1 / 37

Interoperability AAI and Grids

Interoperability AAI and Grids. Christoph Witzig, SWITCH NORDUnet Conference April 9, 2008. Content. Introduction to AAIs Why interoperability AAI - Grids Authentication and authorization (AA) in Grids and Shibboleth Interoperability Shibboleth - Grid within EGEE

nuru
Download Presentation

Interoperability AAI and Grids

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Interoperability AAI and Grids Christoph Witzig, SWITCH NORDUnet Conference April 9, 2008

  2. Content • Introduction to AAIs • Why interoperability AAI - Grids • Authentication and authorization (AA) in Grids and Shibboleth • Interoperability Shibboleth - Grid within EGEE • Short-lived credential service (SLCS) • Attribute exchange to VOMS • Future developments within EGEE • Other activities in interoperability Shibboleth - Grids • Summary NORDUnet, Helsinki April 9, 2008

  3. Security Models • AAI solve the old problem of access control to resources • There are various technologies in use - their usefulness depends on the underlying infrastructure • Crusader Castle • League of Nations • Federations NORDUnet, Helsinki April 9, 2008

  4. Crusader Castle Appropriate for few, non-mobile users NORDUnet, Helsinki April 9, 2008

  5. Crusader Castle • Tedious user registration at all resources • Unreliable and outdated user data at resources • Different login processes • Many different passwords • Many resources not protected due to difficulties • Often IP-based authorization • Costly implementation of inter-institutional access University A Student Admin Web Mail e-Learning Library B e-Journals Literature DB University C Research DB e-Learning User Administration Authentication Authorization Resource Credentials NORDUnet, Helsinki April 9, 2008

  6. League of Nations Standardized Credentials (International Conference on Passports 1920) University A X.509 credentials Student Admin • User registration process with CA • User has one credential to present to resources • authN and authZ at resource • User has to manage credential • Standard use in grids (IGTF) • Delegation mechanism Web Mail e-Learning Passport Issuer (CA) University C Research DB e-Learning User Administration Authentication Authorization Resource Credentials NORDUnet, Helsinki April 9, 2008

  7. Federated Identity Management • No user registration and user data maintenance at resource needed • Single login process for the users • Many new resources available for the users • Enlarged user communities for resources • Efficient implementation of inter-institutional access Shibboleth • open source • internet2 • SAML • Web-based Single Sign-on • authN at Identity Provider • authZ at Service Provider based on user’s attributes as provided by IdP • Privacy University A Federated Identity Management Student Admin Web Mail e-Learning Library B e-Journals Literature DB University C Research DB e-Learning User Administration Authentication Authorization Resource Credentials NORDUnet, Helsinki April 9, 2008

  8. Example of an AAI: SWITCHaai NORDUnet, Helsinki April 9, 2008

  9. Why Interoperability AAI - Grid ? For AAI Federations: • Add grid resources to federation For Grids: • Add huge user base (campus network) For Users: • Simpler management of credentials • Easy access to grids For e-Science: • Unified user base • Bring stakeholders together (NRENs - Grids) NORDUnet, Helsinki April 9, 2008

  10. Interoperability Challenges • authN at grid resource • Attribute-based authZ • Federation attributes vs VO attributes • Delegation • Renewal of credentials NORDUnet, Helsinki April 9, 2008

  11. Content • Introduction to AAIs • Why interoperability AAI - Grids • Authentication and authorization (AA) in Grids and Shibboleth • Interoperability Shibboleth - Grid within EGEE • Short-lived credential service (SLCS) • Attribute exchange to VOMS • Future developments within EGEE • Other activities in interoperability Shibboleth - Grids • Summary NORDUnet, Helsinki April 9, 2008

  12. Overview Phase 1 and 2 SLCS = Short lived credential service VASH = VOMS attributes from Shibboleth NORDUnet, Helsinki April 9, 2008

  13. Design Decisions • SLCS CA and “VOMS SP” independent of each other • Separate Service Providers • Deployed independently • SLCS CA independent of the Grid middleware • VOMS SP only dependent on VOMS NORDUnet, Helsinki April 9, 2008

  14. Short Lived Credential Service (SLCS) NORDUnet, Helsinki April 9, 2008

  15. SLCS Profile • SLCS = Short Lived Credential Service • International Grid Trust Federation (IGTF) Profile • Minimum requirements: NORDUnet, Helsinki April 9, 2008

  16. SLCS Design • Private key is never transferred • Use commercial CA and only standard protocols • Modular design such that other people can use their own components • Shibboleth attributes determine DN NORDUnet, Helsinki April 9, 2008

  17. SLCS Operation • For the user: • Command line: slcs-init --idp <providerId> • Part of gLite User Interface (gLite-UI 3.1) (can also be installed independently) • For the RA from web-based admin tool: • Can enable or disable individual users (only for his institution) • Requirements formulated in CP/CPS • Can obtain log information (audit) • SWITCH: • Operates the service for the SWITCHaai federation NORDUnet, Helsinki April 9, 2008

  18. Status SLCS • Software development finished in 2006 • SWITCH SLCS Root CA accredited by EuGridPMA in February 2007 • SWITCH SLCS in production since April 2007 • http://www.switch.ch/grid/slcs NORDUnet, Helsinki April 9, 2008

