GridShib for Globus Admin Guide (version 0.5.1)

1. Introduction

This guide contains information for system administrators working with Globus and Shibboleth and in particular GridShib for GT. It provides references to information on procedures typically performed by system administrators, including installing, configuring, deploying, and testing the installation.

Note:: There are other, independent GridShib components that are separate from GridShib for GT and may be needed to support certain attribute based authorization profiles.

For established grid deployments using typical grid certificates, we supply a plugin, GridShib for Shibboleth, that allows for attribute queries on any arbitrary grid DN.
For some deployments it may be best to integrate another GridShib component, the GridShib CA, that creates certificates that have more predictable DNs which allows for a "vanilla" Shibboleth installation to be used.
And for some other deployments it may be best to integrate our SAML authentication assertion embedding tool which allows for grid credentials to contain the information needed for an attribute query in a certificate extension.
For deployments wanting to combine GridShib and VOMS authorization policies, make sure the VOMS modules are installed to your Globus installation and see the "VOMS" section for more information. For installation, configuration, and general information about the VOMS authorization modules, see the VOMS page.

We provide many ways to bridge the gap between Shibboleth attributes and grid identities because each of the methods is intended to fit constraints on certain common grid deployments (i.e., one can not always control every aspect of every deployment across a federation).

Important

This information is in addition to the basic Globus Toolkit prerequisite, overview, installation, security configuration instructions in the GT 4.0 System Administrator's Guide. Please read through this guide before continuing. This GT authorization plugin only requires the Java core portion of the toolkit.

If you need clarifications or have problems, do not hesitate to email the gridshib-beta mailing list, see instructions for subscribing here.

2. Building and Installing

The GridShib modules are not currently distributed with either the Globus Toolkit 4.0 or Shibboleth 1.3 default installations. However, the necessary plugins for both GT and Shibboleth can be deployed seamlessly on top of each application.

The Globus Toolkit 4.1 development release is also supported.

GridShib for Shibboleth (IdP) installation is covered in a separate set of documents. See the README and the installation guide.

Installing the GridShib for Globus GT4 plugin:

For most purposes, installing from the source is not necessary. If you would like to run the unit tests, you need to install from source. The user testing option (the echo service) does not require an installation from source, as outlined here.

Important

As of 0.4.0, the installation of the GT4 plugin overwrites xml-api.jar, xercesImpl.jar, and xalan.jar in $GLOBUS_LOCATION/lib and $GLOBUS_LOCATION/endorsed. This is in order to support the added metadata consumption functionality (see: Using SAML2 metadata to configure GridShib for GT). They are backwards compatible to the libraries distributed with GT4.0.x.

If you uninstall the plugin, these jars will also be uninstalled. This can be avoided by running "ant deploy-oldlibs" after uninstalling the plugin or by simply copying the three jars from $GLOBUS_LOCATION/endorsed back into $GLOBUS_LOCATION/lib

When using the plugin with the new GT4.1 development release, these jars are omitted and the overwrite does not occur. This is because the libraries are already included with GT4.1+.

2.1. Binary installation of the GT4 plugin

Download the most recent GAR files from the download page, expanding the tarball if necessary.
Set the GLOBUS_LOCATION environment variable as your environment requires (bourne shell shown):
```
export GLOBUS_LOCATION=/path/to/globus
```
Set the ANT_HOME environment variable as your environment requires (bourne shell shown):
```
export ANT_HOME=/path/to/ant/home
```
Deploy the three core GAR files. When using these binaries you must make sure to use the compatible GAR files for your GT installation (GT4.0.x. or GT4.1+):
```
cd $GLOBUS_LOCATION
./bin/globus-deploy-gar gridshib-gt-schemas-0_5_1.gar
./bin/globus-deploy-gar gridshib-gt-stubs-0_5_1.gar
./bin/globus-deploy-gar gridshib-gt-0_5_1.gar
```
Detailed instructions are available for globus-deploy-gar and globus-undeploy-gar

Note

This is only necessary once per GT installation, not per service using the GridShib authorization functionality.

2.2. Source installation of the GT4 plugin.

NOTE: The source can also be viewed online via the Globus viewcvs server here.

- Download the compressed source directory and unpack it. The source tarball is available from the download page.
- OR check out the code from CVS:
  Set the CVSROOT environment variable as your environment requires (bourne shell shown):
```
export CVSROOT=:pserver:anonymous@cvs.globus.org:/home/globdev/CVS/globus-packages
```
  Check out the code:
```
cvs co -P -d gridshib-gt-source gridshib/gt
```
  Note
  You most likely want to check out a specific version instead of the current CVS HEAD. The tag for each version changes with the version number, and is similar to the GAR files' names. For example: gridshib-gt-0_5_1
```
cvs co -P -r gridshib-gt-0_5_1 -d gridshib-gt-source gridshib/gt
```
Enter the directory you created:
```
cd gridshib-gt-source
```
Set the GLOBUS_LOCATION environment variable as your environment requires (bourne shell shown):
```
export GLOBUS_LOCATION=/path/to/globus
```
To build and deploy, run:
```
ant deploy
```
Other ant targets are available. For example, to deploy the echo service and unit tests from the source tree, see the instructions here.
This will autodetect your Globus installation and deploy the appropriate code. If you are switching between building against GT4.0.x and GT4.1+ installation, you must run "ant clean" before switching the GLOBUS_LOCATION and building again.

Note

This is only necessary once per GT installation, not per service using the GridShib authorization functionality.

3. Configuring

3.1. Configuration overview

GridShib for Shibboleth (IdP) configuration is covered in a separate set of documents. See the README and the installation guide.

Note: If you have not done so, first experiment with the provided echo service and client (see Section 5, “Testing”): it allows you to test the GT/IdP SAML exchange and is set up with default demo configurations. The echo service and client section walks you through typical pitfalls and ensures there are no problems with your installation. It is recommended to use that first and then consult this section for exhaustive documentation.

