Shibboleth Interoperability - Short-Lived Credential Service (SLCS)



SLIDE 1

INFSO-RI-031688

Enabling Grids for E-sciencE - II

www.eu-egee.org

Shibboleth Interoperability - Short-Lived Credential Service (SLCS)

Valéry Tschopp, SWITCH JRA1 All Hands Meeting, Abingdon, 9 Nov 2006

SLIDE 2

EGEE-II JRA1 All Hands Meeting – November 2006 2


Presentation Outline

  • Introduction
    – Shibboleth
    – Short-Lived Credential Service

  • General Architecture
  • SLCS Client
  • SLCS Server
  • Deployment
  • Questions & Answers
SLIDE 3


Shibboleth

  • Authentication and Authorization Infrastructure (AAI)
  • Developed by Internet2
  • Single Sign On (SSO)
    – When a user accesses a resource:
      the Identity Provider authenticates the user (independent of the resource);
      the Service Provider (resource) authorizes the access based on the user’s attributes received from the Identity Provider
  • SAML: Security Assertion Markup Language
    – OASIS Standard

See http://www.switch.ch/aai/demo

SLIDE 4


Shibboleth

SLIDE 5


Short-Lived Credential Service

  • IGTF Profile, EUGridPMA, TAGPMA, …
  • ‘Real’ personal X.509 certificate
  • SLCS requirements
  • Leverage your existing user management infrastructure

  Traditional User Cert                              | SLCS Certificate
  ---------------------------------------------------|----------------------------------------------------------
  ‘Traditional’ RA operations (copy of passport, …)  | Automated generation based on the user management system
  Revocation list mandatory                          | Revocation list (CRL) optional
  Lifetime < 1 year + 1 month                        | Lifetime < 1mio seconds

SLIDE 6


General Architecture

SLIDE 7


SLCS Client

  • User is authenticated by his Identity Provider
  • Private key and certificate signing request (CSR) are generated locally, then the CSR is sent to the SLCS server
  • SLCS server verifies and signs the CSR, then issues a short-lived X.509 certificate
  • The private key and the X.509 certificate are stored locally in $HOME/.globus

SLIDE 8


SLCS Client Example

  tschopp@venus$ slcs-init -v --idp switch.ch
  Config: slcs-init.xml
  IdentityProvider: switch.ch
  Username: tschopp
  Shibboleth Password: ***********
  Key Password:
  Key password is empty, using Shibboleth password.
  Shibboleth login...
  SLCS login request...
  Generate private key (1024 bits)...
  Generate certificate request...
  SLCS certificate request...
  Store private key [/home/tschopp/.globus/userkey.pem]...
  Store SLCS certificate [/home/tschopp/.globus/usercert.pem]...
  Done.
  tschopp@venus$

SLIDE 9


SLCS Server

  • Interfaces based on standards
    – HTTPS and XML between the user and the SLCS server
    – PKIX-CMC (RFC 2797) between the SLCS server and the Online CA
  • Access authorization to the SLCS based on the user’s attributes
  • Certificate subject is built based on the user’s attributes
    – Given Name: Valéry
    – Surname: Tschopp
    – Home Organization: switch.ch
    – Subject: DC=CH, DC=SWITCH, DC=SLCS, O=SWITCH - Research and Education Network, CN=Valery Tschopp 9FEE5EE3
  • After verification against the policies, the certificate is issued by an Online CA
  • Audit logs are stored on the SLCS server
  • Pluggable components
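The server-side policy from this slide and slide 5, worked through as an added Python example (not code from the presentation or from the SLCS software): the SLCS server derives the subject from the attributes released by the Identity Provider, rejects a CSR whose subject differs from that, checks the home organization against an entitlement list, and bounds the lifetime at 1 million seconds. The attribute names, the allowed-organization set and the origin of the 8-hex-digit suffix are assumptions.

```python
"""Policy checks an SLCS server applies before forwarding a CSR to the Online CA."""
import unicodedata

MAX_LIFETIME_SECONDS = 1_000_000   # slide 5: SLCS certificate lifetime < 1 mio seconds
# Namespace from the example subject on slide 9; the O value is taken verbatim from it.
BASE_DN = "DC=CH, DC=SWITCH, DC=SLCS, O=SWITCH - Research and Education Network"


def ascii_fold(text):
    """Strip accents so the DN stays printable ASCII ('Valéry' -> 'Valery')."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()


def build_subject(attrs, unique_id):
    """Derive the subject from IdP attributes only, never from client input.
    attrs: Shibboleth attributes as released by the IdP (attribute names assumed);
    unique_id: an 8-hex-digit per-user suffix (assumed input; the slide shows 9FEE5EE3
    without saying how it is produced)."""
    for key in ("givenName", "surname", "homeOrganization"):
        if not attrs.get(key):
            raise ValueError("missing IdP attribute: " + key)
    cn = "%s %s %s" % (ascii_fold(attrs["givenName"]),
                       ascii_fold(attrs["surname"]), unique_id.upper())
    return "%s, CN=%s" % (BASE_DN, cn)


def normalize_dn(dn):
    """Turn a DN string into (type, value) pairs; attribute types are case-insensitive.
    Simplification: values are assumed not to contain escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        typ, _, val = rdn.strip().partition("=")
        pairs.append((typ.strip().lower(), val.strip()))
    return pairs


def authorize_request(attrs, csr_subject, unique_id, allowed_orgs, lifetime_seconds):
    """Return (ok, info): ok is True only when every SLCS policy check passes;
    info carries the reason on failure or the subject to certify on success."""
    if attrs.get("homeOrganization") not in allowed_orgs:
        return False, "home organization not entitled to use the SLCS"
    expected = build_subject(attrs, unique_id)
    if normalize_dn(csr_subject) != normalize_dn(expected):
        return False, "CSR subject does not match the attribute-derived subject"
    if not 0 < lifetime_seconds < MAX_LIFETIME_SECONDS:
        return False, "requested lifetime violates the SLCS profile"
    return True, expected


# Constructed sample attributes, taken from the slide 9 example user.
SAMPLE_ATTRS = {"givenName": "Valéry", "surname": "Tschopp", "homeOrganization": "switch.ch"}

if __name__ == "__main__":
    subj = build_subject(SAMPLE_ATTRS, "9fee5ee3")
    print(authorize_request(SAMPLE_ATTRS, subj, "9fee5ee3", {"switch.ch"}, 11 * 24 * 3600))
```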
SLIDE 10


SLCS Server

SLIDE 11


Deployment

  • Certification of SLCS (server and online CA) by the EUGridPMA is ongoing

SLIDE 12


Q&A

Questions?