Shibboleth gJAF discussion Tele-meeting 22 Feb. 2007
Shibboleth (short primer)
[Diagram: Shibboleth flow: 1. ‘access’, 2. authN, 3. handle, 4. SAML attributes]
Shibboleth gJAF tele-meeting
Shibboleth Key Characteristics
• concept of federation
• large user base, few resources
• single sign on
[Diagram: Federation, with the Shibboleth flow: 1. ‘access’, 2. authN, 3. handle, 4. SAML attributes]
Grid, yet another Shib resource?
• driving force: access to a highly attractive ‘resource’ (in particular for academia)
• *but* the resource is protected by different concepts and mechanisms
• Challenge: leverage existing identity management and allow easy access to the ‘grid resource’
[Diagram: GRID as the resource in the Shibboleth flow: 1. access, 2. authN, 3. handle, 4. SAML attributes]
Does Grid Care?
• authN/authZ paradigms in Grid:
  - VO and X509 based (VOMS)
  - existing granularity level ends at group & role level
  - facility for more granularity exists => VOMS feature of storing key-value data on an individual basis (version 1.7.10 on)
• Problem/open issue:
  - who is going to provide the information for key-value user data?
  - if VOMS is to handle all the user management at such a level, we’re back to the pre-Shibboleth age
Grid meets Shibboleth
• attributes that Shibboleth may provide for more granular authZ in the Grid
• motivation to use Shibboleth attributes:
  - common understanding of what they mean (“a rose is a rose is a rose”)
  - efforts to standardize attribute names with OIDs
[Diagram: GRID in the Shibboleth flow: 1. access, 2. authN, 3. handle, 4. SAML attributes]
Coping with the ‘Grid resource’
• Problem:
  - Shibboleth federation concept not applicable for grid! (each grid component would need to become a federation member)
• 2 complementary approaches:
  - SLCS & mediator service VASH
  - (Switch’s phase 3…)
Big Picture
[Diagram: GRID; for each VO and federation a Vash service/server]
Vash Service
[Diagram: Vash service]
Grid authZ with Shibboleth
• LCAS plugin (work in progress)
• ACL xml file (no GACL as too limited, no XACML as no C implementation)
• Example:

    <AccessControlList>
      <!-- simple rule example -->
      <AccessControlRule>
        <Attribute name="Unique ID"> 112358@switch.ch</Attribute>
      </AccessControlRule>
      <!-- AND rule example -->
      <AccessControlRule>
        <Attribute name="Shib-SwissEP-HomeOrganization">switch.ch</Attribute>
        <Attribute name="Shib-EP-Affiliation"> staff </Attribute>
      </AccessControlRule>
      <AccessControlRule>
        <Attribute name="Shib-SwissEP-HomeOrganization"> vho switchaai.ch</Attribute>
      </AccessControlRule>
      <AccessControlRule>
        <Attribute name="Shib-SwissEP-HomeOrganization">unizh.ch</Attribute>
        <Attribute name="Shib-EP-Affiliation">staff</Attribute>
      </AccessControlRule>
    </AccessControlList>
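As an added illustration of the ACL semantics sketched on the slide (attributes inside one AccessControlRule are ANDed, the rules themselves are ORed), the following Python evaluator is not the LCAS plugin's code; the sample ACL and user attribute sets are constructed, and the ';'-separated multi-value handling assumes the Shibboleth SP's usual export format. It also trims whitespace in rule values (note the stray spaces in the slide's example) and refuses an empty rule, which would otherwise grant access to everyone.

```python
import xml.etree.ElementTree as ET

# Constructed sample ACL in the slide's format (hypothetical values).
ACL_XML = """<AccessControlList>
  <AccessControlRule>
    <Attribute name="Unique ID"> 112358@switch.ch</Attribute>
  </AccessControlRule>
  <AccessControlRule>
    <Attribute name="Shib-SwissEP-HomeOrganization">switch.ch</Attribute>
    <Attribute name="Shib-EP-Affiliation"> staff </Attribute>
  </AccessControlRule>
</AccessControlList>"""


def parse_acl(xml_text):
    """Return a list of rules; each rule is a list of (name, value) requirements."""
    root = ET.fromstring(xml_text)
    if root.tag != "AccessControlList":
        raise ValueError("root element must be AccessControlList")
    rules = []
    for rule in root.findall("AccessControlRule"):
        reqs = []
        for attr in rule.findall("Attribute"):
            name = attr.get("name")
            value = (attr.text or "").strip()  # tolerate extraction/editing whitespace
            if not name or not value:
                raise ValueError("Attribute needs a name and a non-empty value")
            reqs.append((name, value))
        if not reqs:  # a rule with no requirements would match every user
            raise ValueError("empty AccessControlRule would grant access to everyone")
        rules.append(reqs)
    return rules


def acl_is_valid(xml_text):
    """Configuration check: True if the ACL parses and contains no empty rule."""
    try:
        parse_acl(xml_text)
        return True
    except (ET.ParseError, ValueError):
        return False


def is_authorized(rules, user_attrs):
    """Grant if ANY rule holds; a rule holds only if ALL its requirements are met.
    user_attrs maps attribute name -> raw value string; multi-valued attributes are
    assumed to be ';'-separated, as the Shibboleth SP exports them."""
    def has(name, value):
        raw = user_attrs.get(name, "")
        return value in {v.strip() for v in raw.split(";") if v.strip()}
    return any(all(has(n, v) for n, v in rule) for rule in rules)
```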