GridShib for Shibboleth - Grid Computing at NCSA

GridShib Project Update
Tom Barton (1), Tim Freeman (1), Kate Keahey (1), Raj Kettimuthu (1), Tom Scavo (2), Frank Siebenlist (1), Von Welch (2)
(1) University of Chicago
(2) NCSA/University of Illinois
Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap
What is GridShib?
- GridShib enables secure attribute sharing among Grid virtual organizations and higher-educational institutions
- The goal of GridShib is to allow interoperability between the Globus Toolkit® and Shibboleth®
- GridShib adds attribute-based authorization to Globus Toolkit
Some Background
- Large scientific projects have spawned Virtual Organizations (VOs)
- The cyberinfrastructure and software systems to support VOs are called grids
- Globus Toolkit is the de facto standard software solution for grids
- Grid Security Infrastructure (GSI) provides basic security services for grids
Grid Authentication
- Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
- GridShib leverages the existing authentication mechanisms in GT
Grid Authorization
- Today, Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
  - PERMIS and VOMS
- GridShib provides attribute-based authorization based on Shibboleth
GridShib Project Motivation
- VOs are difficult to manage
- Identity-based access control methods are inflexible and do not scale
- Goal: Leverage existing identity management infrastructure
- Goal: Use attribute-based access control
- Solution: Leverage Shibboleth with Globus Toolkit!
GridShib Use Cases
- Three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
- Initial efforts concentrated on the non-browser use cases
- Current efforts are focused on the portal grid user
Established Grid User
- User possesses an X.509 end entity certificate
- User may or may not use MyProxy Server to manage X.509 credentials
- User authenticates to Grid SP with a proxy certificate
- The current GridShib implementation addresses this use case
New Grid User
- User does not possess an X.509 end entity certificate
- User relies on GridShib CA to obtain short-lived X.509 certificates
- User authenticates to Grid SP using short-lived X.509 credential
- The myVocs-GridShib integration addresses this use case
Portal Grid User
- User does not possess an X.509 cert
- A browser user authenticates to a Grid Portal (which may or may not be Shib-enabled)
- The user delegates the Grid Portal to request a service at the Grid SP
- The Grid Portal authenticates to the Grid SP using its “community credential”
Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth
  - Includes GridShib Certificate Registry
- GridShib Certificate Authority
- GridShib Authentication Assertion Client
- Shibboleth IdP Tester
- Globus SAML Library (not distributed)
GridShib for Globus Toolkit
- GridShib for Globus Toolkit is a plugin for GT 4.0 (or later)
- Features:
  - Standalone attribute requester
  - SAML attribute consumption
  - Attribute-based access control
  - Attribute-based local account mapping
  - SAML metadata consumption
GridShib for Shibboleth
- GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
- Features:
  - Name Mapper
    - SAML name identifier implementations (X509SubjectName, emailAddress, etc.)
    - Supports name mappings in both files and tables
  - Certificate Registry
    - Supports the established grid user
GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth 0.5:
  https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
- An established grid user authenticates and registers an X.509 end-entity cert
- The Registry binds the cert to the principal name and persists the binding in a database
- On the backend, GridShib maps the DN in a query to a principal name in the DB
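The registration and lookup flow on this slide, as an added example in Python (not GridShib's own code): a minimal in-memory Certificate Registry that binds a certificate subject DN to a principal and later resolves the DN carried in an attribute query. The DN canonicalisation, the campus directory and all names are constructed assumptions.

```python
import re

# Grid tools write DNs in OpenSSL "oneline" form (/C=US/O=Example/CN=Alice); Java and
# LDAP code use RFC 2253 form (CN=Alice,O=Example,C=US).  Both are reduced to one tuple
# so a binding made with either spelling still matches.  (Assumption for this example,
# not a documented GridShib behaviour.)
def canonical_dn(dn):
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
    else:
        parts = list(reversed(re.split(r"(?<!\\),", dn)))
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)

class CertificateRegistry:
    """In-memory stand-in for the registry's database table of DN -> principal."""
    def __init__(self):
        self._bindings = {}

    def register(self, principal, subject_dn):
        """Bind an authenticated principal to the subject DN of the cert it registered.
        A DN already bound to a different principal is refused, so one certificate
        can never resolve to two campus identities.  A principal may hold several certs."""
        key = canonical_dn(subject_dn)
        owner = self._bindings.get(key)
        if owner is not None and owner != principal:
            raise ValueError("DN already bound to another principal")
        self._bindings[key] = principal

    def principal_for(self, subject_dn):
        """Backend step: map the DN carried in an attribute query to a principal name."""
        return self._bindings.get(canonical_dn(subject_dn))

# Constructed campus directory the AA consults once it knows the principal.
DIRECTORY = {"alice": {"eduPersonAffiliation": ["faculty"],
                       "eduPersonEntitlement": ["urn:example:grid:vo1"]}}

def resolve_attributes(registry, query_dn):
    """Answer an attribute query whose subject is an X.509 DN.  An unregistered DN
    yields None rather than an empty attribute set, so the caller can tell the cases apart."""
    principal = registry.principal_for(query_dn)
    if principal is None:
        return None
    return DIRECTORY.get(principal, {})
```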
GridShib Authn Assertion Client
- The GridShib Authn Assertion Client is a standalone tool that creates an X.509 proxy certificate with bound SAML authn assertion
- The client uses the proxy to authenticate to a Grid SP
- The Grid SP queries a Shibboleth AA based on the information in the bound SAML assertion
Shibboleth IdP Tester
- The Shibboleth IdP Tester is a tool that queries a Shibboleth AA for attributes
- The IdP Tester can be used to:
  - Test an ordinary Shibboleth AA
  - Test a GridShib-enabled AA
- The IdP Tester installs as a Shib IdP extension (i.e., it does not disturb an existing Shib deployment)
GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users:
  https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
- The GridShib CA is protected by a Shib SP and backended by either OpenSSL or the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start
Globus SAML Library
- GridShib forked the OpenSAML 1.1 source library in Jan 2006
- Globus SAML Library is in synch with OpenSAML 1.1 CVS HEAD
- Globus SAML Library is bundled with GridShib for GT
- Globus SAML Library adds new features to OpenSAML 1.1
Work in the Pipeline
- New versions of GridShib for GT, GridShib for Shib, and GridShib CA
- GridShib Authn Assertion Client => GridShib SAML Issuer Tool
- Shibboleth IdP Tester => GridShib Attribute Query Client
- GridShib SAML Tools
- Enhancements to Globus SAML Library
GridShib for GT Versions
- GridShib for GT 0.5
  - Announced Nov 30, 2006
- GridShib for GT 0.5.1
  - Expected ?
- GridShib for GT 0.6
  - Expected ?
GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30
- Compatible with both GT4.0 and GT4.1
  - GT4.1 introduces powerful authz framework
  - Separate binaries for each GT version
  - Source build auto-senses target GT platform
- New identity-based authorization feature
  - Uses grid-mapfile instead of DN ACLs
- Logging enhancements
- Bug fixes
GridShib for GT 0.5.1
- GridShib for GT 0.5.1 (expected ?)
- Combined VOMS/SAML attribute to account mapping
  - As with the current gridmap situation, GT4.0.x deployments cannot take advantage of permit overrides and arbitrarily configure fallbacks
  - To accommodate this we’ll allow for a name mapping scheme that checks in this order and continues to fall back if no match/authz is granted: gridmap, VOMS, Shibboleth/SAML
GridShib for GT 0.6
- GridShib for GT 0.6 (expected ?)
- Full-featured attribute push PIP
  - TBA
- More powerful attribute-based authz policies
  - Allow unique issuer in authz policy rules
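The ordered gridmap, VOMS, Shibboleth/SAML fallback described for GridShib for GT 0.5.1, together with the issuer-qualified policy rule mentioned for 0.6, as one added example in Python (not GridShib's own code). The grid-mapfile contents, the VOMS FQAN table, the SAML rule shape and all names are constructed assumptions.

```python
# Constructed grid-mapfile: "<DN>" <local account>
GRIDMAP_TEXT = '''
"/C=US/O=Example Campus/CN=Alice Example" alice
"/C=US/O=Example Campus/CN=Bob Example" bob
'''
# Constructed VOMS policy: FQAN -> shared account
VOMS_MAP = {"/vo1/Role=production": "vo1prod", "/vo1/Role=NULL": "vo1user"}
# Constructed SAML policy: (asserting issuer, attribute, value) -> account;
# naming the issuer is the "unique issuer in authz policy rules" idea
SAML_RULES = {("https://idp.example.edu/shibboleth", "eduPersonEntitlement",
               "urn:example:grid:vo1"): "vo1user"}

def parse_gridmap(text):
    """Each non-comment line is a quoted DN followed by one or more accounts."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            dn, _, accounts = line.rpartition('"')
            mapping[dn.lstrip('"')] = accounts.split()[0]
    return mapping

def map_voms(fqans, voms_map):
    """First FQAN with a configured mapping wins; unknown FQANs fall through."""
    return next((voms_map[f] for f in fqans if f in voms_map), None)

def map_saml(assertions, rules):
    """assertions: [(issuer, {attr: [values]})]. Only triples the policy lists
    count, so the same entitlement from an untrusted IdP does not match."""
    for issuer, attrs in assertions:
        for name, values in attrs.items():
            for value in values:
                if (issuer, name, value) in rules:
                    return rules[(issuer, name, value)]
    return None

def map_local_account(dn, fqans, assertions, gridmap):
    """GT 4.0.x-style ordered fallback: gridmap, then VOMS, then SAML.
    Returns (account, stage) or (None, None) when no stage grants access."""
    stages = (("gridmap", lambda: gridmap.get(dn)),
              ("voms", lambda: map_voms(fqans, VOMS_MAP)),
              ("saml", lambda: map_saml(assertions, SAML_RULES)))
    for stage, lookup in stages:
        account = lookup()
        if account is not None:
            return account, stage
    return None, None
```

Because there is no permit override, a gridmap entry always wins even when VOMS or SAML evidence is also present; the later stages only run when the earlier ones yield nothing.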
GridShib for Shib Versions
- GridShib for Shib 0.5.1
  - Announced Aug 8, 2006
- GridShib for Shib 0.6
  - Expected Jan 2007
  - Will include SAML Issuer Tool (derived from Shib resolvertest tool)
GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected Jan 2007)
- Core (already included in 0.5)
  - Requires Shib IdP
  - Includes basic plugins and handlers
- Certificate Registry (already included in 0.5)
  - Requires GridShib for Shib Core
  - Includes Derby embedded database
- SAML Tools (new in 0.6)
  - Requires GridShib for Shib Core
  - Includes SAML Issuer Tool and SAML X.509 Binding Tool
GridShib CA Versions
- GridShib CA 0.3
  - Announced Nov 27, 2006
- GridShib CA 0.4
  - Expected March, 2007
GridShib CA 0.3
- GridShib CA 0.3 announced Nov 27, 2006
- Substantial improvement over version 0.2
- More robust protocol
- Installation of trusted CAs at the client
- Pluggable back-end CAs
  - Uses an openssl-based CA by default
  - A module to use a MyProxy CA is included
- Certificate registry functionality
  - A module that auto-registers DNs with myVocs
GridShib SAML Tools
- GridShib SAML Issuer Tool
  - Derived from Authentication Assertion Client
- Shibboleth SAML Issuer Tool
  - Derived from Shib resolvertest tool
- GridShib Attribute Query Client
  - Derived from Shib IdP Tester
- GridShib X.509 Binding Tool
  - Derived from GT CAS/SAML utilities
GridShib SAML Tools (cont’d)
[Diagram of tool data flows, as far as recoverable from the slide: Config files (inputs) -> GridShib SAML Issuer Tool -> SAML -> SAML X.509 Binding Tool -> X.509; Shibboleth IdP config (inputs) -> Shibboleth SAML Issuer Tool -> SAML -> SAML X.509 Binding Tool -> X.509; inputs -> GridShib Attribute Query Client -> GridShib SAML Issuer Tool -> SAML -> SAML X.509 Binding Tool -> X.509]
SAML Tool Distributions
- The Shib SAML Issuer Tool and the SAML X.509 Binding Tool will be distributed with GridShib for Shib 0.6
- The GridShib SAML Issuer Tool, GridShib Attribute Query Client, and SAML X.509 Binding Tool will be distributed as a single, standalone package
- Note: The latter does not require GridShib for Shib or GridShib for GT
Globus SAML Library
- Features and enhancements:
  - Support for SAML V2.0 metadata
  - SAML object equivalence implementation
  - Enhanced SAMLNameIdentifier class
  - SAML NameIdentifier format handlers
  - New SAMLSubjectAssertion class
  - New SubjectStatement class
  - Additional unit tests and examples
- Requires JDK 1.4 or above
New Software Components
- GridShib for Globus Toolkit 0.6
- GridShib for Shibboleth 0.6
  - Optional Certificate Registry
  - Optional SAML Issuer Tool
- GridShib Certificate Authority 0.4
- GridShib SAML Tools
  - SAML Issuer Tool
  - Attribute Query Client
  - SAML X.509 Binding Tool
- Globus SAML Library (enhanced)
Profiles and Bindings Specs
- SAML V1.1 Profiles for X.509 Subjects
  http://www.oasis-open.org/committees/download.php/19996/sstc-saml1-profiles-x509-draft-01.pdf
  - Subject-based Assertion Profile for SAML V1.1
  - X.509 Binding for SAML Assertions
  - Attribute Query Profile for SAML V1.1
- SAML V1.1 Deployment Profiles for X.509 Subjects
- SAML V2.0 Deployment Profiles for X.509 Subjects
Acknowledgments
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards 0438424 and 0438385
  - Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to Internet2 Shibboleth Project
Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid
  - Both for user authentication and attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under Apache2 license
- For more information and software:
  - http://gridshib.globus.org
  - vwelch@ncsa.uiuc.edu
  - http://dev.globus.org/wiki/Incubator/GridShib

Questions?