GridShib and MyProxy: Grid Credential Management and Identity Federation
Von Welch, NCSA, vwelch@ncsa.uiuc.edu
Plug: longer talks Wed @ 2-3:30 pm on GridShib, MyProxy, GAARDS (Mountain Laurel)
OGF 19, http://myproxy.ncsa.uiuc.edu/
GridShib
- dev.globus Incubator Project
- Collaborative between NCSA and U. Chicago
- GridShib is a project funded by the NSF Middleware Initiative
  - NMI awards 0438424 and 0438385
  - Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.
- Also many thanks to the Internet2 Shibboleth Project
What is GridShib?
- Allows Shibboleth interoperability and SAML functionality in the Globus Toolkit
- Allows GT to parse SAML attributes and use them for authorization
- Allows portals to embed Shibboleth attributes in Grid credentials
- Allows conversion of Shibboleth authentication to Grid credentials
Software Components
- GridShib for Globus Toolkit
- GridShib for Shibboleth
  - Includes GridShib Certificate Registry
- GridShib Certificate Authority
- GridShib SAML Tools
GridShib for GT 0.5
- GridShib for GT 0.5 announced Nov 30
  - Compatible with both GT 4.0 and GT 4.1
    - GT 4.1 introduces powerful authz framework
    - Separate binaries for each GT version
    - Source build auto-senses target GT platform
  - New identity-based authorization feature
    - Uses grid-mapfile instead of DN ACLs
  - Logging enhancements
  - Bug fixes
GridShib for GT 0.5.1
- GridShib for GT 0.5.1 (expected any day now)
  - Combined VOMS/SAML attribute to account mapping
    - As with the current gridmap situation, GT 4.0.x deployments cannot take advantage of permit overrides and arbitrarily configure fallbacks
    - To accommodate this we'll allow for a name mapping scheme that checks in this order and continues to fall back if no match/authz is granted: gridmap, VOMS, Shibboleth/SAML
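An added example of the ordered gridmap, then VOMS, then Shibboleth/SAML fallback described above; it is not GridShib's own code, and the grid-mapfile lines, the VOMS FQAN table and the SAML attribute table are constructed samples.

```python
"""Ordered account mapping: gridmap, then VOMS, then Shibboleth/SAML.
Added example, not GridShib's code: assumes the client is already
authenticated and its DN, VOMS FQANs and SAML attributes extracted."""
import re

# Constructed sample grid-mapfile: quoted DN, then one or more accounts.
GRIDMAP_TEXT = '''
# comments and blank lines are ignored
"/C=US/O=NCSA/CN=Alice Example" alice
"/C=US/O=NCSA/CN=Bob Example" bob,bob2
'''
# Constructed fallback tables: VOMS FQAN -> account, SAML (name, value) -> account.
VOMS_MAP = {"/myvo/Role=admin": "vo_admin", "/myvo": "vo_user"}
SAML_MAP = {("eduPersonAffiliation", "staff"): "campus_staff"}

_GRIDMAP_LINE = re.compile(r'^"([^"]+)"\s+(\S+)\s*$')


def parse_gridmap(text):
    """Return {DN: account}; a comma-separated account list maps to its first entry."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _GRIDMAP_LINE.match(line)
        if m:
            mapping[m.group(1)] = m.group(2).split(",")[0]
    return mapping


def map_to_account(dn, fqans, saml_attrs, gridmap):
    """Check gridmap, then VOMS, then SAML; (None, None) means deny."""
    acct = gridmap.get(dn)
    if acct:
        return acct, "gridmap"
    for fqan in fqans:  # the first FQAN is the primary one, so it wins
        acct = VOMS_MAP.get(fqan)
        if acct:
            return acct, "voms"
    for name, value in saml_attrs:
        acct = SAML_MAP.get((name, value))
        if acct:
            return acct, "saml"
    return None, None
```

A caller that gets (None, None) denies the request; nothing in the chain grants access by default.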
GridShib for GT 0.6
- GridShib for GT 0.6 (expected March 2007)
  - Full-featured attribute push PIP
    - Compatible with current GridShib Attribute Tools
  - More powerful attribute-based authz policies
    - Allow unique issuer in authz policy rules
GridShib SAML Tools
- Current version 0.1.2
- Self-issues a SAML assertion with up to two statements
- Optionally binds this assertion to an X.509 proxy certificate
- Supports both SAML AuthenticationStatement and AttributeStatement
- Separates the issuing of the SAML from the binding of the SAML
GridShib SAML Tools 0.2.0
- Target release date: February 2007
- Same command-line interface as v0.1.x (but with more options)
- Leverages Shibboleth Attribute Resolver to support more complicated attribute requirements
- Support for nested SSO Response
- Enhanced logging
- Java API for Portal developers
GridShib for Shib Versions
- GridShib for Shib 0.5.1
  - Announced Aug 8, 2006
- GridShib for Shib 0.6
  - Expected Jan 2007
  - Will include SAML Issuer Tool (derived from Shib resolvertest tool)
GridShib for Shib 0.6
- GridShib for Shib 0.6 (expected April 2007)
  - Core (already included in 0.5)
    - Requires Shib IdP
    - Includes basic plugins and handlers
  - Certificate Registry (already included in 0.5)
    - Requires GridShib for Shib Core
    - Includes Derby embedded database
  - SAML Tools (new in 0.6)
    - Requires GridShib for Shib Core
    - Includes SAML Issuer Tool and SAML X.509 Binding Tool
GridShib CA 0.3
- Substantial improvement over version 0.2
- More robust protocol
- Installation of trusted CAs at the client
- Pluggable back-end CAs
  - Uses an openssl-based CA by default
  - A module to use a MyProxy CA is included
- Certificate registry functionality
  - A module that auto-registers DNs with myVocs
GridShib CA 0.4
- Target release: March 2007
- Fall back to default SSLSocketFactory on error (Bug 4875)
- Create CA with domain name components (Bug 4887)
- Register certificate on the front channel with GridShib for Shibboleth Certificate Registry
- Integrate GridShib SAML Tools to bind simple attribute assertion to EEC
- Bind IdP entityID to SIA extension
- Handle creating DN from mix of attributes (Bug 4889)
What is MyProxy?
- An Online Certificate Authority
  - Issues short-lived X.509 End Entity Certificates
  - Avoids need for long-lived user keys
- An Online Credential Repository
  - Issues short-lived X.509 Proxy Certificates
  - Long-lived private keys never leave the server
- Supporting multiple authentication methods
  - Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
- Open Source Software
  - Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  - C, Java, Python, and Perl clients available
  - Contributions from EDG, UVA, LBL, and others
  - Protocol specified in GFD-E.54
Topics for Discussion
- Credential Renewal
- Security Context Provisioning
- High Availability
- User Registration
- Attribute Support
- HSM Support
- Web Services
- Audit Logging
- Web SSO
- Others?
Credential Renewal
- Existing MyProxy-based renewal support
  - EGEE Renewal Service
  - Condor-G
- Future Work
  - MyProxy-based GT4 Renewal Service
    - Integrated with GT4 Delegation Service
    - Support for GRAM, WS-GRAM, RFT
High Availability
- Existing support
  - Clients retry when server is unreachable
  - Documentation for MyProxy CA replication
  - Primary-backup replication of MyProxy repository
- Future Work
  - Robust client retry
  - Peer-to-peer repository replication
Attribute Support
- Existing support
  - VOMS authentication to MyProxy server
  - GridShib CA integration with MyProxy
- Future Work
  - Issue credentials with VOMS assertions
  - SAML authentication to MyProxy server
Web Services
- Currently MyProxy does not provide a Web Services interface
  - C, Java, Perl, Python APIs
- Standard Delegation Service interface is needed
  - For MyProxy, GT4, and EGEE delegation services
Web Single Sign-on
- Existing Support
  - MyProxy server accepts Pubcookie tokens
- Future Work
  - Shibboleth/SAML support
  - Other web SSO methods?
Security Context Provisioning
- Existing Support
  - MyProxy can provision user certificates, CA certificates, and CRLs
  - Requires MyProxy server CA certificate to be installed
- Future Work
  - Java client support
  - Zero configuration bootstrap
User Registration
- Existing Support
  - Provided by PURSE and GAMA
  - GridShib CA and OpenIDP
- Future Work
  - Integration with MyProxy CA
  - Integration with attribute and authorization services
HSM Support
- Existing Prototypes
  - MyProxy repository using IBM 4738
  - MyProxy CA using Aladdin eToken
- Future Work
  - Full support for OpenSSL hardware engines in MyProxy CA
Audit Logging
- Existing Support
  - All MyProxy server operations are logged to syslog
  - Recent improvements to MyProxy CA logging to meet IGTF guidelines
- Future Work
  - Include auditing information in issued credentials
  - Support standard grid logging interfaces
Thank you
Reminder: Wed @ 2-3:30 pm on GridShib, MyProxy, GAARDS (Mountain Laurel)
For more information: vwelch@ncsa.uiuc.edu, http://myproxy.ncsa.uiuc.edu/, http://gridshib.globus.org