SC06 – Powerful Beyond Imagination Tampa, FL Nov 14, 2006 Scaling TeraGrid Access: A Roadmap (Testbed) for Federated Identity Management for a Large Cyberinfrastructure Von Welch NCSA Manager, Security Research and Development


Acknowledgments

This represents thinking by myself and a number of others: Ian Foster, Tom Scavo, Frank Siebenlist, Charlie Catlett, Jill Gemmill, Dane Skow

Whitepaper: http://gridshib.globus.org/tg-paper.html

Workshop on TeraGrid Authentication, Authorization, and Account Management, August 30-31, 2006, Argonne National Laboratory
Organizers: Von Welch, Tony Rimovsky, Jim Marsteller, Carolyn Peters, Dane Skow
Attendees: 42 persons, representatives from all TeraGrid Resource Provider sites, OSG, Internet2, Globus
http://www-fp.mcs.anl.gov/tgmeeting/AAA-Agenda.htm


A vision for the TeraGrid Federated Identity

Plan for a world where users can be authenticated via their home campus identity management system
  Outsource authentication and avoid the identity management burden
Allow communities to assert user attributes
  Enable attribute-based authorization of users by the RP site
  Allow for user authentication with authorization by community
Prototype the system in a testbed, with involvement of interested parties to work out issues
All usage still billed to an allocation (community or individual)


The Vision

[Figure: Campuses supply Identity; Communities (e.g. nanoHUB, NVO, LEAD) supply Attributes.]


Testbed Use Cases

1. Individual New User

2. Individual Existing User Access

3. Shibboleth authentication to Gateway

4. Gateway attribute authorization to RP

5. OSG/VOMS access

6. Educational Access

7. Incident Response


Testbed


Challenges

Auditing/logging: for incident response; tracking communities
Account management: community accounts; dynamic workspaces
Policy and configuration: creation, distribution, management; balance with site autonomy


Testbed Timeline

Complete testbed definition by end of 2006
Start testbed deployment January 1, 2007
  Ok, maybe January 2nd, 2007
Expect three to six months of evaluation
Then generate a plan for production deployment
Seeking participation from admins, users, communities, resources


Testbed Software Components

Enhanced CTSSv3 stack
  Grid authentication (GSI/PKI/X.509 certificates)
  Existing GT component extensions to enable attribute-based authorization (GridShib, Virtual Workspace for VOMS)
  Installed on TeraGrid resources on alternate ports or head nodes
VOMS test server
Shibboleth and related software
  myVocs, GridShib
  Leverage InQueue/TestShib, InCommon, UTexas Federation, OpenIdp


Grid Authentication

Globus Toolkit provides authentication services via X.509 credentials
When requesting a service, the user presents an X.509 certificate: an RFC 3820 proxy certificate or a standard end entity certificate
GridShib leverages the existing authentication mechanisms in GT


Grid Authorization

Today, Globus Toolkit provides identity-based authorization mechanisms:
  Access control lists (called grid-mapfiles) map DNs to local identities (e.g., Unix logins)
  Community Authorization Service (CAS)
Some attribute-based authorization has appeared and is proving useful, e.g. VOMS, caBIG
Extensions to GT exist from GridShib and the Virtual Workspace project
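To make the contrast between the two authorization models concrete, here is an added illustration (not GridShib, Globus or TeraGrid code): a parser for the grid-mapfile format the slide describes, the identity-based lookup it supports, and beside it an attribute-based check that maps a community-asserted attribute to a community account. The DNs, attribute names and the policy table are constructed for the example.

```python
"""Identity-based (grid-mapfile) vs. attribute-based authorization.
Added example, not Globus/GridShib code. The grid-mapfile line format
(quoted DN, then comma-separated local logins) is the real one; the DNs,
attribute names and community policy below are constructed."""
import shlex

# Constructed grid-mapfile: every authorized user must be enumerated by DN.
GRIDMAP = '''
# comments and blank lines are ignored
"/DC=org/DC=example/OU=People/CN=Jane Doe 1234" jdoe
"/DC=org/DC=example/OU=People/CN=Bob Lee 5678" blee,bob
'''

def parse_gridmap(text):
    """Return {DN: [local logins]} from grid-mapfile text."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # shlex handles the quoted DN
        if len(parts) != 2:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        dn, logins = parts
        mapping[dn] = logins.split(",")
    return mapping

def authorize_by_identity(gridmap, dn):
    """Identity-based: grant the first mapped login, or None if the DN is
    not pre-registered (the per-user enrollment burden the talk wants to avoid)."""
    logins = gridmap.get(dn)
    return logins[0] if logins else None

# Constructed policy: (attribute name, value) asserted by a community IdP
# (e.g. via Shibboleth/GridShib or a VOMS server) -> community account.
COMMUNITY_POLICY = {
    ("isMemberOf", "nanoHUB:users"): "nanohub",
    ("eduPersonEntitlement", "urn:example:teragrid:lead"): "lead",
}

def authorize_by_attributes(attrs, policy=COMMUNITY_POLICY):
    """Attribute-based: any asserted (name, value) in the policy grants the
    mapped community account; the user's DN need not be known in advance.
    Usage is still charged to that community's allocation."""
    for name, values in attrs.items():
        for value in values:
            account = policy.get((name, value))
            if account:
                return account
    return None
```

The attribute path is only as trustworthy as the assertion it consumes, which is why the deck lists auditing and tracking of communities among the testbed challenges.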


VOMS

Attribute system developed by the EU Data Grid
Uses X.509 attribute certificates (RFC 3281)
In use by EGEE, OSG


Shibboleth

System developed by Internet2 to allow for federated identity management
Allows for inter-organization access to web resources
Not an identity management system: exposes campus identity and attributes in a standard format
Based on SAML as defined by OASIS
Policies for attribute release and transient handles to allow privacy


Why Shibboleth?

A large (and growing) installed base on campuses around the world
Professional development and support team at Internet2
Additional tools from GridShib, UAB, MAMS (Australia), SWITCH, UK
Some commercial support now as well
A standards-based, open source implementation
A standard attribute vocabulary (eduPerson)


GridShib

Provides for interoperability between Shibboleth and Grids (Globus Toolkit 4.0)
GridShib for Globus Toolkit: a plugin for GT 4.0
GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
GridShib SAML Tools: tools for adding SAML to Grid credentials
GridShib CA: converting Shibboleth authentication to Grid credentials


myVocs

myVocs developed at UAB (Gemmill and Robinson), NMI funded, http://www.myvocs.org
myVocs allows for VOs based on Shibboleth identities
Users register via Shibboleth and can be added to myVocs-maintained groups
myVocs acts as a Shibboleth proxy to add group information to the user's normal Shibboleth information


myVocs-GridShib integration

GridShib authorizes use of Grid services based on Shibboleth identities
Integration allows for the creation and management of Grid VOs based on Shibboleth
Demoed at I2 in April (and can do so anytime for interested parties)


OpenIdp

A Shibboleth identity provider for those who don't have one at their campus yet
Also from UAB: www.openidp.org
Email-based registration
Helps to crack the egg
Commercial equivalent: protectnetwork.com


Thank you

For more information: Von Welch, [email protected]
GridShib: http://gridshib.globus.org
The white paper: http://gridshib.globus.org/tg-paper.html

Questions?