GridShib CIP Seminar December 6th, 2005 Tom Scavo [email protected] Von Welch...
Dec. 6th, 2005 2CIP GridShib Seminar
What is GridShib
• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF NMI program
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team

Outline
• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

The single system story
[Figure: one computer, one password]

Along came more systems…
[Figure: several computers, each with its own password]

And more passwords…
[Figure: one password per system, e.g. "MyDogsName", "drowssap", "pAsSwOrD", "Pass-wurd"]

Enterprise Authentication
• Central authentication for a number of systems in an organization
  – Simply put, one central authority at a site for your password instead of each computer having its own
• A number of systems exist:
  – Kerberos, Windows Domains, RADIUS, NIS, LDAP, etc.

Enterprise Auth
[Figure: one password, checked by a central authentication service on behalf of every system at the site]

Ok, the world is good now?
• Well, it’s better, inside a single organization at least.
• But what happens when you want to log in somewhere else?

Along come other sites…
[Figure: the user’s home-site password, plus accounts at NCSA, SDSC and other sites]

And more passwords…
[Figure: a separate password per site, e.g. "Pa55w0rd", "Sesame", "PrettyPlease", "KnockKnock"]

And then came the Web…
[Figure: the same site passwords plus web accounts at Amazon, eBay, NYTimes, MyBank, AA.com, Travelocity and Gmail, with passwords such as "s3cr3t" and "mypass" appearing more than once]

Inter-site authentication
• All this created a huge usability problem for users
  – Multiple passwords hard to manage
  – Cumbersome to enter passwords over and over
• A number of approaches have been tried to solve these problems
  – Both in the web and computing worlds
• We present a brief survey here
  – Start with the computing world…

Site-to-Site Federations
• Sites agree to couple their authentication systems
  – E.g., Kerberos, RADIUS
• Works but is difficult
  – Requires interoperable site authentication systems
  – Requires sites to agree at the highest level - since some systems like Kerberos are used for the most trusted assets, this can be hard.

SSH Public keys
• SSH allows a user to establish their own keys that they can use to log into any computers
• User establishes their own network
• Works well, but
  – Requires sites support SSH
    • Much easier than Kerberos
  – User-managed
  – Keys must be everywhere for this to work
  – If a key is compromised, how do we clean up? How do we even know?

X509 Certificates
• E.g., Grid
• Each user gets a private key and a global identity
• A certificate lets a key be replaced (e.g., after it is lost) while the identity persists
• But…
  – Still user-managed keys as with SSH
  – Getting certificates can be a pain

Online X509 Certificate Authorities
• Started for the web
  – U. Michigan KCA
• Now used in the Grid
  – KCA @ FNAL, MyProxy
• Turn local authentication into an X509 certificate that can be used globally
• Allows sites to federate by turning local authentication into a standard format (X509)

Meanwhile, in the web…

Microsoft Passport
• One authentication server for all users on the web that holds their password
• Major sociological issues
  – No one wants to trust Microsoft to hold their password to everything
  – No one wants Microsoft to know what web sites they are using
• Probably there is no single entity that would be trusted

Liberty Alliance
• In response to Passport…
• Allows users to link their accounts together
  – E.g., I can say vwelch@Ebay is also vonwelch@amazon is also vsw@paypal
• I log into one site, it can tell others I’ve logged in and they don’t have to re-authenticate me
• Was strong motivation for SAML

Shibboleth
• From the higher-education community
• Motivated by university users wanting access to databases and online libraries
• Allows a site to express local authentication in a standard format (SAML)
• Also allows a site to express attributes about the user in a standard format (eduPerson)
  – E.g., student, professor, department
• Growing adoption; federations of sites allow cross-site authentication

Summary
• There has been an explosion of passwords as more systems and web services have emerged
• Intra-site is largely well controlled with various solutions, but inter-site is still unsolved
• Both the web and computing communities have come up with solutions

Outline
• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Attribute-based authorization
• So far we’ve talked about identity-based authorization
  – E.g. vwelch can access this web page/computer/bank account/etc.
  – Authentication - establishing who you are
  – Authorization - establishing you are allowed to do something
• This works well when you are providing a service to a relatively small number of people

Attribute-based authorization
• Often it’s more scalable to talk about authorization based on attributes
  – E.g., Any NCSA staff member can access this web page
  – E.g., Any UIUC staff or student can use the library
• So often the process is authentication (who), establish attributes (what), and use those attributes to decide if something is allowed

Outline
• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

Grid Security: The Grid Security Infrastructure
• The Grid Security Infrastructure (GSI) is a set of tools, libraries and protocols used in Globus to allow users and applications to securely access resources.
• Based on a public key infrastructure, with certificate authorities and X509 certificates

GSI: Credentials
• In the GSI system each user has a set of credentials they use to prove their identity on the grid
  – Consists of an X509 certificate and private key
• The long-term private key is kept encrypted with a pass phrase
  – Good for security, inconvenient for repeated usage

Certificates
• An X.509 certificate binds a public key to a name
• It includes a name and a public key (among other things) bundled together and signed by a trusted party (Issuer)
[Figure: certificate fields - Name, Issuer, Public Key, Signature]

Certificates
• Similar to a passport or driver’s license
[Figure: a State of Illinois driver’s license for "John Doe, 755 E. Woodlawn, Urbana IL 61801" bearing the state seal, beside the certificate fields Name, Issuer, Public Key, Signature]

Certificates
• By checking the signature, one can determine that a public key belongs to a given user.
[Figure: the verifier hashes the certificate’s Name, Issuer and Public Key fields, decrypts the Signature with the Issuer’s public key, and checks that the two values are equal]

Certificate Authorities (CAs)
• A Certificate Authority is an entity that exists only to sign user certificates
• The CA signs its own certificate, which is distributed in a trusted manner
[Figure: the CA’s self-signed certificate - Name: CA, Issuer: CA, CA’s Public Key, CA’s Signature]
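The "hash, decrypt with the issuer’s public key, compare" check of the last three slides, carried through as an added example; this is not code from the seminar, GridShib or the Globus Toolkit. Textbook RSA over fixed Mersenne primes stands in for real X.509 DER encoding and PKCS#1 padding so that it runs on the standard library alone (the key sizes, the truncated digest and the lack of padding are unsafe outside a demonstration). The CA name, the user DN, the trust store and all key material are constructed for the example.

```python
"""Toy certificate-chain check.  Added example, not code from the slides, GridShib
or the Globus Toolkit.  Textbook RSA over fixed Mersenne primes stands in for
real X.509/DER encoding and PKCS#1 padding so that it runs on the standard
library alone; nothing here is sized or padded safely for real use."""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent (assumption: shared by every key below)


def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)) for constructed primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse (Python 3.8+)
    return (n, E), (n, d)


@dataclass
class Cert:
    """The four fields the slide shows: Name, Issuer, Public Key, Signature."""
    name: str
    issuer: str
    public_key: tuple  # (n, e) of the subject
    signature: int = 0  # filled in by the issuer

    def tbs(self) -> bytes:
        """The 'to be signed' bytes: every field except the signature."""
        n, e = self.public_key
        return f"{self.name}|{self.issuer}|{n}|{e}".encode()


def digest(data: bytes) -> int:
    # SHA-256 truncated to 64 bits so the value fits the toy moduli.
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def sign(cert: Cert, issuer_private) -> Cert:
    """Issuer 'encrypts' the hash of the TBS fields with its private key."""
    n, d = issuer_private
    cert.signature = pow(digest(cert.tbs()), d, n)
    return cert


def verify(cert: Cert, issuer_public) -> bool:
    """'Decrypt' the signature with the issuer's public key; compare hashes."""
    n, e = issuer_public
    return pow(cert.signature, e, n) == digest(cert.tbs())


def verify_chain(user_cert: Cert, ca_cert: Cert, trust_store: dict) -> bool:
    """Accept user_cert only if it was signed by a self-signed CA cert whose
    key matches the copy obtained out of band (the trust store)."""
    if ca_cert.name != ca_cert.issuer:
        return False
    if trust_store.get(ca_cert.name) != ca_cert.public_key:
        return False
    if not verify(ca_cert, ca_cert.public_key):  # self-signature intact?
        return False
    return user_cert.issuer == ca_cert.name and verify(user_cert, ca_cert.public_key)


def demo() -> dict:
    """Build a CA and a user cert and exercise the checks; returns outcomes."""
    # Constructed keys from Mersenne primes 2^31-1, 2^61-1, 2^89-1, 2^107-1.
    ca_pub, ca_priv = make_keypair((1 << 89) - 1, (1 << 107) - 1)
    user_pub, user_priv = make_keypair((1 << 31) - 1, (1 << 61) - 1)
    trust_store = {"CN=Example Grid CA": ca_pub}  # distributed out of band

    ca_cert = sign(Cert("CN=Example Grid CA", "CN=Example Grid CA", ca_pub), ca_priv)
    user_dn = "CN=John Doe,OU=NCSA,O=UIUC"
    user_cert = sign(Cert(user_dn, "CN=Example Grid CA", user_pub), ca_priv)
    results = {"valid_chain": verify_chain(user_cert, ca_cert, trust_store)}

    # Editing any signed field (here the name) breaks the signature.
    renamed = Cert("CN=Jane Roe,OU=NCSA,O=UIUC", user_cert.issuer, user_pub, user_cert.signature)
    results["renamed_cert"] = verify_chain(renamed, ca_cert, trust_store)

    # A cert the user signs with their own key while naming the CA as issuer
    # fails: the signature does not check under the CA's public key.
    self_issued = sign(Cert(user_dn, "CN=Example Grid CA", user_pub), user_priv)
    results["self_issued"] = verify_chain(self_issued, ca_cert, trust_store)

    # A rogue CA outside the trust store is rejected even though the cert it
    # issued verifies under the rogue key.
    rogue_pub, rogue_priv = make_keypair((1 << 61) - 1, (1 << 89) - 1)
    rogue_ca = sign(Cert("CN=Rogue CA", "CN=Rogue CA", rogue_pub), rogue_priv)
    from_rogue = sign(Cert(user_dn, "CN=Rogue CA", user_pub), rogue_priv)
    results["untrusted_ca"] = verify_chain(from_rogue, rogue_ca, trust_store)
    results["rogue_signature_itself"] = verify(from_rogue, rogue_pub)
    return results


if __name__ == "__main__":
    print(demo())
```

The last case is the one that matters for Grid CAs: a signature that verifies is not enough, the issuer must also be one whose self-signed certificate was installed through a trusted channel, which is why the CA certificate is distributed out of band rather than sent along with the user certificate.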

Grid CAs
• There are a large number of Grid CAs
  – http://www.gridpma.org/
• Currently this is an X509 system that users may join by getting a certificate
  – This X509 system is independent of the user’s local authentication system

Grid Online CAs
• Usability issues with user-managed certificates have driven interest in online CAs
  – E.g., FNAL, NERSC, KCA, MyProxy
• This may lead to a federated style of authentication

Outline
• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

What is Shibboleth?
• Shibboleth provides cross-domain single sign-on and attribute-based authorization while preserving user privacy
• Shibboleth is simultaneously:
  1. A project
  2. A specification
  3. An implementation

Shibboleth Project
• Shibboleth, a project of Internet2-MACE:
  – Advocates a federated identity management policy framework focused on user privacy
  – Develops middleware architectures to facilitate inter-institutional attribute sharing
  – Manages an open source reference implementation of the Shibboleth spec
• Shibboleth has made significant contributions to the SAML-based identity management space

Collaborations
[Figure: Shibboleth at the center, collaborating with Internet2, E-Auth, Liberty, Vendors, OASIS and Educause]

Shibboleth Specification
• Shibboleth is an extension of the SAML 1.1 browser profiles:
  – Shibboleth Browser/POST Profile
  – Shibboleth Browser/Artifact Profile
  – Shibboleth Attribute Exchange Profile
• See the Shibboleth spec for details: S. Cantor et al., Shibboleth Architecture: Protocols and Profiles. Internet2-MACE, 10 September 2005.

Shibboleth Implementation
• The Shibboleth implementation consists of two components:
  1. Shibboleth Identity Provider
  2. Shibboleth Service Provider
• The Identity Provider is a J2EE webapp
• The Service Provider is a C++ Apache module
  – A pure Java Service Provider is in beta

The Shibboleth Wiki
• For example, the Shibboleth wiki (hosted at ohio-state.edu) is “shibbolized”: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
• To edit wiki pages, a user must be known to the wiki
• Users have wikiNames but do not have wiki passwords
• Users log into their home institution, which asserts user identity to the wiki

Shib Browser Profile
• The user clicks the link “Login via InQueue IdP”
• This initiates a sequence of steps known as the Shibboleth Browser Profile
[Figure: steps 1-8 of the browser profile among the CLIENT, InQueue, UIUC (the IdP) and OSU (the wiki SP)]

Shib Browser Profile
• InQueue provides a “Where Are You From?” service
• The user chooses their preferred identity provider from a menu
[Figure: the same eight-step diagram - CLIENT, InQueue, UIUC, OSU]

Shib Browser Profile
• The user is redirected to the UIUC login page
• After login, the user is issued a SAML assertion and redirected back to the wiki
[Figure: the same eight-step diagram - CLIENT, InQueue, UIUC, OSU]

Shib Browser Profile
• After validating the assertion, the wiki@OSU retrieves user attributes via back-channel Shib attribute exchange
[Figure: the same eight-step diagram - CLIENT, InQueue, UIUC, OSU]

Asserting Identity
• Initially, the user is unknown to the wiki
• After querying the home institution, the wiki knows the user’s identity
• “trscavo-uiuc.edu” is wiki-speak for [email protected]
• The latter is eduPersonPrincipalName, an identity attribute asserted by the user’s home institution

OpenIdP.org
• By design, a user with an account at an institution belonging to InCommon, InQueue, or SDSS can log into the wiki: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
• Other users can register at openidp.org, which is a zero-admin Shibboleth IdP
• The openidp asserts an alternate form of identity (email addresses as opposed to eduPersonPrincipalName)

The Actors
• Identity Provider
  – The Identity Provider (IdP) creates, maintains, and manages user identity
  – A Shibboleth IdP produces SAML assertions
• Service Provider
  – The Service Provider (SP) controls access to services and resources
  – A Shibboleth SP consumes SAML assertions
[Figure: Identity Provider components - Authentication Authority, Attribute Authority, SSO Service, Artifact Resolution Service; Service Provider components - Assertion Consumer Service, Attribute Requester, Resource]

Shib SSO Profiles
• Shibboleth SSO profiles are SP-first
• Shibboleth specifies an Authentication Request Profile
• Shibboleth Browser/POST Profile = Shib Authn Request Profile + SAML Browser/POST Profile
• Shibboleth Browser/Artifact Profile = Shib Authn Request Profile + SAML Browser/Artifact Profile

Shib AuthN Request Profile
• A Shibboleth authentication request is an ordinary GET request:
    https://idp.org/shibboleth/SSO?
        providerId=https://sp.org/shibboleth/&
        shire=https://sp.org/shibboleth/SSO&
        target=https://sp.org/myresource&
        time=1102260120
  – providerId identifies the SP, shire is the SP’s assertion consumer endpoint, target is the resource the user asked for, and time is the request time stamp
• The client is redirected to this location after requesting a protected resource at the SP without a security context
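How an IdP should treat that GET request before it answers it, as an added example; this is not Shibboleth IdP code. The request arrives via the user’s browser, so everything in it is attacker-controllable: the check that matters most is that shire is an endpoint registered in federation metadata for the named providerId, otherwise the IdP would POST the signed assertion to whatever URL a forged link names. The METADATA table and the MAX_SKEW_SECONDS window are assumptions, as is the sample request built from the slide’s URL.

```python
"""Validation of a Shibboleth 1.x authentication request at the IdP.  Added
illustration, not code from the Shibboleth IdP.  The metadata table and the
clock-skew window are constructed assumptions."""
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for federation metadata: each SP providerId maps to the
# AssertionConsumerService ("shire") endpoints registered for it.
METADATA = {
    "https://sp.org/shibboleth/": {"https://sp.org/shibboleth/SSO"},
}
MAX_SKEW_SECONDS = 300  # assumption: reject requests more than 5 minutes old


class RequestError(ValueError):
    pass


def parse_authn_request(url: str, now: int) -> dict:
    """Return the validated request fields or raise RequestError.

    Checks: each of the four parameters is present exactly once; the SP is
    known; the shire belongs to that SP (so the assertion cannot be steered to
    an arbitrary URL); the time stamp is fresh.  target is kept opaque and is
    only ever echoed back to the SP.
    """
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    fields = {}
    for name in ("providerId", "shire", "target", "time"):
        values = query.get(name, [])
        if len(values) != 1 or not values[0]:
            raise RequestError(f"parameter {name} missing or repeated")
        fields[name] = values[0]

    endpoints = METADATA.get(fields["providerId"])
    if endpoints is None:
        raise RequestError("unknown providerId")
    if fields["shire"] not in endpoints:
        raise RequestError("shire is not a registered endpoint of this providerId")

    try:
        issued = int(fields["time"])
    except ValueError:
        raise RequestError("time is not an integer") from None
    if abs(now - issued) > MAX_SKEW_SECONDS:
        raise RequestError("request time outside the allowed skew window")
    return fields


def check(url: str, now: int) -> str:
    """'ok' or the reason the request was refused."""
    try:
        parse_authn_request(url, now)
        return "ok"
    except RequestError as err:
        return str(err)


if __name__ == "__main__":
    base = ("https://idp.org/shibboleth/SSO?providerId=https://sp.org/shibboleth/"
            "&target=https://sp.org/myresource&time=1102260120")
    print(check(base + "&shire=https://sp.org/shibboleth/SSO", 1102260120))
    print(check(base + "&shire=https://evil.example/collect", 1102260120))
    print(check(base + "&shire=https://sp.org/shibboleth/SSO", 1102260120 + 3600))
```

Requiring each parameter exactly once closes the parameter-pollution variant (a second shire appended to an otherwise valid link), and the metadata lookup is keyed by providerId first so that a shire registered for some other SP is refused as well.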

Shib Browser/POST Profile
• Browser/POST is an SP-first profile
• The IdP produces an assertion at step 4, which the SP consumes at step 5
[Figure: steps 1-8 among the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource)]

Shib Attribute Exchange
• A Shibboleth SP often queries an IdP for attributes after validating an authN assertion
• An opaque, transient identifier called a handle is embedded in the authN assertion
• The SP sends a SAML AttributeQuery message with the handle attached

Browser/POST Profile
• The first 5 steps of this profile are identical to ordinary Browser/POST
• Before redirecting the Client to the Resource Manager, the SP queries for attributes via a back-channel exchange
[Figure: steps 1-10 among the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Attribute Requester, Resource)]

Directory Schema
• Neither Shibboleth nor SAML defines any attributes per se
• It is left to individual deployments to define their own attributes
• A standard approach to user attributes is crucial
• Without such standards, interoperability is impossible

eduPerson
• Internet2 and EDUCAUSE have jointly developed a set of attributes and associated bindings called eduPerson
• The LDAP binding of eduPerson is derived from the standard LDAP object class called inetOrgPerson [RFC 2798]
• Approximately 40 attributes have been defined by InCommon as common identity attributes

InCommon Attributes
• InCommon’s 6 “highly recommended” attributes:

    Attribute Name              Attribute Value
    givenName                   Mary
    sn (surname)                Smith
    cn (common name)            Mary Smith
    eduPersonScopedAffiliation  [email protected]
    eduPersonPrincipalName      [email protected]
    eduPersonTargetedID         ?

  (eduPersonTargetedID does not have a precise value syntax)

Outline
• Distributed systems authentication - some history
• Attribute-based access control - why?
• Grid Security Overview
• Shibboleth Overview
• GridShib

What is GridShib?
• GridShib enables secure attribute sharing between Grid virtual organizations and higher-educational institutions
• The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®
• GridShib adds attribute-based authorization to Globus Toolkit

Motivation
• Large scientific projects have spawned Virtual Organizations (VOs)
• The cyberinfrastructure and software systems to support VOs are called grids
• Globus Toolkit is the de facto standard software solution for grids
• Grid Security Infrastructure provides basic security services…but does it scale?

Tale of Two Technologies
[Figure: a Grid Client between the Globus Toolkit, with its X.509-based Grid Security Infrastructure, and Shibboleth, with its SAML-based Shibboleth Federation]
• Bridging Grid/X.509 with Shib/SAML

Grid Authentication
• Globus Toolkit provides authentication services via X.509
• When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
• GridShib leverages the existing authentication mechanisms in GT

Grid Authorization
• Today, Globus Toolkit provides identity-based authorization mechanisms:
  – A list of identities (DNs) allowed to use a service or container
  – Mapping of identities (DNs) to a local account (in grid-mapfiles) for job submission
• GridShib hopes to augment identity-based authorization with attribute-based authorization

GT Authorization Framework
• Work is underway to develop and enhance the authorization framework in Globus Toolkit
  – Siebenlist et al. at Argonne
  – Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
• Work in the OGSA-Authz WG to allow for callouts to third-party authorization services
  – E.g., PERMIS
• Convert attributes (SAML or X.509) into a common format for policy evaluation
  – XACML-based

Why Shibboleth?
• What does Shibboleth bring to the table?
  – A large (and growing) installed base
  – A standards-based, open source implementation
  – A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Shibboleth Federations
• A federation
  – Provides a common trust and policy framework
  – Issues credentials and distributes metadata
  – Provides discovery services for SPs
• Shibboleth-based federations:
  – InCommon (23 members)
  – InQueue (157 members)
  – SDSS (30 members)
  – SWITCH (23 members)
  – HAKA (8 members)

InCommon Federation
[Figure: InCommon Federation]

Use Cases
• There are three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
• Initial efforts have concentrated on the established grid user (i.e., a user with existing long-term X.509 credentials)

Established Grid User
• User possesses an X.509 end entity certificate
• User may or may not use a MyProxy Server to manage X.509 credentials
• User authenticates to the Grid SP with a proxy certificate (grid-proxy-init)
• The current GridShib implementation addresses this use case

New Grid User
• User does not possess an X.509 end entity certificate
• User relies on the MyProxy Online CA to issue short-lived X.509 certificates
• User authenticates to the Grid SP using a short-lived X.509 credential
• Emerging GridShib Non-Browser Profiles address this use case

Portal Grid User
• User does not possess an X.509 cert
• User accesses the Grid SP via a browser interface, that is, the client delegates to a web application, which requests a service at the Grid SP on the user’s behalf
• MyProxy issues a short-lived X.509 certificate via a back-channel exchange
• GridShib Browser Profiles apply

Software Components
• GridShib for Globus Toolkit
  – A plugin for GT 4.0
• GridShib for Shibboleth
  – A plugin for the Shibboleth 1.3 IdP
• Shibboleth IdP Tester
  – A test application for the Shibboleth 1.3 IdP
• Visit the GridShib Download page: http://gridshib.globus.org/download.html

The Actors
• Standard (non-browser) Grid Client
• Globus Toolkit with GridShib installed (which we call a “Grid SP”)
• Shibboleth IdP with GridShib installed
[Figure: CLIENT, Grid SP, IdP]

GridShib Attribute Pull Profile
• In the current implementation, a Grid SP “pulls” attributes from a Shib IdP
• The Client is assumed to have an account (i.e., local principal name) at the IdP
• The Grid SP and the IdP have each been assigned a unique identifier (providerId)
[Figure: steps 1-4 among CLIENT, Grid SP and IdP]

GridShib Attribute Pull Step 1
• The Grid Client requests a service at the Grid SP
• The Client presents a standard proxy certificate to the Grid SP
• The Client also provides a pointer to its preferred IdP
[Figure: step 1, CLIENT to Grid SP]

IdP Discovery
• The Grid SP needs to know the Client’s preferred IdP
• One approach is to embed the IdP providerId in the proxy certificate
• This requires modifications to the MyProxy client software, however
• Currently the IdP providerId is configured into the Grid SP

GridShib Attribute Pull Step 2
• The Grid SP authenticates the Client and extracts the DN from the proxy cert
  – i.e., the DN of the end entity certificate behind the proxy chain, with the extra CN components that proxy certificates add stripped off
• The Grid SP queries the Attribute Authority (AA) at the IdP
[Figure: steps 1-2, CLIENT to Grid SP, Grid SP to IdP]

Attribute Query
• The Grid SP formulates a SAML attribute query:
    <samlp:AttributeQuery Resource="https://globus.org/gridshib">
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="http://idp.uchicago.edu/shibboleth">
          CN=GridShib,OU=NCSA,O=UIUC
        </saml:NameIdentifier>
      </saml:Subject>
      <!-- AttributeDesignator here -->
    </samlp:AttributeQuery>
• The Resource attribute is the Grid SP providerId
• The NameQualifier attribute is the IdP providerId
• The NameIdentifier is the DN from the proxy cert
• Zero or more AttributeDesignator elements call out the desired attributes

GridShib Attribute Pull Step 3
• The AA authenticates the requester and returns an attribute assertion to the Grid SP
• The assertion is subject to the Attribute Release Policy (ARP)
[Figure: steps 1-3; step 3 is the IdP’s response to the Grid SP]

Attribute Assertion
• The assertion contains an attribute statement:
    <saml:AttributeStatement>
      <saml:Subject>
        <saml:NameIdentifier
            Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
            NameQualifier="http://idp.uchicago.edu/shibboleth">
          CN=GridShib,OU=NCSA,O=UIUC
        </saml:NameIdentifier>
      </saml:Subject>
      <saml:Attribute
          AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
        <saml:AttributeValue>member</saml:AttributeValue>
        <saml:AttributeValue>student</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
• The Subject is identical to the Subject of the query
• Attributes may be single-valued or multi-valued
• Attributes may be scoped (e.g., [email protected])
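The Grid SP’s side of this exchange, as an added example that is not GridShib or Globus code: it checks the returned statement against the query (same Format, NameQualifier and DN in the Subject, as the slide requires), reads out single- and multi-valued attributes, and then makes the kind of attribute-based decision the "Attribute-based authorization" slides argue for ("any member or staff may use this service" rather than a list of DNs). The two messages are the ones shown on the slides with namespace declarations added; the ALLOWED_SCOPES table, the extra scoped attribute and the POLICY are assumptions. The scope check matters because a scoped value is only as trustworthy as the IdP’s right to assert that scope, which federation metadata records.

```python
"""Grid SP side of the GridShib attribute exchange.  Added example, not GridShib
or Globus code.  The messages are the ones on the slides with namespace
declarations added; the scope table, the scoped-affiliation attribute and the
policy are assumptions."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}

# Assumption: scopes each IdP may assert (normally taken from federation metadata).
ALLOWED_SCOPES = {"http://idp.uchicago.edu/shibboleth": {"uchicago.edu"}}

# Assumption: this service admits anyone whose eduPersonAffiliation is member or staff.
POLICY = {"urn:mace:dir:attribute-def:eduPersonAffiliation": {"member", "staff"}}

QUERY = f'''<samlp:AttributeQuery xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    Resource="https://globus.org/gridshib">
  <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="http://idp.uchicago.edu/shibboleth">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier>
  </saml:Subject>
</samlp:AttributeQuery>'''

STATEMENT = f'''<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Subject>
    <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
        NameQualifier="http://idp.uchicago.edu/shibboleth">CN=GridShib,OU=NCSA,O=UIUC</saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue> member </saml:AttributeValue>
    <saml:AttributeValue> student </saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <saml:AttributeValue Scope="uchicago.edu">member</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>'''


def subject_of(element):
    """(Format, NameQualifier, value) of the saml:Subject under element."""
    nid = element.find("saml:Subject/saml:NameIdentifier", NS)
    if nid is None:
        raise ValueError("no NameIdentifier")
    return nid.get("Format"), nid.get("NameQualifier"), (nid.text or "").strip()


def extract_attributes(statement, idp_id):
    """AttributeName -> list of values.  A scoped value is rendered as
    value@scope; a scope the asserting IdP may not use is rejected rather
    than silently trusted."""
    attrs = {}
    for attr in statement.findall("saml:Attribute", NS):
        values = []
        for val in attr.findall("saml:AttributeValue", NS):
            text = (val.text or "").strip()
            scope = val.get("Scope")  # unqualified attribute in Shibboleth 1.x
            if scope is not None:
                if scope not in ALLOWED_SCOPES.get(idp_id, set()):
                    raise ValueError(f"IdP {idp_id} may not assert scope {scope}")
                text = f"{text}@{scope}"
            values.append(text)
        attrs[attr.get("AttributeName")] = values
    return attrs


def process(query_xml: str, statement_xml: str) -> dict:
    """Validate the statement against the query and decide access."""
    query, statement = ET.fromstring(query_xml), ET.fromstring(statement_xml)
    q_subject, s_subject = subject_of(query), subject_of(statement)
    if q_subject != s_subject:  # same Format, NameQualifier and DN
        raise ValueError("assertion subject does not match the query subject")
    attrs = extract_attributes(statement, s_subject[1])
    authorized = all(
        any(v.rsplit("@", 1)[0] in accepted for v in attrs.get(name, []))
        for name, accepted in POLICY.items()
    )
    return {"subject": s_subject[2], "attributes": attrs, "authorized": authorized}


def outcome(query_xml: str, statement_xml: str) -> str:
    """'ok' or the reason the statement was rejected."""
    try:
        process(query_xml, statement_xml)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    print(process(QUERY, STATEMENT))
```

In a deployment the statement would arrive inside a signed assertion over the back channel; signature verification and the check that the issuer is the IdP named in NameQualifier belong before this code runs, and the subject comparison here is what stops a statement about some other DN from being accepted for the client that authenticated.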

Name Mapping
• An IdP does not issue X.509 certs so it has no prior knowledge of the DN
• Solution: Create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP)
    # Default name mapping file
    CN=GridShib,OU=NCSA,O=UIUC gridshib
    "CN=some user,OU=People,DC=doegrids" test
• The DN must conform to RFC 2253
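The IdP’s side of step 3, as an added example that is not code from the GridShib IdP plugin: parse the name mapping file shown above, map the query’s DN to a local principal, and apply the Attribute Release Policy before answering. The mapping file text is the slide’s own; the DIRECTORY, the ARP table, the scope and the sample DNs are constructed. Lookup goes through a canonical form of the DN (attribute types upper-cased, whitespace around separators dropped, backslash-escaped commas honoured) because the same RFC 2253 name can be spelled several ways by different X.509 toolkits; treating values case-sensitively is a conservative assumption of this example.

```python
"""IdP side of the GridShib attribute exchange: name mapping plus ARP.  Added
example, not code from the GridShib IdP plugin.  The mapping file is the one on
the slide; the user directory, release policy and scope are constructed."""
import shlex

NAME_MAP_FILE = """# Default name mapping file
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"""

# Constructed directory: local principal -> attributes.
DIRECTORY = {
    "gridshib": {
        "eduPersonAffiliation": ["member", "student"],
        "eduPersonScopedAffiliation": ["member@uchicago.edu"],
        "mail": ["gridshib@uchicago.edu"],
    },
    "test": {"eduPersonAffiliation": ["affiliate"]},
}

# Constructed ARP: requester providerId -> releasable attribute names;
# "*" is the default for any other requester.
ARP = {
    "https://globus.org/gridshib": {"eduPersonAffiliation", "eduPersonScopedAffiliation"},
    "*": {"eduPersonAffiliation"},
}


def split_rdns(dn: str):
    """Split on commas, honouring RFC 2253 backslash escapes (e.g. 'Doe\\, J')."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current))
    return rdns


def normalize_dn(dn: str) -> str:
    """Canonical form for lookup: attribute types upper-cased, whitespace
    around '=' and ',' dropped; values compared as given (assumption)."""
    parts = []
    for rdn in split_rdns(dn):
        attr_type, _, value = rdn.partition("=")
        parts.append(f"{attr_type.strip().upper()}={value.strip()}")
    return ",".join(parts)


def load_name_map(text: str) -> dict:
    """'DN local-principal' per line; a DN containing spaces is double-quoted."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)
        if len(fields) != 2:
            raise ValueError(f"malformed mapping line: {line!r}")
        mapping[normalize_dn(fields[0])] = fields[1]
    return mapping


NAME_MAP = load_name_map(NAME_MAP_FILE)


def release(principal: str, requester: str, designators=None) -> dict:
    """Attributes the ARP lets this requester see, narrowed to any
    AttributeDesignators named in the query."""
    allowed = ARP.get(requester, ARP["*"])
    if designators is not None:
        allowed = allowed & set(designators)
    held = DIRECTORY.get(principal, {})
    return {name: held[name] for name in sorted(allowed) if name in held}


def answer_query(requester: str, subject_dn: str, designators=None) -> dict:
    """What the AA returns for an AttributeQuery: the mapped principal and
    the released attributes, or a refusal when the DN is unknown."""
    principal = NAME_MAP.get(normalize_dn(subject_dn))
    if principal is None:
        return {"status": "unknown subject", "attributes": {}}
    return {"status": "ok", "principal": principal,
            "attributes": release(principal, requester, designators)}


if __name__ == "__main__":
    print(answer_query("https://globus.org/gridshib", "cn=GridShib, ou=NCSA, o=UIUC"))
    print(answer_query("https://other.example/sp", "CN=GridShib,OU=NCSA,O=UIUC"))
    print(answer_query("https://globus.org/gridshib", "CN=Mallory,OU=NCSA,O=UIUC"))
```

Note that an AttributeDesignator only narrows what is returned; it never widens it, so a Grid SP asking for mail still gets nothing unless the ARP releases mail to that requester.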

GridShib Attribute Pull Step 4
• The Grid SP parses the attribute assertion and performs the requested service
• A generalized attribute framework is being developed for GT
• A response is returned to the Grid Client
[Figure: steps 1-4; step 4 is the Grid SP’s response to the CLIENT]

Future Work
• Solve the IdP Discovery problem
  – Implement shib-proxy-init
• Implement DB-based name mapping
• Provide name mapping maintenance tools (for administrators)
• Design an interactive name registry service (for users)
• Devise metadata repositories and tools

Shib Browser Profile
• Consider a Shib browser profile stripped to its bare essentials
• Authentication and attribute assertions are produced at steps 2 and 5, resp.
• The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step 4
[Figure: steps 1-6 among CLIENT, IdP and SP]

GridShib Non-Browser Profile
• Replace the SP with a Grid SP and the browser client with a non-browser client
• Three problems arise:
  – Client must possess an X.509 credential to authenticate to the Grid SP
  – Grid SP needs to know what IdP to query (IdP Discovery)
  – The IdP must map the SAML Subject to a local principal
[Figure: CLIENT, Grid SP, IdP]

The Role of MyProxy
• Consider a new grid user instead of the established grid user
• For a new grid user, we are led to a significantly different solution
• Obviously, we must issue an X.509 credential to a new grid user
• A short-lived credential is preferred
• Enter MyProxy Online CA…

MyProxy-first Attribute Pull
• MyProxy with Online CA
• MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC
• IdP collocated with MyProxy
[Figure: steps 1-6 among CLIENT, MyProxy, IdP and Grid SP]

MyProxy-first Advantages
• Relatively easy to implement
• Requires only one round trip by the client
• Requires no modifications to the Shib IdP
• Requires no modifications to the Client
• Supports multiple authentication mechanisms out-of-the-box
• Uses transparent, persistent identifiers:
  – No coordination of timeouts necessary
  – Mapping to local principal is straightforward

IdP-first Non-Browser Profiles
• The IdP-first profiles require no shared state between MyProxy and the IdP
• Supports separate security domains
• Leverages existing name identifier mappings at the IdP
• IdP-first profiles may be used with either Attribute Pull or Attribute Push

Attribute Pull or Push?
[Figure: Pull - the user sends a request to the Grid SP, which fetches the attributes from the AA; Push - the user obtains the attributes from the AA first and sends them along with the request to the Grid SP]

IdP-first Attribute Pull
• MyProxy with Online CA
• MyProxy consumes and produces SAML authN assertions
• The Client authenticates to MyProxy with a SAML authN assertion
[Figure: steps 1-8 among CLIENT, IdP, MyProxy and Grid SP]

IdP-first Attribute Push
• The IdP “pushes” an attribute assertion to the Client
• The Client authenticates to MyProxy with a SAML authN assertion
• MyProxy consumes both SAML authN and attribute assertions
[Figure: steps 1-6 among CLIENT, IdP, MyProxy and Grid SP]

IdP-first Advantages
• Since the IdP controls both ends of the flow:
  – Mapping NameIdentifier to a local principal is straightforward
  – Choice of NameIdentifier format is left to the IdP
• Attribute push simplifies IdP config and trust relationships
• Reusable by the grid portal use case

Conclusion
• Globus Toolkit is the de facto standard software solution for grids
• Shibboleth is a popular approach to federated identity management
• GridShib leverages existing Shibboleth deployments to add attribute-based authorization to Globus Toolkit

Questions?
• GridShib web site: http://gridshib.globus.org/
• Tom Scavo, [email protected]
• Von Welch, [email protected]
Thank You!