GridShib and MyProxy Grid Credential Management and Identity Federation


GridShib and MyProxy
Grid Credential Management and Identity Federation

Von Welch
NCSA
[email protected]

OGF19 http://myproxy.ncsa.uiuc.edu/ 2

Plug - Longer Talks

Wed @ 2-3:30pm

GridShib, MyProxy, GAARDS

Mountain Laurel


GridShib

dev.Globus Incubator Project
Collaborative between NCSA and U. Chicago

GridShib is a project funded by the NSF Middleware Initiative, NMI awards 0438424 and 0438385. Opinions and recommendations are those of the authors and do not necessarily reflect the views of the National Science Foundation.

Also many thanks to Internet2 Shibboleth Project


What is GridShib?

Allows Shibboleth interoperability and SAML functionality in the Globus Toolkit

Allows GT to parse SAML attributes and use for authorization

Allows portals to embed Shibboleth attributes in Grid credentials

Allows conversion of Shibboleth authentication to Grid credentials


Software Components

GridShib for Globus Toolkit GridShib for Shibboleth

Includes GridShib Certificate Registry GridShib Certificate Authority GridShib SAML Tools


GridShib for GT 0.5

GridShib for GT 0.5 announced Nov 30
Compatible with both GT4.0 and GT4.1
  GT4.1 introduces powerful authz framework
  Separate binaries for each GT version
  Source build auto-senses target GT platform
New identity-based authorization feature
  Uses grid-mapfile instead of DN ACLs
Logging enhancements
Bug fixes


GridShib for GT 0.5.1

GridShib for GT 0.5.1 (expected any day now)
Combined VOMS/SAML attribute to account mapping
  As with the current gridmap situation, GT4.0.x deployments cannot take advantage of permit overrides and arbitrarily configure fallbacks
  To accommodate this we'll allow for a name mapping scheme that checks in this order and continues to fall back if no match/authz is granted: gridmap, VOMS, Shibboleth/SAML
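The ordered fallback on this slide, as an added example rather than GridShib's own (Java) code: the Go standard library stands in for the GT implementation, the grid-mapfile lines follow the real file format (a double-quoted DN followed by comma-separated local accounts) but the DNs, the VOMS FQAN table, the SAML attribute table and the account names are all constructed for the example. The point it shows is the combining rule the slide implies for GT4.0.x: each source is tried in turn, the first one that produces an account wins, and a later source never overrides or augments an earlier result.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed grid-mapfile (not from the slides): a double-quoted DN followed
// by one or more comma-separated local accounts; the first is the default.
const sampleGridmap = `
# identity-based mappings
"/C=US/O=NCSA/CN=Von Welch" vwelch,grid
"/C=US/O=NCSA/CN=Alice Example" alice
`

// Constructed VOMS mapping: fully qualified attribute name -> pool account.
var vomsMap = map[string]string{
	"/myvo/Role=admin": "myvo-admin",
	"/myvo/Role=NULL":  "myvo-user",
}

// A SAML attribute as pushed by Shibboleth (name and one value).
type samlAttr struct{ Name, Value string }

// Constructed SAML mapping: attribute name/value -> local account.
var samlMap = map[samlAttr]string{
	{"urn:mace:dir:attribute-def:eduPersonEntitlement", "urn:mace:example.org:grid:cluster"}: "shibuser",
}

// decision records which source granted the account; an empty Source means
// no source matched and the request is denied.
type decision struct {
	Account string
	Source  string // "gridmap", "voms" or "saml"
}

// parseGridmap reads grid-mapfile lines into DN -> accounts.
func parseGridmap(text string) map[string][]string {
	m := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || !strings.HasPrefix(line, `"`) {
			continue
		}
		end := strings.Index(line[1:], `"`) // the DN contains spaces, so it is quoted
		if end < 0 {
			continue
		}
		dn := line[1 : 1+end]
		for _, a := range strings.Split(line[2+end:], ",") {
			if a = strings.TrimSpace(a); a != "" {
				m[dn] = append(m[dn], a)
			}
		}
	}
	return m
}

// mapAccount applies the ordered fallback from the slide: gridmap, then VOMS,
// then Shibboleth/SAML. The first source that matches wins; nothing later can
// override it, and if no source matches the request is denied.
func mapAccount(gm map[string][]string, dn string, fqans []string, attrs []samlAttr) decision {
	if accts := gm[dn]; len(accts) > 0 {
		return decision{accts[0], "gridmap"}
	}
	for _, f := range fqans { // FQANs in the order the VOMS server listed them
		if a, ok := vomsMap[f]; ok {
			return decision{a, "voms"}
		}
	}
	for _, at := range attrs {
		if a, ok := samlMap[at]; ok {
			return decision{a, "saml"}
		}
	}
	return decision{} // no match anywhere: deny
}

func main() {
	gm := parseGridmap(sampleGridmap)
	cases := []struct {
		dn    string
		fqans []string
		attrs []samlAttr
	}{
		{"/C=US/O=NCSA/CN=Von Welch", []string{"/myvo/Role=admin"}, nil},
		{"/C=US/O=NCSA/CN=Bob Example", []string{"/myvo/Role=NULL"}, nil},
		{"/C=US/O=NCSA/CN=Carol Example", nil, []samlAttr{{"urn:mace:dir:attribute-def:eduPersonEntitlement", "urn:mace:example.org:grid:cluster"}}},
		{"/C=US/O=NCSA/CN=Mallory", nil, nil},
	}
	for _, c := range cases {
		d := mapAccount(gm, c.dn, c.fqans, c.attrs)
		if d.Source == "" {
			fmt.Printf("%-35s denied\n", c.dn)
			continue
		}
		fmt.Printf("%-35s -> %s (via %s)\n", c.dn, d.Account, d.Source)
	}
}
```

The first case is the one worth noticing: the user has a VOMS role that would map to `myvo-admin`, but the gridmap entry is consulted first and wins, which is exactly the "no permit override" behaviour the slide says GT4.0.x deployments are stuck with.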


GridShib for GT 0.6

GridShib for GT 0.6 (expected March 2007)
Full-featured attribute push PIP
  Compatible with current GridShib Attribute Tools
More powerful attribute-based authz policies
  Allow unique issuer in authz policy rules


GridShib SAML Tools

Current version 0.1.2
Self-issues a SAML assertion with up to two statements
Optionally binds this assertion to an X.509 proxy certificate
Supports both SAML AuthenticationStatement and AttributeStatement
Separates the issuing of the SAML from the binding of the SAML


GridShib SAML Tools 0.2.0

Target release date: February 2007
Same command-line interface as v0.1.x (but with more options)
Leverages Shibboleth Attribute Resolver to support more complicated attribute requirements
Support for nested SSO Response
Enhanced logging
Java API for Portal developers


GridShib for Shib Versions

GridShib for Shib 0.5.1 announced Aug 8, 2006
GridShib for Shib 0.6 expected Jan 2007
  Will include SAML Issuer Tool (derived from Shib resolvertest tool)


GridShib for Shib 0.6

GridShib for Shib 0.6 (expected April 2007)
Core (already included in 0.5)
  Requires Shib IdP
  Includes basic plugins and handlers
Certificate Registry (already included in 0.5)
  Requires GridShib for Shib Core
  Includes Derby embedded database
SAML Tools (new in 0.6)
  Requires GridShib for Shib Core
  Includes SAML Issuer Tool and SAML X.509 Binding Tool


GridShib CA 0.3

Substantial improvement over version 0.2
More robust protocol
Installation of trusted CAs at the client
Pluggable back-end CAs
  Uses an openssl-based CA by default
  A module to use a MyProxy CA is included
Certificate registry functionality
  A module that auto-registers DNs with myVocs


GridShib CA 0.4

Target release: March 2007
Fall back to default SSLSocketFactory on error (Bug 4875) [1]
Create CA with domain name components (Bug 4887) [2]
Register certificate on the front channel with GridShib for Shibboleth Certificate Registry
Integrate GridShib SAML Tools to bind simple attribute assertion to EEC
Bind IdP entityID to SIA extension
Handle creating DN from mix of attributes (Bug 4889) [3]


What is MyProxy?

An Online Certificate Authority
  Issues short-lived X.509 End Entity Certificates
  Avoids the need for long-lived user keys
An Online Credential Repository
  Issues short-lived X.509 Proxy Certificates
  Long-lived private keys never leave the server
Supporting multiple authentication methods
  Passphrase, Certificate, PAM, SASL, Kerberos, Pubcookie, VOMS
Open Source Software
  Included in Globus Toolkit, UGE, NMI, VDT, and CoG Kits
  C, Java, Python, and Perl clients available
  Contributions from EDG, UVA, LBL, and others
Protocol specified in GFD-E.54


Topics for Discussion

Credential Renewal
High Availability
Attribute Support
Web Services
Web SSO
Security Context Provisioning
User Registration
HSM Support
Audit Logging
Others?


Credential Renewal

Existing MyProxy-based renewal support
  EGEE Renewal Service
  Condor-G
Future Work
  MyProxy-based GT4 Renewal Service
  Integrated with GT4 Delegation Service
  Support for GRAM, WS-GRAM, RFT


High Availability

Existing support
  Clients retry when server is unreachable
  Documentation for MyProxy CA replication
  Primary-backup replication of MyProxy repository
Future Work
  Robust client retry
  Peer-to-peer repository replication


Attribute Support

Existing support
  VOMS authentication to MyProxy server
  GridShib CA integration with MyProxy
Future Work
  Issue credentials with VOMS assertions
  SAML authentication to MyProxy server


Web Services

Currently MyProxy does not provide a Web Services interface
  C, Java, Perl, Python APIs
Standard Delegation Service interface is needed
  For MyProxy, GT4, and EGEE delegation services


Web Single Sign-on

Existing Support
  MyProxy server accepts Pubcookie tokens
Future Work
  Shibboleth/SAML support
  Other web SSO methods?


Security Context Provisioning

Existing Support
  MyProxy can provision user certificates, CA certificates, and CRLs
  Requires MyProxy server CA certificate to be installed
Future Work
  Java client support
  Zero configuration bootstrap


User Registration

Existing Support
  Provided by PURSE and GAMA
  GridShib CA and OpenIDP
Future Work
  Integration with MyProxy CA
  Integration with attribute and authorization services


HSM Support

Existing Prototypes
  MyProxy repository using IBM 4758
  MyProxy CA using Aladdin eToken
Future Work
  Full support for OpenSSL hardware engines in MyProxy CA


Audit Logging

Existing Support
  All MyProxy server operations are logged to syslog
  Recent improvements to MyProxy CA logging to meet IGTF guidelines
Future Work
  Include auditing information in issued credentials
  Support standard grid logging interfaces


Thank you

Reminder: Wed @ 2-3:30pm, GridShib, MyProxy, GAARDS, Mountain Laurel

For more information:
[email protected]
http://myproxy.ncsa.uiuc.edu/
http://gridshib.globus.org