
Shibboleth & Grid Integration

Shibboleth & Grid Integration. STFC and University of Oxford (and University of Manchester). Overview. Motivation Why Shibboleth? Previous work: ShibGrid Other projects Just starting: SARoNGS Conclusions. Motivation. We want to encourage more users to use the Grid All areas of research


Presentation Transcript


  1. Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

  2. Overview
  • Motivation
  • Why Shibboleth?
  • Previous work: ShibGrid
  • Other projects
  • Just starting: SARoNGS
  • Conclusions

  3. Motivation
  • We want to encourage more users to use the Grid
    • All areas of research
    • Single researcher to large projects
  • Security infrastructure must enable this
    • Certificates are often a barrier
    • Generalised, not specific
    • Straightforward to use

  4. Why Shibboleth?
  • JISC is encouraging all institutions to transition from Athens to “Federated Access Management”
  • This technology is currently based on Shibboleth
  • It will become familiar to all academic users
  • The Grid should also use this common technology for authentication

  5. Shibboleth Overview
  • Web-based federated access management system based on SAML
  • Based on separation of authentication and authorisation
    • Authentication: Identity Provider (IdP) at user’s home institution
    • Authorisation: Service Provider (SP), based on information about the user from the IdP
    • Discovery: Where Are You From (WAYF) service
  • User can remain anonymous at the SP

  6. Shibboleth Authentication and Authorisation (diagram: web server flow; thanks to Kang Tang)

  7. ShibGrid Use Cases
  • Access to the Grid solely with Shibboleth
    • Use standard Grid certificates when something extra is required – still many advantages
  • Access to the Grid through a Portal
    • NGS portal/project portals
  • Access to the Grid through other access methods
    • Globus, Java GSI-SSH Terminal, CoG, etc.
  • Registration (for NGS) using Shibboleth

  8. ShibGrid access to the NGS (via Portal) (diagram: Shibboleth authentication and authorisation; thanks to Kang Tang)

  9. Other Components
  • Grid proxy download tool
    • For non-portal Grid access methods
  • Grid proxy upload tool
  • Registration service
    • Data Protection Act/Acceptable Use Policy
    • Check the user’s institution is supported
    • Check the user has the correct configuration
    • Link to NGS user registration

  10. Logon via Shibboleth…

  11. …Choose your home institution…

  12. …background log-in using Kerberos…

  13. …welcome to the Portal…

  14. …and we have an automatically-generated Grid proxy

  15. Other Projects
  • “There’s more than one way to skin a cat”
  • This list is not exhaustive...
  • UK – SHEBANGS, ShibGrid, GridSite, DyVOSE/VOTES/BRIDGES/GLASS and GridShibPERMIS
  • US – GridShib
  • Switzerland – SWITCH (gLite)
  • Australia – MAMS

  16. Other Shib+Grid Projects: We want to support all use cases (diagram; the boxes read as follows)
  • GEMS: Grid-enabling MIMAS data set
  • SHEBANGS: Shib+Grid research with VO support; computation focus
  • ShibGrid: Production quality, no VO support; computation focus; possible production service
  • VPMan: VO-based resource access control
  • NGS: Full VO/VOMS support; no VO-based access control
  • SARoNGS: Universal solution: VO, compute and data support; full production service for NGS and MIMAS, etc.

  17. Just starting: SARoNGS
  • Will provide a standard production bridge for all UK academics from the UK Federation into the Grid world
  • Integrated access to compute and data resources
  • Will provide a much simpler model for integrating resources
  • Will combine expertise from ShibGrid, SHEBANGS and MIMAS

  18. The SARoNGS CTS (NGS default) (Credential Translation Service) (diagram; the components and flows read as follows)
  • Components: Shibboleth Service Provider, NGS default CTS, Shib-enabled MyProxy CA, NGS MyProxy Server, VOMS Server, Registration Forms
  • Human interface: user’s browser, portal logon, redirect via the Shibboleth Service Provider
  • Machine interface: requests from tools, MyProxy username/password, retrieve credential
  • Flows: request certificate, store proxy, add VOMS AC, request authorisation certificate (by DN) via email to VO manager

  19. The SARoNGS CTS (VO-based) (diagram; the components and flows read as follows)
  • Components: Shibboleth Service Provider, VO-based CTS, Shib-enabled MyProxy CA, NGS MyProxy Server, PERMIS Policy, PERMIS Access Control, Registration Forms (optional)
  • Human interface: user’s browser, portal logon, redirect via the Shibboleth Service Provider
  • Machine interface: requests from tools, MyProxy username/password, retrieve credential
  • Flows: request certificate, store proxy, generate VOMS AC

  20. Conclusions
  • There has been much research, but this must now be brought together to form a core production service
  • We are working towards fully integrating the Grid with the national access management federation:
    • Compute (initially NGS)
    • Data (initially MIMAS)

  21. Questions

  22. More than just portal access…
  • Registration service
    • Data Protection Act/Acceptable Use Policy
    • Check the user’s institution is supported
    • Check the user has the correct configuration
    • Link to NGS user registration
  • Grid proxy download tool
    • For non-portal Grid access methods
  • Grid proxy upload tool

  23. Architectural Design
  • Don’t change the user
    • Prevent extra logical steps: portal first
    • Easy to deploy in project portals
    • Support other access methods
  • Don’t change other services
    • Work within Shibboleth and GSI frameworks

  24. Requirements highlights
  • User/Project
    • Transparent access to eScience facilities, consistent with other SSO-enabled components
    • Access to components at home or away (even an Internet café)
    • Fit in with local authentication schemes
    • Don’t want to know about certificates
    • Want to use own project portal
  • NGS
    • Must be compatible with GT2 and the registration system
    • VOMS in the future

  25. ShibGrid MyProxy Checks
  • IdP (trusted): authentication/authorisation
    • Standard Shibboleth
  • Portal (not trusted):
    • Standard MyProxy checks
    • + check the attribute assertion was created for the portal
  • Users:
    • Authentication: at IdP
    • Authorisation:
      • Is the user registered?
      • username attribute = username used?
  • Attributes used to construct low-assurance certificate DNs
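The following is an added illustration, not code from ShibGrid or SARoNGS, of the credential translation flow in slide 18 together with the portal-side checks in slide 25: the CTS refuses an assertion that was not issued for the portal, an unregistered user, or a username attribute that differs from the username requested; it then builds a low-assurance DN from IdP attributes and parks the credential in a MyProxy-like store under a username/password that tools later present. The portal entityID, registration list, DN scheme and the assertion itself are constructed placeholders.

```python
import secrets
from dataclasses import dataclass
# Constructed sample values: not the real NGS portal entityID or registration list.
PORTAL_ENTITY_ID = "https://portal.example.ac.uk/shibboleth"
REGISTERED_USERS = {"alice@example.ac.uk"}

@dataclass
class Assertion:
    audience: str     # entityID (the portal) the IdP issued this assertion for
    attributes: dict  # attributes released by the IdP, e.g. eduPersonPrincipalName

def check_assertion(a, requested_user, portal=PORTAL_ENTITY_ID):
    """Checks the CTS applies on top of standard MyProxy checks; None means accepted."""
    if a.audience != portal:
        return "assertion not created for this portal"
    eppn = a.attributes.get("eduPersonPrincipalName")
    if eppn not in REGISTERED_USERS:
        return "user not registered"
    if eppn != requested_user:
        return "username attribute differs from requested username"
    return None

def low_assurance_dn(a):
    # Hypothetical DN scheme (not the NGS naming policy), built only from IdP attributes.
    return f"/C=UK/O=eScience/OU=LowAssurance/O={a.attributes['o']}/CN={a.attributes['eduPersonPrincipalName']}"

class MyProxyStore:
    """Minimal stand-in for the NGS MyProxy server: credential keyed by username/password."""
    def __init__(self):
        self._creds = {}
    def store(self, user, cred):
        password = secrets.token_urlsafe(16)  # returned to the portal, then used by tools
        self._creds[user] = (password, cred)
        return password
    def retrieve(self, user, password):
        entry = self._creds.get(user)
        if entry and secrets.compare_digest(entry[0], password):
            return entry[1]
        return None

def translate(a, requested_user, store):
    """CTS flow: check the assertion, derive the DN, issue a credential, store it in MyProxy."""
    err = check_assertion(a, requested_user)
    if err:
        raise PermissionError(err)
    cred = {"subject": low_assurance_dn(a), "issuer": "Shib-enabled MyProxy CA (simulated)"}
    return cred["subject"], store.store(requested_user, cred)
# Constructed assertion, as the Shibboleth SP would hand it to the CTS after IdP login.
SAMPLE = Assertion(PORTAL_ENTITY_ID,
                   {"eduPersonPrincipalName": "alice@example.ac.uk", "o": "Example University"})
```

A real deployment would verify the IdP signature and assertion validity window before these checks; here those are assumed to have been done by the Shibboleth SP.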
