Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1 , Jim Basney 2 , Tim Freeman 1 , Tom Scavo 2 , Frank Siebenlist 1,3 , Von Welch 2 , Rachana Ananthakrishnan 3 , Bill Baker 2 , Monte Goode 4 , Kate Keahey 1,3 1 University of Chicago 2 National Center for Supercomputing Applications, University of Illinois 3 Mathematics and Computer Science Division, Argonne National Laboratory 4 Lawrence Berkeley National Laboratory
Identity Federation and Attribute-based Authorization
through the Globus Toolkit, Shibboleth, GridShib, and MyProxy
Tom Barton (1), Jim Basney (2), Tim Freeman (1), Tom Scavo (2), Frank Siebenlist (1,3), Von Welch (2), Rachana Ananthakrishnan (3), Bill Baker (2), Monte Goode (4), Kate Keahey (1,3)
(1) University of Chicago
(2) National Center for Supercomputing Applications, University of Illinois
(3) Mathematics and Computer Science Division, Argonne National Laboratory
(4) Lawrence Berkeley National Laboratory
NIST PKI Workshop, April 4th 2006
Background
Globus Toolkit
• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity and proxy certificates
  – May be from conventional or on-line CAs
Grid PKI
• Large investment in PKI at the international level for Grids
  – Dozens of CAs, thousands of users
• International Grid Trust Federation
  – http://www.gridpma.org
• Intended for point-in-time authentication
  – As opposed to, e.g., document signing
• Uses RFC 3820 Proxy Certificates for delegation and single sign-on
• Keys stored in the Highest Common Technology == the user's local filesystem
Shibboleth
• Internet2 project
• Standards-based (SAML)
• Allows for Identity Federation
  – Identity == Identifier + Attributes
  – Identifier may or may not be a persistent Name
  – Allows for pseudonymity via temporary, meaningless identifiers called 'Handles'
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Being extended to non-web resources
MyProxy
• The Team:
  – Jim Basney (lead), Bill Baker, Patrick Duda, Von Welch
• Many contributors
  – E.g. Monte Hall (LBNL)
• A service for managing X.509 PKI credentials
  – A credential repository
  – Long-lived private keys never leave the server
• Originally, a method for delegating credentials to Web Portals
  – Workaround for the lack of delegation in Web Browsers
  – The user delegates an RFC 3820 Proxy Certificate to MyProxy; the Portal then obtains its own delegation from MyProxy
• Open Source Software
  – Included in Globus Toolkit 4.0 and CoG Kits
  – C, Java, Python, and Perl clients available
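The Grid PKI slide names RFC 3820 proxy certificates as the delegation and single-sign-on mechanism, and the MyProxy slide describes a chain of them: user to MyProxy to portal. The following is an added example, not Globus Toolkit or MyProxy code, showing the checks a relying party applies to such a chain: the RFC 3820 subject-naming rule (issuer DN plus exactly one CN), the pCPathLenConstraint limit on further delegation, and validity at the time of use. Certificates are modelled as plain records rather than ASN.1, and signature verification is assumed to have been done by the TLS/GSI layer. The DNs, lifetimes and the four-certificate scenario are constructed.

```python
"""RFC 3820 proxy-certificate chain rules as a Grid relying party applies them.

Added example for the Grid PKI and MyProxy slides; not Globus Toolkit or MyProxy
code.  Certificates are plain records, and signature checks are assumed done by
the TLS/GSI layer: only naming, path-length and validity rules are modelled.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str                    # DN written as "/C=US/O=Example/CN=alice"
    issuer: str
    not_before: datetime
    not_after: datetime
    is_ca: bool = False             # basicConstraints cA flag
    is_proxy: bool = False          # carries a ProxyCertInfo extension
    path_len: Optional[int] = None  # pCPathLenConstraint; None = unlimited


def _rdns(dn: str) -> List[str]:
    """Split a slash-separated DN into its RDN components."""
    return [part for part in dn.split("/") if part]


def issue_proxy(issuer: Cert, cn: str, now: datetime, hours: int,
                path_len: Optional[int] = None) -> Cert:
    """Mint a proxy certificate: subject = issuer DN + one CN, short lifetime."""
    return Cert(subject=f"{issuer.subject}/CN={cn}", issuer=issuer.subject,
                not_before=now - timedelta(minutes=5),  # clock-skew allowance
                not_after=now + timedelta(hours=hours),
                is_proxy=True, path_len=path_len)


def check_proxy_chain(chain: List[Cert], now: datetime) -> List[str]:
    """Return the list of violations; an empty list means the chain is acceptable.

    chain[0] is the end-entity certificate (EEC) issued by the user's CA; every
    later element is a proxy certificate signed by the element before it.
    """
    errors: List[str] = []
    if not chain:
        return ["empty chain"]
    eec = chain[0]
    if eec.is_proxy or eec.is_ca:
        errors.append("chain must start with a non-proxy end-entity certificate")
    if not (eec.not_before <= now < eec.not_after):
        errors.append(f"EEC ({eec.subject}) not valid at {now.isoformat()}")
    remaining: Optional[int] = None   # further proxies the current issuer may sign
    for depth, (parent, proxy) in enumerate(zip(chain, chain[1:]), start=1):
        where = f"proxy #{depth} ({proxy.subject})"
        if not proxy.is_proxy:
            errors.append(f"{where}: missing ProxyCertInfo extension")
        if proxy.is_ca:
            errors.append(f"{where}: a proxy certificate must not be a CA")
        if proxy.issuer != parent.subject:
            errors.append(f"{where}: issuer does not match the previous subject")
        # RFC 3820 section 3.4: subject = issuer DN plus exactly one CN component
        issuer_rdns, subject_rdns = _rdns(proxy.issuer), _rdns(proxy.subject)
        extra = subject_rdns[len(issuer_rdns):]
        if (subject_rdns[:len(issuer_rdns)] != issuer_rdns
                or len(extra) != 1 or not extra[0].startswith("CN=")):
            errors.append(f"{where}: subject must be the issuer DN plus one CN component")
        if not (proxy.not_before <= now < proxy.not_after):
            errors.append(f"{where}: not valid at {now.isoformat()}")
        # pCPathLenConstraint N on a proxy allows at most N proxies beneath it
        if remaining is not None:
            if remaining == 0:
                errors.append(f"{where}: issuer's pCPathLenConstraint forbids further delegation")
            remaining -= 1
        if proxy.path_len is not None:
            remaining = proxy.path_len if remaining is None else min(remaining, proxy.path_len)
    return errors


def myproxy_delegation_scenario(now: datetime) -> List[Cert]:
    """The MyProxy portal flow from the slides as a four-certificate chain:
    user EEC -> proxy stored in MyProxy -> proxy retrieved by the portal -> job proxy.
    Names and lifetimes are constructed for the example."""
    eec = Cert(subject="/C=US/O=Example Grid/CN=alice",
               issuer="/C=US/O=Example Grid/CN=Example CA",
               not_before=now - timedelta(days=30), not_after=now + timedelta(days=365))
    stored = issue_proxy(eec, "proxy", now, hours=7 * 24)         # delegated to MyProxy
    portal = issue_proxy(stored, "proxy", now, hours=12)          # delegated to the portal
    job = issue_proxy(portal, "proxy", now, hours=2, path_len=0)  # may not delegate again
    return [eec, stored, portal, job]


EXAMPLE_NOW = datetime(2006, 4, 4, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for line in check_proxy_chain(myproxy_delegation_scenario(EXAMPLE_NOW), EXAMPLE_NOW) or ["chain OK"]:
        print(line)
```

The point worth noticing is the path-length rule: setting pCPathLenConstraint to 0 on the proxy handed to a job is how a delegator stops that credential being re-delegated, and a relying party that ignores the constraint silently re-enables unlimited delegation.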
GridShib
• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under the NSF NMI program
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with the Internet2 Shibboleth Design team
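The Shibboleth slide defines identity as identifier plus attributes, with a temporary Handle standing in for a name, and the GridShib slide is about consuming those attributes for authorization in a Globus service. The following added example, not GridShib or Shibboleth code, shows what that decision looks like on the relying-party side: a SAML 2.0 assertion carrying a transient NameID and eduPerson attributes is parsed, the issuing IdP is checked against a trust list, the validity window and audience are enforced, and an attribute policy maps the requester to a local account without ever resolving the handle. The assertion, IdP entity ID, audience, entitlement URN and account names are constructed; the eduPerson attribute OIDs are the real ones. Verifying the assertion's XML signature, which a real SP does before anything else, is outside this example.

```python
"""Attribute-based authorization from a Shibboleth-style SAML assertion.

Added example for the Shibboleth and GridShib slides; not GridShib or Shibboleth
code.  The relying party never maps the pseudonymous transient handle to a
person: it trusts the issuing IdP and decides from the attributes alone.
The assertion, IdP, audience and entitlement URN are constructed, and the XML
signature check a real SP performs first is out of scope here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Dict, List, Optional

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

TRUSTED_IDPS = {"https://idp.example.edu/shibboleth"}   # constructed
OUR_AUDIENCE = "https://grid.example.org/sp"            # constructed

# eduPerson OIDs are the real ones; the entitlement URN and accounts are constructed.
EDU_PERSON_AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
EDU_PERSON_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"
POLICY: Dict[str, Dict[str, str]] = {
    EDU_PERSON_ENTITLEMENT: {"urn:mace:example.edu:grid:compute": "gridusr"},
    EDU_PERSON_AFFILIATION: {"faculty": "facusr"},
}

SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0"
    IssueInstant="2006-04-04T12:00:00Z">
  <saml:Issuer>https://idp.example.edu/shibboleth</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a9c</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2006-04-04T11:55:00Z" NotOnOrAfter="2006-04-04T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://grid.example.org/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EDU_PERSON_AFFILIATION}">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="{EDU_PERSON_ENTITLEMENT}">
      <saml:AttributeValue>urn:mace:example.edu:grid:compute</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _ts(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> dict:
    """Pull issuer, handle, validity window, audiences and attributes out of an assertion."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions element")
    attributes: Dict[str, List[str]] = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "handle": root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip(),
        "not_before": _ts(conditions.get("NotBefore")),
        "not_on_or_after": _ts(conditions.get("NotOnOrAfter")),
        "audiences": [a.text.strip() for a in root.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)],
        "attributes": attributes,
    }


def authorize(assertion: dict, now: datetime, audience: str = OUR_AUDIENCE) -> Optional[str]:
    """Return the local account the requester is mapped to, or None to deny.

    Order matters: issuer trust first (attributes from an unknown IdP are worthless),
    then the validity window and audience, and only then the attribute policy.
    """
    if assertion["issuer"] not in TRUSTED_IDPS:
        return None
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return None
    if assertion["audiences"] and audience not in assertion["audiences"]:
        return None
    for attr_name, mapping in POLICY.items():
        for value in assertion["attributes"].get(attr_name, []):
            if value in mapping:
                return mapping[value]
    return None


EXAMPLE_NOW = datetime(2006, 4, 4, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print("handle", parsed["handle"], "->", authorize(parsed, EXAMPLE_NOW))
```

Two things carry over to a real deployment: the issuer check is what makes the attributes meaningful (an assertion from an IdP outside the federation must be refused even when its attribute values match the policy exactly), and the parse step should sit behind signature verification and a hardened XML parser, since here the standard library parser is used on trusted input for brevity.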
Common Goals of GridShib and MyProxy
• Ease of use for Grid PKIs
• X.509 credential management is a big headache for all involved
  – Users hate the process of getting certificates
  – Admins hate not knowing where private keys are
  – Everyone hates the configuration overhead (mainly CRLs)
• Both projects are working to use federation combined with X.509 to solve these problems
• Integration of site security with Grid security
Results from Past Year
MyProxy Authentication
• MyProxy has traditionally supported:
  – Key passphrase
  – X.509 certificate for credential renewal
• In the past year, we have added Pluggable Authentication Modules (PAM):
  – Kerberos password
  – One Time Password (OTP)
  – Lightweight Directory Access Protocol (LDAP) password
Acknowledgements
• The GridShib work is funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
• The MyProxy work was funded by the NSF NMI Grids Center and the NCSA NSF Core awards. The online CA work was implemented at LBNL.