MyVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center

myVocs and GridShib: Integrated VO Management

Jill Gemmill, John-Paul Robinson

University of Alabama at Birmingham

Tom Scavo, Von Welch

National Center for Supercomputing Applications

Outline

• Introduction: What are we trying to do, and why?

• myVocs Overview

• GridShib Overview

• myVocs-GridShib Integration

• Q & A

Acknowledgments

• myVocs and GridShib are funded by the NSF National Middleware Initiative (NMI awards 0330543, 0438424 and 0438385).

• Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.

• We would also like to thank: – Serge Aumont, Olivier Salaun (CRU)

– Nate Klingenstein – Tom Barton– Tim Freeman – Raj Kettimuthu

What’s a Virtual Organization?

• A set of collaborators bound together by a project of common interest– very large scale science projects eg: Teragrid– Half a dozen or so collaborators in a funded

multidisciplinary project– Physicians at 60 cancer centers wanting to share

clinical data to increase N or focus on special sub-populations

– An Internet2 Working Group; a conference planning committee.

• In general, VO members are from different institutions

VO Requirements

• Ideally, VO resource access would use cross-domain SSO

• What architecture can support this requirement?– For myVocs: web-based applications– For grids: app’s that use grid certificates

What Cross-Domain Security Architectures Exist?

• GRIDS– Digital Certificates (X.509 / PKI)– Cross-domain trust can be managed scalably thru

Bridged CA’s– Carry only a user identifier (DN)

• FEDERATIONS (SAML, Shibboleth, WS-Security)– Digitally signed security assertions– Carry Identity, AuthN method, other attributes

Don’t Existing Solutions Provide What Is Needed by VO’s? (No!)

• Single Domain solutions inadequate• End-user certificate distribution and

management has proven to be troublesome and non-scalable

• Essential VO (Group) Membership information not provided consistently by either one

• Most collaboration tools accessed by web browser (not client software w. certificate)

What does Shibboleth bring to the table?

• A large (and growing) installed base• A standards-based, open source

implementation• Working SAML 1.1 code• A standard attribute vocabulary

(eduPerson)• A well-developed, federated identity

management infrastructure has sprung up around Shibboleth

Motivation 1

• The size and vast number of VOs makes it difficult for administrators to manage the identity of each user in the VO (and VO members don’t want more passwords to remember)– Goal: Leverage existing identity

management infrastructure

• eduPerson/Shibboleth infrastructure appeared promising for identity management

Motivation 2

• Identity-based access control methods are inflexible and do not scale– Goal: Use attribute-based access

control

• Shibboleth, an attribute transport mechanism linked to identity management, appeared promising

Motivation 3

• The most important attribute for VOs is: “member of VO-XYZ”

• Who is authoritative for VO attributes?– The enterprise? (No)– The VO? (Yes!)

• How are VO attributes created?

• Where are VO attributes stored?

myVocs Overview

A brief introduction to the myVocs system environment

myVocs Manages Attributes

This point is central to myVocs(and deserves a slide of its own)

Virtual Organization Aspects

• Virtual Organizations are Collections of Attributes

• Virtual Organizations are Collaborations Manifest

• Virtual Organizations cross Institutional Boundaries

• Virtual Organizations are Autonomous

Virtual Organization Realities

• Lighten their load and use trusted attributes

• Resist complication of inconsistent policies

• Influence poor so little hope for attribute sponsors

• They are a lot like real organizations

myVocs Supports VOs

myVocs lets you create and manage VOs

andsupplies key collaboration tools to the

members of the VO

A Look Inside myVocs

Attributes

Users VORoles

VOMembersVOs


Attributes

Users VORoles

VOMembe

rsVOs

AppApp1 AppNApp3App2


Attributes

Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki


Attributes

Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

Shibboleth IdP

Shib SPShib SP Shib SP


Attributes

Users ListRoles

ListMembe

rsLists

AppMailList

YourAppCMSWiki

Shibboleth IdP


Why myVocs Uses Sympa

• Mailing lists are central to Collaborations• Specify a collection of individuals• Define useful member roles• Generally autonomous

• Sympa mailing list software supports Shibboleth

• Sympa developers were active collaborators

Why myVocs Uses Sympa

Simply by creating and managingmailing lists

with a familiar web interfacethe end user can manage VOs

their membershipand privileges


Sympa

Users ListRoles

ListMembe

rsLists

AppMailList

YourAppCMSWiki

Shibboleth IdP



Sympa

Users ListRoles

ListMembe

rsLists

AppMailList

YourAppCMSWiki

Shibboleth IdP



Sympa

Users ListRoles

ListMembe

rsLists

AppMailList

YourAppCMSWiki

Shibboleth IdP

Shib SPShib SP Shib SPShib SP


VO Attribute Authority

Users ListRoles

ListMembe

rsLists

AppMailList

YourAppCMSWiki

Shibboleth IdP




Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

Shibboleth IdP




Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

VO IdP




Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

VO IdP

VO SPVO SP VO SPVO SP



AppMailList

YourAppCMSWiki

VO IdP




AppMailList

YourAppCMSWiki

VO IdP




AppMailList

YourAppCMSWiki

VO IdP


VO Space



AppMailList

YourAppCMSWiki

VO IdP


VO Space



AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

This is myVocs


AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

myVocs

This is myVocs


AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SPmyVocs

myVocs



AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

UABIdP

myVocs



AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

UABIdP

U. ChicagoIdP

myVocs



AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

UABIdP

UIUCIdP

U. ChicagoIdP

myVocs



AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

UABIdP

UIUCIdP

openidp.orgIdP

U. ChicagoIdP

myVocs



AppMailList

YourAppCMSWiki

VO IdP


VO Space

Shibboleth SP

UABIdP

UIUCIdP

openidp.orgIdP

U. ChicagoIdP

IdentitySpace


Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

UABIdP

UIUCIdP

openidp.orgIdP

U. ChicagoIdP


Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

UABIdP

UIUCIdP

openidp.orgIdP

U. ChicagoIdP


Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

UABIdP

UIUCIdP

openidp.orgIdP

U. ChicagoIdP


Users VORoles

VOMembe

rsVOs

AppMailList

YourAppCMSWiki

UABIdP

UIUCIdP

openidp.orgIdP

U. ChicagoIdP

Shibboleth Drives myVocsThe user accesses a web resource.

The browser is guided

through any required steps

by standard Shibboleth mechanisms.

The system components

remain invisible.

Shibboleth Drives myVocs

Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP


Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP


Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP

myVocs Shib


Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP

myVocs Shib Identity Federation Shib


Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP


IdentityAttributes


Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP



Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP


VOAttribs


Client Web Browser

CMS openidp.org

VOAttribs

WAYFVO SP VO IdP

ID SP


myVocs Visual Experience

User Selects

VO Resource


User Selects

Identity Provider


User Validates

Identity


User Accesses

VO Resource

myVocs User Experience




Last Year's WishToday's Reality

Make it possible for a VO to add it's own grid resources

A good example: Enable registering a group of desktops owned

by film animation students working on different campuses so they can render their animation on their own grid resources

Keep up with what GridShib is doing

GridShib Overview

What is GridShib?

• GridShib enables secure attribute sharing among Grid virtual organizations and higher-educational institutions

• The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®

• GridShib adds attribute-based authorization to Globus Toolkit

Some Background

• Large scientific projects have spawned Virtual Organizations (VOs)

• The cyberinfrastructure and software systems to support VOs are called grids

• Globus Toolkit is the de facto standard software solution for grids

• Grid Security Infrastructure (GSI) provides basic security services for grids

Grid Authentication

• Globus Toolkit provides authentication services via X.509 credentials

• When requesting a service, the user presents an X.509 certificate, usually a proxy certificate

• GridShib leverages the existing authentication mechanisms in GT

Grid Authorization

• Today, Globus Toolkit provides identity-based authorization mechanisms:– Access control lists (called grid-mapfiles)

map DNs to local identity (e.g., Unix logins)– Community Authorization Service (CAS)

• PERMIS and VOMS• GridShib provides attribute-based

authorization based on Shibboleth

GridShib Project Motivation

• VOs are difficult to manage– Goal: Leverage existing identity

management infrastructure

• Identity-based access control methods are inflexible and do not scale– Goal: Use attribute-based access control

• Solution: Integrate GT and Shibboleth!

Tale of Two Technologies

GridClient

GlobusToolkit

X.509

Grid Security Infrastructure

Existing GSI basedon X.509…

Tale of Two Technologies

GridClient

GlobusToolkit

Shibboleth

X.509

SAMLGrid Security Infrastructure

Shibboleth Federation

Graft Shib/SAMLonto GSI/X.509

Why Shibboleth?

• What does Shibboleth bring to the table?– A large (and growing) installed base on

campuses around the world– A standards-based, open source implementation– A standard attribute vocabulary (eduPerson)

• A well-developed, federated identity management infrastructure has sprung up around Shibboleth!

GridShib Use Cases

• Three use cases under consideration:1. Established grid user (non-browser)2. New grid user (non-browser)3. Portal grid user (browser)

• Initial efforts concentrated on the established grid user

• Current efforts are focused on the new grid user

Established Grid User

• User possesses an X.509 end entity certificate

• User may or may not use MyProxy Server to manage X.509 credentials

• User authenticates to Grid SP with proxy certificate obtained from MyProxy

• The current GridShib implementation addresses this use case

New Grid User

• User does not possess an X.509 end entity certificate

• User relies on GridShib CA to issue short-lived X.509 certificates

• User authenticates to Grid SP using short-lived X.509 credential

• The myVocs-GridShib integration addresses this use case

Software Components

• GridShib for Globus Toolkit– A plugin for GT 4.0

• GridShib for Shibboleth– A plugin for Shibboleth 1.3 IdP

• GridShib CA– A web-based CA for new grid users

• Visit the GridShib Downloads page:http://gridshib.globus.org/download.html

GridShib for Globus Toolkit

• GridShib for Globus Toolkit is a plugin for GT4

• Features:– Standalone attribute requester– SAML attribute consumption– Attribute-based access control– Attribute-based local account mapping– SAML metadata consumption

