for Shib Core
    ◦ Includes Derby embedded database
  • SAML Tools (new in 0.6)
    ◦ Requires GridShib for Shib Core
    ◦ Includes SAML Issuer Tool and SAML X.509 Binding
      Tool

14
GridShib CA 0.3
  • Substantial improvement over version 0.2
  • More robust protocol
  • Installation of trusted CAs at the client
  • Pluggable back-end CAs
    ◦ Uses an OpenSSL-based CA by default
    ◦ A module to use a MyProxy CA is included
  • Certificate registry functionality
    ◦ A module that auto-registers DNs with myVocs

15
GridShib CA 0.4
  • Target release March 2007
  • Fall back to default SSLSocketFactory on error
    (Bug 4875)
  • Create CA with domain name components (Bug 4887)
  • Register certificate on the front channel with
    GridShib for Shibboleth Certificate Registry
  • Integrate GridShib SAML Tools to bind simple
    attribute assertion to EEC
  • Bind IdP entityID to SIA extension
  • Handle creating DN from mix of attributes (Bug
    4889)

16
What is MyProxy?
  • An Online Certificate Authority
    ◦ Issues short-lived X.509 End Entity Certificates
    ◦ Avoids the need for long-lived user keys
  • An Online Credential Repository
    ◦ Issues short-lived X.509 Proxy Certificates
    ◦ Long-lived private keys never leave the server
  • Supports multiple authentication methods
    ◦ Passphrase, Certificate, PAM, SASL, Kerberos,
      Pubcookie, VOMS
  • Open Source Software
    ◦ Included in Globus Toolkit, UGE, NMI, VDT, and
      CoG Kits
    ◦ C, Java, Python, and Perl clients available
    ◦ Contributions from EDG, UVA, LBL, and others
    ◦ Protocol specified in GFD-E.54
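
The online CA role from this slide (short-lived end-entity certificates so that users need no long-lived keys), as an added example built on Go's crypto/x509 package; it is not MyProxy's code and does not speak the MyProxy protocol. The CA key stays inside the OnlineCA value, the client keeps its freshly generated key and sends only a CSR, Issue caps the lifetime, and Verify is the relying-party check. The 12-hour MaxLifetime, the CA name and the subject name are assumed values; OnlineCA, ClientRequest, Issue and Verify are hypothetical names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is an assumed policy cap for issued end-entity certificates.
const MaxLifetime = 12 * time.Hour

// OnlineCA keeps the signing key in the server process; it is never exported.
type OnlineCA struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewOnlineCA creates a self-signed CA for the example.
func NewOnlineCA(name string) (*OnlineCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &OnlineCA{Cert: cert, key: key}, err
}

// ClientRequest is the user side: a fresh key pair that stays with the user and
// a CSR carrying only the public key and the requested subject.
func ClientRequest(cn string) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, csr, err
}

// Issue signs a short-lived EEC for an already-authenticated user; the CSR
// signature proves possession of the key and the lifetime is capped by policy.
func (ca *OnlineCA) Issue(csrDER []byte, requested time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	if requested <= 0 {
		return nil, errors.New("lifetime must be positive")
	}
	if requested > MaxLifetime {
		requested = MaxLifetime
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		NotBefore:    now.Add(-5 * time.Minute), // clock-skew allowance
		NotAfter:     now.Add(requested),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, csr.PublicKey, ca.key)
}

// Verify is the relying-party check: the certificate chains to this CA and
// its validity period respects the short-lived policy.
func (ca *OnlineCA) Verify(certDER []byte) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	if cert.NotAfter.Sub(cert.NotBefore) > MaxLifetime+5*time.Minute {
		return nil, errors.New("certificate lifetime exceeds policy")
	}
	return cert, nil
}

func main() {
	ca, err := NewOnlineCA("Constructed Online CA")
	if err != nil {
		panic(err)
	}
	_, csr, _ := ClientRequest("alice")
	der, err := ca.Issue(csr, 7*24*time.Hour) // a week is requested; MaxLifetime is granted
	if err != nil {
		panic(err)
	}
	cert, err := ca.Verify(der)
	fmt.Println(cert.Subject.CommonName, cert.NotAfter.Sub(cert.NotBefore), err)
}
```

The user's private key is created in ClientRequest and never passed to Issue; only the CSR crosses to the CA, which is what lets a short-lived certificate replace a long-lived user key without the server ever holding user key material. Verify's lifetime check is the relying-party counterpart: a certificate that chains correctly but was issued for longer than policy allows is still rejected.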

17
Topics for Discussion
  • Credential Renewal
  • High Availability
  • Attribute Support
  • Web Services
  • Web SSO
  • Security Context Provisioning
  • User Registration
  • HSM Support
  • Audit Logging
  • Others?

18
Credential Renewal
  • Existing MyProxy-based renewal support
    ◦ EGEE Renewal Service
    ◦ Condor-G
  • Future Work
    ◦ MyProxy-based GT4 Renewal Service
    ◦ Integrated with GT4 Delegation Service
    ◦ Support for GRAM, WS-GRAM, RFT

19
High Availability
  • Existing support
    ◦ Clients retry when server is unreachable
    ◦ Documentation for MyProxy CA replication
    ◦ Primary-backup replication of MyProxy repository
  • Future Work
    ◦ Robust client retry
    ◦ Peer-to-peer repository replication

20
Attribute Support
  • Existing support
    ◦ VOMS authentication to MyProxy server
    ◦ GridShib CA integration with MyProxy
  • Future Work
    ◦ Issue credentials with VOMS assertions
    ◦ SAML authentication to MyProxy server

21
Web Services
  • Currently MyProxy does not provide a Web Services
    interface
    ◦ C, Java, Perl, Python APIs
  • Standard Delegation Service interface is needed
    ◦ For MyProxy, GT4, and EGEE delegation services

22
Web Single Sign-on
  • Existing Support
    ◦ MyProxy server accepts Pubcookie tokens
  • Future Work
    ◦ Shibboleth/SAML support
    ◦ Other web SSO methods?

23
Security Context Provisioning
  • Existing Support
    ◦ MyProxy can provision user certificates, CA
      certificates, and CRLs
    ◦ Requires MyProxy server CA certificate to be
      installed
  • Future Work
    ◦ Java client support
    ◦ Zero configuration bootstrap

24
User Registration
  • Existing Support
    ◦ Provided by PURSE and GAMA
    ◦ GridShib CA and OpenIDP
  • Future Work
    ◦ Integration with MyProxy CA
    ◦ Integration with attribute and authorization
      services

25
HSM Support
  • Existing Prototypes
    ◦ MyProxy repository using IBM 4738
    ◦ MyProxy CA using Aladdin eToken
  • Future Work
    ◦ Full support for OpenSSL hardware engines in
      MyProxy CA

26
Audit Logging
  • Existing Support
    ◦ All MyProxy server operations are logged to
      syslog
    ◦ Recent improvements to MyProxy CA logging to meet
      IGTF guidelines
  • Future Work
    ◦ Include auditing information in issued
      credentials
    ◦ Support standard grid logging interfaces

27
Thank you
  • Reminder
    ◦ Wed @ 2-3:30pm
    ◦ GridShib, MyProxy, GAARDS
    ◦ Mountain Laurel
  • For more information: vwelch@ncsa.uiuc.edu
    http://myproxy.ncsa.uiuc.edu/
    http://gridshib.globus.org