Shibboleth & Grid Integration
STFC and University of Oxford (and University of Manchester)
Overview
• Motivation
• Why Shibboleth?
• Previous work: ShibGrid
• Other projects
• Just starting: SARoNGS
• Conclusions
Motivation
• We want to encourage more users to use the Grid
– All areas of research
– Single researcher to large projects
– Security infrastructure must enable this
• Certificates are often a barrier
• Generalised not specific
• Straightforward to use
Why Shibboleth?
• JISC is encouraging all institutions to transition from Athens to “Federated Access Management”
• This technology is currently based on Shibboleth
• It will become familiar to all academic users
• The Grid should also use this common technology for authentication
Shibboleth Overview
• Web-based federated access management system based on SAML
• Based on separation of authentication and authorisation
– Authentication: Identity Provider (IdP) at user’s home institution
– Authorisation: Service Provider (SP) based on information about the user from the IdP
– Discovery: Where Are You From (WAYF) service
• User can remain anonymous at the SP
Shibboleth Authentication and Authorisation
(Diagram of the web server flow; thanks to Kang Tang)
ShibGrid Use cases
• Access to the Grid solely with Shibboleth
• Use standard Grid certificates when something extra is required – still many advantages
• Access to the Grid through a Portal
– NGS portal/project portals
• Access to the Grid through other access methods
– Globus, Java GSI-SSH Terminal, CoG, etc.
• Registration (for NGS) using Shibboleth
ShibGrid Authentication and Authorisation
(Diagram: Shibboleth access to the NGS via Portal; thanks to Kang Tang)
Other Components
• Grid proxy download tool
– For non-portal Grid access methods
• Grid proxy upload tool
• Registration service
– Data Protection Act/Acceptable Use Policy
– Check the user’s institution is supported
– Check the user has correct configuration
– Link to NGS user registration
Logon via Shibboleth…
…Choose your home institution…
…background log-in using Kerberos…
…welcome to the Portal…
…and we have an automatically-generated Grid proxy
Other Projects
• “There’s more than one way to skin a cat”
• This list is not exhaustive...
– UK – SHEBANGS, ShibGrid, GridSite, DyVOSE/VOTES/BRIDGES/GLASS and GridShibPERMIS
– US – GridShib
– Switzerland – SWITCH (gLite)
– Australia – MAMS
Other Shib+Grid Projects: SARoNGS
(Diagram. We want to support all use cases.)
• SHEBANGS: Shib+Grid: research with VO support. Computation focus.
• SARoNGS: Universal solution: VO, compute and data support.
• SARoNGS: Full production service for NGS and MIMAS, etc.
• ShibGrid: Production quality, no VO support. Computation focus.
• ShibGrid: Possible production service.
• GEMS: Grid enabling MIMAS data set.
• VPMan: VO-based resource access control.
• NGS: No VO-based access control.
• NGS: Full VO/VOMS support.
Just starting: SARoNGS
• Will provide a standard production bridge for all UK Academics from the UK Federation into the Grid world.
• Integrated access to compute and data resources
• Will provide a much simpler model for integrating resources.
• Will combine expertise from ShibGrid, SHEBANGS and MIMAS.
The SARoNGS CTS (NGS default)
(Credential Translation Service)
(Diagram. Components: User’s browser, Portal – logon, Registration Forms, Shibboleth Service Provider, NGS default CTS, Shib-enabled MyProxy CA, NGS MyProxy Server, VOMS Server. Human Interface: Redirect to Portal logon; Request certificate from the Shib-enabled MyProxy CA; Store proxy in the NGS MyProxy Server; Add VOMS AC; Request Authorisation certificate (by DN) via email to VO manager. Machine Interface: Requests from tools with MyProxy username/password; Retrieve credential.)
The SARoNGS CTS (VO-based)
(Diagram. Components: User’s browser, Portal – logon, Registration Forms (optional), Shibboleth Service Provider, VO-based CTS, Shib-enabled MyProxy CA, NGS MyProxy Server, PERMIS Policy, PERMIS Access Control. Human Interface: Redirect to Portal logon; Request certificate from the Shib-enabled MyProxy CA; Store proxy in the NGS MyProxy Server; Generate VOMS AC under PERMIS Access Control. Machine Interface: Requests from tools with MyProxy username/password; Retrieve credential.)
Conclusions
• There has been much research but this must now be brought together to form a core production service
• We are working towards fully integrating the Grid with the national access management federation:
– Compute (initially NGS)
– Data (initially MIMAS)
Questions
More than just portal access…
• Registration service
– Data Protection Act/Acceptable Use Policy
– Check the user’s institution is supported
– Check the user has correct configuration
– Link to NGS user registration
• Grid proxy download tool
– For non-portal Grid access methods
• Grid proxy upload tool
Architectural Design
• Don’t change the user
– Prevent extra logical steps: portal first
– Easy to deploy in project portals
– Support other access methods
• Don’t change other services
– Work within Shibboleth and GSI frameworks
Requirements highlights
• User/Project
– Transparent access to eScience facilities, consistent with other SSO-enabled components.
– Access to components at home or away (even Internet Café).
– Fit in with local authentication schemes.
– Don’t want to know about certificates.
– Want to use own project portal.
• NGS
– Must be compatible with GT2 and registration system.
• VOMS in the future.
ShibGrid MyProxy Checks
• IdP (trusted) authentication/authorisation
– Standard Shibboleth
• Portal (not trusted):
– Standard MyProxy checks
– + check the attribute assertion was created for the portal
• Users:
– Authentication: at IdP
– Authorisation:
• Is user registered?
• username attribute = username used?
– Attributes used to construct low-assurance certificate DNs
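The checks on this slide expressed in Python, as an added example rather than ShibGrid code: the audience check that an untrusted portal must pass, the registration and username checks, and DN construction from released attributes. The portal entityID, the attribute names, the user registry and the DN layout are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Assumed entityID of the (untrusted) portal; the trusted IdP names the intended SP in the assertion.
PORTAL_ENTITY_ID = "https://portal.example.ac.uk/shibboleth"

# Constructed stand-in for the NGS registration database (principal names of registered users).
REGISTERED_USERS = {"alice@ox.ac.uk", "bob@stfc.ac.uk"}

@dataclass
class Assertion:
    """Attribute assertion as the Shibboleth SP hands it to the MyProxy front end."""
    audience: str                                   # SP the IdP created the assertion for
    attributes: dict = field(default_factory=dict)  # attributes released by the IdP

def check_assertion(assertion: Assertion, username_used: str):
    """Run the slide's checks on top of the standard MyProxy ones; return (allowed, reason)."""
    # Portal check: the assertion must have been created for this portal, so a portal
    # cannot reuse an assertion the IdP issued for some other service provider.
    if assertion.audience != PORTAL_ENTITY_ID:
        return False, "assertion not created for this portal"
    eppn = assertion.attributes.get("eduPersonPrincipalName")
    if not eppn:
        return False, "IdP released no principal name"
    # Authorisation: is the user registered?
    if eppn not in REGISTERED_USERS:
        return False, "user not registered"
    # Authorisation: the username attribute must equal the username the portal used.
    if eppn != username_used:
        return False, "username attribute does not match username used"
    return True, "ok"

def build_low_assurance_dn(assertion: Assertion) -> str:
    """Construct the certificate DN from released attributes (assumed DN layout)."""
    eppn = assertion.attributes["eduPersonPrincipalName"]
    org = assertion.attributes.get("o") or eppn.split("@", 1)[1]  # fall back to the realm
    for value in (org, eppn):
        # Attribute values come from a remote party: refuse anything that could
        # smuggle extra relative distinguished names into the issued DN.
        if any(ch in value for ch in "/=,\n"):
            raise ValueError(f"unsafe attribute value: {value!r}")
    return f"/O=ExampleLowAssurance/OU={org}/CN={eppn}"

def issue_dn(assertion: Assertion, username_used: str):
    """Gate DN construction on the checks: None when any check fails."""
    allowed, _ = check_assertion(assertion, username_used)
    return build_low_assurance_dn(assertion) if allowed else None
```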