Configuration Contents:

3.2. Typical Configuration

Note: If you have not done so, first experiment with the provided echo service and client (see Section 5, “Testing”): it allows you to test the GT/IdP SAML exchange and is set up with default demo configurations. The echo service and client section walks you through typical pitfalls and ensures there are no problems with your installation. It is recommended to use that first and then consult this section for exhaustive documentation.

Also note: IdP/Attribute Authority information can now be set up by pointing the GridShib for GT module at a directory of SAML2 metadata files to use for trust configurations and GT certificate setup. If you are in possession of SAML2 metadata from one or several IdP's (or a federation), see Using SAML2 metadata to configure GridShib for GT.

Configure the appropriate security descriptor to use the GridShib PDP as the sole module in the authorization chain.
As explained in the WS A&A security descriptor documentation, a security descriptor can be configured for the entire container or a particular service. Also explained here, each chain is configured with a scope that allows for related configurations to be associated with the chain. A scope allows you to have many instances of the authorization module with different configurations, even if the configurations are in the same deployment descriptor
The authorization sections of the security descriptors for GT4.0.x and GT4.1 are much different. In GT4.0.x, it configures the modules to use for authorization. In GT4.1+, it configures the modules to use as well as all supporting configurations for each module (in GT4.0.x the supporting configurations are usually in the deploy-server.wsdd).
For GT4.0.x installations, the security descriptor's <authz> tag's value attribute must contain the format [scope]:[classname] where [classname] is org.globus.gridshib.PDP and [scope] is a random string.
This example shows a counter service's security descriptor with the correct authorization chain configured. In the example, the (random) value chosen for the scope is 'counter':
```
<securityConfig xmlns="http://www.globus.org">
    <method name="createCounter">
        <auth-method>
            <GSISecureConversation/>
        </auth-method>
    </method>
    <method name="destroy">
        <auth-method>
            <GSISecureConversation/>
        </auth-method>
    </method>
    <method name="add">
        <auth-method>
            <GSISecureConversation/>
        </auth-method>
    </method>
    <auth-method>
        <none/>
    </auth-method>
    <authz value="counter:org.globus.gridshib.PDP"/>
</securityConfig>
```
For GT4.1+ installations, the security descriptor is much larger, refer to the sample GT4.1+ service security descriptor included with the GridShib echo service.
Once a service or container security descriptor is configured with an authorization chain, you must configure the chain with the proper parameters by editing the service or container WSDD for GT4.0.x and the service or container security descriptor for GT4.1+.
At minimum, you should to configure these parameters:
- AAUrl - The URL of attribute authority (AA).
- AAIdentity - The identity of the AA's certificate for https (do not include this for initial testing).
- IdPproviderId - The providerId of the identity provider (IdP).
- SPproviderId - The providerId of the grid service.
- shibAuthzAttrFile - The attribute ACL to be used for an authorization decision.
Note: If you are using SAML2 metadata to configure the authorization module, it is not necessary to configure AAUrl, AAIdentity, and IdPproviderId. Instead, configure the necessary metadata parameter, see Using SAML2 metadata to configure GridShib for GT for an overview as well as configurations.
Important
For GT4.0.x deployments, the scope in the relvant WSDD <parameter> elements' name attributes must be the same as in the authorization chain configuration in the security descriptor. We are using 'counter' as the scope in these examples, note the use of 'counter:' in the example from the previous step and 'counter-' in the example below.

Example:
$GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter/server-config.wsdd is the counter service's WSDD file, here shown configured with values compatible with the Shibboleth demo configuration. These <parameter> elements are only included in the SecureCounterService section because authorization is not possible on an insecure operation.
```
<service name="SecureCounterService" provider="Handler" use="literal" style="document">
    <parameter name="allowedMethodsClass" value="com.counter.CounterPortType"/>
    <parameter name="handlerClass" value="org.globus.axis.providers.RPCProvider"/>
    <parameter name="className" value="org.globus.wsrf.samples.counter.CounterService"/>
    <wsdlFile>share/schema/core/samples/counter/counter_service.wsdl</wsdlFile>
    <parameter name="scope" value="Application"/>
    <parameter name="providers" value="DestroyProvider SetTerminationTimeProvider 
                                       GetRPProvider QueryRPProvider GetMRPProvider 
                                       SubscribeProvider GetCurrentMessageProvider"/>
    
    <parameter name="securityDescriptor" value="@config.dir@/security-config.xml"/>
    
    
    <parameter name="counter-authzAttrFile" value="@config.dir@/attr-authz.xml"/>
    <parameter name="counter-AAUrl" value="https://idp.example.org:8443/shibboleth-idp/AA"/>
    <parameter name="counter-AAIdentity" value="/C=US/O=example.org/CN=idp.example.org"/>
    <parameter name="counter-IdPproviderId" value="https://idp.example.org/shibboleth"/>
    <parameter name="counter-SPproviderId" value="https://globus.org/gridshib"/>
</service>
```
For GT4.1+ deployments, the same configurations are used but they are configured in the security descriptor. For examples refer to the sample GT4.1+ service security descriptor included with the GridShib echo service
Create a simple authorization policy file and include attributes that will be returned about clients in order to permit them access.
Create a file at the location specified by the shibAuthzAttrFile parameter in the deployment descriptor. If you are using the example configuration from the last step, this needs to be located at: $GLOBUS_LOCATION/etc/globus_wsrf_core_samples_counter/attr-authz.xml
In an initial testing environment, if a Shibboleth AA is set up and configured with the demo properties and your client is in the gridmap file, this example will allow access:
```
<AttributePolicy
    xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <entry>
      <listOfAttributes>
        <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>member</saml:AttributeValue>
        </saml:Attribute>
      </listOfAttributes>
    </entry>
</AttributePolicy>
```
See Simple attribute ACL policy syntax for more information about the syntax of this file and Simple attribute ACL authorization semantics for more information about how this attribute is matched to Shibboleth attributes.
Restart the container. This registers the interceptors to be used with the configured service.
Call a protected operation.
See the Section 7, “Troubleshooting” for $GLOBUS_LOCATION/container-log4j.properties settings to add in order to see more output on the server side.
If the ACL files are changed at any time, the module will reload them (based on system modification time), so there is no need to restart the container for that. It is only necessary to restart if you've changed the WSDD or security descriptor.

