GridShib A Technical Overview

1
GridShibA Technical Overview

• Tom Scavotrscavo_at_ncsa.uiuc.edu
• NCSA

2
Overview

• GridShib project details
• GridShib use cases
• GridShib implementation
• GridShib attribute pull profile
• GridShib-MyProxy integration
• GridShib browser profile

3
What is GridShib?

• GridShib enables secure attribute sharing among
  Grid virtual organizations and higher-educational
  institutions
• The goal of GridShib is to integrate the Globus
  Toolkit with Shibboleth
• GridShib adds attribute-based authorization to
  Globus Toolkit

4
Some Background

• Large scientific projects have spawned Virtual
  Organizations (VOs)
• The cyberinfrastructure and software systems to
  support VOs are called grids
• Globus Toolkit is the de facto standard software
  solution for grids
• Grid Security Infrastructure (GSI) provides basic
  security services for grids

5
Grid Authentication

• Globus Toolkit provides authentication services
  via X.509 credentials
• When requesting a service, the user presents an
  X.509 certificate, usually a proxy certificate
• GridShib leverages the existing authentication
  mechanisms in GT

6
Grid Authorization

• Today, Globus Toolkit provides identity-based
  authorization mechanisms
• Access control lists (called grid-mapfiles) map
  DNs to local identity (e.g., Unix logins)
• Community Authorization Service (CAS)
• PERMIS and VOMS
• GridShib provides attribute-based authorization
  based on Shibboleth

7
GridShib Project Motivation

• VOs are difficult to manage
• Goal Leverage existing identity management
  infrastructure
• Identity-based access control methods are
  inflexible and do not scale
• Goal Use attribute-based access control
• Solution Integrate GT and Shibboleth!

8
Tale of Two Technologies
Existing GSI basedon X.509
Grid Security Infrastructure
Grid Client
Globus Toolkit
X.509
9
Tale of Two Technologies
Shibboleth Federation
Shibboleth
Graft Shib/SAMLonto GSI/X.509
SAML
Grid Security Infrastructure
Grid Client
Globus Toolkit
X.509
10
Why Shibboleth?

• What does Shibboleth bring to the table?
• A large (and growing) installed base on campuses
  around the world
• A standards-based, open source implementation
• A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity management
  infrastructure has sprung up around Shibboleth!

11
Shibboleth Federations

• A federation
• Provides a common trust and policy framework
• Issues credentials and distributes metadata
• Provides discovery services for SPs
• Shibboleth-based federations
• InCommon (23 members) in U.S.
• InQueue (157 members) in U.S.
• SDSS (30 members) in U.K.
• SWITCH (23 members) in Switzerland
• HAKA (8 members) in Finland

12
InCommon Federation
13
Introduction
14
GridShib Project

• GridShib is a project funded by the NSF
  Middleware Initiative (NMI awards 0438424 and
  0438385)
• GridShib is a joint project of NCSA, University
  of Chicago, and Argonne National Laboratory
• Project web sitehttp//gridshib.globus.org/

15
Milestones

• Dec 2004, GridShib project commences
• Feb 2005, Developers onboard
• Apr 2005, Globus Toolkit 4.0 released
• May 2005, GridShib Alpha released
• Jul 2005, Shibboleth 1.3 released
• Sep 2005, GridShib Beta released
• Apr 2006, GridShib-myVocs integration

16
Related Projects

• Globus Toolkithttp//www.globus.org/toolkit/
• Shibbolethhttp//shibboleth.internet2.edu/
• MyProxyhttp//grid.ncsa.uiuc.edu/myproxy/
• SHEBANGShttp//www.sve.man.ac.uk/Research/AtoZ/SH
  EBANGS

17
Leveraged Standards

• X.509 Public Key Infrastructure (RFC 3280)
• Proxy certificates (RFC 3820)
• OASIS SAML 1.1 http//www.oasis-open.org/committe
  es/tc_home.php?wg_abbrevsecuritysamlv11
• Internet2 Shibbolethhttp//shibboleth.internet2.e
  du/docs/internet2-mace-shibboleth-arch-protocols-l
  atest.pdf

18
GridShib Use Cases

• Three use cases under consideration
• Established grid user (non-browser)
• New grid user (non-browser)
• Portal grid user (browser)
• Initial efforts concentrated on the established
  grid user
• Current efforts are focused on the new grid user

19
Established Grid User

• User possesses an X.509 end entity certificate
• User may or may not use MyProxy Server to manage
  X.509 credentials
• User authenticates to Grid SP with proxy
  certificate obtained from MyProxy
• The current GridShib implementation addresses
  this use case

20
New Grid User

• User does not possess an X.509 end entity
  certificate
• User relies on GridShib CA to issue short-lived
  X.509 certificates
• User authenticates to Grid SP using short-lived
  X.509 credential
• The myVocs-GridShib integration addresses this
  use case

