Identity Federation and Attribute-based Authorization
through the Globus Toolkit, Shibboleth, GridShib, and MyProxy
Tom Barton (1), Jim Basney (2), Tim Freeman (1), Tom Scavo (2),
Frank Siebenlist (1,3), Von Welch (2), Rachana Ananthakrishnan (3),
Bill Baker (2), Monte Goode (4), Kate Keahey (1,3)
(1) University of Chicago
(2) National Center for Supercomputing Applications, University of Illinois
(3) Mathematics and Computer Science Division, Argonne National Laboratory
(4) Lawrence Berkeley National Laboratory
NIST PKI Workshop, April 4th 2006
Background
Globus Toolkit
• http://www.globus.org
• Toolkit for Grid computing
  – Job submission, data movement, data management, resource management
• Based on Web Services and WSRF
• Security based on X.509 identity and proxy certificates
  – May be from conventional or on-line CAs
Grid PKI
• Large investment in PKI at the international level for Grids
  – Dozens of CAs, thousands of users
• International Grid Trust Federation
  – http://www.gridpma.org
• Intended for point-in-time authentication
  – As opposed to, e.g., document signing
• Uses RFC 3820 Proxy Certificates for delegation and single sign-on
• Keys stored in Highest Common Technology == User’s local filesystem
Shibboleth
• Internet2 project
• Standards-based (SAML)
• Allows for Identity Federation
  – Identity == Identifier + Attributes
  – Identifier may or may not be a persistent Name.
  – Allows for pseudonymity via temporary, meaningless identifiers called ‘Handles’
• Allows for inter-institutional sharing of web resources (via browsers)
  – Provides attributes for authorization between institutions
• Being extended to non-web resources
MyProxy
• The Team:
  – Jim Basney (lead), Bill Baker, Patrick Duda, Von Welch
• Many contributors
  – E.g. Monte Hall (LBNL)
• A service for managing X.509 PKI credentials
  – A credential repository
  – Long-lived private keys never leave the server
• Originally, a method for delegating credentials to Web Portals
  – Workaround for lack of delegation in Web Browsers
  – User delegates RFC 3820 Proxy Certificate to MyProxy, Portal delegates from MyProxy
• Open Source Software
  – Included in Globus Toolkit 4.0 and CoG Kits
  – C, Java, Python, and Perl clients available
GridShib
• NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit
  – Funded under NSF NMI program
• GridShib team: NCSA, U. Chicago, ANL
  – Tom Barton, Tim Freeman, Kate Keahey, Raj Kettimuthu, Tom Scavo, Frank Siebenlist, Von Welch
• Working in collaboration with the Internet2 Shibboleth Design team
Common Goals of GridShib and MyProxy
• Ease of use for Grid PKIs
• X509 Credential management is a big headache for all involved
  – Users hate the process of getting certificates
  – Admins hate not knowing where private keys are
  – Everyone hates configuration overhead (mainly CRLs)
• Both projects working to use federation combined with X509 to solve these problems
• Integration of Site with Grid security
Results from Past Year
MyProxy Authentication
• MyProxy has traditionally supported:
  – Key Passphrase
  – X.509 Certificate for credential renewal
• In the past year, we have added:
  • Pluggable Authentication Modules (PAM)
    – Kerberos password
    – One Time Password (OTP)
    – Lightweight Directory Access Protocol (LDAP) password
  • Simple Authentication and Security Layer (SASL)
    – Kerberos ticket (SASL GSSAPI)
  • PubCookie
MyProxy Online Certificate Authority
• Issues short-lived X.509 End Entity Certificates
  – Leverages MyProxy authentication mechanisms
  – Compatible with existing MyProxy clients
• Ties in to site authentication and account management
  – Using PAM and/or Kerberos authentication
  – “Gridmap” file maps username to certificate subject
    • LDAP support for mapping
• Avoids need for long-lived user keys
• Server can function as both CA and repository
  – Issues certificate if no credentials for user are stored
• When combined with pluggable authentication, allows for an easy way to leverage existing authentication for X509 access
  – Like Kx509/KCA, with Kerberos replaced by various technologies
• (Implemented by Monte Goode @ LBNL)
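The gridmap lookup used by the online CA, as an added example (not MyProxy's own code): the CA direction maps an authenticated site username to the subject DN it will certify, and the service direction maps a presented DN to a local account. The file format assumed here is the Globus one (quoted DN followed by comma-separated local usernames, `#` comments); the sample entries are constructed.

```python
# Added example, not MyProxy code: parse a Globus-style "gridmap" file and
# look it up in both directions. The MyProxy online CA needs username -> DN
# (which subject to put in the short-lived certificate); a Grid service
# needs DN -> local account. Entries here are constructed sample data.
import shlex

SAMPLE_GRIDMAP = """
# DN                                        local account(s)
"/C=US/O=Example Grid/CN=Jane Doe"          jdoe
"/C=US/O=Example Grid/CN=Shared Robot 1"    robot,ops
"/C=US/O=Example Grid/CN=Jane Doe (alt)"    jdoe
"""

def parse_gridmap(text):
    """Return a list of (dn, [usernames]) in file order."""
    entries = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)  # quoted DN may contain spaces
        if not parts:
            continue                              # blank or comment line
        if len(parts) != 2:
            raise ValueError("malformed gridmap line: %r" % raw)
        dn, accounts = parts
        entries.append((dn, accounts.split(",")))
    return entries

def account_for_dn(entries, dn):
    """Service direction: exact DN string match -> first listed account."""
    for entry_dn, accounts in entries:
        if entry_dn == dn:
            return accounts[0]
    return None

def dn_for_username(entries, username):
    """CA direction: username -> DN to certify. This example refuses to pick
    silently when the username is mapped from more than one DN, so the CA
    does not certify a subject the site did not intend."""
    matches = [dn for dn, accounts in entries if username in accounts]
    if len(matches) > 1:
        raise LookupError("%s is mapped from several DNs: %s" % (username, matches))
    return matches[0] if matches else None
```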
MyProxy: Managing Trust Roots
• Based on ideas put forth in Gutmann’s plug-and-play PKI paper
• When user authenticates to get X509 credential, also provide needed trust information
  – CA certificates, CRLs, other related policy
GridShib Overview
• Two components
  – GridShib handlers for Globus Toolkit (GT4)
  – GridShib plugin for Shibboleth (1.3)
• Working together they allow GT service to request Shibboleth attributes
• And make authz decision based on those attributes
• All software open source
GridShib for Globus Plugin
• Three components
• Basic SAML Query Policy Information Provider (PIP)
  – Queries Shibboleth AA using X509 DN and retrieves user attributes
  – Needs GridShib for Shibboleth plugin at AA
• SAML identity mapper PIP determines local username from SAML attributes
• SAML PDP makes access control decision based on SAML attributes
GT Authorization Architecture
• GridShib work is forming basis for rich authorization architecture in GT
• Configurable collection of PIPs gather attributes regarding user
  – SAML, X509, local, etc.
  – Canonicalize to XACML Request Context
• Configurable collection of PDPs render authorization decision
  – PDPs can be local or remote (GGF OGSA-Authz SAML protocol)
  – PDPs can be combined logically in different ways (AND or OR)
  – PDPs can gather own attributes (e.g. PERMIS)
GridShib for Shibboleth Plugin
• NameMapper for Shibboleth IdP
• Converts X509 DN into locally meaningful name
• Currently uses static mapping
  – Already being improved on
GridShib Flow: Putting it together
• User makes request of GT service as usual
  – X509 authentication with SOAP
• GT SAML PIP queries Shibboleth AA using DN
  – SAML Query protocol
• GridShib NameMapper converts from DN to local principal name
• Shibboleth AA returns SAML assertion with attributes
  – SAML Response protocol
• GT SAML PIP binds attributes to DN in GT internal state
• GT then maps user to local account and/or renders access control decision
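The flow above, together with the PIP/PDP architecture and the three plugin components described on the earlier slides, as an added example (not Globus Toolkit or GridShib code): a SAML PIP looks the caller's DN up at a simulated Shibboleth AA whose static NameMapper turns the DN into a local principal, the returned attributes are bound to the DN in a request context, an identity-mapper PIP picks the local account, and PDPs are combined with AND or OR. The DNs, principals, eduPerson attribute values and policies are all constructed.

```python
# Added example, not GT/GridShib code: service-side model of the GridShib
# flow. The AA, NameMapper table and attribute store are in-memory stand-ins
# for the Shibboleth IdP; all values below are constructed.

# IdP side: static NameMapper (DN -> principal) and the AA's attribute store.
NAME_MAPPER = {"/C=US/O=Example Grid/CN=Jane Doe": "jdoe@example.edu",
               "/C=US/O=Example Grid/CN=Bob Roe": "broe@example.edu"}
ATTRIBUTE_AUTHORITY = {
    "jdoe@example.edu": {"eduPersonAffiliation": ["member", "faculty"],
                         "eduPersonEntitlement": ["urn:example:grid:compute"]},
    "broe@example.edu": {"eduPersonAffiliation": ["faculty"]},
}

def shib_aa_query(dn):
    """AA endpoint: map the DN to a principal, release that principal's
    attributes; an unknown DN yields no attributes."""
    principal = NAME_MAPPER.get(dn)
    return dict(ATTRIBUTE_AUTHORITY.get(principal, {})) if principal else {}

# Service side: PIPs fill the request context, PDPs only read it.
def saml_query_pip(ctx):
    ctx["attributes"] = shib_aa_query(ctx["dn"])      # bound to the DN

def identity_mapper_pip(ctx):
    ent = ctx["attributes"].get("eduPersonEntitlement", [])
    ctx["local_account"] = "gridusers" if "urn:example:grid:compute" in ent else None

def affiliation_pdp(ctx):
    return "faculty" in ctx["attributes"].get("eduPersonAffiliation", [])

def account_pdp(ctx):
    return ctx.get("local_account") is not None

def authorize(dn, pips, pdps, combine="AND"):
    """Run PIPs in order, then combine the PDP verdicts.
    Returns (permit, context); no PDPs configured means deny."""
    ctx = {"dn": dn, "attributes": {}}
    for pip in pips:
        pip(ctx)
    verdicts = [pdp(ctx) for pdp in pdps]
    allowed = all(verdicts) if combine == "AND" else any(verdicts)
    return bool(verdicts) and allowed, ctx
```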
Next Steps
GridShib/MyProxy Integration
• Allow for leveraging of Shibboleth SSO for Grids
  – Need to convert Shibboleth SAML into X509
• Accomplish by adding SAML authentication support to MyProxy
  – À la PubCookie
• Have implemented prototype GridShib CA
  – Portal authenticates user, MyProxy trusts portal to have done so and issues X509 Credential
  – Java Web Start application downloads credential from portal to user desktop
• Investigating full Shibboleth authentication to MyProxy
  – May have to wait until Shibboleth 2.x
The Name Mapping Problem
• End-to-end flow involves both protocol and name conversion
  – Site, SAML, X509
• Not clear that these conversions should be co-located, or who should be authoritative
Name Binding
• If site is authority for both SAML and X509 names, then they can make mappings or use algorithmic transformation
• Today this is often not the case
  – E.g. CA is run by Grid community
• Two options we’re exploring:
  • User binds names by dual-authentication
  • CA binds names when it issues a credential
    – Either by direct communication with Shibboleth AA
      • Allow Shibboleth AA to recognize DN
    – Or by embedding information into the X509 certificate
      • Allows resource to know Shibboleth Name
• Working in collaboration with Jill Gemmill, J.P. Robinson @ UAB (myVocs)
Questions?
• [email protected]
• Project URLs
  – http://gridshib.globus.org
  – http://myproxy.ncsa.uiuc.edu
  – http://shibboleth.internet2.edu/
• Acknowledgements
  – The GridShib work is funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.
  – The MyProxy work was funded by the NSF NMI Grids Center and the NCSA NSF Core awards. The online CA work was implemented at LBNL.