GridShib Project Update
Tom Barton (1), Tim Freeman (1), Kate Keahey (1), Raj Kettimuthu (1), Tom Scavo (2), Frank Siebenlist (1), Von Welch (2)
(1) University of Chicago
(2) NCSA/University of Illinois

Outline
- GridShib Overview
- GridShib Components
- GridShib Profiles
- GridShib Roadmap

What is GridShib?
- GridShib enables secure attribute sharing among Grid virtual organizations and higher-education institutions
- The goal of GridShib is interoperability between the Globus Toolkit® and Shibboleth®
- GridShib adds attribute-based authorization to the Globus Toolkit

Some Background
- Large scientific projects have spawned Virtual Organizations (VOs)
- The cyberinfrastructure and software systems that support VOs are called grids
- The Globus Toolkit is the de facto standard software solution for grids
- The Grid Security Infrastructure (GSI) provides basic security services for grids

Grid Authentication
- The Globus Toolkit provides authentication services via X.509 credentials
- When requesting a service, the user presents an X.509 certificate, usually a proxy certificate
- GridShib leverages the existing authentication mechanisms in GT

Grid Authorization
- Today, the Globus Toolkit provides identity-based authorization mechanisms:
  - Access control lists (called grid-mapfiles) that map DNs to local identities (e.g., Unix logins)
  - Community Authorization Service (CAS)
  - PERMIS and VOMS
- GridShib provides attribute-based authorization based on Shibboleth

GridShib Project Motivation
- VOs are difficult to manage
- Identity-based access control methods are inflexible and do not scale
- Goal: leverage existing identity management infrastructure
- Goal: use attribute-based access control
- Solution: leverage Shibboleth with the Globus Toolkit!

GridShib Use Cases
- Three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
- Initial efforts concentrated on the non-browser use cases
- Current efforts are focused on the portal grid user

Established Grid User
- User possesses an X.509 end-entity certificate
- User may or may not use a MyProxy server to manage X.509 credentials
- User authenticates to the Grid SP with a proxy certificate
- The current GridShib implementation addresses this use case

New Grid User
- User does not possess an X.509 end-entity certificate
- User relies on the GridShib CA to obtain short-lived X.509 certificates
- User authenticates to the Grid SP using the short-lived X.509 credential
- The myVocs-GridShib integration addresses this use case

Portal Grid User
- User does not possess an X.509 certificate
- A browser user authenticates to a Grid Portal (which may or may not be Shib-enabled)
- The user delegates to the Grid Portal the task of requesting a service at the Grid SP
- The Grid Portal authenticates to the Grid SP using its "community credential"

Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth (includes the GridShib Certificate Registry)
- GridShib Certificate Authority
- GridShib Authentication Assertion Client
- Shibboleth IdP Tester
- Globus SAML Library (not distributed on its own)

GridShib for Globus Toolkit
- GridShib for Globus Toolkit is a plugin for GT 4.0 (or later)
- Features:
  - Standalone attribute requester
  - SAML attribute consumption
  - Attribute-based access control
  - Attribute-based local account mapping
  - SAML metadata consumption

GridShib for Shibboleth
- GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)
- Features:
  - Name Mapper
    - SAML name identifier implementations (X509SubjectName, emailAddress, etc.)
    - Supports name mappings in both files and tables
  - Certificate Registry
    - Supports the established grid user

GridShib Certificate Registry
- A Certificate Registry is integrated into GridShib for Shibboleth 0.5:
  https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry
- An established grid user authenticates and registers an X.509 end-entity certificate
- The Registry binds the certificate to the principal name and persists the binding in a database
- On the back end, GridShib maps the DN in an attribute query to a principal name in the database

GridShib Authn Assertion Client
- The GridShib Authn Assertion Client is a standalone tool that creates an X.509 proxy certificate with a bound SAML authentication assertion
- The client uses the proxy to authenticate to a Grid SP
- The Grid SP queries a Shibboleth AA based on the information in the bound SAML assertion

Shibboleth IdP Tester
- The Shibboleth IdP Tester is a tool that queries a Shibboleth AA for attributes
- The IdP Tester can be used to:
  - Test an ordinary Shibboleth AA
  - Test a GridShib-enabled AA
- The IdP Tester installs as a Shib IdP extension (i.e., it does not disturb an existing Shib deployment)

GridShib CA
- The GridShib Certificate Authority is a web-based CA for new grid users:
  https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
- The GridShib CA is protected by a Shib SP and backed by either OpenSSL or the MyProxy Online CA
- The CA issues short-term credentials suitable for authentication to a Grid SP
- Credentials are downloaded to the desktop via Java Web Start

Globus SAML Library
- GridShib forked the OpenSAML 1.1 source library in Jan 2006
- The Globus SAML Library is in sync with OpenSAML 1.1 CVS HEAD
- The Globus SAML Library is bundled with GridShib for GT
- The Globus SAML Library adds new features to OpenSAML 1.1

Work in the Pipeline
- New versions of GridShib for GT, GridShib for Shib, and GridShib CA
- GridShib Authn Assertion Client => GridShib SAML Issuer Tool
- Shibboleth IdP Tester => GridShib Attribute Query Client
- GridShib SAML Tools
- Enhancements to the Globus SAML Library

GridShib for GT Versions
  GridShib for GT 0.5    Announced Nov 30, 2006
  GridShib for GT 0.5.1  Expected ?
  GridShib for GT 0.6    Expected ?

GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30
- Compatible with both GT 4.0 and GT 4.1
  - GT 4.1 introduces a powerful authz framework
  - Separate binaries for each GT version
  - Source build auto-senses the target GT platform
- New identity-based authorization feature: uses the grid-mapfile instead of DN ACLs
- Logging enhancements
- Bug fixes

GridShib for GT 0.5.1
- GridShib for GT 0.5.1 (expected ?)
- Combined VOMS/SAML attribute-to-account mapping
  - As with the current gridmap situation, GT 4.0.x deployments cannot take advantage of permit overrides or arbitrarily configure fallbacks
  - To accommodate this, we will allow a name mapping scheme that checks sources in this order and keeps falling back while no match is found or no authorization is granted: gridmap, VOMS, Shibboleth/SAML

GridShib for GT 0.6
- GridShib for GT 0.6 (expected ?)
- Full-featured attribute push PIP
- TBA
- More powerful attribute-based authz policies
  - Allow a unique issuer in authz policy rules

GridShib for Shib Versions
  GridShib for Shib 0.5.1  Announced Aug 8, 2006
  GridShib for Shib 0.6    Expected Jan 2007; will include the SAML Issuer Tool (derived from the Shib resolvertest tool)

GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected Jan 2007)
- Core (already included in 0.5)
  - Requires a Shib IdP
  - Includes basic plugins and handlers
- Certificate Registry (already included in 0.5)
  - Requires GridShib for Shib Core
  - Includes the Derby embedded database
- SAML Tools (new in 0.6)
  - Requires GridShib for Shib Core
  - Includes the SAML Issuer Tool and the SAML X.509 Binding Tool

GridShib CA Versions
  GridShib CA 0.3  Announced Nov 27, 2006
  GridShib CA 0.4  Expected March 2007

GridShib CA 0.3
- GridShib CA 0.3 announced Nov 27, 2006
- Substantial improvement over version 0.2
- More robust protocol
- Installation of trusted CAs at the client
- Pluggable back-end CAs
  - Uses an OpenSSL-based CA by default
  - A module to use a MyProxy CA is included
- Certificate registry functionality
  - A module that auto-registers DNs with myVocs

GridShib SAML Tools
- GridShib SAML Issuer Tool (derived from the Authentication Assertion Client)
- Shibboleth SAML Issuer Tool (derived from the Shib resolvertest tool)
- GridShib Attribute Query Client (derived from the Shib IdP Tester)
- GridShib X.509 Binding Tool (derived from the GT CAS/SAML utilities)

GridShib SAML Tools (cont'd)
[Diagram: data flow of the SAML tools. Config Files (inputs) -> GridShib SAML Issuer Tool -> SAML; Shibboleth IdP Config (inputs) -> Shibboleth SAML Issuer Tool -> SAML; inputs -> GridShib Attribute Query Client -> SAML. In each flow the SAML output and an X.509 certificate feed the SAML X.509 Binding Tool, which emits an X.509 certificate with the SAML bound.]

SAML Tool Distributions
- The Shib SAML Issuer Tool and the SAML X.509 Binding Tool will be distributed with GridShib for Shib 0.6
- The GridShib SAML Issuer Tool, GridShib Attribute Query Client, and SAML X.509 Binding Tool will be distributed as a single, standalone package
  - Note: the standalone package does not require GridShib for Shib or GridShib for GT

Globus SAML Library
- Features and enhancements:
  - Support for SAML V2.0 metadata
  - SAML object equivalence implementation
  - Enhanced SAMLNameIdentifier class
  - SAML NameIdentifier format handlers
  - New SAMLSubjectAssertion class
  - New SubjectStatement class
  - Additional unit tests and examples
- Requires JDK 1.4 or above

New Software Components
- GridShib for Globus Toolkit 0.6
- GridShib for Shibboleth 0.6
  - Optional Certificate Registry
  - Optional SAML Issuer Tool
- GridShib Certificate Authority 0.4
- GridShib SAML Tools
  - SAML Issuer Tool
  - Attribute Query Client
  - SAML X.509 Binding Tool
- Globus SAML Library (enhanced)

Profiles and Bindings Specs
- SAML V1.1 Profiles for X.509 Subjects:
  http://www.oasis-open.org/committees/download.php/19996/sstc-saml1-profiles-x509-draft-01.pdf
  - Subject-based Assertion Profile for SAML V1.1
  - X.509 Binding for SAML Assertions
  - Attribute Query Profile for SAML V1.1
- SAML V1.1 Deployment Profiles for X.509 Subjects
- SAML V2.0 Deployment Profiles for X.509 Subjects

Acknowledgments
- GridShib is a project funded by the NSF Middleware Initiative, NMI awards 0438424 and 0438385
- Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to the Internet2 Shibboleth Project

Summary
- GridShib has a number of tools for leveraging Shibboleth for the Grid, both for user authentication and for attribute-based authorization
- Deploys easily on Shibboleth 1.3 and Globus 4.0
- Available under the Apache 2 license
- For more information and software:
  http://gridshib.globus.org
  vwelch@ncsa.uiuc.edu
  http://dev.globus.org/wiki/Incubator/GridShib

Questions?
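Added example, not from the slides or the GridShib code base: a Python model of the account-mapping path described under GridShib for GT 0.5.1 (gridmap, then VOMS, then Shibboleth/SAML, falling back while a stage yields no match or no authorization) combined with the issuer-scoped attribute rule promised for 0.6, run over a constructed SAML 1.1 attribute assertion of the shape a Shibboleth 1.3 attribute authority returns. The grid-mapfile line format (a quoted DN followed by comma-separated local accounts) is the real one; every DN, FQAN, the idp.example.edu issuer, the mapping tables and the policy rule are made up for the example, and the code assumes the assertion's signature and its binding to the proxy certificate were already verified, which a real Grid SP must do before trusting any attribute.

```python
"""Constructed model of the GridShib for GT mapping and authz path (example, not GridShib code).

Models the 0.5.1 fallback order (gridmap, then VOMS, then Shibboleth/SAML) and the
0.6 issuer-scoped authz rules. Assumes the SAML 1.1 assertion's signature and its
binding to the proxy certificate were verified earlier; DNs, FQANs, IdP URLs and
tables are made up."""
import re
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
HOME_IDP = "https://idp.example.edu/shibboleth"  # assumed trusted issuer
ALICE_DN = "/C=US/O=Example Grid/OU=People/CN=Alice Researcher"
CAROL_DN = "/C=US/O=Example Grid/OU=People/CN=Carol Newuser"

# Constructed grid-mapfile text: a quoted DN, then comma-separated local accounts.
GRIDMAP = '''
# blank lines and comments are ignored
"/C=US/O=Example Grid/OU=People/CN=Alice Researcher" alice
"/C=US/O=Example Grid/OU=People/CN=Bob Builder" bob,bobadmin
'''
# Constructed VOMS FQAN -> account and SAML attribute value -> account tables.
VOMS_MAP = {"/examplevo/Role=production": "evoprod", "/examplevo": "evouser"}
SAML_ACCOUNT_MAP = {EPPN: {"carol@example.edu": "carol"}}
# Rules for the SAML stage: (required issuer, or None for any issuer; attribute; value).
POLICY = [(HOME_IDP, EPA, "member")]


def parse_gridmap(text):
    """Parse grid-mapfile lines into {DN: [accounts]}; the first account is the default."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'"([^"]+)"\s+(\S+)$', line)
        if not m:
            raise ValueError("malformed grid-mapfile line: %r" % line)
        table[m.group(1)] = m.group(2).split(",")
    return table


GRIDMAP_TABLE = parse_gridmap(GRIDMAP)


def sample_assertion(issuer):
    """Constructed SAML 1.1 attribute assertion, shaped like a Shibboleth 1.3 AA response."""
    return f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_c0ffee" Issuer="{issuer}" IssueInstant="2006-12-01T12:00:00Z">
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">{CAROL_DN}</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="{EPA}" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
    <saml:Attribute AttributeName="{EPPN}" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>carol@example.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer, subject name, {attribute name: [values]}) from a SAML 1.1 assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        raise ValueError("not a SAML 1.1 assertion")
    name_id = root.find(f".//{{{SAML1}}}NameIdentifier")
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    attributes = {}
    for attr in root.iter(f"{{{SAML1}}}Attribute"):
        values = [v.text.strip() for v in attr.findall(f"{{{SAML1}}}AttributeValue") if v.text]
        attributes.setdefault(attr.get("AttributeName"), []).extend(values)
    return root.get("Issuer"), subject, attributes


def authorize(issuer, attributes, policy=POLICY):
    """Permit if any rule matches; an issuer-scoped rule ignores assertions from other IdPs."""
    for rule_issuer, name, value in policy:
        if rule_issuer is None or rule_issuer == issuer:
            if value in attributes.get(name, []):
                return True
    return False


def decide(dn, fqans, assertion_xml):
    """Fallback order from the 0.5.1 slide: gridmap, then VOMS, then Shibboleth/SAML.
    A stage must both authorize and map to an account, or the next stage is tried."""
    account = GRIDMAP_TABLE.get(dn, [None])[0]  # identity-based: a listed DN is authorized
    if account:
        return ("permit", "gridmap", account)
    for fqan in fqans:  # VOMS lists the primary FQAN first, so the first match wins
        if fqan in VOMS_MAP:
            return ("permit", "voms", VOMS_MAP[fqan])
    issuer, _subject, attributes = parse_assertion(assertion_xml)
    if authorize(issuer, attributes):
        for name, values in attributes.items():
            for value in values:
                if value in SAML_ACCOUNT_MAP.get(name, {}):
                    return ("permit", "saml", SAML_ACCOUNT_MAP[name][value])
    return ("deny", None, None)
```

Calling decide(CAROL_DN, [], sample_assertion(HOME_IDP)) falls through the gridmap and VOMS stages and permits via the SAML stage as account carol; the same call with an assertion from another issuer is denied, because the rule trusts eduPersonAffiliation=member only from the named IdP, which is the point of allowing a unique issuer in a policy rule. A rule with issuer None would accept the attribute from any issuer.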