21
Portal Grid User

• User does not possess an X.509 cert
• User accesses Grid SP via a browser interface,
  that is, the client delegates a web application
  to request a service at the Grid SP
• MyProxy issues a short-lived X.509 certificate
  via a back-channel exchange
• GridShib Browser Profiles apply

22
GridShib Implementation
23
Software Components

• GridShib for Globus Toolkit
• A plugin for Globus Toolkit 4.0
• GridShib for Shibboleth
• A plugin for Shibboleth 1.3 IdP
• GridShib Certificate Authority
• A web-based CA for new grid users
• Visit the GridShib Downloads pagehttp//gridshib
  .globus.org/download.html

24
GridShib for Globus Toolkit

• GridShib for Globus Toolkit is a plugin for GT4
• Features
• Standalone attribute requester
• SAML attribute consumption
• Attribute-based access control
• Attribute-based local account mapping
• SAML metadata consumption

25
Standalone Attribute Requester

• A standalone attribute requester will query a
  Shib AA for attributes
• By standalone we mean a query separate from a
  Shib browser profile
• The attribute query is based on
• The Subject DN of the proxy cert or
• A SAML authn assertion embedded in an end-entity
  certificate

26
Attribute-based Access Control

• Access control based on authorization policy with
  respect to attributes
• DN-based access control
• Attribute caching for efficiency

27
GridShib for Shibboleth

• GridShib for Shibboleth is a plugin for a
  Shibboleth IdP v1.3 (or later)
• Features
• Name Mapper
• SAML name identifier implementations
• X509SubjectName, emailAddress, etc.
• Certificate Registry

28
GridShib Name Mapper

• The Name Mapper is a container for name mappings
• Multiple name mappings are supported
• File-based name mappings
• DB-based name mappings

29
GridShib Certificate Registry

• A Certificate Registry is integrated into
  GridShib for Shibboleth 0.5https//authdev.it.oh
  io-state.edu/twiki/bin/view/GridShib/GridShibCerti
  ficateRegistry
• An established grid user authenticates and
  registers an X.509 end-entity cert
• The Registry binds the cert to the principal name
  and persists the binding in a database
• On the backend, GridShib maps the DN in a query
  to a principal name in the DB

30
(No Transcript)
31
GridShib CA

• The GridShib Certificate Authority is a web-based
  CA for new grid usershttps//authdev.it.ohio-sta
  te.edu/twiki/bin/view/GridShib/GridShibCertificate
  Authority
• The GridShib CA is protected by a Shib SP and
  backended by the MyProxy Online CA
• The CA issues short-term credentials suitable for
  authentication to a Grid SP
• Credentials are downloaded to the desktop via
  Java Web Start

32
(No Transcript)
33
Future Work

• Solve IdP discovery problem for grids
• Provide name mapping maintenance tools (for
  administrators)
• Implement a profile for attribute push
• Produce SAML metadata
• Design metadata repositories and tools

34
GT Authorization Framework

• Work is underway to develop and enhance the
  authorization framework in Globus Toolkit
• Siebenlist et al. at Argonne
• Pluggable modules for processing authentication,
  gathering and processing attributes and rendering
  decisions
• Work in OGSA-Authz WG to allow for callouts to
  third-party authorization services
• E.g., PERMIS
• Convert Attributes (SAML or X.509) into common
  format for policy evaluation
• XACML-based

35
Classic GridShibProfile
36
The GridShib Actors

• Standard (non-browser) Grid Client
• Globus Toolkit with GridShib installed (called a
  Grid SP)
• Shibboleth IdP with GridShib installed

IdP
C L I E N T
Grid SP
37
GridShib Attribute Pull Profile

• In the Classic GridShib profile, a Grid SP
  pulls attributes from a Shib IdP
• The Client is assumed to have an account (i.e.,
  local principal name) at the IdP
• The Grid SP and the IdP have been assigned a
  unique identifier (providerId)

IdP
C L I E N T
3
2
1
Grid SP
4
38
GridShib Attribute Pull Step 1

• The Grid Client requests a service at the Grid SP
• The Client presents an X.509 certificate to the
  Grid SP
• The Client also provides a pointer to its
  preferred IdP
• This is the so-called IdP Discovery problem

IdP
C L I E N T
1
Grid SP
39
IdP Discovery

• The Grid SP needs to know the Clients preferred
  IdP
• One approach is to embed the IdP providerId in
  the proxy certificate
• Another approach is to use an IdP proxy (such as
  myVocs)
• Currently the IdP providerId is configured into
  the Grid SP

40
GridShib Attribute Pull Step 2

• The Grid SP authenticates the Client and extracts
  the DN from the proxy cert
• The Grid SP queries the Attribute Authority (AA)
  at the IdP using the DN as a SAML name identifier

