
Combining the strengths of UMIST and The Victoria University of Manchester

Adapting to Federated Identity

SHEBANGS

Shibboleth Enabled Bridge to Access the National Grid Service

http://www.mc.manchester.ac.uk/research/shebangs

Mike Jones

Federated Identity 2/4 OGF19

Page 2: Introduction

• SHEBANGS is all about getting a federation of users onto the UK National Grid Service (NGS)

• Roadmap for Shibboleth within UK academia via the SDSS Federation

– http://www.sdss.ac.uk/

• Requirement for GSI credentials to log in to and use the NGS

• Experimental Shibboleth usage for Levels of Assurance (LoA) via the FAME IdP

– http://www.fame-permis.org/

Page 3: Credential Translation

• A Shibboleth IdP provides a signed assertion to an SP about the identity of a client (plus bells and whistles)

– The NGS accepts authentic X.509 certificates / GSI proxies

– The NGS allows usage based upon attributes within the X.509 certificate / GSI proxy

• Shibboleth is browser based

– Can't use command lines, BUT can use portals (the NGS has portals)

• SHEBANGS makes a Credential Translation Service (CTS) which is both

– a Shibboleth SP

– a GSI root of trust

Page 4: Notes

• Change of root of trust: the grid trusts the CTS as a CA rather than seeing the IdP

• Not passing assertions through (IdP -> CTS -> Grid); the NGS can't handle that yet

• The CTS is an online entity (its signing key is online)

– Implications for IGTF CA profiles

• How to construct the X.509 certificate?

– Depending upon LoA, choose a CA certificate

– Some kind of DN based upon

• the ID of the CTS (e.g. C=UK, O=ThisCTS)

• the ID of the IdP (e.g. OU=$HTTP_SHIB_IDENTITY_PROVIDER, the IdP entityID as exported by the SP)

• CN ~= eduPersonTargetedID (BUT not all IdPs give us this)

• How to do the grid authorisation step?

– We add bespoke VOMS attribute certificates (ACs)
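The Notes slide above sketches the certificate the CTS mints: a CA chosen by LoA, a DN built from the CTS identity, the IdP entityID and eduPersonTargetedID, and a signing key that is online. The Go program below is an added example written for this page, not SHEBANGS code: it keeps one in-memory CA per LoA, builds that DN, refuses to mint when the IdP releases no stable identifier, issues a 12-hour end-entity certificate, and shows the relying party recovering the LoA from the issuer. The numeric LoA field, the eduPersonPrincipalName fallback, and the entityID and eduPersonTargetedID values in main are assumptions and constructed sample data, not taken from the slides.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ShibAttrs is what the Shibboleth SP in front of the CTS exports to the application.
// LoA and the eduPersonPrincipalName fallback are assumptions of this example.
type ShibAttrs struct {
	IdentityProvider string // HTTP_SHIB_IDENTITY_PROVIDER: the IdP entityID
	TargetedID       string // eduPersonTargetedID; empty when the IdP withholds it
	PrincipalName    string // eduPersonPrincipalName: assumed fallback identifier
	LoA              int    // assumed: level of assurance asserted for this login
}

// CTS holds one online CA per LoA, so a relying party can read the LoA off the issuer.
type CTS struct {
	certs map[int]*x509.Certificate
	keys  map[int]*ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // key generation or randomness failure: stop rather than mint badly
	}
	return v
}

// NewCTS creates a self-signed, in-memory CA for each supported LoA.
func NewCTS(loas []int) *CTS {
	c := &CTS{certs: map[int]*x509.Certificate{}, keys: map[int]*ecdsa.PrivateKey{}}
	for _, loa := range loas {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
			Subject:      pkix.Name{Country: []string{"UK"}, Organization: []string{"ThisCTS"}, CommonName: fmt.Sprintf("CTS LoA %d CA", loa)},
			NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().Add(365 * 24 * time.Hour),
			KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
		der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
		c.certs[loa], c.keys[loa] = must(x509.ParseCertificate(der)), key
	}
	return c
}

// SubjectFor builds the DN from the Notes slide: C=UK, O=ThisCTS, OU=<IdP entityID>,
// CN=<eduPersonTargetedID>. The OU keeps like-named users of different IdPs apart;
// with no stable per-user identifier the CTS refuses rather than mint a colliding DN.
func SubjectFor(a ShibAttrs) (pkix.Name, error) {
	cn := a.TargetedID
	if cn == "" {
		cn = a.PrincipalName // assumed fallback, not on the slides
	}
	if a.IdentityProvider == "" || cn == "" {
		return pkix.Name{}, errors.New("SP exported no IdP entityID or no stable user identifier")
	}
	return pkix.Name{Country: []string{"UK"}, Organization: []string{"ThisCTS"},
		OrganizationalUnit: []string{a.IdentityProvider}, CommonName: cn}, nil
}

// Issue signs a short-lived end-entity certificate for pub with the CA the LoA selects.
func (c *CTS) Issue(a ShibAttrs, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	ca, ok := c.certs[a.LoA]
	if !ok {
		return nil, fmt.Errorf("no CTS CA for LoA %d", a.LoA)
	}
	subj, err := SubjectFor(a)
	if err != nil {
		return nil, err
	}
	serial := must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: subj, BasicConstraintsValid: true,
		NotBefore:    time.Now().Add(-5 * time.Minute),
		NotAfter:     time.Now().Add(12 * time.Hour), // short-lived: the signing key is online
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, c.keys[a.LoA])
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// LoAOf is the relying party's view: the certificate must chain to one CTS CA,
// and that CA says which LoA the login had.
func (c *CTS) LoAOf(cert *x509.Certificate) (int, error) {
	for loa, ca := range c.certs {
		roots := x509.NewCertPool()
		roots.AddCert(ca)
		if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err == nil {
			return loa, nil
		}
	}
	return 0, errors.New("certificate does not chain to any CTS CA")
}

// NewUserKey stands in for the key pair generated for the client before issuance.
func NewUserKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

func main() {
	cts := NewCTS([]int{1, 2, 3})
	// Constructed sample login: a fictitious IdP releasing an eduPersonTargetedID at LoA 2.
	a := ShibAttrs{IdentityProvider: "https://idp.example.ac.uk/shibboleth", TargetedID: "d3b07384d113edec49eaa6238ad5ff00", LoA: 2}
	cert := must(cts.Issue(a, &NewUserKey().PublicKey))
	fmt.Printf("issued %s at LoA %d, valid until %s\n", cert.Subject, must(cts.LoAOf(cert)), cert.NotAfter.Format(time.RFC3339))
}
```

Two design points worth noting. Conveying LoA through the issuer works only if every relying party has all the CTS CA certificates in its trust store and knows which LoA each one stands for; an unknown issuer is simply rejected, which is the safe failure. And because the CTS key is online, the lifetime of what it signs is kept to hours, which is also what the IGTF concern on the slide is about.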

Page 5: Addressing some of Ken's questions

• Federated info is plugged into the X.509 / GSI credentials and the VOMS credentials

– Need to inject certificates into trusted CA stores and SOAs (sources of authority)

• Nothing for the NGS is really being refactored that isn't already in the pipeline,

– except that we hope to make / foresee use of MyProxy extensions from our sister project, ShibGrid: http://www.oerc.ox.ac.uk/activities/projects/index.xml.ID=ShibGrid

• No other choice of systems, given the UK SDSS Federation and the NGS.

• LoA is being conveyed to the grid along with bespoke VO membership assertions

– Initially by the CA certificate used to sign the X.509 credentials

– Maybe by an LoA X.509v3 extension

• How much of this is AuthN and how much is AuthZ depends on your perspective!

– We think that the CTS is a representation of a VO,

– we'd like someone else to do the AuthN (see ShibGrid)

• We expect the Portal that consumes the GSI credential, and the grid behind it, to treat these credentials no differently from any other GSI credentials

Page 6: fin

Page 7: Basic Access to the National Grid Service Today

The NGS is a Globus 2 based Grid

• Users need the means to authenticate themselves: GSI credentials

• The NGS needs the means to make authorization decisions: grid-mapfile + ...

• Users need heavyweight tools and network access

We target users without these.

Page 8: Portal Access to the National Grid Service Today

• Clients no longer need heavyweight tools.

Page 9: Portal Access to the National Grid Service Today

1 Client delegates their credential to MyProxy

2 Client uses a browser to access the Portal

3 Portal obtains the client's credential from MyProxy

4 Portal accesses the Grid

Page 10: Portal Access to the NGS through SHEBANGS

• Clients no longer need heavyweight tools.

• Clients no longer need GSI Credentials

Page 11: Portal Access to the NGS through SHEBANGS

1-7 Client logs into the CTS via Shibboleth mechanisms

7.5 CTS creates an X.509 certificate based upon the SAML assertions

8 CTS delegates a GSI proxy certificate to MyProxy

9-12 Client uses the username/password/MyProxy triplet to access the Grid via the Portal

Page 12: Portal Access to the NGS through SHEBANGS

• Issues

– The system covers only authentication

– The identity will be authentic but not recognised (no grid-mapfile entry for the new DN)

– Need/want to use VOMS credentials

– Need to maintain the authorisation decisions

• Outcomes

– Clients no longer need GSI credentials

– Shibbolized VOMS service and online CA
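The "Basic Access" slide lists the grid-mapfile as the NGS's authorisation mechanism, and the Issues above note that a CTS-minted identity will be authentic but not recognised. The Go program below is an added example, not NGS or Globus code, that makes that distinction concrete: it parses a constructed grid-mapfile, reduces a legacy GT2 proxy subject to its end-entity DN, and returns a local account only for mapped DNs, so a certificate that chains to the CTS CA still gets no account until an entry is added. The DNs, account names and IdP entityID are invented sample data.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// SampleGridMap is a constructed grid-mapfile in Globus format: a quoted subject DN
// in OpenSSL one-line form, then one or more comma-separated local accounts.
// The entries are invented for this example, not real NGS mappings.
const SampleGridMap = `# constructed sample, not a real NGS grid-mapfile
"/C=UK/O=eScience/OU=Manchester/L=MC/CN=mike jones" mjones
"/C=UK/O=eScience/OU=Manchester/L=MC/CN=some user" ngsuser,ngs001
`

// GridMap maps a certificate subject DN to the local accounts it may use.
type GridMap map[string][]string

// ParseGridMap reads the format above. Malformed lines are rejected rather than
// skipped: a silently dropped entry is an outage, a silently accepted one a grant.
func ParseGridMap(text string) (GridMap, error) {
	gm := GridMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: subject DN must be quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated DN", n)
		}
		dn := line[1 : 1+end]
		var accounts []string
		for _, acct := range strings.Split(line[2+end:], ",") {
			if acct = strings.TrimSpace(acct); acct != "" {
				accounts = append(accounts, acct)
			}
		}
		if len(accounts) == 0 {
			return nil, fmt.Errorf("line %d: no local account for %s", n, dn)
		}
		gm[dn] = append(gm[dn], accounts...)
	}
	return gm, sc.Err()
}

// IdentityOf reduces a GT2-style proxy subject to the end-entity identity by
// stripping the "/CN=proxy" and "/CN=limited proxy" components that legacy Globus
// proxies append; the grid-mapfile is keyed on the end-entity DN.
func IdentityOf(subject string) string {
	for {
		switch {
		case strings.HasSuffix(subject, "/CN=proxy"):
			subject = strings.TrimSuffix(subject, "/CN=proxy")
		case strings.HasSuffix(subject, "/CN=limited proxy"):
			subject = strings.TrimSuffix(subject, "/CN=limited proxy")
		default:
			return subject
		}
	}
}

// Authorise is the decision taken after authentication has already succeeded: a DN
// that chains to a trusted CA but has no entry here is authentic but not recognised.
func (gm GridMap) Authorise(proxySubject string) (string, error) {
	dn := IdentityOf(proxySubject)
	accounts, ok := gm[dn]
	if !ok {
		return "", fmt.Errorf("authentic but not recognised: no grid-mapfile entry for %q", dn)
	}
	return accounts[0], nil
}

func main() {
	gm, err := ParseGridMap(SampleGridMap)
	if err != nil {
		panic(err)
	}
	for _, subj := range []string{
		"/C=UK/O=eScience/OU=Manchester/L=MC/CN=mike jones/CN=proxy",
		"/C=UK/O=ThisCTS/OU=https://idp.example.ac.uk/shibboleth/CN=d3b07384d113edec49eaa6238ad5ff00/CN=proxy",
	} {
		acct, err := gm.Authorise(subj)
		fmt.Printf("%s -> %q %v\n", subj, acct, err)
	}
}
```

One caveat of my own, not from the slides: the one-line DN form uses "/" as the separator, and an OU holding an IdP entityID is itself a URL containing slashes. This example matches whole DN strings exactly, so it is unaffected, but any tool that splits such a DN on "/" will mis-parse it, which is worth checking before putting CTS-issued DNs into a real grid-mapfile.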