GridShib CIP Seminar December 6th, 2005 - PowerPoint PPT Presentation

Title: GridShib: Shibboleth for Grids
Author: Von Welch
Last modified by: Tom Scavo
Created: 10/31/2004 6:42:01 PM
Format: PowerPoint PPT presentation

Transcript and Presenter's Notes

1
GridShib CIP Seminar, December 6th, 2005
  • Tom Scavo
  • trscavo@ncsa.uiuc.edu
  • Von Welch
  • vwelch@ncsa.uiuc.edu
  • NCSA

2
What is GridShib?
  • NSF NMI project to allow the use of
    Shibboleth-issued attributes for authorization in
    NMI Grids built on the Globus Toolkit
  • Funded under the NSF NMI program
  • GridShib team: NCSA, U. Chicago, ANL
  • Tom Barton, David Champion, Tim Freemon, Kate
    Keahey, Tom Scavo, Frank Siebenlist, Von Welch
  • Working in collaboration with Steven Carmody,
    Scott Cantor, Bob Morgan and the rest of the
    Internet2 Shibboleth Design team

3
Outline
  • Distributed systems authentication - some history
  • Attribute-based access control - why?
  • Grid Security Overview
  • Shibboleth Overview
  • GridShib

4
The single system story
5
Along came more systems
6
And more passwords
7
Enterprise Authentication
  • Central authentication for a number of systems in
    an organization
  • Simply put, one central authority at a site for
    your password instead of each computer having its
    own.
  • A number of systems exist:
  • Kerberos, Windows Domains, Radius, NIS, LDAP, etc.

8
Enterprise Auth
9
Ok, the world is good now?
  • Well, it's better, inside a single organization
    at least.
  • But what happens when you want to log in somewhere
    else?

10
Along come other sites
(Figure: NCSA, SDSC and other sites, each with its own password)
11
And more passwords
12
And then came the Web
(Figure: web sites such as Amazon, Ebay, travelocity, NYTimes, AA.com, Gmail and MyBank, plus NCSA, each with its own password)
13
Inter-site authentication
  • All this created a huge usability problem for
    users
  • Multiple passwords hard to manage
  • Cumbersome to enter passwords over and over
  • A number of approaches have been tried to solve
    these problems
  • Both in the web and computing worlds
  • We present a brief survey here
  • Starting with the computing world

14
Site-to-Site Federations
  • Sites agree to couple their authentication
    systems
  • E.g., Kerberos, Radius
  • Works but is difficult
  • Requires interoperable site authentication
    systems
  • Requires that sites agree at the highest level;
    since systems like Kerberos protect the most
    trusted assets, this can be hard.

15
SSH Public keys
  • SSH allows a user to establish their own keys
    that they can use to log into any computer
  • User establishes their own network
  • Works well, but
  • Requires sites to support SSH
  • Much easier than Kerberos
  • User-managed
  • Keys must be everywhere for this to work
  • If a key is compromised, how do we clean up? How do
    we even know?

16
X.509 Certificates
  • E.g., Grid
  • Each user gets a private key and a global
    identity
  • A certificate allows the key to be lost, but the
    identity to persist
  • But
  • Still user-managed keys as with SSH
  • Getting certificates can be a pain

17
Online X.509 Certificate Authorities
  • Started for the web
  • U. Michigan KCA
  • Now used in the Grid
  • KCA @ FNAL, MyProxy
  • Turn local authentication into an X.509 certificate
    that can be used globally
  • Allows sites to federate by turning local
    authentication into a standard format (X.509)

18
Meanwhile, on the web
19
Microsoft Passport
  • One authentication server for all users on the
    web that holds their password
  • Major sociological issues
  • No one wants to trust Microsoft to hold their
    password to everything
  • No one wants Microsoft to know what web sites
    they are using
  • Probably is no single entity that would be trusted

20
Liberty Alliance
  • In response to Passport
  • Allows users to link their accounts together
  • E.g., I can say vwelch@Ebay is also
    vonwelch@amazon is also vsw@paypal
  • I log into one site, it can tell others I've
    logged in and they don't have to re-authenticate
    me
  • Was a strong motivation for SAML

21
Shibboleth
  • From higher-education community
  • Motivated by university users wanting access to
    databases and online libraries
  • Allows a site to express local authentication in a
    standard format (SAML)
  • Also allows a site to express attributes about a
    user in a standard format (eduPerson)
  • E.g., student, professor, department
  • Growing adoption; federations of sites that
    allow cross-site authentication

22
Summary
  • There has been an explosion of passwords as more
    systems and web services have emerged
  • Intra-site is largely well controlled with
    various solutions, but inter-site is still
    unsolved
  • Both the web and computing community have come up
    with solutions

23
Outline
  • Distributed systems authentication - some history
  • Attribute-based access control - why?
  • Grid Security Overview
  • Shibboleth Overview
  • GridShib

24
Attribute-based authorization
  • So far we've talked about identity-based
    authorization
  • E.g., vwelch can access this web
    page/computer/bank account/etc.
  • Authentication: establishing who you are
  • Authorization: establishing that you are allowed to
    do something
  • This works well when you are providing a service
    to a relatively small number of people

25
Attribute-based authorization
  • Often it's more scalable to talk about
    authorization based on attributes
  • E.g., any NCSA staff member can access this web
    page
  • E.g., any UIUC staff member or student can use the
    library
  • So often the process is: authentication (who),
    establish attributes (what), and use those
    attributes to decide if something is allowed

26
Outline
  • Distributed systems authentication - some history
  • Attribute-based access control - why?
  • Grid Security Overview
  • Shibboleth Overview
  • GridShib

27
Grid Security: The Grid Security Infrastructure
  • The Grid Security Infrastructure (GSI) is a set
    of tools, libraries and protocols used in Globus
    to allow users and applications to securely
    access resources.
  • Based on a public key infrastructure, with
    certificate authorities and X.509 certificates

28
GSI Credentials
  • In the GSI system each user has a set of
    credentials they use to prove their identity on
    the grid
  • Consists of an X.509 certificate and private key
  • The long-term private key is kept encrypted with a
    pass phrase
  • Good for security, inconvenient for repeated usage

29
Certificates
  • An X.509 certificate binds a public key to a name
  • It includes a name and a public key (among other
    things) bundled together and signed by a trusted
    party (Issuer)

30
Certificates
  • Similar to a passport or driver's license

31
Certificates
  • By checking the signature, one can determine that
    a public key belongs to a given user.

(Figure: signature check: hash the certificate contents, decrypt the signature with the public key from the Issuer, and compare the two hashes)
32
Certificate Authorities (CAs)
  • A Certificate Authority is an entity that exists
    only to sign user certificates
  • The CA signs its own certificate, which is
    distributed in a trusted manner

33
Grid CAs
  • There are a large number of Grid CAs
  • http://www.gridpma.org/
  • Currently this is an X.509 system that users may
    join by getting a certificate
  • This X.509 system is independent of the user's
    local authentication system

34
Grid Online CAs
  • Usability issues with user-managed certificates
    have driven interest in online CAs
  • E.g., FNAL, NERSC, KCA, MyProxy
  • This may lead to a federated style of
    authentication

35
Outline
  • Distributed systems authentication - some history
  • Attribute-based access control - why?
  • Grid Security Overview
  • Shibboleth Overview
  • GridShib

36
What is Shibboleth?
  • Shibboleth provides cross-domain single sign-on
    and attribute-based authorization while
    preserving user privacy
  • Shibboleth is simultaneously
  • A project
  • A specification
  • An implementation

37
Shibboleth Project
  • Shibboleth, a project of Internet2-MACE
  • Advocates a federated identity management policy
    framework focused on user privacy
  • Develops middleware architectures to facilitate
    inter-institutional attribute sharing
  • Manages an open source reference implementation
    of the Shibboleth spec
  • Shibboleth has made significant contributions to
    the SAML-based identity management space

38
Collaborations
(Figure: Shibboleth collaborates with Internet2, E-Auth, OASIS, Liberty, Educause and vendors)
39
Shibboleth Specification
  • Shibboleth is an extension of the SAML 1.1
    browser profiles
  • Shibboleth Browser/POST Profile
  • Shibboleth Browser/Artifact Profile
  • Shibboleth Attribute Exchange Profile
  • See the Shibboleth spec for details: S. Cantor et
    al., Shibboleth Architecture: Protocols and
    Profiles. Internet2-MACE, 10 September 2005.

40
Shibboleth Implementation
  • The Shibboleth implementation consists of two
    components
  • Shibboleth Identity Provider
  • Shibboleth Service Provider
  • The Identity Provider is a J2EE webapp
  • The Service Provider is a C Apache module
  • A pure Java Service Provider is in beta

41
The Shibboleth Wiki
  • For example, the Shibboleth wiki (hosted at
    ohio-state.edu) is shibbolized:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
  • To edit wiki pages, a user must be known to the
    wiki
  • Users have wikiNames but do not have wiki
    passwords
  • Users log into their home institution, which
    asserts user identity to the wiki

42
(No Transcript)
43
Shib Browser Profile
  • The user clicks the link "Login via InQueue IdP"
  • This initiates a sequence of steps known as the
    Shibboleth Browser Profile

(Figure: browser profile flow, steps 1-8, among the CLIENT, InQueue, the UIUC IdP and the OSU wiki)
44
(No Transcript)
45
Shib Browser Profile
  • InQueue provides a "Where Are You From?" service
  • The user chooses their preferred identity
    provider from a menu

46
(No Transcript)
47
Shib Browser Profile
  • The user is redirected to the UIUC login page
  • After login, the user is issued a SAML assertion
    and redirected back to the wiki

48
(No Transcript)
49
Shib Browser Profile
  • After validating the assertion, the wiki@OSU
    retrieves user attributes via a back-channel Shib
    attribute exchange

50
Asserting Identity
  • Initially, the user is unknown to the wiki
  • After querying the home institution, the wiki
    knows the user's identity
  • trscavo-uiuc.edu is wiki-speak for
    trscavo@uiuc.edu
  • The latter is eduPersonPrincipalName, an identity
    attribute asserted by the user's home institution

51
OpenIdP.org
  • By design, a user with an account at an
    institution belonging to InCommon, InQueue, or
    SDSS can log into the wiki:
    https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/WebHome
  • Other users can register at openidp.org, which is
    a zero-admin Shibboleth IdP
  • The openidp asserts an alternate form of identity
    (email addresses as opposed to eduPersonPrincipalName)

52
The Actors
  • Identity Provider
  • The Identity Provider (IdP) creates, maintains,
    and manages user identity
  • A Shibboleth IdP produces SAML assertions
  • Service Provider
  • The Service Provider (SP) controls access to
    services and resources
  • A Shibboleth SP consumes SAML assertions

(Figure: Identity Provider components: Authentication Authority, Attribute Authority, SSO Service, Artifact Resolution Service; Service Provider components: Assertion Consumer Service, Attribute Requester, Resource)
53
Shib SSO Profiles
  • Shibboleth SSO profiles are SP-first
  • Shibboleth specifies an Authentication Request
    Profile
  • Shibboleth Browser/POST Profile = Shib Authn
    Request Profile + SAML Browser/POST Profile
  • Shibboleth Browser/Artifact Profile = Shib
    Authn Request Profile + SAML
    Browser/Artifact Profile

54
Shib AuthN Request Profile
  • A Shibboleth authentication request is an
    ordinary GET request:
    https://idp.org/shibboleth/SSO?providerId=https://sp.org/shibboleth/&shire=https://sp.org/shibboleth/SSO&target=https://sp.org/myresource&time=1102260120
  • The client is redirected to this location after
    requesting a protected resource at the SP without
    a security context
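As an added example (not Shibboleth's own code), the request above built the way an SP would and then validated the way an IdP would; the metadata table and the 300-second freshness window are assumptions, not values from the slides:

```python
"""Shibboleth 1.x authentication request, SP and IdP sides (added example,
not Shibboleth's own code).

build_authn_request produces the redirect URL shown on the slide. The IdP-side
parse_authn_request checks that all four parameters are present, that the
shire belongs to the providerId according to (constructed) metadata, and that
the request is fresh. The freshness window is an assumed value."""
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_AGE_SECONDS = 300   # assumption: oldest request the IdP still accepts

# Constructed metadata: providerId -> the assertion consumer (shire) URLs
# a federation would have published for that SP.
SAMPLE_METADATA = {
    "https://sp.org/shibboleth/": {"https://sp.org/shibboleth/SSO"},
}


def build_authn_request(idp_sso_url, provider_id, shire, target, now):
    """Return the URL the SP redirects the browser to (providerId, shire,
    target and time, each URL-encoded since three of them are URLs)."""
    params = {"providerId": provider_id, "shire": shire,
              "target": target, "time": str(int(now))}
    return f"{idp_sso_url}?{urlencode(params)}"


def parse_authn_request(url, now, metadata):
    """IdP side: return the request parameters as a dict, or raise ValueError."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    required = ("providerId", "shire", "target", "time")
    missing = [p for p in required if p not in query]
    if missing:
        raise ValueError("missing parameter(s): " + ", ".join(missing))
    req = {p: query[p][0] for p in required}
    # Only send the assertion to a location the federation metadata lists
    # for this SP; an unregistered shire would deliver it somewhere else.
    if req["shire"] not in metadata.get(req["providerId"], ()):
        raise ValueError("shire is not a registered endpoint of providerId")
    try:
        age = int(now) - int(req["time"])
    except ValueError:
        raise ValueError("time is not an integer") from None
    if not 0 <= age <= MAX_AGE_SECONDS:   # assumed clock-skew/replay window
        raise ValueError(f"request is {age}s old")
    return req


if __name__ == "__main__":
    now = 1102260120
    url = build_authn_request("https://idp.org/shibboleth/SSO",
                              "https://sp.org/shibboleth/",
                              "https://sp.org/shibboleth/SSO",
                              "https://sp.org/myresource", now)
    print(url)
    print(parse_authn_request(url, now + 10, SAMPLE_METADATA))
```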

55
Shib Browser/POST Profile
  • Browser/POST is an SP-first profile
  • The IdP produces an assertion at step 4, which
    the SP consumes at step 5

(Figure: Browser/POST flow, steps 1-8, between the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Resource))
56
Shib Attribute Exchange
  • A Shibboleth SP often queries an IdP for
    attributes after validating an authN assertion
  • An opaque, transient identifier called a handle
    is embedded in the authN assertion
  • The SP sends a SAML AttributeQuery message with
    handle attached

57
Browser/POST Profile
  • The first 5 steps of this profile are identical
    to ordinary Browser/POST
  • Before redirecting the Client to the Resource
    Manager, the SP queries for attributes via a
    back-channel exchange

(Figure: Browser/POST with attribute exchange, steps 1-10, between the CLIENT, the Identity Provider (Authentication Authority, Attribute Authority, SSO Service) and the Service Provider (Assertion Consumer Service, Attribute Requester, Resource))
58
Directory Schema
  • Neither Shibboleth nor SAML defines any attributes
    per se
  • It is left to individual deployments to define
    their own attributes
  • A standard approach to user attributes is crucial
  • Without such standards, interoperability is
    impossible

59
eduPerson
  • Internet2 and EDUCAUSE have jointly developed a
    set of attributes and associated bindings called
    eduPerson
  • The LDAP binding of eduPerson is derived from the
    standard LDAP object class called inetOrgPerson
    (RFC 2798)
  • Approximately 40 attributes have been defined by
    InCommon as common identity attributes

60
InCommon Attributes
  • InCommon's 6 highly recommended attributes

  Attribute Name              Attribute Value
  givenName                   Mary
  sn (surname)                Smith
  cn (common name)            Mary Smith
  eduPersonScopedAffiliation  student@example.org
  eduPersonPrincipalName      mary.smith@example.org
  eduPersonTargetedID         ? (eduPersonTargetedID does not have a precise value syntax)
61
Outline
  • Distributed systems authentication - some history
  • Attribute-based access control - why?
  • Grid Security Overview
  • Shibboleth Overview
  • GridShib

62
What is GridShib?
  • GridShib enables secure attribute sharing between
    Grid virtual organizations and higher-educational
    institutions
  • The goal of GridShib is to integrate the Globus
    Toolkit with Shibboleth
  • GridShib adds attribute-based authorization to
    Globus Toolkit

63
Motivation
  • Large scientific projects have spawned Virtual
    Organizations (VOs)
  • The cyberinfrastructure and software systems to
    support VOs are called grids
  • Globus Toolkit is the de facto standard software
    solution for grids
  • Grid Security Infrastructure provides basic
    security services, but does it scale?

64
Tale of Two Technologies
(Figure: bridging Grid/X.509 with Shib/SAML: a Shibboleth Federation (Shibboleth, SAML) on one side and the Grid Security Infrastructure (Grid Client, Globus Toolkit, X.509) on the other)
65
Grid Authentication
  • Globus Toolkit provides authentication services
    via X.509
  • When requesting a service, the user presents an
    X.509 certificate, usually a proxy certificate
  • GridShib leverages the existing authentication
    mechanisms in GT

66
Grid Authorization
  • Today, Globus Toolkit provides identity-based
    authorization mechanisms
  • List of attributes required to use service or
    container
  • Mapping of attributes to local identity (in
    grid-mapfiles) for job submission
  • GridShib hopes to augment identity-based
    authorization with attribute-based authorization

67
GT Authorization Framework
  • Work is underway to develop and enhance the
    authorization framework in Globus Toolkit
  • Siebenlist et al. at Argonne
  • Pluggable modules for processing authentication,
    gathering and processing attributes and rendering
    decisions
  • Work in OGSA-Authz WG to allow for callouts to
    third-party authorization services
  • E.g., PERMIS
  • Convert Attributes (SAML or X.509) into common
    format for policy evaluation
  • XACML-based

68
Why Shibboleth?
  • What does Shibboleth bring to the table?
  • A large (and growing) installed base
  • A standards-based, open source implementation
  • A standard attribute vocabulary (eduPerson)
  • A well-developed, federated identity management
    infrastructure has sprung up around Shibboleth

69
Shibboleth Federations
  • A federation
  • Provides a common trust and policy framework
  • Issues credentials and distributes metadata
  • Provides discovery services for SPs
  • Shibboleth-based federations
  • InCommon (23 members)
  • InQueue (157 members)
  • SDSS (30 members)
  • SWITCH (23 members)
  • HAKA (8 members)

70
InCommon Federation
71
Use Cases
  • There are three use cases under consideration
  • Established grid user (non-browser)
  • New grid user (non-browser)
  • Portal grid user (browser)
  • Initial efforts have concentrated on the
    established grid user (i.e., a user with existing
    long-term X.509 credentials)

72
Established Grid User
  • User possesses an X.509 end entity certificate
  • User may or may not use MyProxy Server to manage
    X.509 credentials
  • User authenticates to Grid SP with proxy
    certificate (grid-proxy-init)
  • The current GridShib implementation addresses
    this use case

73
New Grid User
  • User does not possess an X.509 end entity
    certificate
  • User relies on MyProxy Online CA to issue
    short-lived X.509 certificates
  • User authenticates to Grid SP using short-lived
    X.509 credential
  • Emerging GridShib Non-Browser Profiles address
    this use case

74
Portal Grid User
  • User does not possess an X.509 cert
  • User accesses Grid SP via a browser interface,
    that is, the client delegates a web application
    to request a service at the Grid SP
  • MyProxy issues a short-lived X.509 certificate
    via a back-channel exchange
  • GridShib Browser Profiles apply

75
Software Components
  • GridShib for Globus Toolkit
  • A plugin for GT 4.0
  • GridShib for Shibboleth
  • A plugin for Shibboleth 1.3 IdP
  • Shibboleth IdP Tester
  • A test application for Shibboleth 1.3 IdP
  • Visit the GridShib Download page:
    http://gridshib.globus.org/download.html

76
The Actors
  • Standard (non-browser) Grid Client
  • Globus Toolkit with GridShib installed (which we
    call a Grid SP)
  • Shibboleth IdP with GridShib installed

(Figure: the CLIENT, the Grid SP and the IdP)
77
GridShib Attribute Pull Profile
  • In the current implementation, a Grid SP pulls
    attributes from a Shib IdP
  • The Client is assumed to have an account (i.e.,
    local principal name) at the IdP
  • The Grid SP and the IdP have been assigned a
    unique identifier (providerId)

(Figure: attribute pull, steps 1-4, among the CLIENT, the Grid SP and the IdP)
78
GridShib Attribute Pull Step 1
  • The Grid Client requests a service at the Grid SP
  • The Client presents a standard proxy certificate
    to the Grid SP
  • The Client also provides a pointer to its
    preferred IdP

79
IdP Discovery
  • The Grid SP needs to know the Client's preferred
    IdP
  • One approach is to embed the IdP providerId in
    the proxy certificate
  • This requires modifications to the MyProxy client
    software, however
  • Currently the IdP providerId is configured into
    the Grid SP

80
GridShib Attribute Pull Step 2
  • The Grid SP authenticates the Client and extracts
    the DN from the proxy cert
  • The Grid SP queries the Attribute Authority (AA)
    at the IdP

81
Attribute Query
  • The Grid SP formulates a SAML attribute query:

      <samlp:AttributeQuery Resource="https://globus.org/gridshib">
        <saml:Subject>
          <saml:NameIdentifier
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
              NameQualifier="http://idp.uchicago.edu/shibboleth">
            CN=GridShib,OU=NCSA,O=UIUC
          </saml:NameIdentifier>
        </saml:Subject>
        <!-- AttributeDesignator here -->
      </samlp:AttributeQuery>

  • The Resource attribute is the Grid SP providerId
  • The NameQualifier attribute is the IdP providerId
  • The NameIdentifier is the DN from the proxy cert
  • Zero or more AttributeDesignator elements call
    out the desired attributes

82
GridShib Attribute Pull Step 3
  • The AA authenticates the requester and returns an
    attribute assertion to the Grid SP
  • The assertion is subject to Attribute Release
    Policy (ARP)

83
Attribute Assertion
  • The assertion contains an attribute statement:

      <saml:AttributeStatement>
        <saml:Subject>
          <saml:NameIdentifier
              Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
              NameQualifier="http://idp.uchicago.edu/shibboleth">
            CN=GridShib,OU=NCSA,O=UIUC
          </saml:NameIdentifier>
        </saml:Subject>
        <saml:Attribute
            AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
            AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
          <saml:AttributeValue>member</saml:AttributeValue>
          <saml:AttributeValue>student</saml:AttributeValue>
        </saml:Attribute>
      </saml:AttributeStatement>

  • The Subject is identical to the Subject of the
    query
  • Attributes may be single-valued or multi-valued
  • Attributes may be scoped (e.g.,
    member@uchicago.edu)
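The Grid SP side of steps 2 through 4 (build the attribute query, check that the returned Subject is the one queried, then decide on the attributes), as an added example that is not GridShib's own code; the attribute assertion it parses is constructed after the one on the slide, with one scoped value added:

```python
"""Grid SP side of the GridShib attribute pull (added example, not project code).

Builds the SAML 1.1 AttributeQuery from the slides, parses a constructed
attribute assertion, checks that the returned Subject is the one that was
queried, and applies an attribute-based decision to the result."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"   # SAML 1.x assertion namespace
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # SAML 1.x protocol namespace
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
EPA = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
ET.register_namespace("saml", SAML)
ET.register_namespace("samlp", SAMLP)


def build_attribute_query(sp_provider_id, idp_provider_id, dn, attribute_names=()):
    """Serialise the AttributeQuery: Resource is the Grid SP providerId,
    NameQualifier the IdP providerId, NameIdentifier the proxy-cert DN."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=sp_provider_id)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    name_id = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                            Format=X509_FMT, NameQualifier=idp_provider_id)
    name_id.text = dn
    for name in attribute_names:  # zero or more AttributeDesignator elements
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=SHIB_NS)
    return ET.tostring(query, encoding="unicode")


def parse_attribute_statement(xml_text, expected_dn, expected_idp):
    """Return {AttributeName: [values]} from an AttributeStatement, refusing
    one whose Subject differs from the DN/IdP that the SP actually queried."""
    root = ET.fromstring(xml_text.strip())
    tag = f"{{{SAML}}}AttributeStatement"
    stmt = root if root.tag == tag else root.find(f".//{tag}")
    if stmt is None:
        raise ValueError("no AttributeStatement in response")
    name_id = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if name_id is None or name_id.get("Format") != X509_FMT:
        raise ValueError("Subject is not an X509SubjectName")
    if ((name_id.text or "").strip() != expected_dn
            or name_id.get("NameQualifier") != expected_idp):
        raise ValueError("assertion Subject does not match the query Subject")
    attrs = {}
    for attr in stmt.findall(f"{{{SAML}}}Attribute"):
        values = [(v.text or "").strip()
                  for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        attrs.setdefault(attr.get("AttributeName"), []).extend(values)
    return attrs


def is_authorized(attrs, required_affiliation):
    """Attribute-based decision: some eduPersonAffiliation value, scoped
    (member@uchicago.edu) or unscoped (member), equals the required one."""
    return any(v.split("@", 1)[0] == required_affiliation
               for v in attrs.get(EPA, []))


# Constructed attribute assertion, modelled on the one in the slides, with
# one scoped value added to exercise the scope handling.
SAMPLE_ASSERTION = f"""
<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Subject>
    <saml:NameIdentifier Format="{X509_FMT}"
        NameQualifier="http://idp.uchicago.edu/shibboleth">
      CN=GridShib,OU=NCSA,O=UIUC
    </saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute AttributeName="{EPA}" AttributeNamespace="{SHIB_NS}">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>student@uchicago.edu</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

if __name__ == "__main__":
    dn, idp = "CN=GridShib,OU=NCSA,O=UIUC", "http://idp.uchicago.edu/shibboleth"
    print(build_attribute_query("https://globus.org/gridshib", idp, dn, [EPA]))
    attrs = parse_attribute_statement(SAMPLE_ASSERTION, dn, idp)
    print(attrs, is_authorized(attrs, "student"))
```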

84
Name Mapping
  • An IdP does not issue X.509 certs so it has no
    prior knowledge of the DN
  • Solution: Create a name mapping file at the IdP
    (similar to the grid-mapfile at the Grid SP).
    Default name mapping file:

      CN=GridShib,OU=NCSA,O=UIUC gridshib
      "CN=some user,OU=People,DC=doegrids" test

  • The DN must conform to RFC 2253
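The IdP side of the same step, as an added example that is not GridShib's code: a parser for a name mapping file in the form shown above (the DN double-quoted when it contains spaces), with RFC 2253 escapes handled and duplicate mappings of one DN rejected; the file contents are constructed after the default on the slide:

```python
"""IdP-side name mapping for GridShib (added example, not the project's code).

Parses a name-mapping file in the form the slides show, one
'<DN> <local principal>' pair per line with the DN double-quoted when it
contains spaces, and resolves the DN carried in an AttributeQuery's
NameIdentifier to a local principal."""

# Constructed file contents, modelled on the default mapping in the slides.
SAMPLE_MAPPING = """
# DN (RFC 2253) followed by the local principal name
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"""


def parse_dn(dn):
    """Split an RFC 2253 string DN into a tuple of (TYPE, value) pairs.

    Honours backslash escapes (so 'a\\,b' is one value), trims whitespace
    around each RDN and upper-cases attribute types, so the same DN written
    with different case or spacing compares equal."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    if escaped:
        raise ValueError(f"dangling escape in {dn!r}")
    rdns.append(buf)
    pairs = []
    for rdn in rdns:
        typ, sep, val = rdn.partition("=")
        if not sep or not typ.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        pairs.append((typ.strip().upper(), val.strip()))
    return tuple(pairs)


def split_entry(line):
    """Split '<DN> <principal>'; the DN is double-quoted when it has spaces."""
    if line.startswith('"'):
        end = line.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quoted DN")
        dn, rest = line[1:end], line[end + 1:]
    else:
        dn, _, rest = line.partition(" ")
    principal = rest.split()
    if not dn or len(principal) != 1:
        raise ValueError("expected '<DN> <principal>'")
    return dn, principal[0]


def load_name_mapping(text):
    """Return {parsed DN: principal}, rejecting a DN mapped to two principals."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        dn, principal = split_entry(line)
        key = parse_dn(dn)
        if key in mapping and mapping[key] != principal:
            raise ValueError(f"line {lineno}: {dn!r} already mapped to {mapping[key]!r}")
        mapping[key] = principal
    return mapping


def map_name_identifier(mapping, dn):
    """Local principal for the DN in the query's NameIdentifier, else None."""
    return mapping.get(parse_dn(dn))


if __name__ == "__main__":
    table = load_name_mapping(SAMPLE_MAPPING)
    print(map_name_identifier(table, "CN=GridShib,OU=NCSA,O=UIUC"))
```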

85
GridShib Attribute Pull Step 4
  • The Grid SP parses the attribute assertion and
    performs the requested service
  • A generalized attribute framework is being
    developed for GT
  • A response is returned to the Grid Client

86
Future Work
  • Solve the IdP Discovery problem
  • Implement shib-proxy-init
  • Implement DB-based name mapping
  • Provide name mapping maintenance tools (for
    administrators)
  • Design an interactive name registry service (for
    users)
  • Devise metadata repositories and tools

87
Shib Browser Profile
  • Consider a Shib browser profile stripped to its
    bare essentials
  • Authentication and attribute assertions are
    produced at steps 2 and 5, resp.
  • The SAML Subject in the authentication assertion
    becomes the Subject of the attribute query at
    step 4

(Figure: stripped-down browser profile, steps 1-6, among the CLIENT, the IdP and the SP)
88
GridShib Non-Browser Profile
  • Replace the SP with a Grid SP and the browser
    client with a non-browser client
  • Three problems arise
  • Client must possess X.509 credential to
    authenticate to Grid SP
  • Grid SP needs to know what IdP to query (IdP
    Discovery)
  • The IdP must map the SAML Subject to a local
    principal

89
The Role of MyProxy
  • Consider a new grid user instead of the
    established grid user
  • For a new grid user, we are led to a
    significantly different solution
  • Obviously, we must issue an X.509 credential to a
    new grid user
  • A short-lived credential is preferred
  • Enter MyProxy Online CA

90
MyProxy-first Attribute Pull
  • MyProxy with Online CA
  • MyProxy inserts a SAML authN assertion into a
    short-lived, reusable EEC
  • IdP collocated with MyProxy

(Figure: MyProxy-first attribute pull, steps 1-6, among the CLIENT, MyProxy, the IdP and the Grid SP)
91
MyProxy-first Advantages
  • Relatively easy to implement
  • Requires only one round trip by the client
  • Requires no modifications to the Shib IdP
  • Requires no modifications to the Client
  • Supports multiple authentication mechanisms
    out-of-the-box
  • Uses transparent, persistent identifiers
  • No coordination of timeouts necessary
  • Mapping to local principal is straightforward

92
IdP-first Non-Browser Profiles
  • The IdP-first profiles require no shared state
    between MyProxy and the IdP
  • Supports separate security domains
  • Leverages existing name identifier mappings at
    the IdP
  • IdP-first profiles may be used with either
    Attribute Pull or Attribute Push

93
Attribute Pull or Push?
(Figure: Attribute Pull vs. Push: in both, the user sends a request to the Grid SP and the attributes originate at the AA; in Pull the Grid SP fetches the attributes from the AA, in Push the user obtains them from the AA and sends them with the request)
94
IdP-first Attribute Pull
  • MyProxy with Online CA
  • MyProxy consumes and produces SAML authN
    assertions
  • The Client authenticates to MyProxy with a SAML
    authN assertion

(Figure: IdP-first attribute pull, steps 1-8, among the CLIENT, the IdP, MyProxy and the Grid SP)
95
IdP-first Attribute Push
  • The IdP pushes an attribute assertion to the
    Client
  • The Client authenticates to MyProxy with a SAML
    authN assertion
  • MyProxy consumes both SAML authN and attribute
    assertions

(Figure: IdP-first attribute push, steps 1-6, among the CLIENT, the IdP, MyProxy and the Grid SP)
96
IdP-first Advantages
  • Since the IdP controls both ends of the flow
  • Mapping NameIdentifier to a local principal is
    straightforward
  • Choice of NameIdentifier format is left to the
    IdP
  • Attribute push simplifies IdP config and trust
    relationships
  • Reusable by grid portal use case

97
Conclusion
  • Globus Toolkit is the de facto standard software
    solution for grids
  • Shibboleth is a popular approach to federated
    identity management
  • GridShib leverages existing Shibboleth
    deployments to add attribute-based authorization
    to Globus Toolkit

98
Questions?
  • GridShib web site: http://gridshib.globus.org/
  • Tom Scavo: trscavo@ncsa.uiuc.edu
  • Von Welch: vwelch@ncsa.uiuc.edu

Thank You!