Posted on 19-Dec-2015
Identity Management, PKI and Grids
Jill Gemmill, PhD
University of Alabama at Birmingham
Acknowledgments
NSF ANI-0330543 “NMI Enabled Open Source Collaboration Tools for Virtual Organizations” (Jill Gemmill, John-Paul Robinson)
N01-LM-3-3513 Advanced Network Infrastructure for Health & Disaster Management (Orthner, Terndrup, Grimes, Gemmill)
Office of the VPIT and IT Academic Computing
Von Welch, Tom Scavo (NCSA/UIUC)
Internet2 MACE and MLIST Working Group members
Serge Aumont, Olivier Salaun (CRU)
Members of the MACE-MLIST Working Group
A little background
UAB has a history of centralized identity management and an early interest in PKI, but today its authentication is LDAP-based username/password.
UAB participated in the NMI Testbed, where we met Shibboleth and the Globus Toolkit. What would it take to integrate these tools with applications in a manner useful to research collaborations (i.e., VOs)?
UAB is entering the High-Performance Computing community via faculty acquisitions: an application-focused group and a computing research group.
What’s a Virtual Organization?
A set of collaborators bound together by a project of common interest:
• Very large scale science projects (e.g., TeraGrid)
• Half a dozen or so collaborators in a funded multidisciplinary project
• Physicians at 60 cancer centers wanting to share clinical data to increase N or to focus on special sub-populations
• An Internet2 Working Group; a conference planning committee
In general, VO members are from different institutions.
About Grid Security Infrastructure (GSI)
Grids (Foster, Kesselman)
• Purpose: to support research VOs
• Implementation: NMI GRIDS / Globus Toolkit
PKI-based security infrastructure using X.509 certificates:
• Keys (certificates) distributed to each end user; client-server, non-web requirements
• “Surely global PKI is almost here”
• Authorization to be dealt with later
KEY INSIGHT: separation of identity from the system-specific account.
Grid Authorization
Today, the Globus Toolkit provides identity-based authorization mechanisms:
• Access control lists (called grid-mapfiles) that map certificate DNs to a local identity (e.g., a Unix login)
• Community Authorization Service (CAS)
• PERMIS and VOMS
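To make the grid-mapfile mechanism concrete, here is an added example of the identity-based lookup a grid resource performs; it is example code written for this page, not Globus Toolkit code. It assumes the Globus entry format `"<subject DN>" user[,user...]` (first local name is the default account), that proxy certificate subjects are reduced to the end-entity DN by stripping trailing `/CN=proxy`, `/CN=limited proxy` or numeric `/CN=<n>` components, and that the first entry for a DN wins (the example's own policy). The sample mapfile is constructed.

```python
"""Identity-based grid authorization: a grid-mapfile lookup (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample grid-mapfile: "<subject DN>" local_user[,local_user...]
SAMPLE_MAPFILE = r'''
# Compute resource grid-mapfile (constructed sample, not a real site's)
"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher" jresearch,vo_xyz
"/C=US/O=Example Grid/OU=UIUC/CN=Von Welch" vwelch
"/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher" other
/C=US/O=Example Grid/CN=Unquoted Entry nobody
'''

# A quoted DN (it usually contains spaces), whitespace, comma-separated accounts.
ENTRY_RE = re.compile(r'^"([^"]+)"\s+([A-Za-z0-9_.,-]+)\s*$')


@dataclass
class GridMap:
    entries: Dict[str, List[str]] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)  # malformed/duplicate lines, for audit


def parse_gridmap(text: str) -> GridMap:
    gm = GridMap()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            gm.rejected.append(raw)  # never silently accept a line we cannot parse
            continue
        dn, users = m.group(1), [u for u in m.group(2).split(",") if u]
        if dn in gm.entries:
            gm.rejected.append(raw)  # first entry for a DN wins (example policy)
            continue
        gm.entries[dn] = users
    return gm


# Proxy certificates carry the end-entity subject plus extra CN components:
# legacy Globus proxies append "/CN=proxy" or "/CN=limited proxy", RFC 3820
# proxies append "/CN=<integer>". Strip them to recover the identity DN.
# Caveat: an end-entity whose own CN is purely numeric would be mis-stripped.
PROXY_CN_RE = re.compile(r"/CN=(?:proxy|limited proxy|\d+)$")


def base_identity(subject: str) -> str:
    while PROXY_CN_RE.search(subject):
        subject = PROXY_CN_RE.sub("", subject, count=1)
    return subject


def map_to_account(gm: GridMap, subject: str, requested: Optional[str] = None) -> Optional[str]:
    """Local account for a certificate subject, or None if the DN is not authorized.
    Without a requested account the entry's first name is used; a requested
    account is honoured only if it is listed for that DN."""
    users = gm.entries.get(base_identity(subject))
    if not users:
        return None
    if requested is None:
        return users[0]
    return requested if requested in users else None


if __name__ == "__main__":
    gm = parse_gridmap(SAMPLE_MAPFILE)
    proxy = "/C=US/O=Example Grid/OU=UAB/CN=Jane Researcher/CN=proxy"
    print("proxy ->", map_to_account(gm, proxy))
    print("rejected lines:", gm.rejected)
```

Note what the mapfile cannot express: nothing about the VO the user belongs to, only a flat DN-to-account list that someone at every resource must keep in sync, which is exactly the scaling problem the rest of the talk addresses.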
Early UAB NMI Testbed work: using pubcookie (web-enabled single sign-on) for grid authentication, similar to UVa’s approach.
Components:
• Web-based grid portal (OGCE)
• Web-based CA (PHPKI)
• Secure end-user certificate repository
Details: Robinson, J.-P., Gemmill, J., et al. (2005). Web-Enabled Grid Authentication in a Non-Kerberos Environment. In: 6th IEEE/ACM International Workshop on Grid Computing.
Central Challenges
Authorization based on VO membership requires:
• Cross-domain authentication (leverage distributed identity management)
• A “member of VO XYZ” attribute, which is central for access control
• The VO being authoritative for its own membership assignment and roles
• A solution that works for both web and non-web applications
What Cross-Domain Security Architectures Exist?
GRIDS: digital certificates (X.509 / PKI)
• Cross-domain trust can be managed scalably through bridged CAs
• Certificates carry only a user identifier (DN)
FEDERATIONS (SAML, Shibboleth, WS-Security)
• Digitally signed security assertions
• Carry identity, AuthN method, and other attributes
Don’t Existing Solutions Provide What Is Needed by VOs? (No!)
• Single-domain solutions are inadequate
• End-user certificate distribution and management has proven to be troublesome and non-scalable
• Essential VO (group) membership information is not provided consistently by either one
• Most collaboration tools are accessed by web browser (not client software with a certificate)
Observation 1
The size and vast number of VOs makes it difficult for administrators to manage the identity of each user in the VO (and VO members don’t want more passwords to remember).
Goal: leverage existing identity management infrastructure. The eduPerson/Shibboleth infrastructure appeared promising for identity management.
Observation 2
Identity-based access control methods are inflexible and do not scale.
Goal: use attribute-based access control. Shibboleth, an attribute transport mechanism linked to identity management, appeared promising.
Observation 3
The most important attribute for VOs is: “member of VO-XYZ”
Who is authoritative for VO attributes? The enterprise? (No.) The VO? (Yes!)
How are VO attributes created? Where are VO attributes stored?
myVocs Overview (my Virtual Organization Collaboration System)
myVocs Manages Attributes
A Look Inside myVocs
[Diagram, built up over several slides: the myVocs VO Attribute Authority holds four tables, Users, VOs, VOMembers and VORoles, from which it derives attributes. Inside the “VO Space” a VO IdP asserts those attributes to one VO SP per application (MailList, CMS, Wiki, YourApp). A Shibboleth SP on the myVocs side accepts logins from external identity providers: UAB IdP, UIUC IdP, openidp.org IdP, U. Chicago IdP.]
myVocs Membership Management Tool: Sympa
Mailing lists are central to collaborations:
• Specify a collection of individuals
• Define useful member roles
• Generally autonomous
Sympa mailing list software supports Shibboleth.
Sympa has an excellent web-based user interface.
Sympa developers were active collaborators.
Shibboleth Drives myVocs
[Diagram, built up over several slides: a client web browser requests a VO application (CMS) protected by a VO SP. The VO SP sends the browser to the VO IdP in myVocs, whose own Shibboleth SP (“ID SP”) uses a WAYF to let the user choose a home IdP in the identity federation (openidp.org in the example). The home IdP authenticates the user and returns identity attributes to myVocs; myVocs adds VO attributes (VOAttribs) from its attribute authority, and the VO IdP asserts the combined identity and VO attributes to the VO SP, which admits the user to the CMS.]
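The two-hop flow in the diagram above, written out as an added example (not myVocs or Shibboleth code) so the checks at each hop are explicit. Assertions are JSON signed with per-issuer HMAC-SHA256 keys, a stand-in for the XML Signature that SAML/Shibboleth use; every issuer name, URL, key, user and membership below is constructed. The myVocs side verifies the home IdP's assertion, passes identity attributes through, strips any VO attributes a home IdP might try to assert (the VO is authoritative), adds its own, and re-asserts to the application SP; the SP (or a GridShib-enabled grid resource doing the same check) trusts only the VO IdP for VO attributes.

```python
"""Attribute aggregation the myVocs way, in miniature (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional


def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_assertion(key: bytes, claims: dict) -> str:
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return _b64(body) + "." + _b64(hmac.new(key, body, hashlib.sha256).digest())


def verify_assertion(trusted: Dict[str, bytes], token: str, audience: str, now: float) -> Optional[dict]:
    """Claims if signed by a trusted issuer for this audience and inside the
    validity window; None otherwise. `trusted` plays the role of SP metadata."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict):
        return None
    key = trusted.get(claims.get("issuer"))
    if key is None or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        return None
    try:
        in_window = claims["nbf"] <= now < claims["exp"]
    except (KeyError, TypeError):
        return None
    return claims if in_window and claims.get("audience") == audience else None


# Constructed federation: entity names and signing keys.
HOME_IDP = "https://idp.home.example/shibboleth"   # a campus IdP (or openidp.org)
MYVOCS_SP = "https://myvocs.example/sp"            # myVocs' own Shibboleth SP ("ID SP")
VO_IDP = "https://myvocs.example/idp"              # the VO IdP
APP_SP = "https://cms.vo-xyz.example/sp"           # a VO application's SP
KEYS = {HOME_IDP: b"home-idp-key", VO_IDP: b"vo-idp-key"}
TTL = 300

# Constructed VO attribute authority content: ePPN -> VO -> role.
VO_MEMBERS = {"jane@home.example": {"vo-xyz": "admin"},
              "bob@home.example": {"vo-xyz": "member", "vo-abc": "member"}}
VO_ATTRS = ("isMemberOf", "voRole")  # only the VO may assert these


def home_idp_login(eppn: str, extra: Optional[dict] = None, now: float = 0) -> str:
    attrs = {"eduPersonPrincipalName": eppn, "mail": eppn, **(extra or {})}
    return sign_assertion(KEYS[HOME_IDP], {"issuer": HOME_IDP, "audience": MYVOCS_SP,
                                           "subject": eppn, "attrs": attrs, "nbf": now, "exp": now + TTL})


def myvocs_reassert(home_token: str, app_audience: str, now: float) -> Optional[str]:
    claims = verify_assertion({HOME_IDP: KEYS[HOME_IDP]}, home_token, MYVOCS_SP, now)
    if claims is None:
        return None
    home_attrs = claims.get("attrs", {})
    eppn = home_attrs.get("eduPersonPrincipalName")
    # Identity attributes pass through; VO attributes never do.
    attrs = {k: v for k, v in home_attrs.items() if k not in VO_ATTRS}
    memberships = VO_MEMBERS.get(eppn, {})
    attrs["isMemberOf"] = sorted(memberships)
    attrs["voRole"] = memberships
    return sign_assertion(KEYS[VO_IDP], {"issuer": VO_IDP, "audience": app_audience,
                                         "subject": eppn, "attrs": attrs, "nbf": now, "exp": now + TTL})


def app_authorize(vo_token: str, vo: str, need_role: Optional[str], now: float) -> bool:
    """Application SP: trust only the VO IdP, require membership and optionally a role."""
    claims = verify_assertion({VO_IDP: KEYS[VO_IDP]}, vo_token, APP_SP, now)
    if claims is None:
        return False
    attrs = claims.get("attrs", {})
    if vo not in attrs.get("isMemberOf", []):
        return False
    return need_role is None or attrs.get("voRole", {}).get(vo) == need_role


if __name__ == "__main__":
    t = time.time()
    tok = myvocs_reassert(home_idp_login("jane@home.example", now=t), APP_SP, t)
    print("jane admin on vo-xyz:", app_authorize(tok, "vo-xyz", "admin", t))
```

The test cases worth keeping in mind are the negative ones: a home IdP that asserts `isMemberOf` for a VO gains nothing, a home assertion replayed straight at the application SP is refused (wrong issuer and audience), and an assertion outside its validity window is refused at either hop.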
![Page 35: Identity Management, PKI and Grids Jill Gemmill, PhD University of Alabama at Birmingham](https://reader035.vdocuments.site/reader035/viewer/2022062515/56649d2b5503460f94a00c33/html5/thumbnails/35.jpg)
myVocs automatically provisions:
• Application instances (one set per VO)
• Accounts, based on VO membership and roles
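An added example of what “provisions accounts based on VO membership and roles” has to compute; this is example code written for this page, not myVocs’ provisioning code, and the membership table, application list and application-side state are all constructed. Given the VO attribute authority’s roster and what each per-VO application instance currently holds, it produces the create / enable / update-role / disable actions that make application accounts mirror VO membership, plus the list of application instances a VO still lacks. The deprovisioning direction is the part most often missed: an enabled account with no backing membership, including every account in an instance whose VO no longer exists, is disabled rather than left behind.

```python
"""Reconcile per-VO application accounts against VO membership (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# myVocs-style membership (constructed): VO -> {ePPN: role}
VO_MEMBERS = {
    "vo-xyz": {"jane@uab.example": "admin", "bob@uiuc.example": "member"},
    "vo-abc": {"bob@uiuc.example": "member"},
}
APPS = ["wiki", "cms", "maillist"]  # one instance of each per VO

# Application-side state (constructed): (VO, app) -> {ePPN: (role, enabled)}
APP_STATE = {
    ("vo-xyz", "wiki"): {"jane@uab.example": ("member", True), "carol@uc.example": ("member", True)},
    ("vo-xyz", "cms"): {"jane@uab.example": ("admin", True)},
    ("vo-abc", "maillist"): {"bob@uiuc.example": ("member", False)},
    ("vo-old", "wiki"): {"dave@uc.example": ("admin", True)},  # VO no longer exists
}

Roster = Dict[str, Dict[str, str]]
State = Dict[Tuple[str, str], Dict[str, Tuple[str, bool]]]


@dataclass(frozen=True)
class Action:
    vo: str
    app: str
    eppn: str
    op: str    # "create", "enable", "update" or "disable"
    role: str  # role to apply (for disable: the role being removed)


def missing_instances(members: Roster, state: State, apps: List[str]) -> List[Tuple[str, str]]:
    """Application instances that must be created so every VO has one of each app."""
    return [(vo, app) for vo in members for app in apps if (vo, app) not in state]


def reconcile(members: Roster, state: State, apps: List[str]) -> List[Action]:
    actions: List[Action] = []
    for vo, roster in members.items():
        for app in apps:
            current = state.get((vo, app), {})
            for eppn, role in roster.items():
                if eppn not in current:
                    actions.append(Action(vo, app, eppn, "create", role))
                    continue
                cur_role, enabled = current[eppn]
                if not enabled:
                    actions.append(Action(vo, app, eppn, "enable", role))
                if cur_role != role:
                    actions.append(Action(vo, app, eppn, "update", role))
            # Accounts with no backing membership lose access.
            for eppn, (cur_role, enabled) in current.items():
                if eppn not in roster and enabled:
                    actions.append(Action(vo, app, eppn, "disable", cur_role))
    # Instances belonging to VOs that no longer exist: disable everyone.
    for (vo, app), current in state.items():
        if vo not in members:
            for eppn, (cur_role, enabled) in current.items():
                if enabled:
                    actions.append(Action(vo, app, eppn, "disable", cur_role))
    return actions


if __name__ == "__main__":
    for inst in missing_instances(VO_MEMBERS, APP_STATE, APPS):
        print("create instance", inst)
    for a in reconcile(VO_MEMBERS, APP_STATE, APPS):
        print(a)
```

Run this on a schedule or on every membership change; because the output is a plain list of actions it can be reviewed before being applied, which matters when a bulk roster edit would otherwise disable many accounts at once.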
What is GridShib?
• Authentication: GridShib leverages the existing authentication mechanisms in GT
• Authorization: GridShib provides attribute-based authorization based on Shibboleth
GridShib adds attribute-based authorization to the Globus Toolkit.
Software Components
• GridShib for Globus Toolkit: a plugin for GT 4.0
• GridShib for Shibboleth: a plugin for the Shibboleth 1.3 IdP
• GridShib CA: a web-based CA for new grid users
Visit the GridShib Downloads page: http://gridshib.globus.org/download.html
GridShib CA
The GridShib Certificate Authority is a web-based CA for new grid users: https://authdev.it.ohio-state.edu/twiki/bin/view/GridShib/GridShibCertificateAuthority
The GridShib CA is protected by a Shibboleth SP and backed by the MyProxy Online CA.
The CA issues short-term credentials suitable for authentication to a Grid SP.
Credentials are downloaded to the desktop via Java Web Start.
Results of Integration
What we have enabled
Turn-key Grid VO creation through the integration of GridShib and myVocs:
• myVocs is used to create and manage VOs
• GridShib allows myVocs users to create Grid credentials and access Grid resources
• Grid resources obtain attributes from myVocs and allow access based on them
User Registers with myVocs
[Diagram: the user authenticates at a home IdP; identity and authentication flow to myVocs.]
VO Admin Adds User to VO
Grid Logon
[Diagram: the user authenticates at the home IdP; Grid credentials are issued, yielding a Grid Id.]
Grid Service Invocation
[Diagram: the service is invoked with the Grid credentials (Grid Id); VO attributes are obtained for authorization.]
Remaining Challenges
• Name binding on a global scale
• Attribute aggregation
• Defining VO membership, roles and attributes
• Group and role management
UAB is currently working on a Shibbolized, GridShib CA-integrated version of the GridSphere Portal (also in Australia).
Questions?
For more information: GridShib: http://gridshib.globus.org/ myVocs: http://www.myvocs.org/ Email: