Page 1: Shibboleth and Grids Oxford Internet Institute, Oxford e-Science Centre and e-Horizons Institute Mark Norman 10 May 2006

Shibboleth and Grids

Oxford Internet Institute, Oxford e-Science Centre

and e-Horizons Institute

Mark Norman 10 May 2006

Page 2

This talk

• What is Shibboleth

• Can we use it on grids?

– The Customer-Service Provider (portal) model

– Shibbolizing myProxy etc.

• Oxford projects in this area

Page 3

What is Shibboleth?

• “Shibboleth is a system designed to exchange attributes across realms for the primary purpose of authorisation”

– It’s not strictly an authentication mechanism

– Nor an authorisation mechanism

• It enables both

• But in plainer speaking…

Page 4

What is Shibboleth?

• It’s all about how to transmit the authorisation and role information from your home institution to outside service providers

• And how those service providers can ask for that information

• Access management and the communication of authorisation credentials

• Aims: separate authentication from authorisation

– Devolve authentication to the ‘home’ organisation

– Devolve the management of authorisation information as well

Page 5

Accessing a service

• Graphics thanks to the SWITCH project

• Swiss Education and Research Network

• http://www.switch.ch/aai/demo/intro.html

• (A very good resource for an introduction).

Page 6

Accessing a service

[Diagram: the three parties in the exchange: IdP, User and SP]

Page 7

Making the first connection

[Diagram, speech bubbles:]

SP: You must be authorised to use this service. I need you to log in somewhere!

The WAYF will help to find your home site (IdP)

Page 8

Go home to authenticate

[Diagram, speech bubbles:]

SP: You must be authorised to use this service. I need you to log in somewhere!

WAYF: OK, you say you’re from Hometown University?

Page 9

Your handle is supplied

[Diagram, speech bubbles:]

SP: OK, you’ve been authenticated, but are you authorised to use this resource?

WAYF: OK, you say you’re from Hometown University?

Log in to Hometown (your IdP)

Hometown finds you in the user database (steps 6 & 7)

Hometown (IdP) asserts to SP and supplies a unique handle (step 8)

Page 10

Attributes for authorisation

[Diagram, speech bubbles:]

SP: OK, you’ve been authenticated, but are you authorised to use this resource?

SP to IdP: I’d like to know this… about the user (step 9)

IdP to SP: OK, this user has these attributes that she is happy for you to know… (step 10)

Page 11

Access permitted, authorised to…

[Diagram, speech bubbles:]

SP: Those attributes look fine. Come on in!!

SP: Ah, I see you’re a lecturer in film studies… We’ve let you in and assigned you: access all areas, read only…
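The sequence on slides 7 to 11 (WAYF lookup, authentication at the home IdP, an opaque handle passed to the SP, the SP's attribute query, the IdP's filtered attribute release, and the SP's authorisation decision) modelled end to end. This is an added example, not code from the presentation or from the Shibboleth software; it is a toy in-process simulation, not the SAML message formats Shibboleth actually uses. The IdP name, user, attribute names, release policy and SP rules are all constructed sample data, and the single-use random handle and per-SP release policy are assumptions chosen to illustrate the privacy point that the IdP only asserts what the user has agreed to release.

```python
"""Toy model of the Shibboleth access sequence: WAYF -> IdP login -> handle
-> attribute query -> authorisation. Added illustration; the real protocol
runs over HTTP redirects and SAML messages, which are not modelled here."""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    name: str
    users: dict            # username -> {"password": ..., "attributes": {...}}
    release_policy: dict   # SP name -> set of attributes the user agrees to release
    handles: dict = field(default_factory=dict)

    def authenticate(self, username, password):
        """Steps 6 & 7: find the user in the database and check the credential.
        Step 8: on success, return an opaque single-use handle for the SP."""
        user = self.users.get(username)
        if user is None or user["password"] != password:
            return None
        handle = secrets.token_hex(16)   # random; carries no identity by itself
        self.handles[handle] = username
        return handle

    def attributes_for(self, handle, sp_name, requested):
        """Step 10: answer the SP's attribute query (step 9). Only attributes the
        user is happy to release to this SP are returned; the handle is consumed."""
        username = self.handles.pop(handle, None)
        if username is None:
            return None                  # unknown, replayed or expired handle
        allowed = self.release_policy.get(sp_name, set())
        attrs = self.users[username]["attributes"]
        return {k: attrs[k] for k in requested if k in allowed and k in attrs}


@dataclass
class ServiceProvider:
    name: str
    required: list     # attributes asked for in step 9
    rules: list        # (predicate over released attributes, permission) pairs

    def authorise(self, attributes):
        """Authorisation is decided purely on released attributes, never on
        the handle: the SP need not know who the user is."""
        if attributes is None:
            return None
        for predicate, permission in self.rules:
            if predicate(attributes):
                return permission
        return None


def wayf(idps, home_site):
    """The WAYF ('Where Are You From') maps a stated home site to its IdP."""
    return idps.get(home_site)


def access_service(idps, sp, home_site, username, password):
    """Run the whole exchange and report the SP's decision."""
    idp = wayf(idps, home_site)
    if idp is None:
        return {"granted": False, "reason": "unknown home site"}
    handle = idp.authenticate(username, password)
    if handle is None:
        return {"granted": False, "reason": "authentication failed"}
    attrs = idp.attributes_for(handle, sp.name, sp.required)
    permission = sp.authorise(attrs)
    return {"granted": permission is not None, "permission": permission,
            "attributes": attrs}


# Constructed sample data: a fictional home site, user and service provider.
IDPS = {
    "Hometown University": IdentityProvider(
        name="Hometown University",
        users={"alice": {
            "password": "correct horse",
            "attributes": {"eduPersonAffiliation": "staff",
                           "department": "film studies",
                           "mail": "alice@hometown.example"}}},
        # alice lets the film archive see her role and department, not her e-mail
        release_policy={"film-archive": {"eduPersonAffiliation", "department"}},
    )
}

SP = ServiceProvider(
    name="film-archive",
    required=["eduPersonAffiliation", "department", "mail"],
    rules=[
        (lambda a: a.get("eduPersonAffiliation") == "staff"
                   and a.get("department") == "film studies",
         "access all areas, read only"),
        (lambda a: a.get("eduPersonAffiliation") == "staff", "catalogue only"),
    ],
)

if __name__ == "__main__":
    print(access_service(IDPS, SP, "Hometown University", "alice", "correct horse"))
    print(access_service(IDPS, SP, "Hometown University", "alice", "wrong"))
```

The SP never sees `mail` even though it asked for it, because the release policy filters the answer at the IdP; and because the handle is consumed on first use, replaying it for a second attribute query yields nothing. Both points are what the slides mean by Shibboleth enabling privacy while still delivering the authorisation information the SP needs.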

Page 12

Can we use it on grids?

• It’s not quite that easy!

– Grids tend to use digital certificates

• (Centrally/Nationally issued)

• A bit hard to use (but that’s a different matter)

– Shibboleth is (so far) based in the web world

• HTTP only

– Some grid people think that

• Certificates = secure

• University libraries/SSO = insecure

– (This is probably wrong, but grids do need higher security)

Page 13

A benefit of Shibboleth to grids

• Grids haven’t done very well in managing authorisation

• Grid architects have not considered privacy much

• Shibboleth can simplify authorisation and enable privacy use cases

Page 14

Combining Shibboleth and Grid

• A ‘Customer-Service Provider’ model

– Like a portal with an application

– From user-SP it is classic Shibboleth (web-based)

– From SP-grid it is classic grid (using host certificates)

Page 15

Shib and Grid: other approaches

• ‘Shibbolize’ myProxy

– Access to your proxy certificate using your home institution’s SSO

• Shibbolize myProxy-CA (or other CAs)

– Temporary or low-assurance digital certificates

• Shibbolize a grid portal

– This is really the Customer-Service Provider model

– See http://wiki.oucs.ox.ac.uk/esp-grid/NeSC_Shibbolized_Resources

Page 16

Projects active in these areas (Oxford)

• ESP-GRID (Evaluation of Shibboleth and PKI for Grids)

– Thinking about policies and building demonstrators along the C-SP model

• http://www.oesc.ox.ac.uk/activities/projects/eprojects/esp-grid/

• ShibGrid (Integrating NGS into the academic framework)

– Building the myProxy and grid portal use cases

Page 17

Shibboleth and Grids

This presentation at: http://users.ox.ac.uk/~markn/Presentations/ChinaDelegOeRC_OIImay06.ppt

Mark Norman 10 May 2006