Tools for Grid/Campus Integration: GridShib and MyProxy
Internet2 Advanced Camp, July 1, 2005
Von Welch
vwelch@ncsa.uiuc.edu
Outline
GridShib
Overview of Shibboleth and Globus
Our Motivation and Use Cases
Integration Approach
Status
MyProxy
Overview
Local Authn Support
Shibboleth
http://shibboleth.internet2.edu/
Internet2 project
Allows for inter-institutional sharing of web resources (via browsers)
Provides attributes for authorization between institutions
Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
Standards-based (SAML)
Being extended to non-web resources
Shibboleth
Identity Provider composed of single sign-on (SSO) and attribute authority (AA) services
SSO: authenticates user locally and issues authentication assertion with Handle
Assertion is short-lived bearer assertion
Handle is also short-lived and non-identifying
Handle is registered with AA
Attribute Authority responds to queries regarding handle
Shibboleth
Service Provider composed of Assertion Consumer and Attribute Requestor
Assertion Consumer parses authentication assertion
Attribute Requestor requests attributes from the AA
Attributes used for authorization
Where Are You From (WAYF) service determines user’s Identity Provider
Shibboleth (Simplified)
[Diagram: the Shibboleth IdP (SSO and AA) issues a Handle and serves Attributes drawn from e.g. LDAP; the Shibboleth SP's Assertion Consumer Service (ACS) and Attribute Requestor (AR) exchange the Handle and Attributes with it over SAML]
Globus Toolkit
http://www.globus.org
Toolkit for Grid computing
Job submission, data movement, data management, resource management
Based on Web Services and WSRF
Security based on X.509 identity- and proxy-certificates
May be issued by conventional or on-line CAs
Some initial attribute-based authorization
Motivation
Many Grid VOs are focused on science or business other than IT support
Don’t have expertise or resources to run security services
Allow for leveraging of Shibboleth code and deployments run by campuses
Use Cases
Project leveraging campus attributes
Simplest case
Project-operated Shib service
Project operates own service, conceptually easy, but not ideal
Campus-operated, project-administered Shib
Ideal mix, but need mechanisms for provisioning of attribute administration
Integration Approach
Conceptually, replace Shibboleth’s handle-based authentication with X509
Provides stronger security for non-web browser apps
Works with existing PKI install base
To allow leveraging of Shibboleth install base, require as few changes to Shibboleth AA as possible
GridShib (Simplified)
[Diagram: the Shibboleth IdP's AA serves Attributes keyed by the user's X509 DN, which takes the place of the SSO-issued Handle; the exchange is SAML carried over SSL/TLS or WS-Security]
Integration Areas
Assertion Transmission
Attribute Authority Discovery
Distribute Attribute Administration
User Registration
Pseudonymous Interaction
Authorization
Assertion Transmission
How to get SAML assertions from the AA into Globus?
Initially: Pull mode, with Globus acting as a Shibboleth Attribute Requestor
Will explore Push modes to help with privacy and role combination
Implement Grid Name Mapper to map X509 DNs to local identities used to obtain attributes
Attribute Authority Discovery
No interactive WAYF service in the Grid
Place identifier of Identity Provider in cert
Either in long-term EEC or short-term Proxy Cert
Will explore pushing attributes
Avoids the problem
Might also address combined attributes from multiple AAs
Distributed Attribute Administration
Campus is ideal for running services, but may not know all attributes of users
How does a campus issue attributes for which it is not authoritative?
E.g. IEEE Membership of staff
In Grid case, Project Membership
This may be the largest hurdle due to social, political and/or legal issues
Need accepted cookbook for process
Plan on exploring Signet
http://middleware.internet2.edu/signet/
Getting Attributes into a Site’s Attribute Authority
[Diagram: core business systems (SIS, HR) and on-site authorities feed loaders into a Person Registry; a Group Registry is managed through the Grouper UI and a Privilege Registry through the Signet UI, the latter also taking input from off-site authorities; together these populate the LDAP entry (uid: jdoe, eduPersonAffiliation, isMemberOf, eduPersonEntitlement) read by the Attribute Authority, for Shibboleth or for GridShib using Shibboleth]
User Registration
How does the mapping from the user’s X509 DN to local campus identity get made in the NameMapper configuration?
In initial version, this will be manual process
Yes, far from ideal
We envision
Something akin to a registration service that authenticates user’s X509 and local credentials and puts mapping in automatically
Or a portal that hides all the X509 from the user and also handles this mapping
E.g. PURSE, GAMA
Pseudonymous Interaction
How to maintain Shibboleth’s pseudonymous functionality with X509?
Will develop online CA that issues certificates with non-identifying DNs
Register the pseudonymous DN with the AA, just as the SSO registers a Handle
Basically holder-of-key assertions
Authorization
Develop authorization framework in Globus Toolkit
Pluggable modules for processing authentication, gathering and processing attributes and rendering decisions
XACML used for expressing gathered identity, attribute and policy information
Convert Attributes into common format for policy evaluation
Allows for common evaluation of attributes expressed in SAML and X509 (and others…)
GridShib Status
Testing initial version internal to project
Will be a drop-in addition to GT 4.0 and Shibboleth 1.3
Plan on releasing Beta version 2-3 weeks after Shibboleth 1.3 is released
Looking for interested testers
Project website:
http://grid.ncsa.uiuc.edu/GridShib/
Acknowledgements and Details
NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
Funded under NSF award SCI-0438424
GridShib team: NCSA, U. Chicago, ANL
Tom Barton, David Champion, Tim Freemon, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch
Working in collaboration with Steven Carmody, Scott Cantor, Bob Morgan and the rest of the Internet2 Shibboleth Design team
MyProxy Enhancements for Local Integration
Bill Baker, Jim Basney and Von Welch
NCSA
What is MyProxy?
Independent Globus Toolkit add-on since 2000
To be included in Globus Toolkit 4.0
A service for securing private keys
Keys stored encrypted with user-chosen password
Keys never leave the MyProxy server
A service for retrieving proxy credentials
A commonly-used service for grid portal security
Integrated with OGCE, GridSphere, and GridPort, PURSE, GAMA
Proxy Credentials
RFC 3820: Proxy Certificate Profile
Associate a new private key and certificate with existing credentials
Short-lived, unencrypted credentials for multiple authentications in a session
Restricted lifetime in certificate limits vulnerability of unencrypted key
Credential delegation (forwarding) without transferring private keys
[Diagram: A signs Proxy A, Proxy A signs Proxy B, and so on down the chain]
Proxy Delegation
[Diagram, delegatee and delegator: (1) the delegatee generates a new key pair, (2) sends a proxy certificate request, (3) the delegator signs the new proxy certificate, (4) the proxy certificate is returned to the delegatee]
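The delegation exchange on the slide, as an added example that is not MyProxy or Globus Toolkit code: the delegatee's fresh key pair is certified by the delegator under the RFC 3820 naming rule and critical proxyCertInfo extension, and a relying-party check enforces the nested lifetime that limits exposure of the unencrypted proxy key, a check a plain RFC 5280 path validator will not perform for an end-entity issuer. It uses the Python cryptography package; the self-signed EEC, the fixed clock and the "proxy" CN are constructed for the demo.

```python
from datetime import datetime, timedelta
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

# id-pe-proxyCertInfo and DER of ProxyCertInfo{proxyPolicy: inheritAll} (RFC 3820);
# NOW is a constructed clock so the demo is repeatable.
PROXY_CERT_INFO = x509.ObjectIdentifier("1.3.6.1.5.5.7.1.14")
INHERIT_ALL_DER = bytes.fromhex("300c300a06082b06010505071501")
NOW = datetime(2005, 7, 1)

def make_eec(cn):
    """Self-signed stand-in for the CA-issued end entity certificate (EEC)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(1).not_valid_before(NOW)
            .not_valid_after(NOW + timedelta(days=365)).sign(key, hashes.SHA256()))
    return cert, key

def delegate(parent, parent_key, hours, with_pci=True):
    """Slide steps 1-3: the delegatee's fresh key is certified; the parent key never moves."""
    proxy_key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name(list(parent.subject) +  # RFC 3820: issuer name + one CN
                        [x509.NameAttribute(NameOID.COMMON_NAME, "proxy")])
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(parent.subject)
         .public_key(proxy_key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(NOW + timedelta(hours=hours)))
    if with_pci:  # RFC 3820 mandates proxyCertInfo, marked critical
        b = b.add_extension(x509.UnrecognizedExtension(PROXY_CERT_INFO, INHERIT_ALL_DER), critical=True)
    return b.sign(parent_key, hashes.SHA256()), proxy_key

def _validity(c):  # naive UTC bounds on old and new cryptography releases
    if hasattr(c, "not_valid_before_utc"):
        return c.not_valid_before_utc.replace(tzinfo=None), c.not_valid_after_utc.replace(tzinfo=None)
    return c.not_valid_before, c.not_valid_after

def validate_proxy(proxy, parent, now=NOW):
    """Relying-party checks a plain RFC 5280 validator would not accept from an EEC issuer."""
    try:
        parent.public_key().verify(proxy.signature, proxy.tbs_certificate_bytes,
                                   ec.ECDSA(proxy.signature_hash_algorithm))
        pci = proxy.extensions.get_extension_for_oid(PROXY_CERT_INFO)
    except Exception:  # bad signature or no proxyCertInfo extension
        return False
    subj, iss = list(proxy.subject), list(proxy.issuer)
    (pb, pa), (qb, qa) = _validity(parent), _validity(proxy)
    return (pci.critical and iss == list(parent.subject)  # signed by its issuer
            and subj[:-1] == iss and subj[-1].oid == NameOID.COMMON_NAME
            and pb <= qb <= now <= qa <= pa)  # lifetime nested in the parent's
```

A second-level proxy (the Proxy A signs Proxy B chain of the slide) validates against its immediate parent only; checking it against the EEC fails on the signature, as it should.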
MyProxy System Architecture
[Diagram: the MyProxy client stores a proxy in, and retrieves a proxy from, the MyProxy server's credential repository, using proxy delegation over a private TLS channel]
MyProxy: Credential Mobility
[Diagram: the user obtains a certificate from ca.ncsa.uiuc.edu, stores a proxy at myproxy.teragrid.org, and retrieves proxies from tg-login.uc.teragrid.org, tg-login.caltech.teragrid.org, tg-login.sdsc.teragrid.org and tg-login.ncsa.teragrid.org]
MyProxy and Grid Portals
[Diagram: the user logs in to the Portal, the Portal fetches a proxy from the MyProxy server and uses it to access data on a GridFTP server]
MyProxy and PAM
MyProxy now has the ability to use PAM for authentication
As a replacement for locally-stored password
Users can use existing authentication mechanism to access Grid Credentials
Has been tested with PAM modules for LDAP, Kerberos, and OTP (CryptoCard) via RADIUS
LTER Grid Example
[Diagram: the user presents a username and password to the LTER Portal; the MyProxy server checks them through PAM against the LTER LDAP and returns a proxy, which the portal uses for job submission and GridFTP]
Status
PAM support is in MyProxy v2.0, which has been released
Available at http://myproxy.ncsa.uiuc.edu
PAM-specific documentation:
http://grid.ncsa.uiuc.edu/myproxy/pam.html
PAM enhancements funded by NMI Grids Center