
Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch



  1. GridShib: Grid/Shibboleth Integration Update
     GGF 18 Shibboleth Developers BoF, September 10-11, 2006, Washington, DC
     Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch

  2. Goals
     • Allow users to use existing campus IdM systems to authenticate to the Grid
     • Assume Shibboleth everywhere
     • Allow Grid access to campus attributes
     • Hide as much of X.509 from users as possible
     GGF 18

  3. Previous Work (from GGF 16)
     • Integration of the Shibboleth AA with GT
       • GT can query the Shib AA, get attributes, and use those attributes to make authz decisions
       • Drop-in addition to GT 4.0 and Shibboleth 1.3
       • Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
     • GridShib-CA
       • Beta release publicly available
       • Expect to officially release in GT 4.1/4.2

  4. Shib Authorization in GT
     • Currently have simple authorization mechanisms:
       • List of attributes required to use a service or container
       • Mapping of attributes to a local identity for GRAM job submission

  5. Recent Work: Authn Assertions in Certificates
     • IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
       • Provides a pointer to the IdP and the NameID to use
     • Big picture: it lets the credential issuer control the name binding
       • Allows the certificate issuer to tell the Grid service what IdP (AA) to contact and what name (with Format and qualifier) to use
       • Allows use of a standard AA, as it doesn't have to be involved in X.509 anymore
     • Also allows trusted EECs to put identity into a first-level proxy certificate
       • Intended for Grid portals and science gateways

  6. nanoHUB (diagram; labels: nanoHUB Portal, User authenticates to portal, X.509 w/SAML Authn, AA, SAML Attribute Query)

  7. myVocs integration
     • Collaboration with Jill Gemmill and John-Paul Robinson, U. Alabama-Birmingham
     • myVocs allows for the formation of Shibboleth-based VOs
     • Coupling with GridShib allows myVocs-based VOs to access Grid resources

  8. GridShib-myVocs Integration (diagram; label: GridShib CA)

  9. User Registers with myVocs (diagram; labels: GridShib CA, Identity, Auth)

  10. (diagram slide, no text)

  11. (diagram slide, no text)

  12. (diagram slide, no text)

  13. VO Admin Adds User to VO (diagram; labels: GridShib CA, VO attributes)

  14. Grid Logon (diagram; labels: GridShib CA, Identity, Auth, Grid Creds.)

  15. (diagram slide, no text)

  16. (diagram slide, no text)

  17. (diagram slide, no text)

  18. (diagram slide, no text)

  19. Grid Service Invocation (diagram; labels: GridShib CA, VO Attributes, Grid Id, Grid Creds.)

  20. (diagram slide, no text)

  21. (diagram slide, no text)

  22. Future Plans: Attribute Push
     • Turning to attribute push
     • Our observation is that most Grid use cases want:
       • A persistent ID from the home institution
       • Attributes from the VO
     • The Shib/X.509 gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
     • The push model seems to be easier: Shib2, VOMS, CAS

  23. Attribute-push mode
     • User authenticates to the portal
       • Could be GridShib-CA
     • Portal gathers up the Shibboleth-issued attributes
       • Combines them with VO-issued attributes
     • Pushes the attributes in the X.509 certificate
       • Including the original Shibboleth assertions
       • Can include the Authn assertion if the Grid service wants to query for more
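The pieces that slides 4, 5 and 23 describe (the IdP pointer and NameIdentifier carried in an embedded Authn assertion, the pushed attributes, and GT's simple "required attributes" and "attribute to local identity" checks) can be seen end to end by parsing one SAML 1.1 assertion. The following Python is an added example, not GridShib or Globus Toolkit code. The assertion, the VO attribute name `urn:example:vo:membership`, the example.edu URIs and the local account names are constructed. It deliberately does not verify the assertion's XML signature or the certificate that carries it; in the design on these slides, trust in the embedded assertion rests on the certificate issuer's signature, which a real service must validate before acting on any of these values.

```python
"""Parse a SAML 1.1 assertion of the kind the slides embed in an X.509 certificate and
apply GT-style attribute authorization. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"  # namespace shared by SAML 1.0 and 1.1
NS = {"saml": SAML1_NS}
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"  # standard Shibboleth attribute
VO_MEMBER = "urn:example:vo:membership"                           # constructed VO attribute name

# Constructed sample: an AuthenticationStatement (IdP pointer + NameIdentifier with Format and
# NameQualifier) plus an AttributeStatement carrying one campus and one VO attribute (push model).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-assertion-1" Issuer="https://idp.example.edu/shibboleth"
    IssueInstant="2006-09-10T12:00:00Z">
  <saml:Conditions NotBefore="2006-09-10T12:00:00Z" NotOnOrAfter="2006-09-10T20:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2006-09-10T12:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.edu/shibboleth">_handle123</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
          NameQualifier="https://idp.example.edu/shibboleth">_handle123</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="{AFFILIATION}"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>faculty</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="{VO_MEMBER}"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>nanohub-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Extract issuer, validity window, authn method, NameIdentifier and attributes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML1_NS:
        raise ValueError("not a SAML 1.x Assertion")
    info = {"issuer": root.get("Issuer"), "name_id": None, "authn_method": None,
            "not_before": None, "not_on_or_after": None, "attributes": {}}
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        info["not_before"] = cond.get("NotBefore")
        info["not_on_or_after"] = cond.get("NotOnOrAfter")
    authn = root.find("saml:AuthenticationStatement", NS)
    if authn is not None:
        info["authn_method"] = authn.get("AuthenticationMethod")
        nid = authn.find("saml:Subject/saml:NameIdentifier", NS)
        if nid is not None:
            # Format + NameQualifier tell the Grid service which IdP/AA to ask and which name to use
            info["name_id"] = {"value": (nid.text or "").strip(),
                               "format": nid.get("Format"),
                               "qualifier": nid.get("NameQualifier")}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        info["attributes"].setdefault(attr.get("AttributeName"), []).extend(values)
    return info


def parse_timestamp(s):
    """SAML 1.x dateTime in UTC ('Z') form."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_valid_at(info, now):
    """Enforce the Conditions window; a missing bound is treated as unbounded."""
    if info["not_before"] and now < parse_timestamp(info["not_before"]):
        return False
    if info["not_on_or_after"] and now >= parse_timestamp(info["not_on_or_after"]):
        return False
    return True


def authorize(info, required):
    """required: {attribute_name: set of acceptable values}. Every listed attribute must be
    present with at least one acceptable value (an empty requirement admits everyone)."""
    attrs = info["attributes"]
    return all(any(v in allowed for v in attrs.get(name, []))
               for name, allowed in required.items())


def map_local_account(info, mapping):
    """mapping: list of (attribute_name, value, local_account); the first match wins,
    as in GT's attribute-to-local-identity mapping for GRAM job submission."""
    for name, value, local in mapping:
        if value in info["attributes"].get(name, []):
            return local
    return None


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_ASSERTION)
    print("IdP:", info["issuer"], "NameID:", info["name_id"])
    print("authorized:", authorize(info, {AFFILIATION: {"faculty", "staff"},
                                          VO_MEMBER: {"nanohub-users"}}))
    print("local account:", map_local_account(info, [(VO_MEMBER, "nanohub-users", "nanohub")]))
```

The validity check is kept separate from the attribute check so a service can log an expired assertion distinctly from a missing attribute; both outcomes should be denied, but they point at different operational problems (clock skew or stale credentials versus a VO membership that was never granted).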

  24. SAML/X.509 Binding Specification
     • SAML V1.1 Profiles for X.509 Subjects
       • http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
     • Includes the following profiles:
       • X.509 SAML Subject Profile
       • SAML Assertion Profile for X.509 Subjects
       • SAML Attribute Query Profile for X.509 Subjects
       • SAML Attribute Self-Query Profile for X.509 Subjects

  25. More Information
     • http://gridshib.globus.org
     • Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006. http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
     • GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
     • dev.globus incubator: http://dev.globus.org/wiki/Incubator/GridShib