3.3. Other Configurations

3.3.1. Attribute caching

The PDP can optionally store received attributes from call to call, which allows many operations to be performed by the same client without the need for a remote callout to an attribute authority for each operation invocation (only the first).

Note: This feature is turned OFF by default

The attributes themselves are stored, not the authorization decision. If caching is enabled, the attributes are stored until the same expiration time as the SAML time conditions on the attribute assertion dictate.

Note: Attributes are only relevant within the scope of the PDP. For example, a PDP instance "P1" authorizing invocations on a service "S1" would not see any attributes stored by a PDP instance "P2" protecting service "S2".

The steps of authorization algorithm with caching can be viewed here.

To enable caching, set the relevant configuration parameter to "true": cacheAttr

Performance

We compared caching performance to non-caching performance of the GridShib authorization module with a localhost IdP using around 20 invocations with each type (it was not an exhaustive or automated study).
An authorization decision including SAML attribute exchange to the localhost IdP averaged 110ms. An authorization decision based on a cached attribute averaged 7-10ms. For reference, if a decision is based on DN only (bypassing attribute processing altogether), the average is close to 4ms.
Statistical rigor aside, this shows that using attribute caching in subsequent operation invocations results in an order of magnitude time savings over the first operation invocation (and this comparison is not even including any additional latency in the first operation that would be incurred by using a non-localhost IdP).

Caveat: in a forthcoming version, when multiple Attribute Authorities in the SAML2 metadata may be queried based on an SAML authentication assertion in the caller's proxy certificate, the contacted Attribute Authority must be considered as part of the cache lookup key. We have not fully considered our strategy on combining attributes in the cache from an AA formerly used by the caller when the same caller invokes the service pointing to a new AA (probably a rare event anyhow). Policy on this will likely be configurable by the administrator.

3.3.2. Determining a credential's IdP identity

If you have a pre-existing credential and you want to add that to an IdP gridmap.txt file, the DN needs to be in a specific format. The Globus style DN is not used in the SAML attribute exchange. Instead, a more standard RFC2253 compliant DN is used and that is what keys the attribute lookup in the name mapping plugin at the IdP.

Installed with the GridShib authorization modules is a small commandline program: rfc2253dn

This program is intended for testing situations and is NOT intended as a scalable solution for identity management.

Commands:

cd $GLOBUS_LOCATION
source etc/globus-devel-env.sh
grid-proxy-init
./bin/rfc2253dn

Sample output, either of the RFC 2253 DNs can be used when populating etc/gridshib-idp/mappings/gridshib-name-mapping.txt at the test IdP:

X.509 Subject DN (Globus):

/O=Grid/OU=GlobusTest/OU=simpleCA-prnb/CN=Tim Freeman

X.509 Subject DN (RFC 2253):

CN=Tim Freeman,OU=simpleCA-prnb,OU=GlobusTest,O=Grid

X.509 Subject DN (Canonical RFC 2253):

cn=tim freeman,ou=simpleca-prnb,ou=globustest,o=grid

3.3.3. Using SAML2 metadata to configure GridShib for GT

3.3.3.1. Overview and configuration

As of GridShib for GT 0.4.0, the ShibbolethPIP attribute requester can be configured by supplying SAML2 metadata instead of explicitly configuring an IdP's URL, providerId, and certificate information. An optional service WSDD configuration of a directory of metadata files will cause the ShibbolethPIP to scan this directory for valid metadata files, configuring itself with an array of Attribute Authorities that are considered valid to contact. Further, we've supplied a commandline utility (gridshib-cert-setup) for configuring your Globus installation with the proper trusted certificates for the attribute query made to the IdP(s).

Note: In future releases of the Globus toolkit, we will be able to dynamically adjust the trusted certificates to use per exchange with the IdP (meaning that an administrator will be able to just configure the PIP with SAML2 metadata and be done). This is not technically possible now and the container's trusted certificate directory needs to be updated out-of-band. The commandline utility mentioned above attempts to make this step as automatic as possible.

If the metadata configuration is given, the ShibbolethPIP inspects a configured directory of metadata files at initializaton time (only at initialization, restarting the container is required to refresh the information). Processing considers files with root elements of EntityDescriptor or EntitiesDescriptor. Only AttributeAuthorityDescriptor and KeyAuthority elements are inspected. For each AA found in the metadata files, an entry is created that the PIP can reference.

To configure your ShibbolethPIP instance to look for and use metadata, use the metadata-dir configuration in your service's WSDD file and put metadata files in this directory that contain either a EntityDescriptor or EntitiesDescriptor root element.

After the Echo Service is installed to your Globus installation (for more information, see the testing section, in particular: Testing the installation with an existing Shibboleth AA using the EchoService), you can view a sample metadata file at $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/idp-metadata/metadata.xml

3.3.3.2. Using the gridshib-cert-setup tool

Trusted authority credentials are a component of metadata files, but the current 4.0.x Globus Toolkit does not allow trusted certificates to be configured programmatically (it will in the next version). Thus, one needs to create certificate files to place in the Globus trusted certificate directory in order for the SSL exchange to work correctly. We have made this as automatic as possible by writing a commandline utility program called gridshib-cert-setup.

After the interceptors are installed to your Globus installation, $GLOBUS_LOCATION/bin/gridshib-cert-setup can be invoked at any time as long as the $GLOBUS_LOCATION environment variable is set. It is recommended that you do not run this untested while a production container is processing requests since it could affect GT operation.

IMPORTANT: Run this utility with the "status" subcommand (which is also the default subcommand so it is not necessary to specify it). This will provide you with information about exactly what it would have done for both of the other main subcommands: "install" and "remove." It is highly recommended you run this first so that nothing unexpected happens.

