Grid Authentication and Authorization with Reliably Distributed Services
Grid Authentication and Authorization with Reliably Distributed Services (GAARDS). Open Grid Forum 19, January 31, 2007, Chapel Hill, NC. Stephen Langella, Ohio State University, langella@bmi.osu.edu
Agenda
• caBIG
• caGrid Security Overview (GAARDS)
• Dorian
• Authentication Service
• Grid Trust Service (GTS)
• Grid Grouper
• Authz / Common Security Module (CSM)
Additional Information: www.cagrid.org
National Cancer Institute 2015 Goal: Relieve suffering and death due to cancer by the year 2015
Cancer Biomedical Informatics Grid (caBIG™)
• Need: Enable investigators and research teams nationwide to combine and leverage their findings and expertise in order to meet the NCI 2015 Goal.
• Strategy: Create a scalable, actively managed organization that will connect members of the NCI-supported cancer enterprise by building a biomedical informatics network.
• National Cancer Institute Initiative
• Over 800 Participants
• Over 80 Organizations
• Over 70 Projects
caBIG Community Organization
caGrid
• Grid Infrastructure for caBIG
• Enterprise Level Grid Components
• caGrid Components
  • Grid Service Graphical Development Toolkit (Introduce)
  • Metadata Advertisement and Discovery
  • Semantic Services
  • Data Service Infrastructure
  • Analytical Service Infrastructure
  • Identifiers
  • Workflow
  • Security
GAARDS Overview
• Grid Authentication and Authorization with Reliably Distributed Services (GAARDS)
• GAARDS provides services and tools for the administration and enforcement of security policy in an enterprise Grid.
• Developed on top of the Globus Toolkit
• Extends the Grid Security Infrastructure (GSI)
• Provides enterprise services and administrative tools for:
  • Grid User Management
  • Identity Federation
  • Trust management
  • Group/VO management
  • Access Control Policy management and enforcement
  • Integration between existing security domains and the grid security domain
GAARDS Components
• Dorian
  • Grid User Account Management
  • Integration point between external security domains and the grid.
  • Allows accounts managed in external domains to be federated and managed in the grid.
  • Dorian allows users to use their existing credentials (external to the grid) to authenticate to the grid.
• Grid Trust Service (GTS)
  • Creation and Management of a federated trust fabric.
  • Supports applications and services in deciding whether or not signers of digital credentials/user attributes can be trusted.
  • Supports the provisioning of trusted certificate authorities and corresponding CRLs.
• Grid Grouper
  • Group management service for the grid
  • Provides a group-based authorization solution for the Grid
  • Enforces authorization policy based on membership in groups
GAARDS Components
• Authentication Service
  • Integrates existing credential providers into the grid.
  • Provides a uniform grid interface for authenticating to existing credential providers.
  • Applications can communicate with any credential provider.
• Authz/Common Security Module (CSM)
  • Provides a centralized approach to managing and enforcing access control policy (authorization).
• Security Metadata
  • Ensures communication interoperability between grid services
GAARDS in Action
• User authenticates to the local credential provider using their everyday user credentials. (Figure labels: Authenticate with Local Credential Provider; SAML Assertion)
• Application obtains grid credentials from Dorian using the SAML assertion provided by the local provider. (Figure labels: SAML Assertion; Grid Credentials)
• Application uses the grid credentials to invoke secure grid services. (Figure label: Grid Credentials)
• Grid Service authenticates the user by asking the GTS whether or not the signer of the credential should be trusted. (Figure label: Should I trust the credential signer?)
• Authorization: Grid Service asks CSM or its access control policy enforcer whether or not the user can perform operation X on resource Y. (Figure label: Is Authorized?)
• Authorization Alternative: Grid Service can enforce local policy based on user membership in groups maintained in Grid Grouper. (Figure label: Is member of?)
Dorian
Grid Account Management is Difficult
• Users are required to manage a long term certificate and private key.
  • How are they obtained?
  • Traditionally users generate a key pair and certificate request locally, then contact (email) a CA administrator to get a signed certificate.
• Mobility Issues
  • Users generally work on more than one computer.
  • Certificate and private key need to be available to users on each machine.
  • Traditionally users need to copy the certificate and private key around: a hassle for the users, some of whom don't have the expertise to accomplish it, and a security concern.
• Difficult to administer
  • Few tools for administering the provisioning of user accounts.
  • Difficult to revoke accounts.
  • Limited information available to administrators for making decisions.
• Why can't they leverage their existing accounts to access the grid?
Dorian
• Grid User Account Management
  • Administrative interface for account provisioning and management.
  • Built in Certificate Authority
  • Manages Grid Credentials for each user.
  • Enables users to authenticate and create grid proxies, which they may use to access the grid.
• Identity Management and Federation
  • Integration point between external security domains and the grid.
  • Users may use existing credentials to obtain a grid proxy.
  • Users authenticate to an IdP and obtain a SAML assertion (proof), which is then given to Dorian to facilitate the creation of a grid proxy.
• Automated Account Creation and Provisioning
• Built in Identity Provider
• Comprehensive Administrative UI
Dorian
• Proxy Creation
  • Users authenticate to an IdP.
  • Obtain a SAML assertion (proof) from the IdP.
  • Send the SAML assertion to Dorian in exchange for a grid proxy.
• Proxy Creation (Detailed)
  • User authenticates to the local IdP.
  • IdP issues a signed SAML assertion to the user.
  • User authenticates to Dorian with the SAML assertion.
  • Dorian verifies the signature of the SAML assertion.
    • The signing IdP must be registered with Dorian as a trusted provider.
  • Dorian locates the user's grid account, or creates one if it does not exist.
  • Dorian ensures the user has rights to create a proxy.
  • Client and Dorian negotiate to create a proxy.
Dorian – Proxy Creation
• Proxy Creation Workflow
  • Client authenticates with the local IdP.
  • Client creates a public/private key pair to use for the grid proxy.
  • Client requests Dorian to create a grid proxy.
  • Dorian verifies that the SAML assertion provided by the user is signed by a trusted IdP and that the user has a valid account.
  • Dorian locates the user's grid credentials: private key and certificate.
  • Dorian uses the public key provided to create a proxy certificate and signs it with the user's private key.
  • Dorian returns the proxy certificate to the user.
  • The user may now use the proxy to authenticate to grid services.
(Figure labels: Username / Password; Signed SAML Assertion; SAML Assertion)
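The proxy-creation step of the workflow above, as an added Go example that is not code from caGrid or GAARDS: the client generates its own key pair, Dorian signs a short-lived proxy certificate over the client's public key with the user's long-term private key, and the grid service checks the result. It assumes the SAML assertion and account status checks have already passed, uses a self-signed certificate as a stand-in for one issued by Dorian's built-in CA, and forms the proxy DN in a simplified way.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// sign builds a certificate from tmpl under parent's key and parses it back.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewLongTermCreds issues the long-term credentials Dorian stores for one grid account (self-signed stand-in for the Dorian CA).
func NewLongTermCreds(gridIdentity pkix.Name) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: gridIdentity,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// IssueProxy is Dorian's step once the SAML assertion and account checks pass: a short-lived
// proxy over the client-generated public key, signed with the user's long-term key, which never leaves Dorian.
func IssueProxy(longTerm *x509.Certificate, longTermKey *ecdsa.PrivateKey, clientPub *ecdsa.PublicKey, ttl time.Duration) (*x509.Certificate, error) {
	subj := longTerm.Subject
	subj.CommonName += "/CN=proxy" // simplified; RFC 3820 appends a CN RDN to the issuer's DN
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	return sign(tmpl, longTerm, clientPub, longTermKey)
}

// VerifyProxy is the grid-service side check: validity window, then the signature by the
// long-term key, checked directly because Go's chain verifier requires CA issuers.
func VerifyProxy(proxy, longTerm *x509.Certificate, at time.Time) error {
	if at.Before(proxy.NotBefore) || at.After(proxy.NotAfter) {
		return x509.CertificateInvalidError{Cert: proxy, Reason: x509.Expired}
	}
	return longTerm.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature)
}
```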
Grid User Account Creation
• A grid account is created the first time a user accesses Dorian with a SAML assertion signed by a registered Trusted Identity Provider.
• Each grid account has a status associated with it.
  • Active, Pending, Suspended, Expired, ...
  • Only users with an Active status will be given access to the grid.
• The initial status of a user account upon creation depends on the user policy configured for their IdP.
• A User Policy is applied to a user's account every time they request that a proxy be created.
• User Policies enable the administration of Dorian to be as hands on or hands off as the administrators wish.
Grid User Accounts
• Grid User Accounts are managed through the grid service interface using the Admin UI
• Grid User Account
  • IdP Local User Id – uniquely identifies a user within the context of an IdP
  • First Name
  • Last Name
  • Email
  • User's role with respect to Dorian
  • User Account Status
  • Grid Credentials
    • Private Key
    • Long term Certificate
  • Grid Identity, composed of Dorian CA Metadata, Trusted IdP Id and Local User Id, e.g. /O=OSU/OU=BMI/OU=caGrid/OU=Dorian/OU=localhost/OU=IdP [1]/CN=jdoe
Managing Trusted Identity Providers
• Trusted Identity Provider – An Identity Provider that Dorian is configured to trust and for which it manages grid user accounts.
  • Id – Dorian-assigned identifier for the IdP.
  • Name – Human readable name for easy identification
  • Status – Active / Suspended
  • User Policy – Executed when users authenticate; dictates a policy to apply to a user's account
  • Authentication Method
  • IdP Certificate – Certificate whose corresponding private key will be used in signing SAML assertions.
Dorian Identity Provider
• Dorian Identity Provider (Dorian IdP) – Enables developers, smaller groups, research labs, unaffiliated users, and other groups without an IdP to use Dorian as their IdP, such that they may leverage Dorian for creating grid credentials.
• Registration – Provides a registration mechanism through the grid service interface.
• Authentication – Username/Password authentication over the grid service interface; successful authentication returns a SAML assertion which can later be consumed by Dorian in exchange for a grid proxy.
• Account Management – Provides administrative operations for managing Dorian IdP accounts.
Dorian IdP – Registration / Authentication
• Potential users obtain an account on the Dorian IdP by registering.
  • The grid service interface provides a mechanism for registering a Dorian IdP account.
  • The Dorian GUI provides a graphical interface for registering with the Dorian IdP.
• Account creation depends on how the Dorian IdP is configured
  • Auto Creation
  • Manual Creation
• Once approved, registered users can authenticate (username, password) to the Dorian IdP to obtain a SAML assertion which can then be used to create a proxy.
Dorian IdP User Management
• Dorian IdP User Management
  • Manage User Account Information
  • Manage Account Status
  • Grant IdP Admin Rights
• Account management is done through the grid service interface; only users with admin rights may manage accounts.
• Full Account Management Support through the Dorian GUI.
Authentication Service
Authentication Service
• The role of the Authentication Service is to provide a uniform grid interface for authenticating to existing credential providers.
• Leveraged as an integration point between local identity management and grid identity federation.
• To achieve this goal, we define a framework as a set of interfaces that can be implemented by a credential provider.
• caGrid provides a default implementation that exposes the Common Security Module (CSM) as an IdP.
• Supported Credential Providers
  • LDAP
  • RDBMS
(Figure labels: Dorian; Authentication Service; Local Identity management)
Authentication Service - Design
(Figure labels: Authentication Service grid service, created using the Introduce toolkit; Authentication Provider Framework, where credential providers can be integrated by implementing this interface; AuthenticationProvider; SubjectProvider; SAMLProvider)