  19. Attribute exchange to VOMS VOMS attributes from Shibboleth (VASH) NORDUnet, Helsinki April 9, 2008

  20. Problem • SLCS ties • AAI authentication to issuance of X.509 certificate • AAI attributes are used to construct the DN • SLCS intends to make AAI attributes available to grid resources for authorization decisions • Which AAI attributes are of interest to grid resource? • How does resource obtain attributes? (pull vs push) • Relation to VO attributes • Deployment issues NORDUnet, Helsinki April 9, 2008

  21. VASH Design (1) • VASH: • VOMS Attributes from Shibboleth • Shibboleth SP • Browser-based • Specific for • Federation • VO • “lightweight” SP • No administrator duties • No management of attributes • Simply transfers attributes upon user request NORDUnet, Helsinki April 9, 2008

  22. VASH Design (2) • X.509 and proxy X.509 with VOMS AC unchanged • No change in VOMS • Requires VOMS version 1.7.10 or higher • VO registration not changed • Administrative domain between Shibboleth federation and VOMS fully decoupled • User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509) NORDUnet, Helsinki April 9, 2008

  23. Deployment Options • Option 1: • As an add-on to an existing VOMS-based VO • Option 2: • As a registration tool which allows the member of a Shibboleth IdP become a member of a VOMS-based VO • Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes) NORDUnet, Helsinki April 9, 2008

  24. Status VASH • Software implementation done • MJRA1.5 document: https://edms.cern.ch/document/807849/1 • Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available • Access to VOMS AC • LCAS/LCMAPS plugin • http://www.switch.ch/grid/vash NORDUnet, Helsinki April 9, 2008

  25. Future developments within EGEE SAML Support in Grids NORDUnet, Helsinki April 9, 2008

  26. SAML Support • Goal: Extend use of SAML in grids beyond what is already provided by EGEE-II (SLCS, VASH) • Benefits: • (Average) User has no certificates anymore • Introduce SAML gently beyond phase 1 and 2, gain experience • Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation • Options open for future • Requires: A mean for service to transform a security tokens it has into a security token it needs NORDUnet, Helsinki April 9, 2008

  27. Security Token Service • WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS) • The Security Token Service have a trust relationship with both the client and the service. NORDUnet, Helsinki April 9, 2008

  28. Use Cases • Grid: • Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…) • He needs to obtains security token that the Grid services understand (X.509) • Non-browser based Shibboleth applications: • User agent contacts Shibboleth IdP with credential (e.g. username, password) • User agent receives SAML assertion to be sent to a Shibboleth SP NORDUnet, Helsinki April 9, 2008

  29. Content • Introduction to AAIs • Why interoperability AAI - Grids • Authentication and authorization (AA) in Grids and Shibboleth • Interoperability Shibboleth - Grid within EGEE • Short-lived credential service (SLCS) • Attribute exchange to VOMS • Future developments within EGEE • Other activities in interoperability Shibboleth - Grids • Summary NORDUnet, Helsinki April 9, 2008

  30. Other Activities • GridShib • Globus • Community Access to TeraGrid through gateways • Activities in UK • Shebangs and ShibGrid • Shintau: attribute aggregation from multiple IdPs • OMII-Europe: • SAML assertions from VOMS NORDUnet, Helsinki April 9, 2008

  31. GridShib Software Components • GridShib for Globus Toolkit • A plugin for GT 4.0 • GridShib for Shibboleth • A plugin for Shibboleth 1.3 IdP • GridShib CA • A web-based CA for new grid users • GridShib SAML Tools • Tools for portals and users to embed attributes into X.509 credentials • All at: http://gridshib.globus.org/ Slide: Courtesy of Von Welch, NCSA NORDUnet, Helsinki April 9, 2008

  32. Community Access via Science Gateway GridShibfor GT GridShibfor Shib GridShibfor Shib Authenticate Attributes Web Portal Local Attributes (may bedynamic) GridShibSAML Tools Slide: Courtesy of Von Welch, NCSA Grid Requests NORDUnet, Helsinki April 9, 2008

  33. Summary • Interoperability AAI - Grids makes the Grid accessible for a large user community • Interoperability Grid - Shibboleth in EGEE: • SLCS service • Online CA issuing X.509 certificates based upon authN at Shibboleth IdP • VASH service • Transfers Shibboleth attributes into VOMS • Shib attributes are available to grid resources as part of VOMS AC • SLCS and VASH can be used independent of gLite • SAML support in Grids through Security Token Service (STS) • Other Interoperability Efforts • GridShib • UK e-Science: ShibGrid, Shintau, NORDUnet, Helsinki April 9, 2008

  34. Q & A NORDUnet, Helsinki April 9, 2008

  35. SWITCH SLCS Setup • 3 separate servers in increasingly secure environment (network and physical access) • Front End • Shibboleth SP • SLCS Server • Tomcat web app • Online CA • Microsoft Certificate Server • Hardware Security Module (HSM) • Offline CA • Sign the Online CA • Stored in a bank safe NORDUnet, Helsinki April 9, 2008

  36. Web Interface VASH Service NORDUnet, Helsinki April 9, 2008

  37. Multiple Security Domains • A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509) • Multiple STS can be used in a trust chain across security domains (delegated trust) NORDUnet, Helsinki April 9, 2008

More Related