Shibboleth for NonWebBased Applications: GridShib

1
Shibboleth for Non-Web-Based Applications
GridShib
http//arch.doit.wisc.edu/keith/midnetgridShib-05
0609-01.ppt Courtesy of Tom Barton, University
of Chicago and Von Welch, NCSA, UIUCMIDnet
Spring Conference, June 9, 2005
2
Some Background Shibboleth

• http//shibboleth.internet2.edu/
• Internet2 project
• Allows for inter-institutional sharing of web
  resources
• Federation of identities and attributes
• Uses attribute-based authorization
• Standards-based (SAML)
• Being extended to non-web resources
• Part of NMI/EDIT distribution

3
Some Background Globus Toolkit

• http//www.globus.org
• Collaborative work from the Globus Alliance
• Toolkit for Grid computing
• Job submission, data movement, data management,
  resource management
• Security based on X.509 identity- and
  proxy-certificates
• Part of NMI Grids Center Suite

4
NSF Middleware Initiative (NMI) GrantPolicy
Controlled Attribute Framework

• What shibbolize NMI Grids
• Allow the use of Shibboleth-issued attributes for
  authorization in NMI Grids built on the Globus
  Toolkit
• Participants
• Von Welch, UIUC/NCSA (PI)
• Kate Keahey, UChicago/Argonne (PI)
• Frank Siebenlist, Argonne
• Tom Barton, UChicago
• 2 years starting December 1, 2004
• We call it GridShib

5
The GridShib picture
User
Grid Service
(1) Grid Authentication
(0) Attribute Release Policy
Campus
(2) Shib Attribute Request
(4) Attribute-based authorization
(3) Attributes
Shibboleth
6
Why?

• Critical mass of grid deployments could use it
• Large grid, far-flung participants, several types
  of roles among them
• Examples NEESgrid, Earth System Grid, TeraGrid,
  Grid3 (GriPhyN, iVDGL, and PPDG)
• Centralized access to campus grid resources for
  research computing
• Examples UChicago, USC, UAB

7
Why?

• Values of integrating common infrastructure with
  Virtual Organizations are similar to Enterprise
  case

8
Time is finally right

• Shibboleth SAML have shown how to
• Authorize the anonymous user
• Extend integration of common infrastructure
  across administrative and operational domains
• Sufficiently abstracted security related
  interfaces provided by NMI Grid componentry
• Others are trying non-web-based shibbolization
  approaches roughly analogous to what we envision
• Plug all code elements above are NMI components.
  Were building on work of many people over 3
  years.

9
Grid-Shib integration essentials

• Design principles
• No modification to typical grid client
  applications
• No change to shibboleths model of administrative
  and end-user maintenance of attribute release
  policies
• Leverage high-quality campus Identity Provider
  operations
• Accommodations for Grid shibbolization
• Identity Provider Discovery (pull models)
• Basic sequence of events (push models)
• Use of an identifer in X.509 cert as a subject
  handle for use by the Attribute Authority

10
Basic integrationuser identified, attributes
pulled
11
Advanced integration examplepseudonymous push
12
Timeline

• December 1, 2004 formal start
• Year 1
• Basic integration code supporting pull model
  with user identified
• Year 2
• Advanced integration code supporting push and
  user pseudonymity

13
Project objectives

• Priority 0 Gather requirements, identify users,
  related work
• Users
• U Chicago
• USC (Henderson)
• TeraGrid
• Related work
• Already established coordination with ESP-Grid,
  Dr. Jeffreys, Oxford, UK
• UAB (Gemmil)
• Georgetown (Leonhardt)

14
Project objectives

• Priority 1 Pull mode operation
• Globus services contact Shibboleth to obtain
  attributes about identified user
• Support both GT4.x Web Services and pre-WS code
• Priority 2 Push mode operation
• User obtains Shib attributes and push to service
• Allows role selection
• Priority 3 Online CAs
• Pseudonymous operation
• Integration with local authentication services

15
GridShib Progress

• Developers hired February 2005
• Substantial resolution of GridShibs Shibboleth
  usage profile
• Shibboleth IdP plugin nearing completion
• Maps externally-issued X.509 identity
  certificates to local identifiers
• SAML attribute marshaling in GT4 runtime nearing
  completion

16
GridShib Progress (contd)

• Common attribute format internal to GT4 runtime
  to support access policies spanning SAML and
  X.509 PMI attribute sources
• Uses XACML Request Context
• Initial GridShib release for closed alpha
  deployment
• Readiness by end of June
• Overlays GT 4.0 and Shib 1.3

17
Timeline (cont)

• 2006 Second release
• Advanced integration code supporting push and
  user-pseudonymity
• Integration with MyProxy/GridLogon for improved
  usability
• Integration of feedback from Y1 release

18
GridShib Challenges

• Use of an identifier in X.509 certificate as a
  subject handle for use by the Shib Attribute
  Authority (SAA)
• Shibboleth v1.3 should handle this
• Allowing VOs to define attributes meaningful to
  them
• Attribute Authority identification
• Where are you from problem
• Plumbing interconnect
• Translating requirements into meaningful
  authorization policy
• Support pseudonymity

19
GridShib Challenges

• Identity Provider Discovery
• Compounded by need in some grids to consult
  several identity providers for each user
• Distributed Attribute Administration
• What happens when the folks running the attribute
  authority are not the ones authoritative for the
  attributes?
• Some projects dont have resources to run a 7x24
  security service, but are the only ones who know
  the attribute space
• Explore Signet, Grouper
• Mapping local subject identifier to externally
  issued EEC

20
Distributed Authorities
Session authentication credential
Attribute Authority
Authorities
Home Org
Affiliated Org
Grid user
Signet Grouper
Grid Service
Virtual Org
21
Getting Attributes into a Sites Attribute
Authority
SIS
Person Registry
Loaders
Attribute Authority
HR
Shib/ GridShib
Core Business Systems
Group Registry
LDAP
Grouper UI
On-site Authorities
uid jdoe eduPersonAffiliation isMemberOf
eduPersonEntitlement
Privilege Registry
Signet UI
using Shibboleth
Off-site Authorities
22
Potential objectives

• Collaboration with Signet folks to allow for
  distributed attribute administration
• Support for alternatives to GT4
• Standard PKI-authenticated web services in
  addition to GT4
• Some Grid projects looking at plain web services
  approach
• Support for GT2 legacy code?
• Will there still be demand?

23
Loose ends

• Use of VO-operated AA vs. one embedded within an
  Enterprises Identity Provider operation
• May be some use cases in which this is sufficient
  or desirable
• We dont address the problem of how to manage the
  attributes needed by grid resources, just how to
  transport them

24
Resources

• Grouper website http//middleware.internet2.edu/di
  r/groups/grouper/
• Signet website
• http//middleware.internet2.edu/signet/
• Internet2 Middleware Initiative
• http//middleware.internet2.edu/
• GridShib project
• http//grid.ncsa.uiuc.edu/GridShib/

25
Acknowledgements

• Working in collaboration with Steven Carmody and
  the Internet2 Shibboleth Design team
• Providers of much valuable advice.
• Funded under NSF award SCI-0438424

26
Questions?

• Project website
• http//grid.ncsa.uiuc.edu/GridShib/
• Or contact
• tbarton_at_uchicago.edu
• vwelch_at_ncsa.uiuc.edu
• For more information on NMI
• http//www.nsf-middleware.org/

27
Q A