GridShib: Shibboleth Integration with Grid and MyProxy Status and Plans GGF 16 Shib - PowerPoint PPT Presentation

1
GridShib: Shibboleth Integration with Grid and MyProxy
Status and Plans
GGF 16 Shib Grid Developers Ad Hoc BoF
February 14th, 2006
Athens, Greece
  • Tom Scavo, Von Welch

2
Background
  • GridShib
    • Tom Barton, David Champion, Tim Freeman, Kate
      Keahey, Tom Scavo, Frank Siebenlist, Von Welch
    • NSF NMI project to allow the use of
      Shibboleth-issued attributes for authorization in
      NMI Grids built on the Globus Toolkit
    • http://gridshib.globus.org
  • MyProxy
    • Jim Basney, Bill Baker, Patrick Duda, Von Welch
    • Current support from NCSA Core project, TeraGrid
    • http://myproxy.ncsa.uiuc.edu
  • Tom Barton, Jim Basney, Tim Freeman, Tom Scavo,
    Frank Siebenlist, Von Welch, Rachana
    Ananthakrishnan, Bill Baker, Monte Goode, and
    Kate Keahey. Identity Federation and
    Attribute-based Authorization through the Globus
    Toolkit, Shibboleth, Gridshib, and MyProxy. In
    5th Annual PKI R&D Workshop (To appear), April
    2006.
    • http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf

3
GridShib Work to Date
  • Integration of Shibboleth AA with GT
  • GT can query Shib AA, get attributes and use
    attributes to make authz decisions
  • Drop-in addition to GT 4.0 and Shibboleth 1.3
  • Shib IdP plug-in to allow mapping of X509 DNs to
    Shib principal names
  • Beta release publicly available
  • Expect to officially release in GT 4.1/4.2

4
Shib Authorization in GT
  • Currently have simple authorization mechanisms
  • List of attributes required to use service or
    container
  • Mapping of attributes to local identity for GRAM
    job submission
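
Added example (not from the slides or the GridShib code base): a minimal deny-by-default sketch of the two mechanisms listed on this slide, a required-attribute list and an attribute-to-local-account mapping for job submission. The policy layout, attribute values and account names are assumptions made for illustration.

```python
# Added example: policy shape, attribute values and account names are
# constructed for illustration; this is not GridShib configuration syntax.
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"

# Every (name, value) pair listed here must be asserted by the Shib AA.
REQUIRED = [(AFFILIATION, "member@example.edu")]

# Ordered attribute -> local account rules for job submission; first match wins.
ACCOUNT_MAP = [
    (ENTITLEMENT, "urn:example:grid:admin", "gridadmin"),
    (AFFILIATION, "member@example.edu", "griduser"),
]

def _has(attrs, name, value):
    values = attrs.get(name, [])
    if isinstance(values, str):   # a bare string would allow substring matches
        values = [values]
    return value in values        # exact, case-sensitive comparison

def authorize(attrs):
    """True only if every required attribute/value pair is present."""
    return all(_has(attrs, n, v) for n, v in REQUIRED)

def map_to_local_account(attrs):
    """Local account for the job, or None (deny) when unauthorized or unmapped."""
    if not authorize(attrs):
        return None
    for name, value, account in ACCOUNT_MAP:
        if _has(attrs, name, value):
            return account
    return None

# Constructed sample attribute sets, as a service might hold them after an AA query.
ADMIN = {AFFILIATION: ["member@example.edu"],
         ENTITLEMENT: ["urn:example:grid:admin"]}
MEMBER = {AFFILIATION: ["member@example.edu"]}
OUTSIDER = {ENTITLEMENT: ["urn:example:grid:admin"]}            # lacks required attr
LOOKALIKE = {AFFILIATION: "member@example.edu.other.example"}   # near-miss value

if __name__ == "__main__":
    for label, attrs in [("admin", ADMIN), ("member", MEMBER),
                         ("outsider", OUTSIDER), ("lookalike", LOOKALIKE)]:
        print(label, authorize(attrs), map_to_local_account(attrs))
```

The mapping is consulted only after the required-attribute check passes, so an entitlement alone never yields a local account.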

5
Recent MyProxy Features
  • On-line CA functionality
  • Create short-lived certificates in response to
    user authentication
  • Short-Lived Certificate Service
  • Thanks to LBNL
  • Number of authentication mechanisms supported
  • Webiso pubcookie tokens
  • PAM, OTP, Kerberos
  • Funded by Grids Center

6
Future Plans
  • Refine Attribute interoperability
  • Turn attention to using Shibboleth and MyProxy
    for Grid SSO

7
Future Plans: Attribute Refinement
  • IdP discovery in GT via SAML Authn assertion
    embedded in EEC
  • Provides pointer to IdP and NameId to use
  • Name-binder service
  • Allow users to bind DN to their Shib Id
  • Integrate tools with OpenIdp MyVocs
  • Authorization framework in Globus Toolkit 4.2
  • XACML-based
  • Pluggable PIP and PDP modules
  • Convert attributes (SAML or X509) into common
    format for policy evaluation

8
Future Plans: SSO
  • Users without existing X509 credentials
  • Or credentials only in MyProxy
  • Turn attention to SSO
  • Use Shibboleth to log onto Grid
  • I.e. get short-lived X509 credential from
    Shibboleth authentication
  • Consider command-line and portal users
  • Will add Shib authentication support to MyProxy
  • E.g. Pubcookie

9
Prototype SP-CA
  • Shibboleth-protected MyProxy on-line CA
  • Issues short-lived credentials to anyone who can
    authenticate via InQueue
  • e.g. OpenIdP
  • Uses Java Web Start to get certificate from the
    web to the desktop
  • Installs in the right place for GT to use
  • Try it out
  • https://computer.ncsa.uiuc.edu/SP-CA/

10
Prototype SP-CA
[Figure: SP-CA prototype diagram. Labels: SP-CA Logic, SP, Browser, MyProxy CA, Java WS, EPPN, Token, GridCred, /tmp. Systems: MyProxy System, Web Server, User System. Steps numbered 1 to 4.]
11
Extra Slides
12
GridShib (Simplified)
[Figure: simplified GridShib diagram. Labels: SAML, Shibboleth, Attributes, DN, Grid, SSO, SSL/TLS, WS-Security.]
13
GridShib/MyProxy Integration
14
GridShib/MyProxy Integration