230 likes | 246 Views
GridShib is an NSF NMI project that enables the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit. It aims to leverage existing Shibboleth codebase and deployments while addressing higher-level issues in Identity Federation for Grids. GridShib allows for the federation of sites to support Virtual Organizations (VOs) and provides solutions for managing multiple attributes across VOs. The project aims to standardize X509 profile for Shibboleth/SAML AA and modify the GT to request, receive, and parse SAML attributes from Shib.
E N D
GridShib:Grid-Shibboleth Integration(Identity Federation and Grids)April 11, 2005 Von Welch vwelch@ncsa.uiuc.edu http://grid.ncsa.uiuc.edu/GridShib/
What is GridShib? • NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit • Funded under NSF award SCI-0438424 • Goal: GT 4.2 & Shibboleth 1.3 • GridShib team: NCSA, U. Chicago, ANL • Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch • Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team GridShib: UK eScience Security Workshop
Why? Someone else… • Leverage Shibboleth code base • Someone else is writing and debugging it • Leverage Shibboleth deployments • Someone else is supporting them • Leverage larger issues going on in Identity Federation world • Someone else is helping to write them • Even more someone else’s will be writing and deploying them • SAML standard, profiles • Leverage someone else’s attributes? • Are campus attributes useful to Grids? GridShib: UK eScience Security Workshop
Outline • Low-level technical discussion • Shibboleth • GridShib • Higher-level discussion of Identity Federation for Grids • How do sites federate to support a VO? GridShib: UK eScience Security Workshop
Shibboleth Federation Model Attrs Attrs SAML IDs IDs GridShib: UK eScience Security Workshop
Shibboleth (Simplified) SAML Shibboleth Attrs Attributes Handle WWW IDs Handle GridShib: UK eScience Security Workshop
GridShib (Simplified) SAML Shibboleth Attrs Attributes DN Grid IDs DN SSL/TLS, WS-Security DN GridShib: UK eScience Security Workshop
GridShib Goals • Work with others to standardize X509 profile for Shibboleth/SAML AA • Change as little as possible on Shibboleth side • Limit to installation of new NameMapper plug-in for Shibboleth to recognize and map DNs to local identities • Privacy • In “V2” GridShib: UK eScience Security Workshop
GridShib Goals (cont) • Modifications to GT to request, receive and parse SAML attributes from Shib • Frank Siebenlist’s earlier talk • General PDP functionality • Grid uses cases can be very complicated and varied in terms of authz policy • Try to support union of many “simple” cases • Allow for deployment of custom PDPs GridShib: UK eScience Security Workshop
How does Identity federation apply to Grids? Shibboleth model is very good for allowing a single site to federate their user’s attributes If the site attributes are all the matter, then this is all you need E.g. a “campus grid” for campus users Higher-level Issues GridShib: UK eScience Security Workshop
However, most VOs have their own attributes Domain-specific, VO-organization, etc. This means multiple attribute authorities for the same set of user How do these multiple attributes get served up? VO Attributes GridShib: UK eScience Security Workshop
Requires a large, resourced VO Must have skills, support staff, time Requires more complexity in authorization Need to map attributes to authority To some extend defeats the purpose VO runs Shibboleth Server GridShib: UK eScience Security Workshop
Puts services in the right place Campuses are good at running production services Requires campus to somehow outsource administration of attributes Two sub-models: One campus for VO attributes for all VO users Each campus handles VO attributes for own users Campus runs Shibboleth GridShib: UK eScience Security Workshop
Arranging for administration of each VO user’s attributes will be hard at first Significant social issues with campuses Initially, we will be finding one campus to serve attributes for each VO That campus out sources administration for a VO attribute space to that VO Allows remote administration by VO They still run services Prediction GridShib: UK eScience Security Workshop
Questions? • Project website: • http://grid.ncsa.uiuc.edu/GridShib/ • Or contact: • vwelch@ncsa.uiuc.edu • For more information on NMI: • http://www.nsf-middleware.org/ GridShib: UK eScience Security Workshop
Extra Slides GridShib: UK eScience Security Workshop
Shibboleth • http://shibboleth.internet2.edu/ • Internet2 project • Allows for inter-institutional sharing of web resources (via browsers) • Federation of identities and attributes • Uses attribute-based authorization • Standards-based (SAML) • Being extended to non-web resources GridShib: UK eScience Security Workshop
Globus Toolkit • http://www.globus.org • Collaborative work from the Globus Alliance • Toolkit for Grid computing • Job submission, data movement, data management, resource management • Based on Web Services and WSRF • Security based on X.509 identity- and proxy-certificates GridShib: UK eScience Security Workshop
Campus running Grid, Shibboleth service Users with campus-issued certificates Maybe a few outside users Desires to use campus attributes to authorize use of campus grid E.g. USC Campus Grid Use Case GridShib: UK eScience Security Workshop
Multi-site Grid based around a virtual organization Users have certificates from one or more Grid CAs, probably not run by VO Grid wishes to establish attributes for their users to do role-based authorization Grid is either large enough to establish and run their own Shibboleth AA or someone is willing to do it for them E.g. TeraGrid, OSG Grid Deployment Use Case GridShib: UK eScience Security Workshop
Grid based on virtual organization but wants to make resources available to larger community E.g. Allow all chemists to access some dataset Users have certificates from one or more Grid CAs, probably not run by VO Want to use campus-asserted attributes, from campus-run Shibboleth services to authorize access to VO resources Currently done by issuing light-weight Grid credentials to users via a portal E.g. ESG Hybrid Use Case GridShib: UK eScience Security Workshop
GridShib Integration Goals • Use Shibboleth 1.3 out of box • With additional NameMapper module to handle mapping X.509 identities to local names • Work with Shib identity provider metadata • Working with Shib developers to achieve • Don’t require modification to typical grid client applications for simple use cases • Most of work going into Grid services GridShib: UK eScience Security Workshop
Project objectives • Priority 1: Pull mode operation • Globus services contact Shibboleth to obtain attributes about identified user • Priority 2: Push mode operation • User obtains Shib attributes and push to service • Allows role selection • Priority 3: Pseudonymous access with MyProxy/GridLogon GridShib: UK eScience Security Workshop