To view a list of all options, run the help subcommand:

cd $GLOBUS_LOCATION
./bin/gridshib-cert-setup -h

Output:

Set either metadata file or metadata directory to read in the AA certificates:
    Either file:      [-f <path>]
    Or directory:     [-d <directory>]

Pick an action:
    Either status [-s], install [-i], or remove [-r <dir>]
__

Options:
 -d,--mdDir <directory>      A directory with many metadata files in it
 -f,--mdFile <file>          A metadata file
 -h,--help                   Displays help
 -i,--install                Install certificates
 -o,--override <directory>   Manually set trusted certificate directory
 -r,--remove <directory>     Remove certificates, moving them to specified
                             directory
 -s,--status                 Print status and exit (default action)
 -z,--debug                  Enables debug mode

Below we will run some test commands to get a feel for the tool and the metadata files you are working with.

With GLOBUS_LOCATION set in your environment, choose a directory with metadata files in it (or use the '-f' flag for one specific file) and point gridshib-cert-setup to it. The default subcommand is 'status' and this will print out information without changing anything on the filesystem:
```
$GLOBUS_LOCATION/bin/gridshib-cert-setup -d $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/idp-metadata/
```
Note the last two sections of the output: "Dryrun of the install subcommand" and "Dryrun of the remove subcommand". Here the tool outlines what would have happened if you were to use those subcommands instead of status.
In the examples that follow, we will create a fake trusted certificate directory and also use the sample metadata file supplied with the Echo Service. This is to ensure your first filesystem-modifying use of the tool does not operate on the real trusted certificate directory.
Make the fake trusted certificate directory:
```
cd $GLOBUS_LOCATION
mkdir testing
```
Now we use the "-o" parameter to override the normal Globus trusted certificate directory. If you run the status subcommand without the "-o" parameter as we did above, you will see what directory the tool will normally operate on. Note that this is typically /etc/grid-security/certificates which typically has restricted write permissions (i.e., you may need to run as root). But first, use a fake directory for testing. Here we run the status command.
```
./bin/gridshib-cert-setup -o testing -d etc/gridshib-gt-echo-0_5_1/idp-metadata/
```
You will see some text about what attribute authorities were found in the metadata file(s) and information about what the tool would have done for the install and remove subcommands. Because we just created this empty directory, the dryrun install command will report every certficate in the metadata is a candidate for adding to the directory (since it does not see any duplicates in the directory) and the dryrun remove command will report that it would not remove any of the AA certificates from the directory (because there are none).
Now install the certificates to our fake directory. The actual install command will install what the dryrun said it would:
```
./bin/gridshib-cert-setup --install -o testing -d etc/gridshib-gt-echo-0_5_1/idp-metadata/
```
The tool will report the paths to all of the certificates it has written out. You can run standard Globus/OpenSSL commands on these files now to inspect them, e.g.,
```
grid-cert-info -f testing/6e76113c.0
```
Now try the remove subcommand, which will remove any of the certificates in the given metadata file(s) from the trusted certificates directory and move them to a backup directory.
First, run status to make a dryrun. Since you are using the same metadata file(s) that you used to add the certs, you should see the opposite situation from before: there are no certificates that the tool would install and it will remove all of the matching certificates in the metadata (which coincidentally will be all of the certificates in the directory: since we just created this testing directory, there will be no others).
```
./bin/gridshib-cert-setup -o testing -d etc/gridshib-gt-echo-0_5_1/idp-metadata/
```
Now make the changes. The remove subcommand requires a directory argument for the backup directory (it will never just delete files). Here we make a new directory to demonstrate:
```
mkdir testing-remove
./bin/gridshib-cert-setup --remove testing-remove -o testing -d etc/gridshib-gt-echo-0_5_1/idp-metadata/
```
That's it. The tool output will provide you with all relevant information, if it does not, use the debug option. Now that you see how it works, remove the '-o testing' and the tool will use the real trusted certificates directory.

3.3.3.3. Updating metadata

If you are using metadata and receive an updated metadata file from the federation: to update both the authorization module and the certificates in the trusted certificate directory, take the following steps:

In the following we assume you are dealing with just one metadata file, but you could easily replace the file with a directory of metadata files and the same concepts will apply.

Stop the container.
Move the old metadata file from the PIP's metadata directory (the one that the metadata-dir WSDD configuration points to) to a new location, but do not delete it. We will refer to the old file as old.xml.
Move the new metadata file to the PIP's metadata directory (the one that the metadata-dir WSDD configuration points to) to a new location. We will refer to the new file as new.xml.
That completes the authorization module update.
Now to update the trusted certificates we will use the remove subcommand with the old metadata file to remove any trusted certificates that were installed.
For more information about gridshib-cert-setup, see Using the gridshib-cert-setup tool.
First run the status subcommand for a sanity check:
```
cd $GLOBUS_LOCATION
./bin/gridshib-cert-setup --status -f old.xml
```
Then run the remove subcommand, pointing it to a backup directory (in the example below called '/tmp/oldcerts'):
```
cd $GLOBUS_LOCATION
./bin/gridshib-cert-setup --remove /tmp/oldcerts -f old.xml
```
Now run the install subcommand with the new metadata file:
```
cd $GLOBUS_LOCATION
./bin/gridshib-cert-setup --install -f new.xml
```
At this point the trusted certificates will match the updated metadata file that you have configured the authorization module with.
Start the container.

3.3.3.4. Metadata attribute optimization

SAML2 metadata <AttributeAuthorityDescriptor> elements can contain a list of samle:<Attribute> elements that advertise the set of attributes and attribute values the IdP may return.

If you wish, in your GridShib for GT deployment you can turn on an optimization (it is off by default) where this list will be respected. Respecting this list means that the PDP (the module that makes the authorization decision) will assume that these are the ONLY attributes that can be returned by a query to that attribute authority.

