Shibboleth Enabled Bridge to Access the National Grid Service (SHEBANGS)
The SHEBANGS project is funded by the JISC, in response to the call for projects to provide Shibboleth Based Authentication for Grid Infrastructures. The JISC has defined a strategy hereby Shibboleth may be adopted to provide a common authentication structure across British academic institutes and research establishments. We believe that this will provide an infrastructure in which researchers will be able to use existing Grid Resources without first having to buy into the complexities of today's Grid Security requirements.
We recognise that there exists a large proportion of the academic community that as yet has not bought into the grid technologies and believe that this is due to the complex nature of the tools provided.
During the lifetime of this project we aim to produce, pilot and ultimately provide a method of using Shibboleth to gain access to the National Grid Service (NGS). Shibboleth provides a way of linking home-institute dependent authentication to site independent assertions of that individual's identity. The NGS on the other hand requires Grid Security (X509/GSI) credentials and the membership of at least one Virtual Organisation.
We aim to place a keystone between the Shibboleth world and the grid, translating the credentials obtained by the former into those understood by the latter keeping the complexities hidden from the individuals.
The community we are primarily catering for will not have grid middleware installed and as such will need to use existing portal technologies. The NGS has two recognised portals available the NGS Portal and the P-Grade NGS Portal. The SHEBANGS project will enable users, having already identified themselves to their own institution, to access the NGS through one or both of these portals. The necessary grid credentials being generated on-the-fly.
The grid-savvy community who already possess the means to use the NGS will also benefit. They will be able to pre-register their grid credentials. Using the same interfaces as the non-grid-savvy user, they will be able to access the NGS via the portals through a web browser.
The project is divided loosely into three parts:
The first part of the project will see the development of the basic Credential Translation Service (CTS). This CTS will create GSI credentials which will be delegated to a trusted MyProxy server for the consumption (upon authentic demand) of the portal.
- The second part will be to incorporate VOMS assertions created at the CTS into these GSI credentials.
Shibboleth provides the first link for an individual trying to gain access to a service hosted on the internet. It mediates between the community at large and the individual's institution. It allows the individual the opportunity to log into a service based on an assertion from their home institution, which they gain by logging into that institution. SHEBANGS will use these assertions to generate short lived credentials which it will then upload to a MyProxy server. Both the NGS portals use MyProxy servers as the means by which grid credentials are obtained.
The figure below shows the movement of authentication data in the scenario where the user contacts the Credential Translation Service (CTS) first.
- A user, perhaps referred by an HTML link from the portal, points their browser at the CTS.
- The user's browser is redirected to a trusted Where Are You From (WAYF) service.
- The WAYF server presents a form which the client completes and posts back to the server.
- The user's browser is now redirected to the appropriate institutions IdP.
- Out of bands authentication takes place between the user and the IdP.
The IdP redirects the browser back to the CTS (passing Shibboleth artifacts in the URL1)
- The CTS uses the artifacts to obtain SAML Assertions from the IdP on a secure back channel. The CTS evaluates the SAML Assertions and issues a GSI Credential.
The CTS delegates this credential to a MyProxy Server.
The CTS returns a web page over HTTPS to the client which contains a MyProxy username:password:server triplet.
The user logs into the portal using the MyProxy triplet, and is now able to use the Grid.
- The portal obtains a GSI credential (out of bands).
- The Portal access the NGS (out of bands).
The alpha quality VOMS::Lite Library is available now (comments welcome!)
The SHEBANGS project has set up a mock CTS service a test MyProxy service, a MockPortal and a gLite Compute Element. The CTS resides within the shibboleth InQueue Federation N.B. The InQueue WAYF will shutdown 1 June 2007 (Details).
The CTS will translate a client's valid shibboleth SAML assertions into a proxy certificate with VOMS credentials which it will then delegate to a MyProxy service. The MockPortal consumes the username and password for the MyProxy service, obtains a proxy from that MyProxy service, checks it and checks the grid host is accepting connections. If successful it submits the requested job.
- CTS first:
- Portal first:
Once at the portal you'll be able to use the it to submit compute jobs to a Globus server. The Globus server is configured to recognise the SHEBANGS CTS Certificate Authority. It is also configured to recognise the SHEBANGS CTS VOMS-AC Service.
Two mailing lists have been set up firstname.lastname@example.org and email@example.com. The SHEBANGS mailing list which is for general queries about the SHEBANGS project (click here to subscribe). The VOMS::Lite mailing list for queries relating to the lightweight perl code developed to manufacture of VOMS credentials which is used by the SHEBANGS project's CTS component (click here to subscribe).