http://gridshib.globus.org/
TeraGrid 08: The Third Annual TeraGrid Conference
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
June 9–13, 2008

Tutorial: Building Science Gateways
TeraGrid 08
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
June 9, 2008

Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways
TeraGrid 08
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
June 11, 2008

Science Gateways Working Group Session
TeraGrid 08
Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
June 12, 2008
GridShib @ TeraGrid 08
Tutorial: Building Science Gateways Mon, 8:00am–12:00pm
Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways Wed, 5:30–6:30pm
Poster Session: A Federated Identity Model for Science Gateways Wed, 6:30–8:30pm
Science Gateways Working Group Session Thu, 3:00–4:30pm
Grid Security Infrastructure (GSI)

Grid Authentication
Traditionally, grid authentication has been via trusted X.509 identity certificates
GSI relies heavily on X.509 proxy certificates
A proxy cert is a short-lived certificate signed by the user’s identity certificate
Multiple GSI authentication mechanisms:
GSI Transport (SSL/TLS)
GSI Secure Message (WS-Security)
GSI Secure Conversation (WS-SecureConversation)
The Classic Grid Use Case
A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.

Issue a Proxy Certificate
(diagram) X.509 End Entity Credential (Issuer: Certification Authority; Subject: End User) with its private key
→ grid-proxy-init or myproxy-logon →
X.509 Proxy Credential (Issuer: End User; Subject: End User + an additional proxy component) with its own private key
Classic GSI
(diagram) GT4 Client: a Globus WS Client holding an X.509 proxy credential (proxy certificate plus private key).
The client presents the X.509 proxy certificate to the GT4 Server: a Java WS Container hosting a Globus Web Service, which authorizes the request against a Gridmap.
Identity-based Access Control
The distinguished name (DN) in the proxy certificate is used as a basis for coarse-grained access control
If the subject DN is in an access control list called a gridmap file, access is allowed
A gridmap file also maps DNs to usernames
Associated with each DN are zero or more local usernames
GRAM, for example, requires a local account in which to run a job request

Gridmap File
The gridmap has a flat file format:
DN → [user0, user1, …, user(n−1)]
The gridmap has dual functions:
1. Authorization Policy
2. Username Mapping Policy
A single gridmap file serves both functions
Identity-based gridmap files trade off flexibility and scalability for simplicity

(gridmap file)
DN1 username1
DN2 username2
…
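The following is an added example, not Globus code, showing how one gridmap file serves both functions just described. It parses the Globus flat-file format (the DN in double quotes, then a comma-separated list of local usernames), strips the proxy CN components so that the lookup is by identity DN rather than by the literal proxy subject, and answers the two questions the gridmap answers: is this identity authorized at all, and which local account should the request run as. The sample gridmap, DNs and usernames are constructed for illustration.

```python
import re

# Constructed sample gridmap in Globus flat-file format: "DN" user[,user...]
SAMPLE_GRIDMAP = """
# constructed sample; DNs and usernames are illustrative
"/C=US/O=National Center for Supercomputing Applications/CN=Tom Scavo" tscavo
"/C=US/O=TeraGrid/CN=Science Gateway" gateway,gisolve
"/C=US/O=Example/CN=No Account"
"""

_LINE = re.compile(r'^"([^"]+)"\s*(.*)$')
# A proxy certificate appends CN components to the identity DN ("CN=proxy",
# "CN=limited proxy" or a numeric CN); strip them to recover the identity DN.
_PROXY_CN = re.compile(r'(/CN=(proxy|limited proxy|\d+))+$')


def parse_gridmap(text):
    """Return {identity DN: [local usernames]}; a DN may map to no account."""
    gridmap = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _LINE.match(line)
        if not match:
            raise ValueError("malformed gridmap line: %r" % line)
        dn, users = match.groups()
        gridmap[dn] = [u.strip() for u in users.split(",") if u.strip()]
    return gridmap


def identity_dn(subject_dn):
    """Identity DN behind a proxy chain: the subject with proxy CNs removed."""
    return _PROXY_CN.sub("", subject_dn)


def authorize(gridmap, subject_dn):
    """Function 1, authorization policy: is the identity listed at all?"""
    return identity_dn(subject_dn) in gridmap


def map_username(gridmap, subject_dn, requested=None):
    """Function 2, username mapping: the first listed account, or the
    requested one if the DN is allowed to use it; None if no account fits."""
    users = gridmap.get(identity_dn(subject_dn), [])
    if requested is not None:
        return requested if requested in users else None
    return users[0] if users else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_GRIDMAP)
    proxy = "/C=US/O=TeraGrid/CN=Science Gateway/CN=1234567"
    print(authorize(gm, proxy), map_username(gm, proxy))
```

Note the third sample line: a DN that is listed but has no username is authorized by function 1 yet cannot be mapped by function 2, which is exactly the case GRAM must reject because it has no local account in which to run the job.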
GridShib-enabled GSI

GridShib Project
The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids
GridShib software allows Globus Toolkit and Shibboleth to interoperate
Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service
The current emphasis is on browser users and attribute push, specifically the TeraGrid Science Gateway Use Case
GridShib Software
GridShib for GT: Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed.
GridShib for Shibboleth: Responds to attribute queries from GridShib for GT.
GridShib CA: Issues short-lived X.509 credentials to browser users.
GridShib SAML Tools: Issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.
GridShib SAML Tools
The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
Binds a SAML assertion to an X.509 proxy certificate
The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Certificate Token Profile)
Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens
GS-ST is a SAML producer

GS-ST Features
Easily installed and configured
Binds arbitrary content (not just SAML) to a non-critical certificate extension
Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
CLI with shell scripts (UNIX and Windows)
Includes a Java API for portal developers
Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1

GS-ST Function
Bind a SAML assertion to a non-critical X.509 v3 certificate extension
We call this an X.509-bound SAML token
(diagram) X.509 Community Credential (Issuer: TeraGrid CA; Subject: Science Gateway) with its private key
→ grid-proxy-init →
X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway + proxy component) with its own private key
→ gridshib-saml-issuer →
X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway + proxy component) carrying
X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
<saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>

X.509-bound SAML Token
GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based Grids
The SAML token is bound to a non-critical X.509v3 certificate extension
X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway + proxy component) with private key
X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
<saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>
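The binding described above, at the level of the certificate extension itself, as an added example that is not GridShib code: it DER-encodes the X.509v3 Extension structure that carries the assertion and decodes it again on the consumer side. The extension OID 1.3.6.1.4.1.3536.1.1.1.12 is the one shown on the slide; the assertion text is a constructed sample with a namespace declaration added so that it is well-formed XML. Building the surrounding proxy certificate and signing it is out of scope here.

```python
SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.12"

# Constructed sample assertion (namespace added for well-formedness).
SAMPLE_ASSERTION = ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
                    '<saml:NameID>trscavo</saml:NameID></saml:Assertion>')


def _der_len(n):
    """DER length: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _der_len(len(payload)) + payload


def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, then base-128 subids."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    subids, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subids.append(val)
            val = 0
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits DEFAULT values, so the non-critical
    extension GridShib uses carries no BOOLEAN at all."""
    body = encode_oid(oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def decode_extension(der):
    """Return (oid, critical, extnValue bytes) from one DER Extension."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    critical = False
    tag, body, pos = _read_tlv(seq, pos)
    if tag == 0x01:
        critical = body == b"\xff"
        tag, body, pos = _read_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING")
    return decode_oid(oid_body), critical, body


def extract_saml_token(der):
    """Consumer side: the assertion text from the GridShib extension, None
    for any other extension, and a refusal if the extension is marked
    critical (a relying party that does not understand a critical extension
    has to reject the certificate, which would break non-GridShib services)."""
    oid, critical, value = decode_extension(der)
    if oid != SAML_EXT_OID:
        return None
    if critical:
        raise ValueError("X.509-bound SAML extension must be non-critical")
    return value.decode("utf-8")


if __name__ == "__main__":
    ext = encode_extension(SAML_EXT_OID, SAMPLE_ASSERTION.encode())
    print(ext.hex())
    print(extract_saml_token(ext))
```

The non-critical flag is what makes the later summary claim work: a GT service without GridShib sees an extension it does not recognize, and because it is not critical it simply ignores it instead of rejecting the certificate.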
WS-Security Token Profiles
OASIS WS-Security Technical Committee:
WSS X.509 Certificate Token Profile [1]
WSS SAML Token Profile
Globus implements the former
We define a new token type: X.509-bound SAML Token
An implementation of [1] automatically handles X.509-bound SAML tokens
No new wire protocols are needed!

Security Tokens
(diagram) Three SOAP envelopes side by side:
X.509 Token: the SOAP Header carries an X.509 certificate; the SOAP Body follows
SAML Token: the SOAP Header carries a SAML assertion; the SOAP Body follows
X.509-bound SAML Token: the SOAP Header carries an X.509 certificate with the SAML assertion embedded in it; the SOAP Body follows
GridShib-enabled GSI
A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf

GridShib for GT
GridShib for GT (GS4GT) is a plug-in for GT 4.x
GS4GT is compatible with both GT 4.0 and 4.2
GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids
GS4GT is a SAML consumer
Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids

GS4GT Features
Introduces attribute-based authorization into GT
Exposes a single comprehensive policy decision point called the GridShibPDP
Implements an attribute push model
Restricts access based on blacklists of IP addresses and/or name identifiers
Provides attribute-based account mapping
Supports optional gridmap short-circuiting
Defines an attribute-based authorization policy language (in XML)
GridShib-enabled GSI
(diagram) GT4 Client: the GridShib SAML Tools take the end entity credential (certificate plus key) and produce a proxy credential with a bound SAML assertion; the Globus WS Client presents the resulting proxy certificate (with SAML) to the GT4 Server.
GT4 Server: a Java WS Container (with GridShib for GT) hosting a Globus Web Service; the GridShib SAML PIP extracts the SAML, writes Logs and populates the Security Context, and the service evaluates the Blacklist Policy and the Authz Policy.

GS4GT Configuration Files
(GridShib Blacklist Policy file)
identifier1
identifier2
…
(GridShib SAML Entity Map file)
entityID1 DN1
entityID2 DN2
…
The SAML Entity Map maps SAML issuers to X.509 issuers
A SAML issuer in this file is trusted
The SAML Entity Map will be replaced by SAML Metadata (XML)
A blacklist is a list of identifiers (SAML identifiers or subject DNs)
A user whose identifier is on the blacklist will be denied access
The flat file blacklist will be replaced by a database table

GS4GT Policy Files
(Globus Gridmap file)
DN1 username1
DN2 username2
…
(GridShib Authz Policy and GridShib Mapping Policy: XML files)
Two separate attribute-based policy files:
1. Authorization Policy
[A0, A1, …, A(m−1)]
2. Username Mapping Policy
[A0, A1, …, A(m1−1)] → [user0, user1, …, user(n1−1)]
[A0, A1, …, A(m2−1)] → [user0, user1, …, user(n2−1)]
…
A single XML-based policy file may encapsulate both types of policies
Summary
Fine-grained, attribute-based authorization
Introduces X.509-bound SAML tokens
Works at both the transport level and the message level
No modifications to GT clients are required
If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored
A Grid Authorization Model for Science Gateways

The Science Gateway Use Case
A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user
Classic Science Gateway
(diagram, shown in eight steps) Web Browser → Science Gateway (web authentication, labelled "WebAuthn" in the diagram; Web Interface; Webapp; WS GRAM Client; community credential with private key) → Resource Provider (Java WS Container; WS GRAM Service; community account)
1. A science gateway is a convenient intermediary between a browser user and a grid resource provider.
2. Each gateway is issued a community credential that uniquely identifies the gateway.
3. Resource providers associate the community credential with a local community account.
4. To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.
5. The gateway then issues a short-lived proxy credential signed by its community credential.
6. The gateway submits the job on the user’s behalf, authenticating as itself to the resource.
7. The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.
8. After the job is executed, the result is returned to the browser user via the gateway web interface.
Community Account Model: The Good
The Community Account Model
simplifies the user experience
simplifies gateway implementation and deployment
simplifies gridmap file management at the RP
A community credential is issued to each gateway
A single community account is created at the RP
The gateway issues proxy certificates and makes grid requests on behalf of the user

Community Account Model: The Bad
The community account model has some significant drawbacks, however:
End user identity is unknown to the RP
Coarse-grained access control at the resource (by design)
Awkward approach to auditing and incident response
In the event of an emergency, the RP is forced to disable all access to the community account
Less than adequate accounting mechanisms
All this can be traced to a single problem…

Community Account Model: The Ugly
All requests look exactly the same to the resource provider!
If the gateway would only pass the user’s name and contact information to the resource provider, all previously mentioned problems would be solved
Grid Authorization Model
We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
Extends the Community Account Model
Asserts end user identity to the RP
Permits fine-grained access control at the RP
Provides strong auditing and effective incident response
Allows dynamic blacklisting of problem accounts or runaway processes
A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
Complements existing SAML-based middleware infrastructure on today's campuses

Grid Authorization Model
The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
Using GridShib SAML Tools, the gateway
1. issues a SAML assertion containing the user's authentication context and attributes
2. binds the SAML assertion to a proxy certificate signed by the community credential
3. authenticates to the resource by presenting the SAML-laden proxy certificate
http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

(diagram) X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway + proxy component) with private key
+ <saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>
= X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway + proxy component) with private key and
X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:
<saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>

GridShib-enabled Science Gateway
A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.
Grid Authorization Model for Gateways
(diagram, shown in thirteen steps) Web Browser → Science Gateway (web authentication, labelled "WebAuthn" in the diagram; Web Interface; Webapp holding the username and attributes; GridShib SAML Tools; WS GRAM Client; community credential with private key) → Resource Provider (Java WS Container with GridShib for GT; GridShib SAML PIP; Security Context; Logs; WS GRAM Service; Blacklist Policy; Authz Policy)
1. An enhancement to the community account model increases the information flow between the gateway and the resource provider.
2. A software component called GridShib SAML Tools is integrated into the gateway portal environment.
3. Another software component called GridShib for GT is deployed at the resource provider.
4. These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.
5. Again the browser user authenticates to the gateway by presenting a username and password.
6. This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token: a proxy credential (Issuer: Science Gateway; Subject: Science Gateway + proxy component) whose X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 carries <saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>.
7. The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).
8. The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.
9. The GridShib SAML policy information point (PIP) extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.
10. The security information in the SAML token is also used to populate a SAML security context within the container.
11. The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.
12. The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.
13. As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.
GridShib-enabled Science Gateway
Simple installation and configuration of GridShib SAML Tools at the gateway
Includes GridShib Security Framework
Exposes both a command-line interface and a Java API
End user identity and contact information (e.g., e-mail) transmitted to RP
Push much of the responsibility for auditing and incident response back onto the RP
Big Advantage: No need to shut down the entire gateway in the event of an incident!

User Attributes
Gateway entityID: https://gridshib.gisolve.org/idp
Subject name identifier: [email protected]
Authentication statement
authentication method: urn:oasis:names:tc:SAML:1.0:am:password
authentication instant: 2007-08-02T12:10:34-0400
IP address: 10.81.193.244
Attribute statement
isMemberOf attribute: group://gisolve.org/gisolve
mail attribute: [email protected]

GridShib-enabled Resource Provider
The end user and the end user’s contact information (and other attributes) are logged
Effective auditing and incident response
Blacklist an IP address or name identifier on demand
Exposes a SAML security context
Fine-grained, attribute-based access control
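The resource-provider side of the model, covering the GS4GT configuration and policy files described earlier and the PIP/PDP steps in the gateway walk-through, as an added illustration that is not GridShib for GT code. Given the SAML assertion already extracted from the proxy certificate extension, it builds the security context, writes an audit log line, checks the SAML issuer against the SAML Entity Map, applies the blacklist, then evaluates an attribute-based authorization policy and username mapping policy. The SAML 1.1 assertion is constructed from the values on the "User Attributes" slide (the page leaves the e-mail addresses elided, so a placeholder address is used); the entity map, blacklist and policy contents are assumptions.

```python
import xml.etree.ElementTree as ET

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"

# Constructed SAML 1.1 assertion (GridShib builds on OpenSAML 1.1); the
# issuer, authentication method/instant, IP address and isMemberOf value
# come from the slide, the name identifier and mail address are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    Issuer="https://gridshib.gisolve.org/idp" AssertionID="_constructed1">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2007-08-02T12:10:34-0400">
    <saml:Subject><saml:NameIdentifier>trscavo</saml:NameIdentifier></saml:Subject>
    <saml:SubjectLocality IPAddress="10.81.193.244"/>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>trscavo</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="isMemberOf"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>group://gisolve.org/gisolve</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="mail"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>trscavo@example.org</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_security_context(assertion_xml):
    """The PIP step: parse the assertion into a flat security context."""
    root = ET.fromstring(assertion_xml)
    authn = root.find(SAML1 + "AuthenticationStatement")
    locality = authn.find(SAML1 + "SubjectLocality")
    attrs = {}
    for attr in root.iter(SAML1 + "Attribute"):
        values = [v.text for v in attr.findall(SAML1 + "AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return {
        "issuer": root.get("Issuer"),
        "name_id": authn.find(SAML1 + "Subject/" + SAML1 + "NameIdentifier").text,
        "authn_method": authn.get("AuthenticationMethod"),
        "authn_instant": authn.get("AuthenticationInstant"),
        "ip": locality.get("IPAddress") if locality is not None else None,
        "attributes": attrs,
    }


def audit_line(ctx, proxy_issuer_dn, decision, account):
    """One log record per request: the data incident response later needs."""
    return ("issuer=%s x509_issuer=%s name_id=%s ip=%s authn=%s@%s "
            "decision=%s account=%s") % (
        ctx["issuer"], proxy_issuer_dn, ctx["name_id"], ctx["ip"],
        ctx["authn_method"], ctx["authn_instant"], decision, account)


def rule_matches(rule, attrs):
    """A rule is {attribute name: required value}; every pair must hold."""
    return all(value in attrs.get(name, []) for name, value in rule.items())


def decide(ctx, proxy_issuer_dn, entity_map, blacklist, authz_policy, mapping_policy):
    """The PDP step. Returns (allowed, local account or None, audit log line)."""
    def done(allowed, account):
        return allowed, account, audit_line(
            ctx, proxy_issuer_dn, "allow" if allowed else "deny", account)

    # 1. Trust: the entity map must pair the SAML issuer with the X.509 issuer
    #    of the proxy certificate, i.e. the gateway's community credential.
    if entity_map.get(ctx["issuer"]) != proxy_issuer_dn:
        return done(False, None)
    # 2. Blacklist of name identifiers, IP addresses and DNs.
    if {ctx["name_id"], ctx["ip"], proxy_issuer_dn} & set(blacklist):
        return done(False, None)
    # 3. Authorization policy: a list of rules; any one satisfied rule allows.
    if not any(rule_matches(rule, ctx["attributes"]) for rule in authz_policy):
        return done(False, None)
    # 4. Username mapping policy: the first matching rule names the accounts,
    #    and its first account is used (this short-circuits the gridmap).
    for rule, accounts in mapping_policy:
        if rule_matches(rule, ctx["attributes"]):
            return done(True, accounts[0])
    return done(False, None)  # authorized, but no local account to run as


# Assumed configuration, illustrative only, not a real TeraGrid deployment.
ENTITY_MAP = {"https://gridshib.gisolve.org/idp": "/C=US/O=TeraGrid/CN=Science Gateway"}
AUTHZ_POLICY = [{"isMemberOf": "group://gisolve.org/gisolve"}]
MAPPING_POLICY = [({"isMemberOf": "group://gisolve.org/gisolve"}, ["gisolve"])]

if __name__ == "__main__":
    ctx = build_security_context(SAMPLE_ASSERTION)
    print(decide(ctx, ENTITY_MAP["https://gridshib.gisolve.org/idp"],
                 ENTITY_MAP, {"10.81.193.244"}, AUTHZ_POLICY, MAPPING_POLICY)[2])
```

The entity map check is the one that carries the trust: whatever the assertion itself says about its issuer, the only party that authenticated to the service is the holder of the proxy credential, so the SAML issuer is accepted only if the map pairs it with that credential's X.509 issuer. Blacklisting by name identifier or IP address then disables one user or one client without touching the gateway's community account.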
Comparison with VOMS
Virtual Organization Membership Service
The most successful grid authorization model today
VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates
VOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subject
Therefore, a gateway cannot call out to a VOMS server to obtain attributes for a user
Conclusion: VOMS cannot be used as a basis for gateway security
Integration with TeraGrid Central Database
(diagram, shown in seven steps) Resource Provider: Java WS Container (with GridShib for GT) → GridShib SAML PIP → Security Context → WS GRAM Service → Policy and Logs → Security table and GRAM audit table → AMIE upload → TGCDB
1. The GridShib-enhanced community account model permits fine-grained access control and effective incident response at the resource.
2. Since each request is now associated with a unique end user, we push job info to TeraGrid Central for improved auditing and accounting.
3. First, the security context associated with each incoming request is captured in a security table.
4. Likewise the disposition of every job request is captured in an enhanced GRAM audit table.
5. An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database.
6. A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway.
7. TeraGrid administrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning.
Gateway Job Accounting
(diagram courtesy of Stu Martin) The Client/Gateway creates a job, gets an EPR, and controls the job with the EPR. In the GT4 Java Container at the TeraGrid Resource Provider (RP), Delegation, MJFS, MEJS, RFT, SEG and an RM adapter drive the Resource Manager (user jobs run via sudo) and feed the Core Audit Table, RFT Audit Table, Delegation Audit Table and GRAM Audit Table, plus RM accounting and the RM log. The container locally converts the EPR to a Grid JID; Local AMIE Accounting uploads to the Central TG Accounting DB. OGSA-DAI provides virtualization for the audit and accounting DBs, so the gateway queries using the Grid JID and receives the accounting record together with a unique user ID. No changes are required to AMIE.
Benefits of TGCDB Integration
The gateway can query the TGCDB (via OGSA-DAI) and implement local, fine-grained accounting mechanisms
TeraGrid administrators can obtain aggregate accounting data for NSF reporting and planning
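The join behind the accounting flow described above, as an added sketch that is not TeraGrid, AMIE or GRAM audit code. Two per-RP tables are assumed: a security table keyed by job id, filled from the SAML security context, and a GRAM audit table holding the disposition of each job. Joining them yields one packet per job with the end user attached, which is what makes per-user accounting at the gateway and aggregate accounting at TeraGrid Central possible. The column names and sample rows are assumptions, and sqlite3 stands in for the real databases.

```python
import sqlite3

# Assumed schemas; the real security and GRAM audit tables are not on the page.
SCHEMA = """
CREATE TABLE security (
    job_id TEXT PRIMARY KEY, gateway_entityid TEXT, name_id TEXT,
    client_ip TEXT, authn_instant TEXT);
CREATE TABLE gram_audit (
    job_id TEXT PRIMARY KEY, local_user TEXT, submit_time TEXT,
    disposition TEXT, charge_sus REAL);
"""

# Constructed sample rows: three GridShib-enabled requests and one classic
# community-account request (job-4) that has no security row at all.
SAMPLE_ROWS = {
    "security": [
        ("job-1", "https://gridshib.gisolve.org/idp", "trscavo", "10.81.193.244", "2007-08-02T12:10:34-0400"),
        ("job-2", "https://gridshib.gisolve.org/idp", "trscavo", "10.81.193.244", "2007-08-02T12:40:00-0400"),
        ("job-3", "https://gridshib.gisolve.org/idp", "alice", "10.81.193.250", "2007-08-02T13:00:00-0400"),
    ],
    "gram_audit": [
        ("job-1", "gisolve", "2007-08-02T12:11:00-0400", "Done", 12.5),
        ("job-2", "gisolve", "2007-08-02T12:41:00-0400", "Failed", 0.0),
        ("job-3", "gisolve", "2007-08-02T13:01:00-0400", "Done", 4.0),
        ("job-4", "gisolve", "2007-08-02T13:05:00-0400", "Done", 7.0),
    ],
}


def load_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO security VALUES (?,?,?,?,?)", SAMPLE_ROWS["security"])
    conn.executemany("INSERT INTO gram_audit VALUES (?,?,?,?,?)", SAMPLE_ROWS["gram_audit"])
    return conn


def accounting_packets(conn):
    """The AMIE-style join: one record per job, carrying the end user."""
    return conn.execute("""
        SELECT g.job_id, s.gateway_entityid, s.name_id, g.local_user,
               g.disposition, g.charge_sus
        FROM gram_audit g JOIN security s ON s.job_id = g.job_id
        ORDER BY g.job_id""").fetchall()


def usage_by_user(conn, gateway_entityid):
    """What a gateway would ask of the central database: jobs and charge
    per end user, even though every job ran under the one community account."""
    rows = conn.execute("""
        SELECT s.name_id, COUNT(*), SUM(g.charge_sus)
        FROM gram_audit g JOIN security s ON s.job_id = g.job_id
        WHERE s.gateway_entityid = ?
        GROUP BY s.name_id ORDER BY s.name_id""", (gateway_entityid,)).fetchall()
    return {name: (jobs, charge) for name, jobs, charge in rows}


def unattributed_jobs(conn):
    """Jobs with no security row: these all look alike, the problem the model fixes."""
    return [row[0] for row in conn.execute(
        "SELECT job_id FROM gram_audit WHERE job_id NOT IN (SELECT job_id FROM security)")]


if __name__ == "__main__":
    db = load_sample_db()
    for packet in accounting_packets(db):
        print(packet)
    print(usage_by_user(db, "https://gridshib.gisolve.org/idp"))
    print("unattributed:", unattributed_jobs(db))
```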
TeraGrid Deployment Strategy
1. GridShib SAML Tools at the Gateway
• http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes
2. GridShib for GT at the RP
• Integrate GS4GT into CTSS4
3. Integrate with TeraGrid Central Database
• Retrofit GRAM 4.0 Audit with end user identity
• Assist with the design and implementation of GRAM 4.2 Audit (in particular, the security table)
A Federated Identity Model for Science Gateways

Federated Identity
The long term vision is to introduce federated identity at the science gateway
Shibboleth, an open-source implementation of the SAML Browser Profiles, provides:
Ubiquity
Manageability
Usability
Security
Since Shibboleth is based on SAML, our model complements existing campus infrastructure
WebAuthn
WS GRAM Client
WS GRAM Client
GridShibSAML PIP
GridShibSAML PIP
GridShib SAML Tools
GridShib SAML Tools
community credential
Key
WS GRAM Service
WS GRAM Service
Java WS Container(with GridShib for GT)
WebappWebappattributes
Web Interface
Web Browser
username
It is well-known that password management at the gateway is
a significant administrative burden for both the gateway
and the end user.
Resource ProviderScience Gateway
http://gridshib.globus.org/
WebAuthn
Resource ProviderScience Gateway
WS GRAM Client
WS GRAM Client
GridShibSAML PIP
GridShibSAML PIP
GridShib SAML Tools
GridShib SAML Tools
WS GRAM Service
WS GRAM Service
Java WS Container(with GridShib for GT)
WebappWebappattributes
username
SAML Service Provider
SAML Identity Provider
Web Interface
Web Browser
To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing
side of the gateway.
http://gridshib.globus.org/
WebAuthn
Resource ProviderScience Gateway
WS GRAM Client
WS GRAM Client
GridShibSAML PIP
GridShibSAML PIP
GridShib SAML Tools
GridShib SAML Tools
WS GRAM Service
WS GRAM Service
Java WS Container(with GridShib for GT)
WebappWebappattributes
username
SAML Service Provider
SAML Identity Provider
Web Interface
Web Browser
A third-party Identity Provider on each campus manages user
identity and credentials.
http://gridshib.globus.org/
WebAuthn
Resource ProviderScience Gateway
WS GRAM Client
WS GRAM Client
GridShibSAML PIP
GridShibSAML PIP
GridShib SAML Tools
GridShib SAML Tools
WS GRAM Service
WS GRAM Service
Java WS Container(with GridShib for GT)
WebappWebappattributes
username
SAML Service Provider
SAML Identity Provider
Web Interface
Web Browser
The gateway, which is protected by a Service
Provider, trusts the Identity Provider to authenticate the
browser user.
http://gridshib.globus.org/
WebAuthn
Resource ProviderScience Gateway
WS GRAM Client
WS GRAM Client
GridShibSAML PIP
GridShibSAML PIP
GridShib SAML Tools
GridShib SAML Tools
WS GRAM Service
WS GRAM Service
Java WS Container(with GridShib for GT)
WebappWebappattributes
username
SAML Service Provider
SAML Identity Provider
Web Interface
Web Browser
Since we’re already invested in SAML on the back end, we
prefer an implementation of the standard SAML browser
profiles (such as Shibboleth).
http://gridshib.globus.org/
[Diagram: Web Browser -> Web Interface of the Science Gateway (SAML Service Provider; Webapp with username and attributes; WS GRAM Client; GridShib SAML Tools) -> Resource Provider (WS GRAM Service; GridShib SAML PIP; Java WS Container with GridShib for GT); separate SAML Identity Provider; Web Authn arrow]
A browser user authenticates to their preferred campus Identity Provider instead of the science gateway.

[Diagram: as above, with a SAML Assertion label at the SAML Identity Provider]
The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser.

[Diagram: as above, with SAML Assertion labels at the SAML Identity Provider and at the browser/SAML Service Provider]
The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password.

[Diagram: as above, adding at the Science Gateway a community credential (Key) and a proxy credential (SAML + Key)]
The gateway issues a combined SAML token containing both campus attributes and local attributes.

[Diagram: as above, with the proxy certificate (SAML + Key) carried from the Science Gateway's WS GRAM Client to the Resource Provider's WS GRAM Service]
The gateway authenticates as itself to the resource provider, presenting the combined X.509-bound SAML token.

[Diagram: as above, adding Logs and a Security Context at the Resource Provider's Java WS Container]
Since the gateway did not authenticate the end user directly, the resource provider must decide if it trusts the combined SAML token.

[Diagram: as above, adding an Authz Policy and a Blacklist Policy at the Resource Provider]
In the case of federated identity, access control policy at the resource provider is more complex since a third security domain is involved.

[Diagram: as above (Web Browser, SAML Identity Provider, Science Gateway with SAML Service Provider, Webapp, WS GRAM Client and GridShib SAML Tools, Resource Provider with WS GRAM Service, GridShib SAML PIP, Java WS Container, Logs, Security Context, Authz Policy and Blacklist Policy)]
SAML Web Browser SSO closes the loop for a complete end-to-end flow of security information.

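The resource-provider decision the preceding slides describe (is the combined token bound to the gateway that authenticated, is the campus domain trusted, then blacklist and attribute-based authorization, with an audit record for the logs), as an added Python illustration that is not GridShib or Globus code. The token is a constructed SAML 2.0 assertion, and the gateway DN, issuer URL, scope, attribute names and user names are hypothetical; it assumes the container has already authenticated the gateway's X.509 proxy credential and passes the resulting DN in.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample token: campus attributes (ePPN, affiliation) plus a
# gateway-local attribute (gatewayUsername). All names and URLs are hypothetical.
SAMPLE_TOKEN = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
 <Issuer>https://gateway.example.org/shibboleth</Issuer>
 <AttributeStatement>
  <Attribute Name="eduPersonPrincipalName"><AttributeValue>jdoe@campus.example.edu</AttributeValue></Attribute>
  <Attribute Name="eduPersonAffiliation"><AttributeValue>member</AttributeValue></Attribute>
  <Attribute Name="gatewayUsername"><AttributeValue>jdoe</AttributeValue></Attribute>
 </AttributeStatement>
</Assertion>"""

@dataclass
class Policy:
    gateway_issuers: dict   # authenticated gateway X.509 DN -> SAML issuer it may use
    trusted_scopes: set     # campus IdP scopes (the third security domain) the RP accepts
    blacklist: set          # ePPNs denied regardless of attributes
    required_affiliation: str = "member"

def parse_token(token):
    """Return (issuer, {attribute name: [values]}) from the assertion XML."""
    root = ET.fromstring(token)
    attrs = {a.get("Name"): [v.text for v in a.findall(NS + "AttributeValue")]
             for a in root.iter(NS + "Attribute")}
    return root.findtext(NS + "Issuer"), attrs

def decide(token, gateway_dn, policy):
    """Evaluate a token from a gateway that authenticated as gateway_dn; return (decision, audit record)."""
    issuer, attrs = parse_token(token)
    eppn = attrs.get("eduPersonPrincipalName", [""])[0]
    scope = eppn.partition("@")[2]          # campus scope, e.g. campus.example.edu
    if policy.gateway_issuers.get(gateway_dn) != issuer:
        decision, reason = "deny", "issuer not bound to the authenticated gateway"
    elif scope not in policy.trusted_scopes:
        decision, reason = "deny", "campus scope not trusted by this resource provider"
    elif eppn in policy.blacklist:
        decision, reason = "deny", "end user is blacklisted"
    elif policy.required_affiliation not in attrs.get("eduPersonAffiliation", []):
        decision, reason = "deny", "required affiliation missing"
    else:
        decision, reason = "permit", "authorized by attribute policy"
    audit = {"gateway": gateway_dn, "issuer": issuer, "user": eppn, "scope": scope,
             "gateway_user": attrs.get("gatewayUsername", [""])[0], "decision": decision, "reason": reason}
    return decision, audit
GATEWAY_DN = "/DC=org/DC=example/CN=gateway.example.org"   # hypothetical gateway identity
POLICY = Policy({GATEWAY_DN: "https://gateway.example.org/shibboleth"},
                {"campus.example.edu"}, {"mallory@campus.example.edu"})
```

The audit record is the security-context information the resource provider writes to its logs; every deny carries the policy reason so the third security domain's contribution can be traced afterwards.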
Federated Identity Model for Gateways
[Diagram: Browser and Shib-enabled Grid Portal with GridShib-enabled Grid Client at the TeraGrid Science Gateway; Shibboleth SSO Service and GridShib-enabled Attribute Service at the Shibboleth Identity Provider; GridShib-enabled Grid SP; exchanges labelled A, B, C and D carrying a SAML Assertion, SAML Request/Response, an X.509 proxy certificate/credential with embedded SAML and key, and an X.509 end entity credential with key]

Birds-of-a-Feather Session

Is your gateway infrastructure built on a JEE portal framework? If so, which one? If not, what application server do you use?

Is your gateway security framework built on the community credential model? If not, describe your security framework.

Do you use MyProxy? If not, is the community credential stored in the file system?

In your application server environment, how easy is it to obtain the following information:
- Username
- Authentication instant
- IP address
- E-mail address
Does your portal framework provide an API to obtain this information, or do you have to query a database?

Does your gateway control its own DNS domain? If not, what is the URL of your gateway? [relate this to "scope"]

Acknowledgments
Original Project PIs: Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist
Developers: Rachana Ananthakrishnan, Jim Basney, Tim Freeman, Raj Kettimuthu, Terry Fleury, Tom Scavo
The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

Thank you!
GridShib
http://gridshib.globus.org/