SAML Overview - Grid Computing at NCSA


GridShib
A Technical Overview
Tom Scavo
[email protected]
NCSA
gridshib-tech-overview-dec05

Overview
• GridShib project details
• GridShib use cases
• GridShib implementation
• GridShib attribute pull profile
• GridShib-MyProxy integration
• GridShib browser profile

What is GridShib?
• GridShib enables secure attribute sharing between Grid virtual organizations and higher-educational institutions
• The goal of GridShib is to integrate the Globus Toolkit® with Shibboleth®
• GridShib adds attribute-based authorization to Globus Toolkit

Tale of Two Technologies
[Diagram: bridging Grid/X.509 with Shib/SAML. Grid side: Grid Client, Globus Toolkit, Grid Security Infrastructure, X.509. Shibboleth side: Shibboleth Federation, Shibboleth, SAML]

Motivation
• Large scientific projects have spawned Virtual Organizations (VOs)
• The cyberinfrastructure and software systems to support VOs are called grids
• Globus Toolkit is the de facto standard software solution for grids
• Grid Security Infrastructure provides basic security services…but does it scale?

Why Shibboleth?
• What does Shibboleth bring to the table?
  – A large (and growing) installed base
  – A standards-based, open source implementation
  – A standard attribute vocabulary (eduPerson)
• A well-developed, federated identity management infrastructure has sprung up around Shibboleth

Shibboleth Federations
• A federation
  – Provides a common trust and policy framework
  – Issues credentials and distributes metadata
  – Provides discovery services for SPs
• Shibboleth-based federations:
  – InCommon (23 members)
  – InQueue (157 members)
  – SDSS (30 members)
  – SWITCH (23 members)
  – HAKA (8 members)

InCommon Federation

Introduction

GridShib Project
• GridShib is a project funded by the NSF Middleware Initiative (NMI awards 0438424 and 0438385)
• GridShib is a joint project of NCSA, University of Chicago, and Argonne National Laboratory
• Project web site: http://gridshib.globus.org/

Milestones
• Dec 2004, GridShib project commences
• Feb 2005, Developers onboard
• Apr 2005, Globus Toolkit 4.0 released
• May 2005, GridShib Alpha released
• Jul 2005, Shibboleth 1.3 released
• Sep 2005, GridShib Beta released
• GridShib-MyProxy integration TBA

Related Projects
• Globus Toolkit: http://www.globus.org/toolkit/
• Shibboleth: http://shibboleth.internet2.edu/
• LionShare: http://lionshare.its.psu.edu/
• eSP-grid: http://escience.ox.ac.uk/oesc/projects/index.xml.ID=body.1_div.1#esp

Leveraged Standards
• X.509 Public Key Infrastructure (RFC 3280)
• Proxy certificates (RFC 3820)
• OASIS SAML 1.1: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security#samlv11
• Internet2 Shibboleth: http://shibboleth.internet2.edu/docs/internet2-mace-shibboleth-arch-protocols-latest.pdf

Use Cases
• There are three use cases under consideration:
  1. Established grid user (non-browser)
  2. New grid user (non-browser)
  3. Portal grid user (browser)
• Initial efforts have concentrated on the established grid user (i.e., user with existing long-term X.509 credentials)

Established Grid User
• User possesses an X.509 end entity certificate
• User may or may not use MyProxy Server to manage X.509 credentials
• User authenticates to Grid SP with proxy certificate (grid-proxy-init)
• The current GridShib implementation addresses this use case

New Grid User
• User does not possess an X.509 end entity certificate
• User relies on MyProxy Online CA to issue short-lived X.509 certificates
• User authenticates to Grid SP using short-lived X.509 credential
• Emerging GridShib Non-Browser Profiles address this use case

Portal Grid User
• User does not possess an X.509 cert
• User accesses Grid SP via a browser interface, that is, the client delegates a web application to request a service at the Grid SP
• MyProxy issues a short-lived X.509 certificate via a back-channel exchange
• GridShib Browser Profiles apply

GridShib Implementation

Software Components
• GridShib for Globus Toolkit
  – A plugin for GT 4.0
• GridShib for Shibboleth
  – A plugin for Shibboleth 1.3 IdP
• Shibboleth IdP Tester
  – A test application for Shibboleth 1.3 IdP
• Visit the GridShib Download page: http://gridshib.globus.org/download.html

The Actors
• Standard (non-browser) Grid Client
• Globus Toolkit with GridShib installed (which we call a “Grid SP”)
• Shibboleth IdP with GridShib installed
[Diagram: Client, IdP and Grid SP]

GridShib Attribute Pull Profile
• In the current implementation, a Grid SP “pulls” attributes from a Shib IdP
• The Client is assumed to have an account (i.e., local principal name) at the IdP
• The Grid SP and the IdP have been assigned a unique identifier (providerId)
[Diagram: Client, IdP and Grid SP, steps 1-4 of the attribute pull]

GridShib Attribute Pull Step 1
• The Grid Client requests a service at the Grid SP
• The Client presents a standard proxy certificate to the Grid SP
• The Client also provides a pointer to its preferred IdP
[Diagram: step 1, Client to Grid SP]

IdP Discovery
• The Grid SP needs to know the Client’s preferred IdP
• One approach is to embed the IdP providerId in the proxy certificate
• This requires modifications to the MyProxy client software, however
• Currently the IdP providerId is configured into the Grid SP

GridShib Attribute Pull Step 2
• The Grid SP authenticates the Client and extracts the DN from the proxy cert
• The Grid SP queries the Attribute Authority (AA) at the IdP
[Diagram: step 2, Grid SP to IdP]

Attribute Query
• The Grid SP formulates a SAML attribute query:
  <samlp:AttributeQuery
      Resource="https://globus.org/gridshib">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="http://idp.uchicago.edu/shibboleth">
        CN=GridShib,OU=NCSA,O=UIUC
      </saml:NameIdentifier>
    </saml:Subject>
    <!-- AttributeDesignator here -->
  </samlp:AttributeQuery>
• The Resource attribute is the Grid SP providerId
• The NameQualifier attribute is the IdP providerId
• The NameIdentifier is the DN from the proxy cert
• Zero or more AttributeDesignator elements call out the desired attributes

GridShib Attribute Pull Step 3
• The AA authenticates the requester and returns an attribute assertion to the Grid SP
• The assertion is subject to Attribute Release Policy (ARP)
[Diagram: step 3, IdP to Grid SP]

Attribute Assertion
• The assertion contains an attribute statement:
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
          NameQualifier="http://idp.uchicago.edu/shibboleth">
        CN=GridShib,OU=NCSA,O=UIUC
      </saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute
        AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
        AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
• The Subject is identical to the Subject of the query
• Attributes may be single-valued or multi-valued
• Attributes may be scoped (e.g., [email protected])

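The two slides above (Attribute Query and Attribute Assertion) describe the exchange between the Grid SP and the IdP's Attribute Authority. The following Python is an added illustration of that exchange, not GridShib's own code: it builds the SAML 1.1 AttributeQuery with the providerIds and DN from the slides, then checks the returned attribute statement the way a Grid SP should before trusting it (Subject identical to the query's, only designated attributes kept) and collects single- and multi-valued attributes. SAMPLE_STATEMENT is a constructed stand-in for the IdP's response; its Scope attribute on an AttributeValue assumes the Shibboleth 1.x encoding of scoped values, and the eduPersonScopedAffiliation name is an assumption added for that case.

```python
"""Build the GridShib attribute query and check the IdP's attribute statement
against it (attribute pull profile, steps 2 and 4).

Added example, not GridShib code. ProviderIds, DN and eduPersonAffiliation
come from the slides; SAMPLE_STATEMENT is a constructed response, and the
Scope attribute assumes the Shibboleth 1.x encoding of scoped values."""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
X509_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
SHIB_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

GRID_SP_ID = "https://globus.org/gridshib"            # Grid SP providerId
IDP_ID = "http://idp.uchicago.edu/shibboleth"         # IdP providerId
DN = "CN=GridShib,OU=NCSA,O=UIUC"                     # DN from the proxy cert
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
SCOPED_AFFILIATION = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"

# Constructed response: the slide's statement plus one scoped attribute.
SAMPLE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML}">
  <saml:Subject>
    <saml:NameIdentifier Format="{X509_FORMAT}" NameQualifier="{IDP_ID}">
      {DN}
    </saml:NameIdentifier>
  </saml:Subject>
  <saml:Attribute AttributeName="{AFFILIATION}" AttributeNamespace="{SHIB_NS}">
    <saml:AttributeValue>member</saml:AttributeValue>
    <saml:AttributeValue>student</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute AttributeName="{SCOPED_AFFILIATION}" AttributeNamespace="{SHIB_NS}">
    <saml:AttributeValue Scope="uchicago.edu">member</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def build_attribute_query(grid_sp_id, idp_id, dn, attribute_names=()):
    """Serialise a SAML 1.1 AttributeQuery: Resource = Grid SP providerId,
    NameQualifier = IdP providerId, NameIdentifier = DN from the proxy cert,
    zero or more AttributeDesignators naming the wanted attributes."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", Resource=grid_sp_id)
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    nid = ET.SubElement(subject, f"{{{SAML}}}NameIdentifier",
                        Format=X509_FORMAT, NameQualifier=idp_id)
    nid.text = dn
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}AttributeDesignator",
                      AttributeName=name, AttributeNamespace=SHIB_NS)
    return ET.tostring(query)


def _subject(elem):
    """(Format, NameQualifier, value) of the element's Subject, or raise."""
    nid = elem.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None:
        raise ValueError("Subject/NameIdentifier missing")
    return nid.get("Format"), nid.get("NameQualifier"), (nid.text or "").strip()


def parse_attribute_statement(statement_xml, query_xml):
    """Return {AttributeName: [values]} after checking that the statement's
    Subject is identical to the query's (format, qualifier and value).
    Attributes not designated in the query are dropped; a value carrying a
    Scope attribute is returned as value@scope."""
    query = ET.fromstring(query_xml)
    statement = ET.fromstring(statement_xml)
    if _subject(statement) != _subject(query):
        raise ValueError("assertion Subject does not match the query Subject")
    wanted = {d.get("AttributeName")
              for d in query.findall(f"{{{SAML}}}AttributeDesignator")}
    attrs = {}
    for attr in statement.findall(f"{{{SAML}}}Attribute"):
        name = attr.get("AttributeName")
        if wanted and name not in wanted:
            continue  # the AA released something we did not ask for
        values = []
        for v in attr.findall(f"{{{SAML}}}AttributeValue"):
            text = (v.text or "").strip()
            values.append(f"{text}@{v.get('Scope')}" if v.get("Scope") else text)
        attrs[name] = values
    return attrs


if __name__ == "__main__":
    q = build_attribute_query(GRID_SP_ID, IDP_ID, DN,
                              [AFFILIATION, SCOPED_AFFILIATION])
    print(q.decode())
    print(parse_attribute_statement(SAMPLE_STATEMENT, q))
```

The Subject comparison is the check that matters: an attribute statement whose NameIdentifier differs from the DN the Grid SP extracted from the proxy certificate must not be used for the access decision, whatever else it contains. Signature verification of the enclosing assertion is outside this fragment.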
Name Mapping
• An IdP does not issue X.509 certs so it has no prior knowledge of the DN
• Solution: Create a name mapping file at the IdP (similar to the grid-mapfile at the Grid SP)
  # Default name mapping file
  CN=GridShib,OU=NCSA,O=UIUC gridshib
  "CN=some user,OU=People,DC=doegrids" test
• The DN must conform to RFC 2253

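As an added example (not GridShib's own parser), the following Python reads a name mapping file of the kind shown on the slide and resolves a certificate DN to the IdP's local principal. SAMPLE_MAPFILE is constructed from the slide's two sample lines. The RFC 2253 check is a syntactic sanity check only (comma-separated "type=value" RDNs, rejecting the slash-separated form that grid tools often print), not a full DN parser; an RDN containing a backslash-escaped comma would also need the backslash doubled for the quoting rules used here.

```python
"""Parse an IdP name mapping file (DN -> local principal) and resolve the DN
taken from a proxy certificate.

Added example, not GridShib code. SAMPLE_MAPFILE is constructed from the
slide's two lines; is_rfc2253_dn is a light syntactic check, not a parser."""
import re
import shlex

SAMPLE_MAPFILE = """# Default name mapping file
CN=GridShib,OU=NCSA,O=UIUC gridshib
"CN=some user,OU=People,DC=doegrids" test
"""

# One RDN: attribute type (name or dotted OID), '=', non-empty value.
_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)=.+$")


def is_rfc2253_dn(dn):
    """True if dn looks like 'type=value,type=value,...' (RFC 2253 string
    form). The OpenSSL form /C=US/O=UIUC/CN=x is rejected."""
    parts = re.split(r"(?<!\\),", dn)           # commas not escaped by '\'
    return all(_RDN.match(p.strip()) for p in parts)


def parse_name_mapping(text):
    """Return {dn: principal}. Blank lines and '#' comments are skipped.
    A DN containing spaces must be double-quoted, as in the grid-mapfile.
    A DN mapped to two different principals is an error, not a silent
    override."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)               # honours the double quotes
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected '<DN> <principal>'")
        dn, principal = fields
        if not is_rfc2253_dn(dn):
            raise ValueError(f"line {lineno}: DN is not in RFC 2253 form: {dn}")
        if mapping.get(dn, principal) != principal:
            raise ValueError(f"line {lineno}: conflicting mapping for {dn}")
        mapping[dn] = principal
    return mapping


def lookup_principal(mapping, dn):
    """Local principal for dn, or None when the DN is unmapped (the IdP then
    has no account whose attributes it could release)."""
    if not is_rfc2253_dn(dn):
        raise ValueError(f"DN is not in RFC 2253 form: {dn}")
    return mapping.get(dn)


if __name__ == "__main__":
    table = parse_name_mapping(SAMPLE_MAPFILE)
    print(table)
    print(lookup_principal(table, "CN=GridShib,OU=NCSA,O=UIUC"))
```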
GridShib Attribute Pull Step 4
• The Grid SP parses the attribute assertion and performs the requested service
• A generalized attribute framework is being developed for GT
• A response is returned to the Grid Client
[Diagram: step 4, Grid SP to Client]

Future Work
• Solve the IdP Discovery problem
  – Implement shib-proxy-init
• Implement DB-based name mapping
• Provide name mapping maintenance tools (for administrators)
• Design an interactive name registry service (for users)
• Devise metadata repositories and tools

GridShib-MyProxy Integration

Shib Browser Profile
• Consider a Shib browser profile stripped to its bare essentials
• Authentication and attribute assertions are produced at steps 2 and 5, resp.
• The SAML Subject in the authentication assertion becomes the Subject of the attribute query at step 4
[Diagram: Client, IdP and SP, steps 1-6 of the browser profile]

GridShib Non-Browser Profile
• Replace the SP with a Grid SP and the browser client with a non-browser client
• Three problems arise:
  – Client must possess X.509 credential to authenticate to Grid SP
  – Grid SP needs to know what IdP to query (IdP Discovery)
  – The IdP must map the SAML Subject to a local principal
[Diagram: Client, IdP and Grid SP]

The Role of MyProxy
• Consider a new grid user instead of the established grid user
• For a new grid user, we are led to a significantly different solution
• Obviously, we must issue an X.509 credential to a new grid user
• A short-lived credential is preferred
• Enter MyProxy Online CA…

MyProxy-first Attribute Pull
• MyProxy with Online CA
• MyProxy inserts a SAML authN assertion into a short-lived, reusable EEC
• IdP collocated with MyProxy
[Diagram: Client, MyProxy, IdP and Grid SP, steps 1-6 of the MyProxy-first attribute pull]

MyProxy-first Attribute Pull Step 1
• A MyProxy Client sends a MyProxy Protocol request to a MyProxy Server
• Any authentication method supported by MyProxy may be used
[Diagram: step 1, Client to MyProxy]

MyProxy-first Attribute Pull Step 2
• The MyProxy Server authenticates the requester
• MyProxy issues an X.509 credential with embedded authN assertion
• The credential is returned in a MyProxy Protocol response
[Diagram: step 2, MyProxy to Client]

Authentication Assertion
• MyProxy inserts an assertion containing a minimal authentication statement into the certificate:
  <saml:AuthenticationStatement
      AuthenticationInstant="2004-12-05T09:22:00Z"
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password">
    <saml:Subject>
      <saml:NameIdentifier
          Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
          NameQualifier="https://idp.example.org/shibboleth">
        [email protected]
      </saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
• AuthenticationMethod may be used by Grid SP
• The NameQualifier attribute is the IdP providerId
• The IdP easily maps the NameIdentifier to the desired local principal

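The slide says the Grid SP may use AuthenticationMethod and that NameQualifier names the IdP whose AA will be queried (step 4 of the MyProxy-first profile). The Python below is an added example, not MyProxy or GridShib code, of what that processing looks like on the Grid SP side: it extracts the IdP providerId, name identifier and method from the embedded statement, then applies local policy (trusted IdP set, accepted methods, maximum assertion age with a small clock-skew allowance) before any attribute query is sent. SAMPLE_AUTHN is the slide's statement with a namespace declaration and a constructed e-mail address; NOW, MAX_AGE and the accepted-method and trusted-IdP sets are constructed policy values.

```python
"""Process the SAML authentication statement MyProxy embeds in the short-lived
certificate, as the Grid SP does at step 4 of the MyProxy-first profile.

Added example, not MyProxy or GridShib code. SAMPLE_AUTHN is the slide's
statement with xmlns and a constructed address; policy values are
constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
IDP_ID = "https://idp.example.org/shibboleth"       # IdP providerId

SAMPLE_AUTHN = f"""<saml:AuthenticationStatement xmlns:saml="{SAML}"
    AuthenticationInstant="2004-12-05T09:22:00Z"
    AuthenticationMethod="{AM_PASSWORD}">
  <saml:Subject>
    <saml:NameIdentifier Format="{EMAIL_FORMAT}" NameQualifier="{IDP_ID}">
      user@example.org
    </saml:NameIdentifier>
  </saml:Subject>
</saml:AuthenticationStatement>"""

# Constructed clock and policy for the demonstration.
NOW = datetime(2004, 12, 5, 9, 30, tzinfo=timezone.utc)
MAX_AGE = timedelta(hours=1)
ACCEPTED_METHODS = {AM_PASSWORD, AM_X509}
TRUSTED_IDPS = {IDP_ID}


def _parse_instant(text):
    """SAML dateTime in UTC ('...Z') -> timezone-aware datetime."""
    if not text.endswith("Z"):
        raise ValueError("AuthenticationInstant must be in UTC (trailing Z)")
    return datetime.fromisoformat(text[:-1]).replace(tzinfo=timezone.utc)


def parse_authn_statement(xml_text):
    """Extract the fields the Grid SP needs from the embedded statement."""
    stmt = ET.fromstring(xml_text)
    if stmt.tag != f"{{{SAML}}}AuthenticationStatement":
        raise ValueError("not a saml:AuthenticationStatement")
    nid = stmt.find(f"{{{SAML}}}Subject/{{{SAML}}}NameIdentifier")
    if nid is None or not (nid.text or "").strip():
        raise ValueError("Subject/NameIdentifier missing")
    return {
        "instant": _parse_instant(stmt.get("AuthenticationInstant", "")),
        "method": stmt.get("AuthenticationMethod"),
        "format": nid.get("Format"),
        "idp": nid.get("NameQualifier"),   # providerId of the AA to query
        "name": nid.text.strip(),
    }


def check_authn_statement(info, now, max_age, accepted_methods, trusted_idps,
                          skew=timedelta(minutes=5)):
    """Return a list of policy problems; an empty list means the Grid SP may
    go on to query the AA at info['idp'] for this subject."""
    problems = []
    if info["idp"] not in trusted_idps:
        problems.append(f"IdP {info['idp']} is not in the trusted set")
    if info["method"] not in accepted_methods:
        problems.append(f"authentication method {info['method']} not accepted")
    if info["instant"] > now + skew:
        problems.append("AuthenticationInstant lies in the future")
    elif now - info["instant"] > max_age:
        problems.append("authentication assertion is too old")
    return problems


if __name__ == "__main__":
    info = parse_authn_statement(SAMPLE_AUTHN)
    print(info)
    print(check_authn_statement(info, NOW, MAX_AGE, ACCEPTED_METHODS, TRUSTED_IDPS))
```

The age check matters because the slide's credential is described as reusable: the certificate may still be valid long after the authentication it records, so the Grid SP decides for itself how old an authentication event it will accept for a given service. Whether the embedded assertion's signature and the certificate chain back to MyProxy's Online CA are valid is checked by the Grid SP's X.509 and SAML layers before this code runs.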
MyProxy-first Attribute Pull Step 3
• A Grid Client requests a service at a Grid SP
• The client presents the decorated X.509 certificate obtained from MyProxy
[Diagram: step 3, Client to Grid SP]

MyProxy-first Attribute Pull Step 4
• The Grid SP authenticates the Client and processes the assertion
• The Grid SP queries the Shib Attribute Authority (AA) referred to in the assertion
[Diagram: step 4, Grid SP to IdP]

MyProxy-first Attribute Pull Step 5
• The AA authenticates the requester and returns an attribute assertion to the Grid SP
• The assertion is subject to policy
[Diagram: step 5, IdP to Grid SP]

MyProxy-first Attribute Pull Step 6
• The Grid SP parses the attribute assertion and makes an access control decision
• A response is returned to the Client
[Diagram: step 6, Grid SP to Client]

MyProxy-first Advantages
• Relatively easy to implement
• Requires only one round trip by the client
• Requires no modifications to the Shib IdP
• Requires no modifications to the Client
• Supports multiple authentication mechanisms out-of-the-box
• Uses transparent, persistent identifiers:
  – No coordination of timeouts necessary
  – Mapping to local principal is straightforward

IdP-first Non-Browser Profiles
• The IdP-first profiles require no shared state between MyProxy and the IdP
• Supports separate security domains
• Leverages existing name identifier mappings at the IdP
• IdP-first profiles may be used with either Attribute Pull or Attribute Push

Attribute Pull or Push?
[Diagram: Pull: the user sends a request to the Grid SP, which requests attributes from the AA. Push: the user requests attributes from the AA and presents them with the request to the Grid SP]

IdP-first Attribute Pull
• MyProxy with Online CA
• MyProxy consumes and produces SAML authN assertions
• The Client authenticates to MyProxy with a SAML authN assertion
[Diagram: Client, IdP, MyProxy and Grid SP, steps 1-8 of the IdP-first attribute pull]

IdP-first Attribute Push
• The IdP “pushes” an attribute assertion to the Client
• The Client authenticates to MyProxy with a SAML authN assertion
• MyProxy consumes both SAML authN and attribute assertions
[Diagram: Client, IdP, MyProxy and Grid SP, steps 1-6 of the IdP-first attribute push]

IdP-first Advantages
• Since IdP controls both ends of the flow:
  – Mapping NameIdentifier to a local principal is straightforward
  – Choice of NameIdentifier format is left to the IdP
• Attribute push simplifies IdP config and trust relationships
• Reusable by grid portal use case

GridShib Browser Profiles

IdP-first Browser Profiles
• As a consequence of the IdP-first Non-Browser profiles, MyProxy gains the ability to consume SAML assertions
• If we replace the non-browser client with a web component, we can reuse that functionality in the following GridShib Browser Profile

IdP-first Attribute Pull
• The first three steps are normal Shib Browser/POST
• A Shib SP is protecting a web version of MyProxy Client
[Diagram: Client, IdP, SP, MyProxy and Grid SP, steps 1-10 of the IdP-first browser attribute pull]

The 3-tier Problem
• How does the browser user delegate authority to the web component to retrieve an X.509 credential on its behalf?
• This problem is an instance of the so-called n-tier problem

Delegation Profile
• No widely accepted solution to this problem exists today
• The Shib dev team has proposed a SAML2-based solution: http://shibboleth.internet2.edu/docs/draft-cantor-saml-sso-delegation-01.pdf
• The implications for GridShib are not clear at this point