
Page 1

VOMS Attributes Authority & Shibboleth Authentication

Thai Thi Thu Thuy

Page 2

Content

Virtual Organization Membership Service (VOMS)

Shibboleth

Grid and Shibboleth integration

Page 3

Attribute Authority Infrastructure in Grid

Security infrastructure based on X.509 certificates (PKI)

Authentication
Needs “trusted third parties”, i.e. Certificate Authorities (CAs)
Users identified with “identity” certificates signed by CAs
Delegation & single sign-on via proxy certificates

Authorization
Several entities involved: resource providers, Virtual Organizations
Authorization cannot be decided only on a local site basis but must reflect the service level agreements settled between VOs and resource providers
VOs administer user membership (groups, roles, ...)
RPs evaluate attributes granted by VOs to their users and map them to local credentials used to access resources

Page 4

Why VOMS?

In a grid environment, VOs tend to be extremely large and change frequently. Hundreds or even thousands of users.

Sites need to know the users because of the need to prepare local accounts and eventually apply authorization policies.

It is not scalable to manage them by hand

Page 5

VO Membership Service (VOMS)

Virtual Organization Membership Service: an Attribute Authority (AA) that issues attributes (in the form of signed assertions) expressing membership information of a subject in the context of a Virtual Organization (VO)

A VO management service
A VO registration service
A source of trust for authorization

Extends the X.509 AAI with attributes related to VO structure so that access to resources can be authorized accordingly!

Page 6

VOMS Attributes

Group membership: a VO member may be part of several VO groups
Role assignment: a VO member may be assigned roles
Generic attributes: (Name, Value) pairs that can be associated with a VO membership

Page 7

Obtaining VOMS attributes

The user must have an X.509 certificate signed by a trusted CA
The user must be registered in a VOMS server as a member of a VO
The user contacts the VOMS server for his VO using a command line client (voms-proxy-init) or VOMS APIs
A proxy certificate is created containing the user VO membership information
In particular, VOMS creates a signed Attribute Certificate (AC) containing this info that is then packed into a proxy certificate
The proxy certificate is used to authenticate and authorize the user at remote services

Page 8

VOMS Architecture

Page 9

VOMS Management and Registration services (VOMS Admin)

A J2EE Web application that manages the contents of the VOMS database and provides registration services

Used by VO Administrators mainly to add/remove users to the VO, put them in VOMS groups, assign VOMS roles to them, manage generic attributes

Provides a WSDL interface to its functions
Has a command line client
Has a web-based user interface

Page 10

VOMS Management and Registration services (VOMS Admin)

All operations on the VOMS Admin are authorized via ACLs

ACLs are (Context, Principal, Permission) triples
The Context is a FQAN
The Principal is either a (DN, CA) couple (i.e., an X.509 certificate), a FQAN, or ANY_AUTHENTICATED_USER
The Permission states what the principal can do in the Context: list/add members to a group/role, create subgroups, manage attributes, manage requests/subscriptions pertaining to groups/roles
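The triple model above is small enough to evaluate directly. What follows is an added illustration, not VOMS Admin's own implementation: a deny-by-default evaluator over (Context, Principal, Permission) entries in which the Context must match exactly, a (DN, CA) principal matches only when both the DN and the issuing CA agree, a FQAN principal matches when the requester's attribute certificate carries that FQAN, and ANY_AUTHENTICATED_USER matches any client with a valid certificate. The permission names, the CA DN, the VO-Admin role and the ACL contents are constructed for the example; the user DN and the group names are taken from the voms-proxy-info listing shown later in the slides, and the NULL role/capability components that listing prints are stripped before FQANs are compared.

```python
# Added example (not VOMS Admin code): evaluate (Context, Principal, Permission) ACL triples.
from dataclasses import dataclass

ANY_AUTHENTICATED_USER = "ANY_AUTHENTICATED_USER"
# Permission names are illustrative stand-ins for the operations listed on the slide.
LIST, ADD_MEMBER, CREATE_SUBGROUP, MANAGE_ATTRIBUTES, MANAGE_REQUESTS = (
    "list", "add_member", "create_subgroup", "manage_attributes", "manage_requests")
ALL_PERMISSIONS = frozenset({LIST, ADD_MEMBER, CREATE_SUBGROUP, MANAGE_ATTRIBUTES, MANAGE_REQUESTS})


@dataclass(frozen=True)
class CertPrincipal:
    """A (DN, CA) couple: the same DN issued by a different CA is a different principal."""
    dn: str
    ca: str


@dataclass(frozen=True)
class AclEntry:
    context: str          # a FQAN naming the group/role the entry protects
    principal: object     # CertPrincipal, a FQAN string, or ANY_AUTHENTICATED_USER
    permissions: frozenset


@dataclass(frozen=True)
class Requester:
    """The authenticated certificate plus the FQANs carried in the requester's VOMS AC."""
    cert: CertPrincipal
    fqans: frozenset = frozenset()


def normalize_fqan(fqan):
    """Drop the NULL role/capability that voms-proxy-info prints: '/vo/g/Role=NULL/Capability=NULL' -> '/vo/g'."""
    for suffix in ("/Capability=NULL", "/Role=NULL"):
        if fqan.endswith(suffix):
            fqan = fqan[:-len(suffix)]
    return fqan


def principal_matches(entry_principal, requester):
    if entry_principal == ANY_AUTHENTICATED_USER:
        return True                                   # any client that authenticated with a valid certificate
    if isinstance(entry_principal, CertPrincipal):
        return entry_principal == requester.cert      # both DN and CA must agree
    if isinstance(entry_principal, str):              # a FQAN: the requester must hold it
        return normalize_fqan(entry_principal) in {normalize_fqan(f) for f in requester.fqans}
    return False


def is_authorized(acl, requester, context, permission):
    """Deny by default; grant only if an entry for exactly this context names the requester and the permission."""
    return any(
        entry.context == context
        and permission in entry.permissions
        and principal_matches(entry.principal, requester)
        for entry in acl
    )


# Constructed sample ACL for the VO "valerio" of the slides. The admin DN is the user in the
# voms-proxy-info listing; the CA DN and the VO-Admin role are placeholders.
ADMIN_DN = "/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini"
CA_DN = "/C=IT/O=INFN/CN=EXAMPLE-CA"
SAMPLE_ACL = [
    AclEntry("/valerio", CertPrincipal(ADMIN_DN, CA_DN), ALL_PERMISSIONS),
    AclEntry("/valerio", "/valerio/Role=VO-Admin", ALL_PERMISSIONS),
    AclEntry("/valerio", ANY_AUTHENTICATED_USER, frozenset({LIST})),
    AclEntry("/valerio/qwerty", "/valerio/qwerty", frozenset({LIST})),
    AclEntry("/valerio/asdasd", "/valerio/asdasd", frozenset({LIST})),
]

if __name__ == "__main__":
    member = Requester(CertPrincipal("/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Example Member", CA_DN),
                       frozenset({"/valerio/Role=NULL/Capability=NULL", "/valerio/qwerty/Role=NULL/Capability=NULL"}))
    print(is_authorized(SAMPLE_ACL, member, "/valerio/qwerty", LIST))   # True: holds /valerio/qwerty
    print(is_authorized(SAMPLE_ACL, member, "/valerio/asdasd", LIST))   # False: not in that group
```

The point to take from the (DN, CA) case is that the CA is part of the identity: a certificate presenting the administrator's DN from another CA only gets what ANY_AUTHENTICATED_USER gets.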

Page 11

VOMS-Admin architecture

Page 12

VOMSd

VOMSd is the component which listens for user requests and creates Attribute Certificates. All communication is secured and mutually authenticated.

Allows high customization of ACs: which roles to present, validity length, targeting, etc.

Page 13

VOMS data format

Attributes (groups, roles, general purpose) returned by VOMS are inserted into an RFC-3281 compliant Attribute Certificate.

The provided clients insert the AC in a non-critical extension of the user proxy

Page 14

VOMS clients

The clients provided are command-line based, but APIs are available in C, C++ and Java.

You could write your own client

Page 15

Example of data:

    [marotta@datatag6 marotta]$ /data/marotta/installs/17series/bin/voms-proxy-info --all
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
    issuer : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
    identity : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
    type : proxy
    strength : 512 bits
    path : /tmp/x509up_u502
    timeleft : 11:59:58
    === VO valerio extension information ===
    VO : valerio
    subject : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
    issuer : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
    attribute : /valerio/Role=NULL/Capability=NULL
    attribute : /valerio/asdasd/Role=NULL/Capability=NULL
    attribute : /valerio/qwerty/Role=NULL/Capability=NULL
    attribute : attributeOne = 111 (valerio)
    attribute : attributeTwo = 222 (valerio)
    timeleft : 11:59:58

Proxy’s Subject: the first subject line (ending in /CN=proxy)
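This listing, together with the procedure on Page 7 and the resource-provider mapping on Page 3, is what a relying party actually has to process. The following is an added example, not code from the slides or from the VOMS project: a stdlib-only Python parser for `voms-proxy-info --all` output that splits each FQAN into group path, role and capability, runs the checks a site should make before trusting the extension (AC holder equals the proxy's identity, AC issuer is the VOMS server the site trusts for that VO, neither proxy nor AC expired, key length above a policy minimum), and maps the held FQANs to a local account gridmap-style. The sample input is the Page 15 listing re-typed one field per line; the trusted-issuer table, the 1024-bit policy minimum and the account mapping are constructed for the example, and the mapping ignores roles for simplicity.

```python
# Added example, not code from the slides or from VOMS: parse `voms-proxy-info --all`,
# validate the VOMS extension as a relying party would, then map FQANs to a local account.
import re
from dataclasses import dataclass, field

# Constructed sample input: the Page 15 listing, one field per line.
SAMPLE_OUTPUT = """\
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini/CN=proxy
issuer    : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
identity  : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
type      : proxy
strength  : 512 bits
path      : /tmp/x509up_u502
timeleft  : 11:59:58
=== VO valerio extension information ===
VO        : valerio
subject   : /C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Vincenzo Ciaschini
issuer    : /C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it
attribute : /valerio/Role=NULL/Capability=NULL
attribute : /valerio/asdasd/Role=NULL/Capability=NULL
attribute : /valerio/qwerty/Role=NULL/Capability=NULL
attribute : attributeOne = 111 (valerio)
attribute : attributeTwo = 222 (valerio)
timeleft  : 11:59:58
"""
# Constructed trust table: which VOMS server (host certificate DN) may sign ACs for which VO.
TRUSTED_AC_ISSUERS = {"valerio": {"/C=IT/O=INFN/OU=Host/L=CNAF/CN=datatag6.cnaf.infn.it"}}
# Constructed gridmap-style table, most specific entry first: group path -> local account.
LOCAL_ACCOUNT_MAP = [("/valerio/qwerty", "valqwerty"), ("/valerio", "valerio001")]


@dataclass
class VoExtension:
    vo: str
    subject: str = ""      # AC holder; must equal the proxy's identity (the end-entity certificate)
    issuer: str = ""       # AC signer; the VOMS server's host certificate
    fqans: list = field(default_factory=list)
    generic: dict = field(default_factory=dict)   # name -> (value, qualifier)
    timeleft: int = 0      # seconds until the AC expires


def parse_fqan(fqan):
    """'/vo/group/Role=r/Capability=c' -> (group_path, role, capability); NULL becomes None."""
    groups, role, cap = [], None, None
    for part in fqan.strip("/").split("/"):
        if part.startswith("Role="):
            role = part[len("Role="):]
        elif part.startswith("Capability="):
            cap = part[len("Capability="):]
        else:
            groups.append(part)
    return "/" + "/".join(groups), (None if role in (None, "NULL") else role), (None if cap in (None, "NULL") else cap)


def parse_timeleft(text):
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_voms_proxy_info(text):
    """Return (proxy_fields, [VoExtension, ...]); lines before the first '=== VO' header are proxy fields."""
    fields, extensions, current = {}, [], None
    for line in text.splitlines():
        header = re.match(r"^=== VO (\S+) extension information ===$", line)
        if header:
            current = VoExtension(vo=header.group(1))
            extensions.append(current)
            continue
        kv = re.match(r"^(\w+)\s*:\s*(.*)$", line)
        if not kv:
            continue
        key, value = kv.group(1), kv.group(2).strip()
        if current is None:
            fields[key] = value
        elif key == "attribute" and value.startswith("/"):
            current.fqans.append(value)                  # a FQAN (group/role membership)
        elif key == "attribute":                         # a generic (Name, Value) pair
            g = re.match(r"^(\w+)\s*=\s*(.*?)\s*\((\w+)\)$", value)
            if g:
                current.generic[g.group(1)] = (g.group(2), g.group(3))
        elif key in ("subject", "issuer"):
            setattr(current, key, value)
        elif key == "timeleft":
            current.timeleft = parse_timeleft(value)
    return fields, extensions


def validate(fields, extensions, trusted_issuers=TRUSTED_AC_ISSUERS, min_key_bits=1024):
    """Checks a site should make before acting on the attributes; returns the list of problems found."""
    problems = []
    if parse_timeleft(fields.get("timeleft", "0:0:0")) <= 0:
        problems.append("proxy has expired")
    bits = int(fields.get("strength", "0 bits").split()[0])
    if bits < min_key_bits:                              # policy threshold is an assumption of this example
        problems.append(f"proxy key strength {bits} bits is below policy minimum {min_key_bits}")
    for ext in extensions:
        if ext.subject != fields.get("identity"):        # AC bound to someone else's certificate
            problems.append(f"AC for VO {ext.vo} is bound to {ext.subject!r}, not to this proxy's identity")
        if ext.issuer not in trusted_issuers.get(ext.vo, set()):
            problems.append(f"AC for VO {ext.vo} signed by untrusted issuer {ext.issuer!r}")
        if ext.timeleft <= 0:
            problems.append(f"AC for VO {ext.vo} has expired")
    return problems


def map_to_local_account(extensions, account_map=LOCAL_ACCOUNT_MAP):
    """Resource-provider side: the first (most specific) mapping entry whose group the user holds wins."""
    held = {parse_fqan(f)[0] for ext in extensions for f in ext.fqans}
    for group_path, account in account_map:
        if group_path in held:
            return account
    return None
```

Run on the sample (`validate(*parse_voms_proxy_info(SAMPLE_OUTPUT))`), the only finding is the 512-bit proxy key, which is the one check the listing fails against the example policy; an extension whose subject is not the proxy's identity, or one signed by a VOMS host the site does not trust for that VO, is reported before any account mapping is done.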

Pages 16–26 show the same listing with one field highlighted on each page:

Proxy’s issuer: the issuer line above the VO extension
Certificate’s subject: the identity line
Type of proxy: the type line
Proxy’s key strength: the strength line
Proxy’s location: the path line
Proxy’s validity: the first timeleft line
VO name: the VO line
Owner’s data: the subject and issuer lines inside the VO extension
Owner’s group membership: the attribute lines holding FQANs (/valerio, /valerio/asdasd, /valerio/qwerty)
General-purpose attributes: the attributeOne and attributeTwo lines
AC validity: the last timeleft line

Page 27

Shibboleth

Many grids are looking for less complex ways to authenticate their users

Shibboleth is being adopted as a top-down authentication infrastructure

Page 28

What is Shibboleth?

An Internet2/MACE initiative to develop a standards-based architecture and policy framework supporting the sharing of secured web resources and services

A software project delivering an open source implementation of the architecture and framework

Based on the OASIS SAML standard (http://www.oasis-open.org/)

Page 29

Shibboleth Architecture

[Figure: message flow between the IdP/Original Site (Authentication Server, Handle Service, Attribute Authority) and the SP/Target Site (SHIRE, SHAR, ShibAuthZ), with the WAYF and the User; steps 1, 2, 3, 4a, 4b, 5, 6, 7, 8]

Page 30

Shibboleth Architecture

SHIRE: Shibboleth Indexical Reference Establisher
SHAR: Shibboleth Attribute Requester
WAYF: Where Are You From

Page 31

Shibboleth & VOMS similarities

Maintain lists of user identities
Add attributes to user identities
Offer a way to distribute such attributes

Page 32

Shibboleth & VOMS differences

Shibboleth IdP                                     | VOMS
Has good support for federations                   | Has basic support for federations
Does not support X.509                             | Supports X.509
Supports SAML                                      | SAML support in development
Allows third parties to get information on users   | Does not allow third parties to get information on users
Pull model                                         | Push model
Mostly geared to website authorization             | Mostly geared to grid authorization
Delegation of credentials not well supported       | Delegation of credentials well supported

Page 33

Grid & Shibboleth integration

SWITCH AAI: http://www.switch.ch/aai/
GridShib: http://gridshib.globus.org/
ShibGrid: http://www.oerc.ox.ac.uk/activities/projects/index.xml?ID=ShibGrid
SHEBANGS: http://www.mc.manchester.ac.uk/research/projects/shebangs

Has VOMS component: SWITCH and SHEBANGS

Page 34

GridShib (attribute pull)

[Figure: Client, GridShib CA with SAML tools, Shibboleth WAYF, Shibboleth IdP, Grid Resource; a Certificate is issued at step 6; message flow steps 1–10]

Page 35

ShibGrid

Page 36

Shebangs

Page 37

About my thesis

Research and develop single sign-on mechanism through web environment for VN-Grid

Page 38

Approach

Key words: single sign-on, web environment, Shibboleth, GSI, VOMS

How to bridge the gap between Shibboleth and Grid?

Page 39

Reference

www.globus.org
www.shibboleth.internet2.edu
…

Page 40

Thank you for your attention!