GridShib: A Technical Overview (PowerPoint presentation transcript, 70 slides)


1
GridShib: A Technical Overview
  • Tom Scavo, trscavo@ncsa.uiuc.edu
  • NCSA

2
Overview
  • GridShib project details
  • GridShib use cases
  • GridShib implementation
  • GridShib attribute pull profile
  • GridShib-MyProxy integration
  • GridShib browser profile

3
What is GridShib?
  • GridShib enables secure attribute sharing among
    Grid virtual organizations and higher-educational
    institutions
  • The goal of GridShib is to integrate the Globus
    Toolkit with Shibboleth
  • GridShib adds attribute-based authorization to
    Globus Toolkit

4
Some Background
  • Large scientific projects have spawned Virtual
    Organizations (VOs)
  • The cyberinfrastructure and software systems to
    support VOs are called grids
  • Globus Toolkit is the de facto standard software
    solution for grids
  • Grid Security Infrastructure (GSI) provides basic
    security services for grids

5
Grid Authentication
  • Globus Toolkit provides authentication services
    via X.509 credentials
  • When requesting a service, the user presents an
    X.509 certificate, usually a proxy certificate
  • GridShib leverages the existing authentication
    mechanisms in GT

6
Grid Authorization
  • Today, Globus Toolkit provides identity-based
    authorization mechanisms
  • Access control lists (called grid-mapfiles) map
    DNs to local identity (e.g., Unix logins)
  • Community Authorization Service (CAS)
  • PERMIS and VOMS
  • GridShib provides attribute-based authorization
    based on Shibboleth

7
GridShib Project Motivation
  • VOs are difficult to manage
  • Goal: Leverage existing identity management
    infrastructure
  • Identity-based access control methods are
    inflexible and do not scale
  • Goal: Use attribute-based access control
  • Solution: Integrate GT and Shibboleth!

8
Tale of Two Technologies
[Diagram: existing GSI based on X.509; the Grid Client talks to the Globus Toolkit through the Grid Security Infrastructure using X.509]

9
Tale of Two Technologies
[Diagram: a Shibboleth Federation is added and Shib/SAML is grafted onto GSI/X.509; the Grid Client now carries both SAML and X.509 to the Globus Toolkit]

10
Why Shibboleth?
  • What does Shibboleth bring to the table?
  • A large (and growing) installed base on campuses
    around the world
  • A standards-based, open source implementation
  • A standard attribute vocabulary (eduPerson)
  • A well-developed, federated identity management
    infrastructure has sprung up around Shibboleth!

11
Shibboleth Federations
  • A federation
      • Provides a common trust and policy framework
      • Issues credentials and distributes metadata
      • Provides discovery services for SPs
  • Shibboleth-based federations
      • InCommon (23 members) in U.S.
      • InQueue (157 members) in U.S.
      • SDSS (30 members) in U.K.
      • SWITCH (23 members) in Switzerland
      • HAKA (8 members) in Finland

12
InCommon Federation

13
Introduction

14
GridShib Project
  • GridShib is a project funded by the NSF
    Middleware Initiative (NMI awards 0438424 and
    0438385)
  • GridShib is a joint project of NCSA, University
    of Chicago, and Argonne National Laboratory
  • Project web site: http://gridshib.globus.org/

15
Milestones
  • Dec 2004, GridShib project commences
  • Feb 2005, Developers onboard
  • Apr 2005, Globus Toolkit 4.0 released
  • May 2005, GridShib Alpha released
  • Jul 2005, Shibboleth 1.3 released
  • Sep 2005, GridShib Beta released
  • Apr 2006, GridShib-myVocs integration

16
Related Projects
  • Globus Toolkit: http://www.globus.org/toolkit/
  • Shibboleth: http://shibboleth.internet2.edu/
  • MyProxy: http://grid.ncsa.uiuc.edu/myproxy/
  • SHEBANGS: http://www.sve.man.ac.uk/Research/AtoZ/SHEBANGS

17
Leveraged Standards
  • X.509 Public Key Infrastructure (RFC 3280)
  • Proxy certificates (RFC 3820)
  • OASIS SAML 1.1: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv11
  • Internet2 Shibboleth: http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-latest.pdf

18
GridShib Use Cases
  • Three use cases under consideration
      • Established grid user (non-browser)
      • New grid user (non-browser)
      • Portal grid user (browser)
  • Initial efforts concentrated on the established
    grid user
  • Current efforts are focused on the new grid user

19
Established Grid User
  • User possesses an X.509 end entity certificate
  • User may or may not use MyProxy Server to manage
    X.509 credentials
  • User authenticates to Grid SP with proxy
    certificate obtained from MyProxy
  • The current GridShib implementation addresses
    this use case

20
New Grid User
  • User does not possess an X.509 end entity
    certificate
  • User relies on GridShib CA to issue short-lived
    X.509 certificates
  • User authenticates to Grid SP using short-lived
    X.509 credential
  • The myVocs-GridShib integration addresses this
    use case

21
Portal Grid User
  • User does not possess an X.509 cert
  • User accesses Grid SP via a browser interface,
    that is, the client delegates a web application
    to request a service at the Grid SP
  • MyProxy issues a short-lived X.509 certificate
    via a back-channel exchange
  • GridShib Browser Profiles apply

22
GridShib Implementation

23
Software Components
  • GridShib for Globus Toolkit
      • A plugin for Globus Toolkit 4.0
  • GridShib for Shibboleth
      • A plugin for Shibboleth 1.3 IdP
  • GridShib Certificate Authority
      • A web-based CA for new grid users
  • Visit the GridShib Downloads page: http://gridshib.globus.org/download.html

24
GridShib for Globus Toolkit
  • GridShib for Globus Toolkit is a plugin for GT4
  • Features
      • Standalone attribute requester
      • SAML attribute consumption
      • Attribute-based access control
      • Attribute-based local account mapping
      • SAML metadata consumption

25
Standalone Attribute Requester
  • A standalone attribute requester will query a
    Shib AA for attributes
  • By standalone we mean a query separate from a
    Shib browser profile
  • The attribute query is based on
      • The Subject DN of the proxy cert, or
      • A SAML authn assertion embedded in an end-entity
        certificate

26
Attribute-based Access Control
  • Access control based on authorization policy with
    respect to attributes
  • DN-based access control
  • Attribute caching for efficiency

27
GridShib for Shibboleth
  • GridShib for Shibboleth is a plugin for a
    Shibboleth IdP v1.3 (or later)
  • Features
      • Name Mapper
          • SAML name identifier implementations
            (X509SubjectName, emailAddress, etc.)
      • Certificate Registry

28
GridShib Name Mapper
  • The Name Mapper is a container for name mappings
  • Multiple name mappings are supported
      • File-based name mappings
      • DB-based name mappings

29
GridShib Certificate Registry
  • A Certificate Registry is integrated into
    GridShib for Shibboleth 0.5:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
  • An established grid user authenticates and
    registers an X.509 end-entity cert
  • The Registry binds the cert to the principal name
    and persists the binding in a database
  • On the backend, GridShib maps the DN in a query
    to a principal name in the DB

31
GridShib CA
  • The GridShib Certificate Authority is a web-based
    CA for new grid users:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
  • The GridShib CA is protected by a Shib SP and
    backended by the MyProxy Online CA
  • The CA issues short-term credentials suitable for
    authentication to a Grid SP
  • Credentials are downloaded to the desktop via
    Java Web Start

33
Future Work
  • Solve IdP discovery problem for grids
  • Provide name mapping maintenance tools (for
    administrators)
  • Implement a profile for attribute push
  • Produce SAML metadata
  • Design metadata repositories and tools

34
GT Authorization Framework
  • Work is underway to develop and enhance the
    authorization framework in Globus Toolkit
      • Siebenlist et al. at Argonne
  • Pluggable modules for processing authentication,
    gathering and processing attributes and rendering
    decisions
  • Work in OGSA-Authz WG to allow for callouts to
    third-party authorization services
      • E.g., PERMIS
  • Convert attributes (SAML or X.509) into a common
    format for policy evaluation
      • XACML-based

35
Classic GridShib Profile

36
The GridShib Actors
  • Standard (non-browser) Grid Client
  • Globus Toolkit with GridShib installed (called a
    Grid SP)
  • Shibboleth IdP with GridShib installed

[Diagram: Client, Grid SP and IdP]

37
GridShib Attribute Pull Profile
  • In the Classic GridShib profile, a Grid SP
    pulls attributes from a Shib IdP
  • The Client is assumed to have an account (i.e.,
    local principal name) at the IdP
  • The Grid SP and the IdP have been assigned a
    unique identifier (providerId)

[Diagram: Client, Grid SP and IdP; steps 1-4]

38
GridShib Attribute Pull Step 1
  • The Grid Client requests a service at the Grid SP
  • The Client presents an X.509 certificate to the
    Grid SP
  • The Client also provides a pointer to its
    preferred IdP
  • This is the so-called IdP Discovery problem

[Diagram: step 1, Client to Grid SP]

39
IdP Discovery
  • The Grid SP needs to know the Client's preferred
    IdP
  • One approach is to embed the IdP providerId in
    the proxy certificate
  • Another approach is to use an IdP proxy (such as
    myVocs)
  • Currently the IdP providerId is configured into
    the Grid SP

40
GridShib Attribute Pull Step 2
  • The Grid SP authenticates the Client and extracts
    the DN from the proxy cert
  • The Grid SP queries the Attribute Authority (AA)
    at the IdP using the DN as a SAML name identifier

[Diagram: steps 1-2, Grid SP queries the IdP]

41
Attribute Query
  • The Grid SP formulates a SAML attribute query:

    <samlp:AttributeQuery Resource="https://globus.org/gridshib">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="http://idp.uchicago.edu/shibboleth">
          CN=GridShib,OU=NCSA,O=UIUC
        </saml:NameIdentifier>
      </saml:Subject>
      <!-- AttributeDesignator here -->
    </samlp:AttributeQuery>

  • The Resource attribute is the Grid SP providerId
  • The NameQualifier attribute is the IdP providerId
  • The NameIdentifier is the DN from the proxy cert
  • Zero or more AttributeDesignator elements call
    out the desired attributes (but empty queries are
    the norm today)

42
GridShib Attribute Pull Step 3
  • The AA authenticates the requester and maps the
    DN to a local principal name
  • The AA returns an attribute assertion to the Grid
    SP
  • The assertion is subject to Attribute Release
    Policy (ARP) at the IdP

[Diagram: steps 1-3, IdP returns the assertion to the Grid SP]

43
Attribute Assertion
  • The assertion contains an attribute statement:

    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="http://idp.uchicago.edu/shibboleth">
          CN=GridShib,OU=NCSA,O=UIUC
        </saml:NameIdentifier>
      </saml:Subject>
      <saml:Attribute
          AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

  • The Subject is identical to the Subject of the
    query
  • Attributes may be single-valued or multi-valued
  • Attributes may be scoped (e.g.,
    member@uchicago.edu)
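The Grid SP side of steps 2 and 4 of this profile, as an added example (not GridShib's own Java code): it builds the SAML 1.1 attribute query shown on slide 41 and parses the attribute statement from slide 43, refusing an assertion whose Subject is not the one queried. The DN and providerIds are the slide's values; the assertion text is constructed to mirror the slide.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)

# Values from the slides: DN in the proxy cert, IdP and Grid SP providerIds.
DN = "CN=GridShib,OU=NCSA,O=UIUC"
IDP = "http://idp.uchicago.edu/shibboleth"
SP = "https://globus.org/gridshib"

def build_attribute_query(dn, idp_provider_id, sp_provider_id):
    # Resource = Grid SP providerId, NameQualifier = IdP providerId,
    # NameIdentifier = DN from the proxy cert. No AttributeDesignator is
    # added: an empty query asks for whatever the IdP's ARP releases.
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=sp_provider_id)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nameid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                           Format=X509_FMT, NameQualifier=idp_provider_id)
    nameid.text = dn
    return ET.tostring(query, encoding="unicode")

def parse_attribute_statement(xml_text, expected_dn, expected_idp):
    # The Subject must be the one we queried about (same Format,
    # NameQualifier and DN); otherwise the attributes belong to someone
    # else and must not drive an access control decision.
    root = ET.fromstring(xml_text)
    nameid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nameid is None:
        raise ValueError("attribute statement has no Subject")
    if (nameid.get("Format") != X509_FMT
            or nameid.get("NameQualifier") != expected_idp
            or (nameid.text or "").strip() != expected_dn):
        raise ValueError("Subject of the assertion does not match the query")
    attrs = {}  # AttributeName -> list of values (multi-valued, maybe scoped)
    for attr in root.findall(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs

# Constructed sample, mirroring the attribute statement on the slide.
SAMPLE_ASSERTION = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Subject><saml:NameIdentifier Format="{X509_FMT}"
      NameQualifier="{IDP}">{DN}</saml:NameIdentifier></saml:Subject>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""
```

Signature verification of the assertion and the TLS/client-cert authentication of the AA response are out of scope here and must be done before the parsed attributes are trusted.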

44
Name Mapping File
  • An IdP does not issue X.509 certs, so it has no
    prior knowledge of the DN
  • Solution: Create a name mapping file at the IdP
    (similar to the grid-mapfile at the Grid SP).
    Default name mapping file:

    CN=GridShib,OU=NCSA,O=UIUC gridshib
    "CN=some user,OU=People,DC=doegrids" test

  • The DN must conform to RFC 2253
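The IdP side of step 3, as an added example (not GridShib for Shibboleth's own code): it reads a name mapping file in the format shown on slide 44 and maps the DN from a query's NameIdentifier to a local principal. The file format is taken from the slide; the comment and blank-line handling and the loose RFC 2253 syntax check are assumptions of this example.

```python
import re
import shlex

# Constructed sample: the default mapping file from the slide, plus a
# comment line and a blank line (assumed to be ignored by the parser).
SAMPLE_MAPFILE = """\
# DN (RFC 2253 form)                      local principal

CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"""

# Loose syntactic check for one RFC 2253 RDN: attribute type, '=', and a
# value in which a comma must be escaped. Multi-valued ('+') RDNs are
# not handled in this example.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=(?:[^,\\]|\\.)+$")

def is_rfc2253_dn(dn):
    # Split on unescaped commas; the slash-separated OpenSSL form found in
    # grid-mapfiles ("/C=US/O=...") fails this check, as it should.
    return all(_RDN.match(rdn) for rdn in re.split(r"(?<!\\),", dn))

def load_name_mappings(text):
    # Returns {DN: principal}. shlex handles the double-quoted DNs that
    # contain spaces and drops '#' comments.
    mappings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<DN> <principal>'")
        dn, principal = parts
        if not is_rfc2253_dn(dn):
            raise ValueError(f"line {lineno}: DN is not RFC 2253: {dn!r}")
        if dn in mappings:
            raise ValueError(f"line {lineno}: duplicate DN {dn!r}")
        mappings[dn] = principal
    return mappings

def map_dn_to_principal(mappings, dn):
    # The AA calls this with the NameIdentifier from the attribute query.
    # An unknown DN yields None: no principal, so no attributes released.
    return mappings.get(dn.strip())
```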

45
Name Mapping Table
  • The Name Mapper supports table-based name
    mappings (in addition to files)
  • Define a JDBC source in a config file (JDBC
    driver, JDBC URL, etc.)
  • Relational scripts and tools are provided

46
GridShib Attribute Pull Step 4
  • The Grid SP parses the attribute assertion and
    performs the requested service
  • The attributes are cached as necessary
  • A response is returned to the Grid Client

[Diagram: steps 1-4, Grid SP responds to the Client]

47
GridShib-MyProxy Integration

48
Shib Browser Profile
  • Consider a Shib browser profile stripped to its
    bare essentials
  • Authentication and attribute assertions are
    produced at steps 2 and 5, resp.
  • The SAML Subject in the authentication assertion
    becomes the Subject of the attribute query at
    step 4

[Diagram: Shib browser profile with Client, SP and IdP; steps 1-6]

49
GridShib Non-Browser Profile
  • Replace the SP with a Grid SP and the browser
    client with a non-browser client
  • Three problems arise
      • Client must possess an X.509 credential to
        authenticate to the Grid SP
      • Grid SP needs to know what IdP to query (IdP
        Discovery)
      • The IdP must map the SAML Subject to a local
        principal

[Diagram: Client, Grid SP and IdP]

50
The Role of MyProxy
  • Consider a new grid user instead of the
    established grid user
  • For a new grid user, we are led to a
    significantly different solution
  • Obviously, we must issue an X.509 credential to a
    new grid user
  • A short-lived credential is preferred
  • Enter MyProxy Online CA

51
MyProxy-first Attribute Pull
  • MyProxy with Online CA
  • MyProxy inserts a SAML authN assertion into a
    short-lived, reusable EEC
  • IdP collocated with MyProxy

[Diagram: Client, MyProxy, IdP and Grid SP; steps 1-6]

52
MyProxy-first Attribute Pull Step 1
  • A MyProxy Client sends a MyProxy Protocol request
    to a MyProxy Server
  • Any authentication method supported by MyProxy
    may be used

[Diagram: step 1, Client to MyProxy]

53
MyProxy-first Attribute Pull Step 2
  • The MyProxy Server authenticates the requester
  • MyProxy issues an X.509 credential with embedded
    authN assertion
  • The credential is returned in a MyProxy Protocol
    response

[Diagram: steps 1-2, MyProxy returns the credential to the Client]

54
Authentication Assertion
  • MyProxy inserts an assertion containing a minimal
    authentication statement into the certificate:

    <saml:AuthenticationStatement
        AuthenticationInstant="2004-12-05T09:22:00Z"
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
            NameQualifier="https://idp.example.org/shibboleth">
          user@idp.example.org
        </saml:NameIdentifier>
      </saml:Subject>
    </saml:AuthenticationStatement>

  • AuthenticationMethod may be used by the Grid SP
  • The NameQualifier attribute is the IdP providerId
  • The IdP easily maps the NameIdentifier to the
    desired local principal
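What the Grid SP does with the embedded statement at step 4 of the MyProxy-first profile, as an added example (not GridShib or MyProxy code): it reads the NameIdentifier, Format, NameQualifier, method and instant, resolves the AA from the NameQualifier (the slide's point that the IdP is "referred to in the assertion"), and applies a freshness check. Extracting the statement from the X.509 extension is not shown; the AA endpoint table and the 12-hour window are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"

# Constructed sample: the statement from the slide, as it reads once pulled
# out of the certificate extension (that extraction is not shown here).
SAMPLE_AUTHN = f"""<saml:AuthenticationStatement xmlns:saml="{SAML}"
    AuthenticationInstant="2004-12-05T09:22:00Z"
    AuthenticationMethod="{PASSWORD}">
  <saml:Subject><saml:NameIdentifier Format="{EMAIL_FMT}"
      NameQualifier="https://idp.example.org/shibboleth">user@idp.example.org</saml:NameIdentifier></saml:Subject>
</saml:AuthenticationStatement>"""

# Constructed stand-in for consumed SAML metadata: IdP providerId -> AA URL.
AA_ENDPOINTS = {
    "https://idp.example.org/shibboleth": "https://idp.example.org/shibboleth/AA",
}

def parse_utc(stamp):
    # SAML 1.x timestamps as on the slide: UTC, 'Z' suffix, no fraction.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_authn_statement(xml_text):
    # Fields the Grid SP needs: who (NameIdentifier + Format), at which IdP
    # (NameQualifier), how (AuthenticationMethod) and when.
    root = ET.fromstring(xml_text)
    nameid = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nameid is None:
        raise ValueError("AuthenticationStatement has no Subject")
    return {
        "name_id": (nameid.text or "").strip(),
        "format": nameid.get("Format"),
        "idp": nameid.get("NameQualifier"),
        "method": root.get("AuthenticationMethod"),
        "instant": parse_utc(root.get("AuthenticationInstant")),
    }

def select_aa(authn, endpoints=AA_ENDPOINTS):
    # IdP discovery: the NameQualifier names the IdP, so the Grid SP needs
    # no statically configured IdP providerId. Unknown IdPs are refused.
    aa = endpoints.get(authn["idp"])
    if aa is None:
        raise ValueError(f"no AA known for IdP {authn['idp']!r}")
    return aa

def is_fresh(authn, now, max_age=timedelta(hours=12)):
    # Policy check (the 12-hour window is an assumption, not GridShib's):
    # refuse an AuthenticationInstant in the future or older than max_age.
    return timedelta(0) <= now - authn["instant"] <= max_age
```

The Subject returned here is what the Grid SP places in its attribute query, with Format emailAddress instead of X509SubjectName, which is why the IdP mapping is straightforward.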

55
MyProxy-first Attribute Pull Step 3
  • A Grid Client requests a service at a Grid SP
  • The client presents the decorated X.509
    certificate obtained from MyProxy

[Diagram: steps 1-3, Client to Grid SP]

56
MyProxy-first Attribute Pull Step 4
  • The Grid SP authenticates the Client and
    processes the assertion
  • The Grid SP queries the Shib Attribute Authority
    (AA) referred to in the assertion

[Diagram: steps 1-4, Grid SP queries the IdP]

57
MyProxy-first Attribute Pull Step 5
  • The AA authenticates the requester and returns an
    attribute assertion to the Grid SP
  • The assertion is subject to policy

[Diagram: steps 1-5, IdP returns the assertion to the Grid SP]

58
MyProxy-first Attribute Pull Step 6
  • The Grid SP parses the attribute assertion and
    makes an access control decision
  • A response is returned to the Client

[Diagram: steps 1-6, Grid SP responds to the Client]

59
MyProxy-first Advantages
  • Relatively easy to implement
  • Requires only one round trip by the client
  • Requires no modifications to the Shib IdP
  • Requires no modifications to the Client
  • Supports multiple authentication mechanisms
    out-of-the-box
  • Uses transparent, persistent identifiers
  • No coordination of timeouts necessary
  • Mapping to local principal is straightforward

60
IdP-first Non-Browser Profiles
  • The IdP-first profiles require no shared state
    between MyProxy and the IdP
  • Supports separate security domains
  • Leverages existing name identifier mappings at
    the IdP
  • IdP-first profiles may be used with either
    Attribute Pull or Attribute Push

61
Attribute Pull or Push?
[Diagram: Pull vs. Push; in each, the user sends a request to the Grid SP and attributes come from the AA, with the AA contacted by the Grid SP (pull) or by the user (push)]

62
IdP-first Attribute Pull
  • MyProxy with Online CA
  • MyProxy consumes and produces SAML authN
    assertions
  • The Client authenticates to MyProxy with a SAML
    authN assertion

[Diagram: Client, IdP, MyProxy and Grid SP; steps 1-8]

63
IdP-first Attribute Push
  • The IdP pushes an attribute assertion to the
    Client
  • The Client authenticates to MyProxy with a SAML
    authN assertion
  • MyProxy consumes both SAML authN and attribute
    assertions

[Diagram: Client, IdP, MyProxy and Grid SP; steps 1-6]

64
IdP-first Advantages
  • Since IdP controls both ends of the flow
  • Mapping NameIdentifier to a local principal is
    straightforward
  • Choice of NameIdentifier format is left to the
    IdP
  • Attribute push simplifies IdP config and trust
    relationships
  • Reusable by grid portal use case

65
GridShib Browser Profiles

66
IdP-first Browser Profiles
  • As a consequence of the IdP-first Non-Browser
    profiles, MyProxy gains the ability to consume
    SAML assertions
  • If we replace the non-browser client with a web
    component, we can reuse that functionality in the
    following GridShib Browser Profile

67
IdP-first Attribute Pull
  • The first three steps are normal Shib
    Browser/POST
  • A Shib SP is protecting a web version of MyProxy
    Client

[Diagram: Client, IdP, SP, MyProxy and Grid SP; steps 1-10]

68
The 3-tier Problem
  • How does the browser user delegate authority to
    the web component to retrieve an X.509 credential
    on its behalf?
  • This problem is an instance of the so-called
    n-tier problem (n = 3)

69
Delegation Profile
  • No widely accepted solution to this problem
    exists today
  • The Shib Project is proposing Liberty WSF 2.0:
    https://authdev.it.ohio-state.edu/twiki/bin/view/Shibboleth/LibertyAllianceProject
  • The implications for GridShib are not clear at
    this point