If we assume that those are the only attributes a query to that AA AND the currently configured authorization policy does not have any of these attributes then a (possibly expensive) query does not need to be made. In that case, a DENY will be returned immediately.

To enable this optimization, add the respect-md-attributes configuration to your service's WSDD.

3.3.4. SAML authentication assertion PIP

This feature has been supported since GridShib for GT 0.4.1.

This PIP parses out SAML authentication assertion in the caller's level 1 proxy or EEC and provides it to the Shibboleth PIP to determine what attribute authority to query. See IdP discovery based on embedded SAML authentication assertion for more details.

Important

This approach to IdP discovery is DEPRECATED and will be replaced by an alternative approach in the next version of GridShib for GT. See the above wiki page for details.

If the credential presented is an EEC, this PIP looks for the authentication assertion in the EEC.

If the credential presented is a level 1 proxy, this PIP looks for an authentication assertion in the proxy. If the proxy does not have an assertion and it is an impersonation proxy, the PIP looks for an authentication assertion in EEC.

If the credential presented is a level '1+x' proxy and all the proxies (upto level 2 proxy) in the chain are impersonation proxies, this PIP looks for an authentication assertion in the level 1 proxy. If the level 1 proxy does not have an assertion and it is an impersonation proxy, the PIP looks for authentication assertion in the EEC.

If it finds an authentication assertion, it checks whether the issuer of the assertion is same as the issuer of the certificate in which the assertion is present. i.e., if the assertion is in the level 1 proxy, the issuer of the assertion must be the DN of the EEC that issued the proxy. And if the assertion is in the EEC, the issuer of the assertion must be the DN of the CA that issued the EEC.

The DN of the issuer of the assertion must be on the list of trusted SAML authentication authorities. See trusted-authn-authorities-file for details about WSDD configuration (pointing the module to the file) and below for an example file:

/O=Grid/OU=GlobusTest/OU=someOU/CN=someCN
/O=Grid/OU=GlobusTest/OU=anotherOU/CN=anotherCN

Note that quotes are not necessary, just one DN per line.

To configure this PIP, you need to add the module's class name to your service's security descriptor's authorization chain configuration. This must be configured before the ShibbolethPDP.

For example, in a GT4.0.x deployment, the echo service's file $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/echo-service-security-descriptor.xml would contain this (all one line):

<authz
    value="shibecho:org.globus.gridshib.SAMLAuthnPIP shibecho:org.globus.gridshib.PDP"/>

3.3.5. Using VOMS alongside GridShib

It is possible to direct the GridShib PDP to consult an embedded VOMS certificate. The VOMS consultation will happen after the optional DN check and before any decision is made based on SAML/Shibboleth. If the VOMS PDP returns ACCEPT, all processing stops. Otherwise, processing continues on with SAML attribute processing (and potentially a Shibboleth query).

See the useVOMS configuration explanation below.

If you enable VOMS, be sure that the VOMS package is installed to your Globus installation. See the VOMS page for installation and configuration information. GridShib was tested with the 0.2 version (previous version are not compatible).

Note that when using VOMS in conjunction with the GridShib PDP (particularly useful for GT4.0.x installations), the VOMS configurations will be included directly alongside the GridShib PDP, not in a separate section.

For an example, see the GridShib echo service's WSDD file (only in GT4.0.x). The useVOMS configuration is set to false but if it were set to true the example VOMS configurations below it would take effect (passed to the VOMS module directly from the GridShib PDP).

3.3.6. Configuration Parameters

This table lists all possible Configuration parameters for controlling the behavior of the GridShib authorization. The class that needs the parameter is listed for developers or if you want to use one of the PIP classes by itself [developer's guide does not exist yet]. Configuration examples are listed separately below this table.

Important

In GT4.0.x deployments these are WSDD configurations. In GT4.1+ deployments these are security descriptor configurations.