Standalone Attribute Requester

• A standalone attribute requester will query a Shib AA for attributes– By “standalone” we mean a query separate

from a Shib browser profile

• The attribute query is based on– The Subject DN of the proxy cert or– A SAML authn assertion embedded in an

end-entity cert

GridShib for Shibboleth

• GridShib for Shibboleth is a plugin for a Shibboleth IdP v1.3 (or later)

• Features:– Name Mapper– SAML name identifier implementations

• X509SubjectName, emailAddress, etc.

– Certificate Registry

GridShib Name Mapper

• The Name Mapper is a container for name mappings

• Multiple name mappings are supported:– File-based name

mappings – DB-based name

mappings

NameMapFile NameMapTable

NameMapper

GridShib Certificate Registry

• A Certificate Registry is integrated into GridShib for Shibboleth:https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateRegistry

• An established grid user authenticates and registers an X.509 end-entity cert

• The Registry binds the cert to the principal name and persists the binding in a database

• On the backend, GridShib maps the DN in a query to a principal name in the DB

GridShib CA

• The GridShib Certificate Authority is a web-based CA for new grid users:https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority

• The GridShib CA is protected by a Shib SP and backended by the MyProxy Online CA

• The CA issues short-term credentials suitable for authentication to a Grid SP

• Credentials are downloaded to the desktop via Java Web Start

GridShib Attribute Pull Profile

• In the “Classic GridShib” profile, a Grid SP “pulls” attributes from a Shib IdP

• The Client is assumed to have an account (i.e., local principal name) at the IdP

• The Grid SP and the IdP have been assigned a unique identifier (providerId)

3

4

2

1

IdPIdP

Grid SPGrid SP

CLIENT

CLIENT

1

GridShib Attribute Pull Step 1

• The Grid Client requests a service at the Grid SP

• The Client presents a X.509 certificate to the Grid SP

• The Client also provides a pointer to its preferred IdP– This is the so-called IdP

Discovery problem

IdPIdP

Grid SPGrid SP

CLIENT

CLIENT

2

1


• The Grid SP authenticates the Client and extracts the DN from the proxy cert

• The Grid SP queries the Attribute Authority (AA) at the IdP using the DN as a SAML name identifier

IdPIdP

Grid SPGrid SP

CLIENT

CLIENT

32

1


• The AA authenticates the requester and maps the DN to a local principal name

• The AA returns an attribute assertion to the Grid SP– The assertion is subject to

Attribute Release Policy (ARP) at the IdP

IdPIdP

Grid SPGrid SP

CLIENT

CLIENT

3

4

2

1


• The Grid SP parses the attribute assertion and performs the requested service

• The attributes are cached as necessary

• A response is returned to the Grid Client

IdPIdP

Grid SPGrid SP

CLIENT

CLIENT

Future Work

• Solve IdP discovery problem for grids

• Provide name mapping maintenance tools (for administrators)

• Implement a profile for attribute push

• Produce SAML metadata

• Design metadata repositories and tools

Results of Integration

Motivation Review

• myVocs allows for VOs based on Shibboleth identities

• GridShib authorizes use of Grid Services based on Shibboleth identities

• Goal of Integration:

Creation and Management of Grid VOs based on Shibboleth Identities

What we have enabled

• Turn-key Grid VO creation through the integration of GridShib and myVocs

• myVocs used to create and manage VOs• GridShib allows myVocs users to create Grid

credentials and access Grid resources• Grid resources obtains, and allows access,

based on attributes from myVocs

Key Components

• myVocs– VO creation and management

• GridShib CA• creates Grid credentials from Shibboleth identities

• GridShib Certificate Registry and IdP Plugin• maps Grid identities to Shibboleth identities

• GridShib GT plugin• issues SAML attributes queries from GT to

myVocs/Shibboleth

System Walk-through

• A quick tour of the integrated system

• Architecture view on these slides

• User view on the other projector

User Registers with myVocs

Identity

Auth

VO Admin Adds User to VO

Grid Logon

Identity

Auth

Identity

Grid Creds.

Grid Id

Grid Service Invocation

VOAttributes

Grid Creds.

Grid Id

Remaining Challenges

• Name binding on global scale

• Attribute Aggregation

• Defining VO membership, roles and attributes

• Group and role management

Questions?

For more information:

• GridShib: http://gridshib.globus.org/

• myVocs: http://www.myvocs.org/

• Email: [email protected]

[email protected]

[email protected]

[email protected]

Documents

MyVocs and GridShib: Integrated VO Management Jill Gemmill, John-Paul Robinson University of Alabama at Birmingham Tom Scavo, Von Welch National Center