IdP
C L I E N T
2
1
Grid SP
41
Attribute Query

• The Grid SP formulates a SAML attribute
  queryltsamlpAttributeQuery
  Resource"https//globus.org/gridshib"gt
  ltsamlSubjectgt ltsamlNameIdentifier
  Format"urnoasisnamestcSAML1.1nameid-format
  X509SubjectName" NameQualifier"http//idp.u
  chicago.edu/shibboleth"gt CNGridShib,OUNCSA
  ,OUIUC lt/samlNameIdentifiergt
  lt/samlSubjectgt lt!-- AttributeDesignator here
  --gt lt/samlpAttributeQuerygt
• The Resource attribute is the Grid SP providerId
• The NameQualifier attribute is the IdP providerId
• The NameIdentifier is the DN from the proxy cert
• Zero or more AttributeDesignator elements call
  out the desired attributes (but empty queries are
  the norm today)

42
GridShib Attribute Pull Step 3

• The AA authenticates the requester and maps the
  DN to a local principal name
• The AA returns an attribute assertion to the Grid
  SP
• The assertion is subject to Attribute Release
  Policy (ARP) at the IdP

IdP
C L I E N T
3
2
1
Grid SP
43
Attribute Assertion

• The assertion contains an attribute
  statementltsamlAttributeStatementgt
  ltsamlSubjectgt ltsamlNameIdentifier
  Format"urnoasisnamestcSAML1.1nameid-format
  X509SubjectName" NameQualifier"http//idp.
  uchicago.edu/shibboleth"gt
  CNGridShib,OUNCSA,OUIUC lt/samlNameIdentifi
  ergt lt/samlSubjectgt ltsamlAttribute
  AttributeName"urnmacedirattribute-defeduPerso
  nAffiliation" AttributeNamespace"urnmaceshi
  bboleth1.0attributeNamespaceuri"gt
  ltsamlAttributeValuegt member
  lt/samlAttributeValuegt ltsamlAttributeValuegt
  student lt/samlAttributeValuegt
  lt/samlAttributegtlt/samlAttributeStatementgt
• The Subject is identical to the Subject of the
  query
• Attributes may be single-valued or multi-valued
• Attributes may be scoped (e.g.,
  member_at_uchicago.edu)

44
Name Mapping File

• An IdP does not issue X.509 certs so it has no
  prior knowledge of the DN
• Solution Create a name mapping file at the IdP
  (similar to the grid-mapfile at the Grid SP)
  Default name mapping fileCNGridShib,OUNCSA,OUI
  UC gridshib"CNsome user,OUPeople,DCdoegrids"
  test
• The DN must conform to RFC 2253

45
Name Mapping Table

• The Name Mapper supports table-based name
  mappings (in addition to files)
• Define a JDBC source in a config file (JDBC
  driver, JDBC URL, etc.)
• Relational scripts and tools are provided

46
GridShib Attribute Pull Step 4

• The Grid SP parses the attribute assertion and
  performs the requested service
• The attributes are cached as necessary
• A response is returned to the Grid Client

IdP
C L I E N T
3
2
1
Grid SP
4
47
GridShib-MyProxyIntegration
48
Shib Browser Profile

• Consider a Shib browser profile stripped to its
  bare essentials
• Authentication and attribute assertions are
  produced at steps 2 and 5, resp.
• The SAML Subject in the authentication assertion
  becomes the Subject of the attribute query at
  step 4

1
IdP
C L I E N T
2
5
4
3
SP
6
49
GridShib Non-Browser Profile

• Replace the SP with a Grid SP and the browser
  client with a non-browser client
• Three problems arise
• Client must possess X.509 credential to
  authenticate to Grid SP
• Grid SP needs to know what IdP to query (IdP
  Discovery)
• The IdP must map the SAML Subject to a local
  principal

IdP
C L I E N T
Grid SP
50
The Role of MyProxy

• Consider a new grid user instead of the
  established grid user
• For a new grid user, we are led to a
  significantly different solution
• Obviously, we must issue an X.509 credential to a
  new grid user
• A short-lived credential is preferred
• Enter MyProxy Online CA

51
MyProxy-first Attribute Pull

• MyProxy with Online CA
• MyProxy inserts a SAML authN assertion into a
  short-lived, reusable EEC
• IdP collocated with MyProxy

IdP
C L I E N T
1
MyProxy
5
4
2
3
Grid SP
6
52
MyProxy-first Attribute Pull Step 1

• A MyProxy Client sends a MyProxy Protocol request
  to a MyProxy Server
• Any authentication method supported by MyProxy
  may be used