Table 1. Configuration Parameters

Parameter	Required	Used by	Explanation
AAHostAuthz	No	PIP	A value of "true" triggers GT4 host authorization for the attribute query. If this is included, the https connection to the AA will only be established with a certificate CN matching "host/" plus the reverse DNS lookup name of the AA IP address. This is not a required configuration only in order to ease testing, if either this or AAIdentity is not configured, your solution will not be secure. Also, if the AAUrl configuration is not `https`, this configuration will be ignored. An AAIdentity configuration takes precedence over this configuration if both are configured. Note: if the value is not "true" (case insensitive), this will result in an initialization exception (resulting in a `DENY` decision no matter what). The reason being that the default is to not use authorization, and a typo could result in an insecure configuration. So for non-ambiguity, either configure to be equal to true, or do not add this parameter at all. See the AAHostAuthz configuration example. This configuration is only applicable when using the IdPproviderId and AAUrl configurations (see note).
AAIdentity	No	PIP	This value is the certificate identity of the Shib AA. If this is included, the https connection to the AA will only be authorized if the AA's certificate matches. This is not a required configuration only in order to ease testing, if either this or AAHostAuthz is not configured, your solution will not be secure. Also, if the AAUrl configuration is not `https`, this configuration will be ignored. This configuration takes precedence over a AAHostAuthz configuration if both are configured. See the AAIdentity configuration example. This configuration is only applicable when using the IdPproviderId and AAUrl configurations (see note).
AAUrl	Yes (*note)	PIP	This value is the network address of the Shib AA to use for all attribute queries. The only allowed schemes are `http` and `https`. See the AAUrl configuration example. NOTE: This configuration can not be used at the same time as the metadata-dir configuration. See note.
authzMap	No	PDP	This triggers the PDP to require at least one username mapping for a successful authorization. It is OFF by default. See the authzMap configuration example. For more information about username mapping, see: Username mappings
cacheAttr	No	PDP	A value of "true" directs the PDP to cache received attributes and consult these attributes on subsequent operation invocations by the same client. See the Attribute caching section. Also see the cacheAttr configuration example.
IdPproviderId	Yes (*note)	PIP	This value is used for two (related) purposes: It is included in the attribute query as the value of the `NameQualifier` attribute of the `<NameIdentifer>` element of the SAML `<AttributeQuery>`. If the response returned from the Shib AA contains an assertion, the issuer attribute of the SAML `<Assertion>` element must be equal to this value in order for the assertion to be considered valid. See the IdPproviderId configuration example. NOTE: This configuration can not be used at the same time as the metadata-dir configuration. See note.
trusted-authn-authorities-file	No	PIP	This configuration is used to provide a list of DNs of the trusted authentication authorities to the SAML authentication assertion PIP. If the issuer of the authentication assertion in the credential is not in this list, the authentication assertion will be ignored. This must be an absolute path. See the Section 3.3.4, “SAML authentication assertion PIP”. Also see an example file above.
metadata-dir	Yes (*note)	PIP	This configuration is used to trigger the PIP to use metadata file(s) for obtaining AA information instead of the explicit configuration listed in this table (IdPproviderId and AAUrl). See the metadata-dir configuration example. NOTE: This configuration can not be used at the same time as the IdPproviderId and AAUrl configurations. See note.
respect-md-attributes	No	PIP	When using metadata, this configuration indicates whether or not attributes in IdP metadata should be "respected." If they are, a query to a particular IdP will not be initiated if the authorization module determines that no attribute in authorization policy would possibly match any of the IdP's advertised attributes. For an example, see the respect-md-attributes configuration example Also see the documentation on this optimization: Metadata attribute optimization This configuration defaults to OFF.
shibAuthzAttrFile	Yes	PDP	This lists the path to an access control list file used for attribute based authorization. If one attribute obtained from the IdP is in this file, the authorization module returns a `PERMIT` decision. If this file can not be read or found, the authorization module will throw an exception (always resulting in a `DENY` decision). See the shibAuthzAttrFile configuration example, attribute ACL file syntax and attribute matching rules.
consultDefaultGridmap	No	PDP	Setting this to "true" directs the PDP to use the default grid-mapfile for identity based authorization. If the caller's DN is in this file, the authorization module stops processing and returns a `PERMIT` decision. No attributes are collected, which saves time. If this file can not be read or found, the authorization module will log the error and continue. Note that this is only applicable for GT4.0.x deployments. For GT4.1+ deployments you can get this same behavior by configuring a gridmap authorization module ahead of the GridShib modules to short-circuit the authorization processing if there is a PERMIT.
useVOMS	No	PDP	Setting this to "true" directs the PDP to consult an embedded VOMS certificate. Install the GT4 VOMS modules (see the current VOMS page) and configure the VOMS parameters in your WSDD (GT4.0.x) or security descriptor (GT4.1.x) alongside the GridShib configurations. The VOMS consultation will happen after the optional DN check and before any decision is made based on SAML/Shibboleth. If the VOMS PDP returns ACCEPT, all processing stops. Otherwise, processing continues on with SAML attribute processing (and potentially a Shibboleth query). Note that this is really only applicable for GT4.0.x deployments (but will still work with GT4.1+). For GT4.1+ deployments you can get this same behavior by configuring a VOMS authorization module ahead of the GridShib modules to short-circuit the authorization processing if there is a PERMIT. See the "VOMS" section for more information
shibAuthzMapFile	No	SAMLMapPIP	This lists the path to a username mappings file used for attribute based authorization. If this is not configured, the SAMLMapPIP will use the file in the shibAuthzAttrFile configuration. This configuration will let you keep access policy and username mappings separate if you so desire. It also allows the SAMLMapPIP to be used on its in conjunction with other PDP implementations. See the shibAuthzMapFile configuration example. For more information about username mapping, see: Username mappings
SPproviderId	Yes	PIP	This value is used for the value of the `resource` attribute of the SAML `<AttributeQuery>` element in the attribute query sent to the Shib AA. See the SPproviderId configuration example.

Footnote: In general, there are two ways to configure the query module with attribute authority information to use for the query: a) provide the module with specific information via the IdPproviderId and AAUrl configurations (which limits you to one, hardcoded AA) or b) use the metadata-dir configuration to configure an array of AAs from SAML metadata. For more information about using SAML2 metadata, see: Using SAML2 metadata to configure GridShib for GT

Table 2. WSDD Parameter Example Configurations

This table shows examples of authorization module configurations in a deployment descriptor.

Important

These examples are for GT4.0.x deployments, these are WSDD configurations. In GT4.1+ deployments these configurations are security descriptor configurations (but the values of each configuration are the same).

Parameter	Example
AAHostAuthz	<parameter name="counter-AAHostAuthz" value="true"/>
AAIdentity	<parameter name="counter-AAIdentity" value="/C=US/O=example.org/CN=idp.example.org"/>
AAUrl	This example shows the default AA URL used by the Shibboleth demo AA/SSL configuration. To use this particular URL (for testing only), you would need to preempt your DNS server, e.g., by editing your `hosts` file: <parameter name="counter-AAUrl" value="https://idp.example.org:8443/shibboleth-idp/AA"/>
authzMap	<parameter name="counter-authzMap" value="true"/>
cacheAttr	<parameter name="counter-cacheAttr" value="true"/>
IdPproviderId	This example shows the IdP providerId used by the Shibboleth demo configuration: <parameter name="counter-IdPproviderId" value="https://idp.example.org/shibboleth"/>
trusted-authn-authorities-file	<parameter name="counter-trusted-authn-authorities" value="/ABSOLUTE/PATH/TO/trust_authn_authorities.txt"/>
metadata-dir	A good place for this directory is your service's subdirectory in `$GLOBUS_LOCATION/etc`; for that, the `@config.dir@` shortcut can be used. Otherwise, a relative or absolute path is required. <parameter name="counter-metadata-dir" value="@config.dir@/idp-metadata"/>
respect-md-attributes	<parameter name="counter-respect-md-attributes" value="true"/>
shibAuthzAttrFile	A good place for this file is your service's subdirectory in `$GLOBUS_LOCATION/etc`; for that, the `@config.dir@` shortcut can be used. Otherwise, a relative or absolute path is required. <parameter name="counter-shibAuthzAttrFile" value="@config.dir@/attr-authz.xml"/>
shibAuthzMapFile	A good place for this file is your service's subdirectory in `$GLOBUS_LOCATION/etc`; for that, the `@config.dir@` shortcut can be used. Otherwise, a relative or absolute path is required. <parameter name="counter-shibAuthzMapFile" value="@config.dir@/username-mappings.xml"/>
SPproviderId	This example shows the SP providerId used in the GridShib for Shibboleth demo configuration (you can see the demo SP providerId configuration for GridShib in this file after a new GridShib for Shibboleth installation: `$IDP_HOME/etc/gridshib-idp/gridshib-sp-metadata-unsigned.xml`): <parameter name="counter-SPproviderId" value="https://globus.org/gridshib"/>

