1 / 11

NSF Middleware Initiative: GridShib

NSF Middleware Initiative: GridShib. Tom Barton University of Chicago. What is GridShib?. NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework” Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4

hilary-walls
Download Presentation

NSF Middleware Initiative: GridShib

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. NSF Middleware Initiative: GridShib Tom BartonUniversity of Chicago

  2. What is GridShib? • NSF Middleware Initiative (NMI) Grant:“Policy Controlled Attribute Framework” • Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4 • 2 year project started December 1, 2004 • Participants • Von Welch, UIUC/NCSA (PI) • Kate Keahey, UChicago/Argonne (PI) • Frank Siebenlist, Argonne • Tom Barton, UChicago

  3. Why? • Attribute-based authorization has shown itself to be useful in large grids with far-flung participants in several types of roles • Identity-based approach scales poorly • Shibboleth is well supported and becoming widely deployed • SAML is used by larger identity federation world, not just Shibboleth. Integrating SAML support into Grids opens the door to leveraging this large technology space

  4. GridShib Integration Principles • No modification to typical grid client applications • Modifications only to Grid Services and security clients (e.g. grid-proxy-init) • Leverage shibboleth’s attribute marshaling capability and release policies • Leverage strategic investment that campuses make in Identity Management operations

  5. GridShib Progress • Developers hired February 2005 • Substantial resolution of GridShib’s Shibboleth usage profile • Shibboleth IdP plugin nearing completion • Maps externally-issued X.509 identity certificates to local identifiers • SAML attribute marshaling in GT4 runtime nearing completion

  6. GridShib Progress (cont’d) • Common attribute format internal to GT4 runtime to support access policies spanning SAML and X.509 PMI attribute sources • Uses XACML Request Context • Initial GridShib release for closed alpha deployment • Readiness by end of June • Overlays GT 4.0 and Shib 1.3

  7. Potential Early Adopters • Focused efforts to understand and evaluate potential use of GridShib in: • caBIG, Cancer Bioinformatics Grid • UK eScience Grid • LOOKING, Laboratory for the Ocean Observatory Knowledge Integration Grid • University of Southern California • University of Alabama at Birmingham • SURAgrid

  8. GridShib Challenges • Identity Provider Discovery • Compounded by need in some grids to consult several identity providers for each user • Distributed Attribute Administration • What happens when the folks running the attribute authority are not the ones authoritative for the attributes? • Some projects don’t have resources to run a 7x24 security service, but are the only ones who know the attribute space • Explore Signet, Grouper • Mapping local subject identifier to externally issued EEC

  9. Distributed Authorities Session authentication credential Attribute Authority Authorities Home Org Affiliated Org Grid user Signet, Grouper Virtual Org Grid Service

  10. Project objectives • Priority 1: Pull mode operation • Globus services contact Shibboleth to obtain attributes about identified user • Support both GT4.x Web Services and pre-WS code • Priority 2: Push mode operation • User obtains Shib attributes and push to service • Allows role selection • Priority 3: Online CAs • Pseudonymous operation • Integration with local authentication services

  11. Timeline • December 1, 2004: formal start • February 1, 2005: Developers on board and coding • Mid-Summer 2005: closed alpha release • pull model with user identified • Fall 2005: public releases • Production pull model with user identified • Beta push model with user identified • Implementation of simple policy description language • Targeting GT 4.1.x and Shibboleth 1.3 • 2006: Integration with online CAs

More Related