OverviewWe describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider

Extends the Community Account ModelAsserts end user identity to the RPPermits fine-grained access control at the RPProvides strong auditing and effective incident responseAllows dynamic blacklisting of problem accounts or runaway processesA lightweight approach that does not require new wire protocols or extensive new middleware infrastructureComplements existing SAML-based middleware infrastructure on today's campuses

AcknowledgmentsThe Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this presentation are those of the authors and do not necessarily reflect the views of NSF.Internet2 Shibboleth Project

Special mention: Frank Siebenlist, Tim Freeman, Tom Barton, Kate Keahey, Jim Basney, Scott Cantor

See the following paper for more detail:http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

The Classic Grid Use Case

A non-browser user issues a proxy certificate and initiates a grid request.

The Classic Grid Use Case

GSI relies on proxy certificatestransport-level security (SSL/TLS)message-level security (WS-Security)

Authorization based on gridmap filesThe DN bound to the proxy is mapped to a local system account

Course-grained, identity-based access control

Trades off flexibility and scalability for simplicity

X.509-bound SAML Token

Bind a SAML assertion to a non-critical X.509 v3 certificate extension.

X.509-bound SAML Token

Can be used with either transport-level or message-level securityAdvantage: An implementation of WS-Security X.509 Token Profile (such as Globus Secure Message) is automatically an implementation of the X.509-bound SAML Token ProfileBonus: An X.509-bound SAML token can also be used with Globus Secure TransportNo new wire protocols are needed!

GridShib-enabled GSI

A non-browser user binds a SAML assertion to a proxy certificate and

initiates a grid request.

GridShib-enabled GSI

Fine-grained, attribute-based authzBased on X.509-bound SAML tokensNo modifications to GT clients are requiredIf the service is not GridShib-enabled, the X.509-bound SAML token is just ignoredGridShib SAML Tools on the gateway

Includes GridShib Security FrameworkExposes both a command-line interface and a Java API

GridShib for Globus Toolkit on the RPExposes a SAML security context

The Science Gateway Use Case

A browser user authenticates to a grid portal. The portal issues a

proxy certificate and initiates a grid request on behalf of the user.

The Science Gateway Use Case

The Community Account Modelsimplifies the user experiencesimplifies gateway implementation and deploymentsimplifies gridmap file management at the RP

but...

The Science Gateway Use Case

Problem: All requests from the gateway look the same to the resource provider

End user identity is unknown to the RPExtreme course-grained access control at the resourceResults in a rather convoluted approach to auditingIn the event of an emergency, the RP disables all access to the community accountAccounting is difficult

GridShib-enabled Science Gateway

A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy

certificate and initiates a grid request on behalf of the user.

GridShib-enabled Science Gateway

Simple installation and configuration at the gatewayEnd user identity and contact information (e-mail) transmitted to RPBlacklist an IP address or name identifier on demandThree types of SAML security information:1. Authentication context2. Attributes3. Authorization decisions

Comparison with VOMS

Virtual Organization Membership Service The most successful grid authz model today

VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificatesVOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subjectTherefore, a gateway can not call out to a VOMS server to obtain attributesConclusion: VOMS can not be used as a basis for gateway security

Future Work

Not all are covered by our current SOW:Pluggable Attribute Resolver simplifies integration at the gatewayEnhanced blacklisting based on ranges of IP addresses or user identitySupport for both SAML V1.1 and V2.0Implement Attribute Acceptance PolicySupport the TG Accounting modelIntegrate GridShib with Globus CAS (i.e., support SAML authorization decisions)Support for SAML metadata

Future Directions

A long term goal is to introduce federated identity at the science gatewayShibboleth , an open-source implementation of the SAML Browser Profiles, provides:UbiquityManageabilityUsabilitySecuritySince Shibboleth is based on SAML, our model complements existing campus infrastructure

Thank You!

An Example

1. A simple example of a GridShib SAML Tools command line

2. Using the Java API3. A more realistic example of a

GridShib SAML Tools command line4. A GridShib SAML Tools config file5. A self-issued assertion6. A two-step policy declaration7. Two GridShib for GT policy files

Using the Command-line Interface I

A simple GridShib SAML Tools command line:

$ gridshib-saml-issuer \ --user trscavo --x509 --authn

the argument to the --user option is the portal userid (becomes the SAML Subject)the --x509 option indicates output should be an X.509 proxy credentialthe --authn option indicates a SAML AuthenticationStatement is desire

Using the Java APISelfIssuedAssertion assertion = new SelfIssuedAssertion( issueInstant, entityID, lifetime, nameid, nameQualifier, format);assertion.addAuthnStatement(authnMethod, authnInstant, subjectIP);assertion.addAttributeStatement(attributeList);GlobusCredential proxy = assertion.bindToX509Proxy(credential);

Using the Command-line Interface II

A more realistic GridShib SAML Tools command line:

$ gridshib-saml-issuer \ --user trscavo --x509 --authn \ --address 127.0.0.1 \ --properties \ Attribute.role.Name= \ urn:mace:dir:attribute-def:eduPersonEntitlement \ Attribute.role.Value= \ http://www.teragrid.org/names/roles/guest

Note the SAML attribute name-value pair.

A Configuration File

# GridShib SAML Tools config properties# Identity Provider entityIDIdP.entityID=https://gridshib.gisolve.org/idp# SAML AttributeAttribute.isMemberOf.Name=urn:oid:1.3.6.1.4.1.5923.1.5.1.1Attribute.isMemberOf.Value=http://www.gisolve.org# X.509 Issuing CredentialcertLocation=file:///etc/grid-security/community-cert.pemkeyLocation=file:///etc/grid-security/community-key.pem

A Self-issued SAML Assertion

<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AssertionID="_3f89fecd323e4f1fa0f897b0ebb5f81c" IssueInstant="2007-10-29T16:46:35.673Z" Issuer="https://gridshib.gisolve.org/idp" MajorVersion="1" MinorVersion="1"> <!-- statements go here --></saml:Assertion>

A SAML Authentication Statement

<saml:AuthenticationStatement AuthenticationInstant="2007-10-29T16:46:34.872Z" AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"> <saml:Subject> <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"> trscavo </saml:NameIdentifier> </saml:Subject> <saml:SubjectLocality IPAddress="127.0.0.1"/></saml:AuthenticationStatement>

A SAML Attribute Statement<saml:AttributeStatement> <!-- redundant SAML Subject goes here --> <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" ...> <saml:AttributeValue ...> http://www.gisolve.org </saml:AttributeValue> </saml:Attribute> <!-- additional attributes go here --></saml:AttributeStatement>

RP Policy Declaration

Suppose an RP declares the following two-step policy:1. Access is limited to a user who is a

member of a recognized community.2. Access is further limited to a user

acting in an acceptable role.Two policy files are needed in this case.

RP Policy File I<attributePolicy ...> <entry> <listOfAttributes> <saml:Attribute AttributeName="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" ...> <saml:AttributeValue> http://www.gisolve.org</saml:AttributeValue> </saml:Attribute> </listOfAttributes> <listOfUsernames> <username>gisolve</username> </listOfUsernames> </entry> <!-- additional entries go here --></attributePolicy>

RP Policy File II<attributePolicy ...> <entry> <listOfAttributes> <saml:Attribute ... AttributeName="urn:mace:dir:attribute-def:eduPersonEntitlement"> <saml:AttributeValue> http://www.teragrid.org/names/roles/guest </saml:AttributeValue> </saml:Attribute> </listOfAttributes> <listOfUsernames> <username>tg-guest</username> </listOfUsernames> </entry> ...</attributePolicy>