NSF Middleware Initiative: GridShib
Tom Barton, University of Chicago

Dec 31, 2015

NSF Middleware Initiative: GridShib. Tom Barton, University of Chicago. What is GridShib? NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework”. Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4 - PowerPoint PPT Presentation
Transcript
Page 1: NSF Middleware Initiative: GridShib

Tom Barton, University of Chicago

Page 2: What is GridShib?

• NSF Middleware Initiative (NMI) Grant: “Policy Controlled Attribute Framework”
• Allow the use of Shibboleth-transported attributes for authorization in NMI Grids built on the Globus Toolkit v4
• 2 year project started December 1, 2004
• Participants
  • Von Welch, UIUC/NCSA (PI)
  • Kate Keahey, UChicago/Argonne (PI)
  • Frank Siebenlist, Argonne
  • Tom Barton, UChicago

Page 3: Why?

• Attribute-based authorization has shown itself to be useful in large grids with far-flung participants in several types of roles
  • Identity-based approach scales poorly
• Shibboleth is well supported and becoming widely deployed
• SAML is used by the larger identity federation world, not just Shibboleth. Integrating SAML support into Grids opens the door to leveraging this large technology space

Page 4: GridShib Integration Principles

• No modification to typical grid client applications
  • Modifications only to Grid Services and security clients (e.g. grid-proxy-init)
• Leverage Shibboleth’s attribute marshaling capability and release policies
• Leverage the strategic investment that campuses make in Identity Management operations

Page 5: GridShib Progress

• Developers hired February 2005
• Substantial resolution of GridShib’s Shibboleth usage profile
• Shibboleth IdP plugin nearing completion
  • Maps externally-issued X.509 identity certificates to local identifiers
• SAML attribute marshaling in GT4 runtime nearing completion

Page 6: GridShib Progress (cont’d)

• Common attribute format internal to GT4 runtime to support access policies spanning SAML and X.509 PMI attribute sources
  • Uses XACML Request Context
• Initial GridShib release for closed alpha deployment
  • Readiness by end of June
  • Overlays GT 4.0 and Shib 1.3

Page 7: Potential Early Adopters

• Focused efforts to understand and evaluate potential use of GridShib in:
  • caBIG, Cancer Bioinformatics Grid
  • UK eScience Grid
  • LOOKING, Laboratory for the Ocean Observatory Knowledge Integration Grid
  • University of Southern California
  • University of Alabama at Birmingham
  • SURAgrid

Page 8: GridShib Challenges

• Identity Provider Discovery
  • Compounded by the need in some grids to consult several identity providers for each user
• Distributed Attribute Administration
  • What happens when the folks running the attribute authority are not the ones authoritative for the attributes?
  • Some projects don’t have the resources to run a 7x24 security service, but are the only ones who know the attribute space
  • Explore Signet, Grouper
• Mapping local subject identifier to externally issued EEC (end entity certificate)

Page 9: Distributed Authorities

[Diagram: Grid user, Session authentication credential, Grid Service, Attribute Authority; Authorities: Home Org, Virtual Org, Affiliated Org; Signet, Grouper]

Page 10: Project objectives

• Priority 1: Pull mode operation
  • Globus services contact Shibboleth to obtain attributes about the identified user
  • Support both GT4.x Web Services and pre-WS code
• Priority 2: Push mode operation
  • User obtains Shib attributes and pushes them to the service
  • Allows role selection
• Priority 3: Online CAs
  • Pseudonymous operation
  • Integration with local authentication services
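Pull-mode operation and the distributed authorities of page 9, as an added Python model that is not GridShib or Globus code: the grid service maps the caller's X.509 subject DN to a local identifier (the IdP plugin's job), queries each attribute authority itself, and discards any attribute that arrives from an authority not authoritative for it (the distributed attribute administration challenge on page 8). The DNs, attribute names, authorities and policy are constructed sample values.

```python
"""Model of GridShib pull-mode authorization (added illustration, not
GridShib code). DNs, attributes and authorities are constructed samples."""

# IdP plugin role: externally issued X.509 subject DN -> local principal.
DN_MAP = {
    "/O=Example Grid CA/OU=People/CN=alice": "alice",
    "/O=Example Grid CA/OU=People/CN=bob": "bob",
}

# Distributed attribute authorities, keyed by local principal.
HOME_ORG_AA = {
    "alice": {"eduPersonAffiliation": {"faculty"}},
    "bob": {"eduPersonAffiliation": {"student"}},
}
VO_AA = {
    "alice": {"voRole": {"analyst"}},
    # The VO also asserts an affiliation for bob; it is not authoritative
    # for that attribute, so the service must ignore the value.
    "bob": {"voRole": {"analyst"}, "eduPersonAffiliation": {"faculty"}},
}
AUTHORITIES = {"home-org": HOME_ORG_AA, "virtual-org": VO_AA}

# Which authority is authoritative for which attribute name.
AUTHORITATIVE_FOR = {"eduPersonAffiliation": "home-org", "voRole": "virtual-org"}

def map_dn(dn):
    """Map a subject DN to a local identifier; None if the user is unknown."""
    return DN_MAP.get(dn)

def pull_attributes(local_id):
    """Pull mode: the service queries every authority itself and keeps only
    the attributes each authority is authoritative for."""
    attrs = {}
    for issuer, aa in AUTHORITIES.items():
        for name, values in aa.get(local_id, {}).items():
            if AUTHORITATIVE_FOR.get(name) == issuer:
                attrs.setdefault(name, set()).update(values)
    return attrs

def authorize(dn, policy):
    """policy maps attribute name -> set of acceptable values; every policy
    attribute must match at least one pulled, authoritative value."""
    local_id = map_dn(dn)
    if local_id is None:
        return False
    attrs = pull_attributes(local_id)
    return all(attrs.get(name, set()) & accepted for name, accepted in policy.items())

# Sample service policy: a faculty or staff member acting in the analyst role.
POLICY = {"eduPersonAffiliation": {"faculty", "staff"}, "voRole": {"analyst"}}
```

Alice is granted because both attributes come from their authoritative source; Bob is denied because the VO's "faculty" claim is dropped and the home org says "student".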

Page 11: Timeline

• December 1, 2004: formal start
• February 1, 2005: Developers on board and coding
• Mid-Summer 2005: closed alpha release
  • pull model with user identified
• Fall 2005: public releases
  • Production pull model with user identified
  • Beta push model with user identified
  • Implementation of simple policy description language
  • Targeting GT 4.1.x and Shibboleth 1.3
• 2006: Integration with online CAs