2005 © SWITCH Interoperability Shibboleth and gLite in EGEE-2 MWSG Amsterdam Dec 15, 2005 Christoph Witzig SWITCH


2005 © SWITCH

Interoperability Shibboleth and gLite in EGEE-2

MWSG Amsterdam, Dec 15, 2005

Christoph Witzig, SWITCH


Outline

• Introduction
  – Presentation of SWITCH
  – Motivation of AAIs
  – Overview of Shibboleth
• SWITCHaai: the six building blocks
• Interoperability Shibboleth - gLite in EGEE-2
  – Work in 3 phases
  – Related work
  – Policy issues
• Summary

[Diagram: the six SWITCHaai building blocks - Organisational Framework, Service Providers, Identity Provider, Central Services, Funding, Interoperability]


SWITCH

[Organisation chart; recoverable labels:]
• Business Development: strategic planning, technology monitoring, international relations
• Management Services: human resources, legal, finance/accounting, marketing/sales/PR/coordination of universities
• Internal services: HW/OS, consulting, e-mail
• Security: incident handling, consulting, laboratory, critical infrastructure protection
• Network: network engineering, network infrastructure, consulting (SWITCHlambda, IP routing, IPv6/QoS/multicast, PERT)
• Internet Identifiers: domain names (registration and further services: invoicing, administration, help desk, online queries, consulting, added services for end users and for second-level service providers), user registration
• NetServices: grid technologies, virtual communities, e-mobility, tools and consulting (SWITCHaai, SWITCHmobile, SWITCHvconf, collaboration tools, content delivery)


Without AAI

[Diagram: University A, Library B and University C, each with its own resources (Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals); labels: Authorization, User Administration, Authentication, Resource Credentials]

• Tedious user registration at all resources
• Unreliable and outdated user data at resources
• Different login processes
• Many different passwords
• Many resources not protected due to difficulties
• Often IP-based authorization
• Costly implementation of inter-institutional access


With AAI

[Diagram: University A, Library B and University C connected through the AAI; resources shown: Student Admin, Web Mail, e-Learning, Literature DB, Research DB, e-Journals; labels: Authorization, User Administration, Authentication, Resource Credentials]

• No user registration and user data maintenance at resource needed
• Single login process for the users
• Many new resources available for the users
• Enlarged user communities for resources
• Authorization independent of location
• Efficient implementation of inter-institutional access


SWITCHaai Project

[Timeline 2001-2007; phase labels shown: Study, Architecture, Evaluation (-> Shibboleth), Pilot, Implementation, Operation]


Shibboleth

• Open Source, developed by Internet2
• Federated approach
• Privacy
• National deployment projects in the US, UK and Finland; growing interest in other European countries
• Currently for web resources only - will be extended
• Based on SAML
• Cooperations with Liberty Alliance
• Cooperations with content providers (e-journals)

http://shibboleth.internet2.edu/


How it works


Demo (Try it yourself)

http://www.switch.ch/aai

Live Demo: demo resource
http://www.switch.ch/aai/demo/demo_live.html


Outline

• Introduction
• SWITCHaai: the six building blocks
• Interoperability Shibboleth - gLite in EGEE-2
• Summary

[Diagram: the six SWITCHaai building blocks - Organisational Framework, Service Providers, Identity Provider, Central Services, Funding, Interoperability]


AAI Identity Provider

Operational: UniL, ETHZ, UniZH, UniBE, VHO (SWITCH), UniGE, ZHWIN, UniLU

Getting ready (2005/2006): USZ, UniFR, UniBAS, UniNE, UniSG, USI/SUPSI

120’000 users of Swiss higher education are already AAI-enabled (= 65% of all users)

Identity Providers


Directories within an AAI Identity Provider

[Diagram: an AAI-enabled Identity Provider consists of a User Directory and an Authentication System, connected to the AAI]

• Authentication System
  – any Apache compatible authentication method
  – any Tomcat compatible authentication method
  – any IIS compatible authentication method
• User Directory
  – integration via Java APIs: LDAP via JNDI, databases via JDBC

Username is the link between the two parts

Identity Providers


Virtual Home Organization - VHO

[Diagram: a Federation Member with Identity Provider, Resource Owner and End User/Admin; some end users without an Identity Provider are served by the VHO Service @SWITCH (user directory, VHO policy)]

Integrate End Users without Identity Provider
• Resource Owner creates @VHO “AAI-enabled” accounts for users without an Identity Provider
• A VHO account is only usable for that resource managed by the Resource Owner

Identity Providers


AAI Service Providers (Resources)

Categories shown: e-Learning, Libraries, Other Web Applications, Commercial Contents

Resources shown: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf, Web-SMS, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, ILIAS, TWiki, eShops, CompiCampus, EBSCO, …

ca. 50 AAI-enabled hosts, ca. 10’000 active users

Service Providers


Showcase: DOIT

DOIT: Dermatology Online with Interactive Technology, 500 AAI users
http://www.cyberderm.net/

[Diagram: Identity Providers UniL, ETHZ, UniZH, UniBE, VHO (SWITCH), UniGE, ZHWIN, UniLU; AAI Service Provider (Resource): DOIT]

Access Rule:
  HomeOrg = UniZH | UniBE | UniL
  Affiliation = Student
  StudyBranch = Medicine
  StudyLevel = 20

Service Providers


AAIportal: Integration of “black boxes”

[Diagram: Shibboleth -> AAIportal (Authentication/Authorization Gateway, optional User Management, adaptors to blackbox applications) -> applications A1, A2, ... via application sign-on / API; blackbox applications: WebCT Vista, WebCT CE, …]

Service Providers


Authorization Attributes (1)

• AAI transfers user attributes from a Home Organization to a Resource

• Requires a common understanding of what a value means

Authorization Attribute Specification v1.1

• A task force selected the attributes for SWITCHaai

• minimal set to start with

• attributes with pre-existing ‘common understanding’

• in line with foreign activities

http://www.switch.ch/aai/docs/AAI_Attr_Specs.pdf

Interoperation


Authorization Attributes (2)

Personal attributes:
• Unique Identifier
• Surname
• Given name
• E-mail
• Address(es)
• Phone number(s)
• Preferred language
• Date of birth
• Gender

Group membership:
• Name of Home Organization
• Type of Home Organization
• Affiliation (student, staff, faculty, …)
• Study branch
• Study level
• Staff category
• Group membership
• Organization Path
• Organizational Unit Path

• based on eduPerson specification
• study branch, study level, staff category are based on SHIS/SIUS
• username and password are missing: only used locally!
• ‘Matrikelnummer’ (student registration number) is missing for data protection reasons

Interoperation


International AAI Activities

Shibboleth deployment underway in: USA (Internet2, InCommon), Finland (HAKA), Switzerland (SWITCH)

Shibboleth related activities in: United Kingdom (JISC), France (CRU), Australia (AARNet), University of Amsterdam (NL), KU Leuven (BE), Statsbiblioteket Denmark

Compatibility with Shibboleth planned for: PAPI (RedIRIS, ES), A-Select (SURFnet, NL), Athens

Terena TF-EMC2 - Task Force European Middleware Coordination and Collaboration: http://www.terena.nl/tech/task-forces/tf-emc2/

GN2 - JRA5 - Ubiquity (Mobility) and Roaming Access to Services: define, prototype and build a roaming infrastructure and an AAI

Cotswolds Group - Federations Coordination (Europe, US)

Interoperation


Organisational Framework

SWITCH acts as SWITCHaai Federation Service Provider

Federation membership based on signed service agreements

Organisation


Data Protection / Privacy Issues

Data protection laws (Switzerland, EU) allow gathering only the personal data that is required.

The Identity Provider may restrict the release of data as strictly as it sees fit.

[Diagram: the Service Provider (Resource) registers its required attributes with the Resource Registry (operated by SWITCH), which proposes a site.ARP to the admin of the User’s Identity Provider; the Identity Provider then releases attributes to the Service Provider according to its site.ARP]

Proposed site.ARP (schematic, one entry per resource):

  <*.uniXY.ch> UniqueID allow Affiliation allow HomeOrgType allow HomeOrgName allow </*.uniXY.ch>
  <Resource B> UniqueID allow FirstName allow LastName allow </Resource B>
  <Resource C> UniqueID allow FirstName allow LastName allow EMail allow </Resource C>

Organisation
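As an added example (not from the SWITCH slides), the Python below models the two policy layers this deck describes: the IdP releases only the attributes its site.ARP permits for a given resource, and the Service Provider evaluates the DOIT access rule from the showcase slide over what it actually receives. The hostnames, attribute names and the user record are constructed, and the dict-based ARP is a simplification, not Shibboleth's real ARP format.

```python
import fnmatch

# Added example, not from the SWITCH slides: IdP-side attribute release (site.ARP)
# followed by SP-side authorization. Hostnames, attribute names, user: constructed.
# Schematic site.ARP: resource pattern -> attributes the IdP may release.
SITE_ARP = {
    "*.uniXY.ch": {"UniqueID", "Affiliation", "HomeOrgType", "HomeOrgName"},
    "doit.cyberderm.net": {"UniqueID", "HomeOrgName", "Affiliation", "StudyBranch", "StudyLevel"},
    "resource-b.example": {"UniqueID", "FirstName", "LastName"},
}

# Access rule from the DOIT showcase slide: HomeOrg = UniZH | UniBE | UniL,
# Affiliation = Student, StudyBranch = Medicine, StudyLevel = 20.
DOIT_RULE = {"HomeOrgName": {"UniZH", "UniBE", "UniL"}, "Affiliation": {"Student"},
             "StudyBranch": {"Medicine"}, "StudyLevel": {"20"}}

# Constructed user record as held in the IdP's user directory.
MED_STUDENT = {
    "UniqueID": "12345@unibe.ch", "HomeOrgName": "UniBE", "HomeOrgType": "university",
    "Affiliation": "Student", "StudyBranch": "Medicine", "StudyLevel": "20",
    "FirstName": "Anna", "LastName": "Muster", "EMail": "anna.muster@example.org"}

def arp_allowed(site_arp, resource):
    """First matching ARP entry wins; a resource with no entry gets nothing."""
    for pattern, attrs in site_arp.items():
        if fnmatch.fnmatchcase(resource, pattern):
            return attrs
    return set()  # default deny: no ARP entry, no release

def release(site_arp, resource, user_attrs):
    """IdP side: data minimisation, only ARP-permitted attributes leave the IdP."""
    allowed = arp_allowed(site_arp, resource)
    return {k: v for k, v in user_attrs.items() if k in allowed}

def authorize(rule, received):
    """SP side: every rule attribute must be present with a permitted value.
    An attribute the ARP did not release counts as missing and denies access."""
    return all(received.get(attr) in values for attr, values in rule.items())

def access_decision(site_arp, rule, resource, user_attrs):
    """Run both layers; returns (granted, attributes the SP actually saw)."""
    released = release(site_arp, resource, user_attrs)
    return authorize(rule, released), released

if __name__ == "__main__":
    for host in ("doit.cyberderm.net", "portal.uniXY.ch", "unknown.example"):
        granted, seen = access_decision(SITE_ARP, DOIT_RULE, host, MED_STUDENT)
        print(f"{host:22} granted={granted} released={sorted(seen)}")
```

The second host shows the practical coupling between the two layers: the same qualifying student is denied at a *.uniXY.ch resource because that ARP entry never releases StudyBranch and StudyLevel, so a resource's access rule and its registered attribute requirements have to be kept in step.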


Funding

[Chart: funding / costs, 2000-2010; stages: pilot project (funded by SWITCH), project (funded by subsidies), operational service (funded by tariffs)]

Funding


Central AAI-Services

• Strategy & Marketing
• International Contacts
• Support, Consulting, Training
• Providing federation-specific files and configuration guides
• Operating WAYF (Where Are You From server)
• Test-HomeOrg and Test-Resource
• Tools (AAIportal, AAIproxy)
• Virtual Home Organization
• Jump Start Service

Central Services


SWITCHaai Outlook

• Adding new institutions
• Adding new resources
• New directions:
  – ECTS (study)
  – AAA (study)
  – Federation partners
  – Interoperability with grid: EGEE-2


Outline

• Introduction
• SWITCHaai: the six building blocks
• Interoperability Shibboleth - gLite in EGEE-2
  – Work in 3 phases
  – Related work
  – Policy issues
• Summary

[Diagram: the six SWITCHaai building blocks - Organisational Framework, Service Providers, Identity Provider, Central Services, Funding, Interoperability]


Interoperability Shibboleth - gLite

• Part of EGEE-2 proposal (by SWITCH in EGEE NREN Federation)
• Focus is on
  – Interoperability (NO replacement for X.509)
  – Specific for EGEE infrastructure (VOMS etc.)
  – Integrate, re-use, re-engineer existing code, write new code only as needed
• Key Concepts:
  – Home institution of the user should be the Identity Provider
  – Home institution provides some attributes
  – But a VO is needed for (grid specific) attributes
• Proposal of doing work in three phases:
  – Two initial, shorter phases with the intention of hooking SWITCHaai up to the grid with a minimal amount of effort to have a working system
  – A third phase adding support for SAML at the resource (service provider)


Phase 1 and 2


Access for Grid Users to Shib SP

Intention: add “symmetry” between enabling access for Shib and grid users

Test-bed SWITCH INFN in 2006


SAML Support at the Resource

• Third (and main) phase of project

• Goal: Support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)

• Should be based on SAML2

– Supports ECP Profile (constrained delegation)

– Will be used in Shibboleth 2


Related Efforts

• GridShib:
  – Emphasis is on providing attribute based authorization
  – Based on GT4 and Shib 1.3
  – Beta version available since Sept 05
• OGSA authZ working group:
  – Defines specifications for basic interoperability and pluggability of authorization modules in the OGSA framework
• Condor Shibboleth Merger Project
  – Phase I: Shib enabled Condor web portal
  – Phase II: Shib enabled Condor fat client
• Shibboleth - grid activities in UK
  – ESP-Grid
  – Further work is planned (JISC) to look at CA/Shib issues
• Issue of attribute management between IdP and VO (e.g. Signet)


Policy Issues for Phase 1

• Question: what policy shall be formulated for the certificates generated out of SWITCHaai?
• Minimum requirements for
  – SLCS certificates: TAGPMA (recently adopted)
  – “traditional” certificates: EUGRIDPMA


Minimum requirements for SLCS and traditional user certificates

SLCS:
• Several SLCS
• Automated generation based on user management system
• Lifetime < 1 mio sec
• Revocation handling optional

Traditional user certificates:
• One CA per country
• “Traditional” RA (e.g. copy of passport)
• Lifetime < 1 year + 1 month
• Revocation handling mandatory


Policy Issues for Phase 1

• Question 1: why two minimum requirements documents?
  – Wouldn’t it be easier to have one document and simply state the differences where appropriate?
• Question 2: why distinguish between SLCS and “traditional” certificates?
  – If you really trust your identity management systems, why not generate the traditional certificates?


What SWITCH would like to do….

[Diagram: generation of X.509 certificates by a Shib Resource, based on authentication at the IdP; the user generates the key pair and submits the certificate signing request; the administrative procedures of the (EUGRIDPMA compliant) user management system are key for its quality]


Issue of certificates by SWITCHpki

• Generation of server certificates as now (unchanged)

• Generation of user certificates
  – If { Shib IdP EUGRIDPMA compliant } then { automatic generation }
  – Else { user follows “standard” procedures (e.g. picture id) }
• Example:
  – User management of HEP staff physicists of University of Berne follows EUGRIDPMA compliant norms
  – They have access to a Shib resource to obtain their user certificate (with varying lifetime)


Advantages

• One set of requirements for all certificates – simplicity of policy

• One infrastructure to handle all certificate requests

• Only valid or revoked certificates at all times

• Capitalize on the high standards of the user management system of SWITCHaai – for those institutions who follow the more stringent requirements


Summary

• There is interest and activity for interoperability AAI / Shibboleth - grid
  – But X.509 is still the standard security mechanism for grids (and likely to remain so for quite some time)
  – Issue is not only authentication but also attribute sharing between IdP, VO, SP
• GridShib:
  – beta version available
  – GT4 and Shib 1.3
• SWITCH looks forward to participating in EGEE-2 to add interoperability Shibboleth - gLite
  – Implement interoperability Shibboleth - gLite
  – Policy issues
  – Building a Swiss gLite grid with our partners (universities, CSCS)