EGEE-II INFSO-RI-031688
Enabling Grids for E-sciencE
www.eu-egee.org
EGEE and gLite are registered trademarks
Interoperability Shibboleth - gLite
Christoph Witzig, SWITCH
TNC 2007 - Copenhagen 22.5.2007
TNC2007, Kopenhagen, 22.5.2007 2
Content
• Introduction
  – Motivation for interoperability Shibboleth - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth
  – General approach
• Phase 1: Short-lived credential service (SLCS)
• Phase 2: Attribute exchange to VOMS
• Outlook: Phase 3
• Other activities in interoperability Shibboleth - Grids
• Summary
Why Interoperability AAI - Grid ?
For AAI Federations:
• Add grid resources to federation
For Grids:
• Add huge user base (campus network)
For e-Science:
• Unified user base
• Bring stakeholders together (NRENs - Grids)
For Users:
• Simpler management of credentials
• Easy access to grids
AAI Models
• AAIs solve the old problem of access control to resources
• There are various technologies in use - their usefulness depends on the underlying infrastructure
1. Passport Model (PKI / Grids)
2. Federated Identity (Shibboleth)
Passport Model (PKI)
[Diagram: the user holds an X.509 certificate and obtains VO attributes from VOMS; job submission with a proxy X.509 w/ VOMS AC goes to the Resource Broker, then to the Computing Element (CE) and Worker Node (WN)]
VOMS = virtual organization management system
AC = attribute certificate
Federated Identity Model
[Diagram: 1. User attempts access at the Service Provider; 2. authN at the Home Organization / Identity Provider; 3. SAML assertion returned to the Service Provider; 4. authZ at the Service Provider]
authN = authentication
authZ = authorization
SAML = security assertion markup language
Topics
• authN at grid resource
• Attribute-based authZ
• Federation attributes vs VO attributes
• Delegation
• Renewal of credentials
General Approach
• EGEE-II:
  – April 2006 - Mar 2008
  – Year 1: Phase 1 and 2
    Add interoperability by starting “small” with minimal changes to gLite
  – Year 2: Phase 3: Extend SAML to selected grid services
• EGEE-III:
  – Continuation in EGEE-III
Overview Phase 1 and 2
SLCS = Short lived credential service
VASH = VOMS attributes from Shibboleth
Design Decisions
• SLCS CA and “VOMS SP” independent of each other
  – Separate Service Providers
  – Deployed independently
• SLCS CA independent of the Grid middleware
• VOMS SP only dependent on VOMS
SLCS Profile
• SLCS = short lived credential service
• IGTF profile
• Minimum requirements:

  SLCS X.509                                                  | Classic X.509 certificate
  ------------------------------------------------------------|-----------------------------------------------------
  Certificate is generated based on Identity Management system | “traditional” Registration Authority (e.g. passport)
  Lifetime < 1 mio sec                                        | Lifetime < 1 year + 1 month
  Revocation handling optional                                | Revocation handling
SWITCHslcs: Operation
• For the user:
  – from the command line: invisible
  – part of gLite User Interface [UI] (3.1) (can also be installed independently)
• For the RA, from web-based admin tool:
  – Can enable or disable individual users (only for his institution)
  – Requirements formulated in CP/CPS
  – Can obtain log information
• SWITCH:
  – Operates the service
SWITCHslcs
• Private key is never transferred
• Use commercial CA and only standard protocols
• Modular design such that other people can use their own components
• Shibboleth attributes determine DN
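The SLCS profile bound from the previous slide (validity below 1 million seconds, against roughly a year for a classic certificate) and the two SWITCHslcs properties "private key is never transferred" and "Shibboleth attributes determine DN" can be seen together in the following Go program. It is an added example, not code from the slides or from SWITCHslcs: the CA is a self-signed stand-in for the commercial CA, the attribute names (HomeOrg, UniqueID, Name) and the DN layout are constructed assumptions, and the Shibboleth authentication step is represented by the attributes handed to slcsIssue rather than performed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

const SLCSMaxLifetime = 1_000_000 * time.Second // slide: "Lifetime < 1 mio sec"
const ClassicMaxLifetime = 396 * 24 * time.Hour // slide: "< 1 year + 1 month", approximated as 396 days

type ShibAttrs struct{ HomeOrg, UniqueID, Name string } // attribute subset the CA needs for the DN (constructed names)

// dnFromAttributes builds the subject from IdP attributes only; whatever subject the client put in its CSR is ignored.
func dnFromAttributes(a ShibAttrs) pkix.Name {
	return pkix.Name{Organization: []string{a.HomeOrg}, CommonName: a.Name + " " + a.UniqueID}
}

// newCA creates a self-signed CA standing in for the commercial CA behind the service.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo SLCS CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// userCSR is the client side: the key pair is generated locally and only the CSR (public key plus proof of possession) leaves the machine.
func userCSR() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	return key, der, err
}

// slcsIssue is the CA side, run only after Shibboleth authN succeeded; the SAML exchange is out of scope and represented by attrs.
func slcsIssue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte,
	attrs ShibAttrs, lifetime time.Duration) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the private key
		return nil, err
	}
	if attrs.HomeOrg == "" || attrs.UniqueID == "" {
		return nil, fmt.Errorf("IdP did not release the attributes needed for the DN")
	}
	if lifetime >= SLCSMaxLifetime {
		return nil, fmt.Errorf("validity %v is not below the SLCS bound %v", lifetime, SLCSMaxLifetime)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: dnFromAttributes(attrs), NotBefore: now, NotAfter: now.Add(lifetime),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// checkLifetime is the relying-party check; pass the bound of the IGTF profile the issuing CA is accredited under.
func checkLifetime(c *x509.Certificate, limit time.Duration) error {
	if life := c.NotAfter.Sub(c.NotBefore); life >= limit {
		return fmt.Errorf("validity %v is not below the profile bound %v", life, limit)
	}
	return nil
}

func main() {
	ca, caKey, _ := newCA()
	key, csr, _ := userCSR()
	attrs := ShibAttrs{HomeOrg: "Example University", UniqueID: "1234abcd", Name: "Alice Example"} // constructed
	cert, err := slcsIssue(ca, caKey, csr, attrs, 11*24*time.Hour)
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject, cert.PublicKey.(*ecdsa.PublicKey).Equal(&key.PublicKey), checkLifetime(cert, SLCSMaxLifetime))
}
```

The client never parts with its key: it ships a CSR, and the CA verifies the CSR signature as proof of possession before signing. A request for 30 days is refused because 1 million seconds is about 11.6 days, and a relying party can apply the same bound with checkLifetime, or the classic bound for a certificate from a traditionally accredited CA.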
Status SLCS
• Software development was finished in 2006
• Accredited by EuGridPMA in February 2007
• Production operation since April 2007
• http://www.switch.ch/grid/slcs
The Problem
• Phase 1 ties
  – AAI authentication to issuance of X.509 certificate
  – AAI attributes are used to construct the DN
• Phase 2 intends to make AAI attributes available to grid resources for authorization decisions
  – Which AAI attributes are of interest to grid resource?
  – How does resource obtain attributes? (pull vs push)
  – Relation to VO attributes
  – Deployment issues
Shibboleth Attributes
• Need common understanding of attributes
  – given within a federation
  – but inter-federation access (?)
• In SWITCHaai: Attributes are derived from eduPerson
• Only a subset of attributes is really interesting for grid resources:
  – Home Organization (IdP)
  – Affiliation
  – Study level and branch
  – Staff
  – Member of
Design (1)
• VASH:
  – VOMS Attributes from Shibboleth
• Shibboleth SP
  – Browser-based
  – Specific for Federation VO
• “lightweight” SP
  – No administrator duties
  – No management of attributes
  – Simply transfers attributes upon user request
Design (2)
• X.509 and proxy X.509 with VOMS AC unchanged
• No change in VOMS
  – Needs version 1.7.10 or higher
• VO registration not changed
• Administrative domain between Shibboleth federation and VOMS fully decoupled
• User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509)
• Becomes a service which knows the mapping Shibboleth userid - DN
• Has to respect data privacy laws
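How a lightweight SP in the VASH role can turn a federation assertion into attributes for VOMS while keeping to the design points above (user-managed DN mapping, only the subset of attributes a grid resource needs, decoupled administrative domains, data privacy), as an added Go example that is not the slides' or VASH's own code. The SAML assertion, the issuer URL, the DN string and the choice of relevant attributes are constructed; the eduPerson and LDAP attribute OIDs are the standard ones, and signature validation of the assertion is assumed to have been done by the SP stack before this code runs.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sampleAssertion is a constructed SAML 2.0 assertion as a Shibboleth SP receives it in
// step 3 of the federated model; the SP stack is assumed to have verified its signature.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example-university.ch/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue>alice@example-university.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
      <saml:AttributeValue>staff@example-university.ch</saml:AttributeValue>
      <saml:AttributeValue>member@example-university.ch</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.10" FriendlyName="o">
      <saml:AttributeValue>Example University</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>alice@example-university.ch</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

type samlAttribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

type samlAssertion struct {
	Issuer     string          `xml:"Issuer"`
	Attributes []samlAttribute `xml:"AttributeStatement>Attribute"`
}

// Standard eduPerson OIDs: the user id is what the user registered next to the DN; scoped values carry "@scope".
const (
	userIDAttr    = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6" // eduPersonPrincipalName
	scopedAffAttr = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9" // eduPersonScopedAffiliation
)

// gridRelevant is the subset a grid resource cares about (home organisation, affiliation, group);
// anything else, mail included, is dropped before it reaches VOMS. Selection is by OID, never by FriendlyName.
var gridRelevant = map[string]string{
	"urn:oid:2.5.4.10":                 "o",
	scopedAffAttr:                      "eduPersonScopedAffiliation",
	"urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "eduPersonEntitlement",
}

// DNMapping is the user-maintained table Shibboleth user id -> grid DN.
type DNMapping map[string]string

// scopeOK rejects a scoped value whose scope is not the one the federation registered for the IdP.
func scopeOK(value, scope string) bool {
	at := strings.LastIndex(value, "@")
	return at >= 0 && value[at+1:] == scope
}

// vashTransfer is the core of the lightweight SP: from a verified assertion, the user's DN
// registration and the federation's IdP->scope registry it derives the DN and the attributes to record in VOMS.
func vashTransfer(assertionXML string, m DNMapping, idpScopes map[string]string) (string, map[string][]string, error) {
	var a samlAssertion
	if err := xml.Unmarshal([]byte(assertionXML), &a); err != nil {
		return "", nil, err
	}
	scope, ok := idpScopes[strings.TrimSpace(a.Issuer)]
	if !ok {
		return "", nil, fmt.Errorf("issuer %q is not a registered federation IdP", a.Issuer)
	}
	userID, out := "", map[string][]string{}
	for _, attr := range a.Attributes {
		for _, v := range attr.Values {
			if (attr.Name == userIDAttr || attr.Name == scopedAffAttr) && !scopeOK(v, scope) {
				return "", nil, fmt.Errorf("%s value %q is outside the IdP scope %q", attr.Name, v, scope)
			}
		}
		if attr.Name == userIDAttr && len(attr.Values) == 1 {
			userID = attr.Values[0]
		} else if friendly, ok := gridRelevant[attr.Name]; ok {
			out[friendly] = append(out[friendly], attr.Values...)
		}
	}
	dn, ok := m[userID]
	if userID == "" || !ok {
		return "", nil, fmt.Errorf("no DN registered for %q: the user must link DN and Shibboleth id first", userID)
	}
	return dn, out, nil
}

func main() {
	m := DNMapping{"alice@example-university.ch": "/O=Example University/CN=Alice Example 1234abcd"} // constructed registration
	idps := map[string]string{"https://idp.example-university.ch/idp/shibboleth": "example-university.ch"}
	dn, attrs, err := vashTransfer(sampleAssertion, m, idps)
	fmt.Println(dn, attrs, err)
}
```

Filtering is by attribute Name (OID), because the OID is what the federation agreed on and a FriendlyName is only display text. Scoped values must carry the scope registered for the asserting IdP, so one IdP cannot speak for users of another, and a user with no registered DN gets nothing transferred: the mapping is the user's to create, which keeps the SP free of administrator duties.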
Web Interface VASH Service
Status
• Software implementation done
• MJRA1.5 document: https://edms.cern.ch/document/807849/1
• Currently developing plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource
  – Access to VOMS AC
  – LCAS/LCMAPS
Phase 3
• Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2
• SAML-enable those services with which the user interacts directly
  – WMS
  – File access
• Benefits:
  – (Average) User has no certificates any more
  – Introduce SAML gently beyond phase 1 and 2, gain experience
  – No modifications on most grid software (--> deployment)
  – Compatible with Shibboleth roadmap (2.0, 2.1) and ID-WSF implementation
  – All options open for future
Other Activities
• GridShib
  – Globus
  – Community Access to TeraGrid through gateways
• Activities in UK
  – Shebangs and ShibGrid
  – Shintau: attribute aggregation from multiple IdPs
• OMII-Europe:
  – SAML assertions from VOMS
Summary
• Interoperability gLite - Shibboleth:
  – Phase 1: SLCS service
    Online CA issuing X.509 certificates based upon authN at Shibboleth IdP
    In operation
  – Phase 2: VASH
    Transfers Shibboleth attributes into VOMS
    Shib attributes are available to grid resources as part of VOMS AC
    Software development finished
  – Phase 3: Is starting now
    Idea to SAML-enable a selected (small) number of grid services (those close to the user)
Q & A