GridShib: Grid/Shibboleth Integration Update GGF 18 Shibboleth Developers BoF September 10-11, 2006 Washington, DC Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch
Feb 05, 2016
Sep 11-12, 2006, GGF 18
Goals
• Allow users to use existing campus IdM systems to authenticate to the Grid
– Assume Shibboleth everywhere
• Allow Grid access to campus attributes
• Hide as much of X.509 from users as possible
Previous Work (from GGF 16)
• Integration of Shibboleth AA with GT
– GT can query the Shib AA, get attributes and use those attributes to make authz decisions
– Drop-in addition to GT 4.0 and Shibboleth 1.3
• Shib IdP plug-in to allow mapping of X.509 DNs to Shib principal names
• GridShib-CA
• Beta release publicly available
– Expect to officially release in GT 4.1/4.2
Shib Authorization in GT
• Currently have simple authorization mechanisms:
• List of attributes required to use a service or container
• Mapping of attributes to a local identity for GRAM job submission
Recent Work: Authn Assertions in Certificates
• IdP discovery and name specification in GT via a SAML Authn assertion embedded in the certificate
– Provides a pointer to the IdP and the NameId to use
• Big picture: it lets the credential issuer control the name binding
– Allows the certificate issuer to tell the Grid service what IdP (AA) to contact and what name (with Format and qualifier) to use
– Allows use of a standard AA, as it doesn't have to be involved in X.509 anymore
• Also allows trusted EECs to put identity into the first-level proxy certificate
– Intended for Grid portals and science gateways
[Diagram: nanoHUB. Components: nanoHUB Portal, AA. Labels: "User authenticates to portal", "X.509 w/ SAML Authn", "SAML AttributeQuery".]
myVocs integration
• Collaboration with Jill Gemmill and John-Paul Robinson
– U. Alabama-Birmingham
• myVocs allows for the formation of Shibboleth-based VOs
• Coupling with GridShib allows myVocs-based VOs to access Grid resources
GridShib-myVocs Integration
[Diagram sequence, built up over several slides. Steps and labels:]
• User registers with myVocs (labels: Identity, Auth)
• VO admin adds user to VO (labels: VO attributes)
• Grid logon (labels: Identity, Auth, Identity, Grid Creds.)
• Grid service invocation (labels: VO Attributes, Grid Creds., Grid Id)
Future Plans: Attribute Push
• Turning to attribute push
• Our observation is that most Grid use cases want:
– Persistent Id from the home institution
– Attributes from the VO
• The Shib/X.509 gateway is the natural point to collect attributes from the home institution and the VO and push them to the Grid
– The push model seems to be easier: Shib2, VOMS, CAS
Attribute-push mode
• User authenticates to the portal
– Could be GridShib-CA
• Portal gathers up Shibboleth-issued attributes
• Combines them with VO-issued attributes
• Pushes the attributes in the X.509 certificate
– Including the original Shibboleth assertions
• Can include the Authn assertion if the Grid service wants to query for more
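As an added illustration (not code from the GridShib project or the slides), here is the relying-party side of the two mechanisms described above: reading the IdP pointer and the NameIdentifier (with its Format and qualifier) out of a pushed SAML 1.1 assertion, then applying the slide-4 style policy of required attributes and attribute-to-local-identity mapping. The assertion, the IdP URL, the VO attribute name and the account map are constructed sample values.

```python
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample (not from the slides): a SAML 1.1 assertion of the kind the
# portal pushes inside the X.509 certificate. Issuer is the pointer to the IdP;
# NameIdentifier carries the Format/NameQualifier to use when querying the AA.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1"
    MinorVersion="1" AssertionID="_constructed1"
    Issuer="https://idp.example.edu/shibboleth" IssueInstant="2006-09-11T10:00:00Z">
  <saml:AuthenticationStatement AuthenticationInstant="2006-09-11T10:00:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject><saml:NameIdentifier Format="urn:mace:shibboleth:1.0:nameIdentifier"
      NameQualifier="https://idp.example.edu/shibboleth">_a1b2c3</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>_a1b2c3</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="urn:example:vo:group"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>nanohub-users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Pull out what the Grid service needs: IdP pointer, NameId (+Format, qualifier), attributes."""
    # Caller must already have verified the assertion's XML signature and the
    # certificate chain that carried it; nothing returned here is trusted otherwise.
    ns = {"saml": SAML1}
    root = ET.fromstring(xml_text)
    nid = root.find("saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier", ns)
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", ns):
        attrs[a.get("AttributeName")] = [v.text for v in a.findall("saml:AttributeValue", ns)]
    return {"idp": root.get("Issuer"), "name_id": nid.text, "format": nid.get("Format"),
            "qualifier": nid.get("NameQualifier"), "attributes": attrs}


def authorize(info, required, account_map):
    """Slide-4 policy: every required (name, value) pair must be held, then map to a local account."""
    held = info["attributes"]
    if any(value not in held.get(name, []) for name, value in required):
        return None  # a required attribute is missing: deny
    for (name, value), account in account_map.items():
        if value in held.get(name, []):
            return account  # local identity used for GRAM job submission
    return None  # no mapping rule matched: deny
```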
SAML/X.509 Binding Specification
• SAML V1.1 Profiles for X.509 Subjects
– http://www.oasis-open.org/committees/document.php?document_id=19996&wg_abbrev=security
• Includes the following profiles:
– X.509 SAML Subject Profile
– SAML Assertion Profile for X.509 Subjects
– SAML Attribute Query Profile for X.509 Subjects
– SAML Attribute Self-Query Profile for X.509 Subjects
More Information
• http://gridshib.globus.org
• Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, Gridshib, and MyProxy. In 5th Annual PKI R&D Workshop, April 2006.
http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
• GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
• dev.globus incubator:
– http://dev.globus.org/wiki/Incubator/GridShib