Post on 03-Jan-2016
Motivation
• We want to encourage more users on the NGS
  – Need to cover all areas of research
  – From the single researcher to large projects
  – Security infrastructure must enable this
• PKI often a barrier
• Generalised, not specific
• Straightforward to use
• Community is adopting Shibboleth
Requirements
• User/Project
  – Don’t want to know about certificates (or any other security mechanism!).
  – Transparent access to eScience facilities, consistent with other SSO-enabled components.
  – Access to components at home or away (even Internet Café).
  – Fit in with local authentication schemes.
  – Want to use own project portal.
• NGS
  – Must be compatible with GT2 and registration system.
• VOMS in the future.
Use cases
• Access to the Grid solely with Shibboleth
• Use standard Grid certificates when something extra is required – still many advantages
• Access to the Grid through a Portal
  – NGS portal/project portals
• Access to the Grid through other access methods
  – Globus, Java GSI-SSH Terminal, CoG, etc.
• Registration (for NGS) using Shibboleth
Shibboleth Overview
• Web-based federated access management system based on SAML
• Based on separation of authentication and authorisation
  – Authentication: Identity Provider (IdP) at user’s home institution
  – Authorisation: Service Provider (SP) based on attributes from the IdP
  – Discovery: Where Are You From (WAYF) service
• User can remain anonymous at the SP
Architectural Design
• Don’t change the user
  – Prevent extra logical steps: portal first
  – Easy to deploy in project portals
  – Support other access methods
• Don’t change other services
  – Work within Shibboleth and GSI frameworks
ShibGrid access to the NGS (via Portal)
(Thanks to Kang Tang)
Shibboleth Authentication and Authorisation
ShibGrid MyProxy Checks
• IdP (trusted) authentication/authorisation
  – Standard Shibboleth
• Portal (not trusted):
  – Standard MyProxy checks
  – + check the attribute assertion was created for the portal
• Users:
  – Authentication: at IdP
  – Authorisation:
    • Is user registered?
    • username attribute = username used?
  – Attributes used to construct low-assurance certificate DNs
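The portal-side checks listed above (assertion issued for this portal and still valid, user registered, username attribute matching the username used, DN built from attributes), as an added example in Python; this is illustrative code, not ShibGrid's own, and the portal entity ID, the registration table, the SAML assertion and the DN layout are all constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Assumed values for the example: the portal's SAML entity ID and the NGS
# registration table (username -> asserted principal name).
PORTAL_ENTITY_ID = "https://portal.example.org/shibboleth"
REGISTERED_USERS = {"alice": "alice@idp.example.ac.uk"}

# Constructed SAML 2.0 attribute assertion as the IdP would issue it for the
# portal. Signature/issuer verification is the Shibboleth SP's job and is
# assumed to have already succeeded before these checks run.
SAMPLE_ASSERTION = """<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
    <AudienceRestriction><Audience>https://portal.example.org/shibboleth</Audience></AudienceRestriction>
  </Conditions>
  <AttributeStatement>
    <Attribute Name="eduPersonPrincipalName"><AttributeValue>alice@idp.example.ac.uk</AttributeValue></Attribute>
    <Attribute Name="o"><AttributeValue>Example University</AttributeValue></Attribute>
  </AttributeStatement>
</Assertion>"""

NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_assertion(xml_text):
    """Pull audience, expiry and the attribute map out of the assertion."""
    root = ET.fromstring(xml_text)
    attrs = {a.get("Name"): a.findtext("s:AttributeValue", namespaces=NS)
             for a in root.findall(".//s:Attribute", NS)}
    expiry = root.find("s:Conditions", NS).get("NotOnOrAfter")
    return {
        "audience": root.findtext(".//s:Audience", namespaces=NS),
        "not_on_or_after": datetime.fromisoformat(expiry.replace("Z", "+00:00")),
        "attributes": attrs,
    }

def authorise(xml_text, requested_username, now=None):
    """Return (ok, reason, dn) after the portal-side ShibGrid checks."""
    now = now or datetime.now(timezone.utc)
    a = parse_assertion(xml_text)
    if a["audience"] != PORTAL_ENTITY_ID:       # assertion was created for us?
        return False, "assertion not issued for this portal", None
    if now >= a["not_on_or_after"]:            # still within its validity window?
        return False, "assertion expired", None
    eppn = a["attributes"].get("eduPersonPrincipalName")
    if REGISTERED_USERS.get(requested_username) != eppn:   # registered + name match
        return False, "user not registered or username attribute mismatch", None
    # Low-assurance DN built from asserted attributes (constructed layout).
    dn = "/C=UK/O=ShibGrid/OU=%s/CN=%s" % (a["attributes"].get("o", "unknown"), eppn)
    return True, "ok", dn
```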
More than just portal access…
• Registration service
  – Data Protection Act/Acceptable Use Policy?
  – Supported IdP?
  – Correct configuration?
  – Link to NGS user registration
• Grid proxy download tool
  – For non-portal Grid access methods
• Grid proxy upload tool
Certificate Download Tool
Download a stored digital certificate from the MyProxy certificate store for use in other environments
Certificate Upload Tool
Upload a standard UK e-Science certificate into the ShibGrid-enabled MyProxy Server – enables download using Shib tools for those users who already have a digital certificate
Conclusion
• Succeeded in providing Shibboleth access to the Grid.
• Enabling NGS to grant access to users who do not have, and do not want, an e-Science certificate
  – lowering the barrier for beginners
  – widening the user base.
• Use of standard components and protocols ensures the product is easily deployable, maintainable, and interoperable.
  – Prototype was deployed in the NGS portal (both uPortal and StringBeans-based versions)
  – Software available through the OMII catalogue
• Led to some extra functionality being requested of the UK Shib federation