Title: TeraGrid 08, The Third Annual TeraGrid Conference, Las Vegas, NV, June 9-13, 2008
Slide 1: TeraGrid 08, The Third Annual TeraGrid Conference, Las Vegas, NV, June 9-13, 2008
- Tom Scavo, Jim Basney, Terry Fleury, Von Welch
- National Center for Supercomputing Applications
- University of Illinois at Urbana-Champaign
Slide 2: Tutorial: Science Gateways, Security, and GridShib
- TeraGrid 08, June 9, 2008
Slide 3: Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways
- TeraGrid 08, June 11, 2008
Slide 4: Science Gateways Working Group Session
- TeraGrid 08, June 12, 2008
Slide 5: GridShib @ TeraGrid 08
- Tutorial: Science Gateways, Security, and GridShib - Mon, 8:00am-12:00pm
- Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways - Wed, 5:30-6:30pm
- Poster Session: A Federated Identity Model for Science Gateways - Wed, 6:30-8:30pm
- Science Gateways Working Group Session - Thu, 3:00-4:30pm
Slide 6: Definition of Terms
Shib ≠ GridShib (Shibboleth and GridShib are distinct pieces of software; GridShib makes Globus and Shibboleth interoperate)
Slide 7: Grid Security Infrastructure (GSI)
Slide 8: Grid Authentication
- Traditionally, grid authentication has been via trusted X.509 identity certificates
- GSI relies heavily on X.509 proxy certificates
- A proxy cert is a short-lived certificate signed with the private key of the user's identity certificate (or of an earlier proxy in the chain)
- Multiple GSI authentication mechanisms:
  - GSI Transport (SSL/TLS)
  - GSI Secure Message (WS-Security)
  - GSI Secure Conversation (WS-SecureConversation)
Slide 9: The Classic Grid Use Case
A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.
Slide 10: Issue a Proxy Certificate
[Diagram: the end user's X.509 end-entity credential (issuer: Certification Authority, subject: End User) and its private key are used by grid-proxy-init or myproxy-logon to produce an X.509 proxy credential (issuer: End User, subject: End User) with its own key]
Slide 11: Classic GSI
[Diagram: on the GT4 client, a Globus WS client holds an X.509 proxy credential (certificate plus key) and presents the X.509 proxy certificate to a Globus web service in the GT4 server's Java WS container; the service authorizes the request against a gridmap]
Slide 12: Identity-based Access Control
- The distinguished name (DN) in the proxy certificate (more precisely, the identity DN of the end-entity certificate the proxy chains to) is used as the basis for coarse-grained access control
- If the subject DN is in an access control list called a gridmap file, access is allowed
- A gridmap file also maps DNs to usernames
- Associated with each DN are zero or more local usernames
- GRAM, for example, requires a local account in which to run a job request
Slide 13: Gridmap File
- The gridmap has a flat file format: DN -> user0, user1, ..., user(n-1)
- The gridmap has dual functions:
  - Authorization policy
  - Username mapping policy
- A single gridmap file serves both functions
- Identity-based gridmap files trade off flexibility and scalability for simplicity
[Diagram: gridmap file contents: DN1 username1, DN2 username2]
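As an added illustration (not part of the original slides, and written in Python rather than the Globus C/Java code), here is a parser for the gridmap format that exercises both of its roles: the DN lookup as an access-control decision, and the DN-to-account mapping that GRAM needs. The file contents and DNs are constructed for the example. The proxy-CN stripping in identity_dn is a simplification of the identity that GSI establishes after validating a proxy chain, and treating the first listed account as the default follows the Globus convention.

```python
"""Parse a Globus gridmap file and use it for both of its jobs: authorization and account mapping."""
import re
import shlex
from typing import Dict, List, Optional

# Constructed sample gridmap (not taken from the slides). Format: "quoted DN" user1,user2,...
GRIDMAP_TEXT = '''
# identity DN                                                           local account(s)
"/C=US/O=National Center for Supercomputing Applications/CN=Tom Scavo" trscavo,tscavo
"/C=US/O=TeraGrid/OU=Science Gateway/CN=gisolve.org" gisolve
'''

# Trailing CN components that mark a (legacy or numbered) proxy certificate; simplified.
PROXY_CN = re.compile(r"/CN=(proxy|limited proxy|\d+)$")


def parse_gridmap(text: str) -> Dict[str, List[str]]:
    """Return {identity DN: [local usernames]} from gridmap text; '#' lines are comments."""
    entries: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the DN is double-quoted because it contains spaces
        if len(parts) != 2:
            raise ValueError(f"malformed gridmap line: {raw!r}")
        dn, users = parts
        entries[dn] = [u for u in users.split(",") if u]
    return entries


def identity_dn(proxy_subject: str) -> str:
    """Strip proxy CN components so the lookup key is the end-entity DN, as GSI does after chain validation."""
    dn = proxy_subject
    while PROXY_CN.search(dn):
        dn = PROXY_CN.sub("", dn)
    return dn


def authorize(gridmap: Dict[str, List[str]], subject_dn: str) -> bool:
    """Authorization policy: the identity DN must appear in the file."""
    return identity_dn(subject_dn) in gridmap


def map_account(gridmap: Dict[str, List[str]], subject_dn: str,
                requested: Optional[str] = None) -> Optional[str]:
    """Username mapping policy: the first listed account is the default; a requested
    account is honoured only if it is one of the DN's allowed accounts."""
    users = gridmap.get(identity_dn(subject_dn))
    if not users:
        return None
    if requested is None:
        return users[0]
    return requested if requested in users else None
```

Note that a DN absent from the file is both unauthorized and unmappable; the same line answers both questions, which is exactly the coupling the slide calls a trade of flexibility for simplicity.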
Slide 14: GridShib-enabled GSI
Slide 15: GridShib Project
- The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids
- GridShib software allows Globus Toolkit and Shibboleth to interoperate
- Classic GridShib (circa 2004-2005) pulls attributes from a Shibboleth Attribute Service
- The current emphasis is on browser users and attribute push, specifically the TeraGrid Science Gateway Use Case
Slide 16: GridShib Software
- GridShib for GT
  - Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools
  - Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed
- GridShib for Shibboleth
  - Responds to attribute queries from GridShib for GT
- GridShib CA
  - Issues short-lived X.509 credentials to browser users
- GridShib SAML Tools
  - Issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates
Slide 18: GridShib SAML Tools
- The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
- Binds a SAML assertion to an X.509 proxy certificate
- The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Certificate Token Profile)
- Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens
- GS-ST is a SAML producer
Slide 19: GS-ST Features
- Easily installed and configured
- Binds arbitrary content (not just SAML) to a non-critical certificate extension
- Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
- CLI with shell scripts (UNIX and Windows)
- Includes a Java API for portal developers
- Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1
Slide 20: GS-ST Function
- Bind a SAML assertion to a non-critical X.509v3 certificate extension
- We call this an X.509-bound SAML token
Slide 21: (Issuing a gateway proxy)
[Diagram: the gateway's X.509 community credential (issuer: TeraGrid CA, subject: Science Gateway) and its key are used by grid-proxy-init to produce an X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway) with its own key]
Slide 22: (Binding SAML to the gateway proxy)
[Diagram: as on slide 21; gridshib-saml-issuer then produces an X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway) that carries X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 containing
  <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>
together with its key]
Slide 23: X.509-bound SAML Token
- GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based grids
- The SAML token is bound to a non-critical X.509v3 certificate extension
[Diagram: X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway) with X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 containing
  <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>
plus the private key]
Slide 24: WS-Security Token Profiles
- OASIS WS-Security Technical Committee:
  - WSS X.509 Certificate Token Profile [1]
  - WSS SAML Token Profile
- Globus implements the former
- We define a new token type: the X.509-bound SAML Token
- An implementation of [1] automatically handles X.509-bound SAML tokens, since the assertion travels inside an ordinary X.509 certificate
- No new wire protocols are needed!
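The two properties slides 23 and 24 rely on, that the assertion lives in a non-critical X509v3 extension and that any X.509-aware endpoint can therefore carry or ignore it, come down to a few bytes of DER. As an added example (not code from the original slides or from GridShib; Python rather than the project's Java), the block below builds that extension by hand and reads it back. The OID is the arc printed on the slides; the assertion text is a constructed sample, and placing the raw assertion XML directly in the OCTET STRING value is an assumption about the encoding rather than a statement of the GridShib wire format.

```python
"""Build and read the non-critical X.509v3 extension that carries an X.509-bound SAML token."""
import xml.etree.ElementTree as ET
from typing import Tuple

SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.12"          # extension arc shown on the slides
SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample assertion; a real one is larger and carries an XML signature.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML2}" Version="2.0" ID="_1" IssueInstant="2008-06-09T12:00:00Z">'
    '<saml:Issuer>https://gridshib.gisolve.org/idp</saml:Issuer>'
    '<saml:Subject><saml:NameID>trscavo</saml:NameID></saml:Subject>'
    '</saml:Assertion>'
)


def der_length(n: int) -> bytes:
    """DER length: one byte below 128, otherwise 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value


def der_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return der_tlv(0x06, bytes(out))


def build_extension(assertion_xml: str, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER forbids encoding a value equal to its DEFAULT, so the BOOLEAN is present only when critical."""
    body = der_oid(SAML_EXT_OID)
    if critical:
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, assertion_xml.encode("utf-8"))  # assumption: value is the raw assertion XML
    return der_tlv(0x30, body)


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def parse_extension(der: bytes) -> Tuple[str, bool, str]:
    """Return (oid, critical, extension value as text) from a DER-encoded Extension."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("extension is not a SEQUENCE")
    tag, oid_raw, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("expected extnID OBJECT IDENTIFIER")
    critical = False
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                      # optional critical flag present
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected extnValue OCTET STRING")
    return decode_oid(oid_raw), critical, val.decode("utf-8")


def name_id_from_extension(der: bytes) -> str:
    """What a GridShib-aware consumer does: pull the assertion out and read its NameID."""
    oid, _, xml = parse_extension(der)
    if oid != SAML_EXT_OID:
        raise ValueError(f"not an X.509-bound SAML extension: {oid}")
    node = ET.fromstring(xml).find(f".//{{{SAML2}}}NameID")
    if node is None or not node.text:
        raise ValueError("assertion has no NameID")
    return node.text


def legacy_verifier_accepts(der: bytes, known_oids=()) -> bool:
    """RFC 5280 rule a GridShib-unaware GSI endpoint follows: an unrecognised extension is fatal only if critical."""
    oid, critical, _ = parse_extension(der)
    return oid in known_oids or not critical
```

legacy_verifier_accepts is the reason slide 34 can say the token "is simply ignored" by a service that is not GridShib-enabled: the same bytes, marked critical, would make every non-GridShib endpoint reject the certificate.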
Slide 25: Security Tokens
[Diagram: two SOAP envelopes side by side. X.509 Token: the SOAP header carries an X.509 certificate, followed by the SOAP body. SAML Token: the SOAP header carries a SAML assertion, followed by the SOAP body.]
Slide 26: Security Tokens
[Diagram: three SOAP envelopes side by side. X.509 Token: X.509 certificate in the SOAP header. SAML Token: SAML assertion in the SOAP header. X.509-bound SAML Token: an X.509 certificate in the SOAP header with the SAML assertion carried inside the certificate. Each is followed by the SOAP body.]
Slide 27: GridShib-enabled GSI
A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf.
Slide 28: GridShib for GT
- GridShib for GT (GS4GT) is a plug-in for GT 4.x
- GS4GT is compatible with both GT 4.0 and 4.2
- GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids
- GS4GT is a SAML consumer
- Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids
Slide 29: GS4GT Features
- Introduces attribute-based authorization into GT
- Exposes a single comprehensive policy decision point called the GridShibPDP
- Implements an attribute push model
- Restricts access based on blacklists of IP addresses and/or name identifiers
- Provides attribute-based account mapping
- Supports optional gridmap short-circuiting
- Defines an attribute-based authorization policy language (in XML)
Slide 30: GridShib-enabled GSI
[Diagram: on the GT4 client, the Globus WS client uses GridShib SAML Tools to bind SAML to a proxy credential derived from its end-entity credential and presents the SAML-bearing proxy certificate. On the GT4 server, the Java WS Container (with GridShib for GT) runs the GridShib SAML PIP, which populates a Security Context and writes Logs; the Globus web service is guarded by the Authz Policy and Blacklist Policy.]
Slide 31: GS4GT Configuration Files
- GridShib SAML Entity Map
  - The SAML Entity Map maps SAML issuers (entityIDs) to X.509 issuers (DNs)
  - A SAML issuer listed in this file is trusted
  - The SAML Entity Map will be replaced by SAML Metadata (XML)
  [Format: entityID1 DN1, entityID2 DN2, ...]
- GridShib Blacklist Policy
  - A blacklist is a list of identifiers (SAML identifiers or subject DNs)
  - A user whose identifier is on the blacklist will be denied access
  - The flat-file blacklist will be replaced by a database table
  [Format: identifier1, identifier2, ...]
Slide 32: GS4GT Policy Files
[Diagram: the Globus gridmap file (DN1 username1, DN2 username2) alongside the GridShib Authz Policy and the GridShib Mapping Policy]
Slide 33: GS4GT Policy Files
- Two separate attribute-based policy files:
  - Authorization Policy: a set of attributes A0, A1, ..., A(m-1) that the requester must satisfy
  - Username Mapping Policy: attribute sets mapped to local accounts, e.g. A0, A1, ..., A(m1-1) -> user0, user1, ..., user(n1-1) and A0, A1, ..., A(m2-1) -> user0, user1, ..., user(n2-1)
- A single XML-based policy file may encapsulate both types of policies
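Slides 29 through 33 list the inputs the GridShibPDP combines (entity map, blacklist, gridmap short-circuit, authorization policy, mapping policy) without showing the decision in one place. As an added example (not GS4GT's own code, which is Java and uses an XML policy language; this is a Python model), the block below evaluates a request's security context against all five. The configuration values are constructed, the evaluation order (trust the assertion, then blacklist, then gridmap short-circuit, then attribute policy, then mapping) is an assumption about GS4GT, and `gateway_request` just builds a context the way a gateway-signed proxy would present it.

```python
"""Resource-provider side: turn a validated proxy chain plus its bound SAML token into an access decision."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityContext:
    issuer_dn: str                           # DN of the credential that signed the proxy
    subject_dn: str                          # identity DN established by GSI chain validation
    saml_issuer: Optional[str] = None        # entityID from the bound assertion, if one is present
    name_id: Optional[str] = None
    ip_address: Optional[str] = None
    attributes: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    local_user: Optional[str]
    reason: str


ISMEMBEROF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
GATEWAY_DN = "/C=US/O=TeraGrid/OU=Science Gateway/CN=gisolve.org"   # constructed community DN

# Constructed RP configuration modelled on slides 31-33.
ENTITY_MAP = {"https://gridshib.gisolve.org/idp": GATEWAY_DN}        # SAML issuer -> X.509 issuer
BLACKLIST = {"mallory@gisolve.org", "10.81.193.99"}                  # name identifiers, DNs or IPs
GRIDMAP = {"/C=US/O=NCSA/CN=Tom Scavo": ["trscavo"]}                 # identity-based accounts
AUTHZ_POLICY = {ISMEMBEROF: {"group://gisolve.org/gisolve"}}         # required attribute values
MAPPING_POLICY: List[Tuple[Dict[str, Set[str]], List[str]]] = [      # first matching rule wins
    ({ISMEMBEROF: {"group://gisolve.org/gisolve-admin"}}, ["gisolve-admin"]),
    ({ISMEMBEROF: {"group://gisolve.org/gisolve"}}, ["gisolve"]),
]


def satisfies(attrs: Dict[str, Set[str]], required: Dict[str, Set[str]]) -> bool:
    """Every required attribute must be present with at least one of the listed values."""
    return all(attrs.get(name, set()) & values for name, values in required.items())


def saml_trusted(ctx: SecurityContext, entity_map: Dict[str, str]) -> bool:
    """The assertion counts only if its issuer is in the entity map AND that entry names
    the very credential that signed the proxy; otherwise anyone could mint assertions."""
    return ctx.saml_issuer is not None and entity_map.get(ctx.saml_issuer) == ctx.issuer_dn


def decide(ctx: SecurityContext, *, entity_map=ENTITY_MAP, blacklist=BLACKLIST, gridmap=GRIDMAP,
           authz=AUTHZ_POLICY, mapping=MAPPING_POLICY, gridmap_short_circuit=True) -> Decision:
    if not saml_trusted(ctx, entity_map):
        ctx = SecurityContext(ctx.issuer_dn, ctx.subject_dn)   # drop the assertion: classic GSI only
    for ident in (ctx.subject_dn, ctx.name_id, ctx.ip_address):
        if ident is not None and ident in blacklist:
            return Decision(False, None, f"blacklisted: {ident}")
    if gridmap_short_circuit and ctx.subject_dn in gridmap:
        return Decision(True, gridmap[ctx.subject_dn][0], "gridmap")
    if ctx.saml_issuer is None:
        return Decision(False, None, "no trusted attributes and subject DN not in gridmap")
    if not satisfies(ctx.attributes, authz):
        return Decision(False, None, "authorization policy not satisfied")
    for required, users in mapping:
        if satisfies(ctx.attributes, required):
            return Decision(True, users[0], "mapping policy")
    return Decision(False, None, "authorized but no mapping rule matched")


def gateway_request(name_id: str, ip: str, groups, issuer="https://gridshib.gisolve.org/idp") -> SecurityContext:
    """Constructed request as a gateway presents it: community credential signs the proxy, SAML inside."""
    return SecurityContext(GATEWAY_DN, GATEWAY_DN, issuer, name_id, ip, {ISMEMBEROF: set(groups)})
```

One deployment check falls out of the model: if the gateway's community DN is left in the gridmap with short-circuiting on, every gateway request is allowed on identity alone and the attribute policy is never consulted. Either remove the community DN from the gridmap or disable short-circuiting for GridShib-enabled services.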
Slide 34: Summary
- Fine-grained, attribute-based authorization
- Introduces X.509-bound SAML tokens
- Works at both the transport level and the message level
- No modifications to GT clients are required
- If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored
Slide 35: A Grid Authorization Model for Science Gateways
Slide 36: The Science Gateway Use Case
A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.
Slide 37: Classic Science Gateway
A science gateway is a convenient intermediary between a browser user and a grid resource provider.
[Diagram, slides 37-44: Web Browser -> (WebAuthn) -> Science Gateway (Web Interface, Webapp, WS GRAM Client, community credential with key) -> Resource Provider (Java WS Container, WS GRAM Service, community account). Later slides add the proxy credential issued at the gateway and the proxy certificate presented to the resource provider.]
Slide 38: Classic Science Gateway
Each gateway is issued a community credential that uniquely identifies the gateway.
Slide 39: Classic Science Gateway
Resource providers associate the community credential with a local community account.
Slide 40: Classic Science Gateway
To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
Slide 41: Classic Science Gateway
The gateway then issues a short-lived proxy credential signed by its community credential.
Slide 42: Classic Science Gateway
The gateway submits the job on the user's behalf, authenticating as itself to the resource.
Slide 43: Classic Science Gateway
The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
Slide 44: Classic Science Gateway
After the job is executed, the result is returned to the browser user via the gateway web interface.
Slide 45: Community Account Model: The Good
- The Community Account Model:
  - simplifies the user experience
  - simplifies gateway implementation and deployment
  - simplifies gridmap file management at the RP
- A community credential is issued to each gateway
- A single community account is created at the RP
- The gateway issues proxy certificates and makes grid requests on behalf of the user
Slide 46: Community Account Model: The Bad
- The community account model has some significant drawbacks, however:
  - End user identity is unknown to the RP
  - Coarse-grained access control at the resource (by design)
  - Awkward approach to auditing and incident response
  - In the event of an emergency, the RP is forced to disable all access to the community account
  - Less than adequate accounting mechanisms
- All this can be traced to a single problem...
Slide 47: Community Account Model: The Ugly
All requests look exactly the same to the resource provider!
If the gateway would only pass the user's name and contact information to the resource provider, all previously mentioned problems would be solved.
Slide 48: Grid Authorization Model
- We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
  - Extends the Community Account Model
  - Asserts end user identity to the RP
  - Permits fine-grained access control at the RP
  - Provides strong auditing and effective incident response
  - Allows dynamic blacklisting of problem accounts or runaway processes
- A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
- Complements existing SAML-based middleware infrastructure on today's campuses
Slide 49: Grid Authorization Model
- The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
- Using GridShib SAML Tools, the gateway:
  - issues a SAML assertion containing the user's authentication context and attributes
  - binds the SAML assertion to a proxy certificate signed by the community credential
  - authenticates to the resource by presenting the SAML-laden proxy certificate
- http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
Slide 50: (Before and after binding)
[Diagram: left, an X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway) with its key and, separately, the assertion <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>; right, the same proxy credential with that assertion bound in X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12]
Slide 51: GridShib-enabled Science Gateway
A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.
Slide 52: Grid Authorization Model for Gateways
An enhancement to the community account model increases the information flow between the gateway and the resource provider.
[Diagram, slides 52-64: Web Browser -> (WebAuthn) -> Science Gateway (Web Interface, Webapp holding the username and attributes, GridShib SAML Tools, WS GRAM Client, community credential with key) -> Resource Provider (Java WS Container with GridShib for GT, WS GRAM Service). Successive slides add the SAML-bearing proxy credential at the gateway, the proxy certificate with SAML presented to the RP, and at the RP the Logs, Security Context, Blacklist Policy and Authz Policy.]
Slide 53: Grid Authorization Model for Gateways
A software component called GridShib SAML Tools is integrated into the gateway portal environment.
Slide 54: Grid Authorization Model for Gateways
Another software component called GridShib for GT is deployed at the resource provider.
Slide 55: Grid Authorization Model for Gateways
These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.
Slide 56: Grid Authorization Model for Gateways
Again the browser user authenticates to the gateway by presenting a username and password.
Slide 57: Grid Authorization Model for Gateways
This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.
Slide 58: Grid Authorization Model for Gateways
The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).
[Inset: X.509 proxy credential (issuer: Science Gateway, subject: Science Gateway), X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12: <saml:Assertion><saml:NameID>trscavo</saml:NameID></saml:Assertion>]
Slide 59: Grid Authorization Model for Gateways
The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.
Slide 60: Grid Authorization Model for Gateways
GridShib for GT extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.
Slide 61: Grid Authorization Model for Gateways
The security information in the SAML token is also used to populate a SAML security context within the container.
Slide 62: Grid Authorization Model for Gateways
The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
Slide 63: Grid Authorization Model for Gateways
The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.
Slide 64: Grid Authorization Model for Gateways
As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.
Slide 65: GridShib-enabled Science Gateway
- Simple installation and configuration of GridShib SAML Tools at the gateway
  - Includes the GridShib Security Framework
  - Exposes both a command-line interface and a Java API
- End user identity and contact information (e.g., e-mail) transmitted to the RP
- Pushes much of the responsibility for auditing and incident response back onto the RP
- Big advantage: no need to shut down the entire gateway in the event of an incident!
Slide 66: User Attributes
- Gateway entityID: https://gridshib.gisolve.org/idp
- Subject name identifier: trscavo@gisolve.org
- Authentication statement:
  - authentication method: urn:oasis:names:tc:SAML:1.0:am:password
  - authentication instant: 2007-08-02T12:10:34-04:00
  - IP address: 10.81.193.244
- Attribute statement:
  - isMemberOf attribute: group://gisolve.org/gisolve
  - mail attribute: trscavo@gmail.com
Slide 67: Configuring GridShib SAML Tools
- Some information in the SAML token is static
- Each gateway provides a configuration file that customizes the static content of each token
- http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

    IdP.entityID=https://gridshib.gisolve.org/idp
    NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
    NameID.Format.template=PRINCIPAL@gisolve.org
    Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
    Attribute.isMemberOf.Value=group://gisolve.org/gisolve

(urn:oid:1.3.6.1.4.1.5923.1.1.1.6 is eduPersonPrincipalName and urn:oid:1.3.6.1.4.1.5923.1.5.1.1 is isMemberOf; PRINCIPAL in the template is replaced by the authenticated user's name, giving the trscavo@gisolve.org identifier of slide 66.)
Slide 68: JAR Dependencies
- Java developers have the following JAR dependencies
- Copy these JARs to WEB-INF/lib:
  cog-jglobus.jar, commons-codec-1.3.jar, commons-logging.jar, globus-opensaml-1.1.jar, gridshib-common-0_4_2.jar, jce-jdk13-131.jar, log4j-1.2.8.jar, xalan.jar, xercesImpl.jar, xml-apis.jar, xmlsec-1.2.1.jar
- Endorse! (the XML parser and transformer JARs must override the JDK's bundled copies through the Java endorsed-standards mechanism)
Slide 69: Creating the X.509-bound SAML Token
- Other content in the SAML token is dynamic
- GridShib SAML Tools provides a Java API that a gateway developer can use to issue SAML tokens with dynamic content
- http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

    GlobusCredential issuingCredential = ...;   // the gateway's community credential
    GatewayCredential gc = new GatewayCredential("trscavo");
    gc.setCredential(issuingCredential);
    gc.addEmailAddress("trscavo@gmail.com");
    // compute authnMethod, authnInstant, and ipAddress from the portal session...
    gc.setAuthnContext(authnMethod, authnInstant, ipAddress);
    GlobusCredential proxy = gc.issue();      // proxy credential with the SAML token bound
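To make concrete how the static configuration of slide 67 and the dynamic context of slide 69 combine into the token of slide 66, here is an added example that composes the assertion and then extracts the same fields a resource provider would log. It is Python, not the GridShib SAML Tools Java API shown above, and it is not code from the slides. The assertion shape (SAML 2.0 with the authentication method carried in AuthnContextClassRef, the IP address in SubjectLocality, and mail sent as urn:oid:0.9.2342.19200300.100.1.3) and the %PRINCIPAL% placeholder syntax are assumptions for the example; the real tool's output may differ, and this block produces an unsigned assertion.

```python
"""Compose a gateway-issued SAML assertion from static config plus per-request context, then read it back."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML2)
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"   # LDAP 'mail' attribute (assumed naming for the e-mail)

# Constructed copy of the slide-67 configuration; %PRINCIPAL% as placeholder syntax is an assumption.
CONFIG_TEXT = """
IdP.entityID=https://gridshib.gisolve.org/idp
NameID.Format=urn:oid:1.3.6.1.4.1.5923.1.1.1.6
NameID.Format.template=%PRINCIPAL%@gisolve.org
Attribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1
Attribute.isMemberOf.Value=group://gisolve.org/gisolve
"""


def parse_config(text: str) -> Dict[str, str]:
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def static_attributes(cfg: Dict[str, str]) -> Dict[str, str]:
    """Collect every Attribute.<id>.Name / Attribute.<id>.Value pair into {name: value}."""
    out: Dict[str, str] = {}
    for key, value in cfg.items():
        if key.startswith("Attribute.") and key.endswith(".Name"):
            ident = key[len("Attribute."):-len(".Name")]
            out[value] = cfg[f"Attribute.{ident}.Value"]
    return out


def _q(tag: str) -> str:
    return f"{{{SAML2}}}{tag}"


def _ts(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_assertion(cfg: Dict[str, str], principal: str, authn_method: str, authn_instant: datetime,
                    ip_address: str, email: Optional[str] = None, issue_instant: Optional[datetime] = None,
                    lifetime: timedelta = timedelta(hours=12)) -> str:
    """Static parts come from cfg; principal, authn context, IP and e-mail are the dynamic parts."""
    now = issue_instant or datetime.now(timezone.utc)
    a = ET.Element(_q("Assertion"), Version="2.0", ID="_" + uuid.uuid4().hex, IssueInstant=_ts(now))
    ET.SubElement(a, _q("Issuer")).text = cfg["IdP.entityID"]
    subject = ET.SubElement(a, _q("Subject"))
    name_id = ET.SubElement(subject, _q("NameID"), Format=cfg["NameID.Format"])
    name_id.text = cfg["NameID.Format.template"].replace("%PRINCIPAL%", principal)
    ET.SubElement(a, _q("Conditions"), NotBefore=_ts(now), NotOnOrAfter=_ts(now + lifetime))
    authn = ET.SubElement(a, _q("AuthnStatement"), AuthnInstant=_ts(authn_instant))
    ET.SubElement(authn, _q("SubjectLocality"), Address=ip_address)
    ctx = ET.SubElement(authn, _q("AuthnContext"))
    ET.SubElement(ctx, _q("AuthnContextClassRef")).text = authn_method
    attrs = dict(static_attributes(cfg))
    if email:
        attrs[MAIL_OID] = email
    stmt = ET.SubElement(a, _q("AttributeStatement"))
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, _q("Attribute"), Name=name)
        ET.SubElement(attr, _q("AttributeValue")).text = value
    return ET.tostring(a, encoding="unicode")


def security_context(assertion_xml: str) -> dict:
    """The fields a resource provider pulls out of the token (the list on slide 66)."""
    root = ET.fromstring(assertion_xml)
    authn = root.find(_q("AuthnStatement"))
    return {
        "issuer": root.findtext(_q("Issuer")),
        "name_id": root.findtext(f"{_q('Subject')}/{_q('NameID')}"),
        "authn_method": authn.findtext(f"{_q('AuthnContext')}/{_q('AuthnContextClassRef')}"),
        "authn_instant": authn.get("AuthnInstant"),
        "ip_address": authn.find(_q("SubjectLocality")).get("Address"),
        "attributes": {el.get("Name"): [v.text for v in el.findall(_q("AttributeValue"))]
                       for el in root.iter(_q("Attribute"))},
    }


def demo() -> dict:
    """Issue the slide-66 sample token from the slide-67 configuration and read it back."""
    cfg = parse_config(CONFIG_TEXT)
    when = datetime(2007, 8, 2, 12, 10, 34, tzinfo=timezone(timedelta(hours=-4)))
    xml = build_assertion(cfg, "trscavo", "urn:oasis:names:tc:SAML:1.0:am:password", when,
                          "10.81.193.244", email="trscavo@gmail.com", issue_instant=when)
    return security_context(xml)
```

The round trip is the point: everything the RP logs, blacklists on, or evaluates policy against is exactly what the gateway chose to assert, which is why the entity map on the RP side must pin the SAML issuer to the community credential that signs the proxy.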
Slide 70: GridShib-enabled Resource Provider
- The end user and the end user's contact information (and other attributes) are logged
- Effective auditing and incident response
  - Blacklist an IP address or name identifier on demand
- Exposes a SAML security context
  - Fine-grained, attribute-based access control
Slide 71: Comparison with VOMS
- Virtual Organization Membership Service
- The most successful grid authorization model today
- VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates
- VOMS requires the requester to be the subject: VOMS will not issue an AC to a requester acting on behalf of the subject
- Therefore, a gateway cannot call out to a VOMS server to obtain attributes for a user
- Conclusion: VOMS cannot be used as a basis for gateway security
Slide 72: Integration with TeraGrid Central Database
The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
[Diagram, slides 72-78: at the Resource Provider, the Java WS Container (with GridShib for GT) hosts the GridShib SAML PIP and the WS GRAM Service; the PIP populates the Security Context, writes Logs and is governed by Policy. A security table and a GRAM audit table feed an AMIE upload to the TGCDB.]
Slide 73: Integration with TeraGrid Central Database
Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
Slide 74: Integration with TeraGrid Central Database
First, the security context associated with each incoming request is captured in a security table.
Slide 75: Integration with TeraGrid Central Database
Likewise the disposition of every job request is captured in an enhanced GRAM audit table.
Slide 76: Integration with TeraGrid Central Database
An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database.
Slide 77: Integration with TeraGrid Central Database
A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway.
Slide 78: Integration with TeraGrid Central Database
TeraGrid administrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning.
Slide 79: Gateway Job Accounting
[Diagram courtesy of Stu Martin: at the TeraGrid Resource Provider, the GT4 Java Container (Core, Delegation, RFT, MJFS and MEJS, with sudo into the RM adapter) writes Core, Delegation, RFT and GRAM audit tables; the SEG reads the Resource Manager's RM log; the client/gateway creates a job and gets an EPR, controls the job with the EPR, and later queries accounting through OGSA-DAI. Local AMIE accounting converts the EPR to a Grid JID, queries RM accounting using the Grid JID, gets the unique user ID, receives the accounting record, and uploads via AMIE to the Central TG Accounting DB. No changes are required to AMIE; DAI provides virtualization for the audit and accounting DBs.]
Slide 80: Benefits of TGCDB Integration
- The gateway can query the TGCDB (via OGSA-DAI) and implement local, fine-grained accounting mechanisms
- TeraGrid administrators can obtain aggregate accounting data for NSF reporting and planning
Slide 81: TeraGrid Deployment Strategy
- GridShib SAML Tools at the Gateway
  - http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
- GridShib for GT at the RP
  - Integrate GS4GT into CTSS4
  - Integrate with TeraGrid Central Database
  - Retrofit GRAM 4.0 Audit with end user identity
  - Assist with the design and implementation of GRAM 4.2 Audit (in particular, the security table)
Slide 82: A Federated Identity Model for Science Gateways
Slide 83: Federated Identity
- The long-term vision is to introduce federated identity at the science gateway
- Shibboleth, an open-source implementation of the SAML Browser Profiles, provides:
  - Ubiquity
  - Manageability
  - Usability
  - Security
- Since Shibboleth is based on SAML, our model complements existing campus infrastructure
Slide 84:
It is well-known that password management at the gateway is a significant administrative burden for both the gateway and the end user.
[Diagram, slides 84-96: as on slides 52-64, with a SAML Service Provider placed in front of the gateway's Web Interface and a campus SAML Identity Provider reached through WebAuthn. Successive slides show the SAML assertion travelling from the Identity Provider through the browser to the Service Provider, then the combined SAML-bearing proxy credential at the gateway, the proxy certificate with SAML presented to the RP, and at the RP the Logs, Security Context, Blacklist Policy and Authz Policy.]
Slide 85: SAML Identity Provider
To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing side of the gateway.
Slide 86: SAML Identity Provider
A third-party Identity Provider on each campus manages user identity and credentials.
Slide 87: SAML Identity Provider
The gateway, which is protected by a Service Provider, trusts the Identity Provider to authenticate the browser user.
Slide 88: SAML Identity Provider
Since we're already invested in SAML on the back end, we prefer an implementation of the standard SAML browser profiles (such as Shibboleth).
Slide 89: SAML Identity Provider
A browser user authenticates to their preferred campus Identity Provider instead of the science gateway.
Slide 90: SAML Identity Provider
The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser.
Slide 91: SAML Identity Provider
The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password.
Slide 92: SAML Identity Provider
The gateway issues a combined SAML token containing both campus attributes and local attributes.
Slide 93: SAML Identity Provider
The gateway authenticates as itself to the resource provider, presenting the combined X.509-bound SAML token.
Slide 94: SAML Identity Provider
Since the gateway did not authenticate the end user directly, the resource provider must decide if it trusts the combined SAML token.
Slide 95: SAML Identity Provider
In the case of federated identity, access control policy at the resource provider is more complex since a third security domain is involved.
Slide 96: SAML Identity Provider
SAML Web Browser SSO closes the loop for complete end-to-end flow of security information.
Slide 97: Federated Identity Model for Gateways
[Diagram: a Browser sits between the Shibboleth Identity Provider (Shibboleth SSO Service and GridShib-enabled Attribute Service) and the TeraGrid Science Gateway (Shib-enabled Grid Portal and GridShib-enabled Grid Client holding an X.509 end-entity credential with key), which in turn talks to a GridShib-enabled Grid SP. Steps labelled A through D carry a SAML request to the SSO service, SAML assertions and responses back to the portal and from the attribute service, and the resulting assertion on to the Grid SP.]
Slide 98: Birds-of-a-Feather Session
Slide 99: Discussion Topic 1
- Is your gateway infrastructure built on a JEE portal framework?
  - If so, which one?
  - If not, what application server do you use?
Slide 100: Discussion Topic 2
- Is your gateway security framework built on the community credential model?
  - If not, describe your security framework.
Slide 101: Discussion Topic 3
- Do you use MyProxy?
  - If not, is the community credential stored in the file system?
Slide 102: Discussion Topic 4
- In your application server environment, how easy is it to obtain the following information?
  - Username
  - Authentication instant
  - IP address
  - E-mail address
- Does your portal framework provide an API to obtain this information, or do you have to query a database?
Slide 103: Discussion Topic 5
- Does your gateway control its own DNS domain?
  - If not, what is the URL of your gateway?
Slide 104: Summary
- Using GridShib SAML Tools, science gateways send user attributes to resource providers
- Using GridShib for GT, resource providers use these attributes to perform auditing, incident response, and attribute-based access control
- The TeraGrid central database captures TeraGrid-wide accounting data
Slide 105: Acknowledgments
- GridShib Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
- GridShib Developers: Rachana Ananthakrishnan, Jim Basney, Terry Fleury, Tim Freeman, Raj Kettimuthu, Tom Scavo
- The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
- The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.
Thank You!