IdP
C L I E N T
1
MyProxy
Grid SP
53
MyProxy-first Attribute Pull Step 2

• The MyProxy Server authenticates the requester
• MyProxy issues an X.509 credential with embedded
  authN assertion
• The credential is returned in a MyProxy Protocol
  response

IdP
C L I E N T
1
MyProxy
2
Grid SP
54
Authentication Assertion

• MyProxy inserts an assertion containing a minimal
  authentication statement into the
  certificateltsamlAuthenticationStatement
  AuthenticationInstant"2004-12-05T092200Z"
  AuthenticationMethod"urnoasisnamestcSAML1.0
  ampassword"gt ltsamlSubjectgt
  ltsamlNameIdentifier Format"urnoasisname
  stcSAML1.1nameid-formatemailAddress"
  NameQualifier"https//idp.example.org/shibboleth"
  gt user_at_idp.example.org
  lt/samlNameIdentifiergt lt/samlSubjectgtlt/samlAut
  henticationStatementgt
• AuthenticationMethod may be used by Grid SP
• The NameQualifier attribute is the IdP providerId
• The IdP easily maps the NameIdentifier to the
  desired local principal

55
MyProxy-first Attribute Pull Step 3

• A Grid Client requests a service at a Grid SP
• The client presents the decorated X.509
  certificate obtained from MyProxy

IdP
C L I E N T
1
MyProxy
2
3
Grid SP
56
MyProxy-first Attribute Pull Step 4

• The Grid SP authenticates the Client and
  processes the assertion
• The Grid SP queries the Shib Attribute Authority
  (AA) referred to in the assertion

IdP
C L I E N T
1
MyProxy
4
2
3
Grid SP
57
MyProxy-first Attribute Pull Step 5

• The AA authenticates the requester and returns an
  attribute assertion to the Grid SP
• The assertion is subject to policy

IdP
C L I E N T
1
MyProxy
5
4
2
3
Grid SP
58
MyProxy-first Attribute Pull Step 6

• The Grid SP parses the attribute assertion and
  makes an access control decision
• A response is returned to the Client

IdP
C L I E N T
1
MyProxy
5
4
2
3
Grid SP
6
59
MyProxy-first Advantages

• Relatively easy to implement
• Requires only one round trip by the client
• Requires no modifications to the Shib IdP
• Requires no modifications to the Client
• Supports multiple authentication mechanisms
  out-of-the-box
• Uses transparent, persistent identifiers
• No coordination of timeouts necessary
• Mapping to local principal is straightforward

60
IdP-first Non-Browser Profiles

• The IdP-first profiles require no shared state
  between MyProxy and the IdP
• Supports separate security domains
• Leverages existing name identifier mappings at
  the IdP
• IdP-first profiles may be used with either
  Attribute Pull or Attribute Push

61
Attribute Pull or Push?
Pull
Push
user
user
Grid SP
request
request
attributes
attributes
AA
AA
62
IdP-first Attribute Pull

• MyProxy with Online CA
• MyProxy consumes and produces SAML authN
  assertions
• The Client authenticates to MyProxy with a SAML
  authN assertion

1
IdP
C L I E N T
2
3
MyProxy
7
6
4
5
Grid SP
8
63
IdP-first Attribute Push

• The IdP pushes an attribute assertion to the
  Client
• The Client authenticates to MyProxy with a SAML
  authN assertion
• MyProxy consumes both SAML authN and attribute
  assertions

1
IdP
C L I E N T
2
3
MyProxy
4
5
Grid SP
6
64
IdP-first Advantages

• Since IdP controls both ends of the flow
• Mapping NameIdentifier to a local principal is
  straightforward
• Choice of NameIdentifier format is left to the
  IdP
• Attribute push simplifies IdP config and trust
  relationships
• Reusable by grid portal use case

65
GridShib Browser Profiles
66
IdP-first Browser Profiles

• As a consequence of the IdP-first Non-Browser
  profiles, MyProxy gains the ability to consume
  SAML assertions
• If we replace the non-browser client with a web
  component, we can reuse that functionality in the
  following GridShib Browser Profile

67
IdP-first Attribute Pull

• The first three steps are normal Shib
  Browser/POST
• A Shib SP is protecting a web version of MyProxy
  Client

1
IdP
C L I E N T
2
MyProxy
7
8
5
4
6
3
SP
Grid SP
9
10
68
The 3-tier Problem

• How does the browser user delegate authority to
  the web component to retrieve an X.509 credential
  on its behalf?
• This problem is an instance of the so-called
  n-tier problem (n 3)

69
Delegation Profile

• No widely accepted solution to this problem
  exists today
• The Shib Project is proposing Liberty WSF
  2.0https//authdev.it.ohio-state.edu/twiki/bin/v
  iew/Shibboleth/LibertyAllianceProject
• The implications for GridShib are not clear at
  this point