Federated access to Grid resources

Transcription

1 Federated access to Grid resources Keith Hazelton Internet2 Middleware Architecture Comm. for Ed. APAN, Singapore, 19-July-06

2 Topics Grid authentication and authorization: The scaling problem Federations Governance/risk management solutions PKI + SAML Technical solutions 2

3 Coming manageability crisis in Grids in R&E User management & resource management: from minor annoyance to major obstacle to growth In Australia, APAC is issuing <200 PKI certificates per year Expecting that to quickly grow to 2,500 per year annually as Grid usage expands, 5X their capacity One example among countless others 3

4 Addressing two sides of the manageability crisis Governance and trust/risk management Federations: sectoral, national, regional, global: IGTF; M.Williams at APAN: IPsphere.org Reliance on campus identity and access management infrastructures VOs layered over these organizational bases Technical management tools Supporting an appropriate division of problem space between SAML and PKI Others: managing roles and privileges... 4

5 Feds & X-feds in trust/risk mgmt. Federations as a big tent under which fed. member organizations and partners can negotiate additional community of interest policies and deals Federations as parties that negotiate Interfederation X-Fed agreements In US: R&E: InCommon; Fed. govt: E-Auth D. Lopez on edugain in Europe: Federation of Federations (confederation) 5

6 InCommon Federation Mission Create and support a common framework for trustworthy shared management of access to online resources in support of education and research in the United States. How? A community-based common trust fabric sufficient to enable participants to make appropriate decisions about access control information provided to them by other participants. 6

7 US E-Authentication Mission Public trust in the security of information exchanged over the Internet plays a vital role in the E-Gov transformation. E-Authentication makes that trust possible. How? Set the standards for the identity proofing of individuals and businesses, based on risk of online services used. The initiative will focus on meeting the authentication business needs of the E-Gov initiatives, building the necessary infrastructure to support common, unified processes and systems. 7

8 X-Federation: FPKI to E-Authentication Federal Common Policy CA Citizen and Commerce Class Policy CA E-Authentication Level 4 Level 3 Level 2 High MediumHW MediumHW-CBP Medium Medium-CBP Basic Rudimentary Federal Bridge CA Level 1 E-Authentication Governance CAs and InCommon member CSPs 2005 Cybertrust. All rights reserved.

9 The technical piece, GridShib: SAML plus PKI an emerging win SAML: OASIS Std.: Security Assertion Markup Language 9

10 Identity Providers Multi-federation PIDP Service Providers 10

11 GridShib Background GridShib Tom Barton, David Champion, Tim Freeman, Kate Keahey, Tom Scavo, Frank Siebenlist, Von Welch NSF NMI project to allow the use of Shibboleth-issued attributes for authorization in NMI Grids built on the Globus Toolkit MyProxy Jim Basney, Bill Baker, Patrick Duda, Von Welch Current support from NCSA Core project, TeraGrid Tom Barton, Jim Basney, Tim Freeman, Tom Scavo, Frank Siebenlist, Von Welch, Rachana Ananthakrishnan, Bill Baker, Monte Goode, and Kate Keahey. Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, Gridshib, and MyProxy. In 5th Annual PKI R&D Workshop (To appear), April

12 New to MyProxy On-line CA functionality Create short-lived certificates in response to user authentication Short-Lived Certificate Service Thanks to LBNL Number of authentication mechanisms supported Webiso pubcookie tokens PAM, OTP, Kerberos Funded by Grids Center 12

13 Prototype CA as SAML SP Shibboleth-protected MyProxy on-line CA Issues short-lived credentials to anyone who can authenticate via InQueue e.g. OpenIdP Uses Java Web Start to get certificate from the web to the desktop Installs in the right place for GT to use Try it out: 13

14 Prototype CA as SAML SP Shibboleth-protected MyProxy on-line CA What does it mean for the Grid scaling problem? No need to wait for universal end-entity PKI deployment gives path to exchange attributes info, too, via Shibboleth/SAML protocols 14

15 Other Grid - SAML/Shibboleth integration projects JISC (funding body for IT in R&E in UK) funding many integration efforts ShibGrid SHEBANG Nat l e-science Centre, Glasgow, BRIDGES/ ESP-Grid, DyVOSE, GLASS, VOTES MAMS in Australia: Erik Vullings et al. Meta Access Management System SWITCH (Swiss R&E Net) integrating Shibboleth & glite 15

16 Q & A hazelton@wisc.edu 16