Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration

4th Annual PKI R&D Workshop. Tom Barton, Kate Keahey, Frank Siebenlist, Von Welch.


Presentation Transcript


  1. Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration. 4th Annual PKI R&D Workshop. Tom Barton, Kate Keahey, Frank Siebenlist, Von Welch

  2. Outline • Overview of Shibboleth and Globus • Our Motivation and Use Cases • Integration Approach

  3. Shibboleth • http://shibboleth.internet2.edu/ • Internet2 project • Allows for inter-institutional sharing of web resources (via browsers) • Provides attributes for authorization between institutions • Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’ • Standards-based (SAML) • Being extended to non-web resources

  4. Shibboleth • Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services • SSO: authenticates user locally and issues authentication assertion with Handle • Assertion is short-lived bearer assertion • Handle is also short-lived and non-identifying • Handle is registered with AA • Attribute Authority responds to queries regarding handle

  5. Shibboleth • Service Provider composed of Assertion Consumer and Attribute Requestor • Assertion Consumer parses authentication assertion • Attribute Requestor: requests attributes from the AA • Attributes used for authorization • Where Are You From (WAYF) service determines user’s Identity Provider
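The handle flow of slides 4 and 5, as an added example that is not part of the original slides or of Shibboleth's own code. It is a toy simulation: the "signature" on the assertion is an HMAC under a shared key (real Shibboleth uses XML Signature with the IdP's certificate), the IdP and SP names, the user and the attributes are constructed, and the SSO's local authentication step is not modelled. What it shows is the security shape of the design: the handle is random and unlinkable across logins, the AA answers only while the handle is live, and the SP has to check signature, audience and lifetime because the assertion is a bearer token that anyone holding it could present.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Assertion stands in for the SAML authentication assertion the Shibboleth SSO
// issues: it names the user only by an opaque Handle and expires quickly.
type Assertion struct {
	Issuer, Audience, Handle string
	NotOnOrAfter             time.Time
	MAC                      string // HMAC-SHA256 stands in for the XML signature (assumption)
}

// sign computes the MAC over every field that must not change in transit.
func sign(key []byte, a Assertion) []byte {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s|%s|%s|%d", a.Issuer, a.Audience, a.Handle, a.NotOnOrAfter.Unix())
	return m.Sum(nil)
}

type handleRecord struct {
	user    string
	expires time.Time
}

// IdentityProvider bundles the SSO and the Attribute Authority (AA) of slide 4.
type IdentityProvider struct {
	Name    string
	key     []byte                       // assumption: shared key instead of an IdP signing certificate
	ttl     time.Duration                // handle and assertion lifetime
	handles map[string]handleRecord      // AA registry: handle -> local user
	Users   map[string]map[string]string // local user -> attributes
}

func NewIdentityProvider(name string, key []byte, ttl time.Duration) *IdentityProvider {
	return &IdentityProvider{Name: name, key: key, ttl: ttl,
		handles: map[string]handleRecord{}, Users: map[string]map[string]string{}}
}

// Login is the SSO step after local authentication (not modelled): mint a random,
// non-identifying handle, register it with the AA, and issue a signed assertion.
func (idp *IdentityProvider) Login(user, audience string, now time.Time) (Assertion, error) {
	if _, ok := idp.Users[user]; !ok {
		return Assertion{}, errors.New("unknown user")
	}
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return Assertion{}, err
	}
	a := Assertion{Issuer: idp.Name, Audience: audience,
		Handle: hex.EncodeToString(raw), NotOnOrAfter: now.Add(idp.ttl)}
	idp.handles[a.Handle] = handleRecord{user: user, expires: a.NotOnOrAfter}
	a.MAC = hex.EncodeToString(sign(idp.key, a))
	return a, nil
}

// AttributeQuery is the AA step: resolve a live handle to attributes. The
// requester never learns the local user name behind the handle.
func (idp *IdentityProvider) AttributeQuery(handle string, now time.Time) (map[string]string, error) {
	rec, ok := idp.handles[handle]
	if !ok || !now.Before(rec.expires) {
		return nil, errors.New("unknown or expired handle")
	}
	return idp.Users[rec.user], nil
}

// ServiceProvider is the Assertion Consumer plus Attribute Requestor of slide 5.
type ServiceProvider struct {
	Name   string
	idpKey []byte // the SP's copy of the IdP verification key
}

// Authorize runs the pull-mode flow. The assertion is a bearer token, so its
// signature, audience and lifetime are checked before the handle is trusted.
func (sp ServiceProvider) Authorize(aa *IdentityProvider, a Assertion, now time.Time) (map[string]string, error) {
	mac, err := hex.DecodeString(a.MAC)
	if err != nil || !hmac.Equal(mac, sign(sp.idpKey, a)) {
		return nil, errors.New("assertion signature invalid")
	}
	if a.Audience != sp.Name {
		return nil, errors.New("assertion not addressed to this SP")
	}
	if !now.Before(a.NotOnOrAfter) {
		return nil, errors.New("assertion expired")
	}
	return aa.AttributeQuery(a.Handle, now)
}

func main() {
	key := []byte("constructed shared key") // constructed sample values throughout
	idp := NewIdentityProvider("https://idp.example.edu/shibboleth", key, 5*time.Minute)
	idp.Users["alice"] = map[string]string{"eduPersonAffiliation": "staff"}
	sp := ServiceProvider{Name: "https://sp.example.org/shibboleth", idpKey: key}
	a, _ := idp.Login("alice", sp.Name, time.Now())
	attrs, err := sp.Authorize(idp, a, time.Now())
	fmt.Println("handle:", a.Handle, "attributes:", attrs, "error:", err)
}
```

Two logins by the same user yield two unrelated handles, so the SP cannot correlate sessions without the AA's cooperation; an assertion replayed after its lifetime, presented to a different SP, or altered to carry another session's handle fails before any attribute is released.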

  6. Globus Toolkit • http://www.globus.org • Toolkit for Grid computing • Job submission, data movement, data management, resource management • Based on Web Services and WSRF • Security based on X.509 identity and proxy certificates • Certificates may come from conventional or online CAs • Some initial attribute-based authorization

  7. Motivation • Many Grid VOs are focused on science or business other than IT support • Don’t have expertise or resources to run security services • Allow for leveraging of Shibboleth code and deployments run by campuses

  8. Use Cases • Project leveraging campus attributes • Simplest case • Project-operated Shib service • Project operates own service, conceptually easy, but not ideal • Campus-operated, project-administered Shib • Ideal mix, but need mechanisms for provisioning of attribute administration

  9. Integration Approach • Conceptually, replace Shibboleth’s handle-based authentication with X.509 • Provides stronger security for non-web-browser apps • Works with existing PKI install base • To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

  10. Integration Areas • Assertion Transmission • Attribute Authority Discovery • Distributed Attribute Administration • Pseudonymous Interaction • Authorization

  11. Assertion Transmission • How to get SAML assertions from AA into Globus? • Initially: Pull mode with Globus acting as a Shibboleth Attribute Requestor • Will explore Push modes to help with privacy and role combination • Implement Grid Name Mapper to map X.509 DNs to local identities used to obtain attributes

  12. Attribute Authority Discovery • No interactive WAYF service in the Grid • Place identifier of Identity Provider in cert • Either in long-term EEC or short-term Proxy Cert • Will explore pushing attributes • Avoids the problem • Might also address combined attributes from multiple AAs

  13. Distributed Attribute Administration • Campus is ideal for running services, but may not know all attributes of users • How does a campus issue attributes for which it is not authoritative? • E.g. IEEE membership of staff • In Grid case, Project Membership • This may be the largest hurdle due to social, political and/or legal issues • Need accepted cookbook for process • Plan on exploring Signet • http://middleware.internet2.edu/signet/

  14. Pseudonymous Interaction • How to maintain Shibboleth pseudonymous functionality with X.509? • Will develop online CA that issues certificates with non-identifying DNs • Register the DN with the AA, just as the SSO registers a Handle • Basically holder-of-key assertions
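The X.509 replacement for the handle described on slides 9, 11, 12 and 14, as an added example; this is not GridShib or Globus Toolkit code. It uses Go's crypto/x509 to stand up a toy online CA that issues a certificate with a random CN, embeds the Identity Provider identifier in an extension for AA discovery (the OID is an assumption, since GridShib's actual profile is not on the page), and records the pseudonymous DN in the AA-side registry that the Grid Name Mapper consults. On the service side, signing a fresh nonce stands in for the GSI/TLS handshake that proves possession of the private key, which is what makes this a holder-of-key rather than a bearer credential. Names, users and lifetimes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// oidIdP is an ASSUMED private-arc OID for a certificate extension that names the
// user's Identity Provider (slide 12); the real GridShib profile is not on the page.
var oidIdP = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// OnlineCA issues short-lived certificates whose subject CN is random, so the DN
// identifies nobody (slide 14). Registry is the AA-side table (pseudonymous DN ->
// local user) that the Grid Name Mapper of slide 11 consults to fetch attributes.
type OnlineCA struct {
	Cert     *x509.Certificate
	key      *ecdsa.PrivateKey
	IdP      string            // identifier placed in each cert for AA discovery
	Registry map[string]string // DN -> local user, known only to the AA
}

// mint signs tmpl under parent with priv and returns the parsed certificate.
func mint(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewOnlineCA(idp string) (*OnlineCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject: pkix.Name{CommonName: "Pseudonymous Online CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	cert, err := mint(tmpl, tmpl, &key.PublicKey, key)
	return &OnlineCA{Cert: cert, key: key, IdP: idp, Registry: map[string]string{}}, err
}

// Issue runs after the user authenticated to the campus SSO (not modelled): mint a
// cert with a random CN, embed the IdP identifier, and register the DN with the AA
// just as the SSO registers a handle.
func (ca *OnlineCA) Issue(user string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	raw := make([]byte, 16)
	rand.Read(raw)
	idpExt, _ := asn1.MarshalWithParams(ca.IdP, "utf8")
	tmpl := &x509.Certificate{SerialNumber: new(big.Int).SetBytes(raw),
		Subject:   pkix.Name{CommonName: fmt.Sprintf("%x", raw)},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: oidIdP, Value: idpExt}}}
	cert, err := mint(tmpl, ca.Cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, nil, err
	}
	ca.Registry[cert.Subject.String()] = user
	return cert, key, nil
}

// HolderSigner is what the key holder can do that a mere bearer of the cert cannot.
// Signing a fresh nonce stands in for the TLS handshake that proves possession in GSI.
func HolderSigner(key *ecdsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(nonce []byte) ([]byte, error) {
		d := sha256.Sum256(nonce)
		return ecdsa.SignASN1(rand.Reader, key, d[:])
	}
}

// Authenticate is the Grid service side: verify the chain to the trusted CA, check
// holder-of-key, then return the IdP identifier for AA discovery (no WAYF on the Grid).
func Authenticate(trustedCA, cert *x509.Certificate, sign func([]byte) ([]byte, error)) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	sig, err := sign(nonce)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	d := sha256.Sum256(nonce)
	if err != nil || !ok || !ecdsa.VerifyASN1(pub, d[:], sig) {
		return "", errors.New("holder-of-key proof failed")
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidIdP) {
			var idp string
			_, err := asn1.Unmarshal(ext.Value, &idp)
			return idp, err
		}
	}
	return "", errors.New("certificate carries no IdP identifier")
}
```

To exercise it: create the CA with NewOnlineCA, call Issue for a user, then pass the CA certificate, the issued certificate and HolderSigner(key) to Authenticate; the returned identifier tells the service which AA to query with cert.Subject.String(). A certificate presented with someone else's key fails the holder-of-key check even though the chain verifies, and the service never sees a DN it could tie to a person.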

  15. Authorization • Develop authorization framework in Globus Toolkit • Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions • XACML used for expressing gathered identity, attribute and policy information • Convert Attributes into common format for policy evaluation • Allows for common evaluation of attributes expressed in SAML and X.509 (and others…)
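The "convert attributes into a common format, then evaluate one policy over all of them" idea of slide 15, as an added example; it is not the Globus Toolkit authorization framework and uses no XACML syntax, only XACML-style subject-attribute triples (category, identifier, values) fed to a tiny policy decision point. The attribute identifiers, the "x509:subject:*" naming for DN components and the plain comma-separated DN parsing are assumptions; the SAML side takes the name/values pairs an AA would return, and all sample inputs are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Attribute is the common, XACML-style form every source is mapped into: a
// category (here always "subject"), an identifier, and a bag of values.
type Attribute struct {
	Category, ID string
	Values       []string
}

// FromSAML maps the name/values pairs a Shibboleth AA returns into subject
// attributes keyed by the SAML attribute name (an assumed naming; GridShib's
// exact identifiers are not on the page).
func FromSAML(attrs map[string][]string) []Attribute {
	out := make([]Attribute, 0, len(attrs))
	for name, values := range attrs {
		out = append(out, Attribute{Category: "subject", ID: name, Values: values})
	}
	return out
}

// FromX509DN maps a certificate subject DN into subject attributes: the whole DN
// under "x509:subject" plus one attribute per RDN type ("x509:subject:O", ...).
// Assumption: the DN is in the plain "C=US,O=Globus,CN=..." form without escaped
// commas; a real implementation would walk pkix.Name from the parsed certificate.
func FromX509DN(dn string) []Attribute {
	out := []Attribute{{Category: "subject", ID: "x509:subject", Values: []string{dn}}}
	index := map[string]int{} // attribute ID -> position in out
	for _, rdn := range strings.Split(dn, ",") {
		kv := strings.SplitN(strings.TrimSpace(rdn), "=", 2)
		if len(kv) != 2 {
			continue
		}
		id := "x509:subject:" + strings.ToUpper(strings.TrimSpace(kv[0]))
		if i, ok := index[id]; ok {
			out[i].Values = append(out[i].Values, kv[1])
			continue
		}
		index[id] = len(out)
		out = append(out, Attribute{Category: "subject", ID: id, Values: []string{kv[1]}})
	}
	return out
}

// Rule permits access to Resource when, for every required attribute ID, the
// subject holds at least one of the listed values (AND across IDs, OR within).
type Rule struct {
	Resource string
	Require  map[string][]string
}

func (r Rule) matches(attrs []Attribute) bool {
	held := map[string]bool{} // "id\x00value" pairs the subject actually holds
	for _, a := range attrs {
		for _, v := range a.Values {
			held[a.ID+"\x00"+v] = true
		}
	}
	for id, allowed := range r.Require {
		satisfied := false
		for _, v := range allowed {
			satisfied = satisfied || held[id+"\x00"+v]
		}
		if !satisfied {
			return false
		}
	}
	return true
}

// Decide is the policy decision point: "Permit" if any rule for the resource
// matches, "Deny" if rules exist for it but none match, else "NotApplicable".
func Decide(rules []Rule, resource string, attrs []Attribute) string {
	decision := "NotApplicable"
	for _, r := range rules {
		if r.Resource != resource {
			continue
		}
		if r.matches(attrs) {
			return "Permit"
		}
		decision = "Deny"
	}
	return decision
}

func main() {
	// Constructed sample: a job factory wants a campus affiliation (from the
	// Shibboleth AA) and a certificate issued under a trusted organisation.
	res := "https://grid.example.org/wsrf/JobFactory"
	rules := []Rule{{Resource: res, Require: map[string][]string{
		"urn:mace:dir:attribute-def:eduPersonAffiliation": {"faculty", "staff"},
		"x509:subject:O": {"Globus", "NCSA"},
	}}}
	saml := FromSAML(map[string][]string{"urn:mace:dir:attribute-def:eduPersonAffiliation": {"staff"}})
	fmt.Println(Decide(rules, res, append(saml, FromX509DN("C=US,O=Globus,CN=7c1e2b")...)))
}
```

Because both sources land in the same attribute bag, one rule can require a SAML-sourced affiliation and an X.509-sourced organisation at once, which is the point of normalising before evaluating; adding a third source (a VOMS-style attribute certificate, say) means writing one more adapter, not another policy engine.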


  17. Status • Working on X.509 profiles in OASIS • Initial pieces tested • Developing pull-mode prototype for initial evaluation

  18. Acknowledgements and Details • NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit • Funded under NSF award SCI-0438424 • Goal: GT 4.2 & Shibboleth 1.3 • GridShib team: NCSA, U. Chicago, ANL • Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch • Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

  19. Questions? • Project website: • http://grid.ncsa.uiuc.edu/GridShib/
