SLCS and VASH Service: Interoperability of Shibboleth and gLite (PowerPoint presentation)



Slide 1

EGEE-II INFSO-RI-031688

Enabling Grids for E-sciencE

www.eu-egee.org

EGEE and gLite are registered trademarks

SLCS and VASH Service

Interoperability of Shibboleth and gLite

Christoph Witzig, SWITCH (witzig@switch.ch) NREN Grid Workshop Nov 30th, 2007 - Malaga

Slide 2

NREN Grid Workshop - Nov 30th, 2007 2


Content

  • Introduction
    – Interoperability Shibboleth - gLite
  • Short-Lived Credential Service (SLCS) (Phase 1)
  • VOMS Attributes for Shibboleth (VASH) (Phase 2)
  • Outlook: SAML Support in Grids (Phase 3)
  • Summary

Slide 3

Federated Identity

  • Identity Providers (IdP) authenticate their users
  • Service Providers (SP) trust the Identity Providers (IdP) and authorize the users
  • Cross domain authentication and authorization based on trust relation

Slide 4

Real and Virtual Organizations

  • Real organizations have built AAIs
  • Grids are being built around Virtual Organizations (VO)
  • How do you relate the member of the “real” organization to the member of the virtual organization?

[Figure: Dora as member of University of Malaga (username/password) ? Dora as member of the VO “Woman In Art” (X.509 CA)]

Slide 5

Interoperability Shibboleth - gLite

  • Interoperability Shibboleth - gLite by SWITCH
    – Part of EGEE-II
  • Focus is on
    – Interoperability (NO replacement for X.509)
    – Specific for EGEE II infrastructure (VOMS etc)
    – Integrate, re-use, re-engineer existing code, write new code only as needed
  • Key Concepts:
    – Home institution of the user should be the Identity Provider
    – Home institution provides some attributes
    – But VO is needed for (grid specific) attributes

Slide 6

Overview of SLCS and VASH

SLCS = Short Lived Credential Service
VASH = VOMS attributes from Shibboleth

[Figure: overview of SLCS and VASH around the gLite UI]

Slide 7

Short Lived Credential Service (SLCS)

Slide 8

SLCS Profile

  • SLCS = Short Lived Credential Service
  • International Grid Trust Federation (IGTF) Profile
  • Minimum requirements:

    Requirement            | SLCS                                 | X.509 Certificate (classic)
    Certificate generation | based on Identity Management system  | “traditional” Registration Authority (e.g. passport)
    Lifetime               | < 1 mio sec                          | < 1 year + 1 month
    Revocation handling    | optional                             | mandatory

Slide 9

SLCS Design

  • Private key is never transferred
  • Use commercial CA and only standard protocols
  • Modular design such that other people can use their own components
  • Shibboleth attributes determine DN
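
As an added illustration (not code from the SWITCH SLCS service or the gLite project), the following Python models two of these design points: the subject DN is derived only from attributes the Shibboleth IdP released, and the validity window of an issued certificate is checked against the IGTF lifetime bounds from the SLCS Profile slide. The attribute names, the DN template and the sample values are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Lifetime bounds from the SLCS Profile slide (IGTF profiles):
SLCS_MAX_LIFETIME = timedelta(seconds=1_000_000)   # SLCS X.509: < 1 mio sec (~11.6 days)
CLASSIC_MAX_LIFETIME = timedelta(days=365 + 31)    # classic X.509: < 1 year + 1 month

# Hypothetical attribute-to-DN template; the real SWITCH SLCS template is not in the slides.
# The DN is built in OpenSSL one-line form, the form grid tools (VOMS, gridmap files) compare.
DN_TEMPLATE = [("O", "homeOrganization"), ("CN", "displayName"), ("CN", "uniqueID")]


def build_dn(attributes: dict) -> str:
    """Derive the subject DN purely from attributes released by the Shibboleth IdP."""
    rdns = []
    for rdn_type, attr_name in DN_TEMPLATE:
        value = attributes.get(attr_name, "").strip()
        if not value:
            # Refuse rather than issue a certificate with an incomplete identity.
            raise ValueError(f"IdP did not release required attribute {attr_name!r}")
        if "/" in value or "=" in value or any(ord(c) < 0x20 for c in value):
            # A '/' or '=' inside a value would make the one-line DN ambiguous to parsers.
            raise ValueError(f"attribute {attr_name!r} contains characters not allowed in a DN")
        rdns.append(f"/{rdn_type}={value}")
    return "".join(rdns)


def lifetime_within_profile(not_before: datetime, not_after: datetime, profile: str) -> bool:
    """True if the validity window fits the IGTF bound for 'slcs' or 'classic' certificates."""
    limit = {"slcs": SLCS_MAX_LIFETIME, "classic": CLASSIC_MAX_LIFETIME}[profile]
    lifetime = not_after - not_before
    return timedelta(0) < lifetime < limit


if __name__ == "__main__":
    # Constructed sample attributes, as an IdP might release them to the SLCS front end.
    released = {"homeOrganization": "University of Malaga",
                "displayName": "Dora Example", "uniqueID": "12345@uma.es"}
    print(build_dn(released))
    start = datetime(2007, 11, 30, tzinfo=timezone.utc)
    print(lifetime_within_profile(start, start + timedelta(days=11), "slcs"))   # True
    print(lifetime_within_profile(start, start + timedelta(days=12), "slcs"))   # False
```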

Slide 10

SLCS Operation

  • For the user:
    – Command line: slcs-init --idp <providerId>
    – Part of gLite User Interface (gLite-UI 3.1) (can also be installed independently)
  • For the RA from web-based admin tool:
    – Can enable or disable individual users (only for his institution)
    – Requirements formulated in CP/CPS
    – Can obtain log information (audit)
  • SWITCH:
    – Operates the service for the SWITCHaai federation

Slide 11

SWITCH SLCS Setup

  • 3 separate servers in increasingly secure environment (network and physical access)
  • Front End
    – Shibboleth SP
  • SLCS Server
    – Tomcat web app
  • Online CA
    – Microsoft Certificate Server
    – Hardware Security Module (HSM)
  • Offline CA
    – Sign the Online CA
    – Stored in a bank safe

Slide 12

Status SLCS

  • Software development finished in 2006
  • SWITCH SLCS Root CA accredited by EuGridPMA in February 2007
  • SWITCH SLCS in production since April 2007
  • http://www.switch.ch/grid/slcs

Slide 13

VOMS attributes from Shibboleth (VASH)

Slide 14

Problem

  • SLCS ties
    – AAI authentication to issuance of X.509 certificate
    – AAI attributes are used to construct the DN
  • SLCS intends to make AAI attributes available to grid resources for authorization decisions
    – Which AAI attributes are of interest to grid resource?
    – How does resource obtain attributes? (pull vs push)
    – Relation to VO attributes
    – Deployment issues

Slide 15

VASH Design (1)

  • VASH:
    – VOMS Attributes from Shibboleth
  • Shibboleth SP
    – Browser-based
    – Specific for Federation
  • “lightweight” SP
    – No administrator duties
    – No management of attributes
    – Simply transfers attributes upon user request

[Figure: Federation / VO]

Slide 16

VASH Design (2)

  • X.509 and proxy X.509 with VOMS AC unchanged
  • No change in VOMS
    – Requires VOMS version 1.7.10 or higher
  • VO registration not changed
  • Administrative domain between Shibboleth federation and VOMS fully decoupled
  • User manages mapping between DN in VOMS and Shibboleth user id (for classic X.509 and SLCS X.509)

Slide 17

Web Interface VASH Service

Slide 18

Deployment Options

  • Option 1:
    – As an add-on to an existing VOMS-based VO
  • Option 2:
    – As a registration tool which allows the member of a Shibboleth IdP to become a member of a VOMS-based VO

Suitable for production VOs as well as temporary VOs (e.g. summer schools, grid classes)

Slide 19

Status VASH

  • Software implementation done
  • MJRA1.5 document: https://edms.cern.ch/document/807849/1
  • Plug-ins and mechanisms to evaluate the Shibboleth attributes at the grid resource available
    – Access to VOMS AC
    – LCAS/LCMAPS plugin

Slide 20

Outlook: SAML Support in Grids

Slide 21

Phase 3: SAML Support

  • Goal of phase 3: Extend use of SAML in grids beyond what is already provided by phase 1 and 2
  • SAML-enable those services with which the user interacts directly
    – WMS
    – File access
  • Benefits:
    – (Average) User has no certificates anymore
    – Introduce SAML gently beyond phase 1 and 2, gain experience
    – Compatible with Shibboleth roadmap (2.0, 2.1) and WS-Trust STS implementation
    – Options open for future
  • Requires: A means for a service to transform a security token it has into the security token it needs

Slide 22

Security Token Service (STS)

  • Based on OASIS WS-Trust Standard
  • Converts one security token into another
    – Initial focus on: username/password → SAML, SAML → X.509
  • Supports token request, renewal, validity check, destruction
  • Capable of obtaining attributes from different sources (e.g. Shibboleth IdP, VOMS)

Slide 23

Use Cases

  • Grid:
    – A central Grid resource (e.g. resource broker) obtains a user job with a SAML assertion as credential
    – Conversion into a security token that the other Grid services understand (X.509)
  • Non-browser based Shibboleth applications:
    – User agent contacts Shibboleth IdP with credential (e.g. username, password)
    – User agent receives SAML assertion to be sent to a Shibboleth SP

Slide 24

Summary

  • Interoperability Shibboleth - gLite
    – Phase 1: SLCS
        – Online CA issuing short-lived X.509 certificates based upon authentication at Shibboleth IdP
        – Operative and in production
    – Phase 2: VASH
        – Transfers Shibboleth attributes into VOMS
        – Shib attributes are available to grid resources as part of VOMS AC
        – Software development finished
    – Phase 3: SAML
        – Actual phase: design of a WS-Trust STS for SAML and proxy X.509
        – Idea to SAML-enable a selected (small) number of grid services (those close to the user: WMS, …)
  • Leverage the existing SWITCHaai Shibboleth federation

Slide 25

Q & A