GridShib Project Update - PowerPoint PPT Presentation

Title: GridShib Project Update

Description: GridShib Project Update Tom Barton1, Tim Freeman1, Kate Keahey1, Raj Kettimuthu1, Tom Scavo2, Frank Siebenlist1, Von Welch2 1University of Chicago – PowerPoint PPT presentation

Slides: 44
Provided by: TomS91

Transcript and Presenter's Notes

1
GridShib Project Update
  • Tom Barton (1), Tim Freeman (1),
  • Kate Keahey (1), Raj Kettimuthu (1), Tom Scavo (2), Frank
    Siebenlist (1), Von Welch (2)
  • (1) University of Chicago
  • (2) NCSA/University of Illinois

2
Outline
  • GridShib Overview
  • GridShib Components
  • GridShib Profiles
  • GridShib Roadmap

3
What is GridShib?
  • GridShib enables secure attribute sharing among
    Grid virtual organizations and higher-educational
    institutions
  • The goal of GridShib is to allow interoperability
    between the Globus Toolkit and Shibboleth
  • GridShib adds attribute-based authorization to
    Globus Toolkit

4
Some Background
  • Large scientific projects have spawned Virtual
    Organizations (VOs)
  • The cyberinfrastructure and software systems to
    support VOs are called grids
  • Globus Toolkit is the de facto standard software
    solution for grids
  • Grid Security Infrastructure (GSI) provides basic
    security services for grids

5
Grid Authentication
  • Globus Toolkit provides authentication services
    via X.509 credentials
  • When requesting a service, the user presents an
    X.509 certificate, usually a proxy certificate
  • GridShib leverages the existing authentication
    mechanisms in GT

6
Grid Authorization
  • Today, Globus Toolkit provides identity-based
    authorization mechanisms
  • Access control lists (called grid-mapfiles) map
    DNs to local identity (e.g., Unix logins)
  • Community Authorization Service (CAS)
  • PERMIS and VOMS
  • GridShib provides attribute-based authorization
    based on Shibboleth

7
GridShib Project Motivation
  • VOs are difficult to manage
    • Goal: Leverage existing identity management
      infrastructure
  • Identity-based access control methods are
    inflexible and do not scale
    • Goal: Use attribute-based access control
  • Solution: Leverage Shibboleth with Globus
    Toolkit!

8
GridShib Use Cases
  • Three use cases under consideration
    • Established grid user (non-browser)
    • New grid user (non-browser)
    • Portal grid user (browser)
  • Initial efforts concentrated on the non-browser
    use cases
  • Current efforts are focused on the portal grid
    user

9
Established Grid User
  • User possesses an X.509 end entity certificate
  • User may or may not use MyProxy Server to manage
    X.509 credentials
  • User authenticates to Grid SP with a proxy
    certificate
  • The current GridShib implementation addresses
    this use case

10
New Grid User
  • User does not possess an X.509 end entity
    certificate
  • User relies on GridShib CA to obtain short-lived
    X.509 certificates
  • User authenticates to Grid SP using short-lived
    X.509 credential
  • The myVocs-GridShib integration addresses this
    use case

11
Portal Grid User
  • User does not possess an X.509 cert
  • A browser user authenticates to a Grid Portal
    (which may or may not be Shib-enabled)
  • The user delegates the Grid Portal to request a
    service at the Grid SP
  • The Grid Portal authenticates to the Grid SP
    using its community credential

12
Outline
  • GridShib Overview
  • GridShib Components
  • GridShib Profiles
  • GridShib Roadmap

13
Software Components
  • GridShib for Globus Toolkit
  • GridShib for Shibboleth
    • Includes GridShib Certificate Registry
  • GridShib Certificate Authority
  • GridShib Authentication Assertion Client
  • Shibboleth IdP Tester
  • Globus SAML Library (not distributed)

14
GridShib for Globus Toolkit
  • GridShib for Globus Toolkit is a plugin for GT
    4.0 (or later)
  • Features
    • Standalone attribute requester
    • SAML attribute consumption
    • Attribute-based access control
    • Attribute-based local account mapping
    • SAML metadata consumption

15
GridShib for Shibboleth
  • GridShib for Shibboleth is a plugin for a
    Shibboleth IdP v1.3 (or later)
  • Features
    • Name Mapper
      • Supports name mappings in both files and tables
    • SAML name identifier implementations
      • X509SubjectName, emailAddress, etc.
    • Certificate Registry
      • Supports the established grid user

16
GridShib Certificate Registry
  • A Certificate Registry is integrated into
    GridShib for Shibboleth 0.5:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
  • An established grid user authenticates and
    registers an X.509 end-entity cert
  • The Registry binds the cert to the principal name
    and persists the binding in a database
  • On the backend, GridShib maps the DN in a query
    to a principal name in the DB

17
(No Transcript)
18
GridShib Authn Assertion Client
  • The GridShib Authn Assertion Client is a
    standalone tool that creates an X.509 proxy
    certificate with bound SAML authn assertion
  • The client uses the proxy to authenticate to a
    Grid SP
  • The Grid SP queries a Shibboleth AA based on the
    information in the bound SAML assertion

19
Shibboleth IdP Tester
  • The Shibboleth IdP Tester is a tool that queries
    a Shibboleth AA for attributes
  • The IdP Tester can be used to
    • Test an ordinary Shibboleth AA
    • Test a GridShib-enabled AA
  • The IdP Tester installs as a Shib IdP extension
    (i.e., it does not disturb an existing Shib
    deployment)

20
GridShib CA
  • The GridShib Certificate Authority is a web-based
    CA for new grid users:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
  • The GridShib CA is protected by a Shib SP and
    backended by either OpenSSL or the MyProxy Online
    CA
  • The CA issues short-term credentials suitable for
    authentication to a Grid SP
  • Credentials are downloaded to the desktop via
    Java Web Start

21
(No Transcript)
22
Globus SAML Library
  • GridShib forked the OpenSAML 1.1 source library
    in Jan 2006
  • Globus SAML Library is in sync with OpenSAML 1.1
    CVS HEAD
  • Globus SAML Library is bundled with GridShib for
    GT
  • Globus SAML Library adds new features to OpenSAML
    1.1

23
Outline
  • GridShib Overview
  • GridShib Components
  • GridShib Profiles
  • GridShib Roadmap

24
GridShib Attribute Pull Profile
  • In the "Classic" GridShib profile, a Grid SP
    pulls attributes from a Shib IdP
  • The Client is assumed to have an account (i.e.,
    local principal name) at the IdP
  • The Grid SP and the IdP have each been assigned a
    unique identifier (entityID)

(Diagram: Client, Grid SP and IdP, with the profile's four steps numbered 1 to 4)
25
GridShib Attribute Pull Step 1
  • The Grid Client requests a service at the Grid SP
  • The Client presents an X.509 certificate to the
    Grid SP
  • The Client may provide a pointer to its preferred
    IdP
  • This is the so-called IdP Discovery problem

(Diagram: Client, Grid SP and IdP; step 1, Client to Grid SP)
26
GridShib Attribute Pull Step 2
  • The Grid SP authenticates the Client and extracts
    the DN from the proxy cert
  • The Grid SP queries the Attribute Authority (AA)
    at the IdP using the DN as a SAML name identifier

(Diagram: Client, Grid SP and IdP; steps 1 and 2, Grid SP to IdP)
27
GridShib Attribute Pull Step 3
  • The AA authenticates the requester and maps the
    DN to a local principal name
  • The AA returns an attribute assertion to the Grid
    SP
  • The assertion is subject to Attribute Release
    Policy (ARP) at the IdP

(Diagram: Client, Grid SP and IdP; steps 1 to 3, IdP back to Grid SP)
28
GridShib Attribute Pull Step 4
  • The Grid SP parses the attribute assertion and
    performs the requested service
  • The attributes are cached as necessary
  • A response is returned to the Grid Client

(Diagram: Client, Grid SP and IdP; steps 1 to 4, Grid SP back to Client)
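The four pull steps above, played out end to end in code. This is an added example written for this page, not GridShib's own code: the entityIDs, the registry contents, the attribute values and the ARP table are all constructed, the proxy-DN stripping follows the usual GSI convention (legacy proxies end in `CN=proxy`, RFC 3820 proxies in a numeric CN) as an assumption, and the requester's identity is handed to the AA as an entityID standing in for what its X.509 credential would establish on the wire. The SAML 1.1 namespace URIs, the `X509SubjectName` name-identifier format and the Shibboleth 1.x attribute namespace are the real ones.

```python
"""Constructed walkthrough of the GridShib attribute pull profile (steps 1-4)."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.1 keeps the 1.0 namespace URIs
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

SP_ENTITY_ID = "https://gridsp.example.org/shibboleth"   # assumed entityIDs
IDP_ENTITY_ID = "https://idp.example.edu/shibboleth"

# --- IdP-side state (all constructed for the example) ------------------------
REGISTRY = {"/C=US/O=Example/CN=Alice": "alice"}   # Certificate Registry: DN -> principal
ATTRIBUTES = {"alice": {
    "eduPersonAffiliation": ["member", "staff"],
    "eduPersonEntitlement": ["urn:example:grid:compute"],
    "mail": ["alice@example.edu"],
}}
ARP = {SP_ENTITY_ID: {"eduPersonAffiliation", "eduPersonEntitlement"}}  # release policy per SP
TRUSTED_REQUESTERS = {SP_ENTITY_ID}


def _is_proxy_cn(rdn: str) -> bool:
    # Assumed GSI convention: legacy proxies end in CN=proxy / CN=limited proxy,
    # RFC 3820 proxies in a numeric CN.
    return rdn in ("CN=proxy", "CN=limited proxy") or (rdn.startswith("CN=") and rdn[3:].isdigit())


def eec_dn_from_proxy(proxy_dn: str) -> str:
    """Step 2: recover the end-entity DN from the DN of the presented proxy certificate."""
    parts = proxy_dn.split("/")
    while len(parts) > 1 and _is_proxy_cn(parts[-1]):
        parts.pop()
    return "/".join(parts)


def build_attribute_query(dn: str) -> str:
    """Step 2: the Grid SP queries the AA, carrying the DN as a SAML name identifier."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=SP_ENTITY_ID)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                        Format=X509_SUBJECT_NAME, NameQualifier=IDP_ENTITY_ID)
    nid.text = dn
    return ET.tostring(query, encoding="unicode")


def aa_handle_query(requester: str, query_xml: str) -> str:
    """Step 3: the AA authenticates the requester (here an entityID assumed to come from
    the requester's X.509 credential), maps the DN to a principal, applies the ARP,
    and returns an attribute assertion."""
    if requester not in TRUSTED_REQUESTERS:
        raise PermissionError(f"requester {requester} is not trusted")
    nid = ET.fromstring(query_xml).find(f".//{{{SAML}}}NameIdentifier")
    if nid is None or nid.get("Format") != X509_SUBJECT_NAME or not nid.text:
        raise ValueError("expected an X509SubjectName name identifier")
    dn = nid.text.strip()
    principal = REGISTRY.get(dn)
    if principal is None:
        raise LookupError(f"no principal registered for {dn}")
    released = ARP.get(requester, set())
    assertion = ET.Element(f"{{{SAML}}}Assertion", Issuer=IDP_ENTITY_ID)
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier", Format=X509_SUBJECT_NAME).text = dn
    for name, values in ATTRIBUTES[principal].items():
        if name not in released:
            continue  # the ARP withholds attributes this SP may not receive
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute",
                             AttributeName=name, AttributeNamespace=SHIB_ATTR_NS)
        for value in values:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(assertion, encoding="unicode")


def parse_assertion(assertion_xml: str) -> dict:
    """Step 4: turn the returned attribute statement into a name -> values map."""
    root = ET.fromstring(assertion_xml)
    return {a.get("AttributeName"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in root.iter(f"{{{SAML}}}Attribute")}


ATTRIBUTE_CACHE: dict = {}   # Step 4: attributes cached per end-entity DN


def grid_sp_authorize(proxy_dn: str, required_entitlement: str) -> bool:
    """Steps 1-4 seen from the Grid SP: the client presents a proxy DN, the SP pulls
    attributes (once per DN), then grants access only if the entitlement is present."""
    dn = eec_dn_from_proxy(proxy_dn)
    if dn not in ATTRIBUTE_CACHE:
        ATTRIBUTE_CACHE[dn] = parse_assertion(aa_handle_query(SP_ENTITY_ID, build_attribute_query(dn)))
    return required_entitlement in ATTRIBUTE_CACHE[dn].get("eduPersonEntitlement", [])


if __name__ == "__main__":
    print(grid_sp_authorize("/C=US/O=Example/CN=Alice/CN=proxy", "urn:example:grid:compute"))
```

Two details carry the security weight: the AA refuses queries from requesters it cannot authenticate before it touches the registry, and the ARP is applied on the IdP side, so `mail` never reaches the Grid SP even though it is stored for the principal.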
29
IdP Discovery
  • Like the Shibboleth SP-initiated browser flows,
    the Grid SP needs to know the user's preferred
    IdP
  • SAML assertions bound to X.509 certs give clues
    as to the user's preferred IdP
  • For example, the GridShib Authentication
    Assertion Client sets the NameQualifier attribute
    to the unique identifier of the IdP
  • Unfortunately, the NameQualifier attribute is
    deprecated in SAML V2.0

30
IdP Discovery (contd)
  • The Issuer attribute is a better indicator of the
    user's preferred IdP
  • However, for self-issued assertions (assertion
    issuer = certificate issuer) the Issuer is a DN,
    which doesn't help IdP discovery
  • Solution: Set the X.509 Subject Information
    Access extension to the IdP entityID

31
GridShib Attribute Push Profile
  • The Client may push attributes at step 1
  • SAML assertions are bound to X.509 certificates
    or SOAP messages
  • The Grid SP may or may not query for attributes
    in this case

(Diagram: Client, Grid SP and IdP, steps 1 to 4; attributes pushed at step 1)
32
Outline
  • GridShib Overview
  • GridShib Components
  • GridShib Profiles
  • GridShib Roadmap

33
Online Roadmap
  • We present current plans and timelines
  • Roadmap online at GridShib dev.globus incubator
    site
    • http://dev.globus.org/wiki/GridShib_Development_Roadmap
  • Roadmap will be maintained as work progresses;
    check the web page for updates

34
Attribute Push
  • For the past six months, GridShib has
    concentrated on attribute push
  • Advantages of attribute push
    • IdP Discovery is less of an issue
  • Disadvantages of attribute push
    • What to push? (we call this SP Discovery)

35
GridShib X.509 Certificate
  • The anatomy of an X.509 certificate suitable for
    GridShib attribute push:
    • short lifetime
    • IdP entityID in Subject Information Access
      extension
    • SAML Subject in the Subject Alt Name extension
    • SAML assertion(s) bound to X.509 v3 certificate
      extension
    • SSO assertion(s) nested in the Advice element of
      a bound SAML assertion

36
X.509 Binding for SAML
  • We bind an ASN.1 SEQUENCE of SAML elements at a
    well-known, non-critical X.509 v3 certificate
    extension
  • GridShib and Globus CAS already have limited
    ability to bind <Assertion> elements to X.509
    proxy certificates
  • Future versions of the GridShib CA will bind SAML
    to end-entity certificates

37
X.509 v3 Certificate Extension
OID: 1.3.6.1.4.1.3536.1.1.1.10
<saml:Assertion> ... </saml:Assertion>
<saml:Assertion> ... </saml:Assertion>
38
X.509 Binding for SAML (contd)
  • Initially, we bind a <saml1:Assertion> element to
    the X.509 certificate
  • Eventually we would like to support
    • <saml1:Assertion>
    • <saml1:AssertionIDReference>
    • <saml2:Assertion>
    • <saml2:EncryptedAssertion>
    • <saml2:AssertionIDRef>
    • <saml2:AssertionURIRef>
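What "an ASN.1 SEQUENCE of SAML elements at a well-known, non-critical extension" looks like at the byte level, as an added example that is not GridShib's code. It hand-encodes the X.509 `Extension` structure (`SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }`) with the OID from the slides, using only the standard library. The inner layout, a `SEQUENCE OF OCTET STRING` holding one UTF-8 SAML element each, is an assumption made for the example; the real binding specification (the OASIS draft cited later in the deck) defines the exact inner type. The decoder checks the OID and the DER structure before handing any assertion text back, which is the part a verifier must never skip.

```python
"""Constructed example: DER-encode SAML assertions into a non-critical X.509 v3 extension."""

SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.10"   # the extension OID from the slide

SEQUENCE, OCTET_STRING, OID, BOOLEAN = 0x30, 0x04, 0x06, 0x01


def _der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])                     # short form
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form: count byte, then big-endian length


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                               # base-128, high bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(OID, bytes(body))


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int = 0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _read_all(buf: bytes) -> list:
    items, pos = [], 0
    while pos < len(buf):
        tag, content, pos = _read_tlv(buf, pos)
        items.append((tag, content))
    return items


def bind_assertions(assertions, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    extnValue wraps a SEQUENCE OF OCTET STRING, one UTF-8 SAML element each (assumed layout)."""
    inner = _tlv(SEQUENCE, b"".join(_tlv(OCTET_STRING, a.encode("utf-8")) for a in assertions))
    fields = encode_oid(SAML_EXT_OID)
    if critical:                    # DER omits the BOOLEAN when it equals its default (FALSE)
        fields += _tlv(BOOLEAN, b"\xff")
    return _tlv(SEQUENCE, fields + _tlv(OCTET_STRING, inner))


def unbind_assertions(ext_der: bytes):
    """Inverse of bind_assertions; returns (critical flag, list of SAML element strings)."""
    tag, body, _ = _read_tlv(ext_der)
    if tag != SEQUENCE:
        raise ValueError("extension is not a SEQUENCE")
    fields = _read_all(body)
    if fields[0][0] != OID or decode_oid(fields[0][1]) != SAML_EXT_OID:
        raise ValueError("not the GridShib SAML extension")
    critical = len(fields) == 3 and fields[1][0] == BOOLEAN and fields[1][1] != b"\x00"
    if fields[-1][0] != OCTET_STRING:
        raise ValueError("missing extnValue")
    tag, seq, _ = _read_tlv(fields[-1][1])
    if tag != SEQUENCE:
        raise ValueError("extnValue does not hold a SEQUENCE")
    return critical, [c.decode("utf-8") for t, c in _read_all(seq) if t == OCTET_STRING]
```

Because the extension is non-critical, a relying party that does not understand the OID simply ignores it and validates the certificate as usual; only a GridShib-aware Grid SP unpacks the assertions, and it still has to verify each assertion's signature and conditions after unbinding, exactly as it would for an assertion received over SOAP.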

39
X.509 Binding Use Cases
  • Presenter is the Subject
    • Principal Self-assertion
    • Principal Self-query
    • Shib-enabled GridShib CA
    • MyProxy Online CA
    • Community Authorization Service
  • Presenter Acting on Behalf of the Subject
    • nanoHUB Pull
    • National Virtual Observatory (NVO) Push
    • Shib-enabled Science Gateway

40
Use Case: nanoHUB
41
Use Case: NVO
42
Use Case: Science Gateway
(Diagram; label: SSO Assertion)
43
Outline
  • GridShib Overview
  • GridShib Components
  • GridShib Profiles
  • GridShib Roadmap

44
Work in the Pipeline
  • New versions of GridShib for GT, GridShib for
    Shib, and GridShib CA
  • GridShib Authn Assertion Client -> GridShib
    SAML Issuer Tool
  • Shibboleth IdP Tester -> GridShib Attribute
    Query Client
  • GridShib SAML Tools
  • Enhancements to Globus SAML Library

45
GridShib for GT Versions
  • GridShib for GT 0.5
    • Announced Nov 30, 2006
  • GridShib for GT 0.5.1
    • Expected ?
  • GridShib for GT 0.6
    • Expected ?

46
GridShib for GT 0.5
  • GridShib for GT 0.5 announced Nov 30
  • Compatible with both GT4.0 and GT4.1
    • GT4.1 introduces powerful authz framework
    • Separate binaries for each GT version
    • Source build auto-senses target GT platform
  • New identity-based authorization feature
    • Uses grid-mapfile instead of DN ACLs
  • Logging enhancements
  • Bug fixes

47
GridShib for GT 0.5.1
  • GridShib for GT 0.5.1 (expected ?)
    • Combined VOMS/SAML attribute-to-account mapping
    • As with the current gridmap situation, GT4.0.x
      deployments cannot take advantage of permit
      overrides and arbitrarily configured fallbacks
    • To accommodate this, we'll allow for a name
      mapping scheme that checks in this order and
      continues to fall back if no match/authz is
      granted: gridmap, VOMS, Shibboleth/SAML
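The ordered fallback just described (gridmap, then VOMS, then Shibboleth/SAML) as an added example; this is not GridShib's implementation. The grid-mapfile format (a quoted DN followed by one or more comma-separated local accounts) is the standard one; the VOMS FQAN and SAML attribute tables, their contents and the account names are constructed for the example. Each mapper returns either an account or `None`, and `None` means "fall through to the next source", which is the strict-order behaviour the slide contrasts with permit overrides.

```python
"""Constructed example of an ordered account-mapping chain: gridmap, then VOMS, then SAML."""
import shlex
from typing import Optional, Sequence

# A grid-mapfile binds a quoted DN to one or more local accounts (constructed contents).
GRID_MAPFILE = '''
# "<DN>" <account>[,<account>...]
"/C=US/O=Example/CN=Alice" alice
"/C=US/O=Example/CN=Bob" bob,bobsvc
'''

# VOMS FQAN -> account and SAML attribute value -> account tables (assumed layouts).
VOMS_MAP = {
    "/vo.example.org/Role=admin": "voadmin",
    "/vo.example.org/Role=NULL/Capability=NULL": "vouser",
}
SAML_MAP = {"eduPersonAffiliation": {"staff": "shibstaff", "student": "shibstudent"}}


def parse_gridmap(text: str) -> dict:
    """Parse grid-mapfile lines; shlex handles the quoted DN, which may contain spaces."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        mapping[fields[0]] = fields[1].split(",")
    return mapping


GRIDMAP = parse_gridmap(GRID_MAPFILE)


def map_gridmap(dn: str, fqans, attrs) -> Optional[str]:
    accounts = GRIDMAP.get(dn)
    return accounts[0] if accounts else None      # first listed account is the default


def map_voms(dn: str, fqans, attrs) -> Optional[str]:
    for fqan in fqans:                            # FQANs are tried in the order VOMS listed them
        if fqan in VOMS_MAP:
            return VOMS_MAP[fqan]
    return None


def map_saml(dn: str, fqans, attrs) -> Optional[str]:
    for name, table in SAML_MAP.items():
        for value in attrs.get(name, []):
            if value in table:
                return table[value]
    return None


CHAIN: Sequence[tuple] = (("gridmap", map_gridmap), ("voms", map_voms), ("saml", map_saml))


def map_account(dn: str, fqans=(), attrs=None, chain=CHAIN) -> tuple:
    """Try each mapper in order; the first one that yields an account wins.  A mapper
    that returns None simply falls through to the next, so the sources are never
    combined (no permit override), matching the GT4.0.x constraint on the slide."""
    attrs = attrs or {}
    for source, mapper in chain:
        account = mapper(dn, fqans, attrs)
        if account is not None:
            return source, account
    raise PermissionError(f"no local account for {dn}")
```

Returning the winning source alongside the account is deliberate: when a user lands in an unexpected pool account, the audit log should say which of the three mappings made the decision.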

48
GridShib for GT 0.6
  • GridShib for GT 0.6 (expected ?)
    • Full-featured attribute push PIP
    • TBA
    • More powerful attribute-based authz policies
      • Allow unique issuer in authz policy rules

49
GridShib for Shib Versions
  • GridShib for Shib 0.5.1
    • Announced Aug 8, 2006
  • GridShib for Shib 0.6
    • Expected Jan 2007
    • Will include SAML Issuer Tool (derived from Shib
      resolvertest tool)

50
GridShib for Shib 0.6
  • GridShib for Shib 0.6 (expected Jan 2007)
    • Core (already included in 0.5)
      • Requires Shib IdP
      • Includes basic plugins and handlers
    • Certificate Registry (already included in 0.5)
      • Requires GridShib for Shib Core
      • Includes Derby embedded database
    • SAML Tools (new in 0.6)
      • Requires GridShib for Shib Core
      • Includes SAML Issuer Tool and SAML X.509 Binding
        Tool

51
GridShib CA Versions
  • GridShib CA 0.3
    • Announced Nov 27, 2006
  • GridShib CA 0.4
    • Expected March, 2007

52
GridShib CA 0.3
  • GridShib CA 0.3 announced Nov 27, 2006
  • Substantial improvement over version 0.2
    • More robust protocol
    • Installation of trusted CAs at the client
    • Pluggable back-end CAs
      • Uses an openssl-based CA by default
      • A module to use a MyProxy CA is included
    • Certificate registry functionality
      • A module that auto-registers DNs with myVocs

53
GridShib SAML Tools
  • GridShib SAML Issuer Tool
    • Derived from Authentication Assertion Client
  • Shibboleth SAML Issuer Tool
    • Derived from Shib resolvertest tool
  • GridShib Attribute Query Client
    • Derived from Shib IdP Tester
  • GridShib X.509 Binding Tool
    • Derived from GT CAS/SAML utilities

54
GridShib SAML Tools (contd)
55
GridShib SAML Tools (contd)
56
SAML Tool Distributions
  • The Shib SAML Issuer Tool and the SAML X.509
    Binding Tool will be distributed with GridShib
    for Shib 0.6
  • The GridShib SAML Issuer Tool, GridShib Attribute
    Query Client, and SAML X.509 Binding Tool will be
    distributed as a single, standalone package
  • Note: The latter does not require GridShib for
    Shib or GridShib for GT

57
Globus SAML Library
  • Features and enhancements
    • Support for SAML V2.0 metadata
    • SAML object equivalence implementation
    • Enhanced SAMLNameIdentifier class
    • SAML NameIdentifier format handlers
    • New SAMLSubjectAssertion class
    • New SubjectStatement class
    • Additional unit tests and examples
  • Requires JDK 1.4 or above

58
New Software Components
  • GridShib for Globus Toolkit 0.6
  • GridShib for Shibboleth 0.6
    • Optional Certificate Registry
    • Optional SAML Issuer Tool
  • GridShib Certificate Authority 0.4
  • GridShib SAML Tools
    • SAML Issuer Tool
    • Attribute Query Client
    • SAML X.509 Binding Tool
  • Globus SAML Library (enhanced)

59
Profiles and Bindings Specs
  • SAML V1.1 Profiles for X.509 Subjects
    http://www.oasis-open.org/committees/download.php/19996/sstc-saml1-profiles-x509-draft-01.pdf
    • Subject-based Assertion Profile for SAML V1.1
    • X.509 Binding for SAML Assertions
    • Attribute Query Profile for SAML V1.1
  • SAML V1.1 Deployment Profiles for X.509 Subjects
  • SAML V2.0 Deployment Profiles for X.509 Subjects

60
Acknowledgments
  • GridShib is a project funded by the NSF
    Middleware Initiative
  • NMI awards 0438424 and 0438385
  • Opinions and recommendations are those of the
    authors and do not necessarily reflect the views
    of the National Science Foundation.
  • Also many thanks to Internet2 Shibboleth Project

61
Summary
  • GridShib has a number of tools for leveraging
    Shibboleth for the Grid
    • Both for user authentication and attribute-based
      authorization
  • Deploys easily on Shibboleth 1.3 and Globus 4.0
  • Available under Apache2 license
  • For more information and software
    • http://gridshib.globus.org
    • vwelch@ncsa.uiuc.edu
    • http://dev.globus.org/wiki/Incubator/GridShib

62
Questions?