http://gridshib.globus.org/

TeraGrid 08: The Third Annual TeraGrid Conference

Tom Scavo, Jim Basney, Terry Fleury, Von Welch
National Center for Supercomputing Applications
June 9–13, 2008


Page 2: Tutorial: Building Science Gateways

TeraGrid 08, June 9, 2008

Page 3: Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways

TeraGrid 08, June 11, 2008

Page 4: Science Gateways Working Group Session

TeraGrid 08, June 12, 2008

Page 5: GridShib @ TeraGrid 08

• Tutorial: Building Science Gateways (Mon, 8:00am–12:00pm)
• Birds-of-a-Feather Session: Attribute-based Auditing and Authorization for Science Gateways (Wed, 5:30–6:30pm)
• Poster Session: A Federated Identity Model for Science Gateways (Wed, 6:30–8:30pm)
• Science Gateways Working Group Session (Thu, 3:00–4:30pm)

Page 6: Grid Security Infrastructure (GSI)

Page 7: Grid Authentication

• Traditionally, grid authentication has been via trusted X.509 identity certificates
• GSI relies heavily on X.509 proxy certificates
  • A proxy cert is a short-lived certificate signed by the user's identity certificate
• Multiple GSI authentication mechanisms:
  • GSI Transport (SSL/TLS)
  • GSI Secure Message (WS-Security)
  • GSI Secure Conversation (WS-SecureConversation)

Page 8: The Classic Grid Use Case

A non-browser user issues a proxy certificate and initiates a grid request on her own behalf.

Page 9: Issue a Proxy Certificate

[Diagram: X.509 End Entity Credential (Issuer: Certification Authority; Subject: End User) plus key; grid-proxy-init or myproxy-logon produces an X.509 Proxy Credential (Issuer: End User; Subject: End User) plus key]

Page 10: Classic GSI

[Diagram: GT4 Client (Globus WS Client holding an X.509 proxy credential and key) presents an X.509 proxy certificate to the GT4 Server (Java WS Container hosting a Globus Web Service, which authorizes against the Gridmap)]

Page 11: Identity-based Access Control

• The distinguished name (DN) in the proxy certificate is used as a basis for coarse-grained access control
• If the subject DN is in an access control list called a gridmap file, access is allowed
• A gridmap file also maps DNs to usernames
  • Associated with each DN are zero or more local usernames
  • GRAM, for example, requires a local account in which to run a job request

Page 12: Gridmap File

• The gridmap has a flat file format:
  DN → [user_0, user_1, …, user_(n-1)]
• The gridmap has dual functions:
  1. Authorization Policy
  2. Username Mapping Policy
• A single gridmap file serves both functions
• Identity-based gridmap files trade off flexibility and scalability for simplicity

[Diagram: Globus gridmap file, one entry per line: DN1 username1; DN2 username2]
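As an added example (not Globus code), a small parser for the gridmap format the slide describes, exposing the two functions a single file serves: the authorization check (is the DN listed?) and the username mapping (which local account?). The quoted-DN line format and the sample entries are assumptions.

```python
"""
Parser and lookup for a Globus-style gridmap file, illustrating the slide's point
that one flat file is both the authorization policy and the username-mapping policy.
Added example, not Globus code. Line format assumed: a double-quoted subject DN
followed by one or more comma-separated local usernames; '#' starts a comment.
"""
import shlex

# Constructed sample gridmap (DNs and usernames are made up).
SAMPLE_GRIDMAP = """
# DN                                          local usernames
"/C=US/O=NCSA/CN=Alice Example"               alice
"/C=US/O=NCSA/CN=Bob Example"                 bob,bobtest
"/C=US/O=TeraGrid/CN=gisolve gateway"         gisolve
"""


def parse_gridmap(text):
    """Return {DN: [user_0, user_1, ..., user_(n-1)]}, the slide's DN → [users] form."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)                # the quoted DN contains spaces
        if len(parts) != 2:
            raise ValueError(f"malformed gridmap line: {raw!r}")
        dn, users = parts
        mapping[dn] = [u for u in users.split(",") if u]
    return mapping


def authorize(gridmap, dn):
    """Function 1 (authorization policy): the DN is allowed iff it appears in the file."""
    return dn in gridmap


def map_user(gridmap, dn, requested=None):
    """Function 2 (username mapping): choose the local account for the DN.
    Without a requested account the first listed username is used; a requested
    account is honoured only if it is listed for that DN. Returns None on denial."""
    users = gridmap.get(dn)
    if not users:
        return None          # unknown DN, or a DN listed with zero usernames
    if requested is None:
        return users[0]
    return requested if requested in users else None
```

Because both decisions read the same line, deleting an entry to stop a mapping also revokes access for that DN, which is the coupling the slide calls a trade of flexibility for simplicity.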

Page 13: GridShib-enabled GSI

Page 14: GridShib Project

• The goal of the GridShib Project is to introduce attribute-based authorization to Globus-based grids
• GridShib software allows Globus Toolkit and Shibboleth to interoperate
• Classic GridShib (circa 2004–2005) pulls attributes from a Shibboleth Attribute Service
• The current emphasis is on browser users and attribute push, specifically the TeraGrid Science Gateway Use Case

Page 15: GridShib Software

• GridShib for GT: Consumes X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. Issues SAML attribute queries to a Shibboleth IdP with GridShib for Shibboleth installed.
• GridShib for Shibboleth: Responds to attribute queries from GridShib for GT.
• GridShib CA: Issues short-lived X.509 credentials to browser users.
• GridShib SAML Tools: Issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.


Page 17: GridShib SAML Tools

• The GridShib SAML Tools (GS-ST) are a standalone suite of Java-based client tools
• Binds a SAML assertion to an X.509 proxy certificate
  • The same X.509-bound SAML token can be transmitted at the transport level or the message level (using the WS-Security X.509 Certificate Token Profile)
• Includes the GridShib Security Framework, a Java API for producing and consuming X.509-bound SAML tokens
• GS-ST is a SAML producer

Page 18: GS-ST Features

• Easily installed and configured
• Binds arbitrary content (not just SAML) to a non-critical certificate extension
• Multiple output options (SAML, X.509 proxy credential, DER-encoded ASN.1)
• CLI with shell scripts (UNIX and Windows)
• Includes a Java API for portal developers
• Leverages the Globus SAML Library, an enhanced version of OpenSAML 1.1

Page 19: GS-ST Function

• Bind a SAML assertion to a non-critical X.509 v3 certificate extension
• We call this an X.509-bound SAML token

Page 20

[Diagram: X.509 Community Credential (Issuer: TeraGrid CA; Subject: Science Gateway) plus key; grid-proxy-init produces an X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway) plus key]

Page 21

[Diagram: X.509 Community Credential (Issuer: TeraGrid CA; Subject: Science Gateway) plus key; grid-proxy-init produces an X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway) plus key; gridshib-saml-issuer then adds X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 carrying the assertion:]

<saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>

Page 22: X.509-bound SAML Token

• GridShib SAML Tools produces X.509-bound SAML tokens, a new type of security token that enables attribute-based authorization in X.509-based Grids
• The SAML token is bound to a non-critical X.509v3 certificate extension

[Diagram: X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway) plus key, carrying X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12:]

<saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>
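Added illustration (not GridShib code) of the binding the slides describe: a hand-rolled DER encoder and decoder for the single X.509v3 Extension structure that carries the assertion under the OID shown above, plus a consumer that models why the extension is non-critical (a GT container that does not know the OID ignores it, whereas an unrecognized critical extension must be rejected, so a non-GridShib service simply ignores the token as the summary slide states). The SAML namespace, the NameID element name copied from the slide, and the sample assertion are assumptions; a real deployment would use an X.509 library rather than this encoder.

```python
"""
Minimal DER encoder/decoder for the X.509v3 Extension that carries an X.509-bound
SAML token (OID 1.3.6.1.4.1.3536.1.1.1.12 as shown on the slides), plus a consumer
that shows why the binding is non-critical. Added example; not GridShib code.
"""
import xml.etree.ElementTree as ET

SAML_EXT_OID = "1.3.6.1.4.1.3536.1.1.1.12"          # OID from the slides
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"    # assumed namespace (SAML 1.x)

# Constructed sample assertion, simplified exactly as the slide draws it.
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}">'
    "<saml:NameID> trscavo </saml:NameID></saml:Assertion>"
)


def _der_len(n):
    """DER length: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _der_len(len(value)) + value


def encode_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER forbids encoding a DEFAULT value, so a non-critical extension omits the BOOLEAN."""
    body = encode_oid(oid)
    if critical:
        body += _tlv(0x01, b"\xff")
    body += _tlv(0x04, value)
    return _tlv(0x30, body)


def decode_extension(der):
    """Return (oid, critical, extnValue) or raise ValueError on a malformed Extension."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = _read_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OID")
    critical = False
    tag, val, pos = _read_tlv(body, pos)
    if tag == 0x01:                       # optional critical flag is present
        critical = val == b"\xff"
        tag, val, pos = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    return decode_oid(oid_body), critical, val


def bind_saml_token(assertion_xml, critical=False):
    """Producer side (the role of gridshib-saml-issuer): wrap the assertion in the extension."""
    return encode_extension(SAML_EXT_OID, assertion_xml.encode("utf-8"), critical)


def consume_extensions(extensions, gridshib_enabled):
    """Consumer side; returns (certificate_accepted, name_id).
    A plain GT container (gridshib_enabled=False) does not know the SAML OID. Per RFC 5280
    it must reject a certificate carrying an unrecognized critical extension and ignore an
    unrecognized non-critical one, which is why the token is bound non-critically."""
    name_id = None
    for ext in extensions:
        oid, critical, value = decode_extension(ext)
        if oid == SAML_EXT_OID and gridshib_enabled:
            root = ET.fromstring(value)
            el = root.find(f".//{{{SAML_NS}}}NameID")
            name_id = el.text.strip() if el is not None and el.text else None
        elif critical:
            return False, None            # unrecognized critical extension: reject
    return True, name_id
```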

Page 23: WS-Security Token Profiles

• OASIS WS-Security Technical Committee
  • WSS X.509 Certificate Token Profile [1]
  • WSS SAML Token Profile
• Globus implements the former
• We define a new token type: X.509-bound SAML Token
• An implementation of [1] automatically handles X.509-bound SAML tokens
• No new wire protocols are needed!

Page 24: Security Tokens

[Diagram: two SOAP envelopes side by side. X.509 Token: SOAP Header carrying an X.509 certificate, then the SOAP Body. SAML Token: SOAP Header carrying a SAML assertion, then the SOAP Body.]

Page 25: Security Tokens

[Diagram: three SOAP envelopes side by side. X.509 Token: SOAP Header carrying an X.509 certificate. SAML Token: SOAP Header carrying a SAML assertion. X.509-bound SAML Token: SOAP Header carrying an X.509 certificate that itself contains the SAML assertion. Each is followed by the SOAP Body.]

Page 26: GridShib-enabled GSI

A non-browser user binds a SAML assertion to a proxy certificate and initiates a grid request on her own behalf.

Page 27: GridShib for GT

• GridShib for GT (GS4GT) is a plug-in for GT 4.x
  • GS4GT is compatible with both GT 4.0 and 4.2
• GS4GT is an implementation of a Grid Service Provider, which is analogous to a Shibboleth Service Provider, but for X.509-based grids
• GS4GT is a SAML consumer
• Used together, GridShib SAML Tools and GridShib for GT enable attribute-based access control in Globus-based grids

Page 28: GS4GT Features

• Introduces attribute-based authorization into GT
• Exposes a single comprehensive policy decision point called the GridShibPDP
• Implements an attribute push model
• Restricts access based on blacklists of IP addresses and/or name identifiers
• Provides attribute-based account mapping
• Supports optional gridmap short-circuiting
• Defines an attribute-based authorization policy language (in XML)

Page 29: GridShib-enabled GSI

[Diagram: GT4 Client: GridShib SAML Tools take the end entity credential and key and produce a proxy credential with bound SAML; the Globus WS Client presents that proxy certificate (with SAML) to the GT4 Server. GT4 Server: the Java WS Container (with GridShib for GT) runs the GridShib SAML PIP, which writes Logs and populates the Security Context; the Globus Web Service evaluates the request against the Authz Policy and the Blacklist Policy.]

Page 30: GS4GT Configuration Files

• The SAML Entity Map maps SAML issuers to X.509 issuers
  • A SAML issuer in this file is trusted
  • The SAML Entity Map will be replaced by SAML Metadata (XML)
• A blacklist is a list of identifiers (SAML identifiers or subject DNs)
  • A user whose identifier is on the blacklist will be denied access
  • The flat file blacklist will be replaced by a database table

[Diagram: GridShib Blacklist Policy, one identifier per line (identifier1; identifier2); GridShib SAML Entity Map, one mapping per line (entityID1 DN1; entityID2 DN2)]

Page 31: GS4GT Policy Files

[Diagram: Globus Gridmap file (flat lines: DN1 username1; DN2 username2); GridShib Authz Policy (XML); GridShib Mapping Policy (XML)]

Page 32: GS4GT Policy Files

• Two separate attribute-based policy files:
  1. Authorization Policy
     [A_0, A_1, …, A_(m-1)]
  2. Username Mapping Policy
     [A_0, A_1, …, A_(m1-1)] → [user_0, user_1, …, user_(n1-1)]
     [A_0, A_1, …, A_(m2-1)] → [user_0, user_1, …, user_(n2-1)]
     …
• A single XML-based policy file may encapsulate both types of policies

Page 33: Summary

• Fine-grained, attribute-based authorization
• Introduces X.509-bound SAML tokens
  • Works at both the transport level and the message level
• No modifications to GT clients are required
  • If the service is not GridShib-enabled, the X.509-bound SAML token is simply ignored

Page 34: A Grid Authorization Model for Science Gateways

Page 35: The Science Gateway Use Case

A browser user authenticates to a grid portal. The portal issues a proxy certificate and initiates a grid request on behalf of the user.

Page 36: Classic Science Gateway

[Diagram (Pages 36–43): Web Browser → Science Gateway (Web Interface with WebAuthn; Webapp; WS GRAM Client; community credential and key; from Page 40 on, a proxy credential and proxy certificate) → Resource Provider (Java WS Container hosting the WS GRAM Service; community account)]

A science gateway is a convenient intermediary between a browser user and a grid resource provider.

Page 37: Classic Science Gateway

Each gateway is issued a community credential that uniquely identifies the gateway.

Page 38: Classic Science Gateway

Resource providers associate the community credential with a local community account.

Page 39: Classic Science Gateway

To submit a job, a browser user typically authenticates to the gateway by presenting a username and password.

Page 40: Classic Science Gateway

The gateway then issues a short-lived proxy credential signed by its community credential.

Page 41: Classic Science Gateway

The gateway submits the job on the user's behalf, authenticating as itself to the resource.

Page 42: Classic Science Gateway

The resource authenticates the gateway and maps the request to the community account based on the identity in the proxy certificate.

Page 43: Classic Science Gateway

After the job is executed, the result is returned to the browser user via the gateway web interface.

Page 44: Community Account Model: The Good

• The Community Account Model
  • simplifies the user experience
  • simplifies gateway implementation and deployment
  • simplifies gridmap file management at the RP
• A community credential is issued to each gateway
• A single community account is created at the RP
• The gateway issues proxy certificates and makes grid requests on behalf of the user

Page 45: Community Account Model: The Bad

• The community account model has some significant drawbacks, however:
  • End user identity is unknown to the RP
  • Coarse-grained access control at the resource (by design)
  • Awkward approach to auditing and incident response
  • In the event of an emergency, the RP is forced to disable all access to the community account
  • Less than adequate accounting mechanisms
• All this can be traced to a single problem…

Page 46: Community Account Model: The Ugly

All requests look exactly the same to the resource provider!

If the gateway would only pass the user's name and contact information to the resource provider, all previously mentioned problems would be solved.

Page 47: Grid Authorization Model

• We describe a grid authorization model that significantly increases the information flow between a science gateway and a resource provider
  • Extends the Community Account Model
  • Asserts end user identity to the RP
  • Permits fine-grained access control at the RP
  • Provides strong auditing and effective incident response
  • Allows dynamic blacklisting of problem accounts or runaway processes
• A lightweight approach that does not require new wire protocols or extensive new middleware infrastructure
• Complements existing SAML-based middleware infrastructure on today's campuses

Page 48: Grid Authorization Model

• The proposed model incorporates GridShib SAML Tools at the gateway and GridShib for GT at the resource provider
• Using GridShib SAML Tools, the gateway
  1. issues a SAML assertion containing the user's authentication context and attributes
  2. binds the SAML assertion to a proxy certificate signed by the community credential
  3. authenticates to the resource by presenting the SAML-laden proxy certificate

http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf

Page 49

[Diagram: X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway) plus key, combined with the assertion <saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>, yields the same proxy credential carrying X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12 with that assertion embedded]

Page 50: GridShib-enabled Science Gateway

A browser user authenticates to a grid portal. The portal binds a self-issued SAML assertion to a proxy certificate and initiates a grid request on behalf of the user.

Page 51: Grid Authorization Model for Gateways

[Diagram (Pages 51–63): Web Browser → Science Gateway (Web Interface with WebAuthn; Webapp holding the username and attributes; GridShib SAML Tools with the community credential and key, producing a proxy credential with bound SAML; WS GRAM Client presenting the proxy certificate) → Resource Provider (Java WS Container with GridShib for GT: the GridShib SAML PIP writes Logs and populates the Security Context; the WS GRAM Service consults the Blacklist Policy and the Authz Policy)]

An enhancement to the community account model increases the information flow between the gateway and the resource provider.

Page 52: Grid Authorization Model for Gateways

A software component called GridShib SAML Tools is integrated into the gateway portal environment.

Page 53: Grid Authorization Model for Gateways

Another software component called GridShib for GT is deployed at the resource provider.

Page 54: Grid Authorization Model for Gateways

These two GridShib software components produce and consume Security Assertion Markup Language (SAML) tokens.

Page 55: Grid Authorization Model for Gateways

Again the browser user authenticates to the gateway by presenting a username and password.

Page 56: Grid Authorization Model for Gateways

This time the gateway uses the GridShib SAML Tools to issue an X.509-bound SAML token.

Page 57: Grid Authorization Model for Gateways

[Diagram detail: X.509 Proxy Credential (Issuer: Science Gateway; Subject: Science Gateway) plus key, carrying X509v3 extension 1.3.6.1.4.1.3536.1.1.1.12: <saml:Assertion> <saml:NameID> trscavo </saml:NameID></saml:Assertion>]

The SAML token bound to the proxy certificate contains the name of the end user and other user attributes (e.g., e-mail).

Page 58: Grid Authorization Model for Gateways

The gateway authenticates as itself to the resource provider, presenting the proxy certificate with bound SAML token.

Page 59: Grid Authorization Model for Gateways

The GridShib SAML policy information point (PIP) extracts the SAML token from the proxy certificate, parses it, and writes the information to a log file.

Page 60: Grid Authorization Model for Gateways

The security information in the SAML token is also used to populate a SAML security context within the container.

Page 61: Grid Authorization Model for Gateways

The service compares the information in the security context to the blacklist, denying access if any request info is on the blacklist.

Page 62: Grid Authorization Model for Gateways

The service combines the information in the security context with its access control policy, allowing access if and only if policy is satisfied.

Page 63: Grid Authorization Model for Gateways

As before, after the service executes the job, the result is returned to the browser user via the gateway web interface.

Page 64: GridShib-enabled Science Gateway

• Simple installation and configuration of GridShib SAML Tools at the gateway
  • Includes GridShib Security Framework
  • Exposes both a command-line interface and a Java API
• End user identity and contact information (e.g., e-mail) transmitted to RP
• Push much of the responsibility for auditing and incident response back onto the RP
• Big Advantage: No need to shut down the entire gateway in the event of an incident!

Page 65: User Attributes

• Gateway entityID: https://gridshib.gisolve.org/idp
• Subject name identifier: [email protected]
• Authentication statement
  • authentication method: urn:oasis:names:tc:SAML:1.0:am:password
  • authentication instant: 2007-08-02T12:10:34-0400
  • IP address: 10.81.193.244
• Attribute statement
  • isMemberOf attribute: group://gisolve.org/gisolve
  • mail attribute: [email protected]

Page 66: GridShib-enabled Resource Provider

• The end user and the end user's contact information (and other attributes) are logged
• Effective auditing and incident response
  • Blacklist an IP address or name identifier on demand
• Exposes a SAML security context
  • Fine-grained, attribute-based access control
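An added model (not GS4GT's code) of the GridShib-enabled resource provider's decision flow from Pages 30, 32 and 59–62: entity-map check, blacklist, attribute-based authorization, attribute-based account mapping, with the optional gridmap short-circuit. The security context is constructed from the User Attributes slide; the any-match authorization semantics, the first-rule-wins mapping, the issuer-to-DN check and all policy values are assumptions standing in for GS4GT's XML policy files.

```python
"""
Model of the GS4GT decision flow described on the slides: trusted-issuer check,
blacklist, attribute-based authorization, attribute-based username mapping
(plus the optional gridmap short-circuit). Added illustration, not GS4GT code;
the dicts and lists below are simplified stand-ins for its XML policy files.
"""
from dataclasses import dataclass, field


@dataclass
class SecurityContext:
    """What the GridShib SAML PIP populates from the X.509-bound SAML token."""
    entity_id: str                     # SAML issuer (the gateway's entityID)
    name_id: str                       # subject name identifier
    ip_address: str                    # client IP from the authentication statement
    attributes: set = field(default_factory=set)   # {(name, value), ...}


# Constructed context mirroring the "User Attributes" slide (address is made up).
SAMPLE_CONTEXT = SecurityContext(
    entity_id="https://gridshib.gisolve.org/idp",
    name_id="someuser@example.org",
    ip_address="10.81.193.244",
    attributes={("isMemberOf", "group://gisolve.org/gisolve"),
                ("mail", "someuser@example.org")},
)

# SAML Entity Map: trusted SAML issuer -> X.509 issuer (community credential DN). Constructed.
ENTITY_MAP = {"https://gridshib.gisolve.org/idp": "/C=US/O=TeraGrid/CN=gisolve gateway"}

# Blacklist: name identifiers, subject DNs or IP addresses, one per line on the slide. Constructed.
BLACKLIST = {"mallory@example.org", "10.81.193.99"}

# Authorization policy [A_0, ..., A_(m-1)]; assumed semantics: any listed attribute grants access.
AUTHZ_POLICY = [("isMemberOf", "group://gisolve.org/gisolve")]

# Mapping policy: required attribute set -> [user_0, ..., user_(n-1)]; first matching rule wins (assumed).
MAPPING_POLICY = [
    ({("isMemberOf", "group://gisolve.org/admins")}, ["gisolve_admin"]),
    ({("isMemberOf", "group://gisolve.org/gisolve")}, ["gisolve01", "gisolve02"]),
]


def decide(ctx, gateway_dn, gridmap=None, requested_user=None):
    """Return (allowed, local_username, reason) for one request.
    gateway_dn is the issuer DN of the presented proxy certificate; gridmap, if given,
    is {DN: [usernames]} and models the optional gridmap short-circuit."""
    # 1. The SAML issuer must be in the entity map and must match the credential
    #    that signed the proxy; otherwise the attributes are not trusted (assumed check).
    if ENTITY_MAP.get(ctx.entity_id) != gateway_dn:
        return False, None, "untrusted SAML issuer"
    # 2. Blacklist: deny if any identifier in the request is listed.
    for ident in (ctx.name_id, ctx.ip_address, gateway_dn):
        if ident in BLACKLIST:
            return False, None, f"blacklisted: {ident}"
    # 3. Optional gridmap short-circuit: a DN already in the gridmap keeps its
    #    identity-based mapping and skips the attribute policies (assumed semantics).
    if gridmap and gateway_dn in gridmap:
        return True, gridmap[gateway_dn][0], "gridmap short-circuit"
    # 4. Attribute-based authorization.
    if not any(req in ctx.attributes for req in AUTHZ_POLICY):
        return False, None, "no attribute satisfies authz policy"
    # 5. Attribute-based account mapping.
    for required, users in MAPPING_POLICY:
        if required <= ctx.attributes:
            if requested_user is None:
                return True, users[0], "mapped by attribute policy"
            if requested_user in users:
                return True, requested_user, "mapped by attribute policy"
            return False, None, "requested account not permitted"
    return False, None, "no mapping rule matched"
```

Because the name identifier and client IP travel in the token, a single blacklist entry stops one user without touching the community credential that every other gateway user shares.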

Page 67: Comparison with VOMS

• Virtual Organization Membership Service
  • The most successful grid authorization model today
• VOMS binds X.509 attribute certificates (instead of SAML) to proxy certificates
• VOMS requires the requester to be the subject; VOMS will not issue an AC to a requester acting on behalf of the subject
• Therefore, a gateway cannot call out to a VOMS server to obtain attributes for a user
• Conclusion: VOMS cannot be used as a basis for gateway security

Page 68: TeraGrid 08 The Third Annual TeraGrid Conference

http://gridshib.globus.org/

Integration with TeraGrid Central Database

Resource Provider

GridShibSAML PIP

GridShibSAML PIP

WS GRAM Service

WS GRAM Service

PolicyLogs

Java WS Container(with GridShib for GT)

Security Context

Security table

GRAM audit table

TGCDB

AMIEupload

The GridShib-enhanced community account model

permits fine-grained access control and effective incident

response at the resource.

Page 69: TeraGrid 08 The Third Annual TeraGrid Conference

http://gridshib.globus.org/

Integration with TeraGrid Central Database

Resource Provider

GridShibSAML PIP

GridShibSAML PIP

WS GRAM Service

WS GRAM Service

PolicyLogs

Java WS Container(with GridShib for GT)

Security Context

Security table

GRAM audit table

TGCDB

AMIEupload

Since each request is now associated with a unique end

user, we push job info to TeraGrid Central for

improved auditing and accounting.

Page 70: TeraGrid 08 The Third Annual TeraGrid Conference

http://gridshib.globus.org/

Integration with TeraGrid Central Database

Resource Provider

GridShibSAML PIP

GridShibSAML PIP

WS GRAM Service

WS GRAM Service

PolicyLogs

Java WS Container(with GridShib for GT)

Security Context

Security table

GRAM audit table

TGCDB

AMIEupload

First, the security context associated with each

incoming request is captured in a security table.

Page 71

Integration with TeraGrid Central Database

[Diagram: same Resource Provider architecture; the WS GRAM Service is highlighted writing to the GRAM audit table.]

Likewise the disposition of every job request is captured in an enhanced GRAM audit table.

Page 72

Integration with TeraGrid Central Database

[Diagram: same Resource Provider architecture; the AMIE upload is highlighted joining the Security table and GRAM audit table and sending the result to the TGCDB.]

An AMIE process joins these two tables and pushes an information packet to the TeraGrid Central Database.

Page 73

Integration with TeraGrid Central Database

[Diagram: same Resource Provider architecture; the TGCDB is highlighted as the source of per-user accounting records for the gateway.]

A gateway can query the TGCDB for individual accounting records, permitting fine-grained accounting at the gateway.

Page 74

Integration with TeraGrid Central Database

[Diagram: same Resource Provider architecture; the TGCDB is highlighted as the source of aggregate accounting data for TeraGrid administrators.]

TeraGrid administrators can query the TGCDB for aggregate accounting data for the purposes of NSF reporting and planning.
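As an added example (not GridShib, GRAM or AMIE code), the following Python models the pipeline of slides 70 to 74 with an in-memory SQLite database: a security table holding the per-request security context, a GRAM audit table holding each job's disposition, an AMIE-style join that yields one packet per job attributable to an end user, and the two consumers of the result (the gateway's per-user accounting and the administrators' aggregate). Table and column names and all rows are constructed assumptions, not the real TeraGrid schema.

```python
import sqlite3

# Constructed sample data (not real TeraGrid records).  The security context
# the GridShib SAML PIP captured per request: the gateway's DN plus the end
# user and campus IdP asserted in the SAML token.  Column names are assumed.
SECURITY_ROWS = [
    ("req-1", "/DC=org/DC=tg/CN=gateway-a", "alice@campus-x.edu", "idp.campus-x.edu"),
    ("req-2", "/DC=org/DC=tg/CN=gateway-a", "bob@campus-y.edu", "idp.campus-y.edu"),
    ("req-3", "/DC=org/DC=tg/CN=gateway-a", "alice@campus-x.edu", "idp.campus-x.edu"),
]
# The GRAM audit record for the same request: job id, disposition, usage.
GRAM_AUDIT_ROWS = [
    ("req-1", "job-101", "SUCCESS", 12.5),
    ("req-2", "job-102", "FAILED", 0.0),
    ("req-3", "job-103", "SUCCESS", 40.0),
]

def build_rp_db():
    """Create the resource provider's security and GRAM audit tables."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE security_table (request_id TEXT PRIMARY KEY,
            gateway_dn TEXT, end_user TEXT, idp TEXT);
        CREATE TABLE gram_audit (request_id TEXT PRIMARY KEY,
            job_id TEXT, disposition TEXT, cpu_hours REAL);
    """)
    con.executemany("INSERT INTO security_table VALUES (?,?,?,?)", SECURITY_ROWS)
    con.executemany("INSERT INTO gram_audit VALUES (?,?,?,?)", GRAM_AUDIT_ROWS)
    return con

def amie_packets(con):
    """Join the two tables on the request id, as the AMIE upload does: each
    packet now names a unique end user, not just the gateway's community DN."""
    return con.execute("""
        SELECT a.job_id, s.gateway_dn, s.end_user, s.idp, a.disposition, a.cpu_hours
        FROM gram_audit a JOIN security_table s USING (request_id)
        ORDER BY a.job_id""").fetchall()

def gateway_usage(packets, gateway_dn):
    """Gateway-side fine-grained accounting: CPU hours of successful jobs per end user."""
    usage = {}
    for _job, gw, user, _idp, disposition, hours in packets:
        if gw == gateway_dn and disposition == "SUCCESS":
            usage[user] = usage.get(user, 0.0) + hours
    return usage

def admin_aggregate(packets):
    """Administrator view for reporting: (job count, total CPU hours) per gateway."""
    agg = {}
    for _job, gw, _user, _idp, _disposition, hours in packets:
        jobs, total = agg.get(gw, (0, 0.0))
        agg[gw] = (jobs + 1, total + hours)
    return agg
```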

Page 75

Gateway Job Accounting

[Diagram courtesy of Stu Martin: a GT4 Java Container with Delegation, ResourceManager, MJFS, MEJS, RFT, SEG, RM adapter, RM log, RM Accounting and sudo'd User Job(s). The Client/Gateway creates a job and gets an EPR, then controls the job with the EPR. At the TeraGrid Resource Provider (RP), the Core Audit Table, RFT Audit Table, Deleg Audit Table and GRAM Audit Table are exposed via OGSA-DAI; the gateway locally converts the EPR to a Grid JID, queries using the Grid JID, and receives a reply with the accounting record. Local AMIE Accounting uploads (AMIE upload) to the Central TG Accounting DB. Notes on the diagram: get unique user ID; no changes required to AMIE; DAI provides virtualization for the audit and accounting DBs.]

Page 76

Benefits of TGCDB Integration

The gateway can query the TGCDB (via OGSA-DAI) and implement local, fine-grained accounting mechanisms

TeraGrid administrators can obtain aggregate accounting data for NSF reporting and planning

Page 77

TeraGrid Deployment Strategy

1. GridShib SAML Tools at the Gateway
• http://www.teragridforum.org/mediawiki/index.php?title=Science_Gateway_Credential_with_Attributes

2. GridShib for GT at the RP
• Integrate GS4GT into CTSS4

3. Integrate with TeraGrid Central Database
• Retrofit GRAM 4.0 Audit with end user identity
• Assist with the design and implementation of GRAM 4.2 Audit (in particular, the security table)

Page 78

A Federated Identity Model for Science Gateways

Page 79

Federated Identity

The long term vision is to introduce federated identity at the science gateway

Shibboleth, an open-source implementation of the SAML Browser Profiles, provides:
• Ubiquity
• Manageability
• Usability
• Security

Since Shibboleth is based on SAML, our model complements existing campus infrastructure

Page 80

WebAuthn

[Diagram: the Web Browser presents a username to the Web Interface (Webapp holding attributes) at the Science Gateway; the GridShib SAML Tools, using the community credential and its Key, feed the WS GRAM Client, which calls the WS GRAM Service in the Java WS Container (with GridShib for GT) and GridShib SAML PIP at the Resource Provider.]

It is well-known that password management at the gateway is a significant administrative burden for both the gateway and the end user.

Page 81

WebAuthn

[Diagram: as before, with a SAML Service Provider placed in front of the gateway's Web Interface and a SAML Identity Provider added on the browser-facing side.]

To avoid having to manage passwords at the gateway, we propose a federated identity solution on the browser-facing side of the gateway.

Page 82

WebAuthn

[Diagram: as before; the SAML Identity Provider is highlighted.]

A third-party Identity Provider on each campus manages user identity and credentials.

Page 83

WebAuthn

[Diagram: as before; the SAML Service Provider protecting the gateway is highlighted.]

The gateway, which is protected by a Service Provider, trusts the Identity Provider to authenticate the browser user.

Page 84

WebAuthn

[Diagram: as before; the SAML Service Provider and SAML Identity Provider are highlighted.]

Since we're already invested in SAML on the back end, we prefer an implementation of the standard SAML browser profiles (such as Shibboleth).

Page 85

WebAuthn

[Diagram: as before; the Web Browser is shown authenticating to the SAML Identity Provider.]

A browser user authenticates to their preferred campus Identity Provider instead of the science gateway.

Page 86

WebAuthn

[Diagram: as before; a SAML Assertion flows from the SAML Identity Provider to the Web Browser.]

The SAML Identity Provider issues a SAML token that the user transmits to the gateway via the browser.

Page 87

WebAuthn

[Diagram: as before; the SAML Assertion flows from the Web Browser to the SAML Service Provider in front of the gateway.]

The SAML Service Provider protecting the gateway consumes the SAML token in lieu of a username/password.

Page 88

WebAuthn

[Diagram: as before; the GridShib SAML Tools use the community credential (Key) to issue a proxy credential carrying SAML plus a Key.]

The gateway issues a combined SAML token containing both campus attributes and local attributes.

Page 89

WebAuthn

[Diagram: as before; the WS GRAM Client presents the proxy certificate (SAML plus Key) to the WS GRAM Service at the Resource Provider.]

The gateway authenticates as itself to the resource provider, presenting the combined X.509-bound SAML token.

Page 90

WebAuthn

[Diagram: as before; at the Resource Provider, the GridShib SAML PIP builds the Security Context from the proxy certificate and writes Logs.]

Since the gateway did not authenticate the end user directly, the resource provider must decide if it trusts the combined SAML token.

Page 91

WebAuthn

[Diagram: as before; the Resource Provider evaluates the Security Context against an Authz Policy and a Blacklist Policy.]

In the case of federated identity, access control policy at the resource provider is more complex since a third security domain is involved.
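As an added example (not GridShib for GT code), the following Python models the resource provider's decision on a combined token from slides 88 to 91: the token is bound to an X.509 proxy signed by the gateway, it carries campus attributes vouched for by a campus Identity Provider and local attributes added by the gateway, and the RP checks all three domains (gateway, campus, and its own Authz and Blacklist policies). The policy sets, the attribute names and the tokens are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class CombinedToken:
    """Model of the gateway-issued SAML token bound to a proxy certificate.
    Field names are assumptions, not the GridShib token format."""
    issuer_dn: str        # gateway DN that signed the SAML token
    proxy_signer_dn: str  # DN that signed the proxy certificate carrying it
    campus_idp: str       # entityID of the campus Identity Provider
    end_user: str         # identity asserted by the campus IdP
    campus_attrs: dict = field(default_factory=dict)  # from the campus IdP
    local_attrs: dict = field(default_factory=dict)   # added by the gateway

# Constructed RP policy.  Three security domains are involved, so each one
# gets its own trust anchor or rule.
TRUSTED_GATEWAYS = {"/DC=org/DC=tg/CN=gateway-a"}     # gateway domain
TRUSTED_CAMPUS_IDPS = {"https://idp.campus-x.edu/idp"}  # campus domain
BLACKLISTED_USERS = {"mallory@campus-x.edu"}           # RP Blacklist Policy
ALLOWED_AFFILIATIONS = {"member", "faculty"}           # RP Authz Policy
ALLOWED_GATEWAY_ROLES = {"user", "developer"}          # RP Authz Policy

def rp_decide(tok):
    """Resource provider decision on a combined token: (allowed, reason)."""
    # Gateway domain: the token and the proxy it rides in must both come
    # from a gateway this RP trusts, and from the same one.
    if tok.issuer_dn not in TRUSTED_GATEWAYS:
        return False, "untrusted gateway issuer"
    if tok.proxy_signer_dn != tok.issuer_dn:
        return False, "SAML token not bound to the presenting proxy"
    # Campus domain: the gateway never authenticated the user itself, so the
    # RP must decide whether it trusts the campus IdP behind the attributes.
    if tok.campus_idp not in TRUSTED_CAMPUS_IDPS:
        return False, "untrusted campus IdP"
    # RP domain: blacklist first, then authorization on both attribute sets.
    if tok.end_user in BLACKLISTED_USERS:
        return False, "end user blacklisted at RP"
    if tok.campus_attrs.get("affiliation") not in ALLOWED_AFFILIATIONS:
        return False, "campus affiliation not permitted by authz policy"
    if tok.local_attrs.get("gatewayRole") not in ALLOWED_GATEWAY_ROLES:
        return False, "gateway role not permitted by authz policy"
    return True, "allowed"
```

Because the token is evaluated per end user rather than per community account, a blacklist hit blocks one person without revoking the gateway's community credential.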

Page 92

WebAuthn

[Diagram: the complete flow, from Web Browser and SAML Identity Provider through the SAML Service Provider and gateway to the Resource Provider's Security Context, Logs, Authz Policy and Blacklist Policy.]

SAML Web Browser SSO closes the loop for complete end-to-end flow of security information

Page 93

Federated Identity Model for Gateways

[Diagram: a Browser interacts with a Shibboleth Identity Provider (Shibboleth SSO Service and GridShib-enabled Attribute Service) and a TeraGrid Science Gateway (Shib-enabled Grid Portal and GridShib-enabled Grid Client), which in turn contacts a GridShib-enabled Grid SP. Labelled flows A to D carry SAML Requests and Responses with SAML Assertions; the gateway holds an X.509 end entity credential (Key) and issues an X.509 proxy credential (Key) whose X.509 proxy certificate carries the SAML to the Grid SP.]

Page 94

Birds-of-a-Feather Session

Page 95

Is your gateway infrastructure built on a JEE portal framework?

If so, which one? If not, what application server do you use?

Page 96

Is your gateway security framework built on the community credential model?

If not, describe your security framework.

Page 97

Do you use MyProxy? If not, is the community credential stored in the file system?

Page 98

In your application server environment, how easy is it to obtain the following information:
• Username
• Authentication instant
• IP address
• E-mail address

Does your portal framework provide an API to obtain this information or do you have to query a database?

Page 99

Does your gateway control its own DNS domain?

If not, what is the URL of your gateway? [relate this to "scope"]

Page 100

Acknowledgments

Original Project PIs Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist

Developers Rachana Ananthakrishnan, Jim Basney, Tim Freeman, Raj Kettimuthu, Terry Fleury, Tom Scavo

The GridShib work was funded by the NSF National Middleware Initiative (NMI awards 0438424 and 0438385). Opinions and recommendations in this paper are those of the authors and do not necessarily reflect the views of NSF.

The Science Gateway integration work is funded by the NSF TeraGrid Grid Integration Group through a sub-award to NCSA.

Page 101

Thank you!

GridShib

http://gridshib.globus.org/