About GridShib
The GridShib Project was created with support from the NSF Middleware Initiative (award numbers 0438424 and 0438385). Support to integrate GridShib with Science Gateways to enable attribute-based authorization is provided by the NSF TeraGrid Grid Infrastructure Group through a sub-award to NCSA at the University of Illinois.
Continued support for the GridShib project is provided through the NSF Strategic Technologies for Cyberinfrastructure Program (STCI) (award number 0850557).
Opinions and recommendations expressed on this web site (gridshib.globus.org) are those of the authors and do not necessarily reflect the views of NSF or the TeraGrid.
Key Facts
GridShib is a project to allow Globus Toolkit and Shibboleth to interoperate
Globus Toolkit is an open-source toolkit for grid computing
Shibboleth is an open-source implementation of the SAML browser profiles
GridShib was created with support from the NSF Middleware Initiative
Original GridShib NSF Proposal:
NMI DEVELOPMENT: Policy Controlled Attribute Framework.
http://grid.ncsa.uiuc.edu/GridShib/GlobusShibNMI04-Public.pdf
GridShib First Year Project Report:
http://gridshib.globus.org/reports/project-report-20051206.html
GridShib Second Year Project Report:
http://gridshib.globus.org/reports/gridshib-year2-report.pdf
GridShib Technical Report:
Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, Gridshib, and MyProxy.
http://grid.ncsa.uiuc.edu/papers/gridshib-pki06-final.pdf
GridShib for TeraGrid Science Gateways:
A Grid Authorization Model for Science Gateways.
http://gridfarm007.ucs.indiana.edu/gce07/images/e/e4/Scavo.pdf
CILogon Proposal for Continued GridShib Support:
CILogon: Secure Access to National-Scale CyberInfrastructure.
http://www.cilogon.org/docs/0850557.pdf
Please visit our Documents page for a complete list of GridShib publications.
Motivation
Project Goals
Integrate X.509 and SAML to provide enhanced Grid Security Infrastructure (GSI)
Enable attribute sharing between virtual organizations and higher-educational institutions
Develop and implement profiles to securely share attributes across administrative domains
Investigate attribute-based access policy enforcement for grids
Generalize attribute-based authorization policies in the GT runtime environment
Large scientific projects are increasingly becoming collaborative, with members and resources from multiple institutions forming "virtual organizations" to accomplish tasks beyond the ability of any single institution. These virtual organizations are structured, with different members having various privileges. For example, some members might only have the right to develop and run software, while others might serve as community administrators. Using roles such as these, virtual organizations are better able to maintain the integrity of their processes and data.
The cyberinfrastructure and software systems used to support virtual organizations are called Grids, and the Globus Toolkit is a commonly deployed foundation for Grids. While today's Grids have basic security services to support virtual organizations, the size and complexity of the virtual organizations they can support is limited by the burden placed on resource managers to manage privileges based on the identity of each user in the virtual organization. To address this scaling issue, virtual organizations want to use access control methods based on user attributes instead of identity. As a result, resource managers need not know all of the users in the virtual organization, just their attributes (for example, Data Analyst or Software Developer).
What is GridShib?
Benefits
Leverages existing Globus Toolkit and Shibboleth IdP deployments
Builds on existing technologies, primarily Shibboleth and Globus Toolkit
Based on published standards (X.509, SAML, XACML)
GridShib allows Globus Toolkit and Shibboleth to interoperate. For example, a pair of software plugins, one for Globus Toolkit and another for Shibboleth, enable a GT Grid Service Provider (SP) to securely request user attributes from a Shibboleth Identity Provider (IdP). Additional GridShib software components address other use cases.
We distinguish two basic modes of operation, which we call "pull" and "push". In the pull mode of operation, after the client has been authenticated, the Grid SP requests attributes from the client's own administrative domain via a back-channel exchange. In the push mode of operation, the client provides the attributes up front, obtaining and pushing those attributes to the Grid SP at the time of initial request. In both cases, the Grid SP obtains the user attributes it needs to make an informed access control decision (authorization).
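The pull and push exchanges described above, simulated as an added example that is not GridShib's own code: the IdP attribute store, the DNs, the role policy and the HMAC stand-in for SAML's XML signature are all constructed, and the point shown is which checks the Grid SP must make before trusting pushed attributes (issuer signature, expiry, and that the assertion's subject matches the DN the client authenticated as).

```python
import hashlib
import hmac
import json
import time

# Constructed sample data standing in for the IdP's attribute store and signing key.
IDP_ATTRIBUTES = {
    "/C=US/O=Example/CN=alice": {"role": ["Data Analyst"]},
    "/C=US/O=Example/CN=bob": {"role": ["Software Developer"]},
}
IDP_KEY = b"constructed-idp-key"  # a real SAML IdP signs with XML Signature, not HMAC

# Attribute-based policy at the Grid SP: action -> roles permitted to perform it
POLICY = {"read-data": {"Data Analyst", "Software Developer"},
          "run-job": {"Software Developer"}}

def idp_attribute_query(subject_dn):
    """Pull mode: the SP asks the IdP over a back channel for the authenticated DN."""
    return IDP_ATTRIBUTES.get(subject_dn, {})

def idp_issue_assertion(subject_dn, now, ttl=300):
    """Push mode: the IdP hands the client a signed, short-lived attribute assertion."""
    body = {"subject": subject_dn, "attrs": IDP_ATTRIBUTES.get(subject_dn, {}), "exp": now + ttl}
    payload = json.dumps(body, sort_keys=True)
    sig = hmac.new(IDP_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

def sp_verify_assertion(assertion, authenticated_dn, now):
    """Accept pushed attributes only if signature, expiry and subject-to-DN binding hold."""
    expected = hmac.new(IDP_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None
    body = json.loads(assertion["payload"])
    if body["exp"] < now or body["subject"] != authenticated_dn:
        return None
    return body["attrs"]

def sp_authorize(authenticated_dn, action, mode, assertion=None, now=None):
    """Access decision after X.509 authentication has established authenticated_dn."""
    now = time.time() if now is None else now
    if mode == "pull":
        attrs = idp_attribute_query(authenticated_dn)
    else:  # push: the client supplied the assertion with its request
        attrs = sp_verify_assertion(assertion, authenticated_dn, now)
    if attrs is None:
        return False
    return bool(set(attrs.get("role", [])) & POLICY.get(action, set()))
```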
GridShib distributes four software components:
- GridShib for Globus Toolkit (GS4GT)
- GridShib for Shibboleth (GS4Shib)
- GridShib Certificate Authority (GS-CA)
- GridShib SAML Tools (GS-ST)
These software components enable deployment scenarios such as those shown in the following diagram:
In the above diagram, various deployment scenarios have been identified. These are discussed more fully in a separate GridShib Deployment Scenarios document.
Project Staff
GridShib is a project of the Cybersecurity Directorate at the National Center for Supercomputing Applications, University of Illinois. Visit the GridShib dev.globus wiki for the current list of GridShib committers.
For more information about the GridShib project, contact:
Von Welch <vwelch@ncsa.uiuc.edu>