SWITCH Plans for Shibboleth and Grid

GGF16 Feb 14, 2006
Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury), SWITCH

2006 © SWITCH



First an important reminder….

Happy Valentine’s Day


SWITCHaai

• SWITCH built up and now operates SWITCHaai, a national Shibboleth-based AAI

• AAI efforts started in 2002; in production mode since last summer

• Current status:
  – Approx. 133’000 members of the Swiss higher education sector have AAI-enabled accounts
  – Approx. 10’000 use SWITCHaai on a regular basis

• So far SWITCH has not been active in grids

• Among other things SWITCH also operates SWITCHpki


SWITCH and EGEE-2

• SWITCH work on interoperability of Shibboleth and gLite is part of EGEE-2 proposal (by SWITCH in EGEE NREN Federation)

• Focus is on
  – Interoperability (NO replacement for X.509)
  – Specific for EGEE-2 infrastructure (VOMS etc.)
  – Integrate, re-use, re-engineer existing code, write new code only as needed

• Key Concepts:
  – Home institution of the user should be the Identity Provider
  – Home institution provides some attributes
  – But VO is needed for (grid specific) attributes


Plan

• Work will start in April 2006 and last for 2 years

• Our plan consists of three phases
  – Two initial, shorter phases with the goal
      – Start small and hook up Shibboleth AAI to a gLite grid with minimum amount of changes (in particular no change at the CE)
      – Build up knowledge and expertise
      – April 06 --> summer/fall
  – A longer third phase
      – SAML support at the resource end
      – Design during phase 1 and 2 (summer 06)
      – Implementation fall 06 --> spring 08


Phase 1 and 2


Phase 1: Integration with SWITCHpki

Generation of X.509 by Shib Resource based on AuthN at IdP

Admin. Procedures are key for quality of user management System (EUGRIDPMA compliant)

Different kinds of assurance levels

User generates key pair and submits certificate signing request


Phase 3: SAML Support at the Resource

• Goal: Support for SAML for authentication and authorization without relying on X.509 (on a configurable basis)

• Should be based on SAML2 and Shibboleth2
  – Supports ECP Profile (constrained delegation)
  – Detailed Design to be done in summer 2006 (depends on Shib2)


Access for Grid Users to Shib SP

Intention: add “symmetry” between enabling access for Shib and grid users

Test-bed SWITCH INFN in 2006


Q & A