EGEE-II INFSO-RI- 031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Interoperability AAI and Grids Christoph Witzig, SWITCH NORDUnet Conference April 9, 2008


Page 1: Interoperability AAI and Grids

Christoph Witzig, SWITCH

NORDUnet Conference April 9, 2008

Page 2: Content

• Introduction to AAIs
  – Why interoperability AAI - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth

• Interoperability Shibboleth - Grid within EGEE
  – Short-lived credential service (SLCS)
  – Attribute exchange to VOMS
  – Future developments within EGEE

• Other activities in interoperability Shibboleth - Grids

• Summary

Page 3: Security Models

• AAIs solve the old problem of access control to resources

• There are various technologies in use; their usefulness depends on the underlying infrastructure

1. Crusader Castle
2. League of Nations
3. Federations

Page 4: Crusader Castle

Appropriate for few, non-mobile users

Page 5: Crusader Castle

[Figure: three institutions (University A, Library B, University C), each running its own resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); authentication, authorization, user administration and resource credentials are handled separately at every resource]

• Tedious user registration at all resources

• Unreliable and outdated user data at resources

• Different login processes

• Many different passwords

• Many resources not protected due to difficulties

• Often IP-based authorization

• Costly implementation of inter-institutional access

Page 6: League of Nations

[Figure: University A and University C with their resources (Student Admin, Web Mail, e-Learning, Research DB); a Passport Issuer (CA) issues standardized X.509 credentials (the analogy is the International Conference on Passports, 1920); authentication and authorization, user administration and resource credentials remain at the resource]

• User registration process with CA

• User has one credential to present to resources

• authN and authZ at resource

• User has to manage credential

• Standard use in grids (IGTF)

• Delegation mechanism

Page 7: Federated Identity Management

[Figure: University A, Library B and University C with their resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals) joined by federated identity management; authentication and user administration stay with the home institution, authorization and resource credentials with the resource]

• No user registration and user data maintenance at resource needed

• Single login process for the users

• Many new resources available for the users

• Enlarged user communities for resources

• Efficient implementation of inter-institutional access

Shibboleth

• open source

• internet2

• SAML

• Web-based Single Sign-on
  – authN at Identity Provider
  – authZ at Service Provider based on user's attributes as provided by IdP

• Privacy

Page 8: Example of an AAI: SWITCHaai

Page 9: Why Interoperability AAI - Grid?

For AAI Federations:
• Add grid resources to federation

For Grids:
• Add huge user base (campus network)

For e-Science:
• Unified user base
• Bring stakeholders together (NRENs - Grids)

For Users:
• Simpler management of credentials
• Easy access to grids

Page 10: Interoperability Challenges

• authN at grid resource

• Attribute-based authZ

• Federation attributes vs VO attributes

• Delegation

• Renewal of credentials

Page 11: Content

• Introduction to AAIs
  – Why interoperability AAI - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth

• Interoperability Shibboleth - Grid within EGEE
  – Short-lived credential service (SLCS)
  – Attribute exchange to VOMS
  – Future developments within EGEE

• Other activities in interoperability Shibboleth - Grids

• Summary

Page 12: Overview Phase 1 and 2

SLCS = Short lived credential service
VASH = VOMS attributes from Shibboleth

Page 13: Design Decisions

• SLCS CA and "VOMS SP" independent of each other
  – Separate Service Providers
  – Deployed independently

• SLCS CA independent of the Grid middleware

• VOMS SP only dependent on VOMS

Page 14: Short Lived Credential Service (SLCS)

Page 15: SLCS Profile

• SLCS = Short Lived Credential Service

• International Grid Trust Federation (IGTF) Profile

• Minimum requirements:

                        SLCS X.509 certificate                           Classic X.509 certificate
  Basis of issuance     Generated based on Identity Management system    "traditional" Registration Authority (e.g. passport)
  Lifetime              < 1 mio sec                                      < 1 year + 1 month
  Revocation handling   optional                                         mandatory

Page 16: SLCS Design

• Private key is never transferred

• Use commercial CA and only standard protocols

• Modular design such that other people can use their own components

• Shibboleth attributes determine DN

Page 17: SLCS Operation

• For the user:
  – Command line: slcs-init --idp <providerId>
  – Part of gLite User Interface (gLite-UI 3.1) (can also be installed independently)

• For the RA, from a web-based admin tool:
  – Can enable or disable individual users (only for his institution)
  – Requirements formulated in CP/CPS
  – Can obtain log information (audit)

• SWITCH:
  – Operates the service for the SWITCHaai federation

Page 18: Status SLCS

• Software development finished in 2006

• SWITCH SLCS Root CA accredited by EuGridPMA in February 2007

• SWITCH SLCS in production since April 2007

• http://www.switch.ch/grid/slcs

Page 19: Attribute exchange to VOMS: VOMS attributes from Shibboleth (VASH)

Page 20: Problem

• SLCS ties
  – AAI authentication to issuance of X.509 certificate
  – AAI attributes are used to construct the DN

• SLCS intends to make AAI attributes available to grid resources for authorization decisions
  – Which AAI attributes are of interest to grid resource?
  – How does resource obtain attributes? (pull vs push)
  – Relation to VO attributes
  – Deployment issues

Page 21: VASH Design (1)

• VASH: VOMS Attributes from Shibboleth

• Shibboleth SP
  – Browser-based
  – Specific for Federation VO

• "lightweight" SP
  – No administrator duties
  – No management of attributes
  – Simply transfers attributes upon user request

Page 22: VASH Design (2)

• X.509 and proxy X.509 with VOMS AC unchanged

• No change in VOMS
  – Requires VOMS version 1.7.10 or higher

• VO registration not changed

• Administrative domain between Shibboleth federation and VOMS fully decoupled

• User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509)

Page 23: Deployment Options

• Option 1:
  – As an add-on to an existing VOMS-based VO

• Option 2:
  – As a registration tool which allows a member of a Shibboleth IdP to become a member of a VOMS-based VO
  – Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)

Page 24: Status VASH

• Software implementation done

• MJRA1.5 document: https://edms.cern.ch/document/807849/1

• Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available
  – Access to VOMS AC
  – LCAS/LCMAPS plugin

• http://www.switch.ch/grid/vash
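To make the VASH path concrete, the following added example models the design point from Page 22 (the user, not an administrator, manages the mapping between a DN and a Shibboleth id) and the resource-side evaluation from Page 24 (Shibboleth attributes read from the VOMS AC by an LCAS-style allow/deny step and an LCMAPS-style account mapping). It is not VASH, VOMS or LCAS/LCMAPS code; the AC layout, attribute names, VO and group names and pool accounts are constructed for the illustration.

```python
"""Added example (not VASH, VOMS or LCAS/LCMAPS code): a simplified model of
the VASH path. The user binds a Shibboleth id to the DN they hold in the VO,
VASH copies released federation attributes into that DN's VO record, and a
grid resource later evaluates them from the VOMS AC. Every name and the AC
layout are constructed; they stand in for the real VOMS encoding."""


class VashStore:
    """Per-VO state: DN -> Shibboleth id bindings (managed by the user) and
    the attributes last transferred for each DN."""

    def __init__(self):
        self.dn_owner = {}    # DN -> Shibboleth user id
        self.attributes = {}  # DN -> attributes transferred for that DN

    def bind_dn(self, shib_id: str, dn: str):
        self.dn_owner[dn] = shib_id

    def transfer(self, shib_id: str, dn: str, released: dict):
        """Attributes may only be attached to a DN the same user bound earlier;
        otherwise any federation login could decorate someone else's DN."""
        if self.dn_owner.get(dn) != shib_id:
            raise PermissionError(f"{dn} is not bound to {shib_id}")
        self.attributes[dn] = dict(released)


def make_ac(store: VashStore, dn: str, vo: str, fqans: list) -> dict:
    """Constructed stand-in for the VOMS AC a resource sees after verifying the
    proxy: FQANs plus generic attributes carrying the VASH-transferred values."""
    return {"holder_dn": dn, "vo": vo, "fqans": list(fqans),
            "generic_attributes": dict(store.attributes.get(dn, {}))}


# Assumed site policy: served VOs, acceptable affiliations, banned DNs and
# the pool account per group (most specific group first).
SITE_POLICY = {
    "allowed_vos": {"demo.vo"},
    "accepted_affiliations": {"staff", "faculty", "student"},
    "banned_dns": set(),
    "pool_by_group": [("/demo.vo/analysis", "demoana"), ("/demo.vo", "demousr")],
}


def lcas_authorize(ac: dict, policy: dict):
    """LCAS-style decision: every check must pass, and a missing attribute
    (e.g. VASH never ran for this DN) denies instead of defaulting to allow."""
    if ac["holder_dn"] in policy["banned_dns"]:
        return False, "DN banned at this site"
    if ac["vo"] not in policy["allowed_vos"]:
        return False, f"VO {ac['vo']!r} not supported"
    affiliation = ac["generic_attributes"].get("eduPersonAffiliation")
    if affiliation not in policy["accepted_affiliations"]:
        return False, f"affiliation {affiliation!r} not acceptable"
    return True, "ok"


def lcmaps_map(ac: dict, policy: dict):
    """LCMAPS-style mapping: drop the Role part of each FQAN and take the
    first (most specific) group that has a pool account."""
    groups = {fqan.split("/Role=")[0] for fqan in ac["fqans"]}
    for group, account in policy["pool_by_group"]:
        if group in groups:
            return account
    return None


def gatekeeper(ac: dict, policy: dict = SITE_POLICY):
    """Return (local account, 'ok') or (None, reason)."""
    ok, why = lcas_authorize(ac, policy)
    if not ok:
        return None, why
    account = lcmaps_map(ac, policy)
    if account is None:
        return None, "no local mapping for the presented FQANs"
    return account, "ok"


def demo():
    """End to end with constructed data: bind, transfer, build the AC, authorize."""
    store = VashStore()
    dn = "CN=Alice Example,O=SWITCH,DC=ch,DC=switch,DC=slcs"
    store.bind_dn("alice@switch.ch", dn)
    store.transfer("alice@switch.ch", dn,
                   {"eduPersonAffiliation": "staff", "homeOrganization": "switch.ch"})
    ac = make_ac(store, dn, "demo.vo", ["/demo.vo", "/demo.vo/analysis/Role=NULL"])
    return gatekeeper(ac)
```

The deny-by-default in `lcas_authorize` is the important choice: a DN whose owner never ran VASH carries no federation attributes, and the resource then refuses rather than silently falling back to VO membership alone.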

Page 25: Future developments within EGEE: SAML Support in Grids

Page 26: SAML Support

• Goal: Extend use of SAML in grids beyond what is already provided by EGEE-II (SLCS, VASH)

• Benefits:
  – (Average) User has no certificates anymore
  – Introduce SAML gently beyond phase 1 and 2, gain experience
  – Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation
  – Options open for future

• Requires: a means for a service to transform the security token it has into the security token it needs

Page 27: Security Token Service

• WS-Trust defines mechanisms for brokering trust to an authority called Security Token Service (STS)

• The Security Token Service has a trust relationship with both the client and the service.

Page 28: Use Cases

• Grid:
  – Shibboleth user wants to access a Grid resource (e.g. WMS, File Catalogue, Storage Element…)
  – He needs to obtain a security token that the Grid services understand (X.509)

• Non-browser based Shibboleth applications:
  – User agent contacts Shibboleth IdP with credential (e.g. username, password)
  – User agent receives SAML assertion to be sent to a Shibboleth SP

Page 29: Content

• Introduction to AAIs
  – Why interoperability AAI - Grids
  – Authentication and authorization (AA) in Grids and Shibboleth

• Interoperability Shibboleth - Grid within EGEE
  – Short-lived credential service (SLCS)
  – Attribute exchange to VOMS
  – Future developments within EGEE

• Other activities in interoperability Shibboleth - Grids

• Summary

Page 30: Other Activities

• GridShib
  – Globus
  – Community Access to TeraGrid through gateways

• Activities in UK
  – Shebangs and ShibGrid
  – Shintau: attribute aggregation from multiple IdPs

• OMII-Europe:
  – SAML assertions from VOMS

Page 31: GridShib Software Components

• GridShib for Globus Toolkit
  – A plugin for GT 4.0

• GridShib for Shibboleth
  – A plugin for Shibboleth 1.3 IdP

• GridShib CA
  – A web-based CA for new grid users

• GridShib SAML Tools
  – Tools for portals and users to embed attributes into X.509 credentials

• All at: http://gridshib.globus.org/

Slide: Courtesy of Von Welch, NCSA

Page 32: GridShib SAML Tools

[Figure: Community Access via Science Gateway. Users authenticate to a Web Portal, whose GridShib SAML Tools embed their attributes; Grid Requests then go to GridShib for GT, which obtains local attributes (may be dynamic) from GridShib for Shib]

Slide: Courtesy of Von Welch, NCSA

Page 33: Summary

• Interoperability AAI - Grids makes the Grid accessible for a large user community

• Interoperability Grid - Shibboleth in EGEE:
  – SLCS service: Online CA issuing X.509 certificates based upon authN at Shibboleth IdP
  – VASH service: Transfers Shibboleth attributes into VOMS; Shib attributes are available to grid resources as part of VOMS AC
  – SLCS and VASH can be used independent of gLite
  – SAML support in Grids through Security Token Service (STS)

• Other Interoperability Efforts
  – GridShib
  – UK e-Science: ShibGrid, Shintau

Page 34: Q & A

Page 35: SWITCH SLCS Setup

• 3 separate servers in increasingly secure environment (network and physical access)

• Front End
  – Shibboleth SP

• SLCS Server
  – Tomcat web app

• Online CA
  – Microsoft Certificate Server
  – Hardware Security Module (HSM)

• Offline CA
  – Signs the Online CA
  – Stored in a bank safe

Page 36: Web Interface VASH Service

Page 37: Multiple Security Domains

• A client may need to communicate with services that operate across trust boundaries (i.e. Shibboleth SAML vs Grid X.509)

• Multiple STS can be used in a trust chain across security domains (delegated trust)
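The brokered trust of Page 27 and the STS chain across security domains of this page are shown end to end in the following added example, which is not EGEE, gLite or WS-Trust implementation code. Each relying party accepts only tokens signed by issuers on its own trust list; an STS trusted on both sides exchanges a token from one domain for a token the other accepts, and two STSs are chained so that a federation-side assertion ends up as a grid-side token. Tokens are HMAC-signed JSON rather than SAML assertions or X.509 proxies, and all names, keys and attributes are constructed.

```python
"""Added example (not EGEE/gLite or WS-Trust code): a minimal model of STS
token brokering and of chaining two STSs across a Shibboleth/grid trust
boundary. HMAC-signed JSON stands in for SAML and X.509; every name, key
and attribute is constructed."""
import hashlib
import hmac
import json


def _canon(body: dict) -> bytes:
    """Canonical bytes for signing: sorted keys, no whitespace."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(body: dict, key: bytes) -> dict:
    token = dict(body)
    token["sig"] = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
    return token


class TrustDomain:
    """A relying party (e.g. a grid WMS) with its own list of trusted issuers."""

    def __init__(self, name: str, trusted_issuers: dict):
        self.name = name
        self.trusted = trusted_issuers  # issuer name -> verification key

    def verify(self, token: dict, now: int):
        """Return (body, 'ok') or (None, reason): issuer, signature, audience,
        expiry, in that order, so an unknown issuer is refused before any key
        is used."""
        body = {k: v for k, v in token.items() if k != "sig"}
        key = self.trusted.get(body.get("iss"))
        if key is None:
            return None, f"issuer {body.get('iss')!r} not trusted by {self.name}"
        expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token.get("sig", "")):
            return None, "bad signature"
        if body.get("aud") != self.name:
            return None, f"audience {body.get('aud')!r} is not {self.name}"
        if body.get("exp", 0) <= now:
            return None, "token expired"
        return body, "ok"


class STS(TrustDomain):
    """Security Token Service: verifies tokens from the domain it trusts and
    issues tokens of another type under its own signing key."""

    def __init__(self, name, trusted_issuers, signing_key: bytes, issues_type: str, lifetime: int):
        super().__init__(name, trusted_issuers)
        self.key = signing_key
        self.issues_type = issues_type
        self.lifetime = lifetime

    def exchange(self, token: dict, audience: str, now: int) -> dict:
        body, why = self.verify(token, now)
        if body is None:
            raise PermissionError(why)
        new = {
            "typ": self.issues_type, "iss": self.name, "aud": audience,
            "sub": body["sub"], "attrs": body["attrs"], "exp": now + self.lifetime,
            # Delegated-trust chain: the final service can see which domain
            # originally authenticated the subject.
            "chain": body.get("chain", []) + [body["iss"]],
        }
        return sign(new, self.key)


def build_scenario():
    """Federation side: IdP -> federation STS. Grid side: grid STS -> WMS.
    Only the two STSs share a trust relationship across the boundary."""
    idp_key, fed_key, grid_key = b"idp-secret", b"fed-sts-secret", b"grid-sts-secret"
    idp = "idp.example.org"
    fed_sts = STS("sts.federation.example", {idp: idp_key}, fed_key, "SAML", 3600)
    grid_sts = STS("sts.grid.example", {fed_sts.name: fed_key}, grid_key, "X509", 1_000_000)
    wms = TrustDomain("wms.grid.example", {grid_sts.name: grid_key})
    return idp, idp_key, fed_sts, grid_sts, wms


def idp_assertion(idp: str, idp_key: bytes, audience: str, now: int) -> dict:
    """Constructed stand-in for the SAML assertion a user agent obtains from its IdP."""
    return sign({"typ": "SAML", "iss": idp, "aud": audience, "sub": "alice@example.org",
                 "attrs": {"eduPersonAffiliation": "staff"}, "exp": now + 300}, idp_key)


def access_grid_via_chain(now: int = 1_000):
    """Returns (why the WMS refuses the raw IdP token, body accepted via the
    chain, verification result, the grid-side token)."""
    idp, idp_key, fed_sts, grid_sts, wms = build_scenario()
    assertion = idp_assertion(idp, idp_key, fed_sts.name, now)
    _, direct_reason = wms.verify(assertion, now)             # WMS does not trust the IdP
    fed_token = fed_sts.exchange(assertion, grid_sts.name, now)
    grid_token = grid_sts.exchange(fed_token, wms.name, now)  # X.509-like token for the grid
    body, reason = wms.verify(grid_token, now)
    return direct_reason, body, reason, grid_token
```

The audience check is what keeps the chain honest: a token minted for the grid STS cannot be replayed straight at the WMS, and the WMS only ever holds the grid STS's key, never the federation's.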