3.3.7. Policy Syntax and Authorization Semantics

3.3.7.1. Authorization algorithm overview

If not caching, the steps of the authorization module:

If the policy files have changed, the code will reload them (based on file modification time).
If this is a GT4.0.x deployment and gridmap authorization is configured, the PDP first checks if the caller's DN is in the ACL. If so, it returns PERMIT to the container and the PDP is done.
If VOMS support is configured, the PDP calls the VOMS PIP and PDP. If a PERMIT is returned, the overall decision is PERMIT and the PDP is done.
Call the PIP. The PIP performs the SAML attribute query to the Shibboleth AA. If successful and valid assertions are returned, parse out the attributes.
Call the SAMLMapPIP to retrieve username mappings if they are present. If (optionally) configured to do so, here require at least one username mapping (this check is OFF by default).
Compare the valid attributes to the attribute ACL and return PERMIT or DENY accordingly, as outlined in Simple attribute ACL authorization semantics.

If caching, the steps of the authorization module:

If the policy files have changed, the code will reload them (based on file modification time).
If this is a GT4.0.x deployment and gridmap authorization is configured, the PDP first checks if the caller's DN is in the ACL. If so, it returns PERMIT to the container and the PDP is done.
If VOMS support is configured, the PDP calls the VOMS PIP and PDP. If a PERMIT is returned, the overall decision is PERMIT and the PDP is done.
The cache flag is checked. If the cache flag is set to TRUE (the default is FALSE), assertions previously obtained about the caller are consulted.
If there are previously obtained assertions, a validity check is made on all assertions. If any single one is invalid, they are all discarded.
If they were not discarded (all are valid), use these attributes instead of calling the PIP.
If calling the PIP, do it now. If successful and valid assertions come back, parse out the attributes.
Call the SAMLMapPIP as above. It will try to map whatever attributes are present (whether they came from the attribute cache or from a fresh query).
Compare the valid attributes to the attribute ACL and return PERMIT or DENY accordingly, as outlined in Simple attribute ACL authorization semantics.

Missing from the steps above is the optimization that is possible outlined here: Metadata attribute optimization (that is OFF by default).

3.3.7.2. Attribute validity

An attribute is considered "valid" if the SAML assertion the attribute was obtained from is considered "accepted." If the query results in a response containing assertions, the assertion must be from the expected issuer and for the expected audience.

Also, the time conditions of the SAML assertion are respected. If caching, the time conditions of the assertion in which the attribute was delivered are stored with each attribute. If the cache is consulted and the time range does not include the current time anymore, the attribute is considered invalid.

See the Attribute caching section and the with-caching authorization algorithm section for details on caching.

3.3.7.3. Simple attribute ACL authorization semantics

The file pointed to by the shibAuthzAttrFile WSDD parameter contains a list of SAML attributes that direct a PERMIT decision if the caller's identity has one of the attributes associated with it.

For example, if we:

include eduPersonAffiliation:member in this policy file (see the example in the syntax section below)
and the client invokes an operation configured with Shibboleth based authorization
and the attribute query to the Shibboleth AA results in an assertion with this attribute

then the client is allowed to invoke the operation.

There are several things to note about how the attributes in the ACL are matched to attributes coming over the wire from the AA:

The attributes returned from the Shibboleth AA are not regular SAML attributes, the urn:mace:shibboleth:1.0 namespace is used for the <AttributeValueType> element instead of the normal SAML namespace urn:oasis:names:tc:SAML:1.0:assertion.
In the authorization module, the received attributes are normalized to the SAML assertion namespace for user convenience. The policy looks nicer and the Shibboleth developers are moving towards removing the Shibboleth namespace, so this ensures forward compatibility of the policy file.
In the next example, the first attribute is equivalent to the second attribute for authorization purposes:
```




<Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
          AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue>member</AttributeValue>
</Attribute>



<Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonPrincipalName"
      AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"
      xmlns:typens="urn:mace:shibboleth:1.0">
    <AttributeValue xsi:type="typens:AttributeValueType">member</AttributeValue>
</Attribute>
```
Multi-valued attributes in the policy do not signal that the attribute from the AA must have each value, only that one must be present.
Consider the multi-valued policy entry example in the syntax section below, if an attribute from the AA was eduPersonAffiliation:faculty only, the authorization decision would return a PERMIT decision. A logical OR is performed: even though both eduPersonAffiliation:faculty and eduPersonAffiliation:employee are in the policy, a eduPersonAffiliation:faculty attribute from the AA is sufficient to authorize the operation
Likewise for the reverse case. If a multi-valued attribute is returned from the Shibboleth AA, only one of the values needs to match an entry in the policy in order for authorization to evalute to PERMIT.
Currently only xsd:string is supported for the content of an <AttributeValue> element.

