Number of slides: 43

GridShib Project Update
Tom Barton (1), Tim Freeman (1), Kate Keahey (1), Raj Kettimuthu (1), Tom Scavo (2), Frank Siebenlist (1), Von Welch (2)
(1) University of Chicago
(2) NCSA/University of Illinois
Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

What is GridShib?
- GridShib enables secure attribute sharing among Grid virtual organizations and higher-education institutions
- The goal of GridShib is to allow interoperability between the Globus Toolkit® and Shibboleth®
- GridShib adds attribute-based authorization to Globus Toolkit

Some Background
- Large scientific projects have spawned Virtual Organizations (VOs)
- The cyberinfrastructure and software systems that support VOs are called grids
- Globus Toolkit is the de facto standard software solution for grids
- Grid Security Infrastructure (GSI) provides basic security services for grids

Grid Authentication
- Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
- GridShib leverages the existing authentication mechanisms in GT

Grid Authorization
- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
- PERMIS and VOMS
- GridShib provides attribute-based authorization based on Shibboleth

GridShib Project Motivation
- VOs are difficult to manage
  - Goal: Leverage existing identity management infrastructure
- Identity-based access control methods are inflexible and do not scale
  - Goal: Use attribute-based access control
- Solution: Leverage Shibboleth with Globus Toolkit!

GridShib Use Cases
- Three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
- Initial efforts concentrated on the non-browser use cases
- Current efforts are focused on the portal grid user

Established Grid User
- User possesses an X.509 end entity certificate
- User may or may not use a MyProxy server to manage X.509 credentials
- User authenticates to the Grid SP with a proxy certificate
- The current GridShib implementation addresses this use case

New Grid User
- User does not possess an X.509 end entity certificate
- User relies on the GridShib CA to obtain short-lived X.509 certificates
- User authenticates to the Grid SP using a short-lived X.509 credential
- The myVocs-GridShib integration addresses this use case

Portal Grid User
- User does not possess an X.509 cert
- A browser user authenticates to a Grid Portal (which may or may not be Shib-enabled)
- The user delegates to the Grid Portal to request a service at the Grid SP
- The Grid Portal authenticates to the Grid SP using its "community credential"
Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth
  - Includes GridShib Certificate Registry
- GridShib Certificate Authority
- GridShib Authentication Assertion Client
- Shibboleth IdP Tester
- Globus SAML Library (not distributed)

GridShib for Globus Toolkit
- GridShib for Globus Toolkit is a plugin for GT 4.0 (or later)
- Features:
  - Standalone attribute requester
  - SAML attribute consumption
  - Attribute-based access control
  - Attribute-based local account mapping
  - SAML metadata consumption

GridShib for Shibboleth
- GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
- Features:
  - Name Mapper
    - Supports name mappings in both files and tables
  - SAML name identifier implementations
    - X509SubjectName, emailAddress, etc.
  - Certificate Registry
    - Supports the established grid user

GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth 0.5: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShibCertificateRegistry
- An established grid user authenticates and registers an X.509 end-entity cert
- The Registry binds the cert to the principal name and persists the binding in a database
- On the backend, GridShib maps the DN in a query to a principal name in the DB

GridShib Authn Assertion Client
- The GridShib Authn Assertion Client is a standalone tool that creates an X.509 proxy certificate with a bound SAML authn assertion
- The client uses the proxy to authenticate to a Grid SP
- The Grid SP queries a Shibboleth AA based on the information in the bound SAML assertion

Shibboleth IdP Tester
- The Shibboleth IdP Tester is a tool that queries a Shibboleth AA for attributes
- The IdP Tester can be used to:
  - Test an ordinary Shibboleth AA
  - Test a GridShib-enabled AA
- The IdP Tester installs as a Shib IdP extension (i.e., it does not disturb an existing Shib deployment)
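The exchange the two preceding slides describe, a Grid SP (or the IdP Tester) querying a Shibboleth AA for the attributes of an X.509 subject, as an added example that is not GridShib's own code: it builds the SAML 1.1 AttributeQuery with an X509SubjectName name identifier and applies the relying-party checks on the AttributeStatement that comes back (issuer is the AA that was queried, subject is the DN that was asked about). The DN, IdP and SP names and the response are constructed for the example; SOAP transport, TLS and XML signature validation are out of scope.

```python
"""SAML 1.1 attribute query for an X.509 subject.

Added example (not GridShib's code): the message a Grid SP or the IdP Tester
sends to a Shibboleth Attribute Authority, and the relying-party checks on
the AttributeStatement that comes back.  Transport (SOAP over TLS) and XML
signature validation are outside this example.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
# SAML 1.1 name identifier format for an X.509 subject name (RFC 2253 form)
X509_SUBJECT_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed values; none of them comes from the slides.
SAMPLE_DN = "CN=Jane Doe,OU=People,O=Example Grid,C=US"
SAMPLE_IDP = "https://idp.example.edu/shibboleth"
SAMPLE_SP = "https://gridsp.example.org/wsrf/services/ManagedJobFactoryService"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SHIB_ATTR_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"


def build_attribute_query(subject_dn, resource, attribute_names, attr_namespace=SHIB_ATTR_NS):
    """Serialize a samlp:Request carrying an AttributeQuery for subject_dn."""
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "RequestID": "_" + uuid.uuid4().hex,
        "MajorVersion": "1",
        "MinorVersion": "1",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery", {"Resource": resource})
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier", {"Format": X509_SUBJECT_NAME})
    name_id.text = subject_dn
    for name in attribute_names:  # ask only for the attributes policy needs
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      {"AttributeName": name, "AttributeNamespace": attr_namespace})
    return ET.tostring(req, encoding="unicode")


def parse_attribute_statement(response_xml, expected_subject, expected_issuer):
    """Return {AttributeName: [values]} from the AA response.

    Refuses assertions from an issuer other than the AA that was queried, and
    statements whose Subject is not the DN that was asked about, so a response
    cannot be reused for a different certificate holder."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for assertion in root.iter(f"{{{SAML}}}Assertion"):
        if assertion.get("Issuer") != expected_issuer:
            raise ValueError(f"unexpected assertion issuer {assertion.get('Issuer')!r}")
        for stmt in assertion.findall(f"{{{SAML}}}AttributeStatement"):
            name_id = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
            if (name_id is None or name_id.get("Format") != X509_SUBJECT_NAME
                    or name_id.text != expected_subject):
                raise ValueError("attribute statement is not about the queried subject")
            for attr in stmt.findall(f"{{{SAML}}}Attribute"):
                values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
                attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs


def response_is_rejected(response_xml, expected_subject, expected_issuer):
    """True when the checks above refuse the response."""
    try:
        parse_attribute_statement(response_xml, expected_subject, expected_issuer)
    except ValueError:
        return True
    return False


def sample_response(issuer=SAMPLE_IDP, subject=SAMPLE_DN):
    """Constructed, unsigned AA response with one AttributeStatement."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ResponseID="_r1" MajorVersion="1" MinorVersion="1" IssueInstant="2006-12-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
  <saml:Assertion AssertionID="_a1" Issuer="{issuer}" MajorVersion="1" MinorVersion="1"
      IssueInstant="2006-12-01T12:00:00Z">
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier Format="{X509_SUBJECT_NAME}">{subject}</saml:NameIdentifier>
      </saml:Subject>
      <saml:Attribute AttributeName="{AFFILIATION}" AttributeNamespace="{SHIB_ATTR_NS}">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>faculty</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(build_attribute_query(SAMPLE_DN, SAMPLE_SP, [AFFILIATION]))
    print(parse_attribute_statement(sample_response(), SAMPLE_DN, SAMPLE_IDP))
```

The subject check matters because the AA answers whatever DN is in the query: the SP must compare the asserted subject against the DN of the certificate that actually authenticated, not just accept any statement the AA returns.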
GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShibCertificateAuthority
- The GridShib CA is protected by a Shib SP and backended by either OpenSSL or the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start

Globus SAML Library
- GridShib forked the OpenSAML 1.1 source library in Jan 2006
- Globus SAML Library is in sync with OpenSAML 1.1 CVS HEAD
- Globus SAML Library is bundled with GridShib for GT
- Globus SAML Library adds new features to OpenSAML 1.1

Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap
Work in the Pipeline
- New versions of GridShib for GT, GridShib for Shib, and GridShib CA
- GridShib Authn Assertion Client => GridShib SAML Issuer Tool
- Shibboleth IdP Tester => GridShib Attribute Query Client
- GridShib SAML Tools
- Enhancements to Globus SAML Library

GridShib for GT Versions
- GridShib for GT 0.5
  - Announced Nov 30, 2006
- GridShib for GT 0.5.1
  - Expected ?
- GridShib for GT 0.6
  - Expected ?

GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30
  - Compatible with both GT 4.0 and GT 4.1
    - Separate binaries for each GT version
    - GT 4.1 introduces a powerful authz framework
    - Source build auto-senses the target GT platform
  - New identity-based authorization feature
    - Uses grid-mapfile instead of DN ACLs
  - Logging enhancements
  - Bug fixes

GridShib for GT 0.5.1
- GridShib for GT 0.5.1 (expected ?)
  - Combined VOMS/SAML attribute-to-account mapping
    - As with the current gridmap situation, GT 4.0.x deployments cannot take advantage of permit overrides and arbitrarily configured fallbacks
    - To accommodate this we'll allow for a name mapping scheme that checks in this order and continues to fall back if no match/authz is granted: gridmap, VOMS, Shibboleth/SAML
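The ordered fallback described on this slide, as an added example rather than GridShib's own implementation: a grid-mapfile is consulted first, then a VOMS FQAN mapping, then a Shibboleth/SAML attribute mapping, and a source that yields no account, or only an account local policy does not permit, falls through to the next one. The grid-mapfile contents, the VOMS and SAML mapping tables, the permitted-account set (with one deliberately disabled account) and the IdP name are all constructed for the example; it also pins the SAML rule to a specific issuer, the "unique issuer in authz policy rules" idea the 0.6 slide mentions, so that an attribute value only counts when it comes from the expected IdP.

```python
"""Ordered account mapping with fallback: gridmap, then VOMS, then Shibboleth/SAML.

Added example (not GridShib's code) of the 0.5.1 scheme described on the slide.
Each source is consulted in turn; a source that yields no account, or an account
the local policy does not permit, falls through to the next one.
"""
import shlex

# Constructed grid-mapfile: a quoted DN followed by comma-separated local accounts.
GRIDMAP_TEXT = """
# DN                                             local account(s)
"/C=US/O=Example Grid/OU=People/CN=Jane Doe"     jdoe
"/C=US/O=Example Grid/OU=People/CN=Bob Ray"      bray
"""

# Constructed VOMS mapping: fully qualified attribute name (FQAN) -> account.
VOMS_MAP = {
    "/cms/Role=production": "cmsprod",
    "/cms": "cmsuser",
}

# Constructed SAML mapping keyed on (issuer, attribute name, value).  Pinning
# the issuer means only the named IdP can assert its way into the account.
EDU_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SAML_MAP = {
    ("https://idp.example.edu/shibboleth", EDU_AFFILIATION, "faculty"): "faculty",
}

# Local policy: accounts that may actually be used ('bray' is disabled, so a
# gridmap hit on it is not authorized and the lookup falls through).
PERMITTED_ACCOUNTS = {"jdoe", "cmsprod", "cmsuser", "faculty"}


def parse_gridmap(text):
    """Parse grid-mapfile text into {dn: [accounts]}; blank and '#' lines skipped."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # handles the quoted, space-containing DN
        if len(fields) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        dn, accounts = fields
        mapping[dn] = accounts.split(",")
    return mapping


def _first_permitted(accounts):
    """Return the first permitted account from a candidate list, else None."""
    for acct in accounts:
        if acct in PERMITTED_ACCOUNTS:
            return acct
    return None


def map_account(dn, fqans=(), saml_attrs=(), gridmap_text=GRIDMAP_TEXT):
    """Return (source, account) for the caller, or (None, None) if nothing matched.

    dn          -- subject DN of the presented (proxy) certificate
    fqans       -- VOMS FQANs from the proxy's VOMS extension, in holder order
    saml_attrs  -- (issuer, attribute name, value) triples from validated SAML
    """
    # 1. grid-mapfile: identity-based mapping
    acct = _first_permitted(parse_gridmap(gridmap_text).get(dn, []))
    if acct:
        return "gridmap", acct
    # 2. VOMS: first FQAN with a permitted mapping wins
    for fqan in fqans:
        acct = VOMS_MAP.get(fqan)
        if acct in PERMITTED_ACCOUNTS:
            return "voms", acct
    # 3. Shibboleth/SAML: the attribute must come from the configured issuer
    for issuer, name, value in saml_attrs:
        acct = SAML_MAP.get((issuer, name, value))
        if acct in PERMITTED_ACCOUNTS:
            return "saml", acct
    return None, None


if __name__ == "__main__":
    print(map_account("/C=US/O=Example Grid/OU=People/CN=Jane Doe"))
    print(map_account("/C=US/O=Example Grid/OU=People/CN=Bob Ray",
                      fqans=["/cms/Role=production"]))
```

The order is deliberate: the identity-based grid-mapfile is the most specific statement a site administrator makes about a DN, so it takes precedence, and the attribute sources only fill in for DNs the site has not enumerated.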
GridShib for GT 0.6
- GridShib for GT 0.6 (expected ?)
  - Full-featured attribute push PIP
    - TBA
  - More powerful attribute-based authz policies
    - Allow unique issuer in authz policy rules

GridShib for Shib Versions
- GridShib for Shib 0.5.1
  - Announced Aug 8, 2006
- GridShib for Shib 0.6
  - Expected Jan 2007
  - Will include SAML Issuer Tool (derived from the Shib resolvertest tool)

GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected Jan 2007)
  - Core (already included in 0.5)
    - Requires Shib IdP
    - Includes basic plugins and handlers
  - Certificate Registry (already included in 0.5)
    - Requires GridShib for Shib Core
    - Includes Derby embedded database
  - SAML Tools (new in 0.6)
    - Requires GridShib for Shib Core
    - Includes SAML Issuer Tool and SAML X.509 Binding Tool

GridShib CA Versions
- GridShib CA 0.3
  - Announced Nov 27, 2006
- GridShib CA 0.4
  - Expected March 2007

GridShib CA 0.3
- GridShib CA 0.3 announced Nov 27, 2006
  - Substantial improvement over version 0.2
  - More robust protocol
  - Installation of trusted CAs at the client
  - Pluggable back-end CAs
    - Uses an openssl-based CA by default
    - A module to use a MyProxy CA is included
  - Certificate registry functionality
    - A module that auto-registers DNs with myVocs

GridShib SAML Tools
- GridShib SAML Issuer Tool
  - Derived from the Authentication Assertion Client
- Shibboleth SAML Issuer Tool
  - Derived from the Shib resolvertest tool
- GridShib Attribute Query Client
  - Derived from the Shib IdP Tester
- GridShib X.509 Binding Tool
  - Derived from GT CAS/SAML utilities
GridShib SAML Tools (cont'd)
[Diagram, two slides: tool chain with the labels "Config Files (inputs)", "GridShib SAML Issuer Tool", "SAML", "X.509 Binding Tool", "X.509", "Shibboleth IdP Config (inputs)", "Shibboleth SAML Issuer Tool" and, on the second slide, "GridShib Attribute Query Client (inputs)"; the arrows are not recoverable from the text]
SAML Tool Distributions
- The Shib SAML Issuer Tool and the SAML X.509 Binding Tool will be distributed with GridShib for Shib 0.6
- The GridShib SAML Issuer Tool, GridShib Attribute Query Client, and SAML X.509 Binding Tool will be distributed as a single, standalone package
- Note: The latter does not require GridShib for Shib or GridShib for GT

Globus SAML Library
- Features and enhancements:
  - Support for SAML V2.0 metadata
  - SAML object equivalence implementation
  - Enhanced SAMLNameIdentifier class
  - SAML NameIdentifier format handlers
  - New SAMLSubjectAssertion class
  - New SubjectStatement class
  - Additional unit tests and examples
  - Requires JDK 1.4 or above

New Software Components
- GridShib for Globus Toolkit 0.6
- GridShib for Shibboleth 0.6
  - Optional Certificate Registry
  - Optional SAML Issuer Tool
- GridShib Certificate Authority 0.4
- GridShib SAML Tools
  - SAML Issuer Tool
  - Attribute Query Client
  - SAML X.509 Binding Tool
- Globus SAML Library (enhanced)

Profiles and Bindings Specs
- SAML V1.1 Profiles for X.509 Subjects: http://www.oasis-open.org/committees/download.php/19996/sstc-saml1-profiles-x509-draft-01.pdf
- Subject-based Assertion Profile for SAML V1.1
- X.509 Binding for SAML Assertions
- Attribute Query Profile for SAML V1.1
- SAML V1.1 Deployment Profiles for X.509 Subjects
- SAML V2.0 Deployment Profiles for X.509 Subjects

Acknowledgments
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards 0438424 and 0438385
  - Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to the Internet2 Shibboleth Project

Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid
  - Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under the Apache 2 license
- For more information and software:
  - http://gridshib.globus.org
  - vwelch@ncsa.uiuc.edu
  - http://dev.globus.org/wiki/Incubator/GridShib
Questions?