
Interoperability Shibboleth - gLite


Presentation Transcript


  1. Interoperability Shibboleth - gLite
    Christoph Witzig, SWITCH
    TNC 2007 - Copenhagen, 22.5.2007

  2. Content
    • Introduction
    • Motivation for interoperability Shibboleth - Grids
    • Authentication and authorization (AA) in Grids and Shibboleth
    • General approach
    • Phase 1: Short-lived credential service (SLCS)
    • Phase 2: Attribute exchange to VOMS
    • Outlook: Phase 3
    • Other activities in interoperability Shibboleth - Grids
    • Summary
    TNC2007, Kopenhagen, 22.5.2007

  3. Why Interoperability AAI - Grid?
    • For AAI federations:
      • Add grid resources to the federation
    • For Grids:
      • Add a huge user base (campus networks)
    • For users:
      • Simpler management of credentials
      • Easy access to grids
    • For e-Science:
      • Unified user base
      • Bring stakeholders together (NRENs - Grids)

  4. AAI Models
    • AAIs solve the old problem of access control to resources
    • There are various technologies in use; their usefulness depends on the underlying infrastructure:
      • Passport model (PKI / Grids)
      • Federated identity (Shibboleth)

  5. Passport Model (PKI)
    [diagram; labels: X.509, Proxy X.509 w/ VOMS AC, job submission, attributes, VO, Resource Broker, Computing Element (CE), Worker Node (WN)]
    • VOMS = virtual organization management system
    • AC = attribute certificate

  6. Federated Identity Model
    [diagram: 1. user attempts access at the Service Provider; 2. authN at the Home Organization / Identity Provider; 3. SAML assertion to the Service Provider; 4. authZ? at the Service Provider]
    • authN = authentication
    • authZ = authorization
    • SAML = security assertion markup language

  7. Topics
    • authN at grid resource
    • Attribute-based authZ
    • Federation attributes vs VO attributes
    • Delegation
    • Renewal of credentials

  8. General Approach
    • EGEE-II: April 2006 - Mar 2008
      • Year 1: Phase 1 and 2
        • Add interoperability by starting "small", with minimal changes to gLite
      • Year 2: Phase 3
        • Extend SAML to selected grid services
    • EGEE-III:
      • Continuation in EGEE-III

  9. Overview Phase 1 and 2
    [architecture diagram of Phase 1 and 2]
    • SLCS = short-lived credential service
    • VASH = VOMS attributes from Shibboleth

  10. Design Decisions
    • SLCS CA and "VOMS SP" independent of each other
      • Separate Service Providers
      • Deployed independently
    • SLCS CA independent of the Grid middleware
    • VOMS SP only dependent on VOMS

  11. Content (agenda slide repeated; same list as slide 2)

  12. SLCS Profile
    • SLCS = short-lived credential service
    • IGTF profile
    • Minimum requirements: (table not captured in the transcript)

  13. SWITCHslcs: Operation
    • For the user:
      • From the command line: invisible
      • Part of the gLite User Interface [UI] (3.1); can also be installed independently
    • For the RA, from a web-based admin tool:
      • Can enable or disable individual users (only for their own institution)
      • Requirements formulated in the CP/CPS
      • Can obtain log information
    • SWITCH:
      • Operates the service

  14. SWITCHslcs
    • Private key is never transferred
    • Use a commercial CA and only standard protocols
    • Modular design such that other people can use their own components
    • Shibboleth attributes determine the DN
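As an added illustration of slides 12 and 14 (example code, not SWITCHslcs's or gLite's own), the Go program below models the SLCS issuance flow: the key pair is generated on the user's side and only a CSR travels, the online CA sets the DN from the Shibboleth attributes rather than from the CSR subject, and requests above the 1,000,000-second lifetime cap are refused. The DN layout, the attribute field names, the demo CA and the cap value are assumptions of this example; it uses only Go's standard library.

```go
package main
import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
type ShibAttrs struct{ HomeOrg, GivenName, Surname, UniqueID string } // released by the IdP (constructed sample fields)
const MaxLifetime = 1000000 * time.Second // IGTF SLCS cap of 1e6 s (~11.5 days): an assumption, not stated on the slides
// slcsDN derives the subject purely from Shibboleth attributes (assumed simplified layout: O=HomeOrg, CN=name+id).
func slcsDN(a ShibAttrs) pkix.Name { return pkix.Name{Organization: []string{a.HomeOrg}, CommonName: a.GivenName + " " + a.Surname + " " + a.UniqueID} }
// ClientCSR is the user side: the key pair stays on the user's host; only a CSR (public key + proof of possession) is sent.
func ClientCSR() (*rsa.PrivateKey, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "ignored by CA"}}, key)
	return key, der, err
}
// Issue is the online CA side: verify the CSR self-signature, enforce the lifetime cap, set the DN from IdP attributes.
func Issue(caKey *rsa.PrivateKey, ca *x509.Certificate, csrDER []byte, a ShibAttrs, life time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, fmt.Errorf("proof of possession failed: %w", err) }
	if life <= 0 || life > MaxLifetime { return nil, fmt.Errorf("lifetime %v outside SLCS profile", life) }
	now := time.Now() // the subject below comes from slcsDN, never from the CSR
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: slcsDN(a), NotBefore: now,
		NotAfter: now.Add(life), KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}
// NewCA builds a self-signed demo CA standing in for the SLCS CA (constructed for this example only).
func NewCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo SLCS CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(365 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der); return key, cert, err
}
func main() { // stand-alone run: issue a 10-day credential to a constructed user
	caKey, ca, _ := NewCA(); _, csr, _ := ClientCSR()
	cert, err := Issue(caKey, ca, csr, ShibAttrs{"Example University", "Ada", "Lovelace", "A1B2C3"}, 10*24*time.Hour)
	if err != nil { panic(err) }
	fmt.Println(cert.Subject, "valid for", cert.NotAfter.Sub(cert.NotBefore))
}
```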

  15. Status SLCS
    • Software development finished in 2006
    • Accredited by EUGridPMA in February 2007
    • Production operation since April 2007
    • http://www.switch.ch/grid/slcs

  16. Content (agenda slide repeated; same list as slide 2)

  17. The Problem
    • Phase 1 ties:
      • AAI authentication to the issuance of an X.509 certificate
      • AAI attributes are used to construct the DN
    • Phase 2 intends to make AAI attributes available to grid resources for authorization decisions:
      • Which AAI attributes are of interest to a grid resource?
      • How does the resource obtain the attributes? (pull vs push)
      • Relation to VO attributes
      • Deployment issues

  18. Shibboleth Attributes
    • Need a common understanding of attributes
      • Given within a federation
      • But inter-federation access (?)
    • In SWITCHaai: attributes are derived from eduPerson
    • Only a subset of attributes is really interesting for grid resources:
      • Home Organization (IdP)
      • Affiliation
      • Study level and branch
      • Staff
      • Member of

  19. Design (1)
    • VASH: VOMS Attributes from Shibboleth
      • Shibboleth SP
      • Browser-based
      • Specific for:
        • Federation
        • VO
    • "Lightweight" SP:
      • No administrator duties
      • No management of attributes
      • Simply transfers attributes upon user request

  20. Design (2)
    • X.509 and proxy X.509 with VOMS AC unchanged
    • No change in VOMS
      • Needs version 1.7.10 or higher
    • VO registration not changed
    • Administrative domains of the Shibboleth federation and VOMS fully decoupled
    • User manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)
      • VASH becomes a service which knows the mapping Shibboleth userid - DN
      • Has to respect data privacy laws
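The following Go sketch, added here and not VASH's or VOMS's own code, models the design of slides 18 to 20: a lightweight SP that manages no attributes itself, holds only the user-maintained binding from Shibboleth user id to certificate DN, keeps just the allow-listed attribute subset, and fails closed when a user has bound no DN. The attribute names, the struct layout and the use of the qualifier field to record the asserting IdP are this example's assumptions, not the VOMS API.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// GenericAttr models a VOMS generic attribute triple (name, value, qualifier); the field names are this example's.
type GenericAttr struct{ Name, Value, Qualifier string }

// wanted is the subset from slide 18 that grid resources care about; the eduPerson-style names are assumed.
var wanted = map[string]bool{"homeOrganization": true, "eduPersonAffiliation": true, "studyLevel": true, "studyBranch": true}

// VASH is the lightweight SP of slides 19 and 20: it manages no attributes, only the
// binding Shibboleth user id -> certificate DN(s), which the user maintains.
type VASH struct{ dnByUser map[string][]string }

func NewVASH() *VASH { return &VASH{dnByUser: map[string][]string{}} }

// Bind records that userID owns dn (classic or SLCS X.509); done by the user, not by an administrator.
func (v *VASH) Bind(userID, dn string) { v.dnByUser[userID] = append(v.dnByUser[userID], dn) }

// Transfer turns the attributes the IdP released for userID into VOMS-style generic attributes for every bound DN.
// Attributes outside the allow-list are dropped (data minimisation); an unbound user gets nothing (fail closed).
func (v *VASH) Transfer(userID, idp string, released map[string][]string) (map[string][]GenericAttr, error) {
	dns := v.dnByUser[userID]
	if len(dns) == 0 {
		return nil, errors.New("no DN bound for " + userID + ": register a certificate first")
	}
	var ga []GenericAttr
	for name, values := range released {
		if !wanted[name] {
			continue
		}
		for _, val := range values { // multi-valued attributes (several affiliations) become several triples
			ga = append(ga, GenericAttr{Name: name, Value: val, Qualifier: idp}) // qualifier = asserting IdP (example's choice)
		}
	}
	sort.Slice(ga, func(i, j int) bool { // deterministic order for the VOMS admin and for tests
		if ga[i].Name != ga[j].Name {
			return ga[i].Name < ga[j].Name
		}
		return ga[i].Value < ga[j].Value
	})
	out := make(map[string][]GenericAttr, len(dns))
	for _, dn := range dns {
		out[dn] = ga
	}
	return out, nil
}

func main() { // stand-alone run with a constructed attribute release
	v := NewVASH()
	v.Bind("ada@example.edu", "/O=Example University/CN=Ada Lovelace A1B2C3")
	released := map[string][]string{"homeOrganization": {"example.edu"}, "eduPersonAffiliation": {"staff", "member"}, "mail": {"ada@example.edu"}}
	out, err := v.Transfer("ada@example.edu", "idp.example.edu", released)
	fmt.Println(out, err)
}
```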

  21. Web Interface
    [screenshot of the VASH service web interface]

  22. Status
    • Software implementation done
    • MJRA1.5 document: https://edms.cern.ch/document/807849/1
    • Currently developing plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource:
      • Access to the VOMS AC
      • LCAS/LCMAPS

  23. Content (agenda slide repeated; same list as slide 2)

  24. Phase 3
    • Goal of phase 3: extend the use of SAML in grids beyond what is already provided by phases 1 and 2
    • SAML-enable those services with which the user interacts directly:
      • WMS
      • File access
    • Benefits:
      • The (average) user no longer needs certificates
      • Introduce SAML gently beyond phases 1 and 2, gain experience
      • No modifications to most grid software (eases deployment)
      • Compatible with the Shibboleth roadmap (2.0, 2.1) and the ID-WSF implementation
      • All options open for the future

  25. Content (agenda slide repeated; same list as slide 2)

  26. Other Activities
    • GridShib
      • Globus
      • Community access to TeraGrid through gateways
    • Activities in the UK
      • Shebangs and ShibGrid
      • Shintau: attribute aggregation from multiple IdPs
    • OMII-Europe:
      • SAML assertions from VOMS

  27. Summary
    • Interoperability gLite - Shibboleth:
      • Phase 1: SLCS service
        • Online CA issuing X.509 certificates based upon authN at a Shibboleth IdP
        • In operation
      • Phase 2: VASH
        • Transfers Shibboleth attributes into VOMS
        • Shib attributes are available to grid resources as part of the VOMS AC
        • Software development finished
      • Phase 3:
        • Is starting now
        • Idea: SAML-enable a selected (small) number of grid services (those close to the user)

  28. Q & A
