2005 © SWITCH
Interoperability Shibboleth and gLite in EGEE-2
MWSG Amsterdam Dec 15, 2005
Christoph Witzig, SWITCH

Outline
• Introduction
  – Presentation of SWITCH
  – Motivation of AAIs
  – Overview of Shibboleth
• SWITCHaai: the six building blocks
• Interoperability Shibboleth - gLite in EGEE-2
  – Work in 3 phases
  – Related work
  – Policy issues
• Summary
(Diagram: the six SWITCHaai building blocks: Organisational Framework, Service Providers, Identity Provider, Central Services, Funding, Interoperability)

SWITCH
(Organisation chart; recoverable content:)
• Business Development: strategic planning, technology monitoring, international relations
• Management Services: human resources, legal, finance/accounting, marketing/sales/PR, coordination with universities
• Security: incident handling, consulting, laboratory, critical infrastructure protection, internal services (HW/OS, consulting)
• Network: network engineering, network infrastructure, consulting (SWITCHlambda, IP routing, IPv6, QoS, multicast, PERT)
• Internet Identifiers: domain name registration and further domain name services (invoicing, administration, help desk, online queries, consulting, added services for end users and for second level service providers), user registration
• NetServices: grid technologies, virtual communities, e-mobility (SWITCHaai, SWITCHmobile, SWITCHvconf, collaboration tools, content delivery and tools, consulting)

Without AAI
(Diagram: University A, Library B and University C each run their own authentication, authorization, user administration and resource credentials for resources such as Student Admin, Web Mail, e-Learning, Literature DB, Research DB and e-Journals)
• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access

With AAI
(Diagram: the same institutions and resources, now with authentication, user administration and credentials handled once at the user's home organization and the AAI passing user attributes to the resources for authorization)
• No user registration and user data maintenance at the resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Authorization independent of location
• Efficient implementation of inter-institutional access

SWITCHaai Project
(Timeline 2001 to 2007: Study, Architecture, Evaluation (-> Shibboleth), Implementation, Pilot, Operation)

Shibboleth
• Open source, developed by Internet2
• Federated approach
• Privacy
• National deployment projects in the US, UK and Finland; growing interest in other European countries
• Currently for web resources only; will be extended
• Based on SAML
• Cooperation with the Liberty Alliance
• Cooperation with content providers (e-journals)
http://shibboleth.internet2.edu/

Demo (Try it yourself)
http://www.switch.ch/aai
Live demo (demo resource): http://www.switch.ch/aai/demo/demo_live.html

Outline
• Introduction
• SWITCHaai: the six building blocks
• Interoperability Shibboleth - gLite in EGEE-2
• Summary
AAI Identity Provider
• Operational: UniL, ETHZ, UniZH, UniBE, VHO (SWITCH), UniGE, ZHWIN, UniLU
• Getting ready (2005/2006): USZ, UniFR, UniBAS, UniNE, UniSG, USI/SUPSI
120'000 users of Swiss higher education are already AAI-enabled (= 65% of all users)

Directories within an AAI Identity Provider
(Diagram: an AAI-enabled Identity Provider consists of an Authentication System and a User Directory, both fronted by the AAI component)
• Authentication System
  – any Apache compatible authentication method
  – any Tomcat compatible authentication method
  – any IIS compatible authentication method
• User Directory
  – integration via Java APIs: LDAP via JNDI, databases via JDBC
• The username is the link between the two parts

Virtual Home Organization - VHO
(Diagram: a Federation Member's Resource Owner and End User Admin manage accounts in the user directory of the VHO Service @SWITCH, under the VHO Policy, for end users without an Identity Provider)
Integrate end users without Identity Provider:
• The Resource Owner creates "AAI-enabled" accounts @VHO for users without an Identity Provider
• A VHO account is only usable for the resource managed by that Resource Owner

AAI Service Providers (Resources)
Categories: e-Learning, Libraries, Other Web Applications, Commercial Contents
Examples: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf, Web-SMS, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, ILIAS, TWiki, eShops, CompiCampus, EBSCO, …
ca. 50 AAI-enabled hosts, ca. 10'000 active users

Showcase: DOIT
DOIT: Dermatology Online with Interactive Technology, http://www.cyberderm.net/
500 AAI users
(Diagram: the DOIT AAI Service Provider (Resource) accepts users from the Identity Providers UniL, ETHZ, UniZH, UniBE, VHO (SWITCH), UniGE, ZHWIN, UniLU)
Access rule:
  HomeOrg = UniZH | UniBE | UniL
  Affiliation = Student
  StudyBranch = Medicine
  StudyLevel = 20

AAIportal: Integration of "black boxes"
(Diagram: Shibboleth in front of the AAIportal, which acts as Authentication/Authorization Gateway with optional User Management and adaptors (application sign-on A1, API A2, ...) to blackbox applications such as WebCT Vista, WebCT CE, …)

Authorization Attributes (1)
• AAI transfers user attributes from a Home Organization to a Resource
• This requires a common understanding of what a value means
Authorization Attribute Specification v1.1
• A task force selected the attributes for SWITCHaai:
  – a minimal set to start with
  – attributes with a pre-existing "common understanding"
  – in line with foreign activities
http://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf

Authorization Attributes (2)
Personal attributes:
• Unique Identifier
• Surname
• Given name
• Address(es)
• Phone number(s)
• Preferred language
• Date of birth
• Gender
• Name of Home Organization
• Type of Home Organization
Group membership:
• Affiliation (student, staff, faculty, …)
• Study branch
• Study level
• Staff category
• Group membership
• Organization Path
• Organizational Unit Path
Notes:
• based on the eduPerson specification
• study branch, study level and staff category are based on SHIS/SIUS
• username and password are missing: only used locally!
• 'Matrikelnummer' (student registration number) is missing for data protection reasons

International AAI Activities
• Shibboleth deployment underway in: USA (Internet2, InCommon), Finland (HAKA), Switzerland (SWITCH)
• Shibboleth related activities in: United Kingdom (JISC), France (CRU), Australia (AARNet), University of Amsterdam (NL), KU Leuven (BE), Statsbiblioteket Denmark
• Compatibility with Shibboleth planned for: PAPI (RedIRIS, ES), A-Select (SURFnet, NL), Athens
• Terena TF-EMC2 (Task Force European Middleware Coordination and Collaboration): http://www.terena.nl/tech/task-forces/tf-emc2/
• GN2 JRA5 (Ubiquity (Mobility) and Roaming Access to Services): define, prototype and build a roaming infrastructure and an AAI
• Cotswolds Group: federations coordination (Europe, US)

Organisational Framework
SWITCH acts as SWITCHaai Federation Service Provider
Federation membership based on signed service agreements
Data Protection / Privacy Issues
• Data protection laws (Switzerland, EU) only allow gathering the personal data that is actually required
• The Identity Provider may restrict the data release as strictly as it sees fit
(Diagram: a Service Provider (Resource) registers its required attributes with the Resource Registry operated by SWITCH; the registry proposes a site.ARP to the admin of the user's Identity Provider, who decides what is actually released)
Proposed site.ARP (attribute release policy; one rule per resource, attributes not listed for a resource are not released to it):
  <*.uniXY.ch> UniqueID allow, Affiliation allow, HomeOrgType allow, HomeOrgName allow </*.uniXY.ch>
  <Resource B> UniqueID allow, FirstName allow, LastName allow </Resource B>
  <Resource C> UniqueID allow, FirstName allow, LastName allow, EMail allow </Resource C>

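The two halves of the attribute flow on these slides, the IdP-side release policy of the proposed site.ARP and the SP-side access rule of the DOIT showcase, as one added example (not SWITCHaai code, and not Shibboleth's ARP engine). The host names, the mapping of hosts to ARP rules, the attribute value spellings and the user records are assumptions; the ARP is modelled as default deny with the allows of all matching rules unioned, which is a simplification of the real engine.

```python
from fnmatch import fnmatchcase

# Constructed site.ARP, modelled on the slide's proposal: for each resource
# (matched by host name pattern) the attributes the IdP allows to be released.
# The host names and the DOIT entry are assumptions.
SITE_ARP = {
    "*.uniXY.ch": {"UniqueID", "Affiliation", "HomeOrgType", "HomeOrgName"},
    "doit.cyberderm.net": {"UniqueID", "HomeOrgName", "Affiliation",
                           "StudyBranch", "StudyLevel"},
    "resource-b.example": {"UniqueID", "FirstName", "LastName"},
}

# DOIT access rule from the showcase slide; attribute names follow the
# SWITCHaai attribute specification, value spellings are assumptions.
DOIT_RULE = {
    "HomeOrgName": {"UniZH", "UniBE", "UniL"},
    "Affiliation": {"student"},
    "StudyBranch": {"Medicine"},
    "StudyLevel": {"20"},
}


def release(arp, sp_host, user_attrs):
    """IdP side: return only the attributes the ARP allows for sp_host.

    Default deny: a resource matched by no rule gets nothing, and an attribute
    not explicitly allowed is never sent. Assumed simplification: allows from
    all matching rules are unioned (the slide's ARP has no deny entries).
    """
    allowed = set()
    for target, attrs in arp.items():
        if fnmatchcase(sp_host, target):
            allowed |= attrs
    return {name: list(values)
            for name, values in user_attrs.items() if name in allowed}


def authorize(rule, released):
    """SP side: every rule attribute must be present with an accepted value.

    A missing attribute is a denial, not 'no constraint': failing open here
    would let a sparse release policy grant access by accident.
    """
    for name, accepted in rule.items():
        values = set(released.get(name, []))   # attributes are multi-valued
        if not values:
            return False, f"attribute {name} not released"
        if not values & accepted:
            return False, f"{name}={sorted(values)} not in {sorted(accepted)}"
    return True, "all rule attributes satisfied"


def decide(sp_host, user_attrs, rule=DOIT_RULE, arp=SITE_ARP):
    """End to end: IdP release policy first, then the SP access rule."""
    return authorize(rule, release(arp, sp_host, user_attrs))


# Constructed user records as the IdP's user directory would hold them.
MED_STUDENT_BE = {
    "UniqueID": ["u12345@example.org"], "HomeOrgName": ["UniBE"],
    "HomeOrgType": ["university"], "Affiliation": ["student"],
    "StudyBranch": ["Medicine"], "StudyLevel": ["20"],
    "FirstName": ["Anna"], "LastName": ["Muster"],
}
MED_STUDENT_GE = dict(MED_STUDENT_BE, UniqueID=["u67890@example.org"],
                      HomeOrgName=["UniGE"])

if __name__ == "__main__":
    for host, user in [("doit.cyberderm.net", MED_STUDENT_BE),
                       ("doit.cyberderm.net", MED_STUDENT_GE),
                       ("lms.uniXY.ch", MED_STUDENT_BE),
                       ("unknown.example", MED_STUDENT_BE)]:
        ok, why = decide(host, user)
        print(f"{host:20} {'ALLOW' if ok else 'DENY '} {why}")
```

The third case is the one to notice: a UniBE medical student who would pass the DOIT rule is denied when the same rule is evaluated behind a host covered only by the generic *.uniXY.ch entry, because StudyBranch and StudyLevel are never released. Release policy and access rule have to be designed together, which is what the Resource Registry step on the slide is for; the SP must still fail closed on a missing attribute rather than treat it as "no constraint".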
Funding
(Chart, funding vs. costs over 2000 to 2010: pilot project funded by SWITCH, project funded by subsidies, operational service funded by tariffs)

Central AAI-Services
• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating the WAYF (Where Are You From) server
• Test-HomeOrg and Test-Resource
• Tools (AAIportal, AAIproxy)
• Virtual Home Organization
• Jump Start Service

SWITCHaai Outlook
• Adding new institutions
• Adding new resources
• New directions: ECTS (study), AAA (study), federation partners, interoperability with grid: EGEE-2

Outline
• Introduction
• SWITCHaai: the six building blocks
• Interoperability Shibboleth - gLite in EGEE-2– Work in 3 phases
– Related work
– Policy issues
• Summary
Interoperability Shibboleth - gLite
• Part of the EGEE-2 proposal (by SWITCH in the EGEE NREN Federation)
• Focus is on
  – Interoperability (NO replacement for X.509)
  – Specific for the EGEE infrastructure (VOMS etc.)
  – Integrate, re-use, re-engineer existing code; write new code only as needed
• Key concepts:
  – The home institution of the user should be the Identity Provider
  – The home institution provides some attributes
  – But a VO is needed for (grid specific) attributes
• Proposal of doing the work in three phases:
  – Two initial, shorter phases with the intention of hooking SWITCHaai up to the grid with a minimal amount of effort to have a working system
  – A third phase adding support for SAML at the resource (service provider)

Access for Grid Users to Shib SP
• Intention: add "symmetry" between enabling access for Shib users and for grid users
• Test-bed SWITCH - INFN in 2006

SAML Support at the Resource
• Third (and main) phase of the project
• Goal: support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)
• Should be based on SAML 2
  – Supports the ECP (Enhanced Client or Proxy) profile, intended here for constrained delegation
  – Will be used in Shibboleth 2

Related Efforts
• GridShib:
  – Emphasis is on providing attribute-based authorization
  – Based on GT4 and Shib 1.3
  – Beta version available since Sept 05
• OGSA authZ working group:
  – Defines specifications for basic interoperability and pluggability of authorization modules in the OGSA framework
• Condor Shibboleth Merger Project:
  – Phase I: Shib-enabled Condor web portal
  – Phase II: Shib-enabled Condor fat client
• Shibboleth - grid activities in the UK:
  – ESP-Grid
  – Further work is planned (JISC) to look at CA/Shib issues
• Issue of attribute management between IdP and VO (e.g. Signet)

Policy Issues for Phase 1
• Question: what policy shall be formulated for the certificates generated out of SWITCHaai?
• Minimum requirements for
  – SLCS certificates: TAGPMA (recently adopted)
  – "traditional" certificates: EUGRIDPMA

Minimum requirements for SLCS and traditional user certificates

                      SLCS                                      Traditional user certificates
Issuers               Several SLCS                              One CA per country
Identity vetting      Automated generation based on the         "Traditional" RA (e.g. copy of passport)
                      user management system
Lifetime              < 1 mio sec (about 11.6 days)             < 1 year + 1 month
Revocation handling   optional                                  mandatory

Policy Issues for Phase 1
• Question 1: why two minimum requirements documents?
  – Wouldn't it be easier to have one document and simply state the differences where appropriate?
• Question 2: why distinguish between SLCS and "traditional" certificates?
  – If you really trust your identity management systems, why not generate the traditional certificates?

What SWITCH would like to do….
(Diagram: generation of X.509 certificates by a Shib Resource based on authentication at the IdP; the user generates the key pair and submits a certificate signing request; the administrative procedures are key for the quality of the user management system, which has to be EUGRIDPMA compliant)

Issue of certificates by SWITCHpki
• Generation of server certificates as now (unchanged)
• Generation of user certificates
  – If { Shib IdP EUGRIDPMA compliant } then { automatic generation }
  – Else { user follows "standard" procedures (e.g. picture id) }
• Example:
  – User management of HEP staff physicists of the University of Berne follows EUGRIDPMA compliant norms
  – They have access to a Shib resource to obtain their user certificate (with varying lifetime)

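The issuance decision on this slide and the minimum-requirements table above (SLCS lifetime < 1,000,000 s with optional revocation; traditional lifetime < 1 year + 1 month with mandatory revocation), written out as a policy checker. This is an added example, not SWITCHpki code: encoding "EUGRIDPMA compliant user management" as a (HomeOrgName, Affiliation) pair released by the IdP, a 31-day month, single-valued attributes and the `notBefore=`/`notAfter=` input format printed by `openssl x509 -noout -dates` are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Limits taken from the minimum-requirements table on the slides.
SLCS_MAX = timedelta(seconds=1_000_000)       # "< 1 mio sec", about 11.6 days
TRADITIONAL_MAX = timedelta(days=365 + 31)    # "< 1 year + 1 month"; 31-day month assumed

# Constructed: which (HomeOrgName, Affiliation) pairs SWITCHpki would treat as
# coming from EUGRIDPMA compliant user management. The slide's example is HEP
# staff of the University of Berne; expressing that as attributes is an assumption.
EUGRIDPMA_COMPLIANT = {("UniBE", "staff")}


def parse_openssl_date(line):
    """Parse a 'notBefore=Dec 15 10:00:00 2005 GMT' line, as printed by
    'openssl x509 -noout -dates', into an aware UTC datetime."""
    _, _, value = line.partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
    return naive.replace(tzinfo=timezone.utc)


def issuance_path(attrs):
    """'automatic' when the Shib IdP that authenticated the user runs EUGRIDPMA
    compliant user management, otherwise 'manual' (standard RA procedure)."""
    key = (attrs.get("HomeOrgName"), attrs.get("Affiliation"))
    return "automatic" if key in EUGRIDPMA_COMPLIANT else "manual"


def check_certificate(kind, not_before, not_after, has_revocation):
    """Return the minimum-requirement violations for a proposed certificate;
    an empty list means it may be issued under that requirement set."""
    problems = []
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        problems.append("notAfter is not later than notBefore")
    elif kind == "slcs":
        if lifetime >= SLCS_MAX:                  # strict: exactly 1e6 s is too long
            problems.append(f"SLCS lifetime {lifetime} is not < 1,000,000 s")
        # revocation handling is optional for SLCS certificates
    elif kind == "traditional":
        if lifetime >= TRADITIONAL_MAX:
            problems.append(f"lifetime {lifetime} is not < 1 year + 1 month")
        if not has_revocation:
            problems.append("traditional certificates require revocation handling (CRL)")
    else:
        problems.append(f"unknown certificate kind {kind!r}")
    return problems


def decide(attrs, not_before_line, not_after_line, has_revocation):
    """One user certificate request: which path handles it, which requirement
    set applies (chosen from the requested lifetime), and any violations."""
    path = issuance_path(attrs)
    nb, na = parse_openssl_date(not_before_line), parse_openssl_date(not_after_line)
    kind = "slcs" if na - nb < SLCS_MAX else "traditional"
    return {"path": path, "kind": kind,
            "problems": check_certificate(kind, nb, na, has_revocation)}


if __name__ == "__main__":
    # Constructed requests: a UniBE staff physicist and a UniGE student.
    hep = {"HomeOrgName": "UniBE", "Affiliation": "staff"}
    student = {"HomeOrgName": "UniGE", "Affiliation": "student"}
    nb = "notBefore=Dec 15 10:00:00 2005 GMT"
    print(decide(hep, nb, "notAfter=Dec 25 10:00:00 2005 GMT", False))
    print(decide(hep, nb, "notAfter=Dec 27 10:00:00 2005 GMT", False))
    print(decide(student, nb, "notAfter=Jan 15 10:00:00 2007 GMT", True))
```

The second request is the case the table is about: twelve days is no longer short-lived, so the request falls under the traditional requirements and is rejected until a CRL is in place, even though the IdP qualifies for automatic issuance. The strict comparison on the boundary matters because "< 1 mio sec" is what TAGPMA adopted, not "<=".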
Advantages
• One set of requirements for all certificates: simplicity of policy
• One infrastructure to handle all certificate requests
• Only valid or revoked certificates at all times
• Capitalize on the high standards of the user management system of SWITCHaai, for those institutions who follow the more stringent requirements

Summary
• There is interest and activity for interoperability AAI / Shibboleth - grid
  – But X.509 is still the standard security mechanism for grids (and likely to remain so for quite some time)
  – The issue is not only authentication but also attribute sharing between IdP, VO and SP
• GridShib:
  – beta version available
  – GT4 and Shib 1.3
• SWITCH looks forward to participating in EGEE-2 to add interoperability Shibboleth - gLite
  – Implement interoperability Shibboleth - gLite
  – Policy issues
  – Building a Swiss gLite grid with our partners (universities, CSCS)