GridShib: Campus/Grid RBAC Integration. GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids, October 3rd, 2005. Von Welch, vwelch@ncsa.uiuc.edu.

GridShib: Campus/Grid RBAC Integration
GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids
October 3rd, 2005

Von Welch

vwelch@ncsa.uiuc.edu

What is GridShib
  • NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
    • Funded under NSF award SCI-0438424
  • GridShib team: NCSA, U. Chicago, ANL
    • Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
  • Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

GGF15

motivation
Motivation
  • Many Grid VOs are focused on science or business other than IT support
    • Don’t have expertise or resources to run security services
  • Allow for leveraging of Shibboleth code and deployments run by campuses

Outline
  • Overview of Shibboleth
  • Overview of Globus/Grid PKI
  • Approach
  • Status and Future Plans

Campus Infrastructure
[Figure: Example U. campus infrastructure holding Identities and Attributes]

[Figure: Example U. services (Check out book…, Access student records…) asking “Student?” and “Is student John Smith?” about a user]

[Figure: Example U. user attempting “Check out book…” at Ersatz State; obstacles labelled Privacy, Different protocols, Different Schemas]

Shibboleth
  • http://shibboleth.internet2.edu/
  • Internet2 project
  • Allows for inter-institutional sharing of web resources (via browsers)
    • Provides attributes for authorization between institutions
  • Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
  • Standards-based (SAML)
  • Being extended to non-web resources

[Figure: Shibboleth at Ersatz State. Uses SAML to express identity and attributes to allow for interoperability (Authn/Authz). Uses short-lived identifiers to protect privacy of users.]

[Figure: Example U. user with a Pseudonymous Identifier checks out a book at Ersatz State; Shibboleth answers “Is a student” for the Pseudonymous Identifier]

Shibboleth
  • Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
  • SSO: authenticates user locally and issues authentication assertion with Handle
    • Assertion is short-lived bearer assertion
    • Handle is also short-lived and non-identifying
    • Handle is registered with AA
  • Attribute Authority responds to queries regarding handle

Shibboleth
  • Service Provider composed of Assertion Consumer and Attribute Requestor
  • Assertion Consumer parses authentication assertion
  • Attribute Requestor: requests attributes from AA
    • Attributes used for authorization
  • Where Are You From (WAYF) service determines user’s Identity Provider
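The two Shibboleth slides above describe a protocol exchange: the IdP's SSO authenticates the user and issues a short-lived bearer assertion carrying a short-lived, non-identifying Handle that is registered with the AA; the SP's Assertion Consumer checks the assertion and its Attribute Requestor queries the AA by Handle. The following toy model is an added example, not Shibboleth or GridShib code; the issuer name, lifetimes, user names, passwords and directory contents are all constructed assumptions.

```python
"""Toy model of the Shibboleth IdP / SP exchange described on the slides.
Added illustration, not Shibboleth or GridShib code. The SSO service
authenticates a user, mints a short-lived non-identifying Handle, registers
it with the Attribute Authority (AA) and issues a short-lived bearer
assertion; the SP's Assertion Consumer checks the assertion and the
Attribute Requestor queries the AA for attributes by Handle.
Lifetimes, issuer name, users, passwords and directory are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ASSERTION_LIFETIME_S = 60.0   # assumed lifetime of the bearer assertion
HANDLE_LIFETIME_S = 300.0     # assumed lifetime of the Handle known to the AA

# Constructed campus directory, standing in for the LDAP on the slides.
DIRECTORY = {
    "jsmith": {"eduPersonAffiliation": "student"},
    "pjones": {"eduPersonAffiliation": "faculty"},
}


@dataclass
class Assertion:
    """Bearer authentication assertion: names the Handle, never the user."""
    issuer: str
    handle: str
    not_on_or_after: float


class AttributeAuthority:
    """Maps live Handles to local users and releases attributes only."""

    def __init__(self) -> None:
        self._handles: Dict[str, Tuple[str, float]] = {}

    def register(self, handle: str, user: str, expires_at: float) -> None:
        self._handles[handle] = (user, expires_at)

    def query(self, handle: str, now: float) -> Optional[dict]:
        entry = self._handles.get(handle)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:          # expired Handle: forget it, answer nothing
            del self._handles[handle]
            return None
        return dict(DIRECTORY[user])   # the local user id never leaves the IdP


class SingleSignOn:
    """Authenticates locally and issues assertions carrying a fresh Handle."""

    def __init__(self, issuer: str, aa: AttributeAuthority, passwords: dict) -> None:
        self.issuer, self.aa, self.passwords = issuer, aa, passwords

    def login(self, user: str, password: str, now: float) -> Optional[Assertion]:
        expected = self.passwords.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        handle = secrets.token_urlsafe(16)   # random: reveals nothing about the user
        self.aa.register(handle, user, now + HANDLE_LIFETIME_S)
        return Assertion(self.issuer, handle, now + ASSERTION_LIFETIME_S)


class ServiceProvider:
    """Assertion Consumer plus Attribute Requestor."""

    def __init__(self, trusted_issuers: set, aa: AttributeAuthority) -> None:
        self.trusted_issuers, self.aa = trusted_issuers, aa

    def consume(self, assertion: Assertion, now: float) -> str:
        if assertion.issuer not in self.trusted_issuers:
            raise ValueError("untrusted issuer")
        if now >= assertion.not_on_or_after:
            raise ValueError("assertion expired")
        return assertion.handle

    def request_attributes(self, handle: str, now: float) -> Optional[dict]:
        return self.aa.query(handle, now)


def run_flow(user: str, password: str, now: float = 1000.0) -> dict:
    """Drive one login at the IdP and one attribute query from the SP."""
    aa = AttributeAuthority()
    sso = SingleSignOn("idp.example.edu", aa, {"jsmith": "correct horse", "pjones": "pw"})
    sp = ServiceProvider({"idp.example.edu"}, aa)
    assertion = sso.login(user, password, now)
    if assertion is None:
        return {"authenticated": False}
    handle = sp.consume(assertion, now)
    return {
        "authenticated": True,
        "handle_reveals_user": user in handle,
        "attributes": sp.request_attributes(handle, now),
        # the same Handle after its lifetime yields nothing
        "attributes_after_expiry": sp.request_attributes(handle, now + HANDLE_LIFETIME_S),
    }
```

The point of the model is that the SP only ever sees a random Handle and the attributes the AA chooses to release, and that both the assertion and the Handle stop working once their lifetimes pass, which is what limits the damage if a bearer assertion is captured.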

Shibboleth (Simplified)
[Figure: Shibboleth IdP (SSO and AA, backed by e.g. LDAP) and Shibboleth SP (ACS and AR) communicating via SAML. The Handle passes from SSO to ACS via the WWW browser; the AR presents the Handle to the AA and receives Attributes.]

Globus Toolkit
  • http://www.globus.org
  • Toolkit for Grid computing
    • Job submission, data movement, data management, resource management
  • Based on Web Services and WSRF
  • Security based on X.509 identity- and proxy-certificates
    • May be from conventional or on-line CAs
  • Some initial attribute-based authorization

Grid PKI
  • Large investment in PKI at the international level for Grids
    • TAGPMA, GridPMA, APGridPMA
    • Dozens of CAs, thousands of users
  • Really painful to establish
  • But it’s working…
    • And it’s not going away easily

Integration Approach
  • Conceptually, replace Shibboleth’s handle-based authentication with X509
    • Provides stronger security for non-web browser apps
    • Works with existing PKI install base
  • To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible

Use Cases
  • Project leveraging campus attributes
    • Simplest case
  • Project-operated Shib service
    • Project operates own service, conceptually easy, but not ideal
  • Campus-operated, project-administered Shib
    • Ideal mix, but need mechanisms for provisioning of attribute administration

GridShib (Simplified)
[Figure: GridShib flow. The client presents its DN to the Grid service over SSL/TLS, WS-Security; Attributes come back from Shibboleth via SAML, keyed by DN. Remaining labels on the figure: A, SSO.]

Authorization
  • Delivering attributes is half the story…
  • Currently have a simple authorization mechanism
    • List of attributes required to use service or container
  • Developing finer-grain authorization for GRAM
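The Integration Approach slide replaces the Handle with the caller's X.509 identity, and the Authorization slide describes the current mechanism as a list of attributes required to use a service or container. The following added example models both; it is not GridShib code. The DNs, attribute names, per-service policy and the proxy-DN normalization (stripping trailing proxy CN components so the AA is asked about the user's own certificate) are constructed assumptions.

```python
"""Toy model of the GridShib integration approach and its simple
attribute-list authorization, as described on the slides. Added
illustration, not GridShib code: the X.509 subject DN authenticated on the
SSL/TLS or WS-Security connection takes the place of the Shibboleth Handle
as the key the Attribute Authority answers for, and each Grid service is
protected by a list of required attributes. DNs, attribute names, policy
and the proxy-DN normalization are constructed assumptions."""
import re
from typing import Dict, List, Set, Tuple

# Constructed AA contents: end-entity certificate DN -> released attributes.
AA_BY_DN: Dict[str, Dict[str, Set[str]]] = {
    "/DC=org/DC=example/OU=People/CN=John Smith": {
        "eduPersonAffiliation": {"student", "member"},
    },
    "/DC=org/DC=example/OU=People/CN=Pat Jones": {
        "eduPersonAffiliation": {"faculty", "member"},
        "isMemberOf": {"cn=grid-users,ou=groups,dc=example,dc=org"},
    },
}

# Constructed policy: for each service, attribute name -> acceptable values.
# A caller must hold at least one acceptable value for every listed attribute.
SERVICE_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "gram": {
        "eduPersonAffiliation": {"faculty", "staff"},
        "isMemberOf": {"cn=grid-users,ou=groups,dc=example,dc=org"},
    },
    "gridftp": {"eduPersonAffiliation": {"student", "faculty", "staff"}},
}

# Assumed simplification: legacy GSI proxies append CN=proxy or
# CN=limited proxy, RFC 3820 proxies append a numeric CN component.
_PROXY_CN = re.compile(r"^CN=(proxy|limited proxy|\d+)$")


def end_entity_dn(subject: str) -> str:
    """Strip trailing proxy-certificate CN components so the AA is asked
    about the user's own certificate DN, not a short-lived proxy."""
    parts = subject.split("/")
    while parts and _PROXY_CN.match(parts[-1]):
        parts.pop()
    return "/".join(parts)


def lookup_attributes(subject: str) -> Dict[str, Set[str]]:
    """Attribute query keyed by DN instead of Handle; unknown DN -> nothing."""
    return AA_BY_DN.get(end_entity_dn(subject), {})


def authorize(service: str, subject: str) -> Tuple[bool, List[str]]:
    """Return (allowed, required attributes the caller does not satisfy)."""
    policy = SERVICE_POLICY[service]
    attrs = lookup_attributes(subject)
    missing = [name for name, ok in policy.items() if not attrs.get(name, set()) & ok]
    return not missing, missing
```

Returning the unsatisfied attribute names rather than a bare yes/no keeps the decision auditable: a denied job submission can be logged with the attribute that was missing, which is what an operator needs when a campus changes how it releases an attribute.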

Authorization Plans
  • Develop authorization framework in Globus Toolkit
    • Siebenlist et al. at Argonne
    • Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
  • Work in OGSA-Authz WG to allow for callouts to third-party authorization services
    • E.g. PERMIS
  • Convert Attributes (SAML or X509) into common format for policy evaluation
    • XACML-based

GridShib Status
  • Beta release publicly available
  • Drop-in addition to GT 4.0 and Shibboleth 1.3
  • Project website:
    • http://gridshib.globus.org
  • Very interested in feedback

Future Plans
  • Integration of GridShib with MyProxy Online CA
    • Allow for use of Grid Resources by users without long-term X509 credentials
    • Collaboration with Jim Basney
  • Signet/Grouper integration for distributed attribute administration
    • See Tom Barton’s talk

Questions?
  • My email:
    • vwelch@ncsa.uiuc.edu
  • Project website:
    • http://gridshib.globus.org
