TeraGrid 08: The Third Annual TeraGrid Conference, Las Vegas, NV, June 9-13, 2008 (PowerPoint presentation transcript)

Transcript and Presenter's Notes
1
TeraGrid 08: The Third Annual TeraGrid
Conference, Las Vegas, NV, June 9-13, 2008
  • Tom Scavo, Jim Basney, Terry Fleury, Von Welch
  • National Center for Supercomputing Applications
  • University of Illinois at Urbana-Champaign

2
Tutorial: Science Gateways, Security, and GridShib
  • TeraGrid 08
  • Tom Scavo, Jim Basney, Terry Fleury, Von Welch
  • National Center for Supercomputing Applications
  • University of Illinois at Urbana-Champaign
  • June 9, 2008

3
Birds-of-a-Feather Session: Attribute-based
Auditing and Authorization for Science Gateways
  • TeraGrid 08
  • Tom Scavo, Jim Basney, Terry Fleury, Von Welch
  • National Center for Supercomputing Applications
  • University of Illinois at Urbana-Champaign
  • June 11, 2008

4
Science GatewaysWorking Group Session
  • TeraGrid 08
  • Tom Scavo, Jim Basney, Terry Fleury, Von Welch
  • National Center for Supercomputing Applications
  • June 12, 2008

5
GridShib @ TeraGrid 08
  • Tutorial: Science Gateways, Security, and
    GridShib
    Mon, 8:00am-12:00pm
  • Birds-of-a-Feather Session: Attribute-based
    Auditing and Authorization for Science Gateways
    Wed, 5:30-6:30pm
  • Poster Session: A Federated Identity Model for
    Science Gateways
    Wed, 6:30-8:30pm
  • Science Gateways Working Group Session
    Thu, 3:00-4:30pm

6
Definition of Terms
Shib ≠ GridShib (Shibboleth and GridShib are distinct pieces of software)
7
Grid Security Infrastructure (GSI)
8
Grid Authentication
  • Traditionally, grid authentication has been via
    trusted X.509 identity certificates
  • GSI relies heavily on X.509 proxy certificates
  • A proxy cert is a short-lived certificate signed
    with the private key of the user's identity
    certificate (or of an earlier proxy in the chain)
  • Multiple GSI authentication mechanisms:
    • GSI Transport (SSL/TLS)
    • GSI Secure Message (WS-Security)
    • GSI Secure Conversation (WS-SecureConversation)

9
The Classic Grid Use Case
A non-browser user issues a proxy
certificate and initiates a grid request on her
own behalf.
10
Issue a Proxy Certificate
[Diagram: the end user's X.509 end entity credential (issuer: Certification Authority, subject: End User, with its private key) is used by grid-proxy-init to issue an X.509 proxy credential (issuer: End User, subject: End User, with its own private key); myproxy-logon is shown as the alternative way to obtain the proxy credential]
11
Classic GSI
[Diagram: on the GT4 Client, the Globus WS Client holds an X.509 proxy credential (with key) and presents the X.509 proxy certificate to the GT4 Server, where the Java WS Container hosting the Globus Web Service checks the subject against its Gridmap]
12
Identity-based Access Control
  • The distinguished name (DN) in the proxy
    certificate is used as a basis for coarse-grained
    access control
  • If the subject DN is in an access control list
    called a gridmap file, access is allowed
  • A gridmap file also maps DNs to usernames
  • Associated with each DN are zero or more local
    usernames
  • GRAM, for example, requires a local account in
    which to run a job request

13
Gridmap File
  • The gridmap has a flat file format:
    DN → user0, user1, ..., user(n-1)
  • The gridmap has dual functions:
    • Authorization Policy
    • Username Mapping Policy
  • A single gridmap file serves both functions
  • Identity-based gridmap files trade off
    flexibility and scalability for simplicity

    DN1 username1
    DN2 username2
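The two gridmap functions just described (authorization policy and username mapping policy from one flat file), as an added Go example; this is not code from the slides or from the Globus Toolkit. It follows the Globus gridmap file format, in which each line is a double-quoted subject DN followed by a comma-separated list of local usernames; the DNs and accounts in sampleGridmap are constructed for the example.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Gridmap is the DN -> local usernames mapping parsed from a Globus gridmap
// file: one entry per line, a double-quoted subject DN, white space, then a
// comma-separated list of local usernames. The same file is both the ACL
// (is this DN listed?) and the username mapping policy.
type Gridmap map[string][]string

// ParseGridmap parses gridmap-file text. Blank lines and '#' comments are
// skipped; a DN listed on several lines accumulates all of its usernames.
func ParseGridmap(text string) (Gridmap, error) {
	gm := Gridmap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: subject DN must be double-quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated subject DN", n)
		}
		dn, users := line[1:1+end], []string{}
		for _, u := range strings.Split(line[2+end:], ",") {
			if u = strings.TrimSpace(u); u != "" {
				users = append(users, u)
			}
		}
		if len(users) == 0 {
			return nil, fmt.Errorf("line %d: no local username for %q", n, dn)
		}
		gm[dn] = append(gm[dn], users...)
	}
	return gm, sc.Err()
}

// Authorize applies both gridmap functions at once: the DN is authorized iff
// it is listed, and it may only run as one of its listed local accounts (the
// first one when none is requested). Pass the DN of the end-entity certificate
// behind the proxy, which is what GSI matches against the gridmap.
func (gm Gridmap) Authorize(dn, requested string) (string, bool) {
	users, listed := gm[dn]
	if !listed {
		return "", false // identity not on the ACL
	}
	if requested == "" {
		return users[0], true
	}
	for _, u := range users {
		if u == requested {
			return u, true
		}
	}
	return "", false // known identity, but not mapped to that account
}

// sampleGridmap is a constructed example, not a file from the slides.
const sampleGridmap = `# subject DN                                     local accounts
"/C=US/O=Example Org/CN=Alice Researcher"        alice
"/C=US/O=Example Gateway/CN=gateway.example.org" gw,gw-test
`

func main() {
	gm, err := ParseGridmap(sampleGridmap)
	if err != nil {
		panic(err)
	}
	for _, req := range []struct{ dn, user string }{
		{"/C=US/O=Example Org/CN=Alice Researcher", ""},
		{"/C=US/O=Example Gateway/CN=gateway.example.org", "gw-test"},
		{"/C=US/O=Example Gateway/CN=gateway.example.org", "root"},
		{"/C=US/O=Example Org/CN=Mallory", ""},
	} {
		user, ok := gm.Authorize(req.dn, req.user)
		fmt.Printf("%-48s requested=%-9q permit=%-5t account=%q\n", req.dn, req.user, ok, user)
	}
}
```

Note what the flat file cannot express: every decision keys on the full DN, so a gateway's community DN is either mapped or not, with no way to distinguish the end users behind it; that is the limitation the rest of the tutorial addresses.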
14
GridShib-enabled GSI
15
GridShib Project
  • The goal of the GridShib Project is to introduce
    attribute-based authorization to Globus-based
    grids
  • GridShib software allows Globus Toolkit and
    Shibboleth to interoperate
  • Classic GridShib (circa 2004-2005) pulls
    attributes from a Shibboleth Attribute Service
  • The current emphasis is on browser users and
    attribute push, specifically, the TeraGrid
    Science Gateway Use Case

16
GridShib Software
  • GridShib for GT
    • Consumes X.509-bound SAML assertions issued by
      the GridShib CA or the GridShib SAML Tools.
      Issues SAML attribute queries to a Shibboleth IdP
      with GridShib for Shibboleth installed.
  • GridShib for Shibboleth
    • Responds to attribute queries from GridShib for
      GT.
  • GridShib CA
    • Issues short-lived X.509 credentials to browser
      users.
  • GridShib SAML Tools
    • Issues or requests SAML assertions and optionally
      binds these assertions to X.509 proxy
      certificates.

18
GridShib SAML Tools
  • The GridShib SAML Tools (GS-ST) are a standalone
    suite of Java-based client tools
  • Binds a SAML assertion to an X.509 proxy
    certificate
  • The same X.509-bound SAML token can be
    transmitted at the transport level or the message
    level (using WS-Security X.509 Certificate Token
    Profile)
  • Includes the GridShib Security Framework, a Java
    API for producing and consuming X.509-bound SAML
    tokens
  • GS-ST is a SAML producer

19
GS-ST Features
  • Easily installed and configured
  • Binds arbitrary content (not just SAML) to a
    non-critical certificate extension
  • Multiple output options (SAML, X.509 proxy
    credential, DER-encoded ASN.1)
  • CLI with shell scripts (UNIX and Windows)
  • Includes a Java API for portal developers
  • Leverages the Globus SAML Library, an enhanced
    version of OpenSAML 1.1

20
GS-ST Function
  • Bind a SAML assertion to a non-critical X.509
    v3 certificate extension

We call this an X.509-bound SAML token
21
[Diagram: the gateway's X.509 community credential (issuer: TeraGrid CA, subject: Science Gateway, with key) is used by grid-proxy-init to issue an X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway, with its own key)]
22
[Diagram: as with grid-proxy-init, the community credential (issuer: TeraGrid CA, subject: Science Gateway) signs a proxy credential (issuer: Science Gateway, subject: Science Gateway); gridshib-saml-issuer additionally adds X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 containing <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>]
23
X.509-bound SAML Token
  • GridShib SAML Tools produces X.509-bound SAML
    tokens, a new type of security token that enables
    attribute-based authorization in X.509-based
    Grids
  • The SAML token is bound to a noncritical X.509v3
    certificate extension

[Diagram: X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway, with key) carrying X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 with <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>]
24
WS-Security Token Profiles
  • OASIS WS-Security Technical Committee
    • WSS X.509 Certificate Token Profile [1]
    • WSS SAML Token Profile
  • Globus implements the former
  • We define a new token type:
    • X.509-bound SAML Token
  • An implementation of [1] automatically handles
    X.509-bound SAML tokens
  • No new wire protocols are needed!

25
Security Tokens
[Diagram: two SOAP envelopes side by side. X.509 Token: the SOAP Header carries an X.509 certificate. SAML Token: the SOAP Header carries a SAML assertion. Each header is followed by the SOAP Body]
26
Security Tokens
[Diagram: three SOAP envelopes side by side. X.509 Token: the SOAP Header carries an X.509 certificate. SAML Token: the SOAP Header carries a SAML assertion. X.509-bound SAML Token: the SOAP Header carries an X.509 certificate with the SAML assertion embedded inside it. Each header is followed by the SOAP Body]
27
GridShib-enabled GSI
A non-browser user binds a SAML assertion to a
proxy certificate and initiates a grid request on
her own behalf.

28
GridShib for GT
  • GridShib for GT (GS4GT) is a plug-in for GT 4.x
  • GS4GT is compatible with both GT 4.0 and 4.2
  • GS4GT is an implementation of a Grid Service
    Provider, which is analogous to a Shibboleth
    Service Provider, but for X.509-based grids
  • GS4GT is a SAML consumer
  • Used together, GridShib SAML Tools and GridShib
    for GT enable attribute-based access control in
    Globus-based grids

29
GS4GT Features
  • Introduces attribute-based authorization into GT
  • Exposes a single comprehensive policy decision
    point called the GridShibPDP
  • Implements an attribute push model
  • Restricts access based on blacklists of IP
    addresses and/or name identifiers
  • Provides attribute-based account mapping
  • Supports optional gridmap short-circuiting
  • Defines an attribute-based authorization policy
    language (in XML)

30
GridShib-enabled GSI
[Diagram: on the GT4 Client, the Globus WS Client uses GridShib SAML Tools and its end entity credential (with key) to issue a proxy credential carrying SAML; the proxy certificate with SAML is presented to the GT4 Server, where the Java WS Container (with GridShib for GT) runs the GridShib SAML PIP to build a Security Context for the Globus Web Service, which is evaluated against the Authz Policy and Blacklist Policy and recorded in Logs]
31
GS4GT Configuration Files
GridShib SAML Entity Map
  • The SAML Entity Map maps SAML issuers to X.509
    issuers
  • A SAML issuer in this file is trusted
  • The SAML Entity Map will be replaced by SAML
    Metadata (XML)

    entityID1 DN1
    entityID2 DN2

GridShib Blacklist Policy
  • A blacklist is a list of identifiers (SAML
    identifiers or subject DNs)
  • A user whose identifier is on the blacklist will
    be denied access
  • The flat file blacklist will be replaced by a
    database table

    identifier1
    identifier2
32
GS4GT Policy Files
[Diagram: the Globus Gridmap file (DN1 username1, DN2 username2) is split into two attribute-based files, the GridShib Authz Policy and the GridShib Mapping Policy]
33
GS4GT Policy Files
  • Two separate attribute-based policy files:
    • Authorization Policy: {A0, A1, ..., A(m-1)}
    • Username Mapping Policy:
      {A0, A1, ..., A(m1-1)} → user0, user1, ..., user(n1-1)
      {A0, A1, ..., A(m2-1)} → user0, user1, ..., user(n2-1)
  • A single XML-based policy file may encapsulate
    both types of policies

34
Summary
  • Fine-grained, attribute-based authorization
  • Introduces X.509-bound SAML tokens
  • Works at both the transport level and the message
    level
  • No modifications to GT clients are required
  • If the service is not GridShib-enabled, the
    X.509-bound SAML token is simply ignored

35
A Grid Authorization Model for Science Gateways
36
The Science Gateway Use Case
  • A browser user authenticates to a grid portal. 
    The portal issues a proxy certificate and
    initiates a grid request on behalf of the user

37
Classic Science Gateway
A science gateway is a convenient intermediary
between a browser user and a grid resource
provider.
[Diagram: the Science Gateway (Web Browser → Web Authn → Web Interface → Webapp → WS GRAM Client, holding the community credential with its key) talks to the Resource Provider (Java WS Container → WS GRAM Service → community account)]
38
Classic Science Gateway
Each gateway is issued a community credential
that uniquely identifies the gateway.
[Diagram: same gateway and resource provider components; the community credential (with key) at the gateway is highlighted]
39
Classic Science Gateway
Resource providers associate the community
credential with a local community account.
[Diagram: same components; the community account at the resource provider is highlighted]
40
Classic Science Gateway
To submit a job, a browser user typically
authenticates to the gateway by presenting a
username and password.
[Diagram: same components; the Web Browser to Web Authn step is highlighted]
41
Classic Science Gateway
The gateway then issues a short-lived proxy
credential signed by its community credential.
[Diagram: same components; a proxy credential (with its own key) now sits beside the community credential at the gateway]
42
Classic Science Gateway
The gateway submits the job on the users behalf,
authenticating as itself to the resource.
[Diagram: same components; the WS GRAM Client sends the proxy certificate to the WS GRAM Service]
43
Classic Science Gateway
The resource authenticates the gateway and maps
the request to the community account based on the
identity in the proxy certificate.
[Diagram: same components; the WS GRAM Service maps the proxy certificate to the community account]
44
Classic Science Gateway
After the job is executed, the result is returned
to the browser user via the gateway web
interface.
[Diagram: same components; the result flows back from the WS GRAM Service through the gateway to the Web Browser]
45
Community Account Model: The Good
  • The Community Account Model
  • simplifies the user experience
  • simplifies gateway implementation and deployment
  • simplifies gridmap file management at the RP
  • A community credential is issued to each gateway
  • A single community account is created at the RP
  • The gateway issues proxy certificates and makes
    grid requests on behalf of the user

46
Community Account Model: The Bad
  • The community account model has some significant
    drawbacks, however:
  • End user identity is unknown to the RP
  • Coarse-grained access control at the resource (by
    design)
  • Awkward approach to auditing and incident
    response
  • In the event of an emergency, the RP is forced to
    disable all access to the community account
  • Less than adequate accounting mechanisms
  • All this can be traced to a single problem...

47
Community Account Model: The Ugly
All requests look exactly the same to the
resource provider!
If the gateway would only pass the user's name
and contact information to the resource provider,
all of the previously mentioned problems would be solved.
48
Grid Authorization Model
  • We describe a grid authorization model that
    significantly increases the information flow
    between a science gateway and a resource provider
  • Extends the Community Account Model
  • Asserts end user identity to the RP
  • Permits fine-grained access control at the RP
  • Provides strong auditing and effective incident
    response
  • Allows dynamic blacklisting of problem accounts
    or runaway processes
  • A lightweight approach that does not require new
    wire protocols or extensive new middleware
    infrastructure
  • Complements existing SAML-based middleware
    infrastructure on today's campuses

49
Grid Authorization Model
  • The proposed model incorporates GridShib SAML
    Tools at the gateway and GridShib for GT at the
    resource provider
  • Using GridShib SAML Tools, the gateway:
    • issues a SAML assertion containing the user's
      authentication context and attributes
    • binds the SAML assertion to a proxy certificate
      signed by the community credential
    • authenticates to the resource by presenting the
      SAML-laden proxy certificate
  • http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

50
[Diagram: a SAML assertion (<saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>) is bound into the gateway's X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway, with key) as X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12]
51
GridShib-enabled Science Gateway
A browser user authenticates to a grid portal.
The portal binds a self-issued SAML assertion to
a proxy certificate and initiates a grid request
on behalf of the user.

52
Grid Authorization Model for Gateways
An enhancement to the community account model
increases the information flow between the
gateway and the resource provider.
[Diagram: the Science Gateway (Web Browser → Web Authn → Web Interface → Webapp → WS GRAM Client, with GridShib SAML Tools, the community credential and key, the username and attributes) and the Resource Provider (Java WS Container with GridShib for GT → WS GRAM Service)]
53
Grid Authorization Model for Gateways
A software component called GridShib SAML Tools
is integrated into the gateway portal environment.
[Diagram: same components; GridShib SAML Tools at the gateway is highlighted]
54
Grid Authorization Model for Gateways
Another software component called GridShib for GT
is deployed at the resource provider.
[Diagram: same components; GridShib for GT inside the resource provider's Java WS Container is highlighted]
55
Grid Authorization Model for Gateways
These two GridShib software components produce
and consume Security Assertion Markup Language
(SAML) tokens.
[Diagram: same components; GridShib SAML Tools (producer) and GridShib for GT (consumer) are highlighted]
56
Grid Authorization Model for Gateways
Again the browser user authenticates to the
gateway by presenting a username and password.
[Diagram: same components; the Web Browser to Web Authn step is highlighted]
57
Grid Authorization Model for Gateways
This time the gateway uses the GridShib SAML
Tools to issue an X.509-bound SAML token.
[Diagram: same components; GridShib SAML Tools uses the community credential to issue a proxy credential (with key) carrying SAML]
58
Grid Authorization Model for Gateways
The SAML token bound to the proxy certificate
contains the name of the end user and other user
attributes (e.g., e-mail).
[Diagram: the proxy credential (issuer: Science Gateway, subject: Science Gateway) carries X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 holding <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>, built from the username and attributes held at the gateway]
59
Grid Authorization Model for Gateways
The gateway authenticates as itself to the
resource provider, presenting the proxy
certificate with bound SAML token.
[Diagram: same components; the WS GRAM Client sends the proxy certificate with bound SAML to the WS GRAM Service]
60
Grid Authorization Model for Gateways
GridShib for GT extracts the SAML token from
the proxy certificate, parses it, and writes the
information to a log file.
[Diagram: same components; GridShib for GT pulls the SAML out of the proxy certificate and writes Logs]
61
Grid Authorization Model for Gateways
The security information in the SAML token is
also used to populate a SAML security context
within the container.
[Diagram: same components; GridShib for GT populates a Security Context inside the container]
62
Grid Authorization Model for Gateways
The service compares the information in the
security context to the blacklist, denying access
if any request info is on the blacklist.
[Diagram: same components; the Security Context is checked against the Blacklist Policy]
63
Grid Authorization Model for Gateways
The service combines the information in the
security context with its access control policy,
allowing access if and only if policy is
satisfied.
[Diagram: same components; the Security Context is checked against the Authz Policy and the Blacklist Policy]
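The decision sequence the preceding slides walk through (trust in the issuing gateway via the SAML Entity Map, the blacklist, then the attribute-based authorization and username-mapping policies) as an added Go example. This is not GridShib for GT's own code, policy language or file format; the entityID, DN, group names and addresses in samplePolicy and sampleContext are hypothetical, and the freshness check on the authentication instant (MaxAuthnAge) is an added caveat the slides do not spell out.

```go
package main

import "time"

// SecurityContext is what GridShib for GT populates from the X.509-bound SAML
// token; the fields follow the "User Attributes" slide.
type SecurityContext struct {
	X509IssuerDN string              // subject DN of the credential that signed the proxy
	EntityID     string              // SAML issuer: the gateway's entityID
	NameID       string              // subject name identifier
	AuthnInstant time.Time           // when the gateway authenticated the user
	IPAddress    string              // browser address as asserted by the gateway
	Attributes   map[string][]string // attribute name -> values
}

// Policy bundles the GS4GT configuration and policy files described above.
type Policy struct {
	EntityMap   map[string]string   // SAML Entity Map: entityID -> trusted X.509 issuer DN
	Blacklist   map[string]bool     // blocked name identifiers and IP addresses
	MaxAuthnAge time.Duration       // oldest authentication instant still accepted (added caveat)
	Require     map[string][]string // authz policy: attribute -> accepted values; all listed attrs required
	Mapping     []MappingRule       // username mapping policy; first matching rule wins
}

type MappingRule struct{ Attribute, Value, LocalUser string }

type Decision struct {
	Permit    bool
	LocalUser string
	Reason    string // logged at the RP, so every deny says why
}

// Decide is a simplified GridShibPDP: issuer trust, blacklist, freshness,
// then the attribute-based authorization and account-mapping policies.
func (p *Policy) Decide(ctx SecurityContext, now time.Time) Decision {
	deny := func(reason string) Decision { return Decision{Reason: reason} }
	// 1. Only gateways in the SAML Entity Map are trusted, and only when that
	//    gateway's own credential is what signed the proxy.
	if dn, ok := p.EntityMap[ctx.EntityID]; !ok || dn != ctx.X509IssuerDN {
		return deny("SAML issuer " + ctx.EntityID + " not trusted for X.509 issuer " + ctx.X509IssuerDN)
	}
	// 2. Blacklist: any listed identifier in the request means deny.
	for _, id := range []string{ctx.NameID, ctx.IPAddress} {
		if p.Blacklist[id] {
			return deny("blacklisted identifier " + id)
		}
	}
	// 3. The gateway did the authentication; refuse stale or future instants.
	if age := now.Sub(ctx.AuthnInstant); age < 0 || age > p.MaxAuthnAge {
		return deny("authentication instant outside the accepted window")
	}
	// 4. Every required attribute must carry at least one accepted value.
	for attr, accepted := range p.Require {
		if !hasAny(ctx.Attributes[attr], accepted) {
			return deny("required attribute not satisfied: " + attr)
		}
	}
	// 5. Attribute-based account mapping replaces the gridmap lookup.
	for _, r := range p.Mapping {
		if hasAny(ctx.Attributes[r.Attribute], []string{r.Value}) {
			return Decision{Permit: true, LocalUser: r.LocalUser, Reason: "mapped by " + r.Value}
		}
	}
	return deny("authorized, but no username mapping applies")
}

func hasAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

const attrIsMemberOf = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" // eduPerson isMemberOf, as on the slides

// samplePolicy and sampleContext are constructed for this example; entityID,
// DN, group names and addresses are hypothetical.
var samplePolicy = &Policy{
	EntityMap:   map[string]string{"https://gateway.example.org/idp": "/C=US/O=Example Gateway/CN=gateway.example.org"},
	Blacklist:   map[string]bool{"mallory@gateway.example.org": true, "192.0.2.99": true},
	MaxAuthnAge: 8 * time.Hour,
	Require:     map[string][]string{attrIsMemberOf: {"group://gateway.example.org/users"}},
	Mapping:     []MappingRule{{attrIsMemberOf, "group://gateway.example.org/admins", "gwadmin"}, {attrIsMemberOf, "group://gateway.example.org/users", "gwuser"}},
}

func sampleContext(nameID, ip string, groups ...string) SecurityContext {
	return SecurityContext{
		X509IssuerDN: "/C=US/O=Example Gateway/CN=gateway.example.org",
		EntityID:     "https://gateway.example.org/idp",
		NameID:       nameID, IPAddress: ip,
		AuthnInstant: time.Now().Add(-10 * time.Minute),
		Attributes:   map[string][]string{attrIsMemberOf: groups},
	}
}
```

The order matters: the issuer check comes first because every later field (NameID, IP address, attributes, authentication instant) is only as trustworthy as the gateway that asserted it, and a blacklist hit is evaluated before any policy so that a blocked user or address is refused regardless of how well their attributes match.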
64
Grid Authorization Model for Gateways
As before, after the service executes the job,
the result is returned to the browser user via
the gateway web interface.
[Diagram: same components; the result flows back from the WS GRAM Service through the gateway to the Web Browser]
65
GridShib-enabled Science Gateway
  • Simple installation and configuration of GridShib
    SAML Tools at the gateway
    • Includes GridShib Security Framework
    • Exposes both a command-line interface and a Java
      API
  • End user identity and contact information (e.g.,
    e-mail) transmitted to RP
  • Pushes much of the responsibility for auditing and
    incident response back onto the RP
  • Big Advantage: No need to shut down the entire
    gateway in the event of an incident!

66
User Attributes
  • Gateway entityID
    • https://gridshib.gisolve.org/idp
  • Subject name identifier
    • trscavo@gisolve.org
  • Authentication statement
    • authentication method: urn:oasis:names:tc:SAML:1.0:am:password
    • authentication instant: 2007-08-02T12:10:34-04:00
    • IP address: 10.81.193.244
  • Attribute statement
    • isMemberOf attribute: group://gisolve.org/gisolve
    • mail attribute: trscavo@gmail.com

67
Configuring GridShib SAML Tools
  • Some information in the SAML token is static
  • Each gateway provides a configuration file that
    customizes the static content of each token
  • http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

    IdP.entityID=https://gridshib.gisolve.org/idp
    NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    NameID.Format.template=PRINCIPAL@gisolve.org
    Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
    Attribute.isMemberOf.Value=group://gisolve.org/gisolve
68
JAR Dependencies
  • Java developers have the following JAR
    dependencies
  • Copy these JARs to WEB-INF/lib

    cog-jglobus.jar
    commons-codec-1.3.jar
    commons-logging.jar
    globus-opensaml-1.1.jar
    gridshib-common-0_4_2.jar
    jce-jdk13-131.jar
    log4j-1.2.8.jar
    xalan.jar
    xercesImpl.jar
    xml-apis.jar
    xmlsec-1.2.1.jar

Endorse! (the XML JARs, xalan.jar, xercesImpl.jar and xml-apis.jar, belong in the JVM's endorsed standards directory so that they override the copies bundled with the JDK)
69
Creating the X.509-bound SAML Token
  • Other content in the SAML token is dynamic
  • GridShib SAML Tools provides a Java API that a
    gateway developer can use to issue SAML tokens
    with dynamic content
  • http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

    GlobusCredential issuingCredential = ...;
    GatewayCredential gc = new GatewayCredential("trscavo");
    gc.setCredential(issuingCredential);
    gc.addEmailAddress("trscavo@gmail.com");
    // compute authnMethod, authnInstant, and ipAddress...
    gc.setAuthnContext(authnMethod, authnInstant, ipAddress);
    GlobusCredential proxy = gc.issue();
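The binding described on the X.509-bound SAML Token slides, together with the issuing step this slide shows through the Java API, as one added Go example covering both sides: the gateway signs a short-lived proxy that carries the assertion in the non-critical extension, and the resource provider extracts the assertion only after checking the signature and validity period. This is not GridShib code. Its assumptions, also marked in the comments: the extension value is taken to be the raw assertion XML (GridShib's real encoding may differ); the community credential is a self-signed, CA-flagged certificate standing in for one issued by the TeraGrid CA, since Go's crypto/x509 does not implement RFC 3820 proxy certificate rules; and the gateway entityID and user in sampleAssertion are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// GridShib's extension OID (from the slides). Assumption made here: the
// extension value is the raw assertion XML (the real encoding may differ).
var oidGridShibSAML = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 3536, 1, 1, 1, 12}

var oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}

// Assertion is the subset of a SAML assertion the consumer reads.
type Assertion struct {
	Issuer string `xml:"Issuer"`
	NameID string `xml:"Subject>NameID"`
}

// Constructed sample assertion (hypothetical gateway entityID and user).
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">` +
	`<saml:Issuer>https://gateway.example.org/idp</saml:Issuer><saml:Subject>` +
	`<saml:NameID>alice@gateway.example.org</saml:NameID></saml:Subject></saml:Assertion>`

func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCommunityCredential stands in for the gateway's TeraGrid-CA-issued community
// credential. Simplification: self-signed and CA-flagged so that crypto/x509 can
// check the proxy signature (it does not implement the RFC 3820 proxy rules).
func NewCommunityCredential(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueBoundProxy is the gateway side (the gridshib-saml-issuer step): a short-lived
// proxy whose subject is the community subject plus a /CN=<serial> component, with
// the assertion bound in a non-critical extension. The proxy key is dropped here.
func IssueBoundProxy(community *x509.Certificate, key *ecdsa.PrivateKey, saml string, ttl time.Duration) (*x509.Certificate, error) {
	proxyKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial := big.NewInt(time.Now().UnixNano())
	subject := pkix.Name{ExtraNames: []pkix.AttributeTypeAndValue{
		{Type: oidCN, Value: community.Subject.CommonName}, {Type: oidCN, Value: serial.String()}}}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		// Non-critical: a service without GridShib for GT simply ignores it.
		ExtraExtensions: []pkix.Extension{{Id: oidGridShibSAML, Critical: false, Value: []byte(saml)}},
	}
	return sign(tmpl, community, &proxyKey.PublicKey, key)
}

// ExtractBoundAssertion is the resource-provider side (GridShib for GT, before it
// populates the security context): accept the token only from a proxy signed by
// the trusted community credential and valid at now, then parse the assertion.
func ExtractBoundAssertion(proxy, community *x509.Certificate, now time.Time) (*Assertion, error) {
	if err := proxy.CheckSignatureFrom(community); err != nil {
		return nil, fmt.Errorf("proxy not signed by community credential: %w", err)
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) {
		return nil, fmt.Errorf("proxy certificate outside its validity period")
	}
	var a Assertion
	for _, ext := range proxy.Extensions {
		if ext.Id.Equal(oidGridShibSAML) {
			if err := xml.Unmarshal(ext.Value, &a); err != nil || a.NameID == "" {
				return nil, fmt.Errorf("malformed SAML assertion: %v", err)
			}
			return &a, nil
		}
	}
	return nil, fmt.Errorf("no X.509-bound SAML token in proxy certificate")
}
```

A gateway calls NewCommunityCredential once and IssueBoundProxy once per request; the resource provider calls ExtractBoundAssertion. A proxy signed by any other key, an expired proxy, or an assertion without a subject NameID is rejected before anything reaches the security context, which is the property that lets the RP treat the NameID as the gateway's word rather than the client's.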
70
GridShib-enabled Resource Provider
  • The end user and the end users contact
    information (and other attributes) are logged
  • Effective auditing and incident response
  • Blacklist an IP address or name identifier on
    demand
  • Exposes a SAML security context
  • Fine-grained, attribute-based access control

71
Comparison with VOMS
  • Virtual Organization Membership Service
  • The most successful grid authorization model
    today
  • VOMS binds X.509 attribute certificates (instead
    of SAML) to proxy certificates
  • VOMS requires the requester to be the subject:
    VOMS will not issue an AC to a requester acting
    on behalf of the subject
  • Therefore, a gateway cannot call out to a VOMS
    server to obtain attributes for a user
  • Conclusion: VOMS cannot be used as a basis for
    gateway security

72
Integration with TeraGrid Central Database
The GridShib-enhanced community account model
permits fine-grained access control and effective
incident response at the resource.
[Diagram: Resource Provider running a Java WS Container (with GridShib for GT): the GridShib SAML PIP builds the Security Context for the WS GRAM Service, with Logs and Policy; a Security table and a GRAM audit table feed an AMIE upload to the TGCDB]
73
Integration with TeraGrid Central Database
Since each request is now associated with a
unique end user, we push job info to TeraGrid
Central for improved auditing and accounting.
[Diagram: same TGCDB integration diagram]
74
Integration with TeraGrid Central Database
First, the security context associated with each
incoming request is captured in a security table.
[Diagram: same TGCDB integration diagram; the Security table is highlighted]
75
Integration with TeraGrid Central Database
Likewise the disposition of every job request is
captured in an enhanced GRAM audit table.
[Diagram: same TGCDB integration diagram; the GRAM audit table is highlighted]
76
Integration with TeraGrid Central Database
An AMIE process joins these two tables and pushes
an information packet to the TeraGrid Central
Database.
[Diagram: same TGCDB integration diagram; the AMIE upload to the TGCDB is highlighted]
77
Integration with TeraGrid Central Database
A gateway can query the TGCDB for individual
accounting records, permitting fine-grained
accounting at the gateway.
[Diagram: same TGCDB integration diagram; the gateway's query of the TGCDB is highlighted]
78
Integration with TeraGrid Central Database
TeraGrid administrators can query the TGCDB for
aggregate accounting data for the purposes of NSF
reporting and planning.
[Diagram: same TGCDB integration diagram; the administrators' query of the TGCDB is highlighted]
79
Gateway Job Accounting
[Diagram courtesy of Stu Martin, TeraGrid Resource Provider (RP): the Client / Gateway creates a job at the GT4 Java Container (Create Job / Get EPR, then Control Job with EPR; MJFS, MEJS, Core, Delegation and RFT, which write the Core Audit Table, Deleg Audit Table, RFT Audit Table and GRAM Audit Table); via sudo and the RM adapter the job reaches the Resource Manager (RM log, SEG, User Job(s), RM Accounting); OGSA DAI sits over the audit tables; Local AMIE Accounting gets the unique user ID, locally converts the EPR to a Grid JID, queries RM Accounting using the Grid JID, receives the accounting record, and performs the AMIE upload to the Central TG Accounting DB]
  • No changes required to AMIE
  • DAI provides virtualization for audit and accounting DBs
80
Benefits of TGCDB Integration
  • The gateway can query the TGCDB (via OGSA-DAI)
    and implement local, fine-grained accounting
    mechanisms
  • TeraGrid administrators can obtain aggregate
    accounting data for NSF reporting and planning

81
TeraGrid Deployment Strategy
  • GridShib SAML Tools at the Gateway
  • http//www.teragridforum.org/mediawiki/index.php?t
    itleScience_Gateway_Credential_with_Attributes
  • GridShib for GT at the RP
  • Integrate GS4GT into CTSS4
  • Integrate with TeraGrid Central Database
  • Retrofit GRAM 4.0 Audit with end user identity
  • Assist with the design and implementation of GRAM
    4.2 Audit (in particular, the security table)

82
A Federated Identity Model for Science Gateways
83
Federated Identity
  • The long term vision is to introduce federated
    identity at the science gateway
  • Shibboleth, an open-source implementation of the
    SAML Browser Profiles, provides
  • Ubiquity
  • Manageability
  • Usability
  • Security
  • Since Shibboleth is based on SAML, our model
    complements existing campus infrastructure

84
It is well-known that password management at the
gateway is a significant administrative burden
for both the gateway and the end user.
[Diagram: the GridShib-enabled gateway as before: Web Browser → Web Authn → Web Interface → Webapp → WS GRAM Client, with GridShib SAML Tools, the community credential and key, the username and attributes; the Resource Provider runs the Java WS Container (with GridShib for GT), the GridShib SAML PIP and the WS GRAM Service]
85
SAML Identity Provider
To avoid having to manage passwords at the
gateway, we propose a federated identity solution
on the browser-facing side of the gateway.
[Diagram: Web Authn moves out of the gateway to a SAML Identity Provider; the gateway's Web Interface is now fronted by a SAML Service Provider; Webapp, WS GRAM Client, GridShib SAML Tools, the username and attributes remain at the gateway, and the Java WS Container (with GridShib for GT), GridShib SAML PIP and WS GRAM Service at the Resource Provider]
86
SAML Identity Provider
A third-party Identity Provider on each campus
manages user identity and credentials.
[Diagram: same federated components; the campus SAML Identity Provider (with Web Authn) is highlighted]
87
SAML Identity Provider
The gateway, which is protected by a Service
Provider, trusts the Identity Provider to
authenticate the browser user.
[Diagram: same federated components; the SAML Service Provider in front of the gateway is highlighted]
88
SAML Identity Provider
Since we're already invested in SAML on the back
end, we prefer an implementation of the standard
SAML browser profiles (such as Shibboleth).
[Diagram: same federated components]
89
SAML Identity Provider
A browser user authenticates to their preferred
campus Identity Provider instead of the science
gateway.
[Diagram: same federated components; the Web Browser authenticates (Web Authn) to the SAML Identity Provider]
90
SAML Identity Provider
The SAML Identity Provider issues a SAML token
that the user transmits to the gateway via the
browser.
[Diagram: same federated components; the SAML Identity Provider returns a SAML Assertion to the Web Browser]
91
SAML Identity Provider
The SAML Service Provider protecting the gateway
consumes the SAML token in lieu of a
username/password.
[Diagram: same federated components; the Web Browser delivers the SAML Assertion to the SAML Service Provider]
92
The gateway issues a combined SAML token
containing both campus attributes and local
attributes.
[Diagram: Web Browser; SAML Identity Provider; Science Gateway (SAML Service Provider, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools fed with username and attributes; proxy credential holding SAML and Key; community credential holding Key); Resource Provider (Java WS Container with GridShib for GT, GridShib SAML PIP, WS GRAM Service); flow labels: WebAuthn, SAML Assertion]
93
The gateway authenticates as itself to the
resource provider, presenting the combined
X.509-bound SAML token.
[Diagram: Web Browser; SAML Identity Provider; Science Gateway (SAML Service Provider, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools fed with username and attributes; proxy credential holding SAML and Key; community credential holding Key); Resource Provider (Java WS Container with GridShib for GT, GridShib SAML PIP, WS GRAM Service); flow labels: WebAuthn, SAML Assertion, proxy certificate carrying SAML (gateway to Resource Provider)]
94
Since the gateway did not authenticate the end
user directly, the resource provider must decide
if it trusts the combined SAML token.
[Diagram: Web Browser; SAML Identity Provider; Science Gateway (SAML Service Provider, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools fed with username and attributes; proxy credential holding SAML and Key; community credential holding Key); Resource Provider (Java WS Container with GridShib for GT, GridShib SAML PIP, WS GRAM Service, Security Context, Logs); flow labels: WebAuthn, SAML Assertion, proxy certificate carrying SAML]
95
In the case of federated identity, access control
policy at the resource provider is more complex
since a third security domain is involved.
[Diagram: Web Browser; SAML Identity Provider; Science Gateway (SAML Service Provider, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools fed with username and attributes; proxy credential holding SAML and Key; community credential holding Key); Resource Provider (Java WS Container with GridShib for GT, GridShib SAML PIP, WS GRAM Service, Security Context, Authz Policy, Blacklist Policy, Logs); flow labels: WebAuthn, SAML Assertion, proxy certificate carrying SAML]
96
SAML Web Browser SSO closes the loop for complete
end-to-end flow of security information
[Diagram: Web Browser; SAML Identity Provider; Science Gateway (SAML Service Provider, Web Interface, Webapp, WS GRAM Client, GridShib SAML Tools fed with username and attributes; proxy credential holding SAML and Key; community credential holding Key); Resource Provider (Java WS Container with GridShib for GT, GridShib SAML PIP, WS GRAM Service, Security Context, Authz Policy, Blacklist Policy, Logs); flow labels: WebAuthn, SAML Assertion, proxy certificate carrying SAML]
97
Federated Identity Model for Gateways
[Diagram: Browser; Shibboleth Identity Provider (Shibboleth SSO Service, GridShib-enabled Attribute Service); TeraGrid Science Gateway (Shib-enabled Grid Portal, GridShib-enabled Grid Client holding an X.509 end entity credential and Key); GridShib-enabled Grid SP; message flows labelled A through D carrying SAML Request, SAML Assertion and response]
98
Birds-of-a-Feather Session
99
Discussion Topic 1
  • Is your gateway infrastructure built on a JEE
    portal framework?
  • If so, which one?
  • If not, what application server do you use?

100
Discussion Topic 2
  • Is your gateway security framework built on the
    community credential model?
  • If not, describe your security framework.

101
Discussion Topic 3
  • Do you use MyProxy?
  • If not, is the community credential stored in the
    file system?

102
Discussion Topic 4
  • In your application server environment, how easy
    is it to obtain the following information:
  • Username
  • Authentication instant
  • IP address
  • E-mail address
  • Does your portal framework provide an API to
    obtain this information or do you have to query a
    database?

103
Discussion Topic 5
  • Does your gateway control its own DNS domain?
  • If not, what is the URL of your gateway?

104
Summary
  • Using GridShib SAML Tools, science gateways send
    user attributes to resource providers
  • Using GridShib for GT, resource providers use
    these attributes to perform auditing, incident
    response, and attribute-based access control
  • The TeraGrid central database captures
    TeraGrid-wide accounting data

105
Acknowledgments
  • GridShib Project PIs
  • Von Welch, Tom Barton, Kate Keahey, Frank
    Siebenlist
  • GridShib Developers
  • Rachana Ananthakrishnan, Jim Basney, Terry
    Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
  • The GridShib work was funded by the NSF National
    Middleware Initiative (NMI awards 0438424 and
    0438385). Opinions and recommendations in this
    paper are those of the authors and do not
    necessarily reflect the views of NSF.
  • The Science Gateway integration work is funded by
    the NSF TeraGrid Grid Integration Group through a
    sub-award to NCSA.

Thank You!