Interoperability AAI and Grids
Christoph Witzig, SWITCH
NORDUnet Conference, April 9, 2008

Content
• Introduction to AAIs
• Why interoperability AAI - Grids
• Authentication and authorization (AA) in Grids and Shibboleth
• Interoperability Shibboleth - Grid within EGEE
  • Short-lived credential service (SLCS)
  • Attribute exchange to VOMS
• Future developments within EGEE
• Other activities in interoperability Shibboleth - Grids
• Summary
NORDUnet, Helsinki, April 9, 2008

Security Models
• AAIs solve the old problem of access control to resources
• Various technologies are in use; their usefulness depends on the underlying infrastructure:
  • Crusader Castle
  • League of Nations
  • Federations

Crusader Castle
Appropriate for few, non-mobile users
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected because of these difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
[Diagram: University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB), University C (Research DB, e-Learning); legend: User Administration, Authentication, Authorization, Resource, Credentials]

League of Nations
Standardized credentials (International Conference on Passports, 1920)
• User registration process with a CA
• User has one credential to present to resources
• authN and authZ at the resource
• User has to manage the credential
• Standard use in grids (IGTF)
• Delegation mechanism
[Diagram: Passport Issuer (CA) issuing X.509 credentials; University A (Student Admin, Web Mail, e-Learning), University C (Research DB, e-Learning); legend: User Administration, Authentication, Authorization, Resource, Credentials]

Federated Identity Management
• No user registration and no user data maintenance needed at the resource
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Efficient implementation of inter-institutional access
Shibboleth
• Open source
• Internet2
• SAML
• Web-based single sign-on
• authN at the Identity Provider
• authZ at the Service Provider, based on the user's attributes as provided by the IdP
• Privacy
[Diagram: Federated Identity Management across University A (Student Admin, Web Mail, e-Learning), Library B (e-Journals, Literature DB), University C (Research DB, e-Learning); legend: User Administration, Authentication, Authorization, Resource, Credentials]

Example of an AAI: SWITCHaai

Why Interoperability AAI - Grid?
For AAI federations:
• Add grid resources to the federation
For grids:
• Add a huge user base (campus networks)
For users:
• Simpler management of credentials
• Easy access to grids
For e-Science:
• Unified user base
• Bring stakeholders together (NRENs - Grids)

Interoperability Challenges
• authN at the grid resource
• Attribute-based authZ
• Federation attributes vs VO attributes
• Delegation
• Renewal of credentials
Overview: Phase 1 and 2
• SLCS = Short Lived Credential Service
• VASH = VOMS Attributes from Shibboleth

Design Decisions
• SLCS CA and “VOMS SP” independent of each other
  • Separate Service Providers
  • Deployed independently
• SLCS CA independent of the grid middleware
• VOMS SP only dependent on VOMS

Short Lived Credential Service (SLCS)

SLCS Profile
• SLCS = Short Lived Credential Service
• International Grid Trust Federation (IGTF) profile
• Minimum requirements:

SLCS Design
• The private key is never transferred
• Use a commercial CA and only standard protocols
• Modular design, so that others can use their own components
• Shibboleth attributes determine the DN

SLCS Operation
• For the user:
  • Command line: slcs-init --idp <providerId>
  • Part of the gLite User Interface (gLite-UI 3.1); can also be installed independently
• For the RA, from a web-based admin tool:
  • Can enable or disable individual users (only for their own institution)
  • Requirements formulated in the CP/CPS
  • Can obtain log information (audit)
• SWITCH:
  • Operates the service for the SWITCHaai federation

Status SLCS
• Software development finished in 2006
• SWITCH SLCS Root CA accredited by EuGridPMA in February 2007
• SWITCH SLCS in production since April 2007
• http://www.switch.ch/grid/slcs
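As an added example (not code from the presentation, from SWITCH or from gLite), the following Go program models the SLCS design points above: the key pair is generated on the user's side and only a CSR leaves the host, the online CA derives the subject DN from the attributes of the authenticated Shibboleth session and rejects a CSR that asks for any other DN, and the certificate is issued with a bounded lifetime. The attribute names, the DN mapping, the RSA-2048 keys and the throwaway demo CA are assumptions of this example, not SWITCH's profile.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)
// ShibAttrs stands in for the attributes the IdP releases to the SLCS SP (names and mapping assumed).
type ShibAttrs struct{ Org, DisplayName, UniqueID string }
// DNFromAttrs is the server-side rule: federation attributes, not the client, determine the DN.
func DNFromAttrs(a ShibAttrs) pkix.Name {
	return pkix.Name{Country: []string{"CH"}, Organization: []string{a.Org}, CommonName: a.DisplayName + " " + a.UniqueID}
}
// ClientCSR models slcs-init: the key pair is generated on the user's host and never leaves it; only the CSR does.
func ClientCSR(a ShibAttrs) (key *rsa.PrivateKey, csrDER []byte, err error) {
	if key, err = rsa.GenerateKey(rand.Reader, 2048); err == nil {
		csrDER, err = x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: DNFromAttrs(a)}, key)
	}
	return
}
// NewCA is a throwaway self-signed online CA for the demonstration (errors ignored: fixture only).
func NewCA() (*x509.Certificate, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo SLCS CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	ca, _ := x509.ParseCertificate(der)
	return ca, key
}
// IssueShortLived is the online-CA step: the CSR signature proves possession of the private key, the
// subject must equal the DN derived from the authenticated Shibboleth session, and validity is bounded.
func IssueShortLived(ca *x509.Certificate, caKey *rsa.PrivateKey, session ShibAttrs, csrDER []byte, lifetime time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err = csr.CheckSignature(); err != nil {
		return nil, err
	}
	if csr.Subject.String() != DNFromAttrs(session).String() {
		return nil, errors.New("CSR subject does not match the attributes of the authenticated session")
	}
	now := time.Now()
	t := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), Subject: csr.Subject,
		KeyUsage: x509.KeyUsageDigitalSignature, NotBefore: now.Add(-5 * time.Minute), NotAfter: now.Add(lifetime)}
	return x509.CreateCertificate(rand.Reader, t, ca, csr.PublicKey, caKey)
}
```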
Attribute Exchange to VOMS
VOMS Attributes from Shibboleth (VASH)

Problem
• SLCS ties AAI authentication to the issuance of an X.509 certificate
  • AAI attributes are used to construct the DN
• SLCS intends to make AAI attributes available to grid resources for authorization decisions
  • Which AAI attributes are of interest to the grid resource?
  • How does the resource obtain the attributes (pull vs push)?
  • Relation to VO attributes
  • Deployment issues

VASH Design (1)
• VASH: VOMS Attributes from Shibboleth
• Shibboleth SP
  • Browser-based
  • Specific for a federation and a VO
• “Lightweight” SP
  • No administrator duties
  • No management of attributes
  • Simply transfers attributes upon user request

VASH Design (2)
• X.509 and proxy X.509 with VOMS AC unchanged
• No change in VOMS
  • Requires VOMS version 1.7.10 or higher
• VO registration not changed
• Administrative domains of the Shibboleth federation and of VOMS fully decoupled
• The user manages the mapping between the DN in VOMS and the Shibboleth user id (for classic X.509 and SLCS X.509)

Deployment Options
• Option 1: as an add-on to an existing VOMS-based VO
• Option 2: as a registration tool that allows a member of a Shibboleth IdP to become a member of a VOMS-based VO
  • Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)

Status VASH
• Software implementation done
• MJRA1.5 document: https://edms.cern.ch/document/807849/1
• Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource are available
  • Access to the VOMS AC
  • LCAS/LCMAPS plugin
• http://www.switch.ch/grid/vash

Future Developments within EGEE
SAML Support in Grids

SAML Support
• Goal: extend the use of SAML in grids beyond what is already provided by EGEE-II (SLCS, VASH)
• Benefits:
  • The (average) user has no certificates anymore
  • Introduce SAML gently beyond phase 1 and 2, gain experience
  • Compatible with the Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementations
  • Options open for the future
• Requires: a means for a service to transform the security token it has into the security token it needs

Security Token Service
• WS-Trust defines mechanisms for brokering trust through an authority called a Security Token Service (STS)
• The Security Token Service has a trust relationship with both the client and the service

Use Cases
• Grid:
  • A Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element, …)
  • The user needs to obtain a security token that the Grid services understand (X.509)
• Non-browser-based Shibboleth applications:
  • The user agent contacts the Shibboleth IdP with a credential (e.g. username, password)
  • The user agent receives a SAML assertion to be sent to a Shibboleth SP
Other Activities
• GridShib
  • Globus
  • Community access to TeraGrid through gateways
• Activities in the UK
  • Shebangs and ShibGrid
  • Shintau: attribute aggregation from multiple IdPs
• OMII-Europe:
  • SAML assertions from VOMS

GridShib Software Components
• GridShib for Globus Toolkit: a plugin for GT 4.0
• GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
• GridShib CA: a web-based CA for new grid users
• GridShib SAML Tools: tools for portals and users to embed attributes into X.509 credentials
• All at: http://gridshib.globus.org/
Slide: courtesy of Von Welch, NCSA

Community Access via Science Gateway
[Diagram: Web Portal with Local Attributes (may be dynamic); GridShib for Shib (Authenticate, Attributes); GridShib SAML Tools; GridShib for GT; Grid Requests]
Slide: courtesy of Von Welch, NCSA

Summary
• Interoperability AAI - Grids makes the Grid accessible to a large user community
• Interoperability Grid - Shibboleth in EGEE:
  • SLCS service: online CA issuing X.509 certificates based upon authN at a Shibboleth IdP
  • VASH service: transfers Shibboleth attributes into VOMS; Shib attributes are available to grid resources as part of the VOMS AC
  • SLCS and VASH can be used independently of gLite
  • SAML support in Grids through a Security Token Service (STS)
• Other interoperability efforts
  • GridShib
  • UK e-Science: ShibGrid, Shintau

Q & A

SWITCH SLCS Setup
• 3 separate servers in an increasingly secure environment (network and physical access)
  • Front End: Shibboleth SP
  • SLCS Server: Tomcat web app
  • Online CA: Microsoft Certificate Server with a Hardware Security Module (HSM)
  • Offline CA: signs the Online CA; stored in a bank safe

Web Interface VASH Service

Multiple Security Domains
• A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509)
• Multiple STSs can be used in a trust chain across security domains (delegated trust)