GGF18, Washington, USA (11th-15th September 2006)
David Spence, CCLRC (Id: 114). 4th October 2006.

Shibboleth for Grids

The “Shibboleth for Grids” workshop consisted of four sessions. The first two sessions consisted of progress reports on the Shibboleth and Grid integration projects which were presented at GGF16:

• Erik Vullings presented the continuing Shibboleth work at MAMS in Australia, in particular their IAM suite. This is a generalised collaboration platform allowing VO users to gain access via Shibboleth to their VO’s resources, including Grid resources, in a non-VO-specific way.
• Christoph Witzig presented the work SWITCH is doing as part of the EGEE-II project to enable Shibboleth-based authentication to EGEE resources.
• Von Welch presented an update on GridShib. Their recent work included providing means to place SAML assertions into X.509 certificates (including OASIS standards) and integration with myVocs.
• David Spence presented progress with the ShibGrid project, which had not started at the time of the GGF16 meeting. Areas covered included the project’s user requirements feedback and the architecture developed.
• Richard Sinnott presented various projects from NeSC, including the DyVOSE project, which provides a dynamic privilege management infrastructure.
• Mike Jones presented progress with the SHEBANGS and ShibVomGSite projects, along with questions about levels of assurance and about standards for mappings between Shibboleth attributes and identities on the one hand and X.509 DN identities and VOMS attributes on the other.
• David Chadwick presented GridShibPERMIS as a policy decision point for GT4 and the web, and recent developments in ease-of-use through a policy editor and a simplified version of PERMIS.

The third session was taken up by a talk detailing the results of the recent discussions in the Shibboleth developer community over the features and implementation methods for Shibboleth 2.0. This talk was given by Nate Klingenstein (a Shibboleth developer) and gave the Grid community a chance to see how future developments in Shibboleth would affect their work and to have their questions answered.

The fourth session looked at some current issues that affect all Shibboleth-Grid integration projects:

• Alan Sill looked at issues with Shibboleth integration for registration systems, an important issue especially in systems which automatically generate X.509 identities for users. In particular he detailed how Shibboleth can be used with VOMRS/VOMS, and opportunities for even deeper integration.
• Christoph Witzig presented discussions he has had with the IGTF and PMAs about accreditation of Shibboleth-based CAs.
• Tom Scavo presented some of the new OASIS standards which have been submitted as part of the GridShib project, especially in the area of X.509 and SAML bindings.

These sessions proved informative about the directions the different projects are working towards, the future of Shibboleth itself, and its effect on Grid work in particular. The sessions showed that while many people have arrived at the same core solution for converting Shibboleth authentication assertions to GSI credentials (i.e. through the use of an online CA of some description), there was not much consensus in areas such as registration, level of assurance, and identity and attribute mapping. Due to time constraints the discussion on an interoperability test-bed and points for interoperability was dropped; this would have been a great starting point for resolving these issues.

Towards Worldwide Grid User Support

This session looked at the area of providing consistent user support in Grids that span the whole globe, where users may be in a different VO, continent and Grid from the resources they are employing. This is driven by the co-operation between EGEE and the Open Science Grid (OSG), which are interoperating to provide resources for the Worldwide LHC Computing Grid (WLCG). Both Torsten Antoni from the GGUS support helpdesk in EGEE and Rob Quick from the OSG Grid Operations Centre presented their individual solutions to large-scale user support and how the two systems are currently interoperating. In both cases they have developed similar federated approaches consisting of VO-, resource-, geographically- or function-local support units with a central system for routing non-local queries. This was a useful session looking at a non-technical issue which will affect Grids increasingly as the numbers of users and resources grow. Although these two systems are currently interoperating, there seems to be an outstanding need to develop standard practices (and protocols) to support increasing user levels.

Security Talks

Blair Dillaway from Microsoft described the company’s unified approach to trust, delegation and authorization. This security policy assertion language (SecPAL) combines the best features of other similar authorization schemes to provide an XML-based, declarative, logic-based security language. Jeff Tan from Monash University talked about work done to circumvent institutions’ firewalls to enable Grid access; for this he used a combination of SOCKS and SSH.

OGSA Auth WG meeting

In this working group session a new charter for OGSA Auth was agreed, extra features were suggested for the Credential Validation Services (CVS) requirements document, and some comments were made on the PERMIS and VOMS profiles.

IGTF Issues

This session started with the introduction of the new IGTF logo and was followed by reports from the three PMAs. The draft Member Integrated Credential Services (MICS) profile, which leverages a site’s high-quality accounts database, was discussed along with changes to the Classic CA profile. This part of the session led to a discussion of the relative roles of the IGTF and the PMAs. In the second part of the session Peter Alterman gave a presentation on the Federal (US Government) PKI Architecture. This talk focused especially on PKI trust bridges, which allow trust to be bridged between different trust providers. It proved useful in thinking about the future of Grid trust.

Firewall Issues RG

In this session Melinda Shore, from Cisco and chairperson of the IETF MIDCOM WG, presented the various solutions to firewall issues to kick off the next stage of work in the Firewall Issues WG: the production of an evaluation of IETF solutions to these problems and a solutions document. In addition, other solutions and discussion were led by Ralph Niederberger, Thijs Metsch and Jeff Tan, including ideas of how to “Grid-enable” firewalls.

Topics in Identity Management

The Topics in Identity Management session consisted of three talks: the first by Von Welch, who gave an overview of GridShib, and the second and third by Stephen Langella (Ohio State University), detailing Dorian and the Grid Trust Service (GTS) respectively. These are components which provide authentication, authorization, trust management and secure communication services to medical collaborations. The Dorian system provides the Grid user account management function and GTS provides secure inter-institutional trust. These talks were useful case studies in different methods for providing easy-to-use secure access to Grid resources for non-Grid users.