2005 © SWITCH
Perspectives of Integrating AAI with Grid in EGEE-2
Christoph Witzig
Amsterdam, October 17, 2005
Outline
• Introduction
  – Overview of SWITCH
  – SWITCH activities in AAI and Grid
• SWITCHaai: The Swiss Shibboleth-based AAI
  – How it works
  – Shibboleth concepts
• EGEE security framework
  – Introduction to EGEE
  – How it works
  – Grid security concepts
• SWITCH proposal for interoperability Shibboleth - gLite
• Related efforts
• Summary
Introduction
• SWITCH has four strategic business areas
  – Network: operating the Swiss Research and Education network
  – Domain name registration for .ch and .li
  – Security: operates (among other things) SWITCHpki
  – NetServices: providing services on top of the network for academic users
• NetServices
  – Video conferences, streaming technologies, support for (physical) mobility
  – SWITCHaai: Shibboleth-based AAI for the Swiss academic sector
  – Grid: targeted Grid services as new strategic direction
    There is no Swiss grid program; there are various grid efforts at some universities
SWITCHaai
SWITCHaai = federated, national, Shibboleth-based authentication and authorization infrastructure (AAI).
Main efforts:
• > 110’000 users (50%) of the Swiss higher education sector are currently “AAI-enabled”.
• Federally funded cooperation projects will complete the national roll-out and increase the number of new resources.
• Define cooperation with other federations.
• Develop accounting (AAAI) services.
SWITCH Activities in Grid Computing
Grid support = new strategic direction: national AAI-enabled grid infrastructure in Switzerland.
Two main strategic efforts:
• Within the context of EGEE-2 we want to add interoperability between Shibboleth and the gLite middleware stack.
• Within the national context we want to work together with our partners (universities, computing centers) to build up such a national grid infrastructure based on the AAI-enabled gLite middleware.
Disclaimer
• Decision of EU regarding EGEE-2 proposal is pending
• Assuming a positive answer from the EU, EGEE-2 will start in April 2006 and last for two years
The World without AAI
[Diagram: University A, Library B and University C with the resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB and e-Journals; diagram labels: Authorization, User Administration, Authentication, Resource, Credentials]
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access
The World with AAI
[Diagram: University A, Library B and University C connected through the AAI to the resources Student Admin, Web Mail, e-Learning, Literature DB, Research DB and e-Journals; diagram labels: Authorization, User Administration, Authentication, Resource, Credentials]
• No user registration and user data maintenance at resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Authorization independent of location
• Efficient implementation of inter-institutional access
How it works
Shibboleth Concepts
• Based on SAML
• Initial focus on Web-based resources
EGEE: Enabling Grids for E-sciencE
• EU sponsored grid project within FP6
  – Funding 2004 - 2006: 32 Mio €
  – Proposal for second phase submitted (2006 - 2008)
• Emphasis is on
  – not software development
  – operating a production grid and supporting the end-users
  – Hardening, re-engineering and extending existing middleware functionality
• Large collaboration
  – > 180 sites
  – 20 VOs
  – > 800 registered users
EGEE Security Framework
EGEE Security Concepts
Interoperability Shibboleth - gLite
• Part of EGEE-2 proposal (by SWITCH in EGEE NREN Federation)
• Focus is on
  – Interoperability (NO replacement for X.509)
  – Specific for EGEE infrastructure (VOMS etc.)
  – Integrate, re-use, re-engineer existing code, write new code only as needed
• Key Concepts:
  – Home institution of the user should be the Identity Provider
  – Home institution provides some attributes
  – But VO is needed for (grid specific) attributes
• Proposal of doing work in three phases:
  – Two initial, shorter phases with the intention of hooking SWITCHaai up to the grid with a minimal amount of effort to have a working system
  – A third phase with adding support for SAML at the resource (service provider)
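An added illustration of the key concepts above (the home institution's IdP supplies identity attributes, the VO supplies the grid-specific ones, and the resource combines both before granting access). This is example code written for this page, not code from SWITCHaai, gLite or Shibboleth; it assumes a constructed SAML 2.0 assertion fragment, a simplified VOMS-style FQAN form (`/vo/group/Role=role`) and a hypothetical resource policy.

```python
# Added example (not SWITCH/gLite/Shibboleth code): the resource (SP) combines
# attributes from the user's home-institution IdP (SAML 2.0 AttributeStatement)
# with VO-issued grid attributes (simplified VOMS-style FQANs) for authorization.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment from a hypothetical home IdP (signature omitted).
IDP_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.ch</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed VO-issued attributes in simplified VOMS FQAN form: /vo/group/Role=role
VO_FQANS = ["/physics/Role=NULL", "/physics/analysis/Role=production"]

def idp_attributes(assertion_xml):
    """Return {attribute name: [values]} from the IdP assertion, plus the subject NameID."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    attrs["NameID"] = [root.findtext(".//saml:Subject/saml:NameID", namespaces=SAML_NS)]
    return attrs

def vo_attributes(fqans):
    """Parse FQANs into (vo, group, role) tuples; Role=NULL means no role was granted."""
    parsed = []
    for fqan in fqans:
        path, _, role = fqan.partition("/Role=")
        parts = path.strip("/").split("/")
        parsed.append((parts[0], "/" + "/".join(parts), None if role == "NULL" else role))
    return parsed

def authorize(idp_attrs, vo_attrs, policy):
    """Grant only if BOTH the IdP affiliation and the VO group/role required by the policy are present."""
    affiliation_ok = policy["affiliation"] in idp_attrs.get("eduPersonAffiliation", [])
    vo_ok = any((vo, group, role) == (policy["vo"], policy["group"], policy["role"])
                for vo, group, role in vo_attrs)
    return affiliation_ok and vo_ok

# Hypothetical resource policy: staff member at the home institution holding the VO production role.
POLICY = {"affiliation": "staff", "vo": "physics", "group": "/physics/analysis", "role": "production"}
```

A change at either source (an affiliation dropped by the IdP, or a role withdrawn by the VO) flips the decision, which is why the slides treat attribute sharing between IdP, VO and SP as part of the problem rather than authentication alone.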
Phase 1 and 2
Note:
• no changes at the Resource
• Work is more than just software (policies)
Access for Grid Users to Shib SP
• Intention: add “symmetry” between enabling access for Shib and grid users
• Test-bed between SWITCH and INFN in 2006
SAML Support at the Resource
• Third (and main) phase of project
• Goal: Support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)
• Should be based on SAML2
  – Supports ECP Profile (constrained delegation)
  – Will be used in Shibboleth 2
Related Efforts
• GridShib:
  – Emphasis is on providing attribute-based authorization
  – Based on GT4 and Shib 1.3
  – Beta version available since Sept 05
• OGSA authZ working group:
  – Defines specifications for basic interoperability and pluggability of authorization modules in OGSA framework
• Condor Shibboleth Merger Project
  – Phase I: Shib enabled Condor web portal
  – Phase II: Shib enabled Condor fat client
• Shibboleth - grid activities in UK
  – ESP-Grid
  – Further work is planned (JISC) to look at CA/Shib issues
• Issue of attribute management between IdP and VO (e.g. Signet)
Summary
• There is interest and activity for interoperability AAI / Shibboleth - grid
  – But X.509 is still the standard security mechanism for grids (and likely to remain so for quite some time)
  – Issue is not only authentication but also attribute sharing between IdP, VO, SP
  – Opportunity and need for NREN and Grid communities to interoperate
• GridShib:
  – beta version available
  – GT4 and Shib 1.3
• SWITCH participates in EGEE-2 to add interoperability Shibboleth - gLite
  – Pending approval by EU (expected in November)
  – We are interested in learning about other activities, sharing experiences and coordinating efforts