Combining the strengths of UMIST and The Victoria University of Manchester
Adapting to Federated Identity
SHEBANGS
Shibboleth Enabled Bridge to Access the National Grid Service
http://www.mc.manchester.ac.uk/research/shebangs
Mike Jones
Federated Identity 2/4 OGF19
Introduction
• SHEBANGS is all about getting a federation of users onto the UK National Grid
• Roadmap for shibboleth within UK academia via the SDSS Federation
– http://www.sdss.ac.uk/
• Requirement for GSI credentials to login to and use NGS
• Experimental shibboleth usage for Levels of Assurance via the FAME IdP
– http://www.fame-permis.org/
Credential Translation
• Shibboleth IdP provides a signed assertion to a SP about the identity of a client (plus whistles and bells)
– The NGS takes authentic X.509 / GSI-proxies
– The NGS allows usage based upon attributes within the X.509 / GSI-proxy
• Shibboleth is browser based
– Can't use command lines BUT can use portals (NGS has portals)
• SHEBANGS makes a Credential Translation service which is both
– A shibboleth SP
– A GSI root of trust
Notes
• Change to root of trust
• Not passing assertions through (IdP -> CTS -> Grid) – NGS can't handle it yet
• CTS is an on-line entity
– Implications with IGTF CA profiles
• How to construct the X.509 certificate?
– Depending upon LoA, choose a CA certificate
– Some kind of DN based upon
• the ID of the CTS (e.g. C=UK, O=ThisCTS)
• the ID of the IdP (e.g. OU=$HTTP_SHIB_IDENTITY_PROVIDER)
• CN ~= EduPersonTargetedID (BUT not all IdPs give us this)
• How to do the grid authorisation step?
– We add bespoke VOMS AC credentials
Addressing some of Ken's questions
• Federated info plugged into the X.509 / GSI creds. VOMS creds
– Need to inject certificates into trusted CA stores and SOAs.
• Nothing for NGS is really being refactored that isn't already in the pipeline,
– except we hope-to-make/foresee use of MyProxy extensions from our sister project: ShibGrid: http://www.oerc.ox.ac.uk/activities/projects/index.xml.ID=ShibGrid
• No other choices of system, given the UK SDSS and NGS.
• LoA is being conveyed to the grid along with bespoke VO membership assertions.
– Initially by the CA certificate used to sign X509 credentials
– Maybe by an LoA X509v3 extension
• How much of this is AuthN and how much is AuthZ depends on your perspective!
– We think that the CTS is a representation of a VO,
– we'd like someone else to do the AuthN out (see ShibGrid)
• We expect the Portal that consumes the GSI cred and the subsequent grid to not treat these credentials differently to how it treats other GSI creds
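The two slides above leave the certificate-construction rules as bullet points: pick the signing CA from the LoA, build a DN from the CTS id, the IdP id (the Shibboleth SP's Shib-Identity-Provider header) and eduPersonTargetedID, and let the relying party recover the LoA from either the CA or an X.509v3 extension. The following is an added illustration of those rules, not SHEBANGS code; the LoA labels, CA names, the `loa` attribute name and the extension name are constructed for the example, and the DN is written in the OpenSSL one-line order the slide uses. It also handles the two caveats the slides raise: an IdP that releases no eduPersonTargetedID, and attribute values that could inject extra RDNs into the DN if not escaped.

```python
"""CTS-side certificate planning and relying-party LoA recovery for a
Shibboleth-to-GSI credential translation service. Added example, not
SHEBANGS code; attribute names, LoA labels, CA names and the extension
name are constructed."""
from dataclasses import dataclass, field

# Characters that RFC 4514 requires to be escaped inside an attribute value.
_RFC4514_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an RDN value per RFC 4514. Attribute values arrive from a remote
    IdP, so without this 'bob, O=OtherOrg' would inject a second RDN."""
    if value == "":
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _RFC4514_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))  # control characters as hex pairs
        else:
            out.append(ch)
    return "".join(out)


# Option 1 from the slides: the LoA is conveyed by which CA signed the cert.
# CA names are constructed, in the OpenSSL one-line order the slide uses.
CA_FOR_LOA = {
    "high":   "C=UK, O=ThisCTS, CN=CTS High-LoA CA",
    "medium": "C=UK, O=ThisCTS, CN=CTS Medium-LoA CA",
    "low":    "C=UK, O=ThisCTS, CN=CTS Low-LoA CA",
}
LOA_FOR_CA = {dn: loa for loa, dn in CA_FOR_LOA.items()}

# Option 2 from the slides: an X.509v3 extension carrying the LoA.
# The extension name is a placeholder, not a registered OID.
LOA_EXTENSION = "x-cts-loa"


@dataclass(frozen=True)
class IssuedCert:
    issuer_dn: str
    subject_dn: str
    extensions: dict = field(default_factory=dict)


def plan_certificate(shib_attrs, cts_id="C=UK, O=ThisCTS", use_extension=False):
    """Decide issuer and subject for a user whose Shibboleth attributes, as the
    SP exposes them in request headers, are given in shib_attrs."""
    idp = shib_attrs.get("Shib-Identity-Provider")   # $HTTP_SHIB_IDENTITY_PROVIDER
    loa = shib_attrs.get("loa")                      # attribute name is an assumption
    targeted_id = shib_attrs.get("eduPersonTargetedID")
    if not idp:
        raise ValueError("assertion carries no IdP identity")
    if loa not in CA_FOR_LOA:
        raise ValueError(f"unknown or missing LoA {loa!r}; refusing to issue")
    if not targeted_id:
        # Slide caveat: not all IdPs release eduPersonTargetedID. Without a
        # stable per-user value there is nothing safe to put in the CN.
        raise ValueError("IdP released no eduPersonTargetedID; cannot build CN")
    subject = ", ".join([cts_id,
                         "OU=" + escape_rdn_value(idp),
                         "CN=" + escape_rdn_value(targeted_id)])
    exts = {LOA_EXTENSION: loa} if use_extension else {}
    return IssuedCert(CA_FOR_LOA[loa], subject, exts)


def loa_of_cert(cert, trusted_cas=frozenset(CA_FOR_LOA.values())):
    """Relying-party side: reject certs from CAs outside the trusted store,
    then read the LoA from the extension if present, else from the issuer."""
    if cert.issuer_dn not in trusted_cas:
        raise ValueError("issuer not in trusted CA store")
    if LOA_EXTENSION in cert.extensions:
        ext_loa = cert.extensions[LOA_EXTENSION]
        if ext_loa not in CA_FOR_LOA:
            raise ValueError(f"malformed LoA extension {ext_loa!r}")
        return ext_loa
    return LOA_FOR_CA[cert.issuer_dn]
```

The relying-party check deliberately verifies the issuer against the trusted store before reading any extension: the "inject certificates into trusted CA stores" step on the slide is what makes the issuer DN a reliable LoA signal, and an extension in a certificate from an unknown CA carries no assurance at all.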
fin
Basic Access to the National Grid Service Today
NGS is a Globus 2 based Grid
• Users need the means to authenticate themselves: GSI credentials
• The NGS needs the means to make authorization decisions: Grid-map + ...
• Users need heavyweight tools and network access
We target users without these.
Portal Access to the National Grid Service Today
• Clients no longer need heavyweight tools.
Portal Access to the National Grid Service Today
1 Client delegates their credential to MyProxy
2 Client uses a browser to access the Portal
3 Portal obtains the client's credential
4 Portal accesses the Grid
Portal Access to the NGS through SHEBANGS
• Clients no longer need heavyweight tools.
• Clients no longer need GSI Credentials
Portal Access to the National Grid Service Today
1-7 Client logs into CTS via Shibboleth Mechanisms
7.5 CTS creates an X509 Certificate based upon SAML Assertions
8 CTS delegates a GSI Proxy certificate to MyProxy
9-12 Client uses username/password/MyProxy triplet to access the Grid via the Portal
Portal Access to the NGS through SHEBANGS
• Issues
– The system covers only authentication
– The identity will be authentic but not recognized
– Need/want to use VOMS credentials
– Need to maintain decisions
• Outcomes
– Clients no longer need GSI Credentials
– Shibbolized VOMS service and Online CA