3.3.7.4. Simple attribute ACL policy syntax

The attribute policy must conform to the simple policy schema, found here in the source tree (element: AttributePolicy): interceptors/java/source/policy/compact/gridshib_policy/gridshib_policy_port_type.wsdl

The form is a list of entries:

<AttributePolicy>
  [<entry> 0 -> unbounded ]
     <listOfAttributes> 1 -> unbounded
        <saml:Attribute> 1 -> unbounded
     [<listOfUsernames> 0 -> unbounded ]
        [<username> 0 -> unbounded ]
  [</entry>]
</AttributePolicy>

The outer element <AttributePolicy> and its entry format is in a custom namespace, the attributes contained in <listOfAttributes> are SAML <Attribute> elements. The schemas used in Shibboleth slightly alter the SAML attribute definition -- this policy does NOT use attributes with that altered namespace, it uses regular SAML attributes.

Examples:

This example shows a policy with one valid attribute, any client without this attribute will be denied (unless DN based authorization is being used).

<AttributePolicy
    xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <entry>
      <listOfAttributes>
        <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>member</saml:AttributeValue>
        </saml:Attribute>
      </listOfAttributes>
    </entry>
</AttributePolicy>

An attribute with multiple values can be entered in the policy, see this explanation for how this is treated in the authorization processing.

<AttributePolicy
    xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <entry>
      <listOfAttributes>
        <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>faculty</saml:AttributeValue>
            <saml:AttributeValue>employee</saml:AttributeValue>
        </saml:Attribute>
      </listOfAttributes>
    </entry>
</AttributePolicy>

To signal an empty policy, you may not erase all information in the file, you must use an empty list. Otherwise, a parsing exception will be thrown -- while this results in a DENY decision anyhow, there is a slight difference: because the parsing exception is triggereds before a DN ACL check, if you have an empty file you can not use DN based authorization. If this file is empty (or missing or unreadable), the authorization decisions will be DENY no matter what. Instead, use an empty list.
Example:
```
<AttributePolicy
    xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
</AttributePolicy>
```
Of course, this is an odd configuration: if you want identity based authorization only, gridmap authorization is recommended instead. This would only be for temporary attribute based authorization disabling.

3.3.7.5. Username mappings

A list of attributes can have system accounts associated with it that will allow clients bearing the attributes access to the accounts, just like a grid-mapfile can map DNs to system accounts.

If the <listOfUsernames> element is present, the SAMLMapPIP will add the usernames to the client's information for the life of the operation invocation.

Example:

<AttributePolicy
    xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
    <entry>
      <listOfAttributes>
        <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>faculty</saml:AttributeValue>
        </saml:Attribute>
      </listOfAttributes>
      <listOfUsernames>
        <username>manager</username>
      </listOfUsernames>
    </entry>
    <entry>
      <listOfAttributes>
        <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
                  AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
            <saml:AttributeValue>member</saml:AttributeValue>
        </saml:Attribute>
      </listOfAttributes>
      <listOfUsernames>
          <username>john</username>
          <username>lily</username>
      </listOfUsernames>
    </entry>
</AttributePolicy>

NOTE: An attribute may map to multiple usernames (as seen in the second example above), multiple attributes may map to multiple usernames, or one attribute may map to one username only (as seen in the first example above). As with the grid-mapfile, if multiple usernames are present a service such as GRAM can decide for itself which is appropriate (in GRAM's case, this is accomplished by the client supplied <localUserId> RSL element present in the <job> RSL element).

The username mappings are retrieved by a service using the same exact code that the gridmap aware service should:

String[] usernames = SecurityManager.getManager().getLocalUsernames();

Thus, this can be used to replace the grid-mapfile's username mapping aspect.

The SAMLMapPIP uses the ACL file set by the shibAuthzAttrFile configuration. But if the optional shibAuthzMapFile configuration is present, it will use that instead. Thus username mapping information can be separated from authorization policy if you so desire. It also allows the SAMLMapPIP to be used on its in conjunction with other PDP implementations.

If the optional authzMap configuration is present, the ShibbolethPDP will require that the caller has at least one username mapping in order for authorization to succeed.

NOTE: If using username mappings with GRAM, you must make sure the sudoers policy is correct. The typical GRAM entry in the sudoers policy looks like so:

globus ALL=(billy) NOPASSWD: /globuslocation/libexec/globus-gridmap-and-execute -g /etc/grid-security/grid-mapfile /globuslocation/libexec/globus-job-manager-script.pl *

The call to "globus-gridmap-and-execute -g /path/to/grid-mapfile" should be removed from the line (or a separate copy of the line added that excludes this). When GRAM detects that gridmap authorization is not being used it omits these arguments. Thus, the original sudo policy would fail unless the arguments were removed. This is a working entry:

globus ALL=(billy) NOPASSWD: /globuslocation/libexec/globus-job-manager-script.pl *

For more information about GRAM and sudo, see the Configuring Sudo section of the GRAM documentation.

4. Deploying

Other than steps described in the above installation and configuration guides, the following are needed to deploy a GridShib enabled service.

4.1. Obtaining credentials for the GridShib service

The protected service can run with its own service specific credentials. Instructions for obtaining service credentials may be found here. If the PIP is configured to contact an AA over SSL, this credential will be used for the SSL handshake. If a service's security descriptor does not list a credential to use, the container's will be used instead.

Instructions for obtaining and configuring certificates can be found here. Also, see the GT4 security section for more information.

For information on using SAML2 metadata to configure GridShib for GT with AA information (including automatically configuring trusted certificates), see Using SAML2 metadata to configure GridShib for GT.

5. Testing

There are two types of tests.

Testing the installation with an existing Shibboleth AA using the EchoService
Manual tests of service level and container level Shibboleth attribute based authorization with your own certificates and an already setup Shibboleth attribute authority (AA) with GridShib name mapping plugin. The instructions will take you through installing and using the echo service and client supplied in the tests package.
Running the GridShib unit tests
Automatic unit tests that can be run on any GT4 Java core installation with valid certificates (it does not require a Shibboleth AA; instead, a test AA is automatically deployed in the container itself). Unit tests are typically for developer use.

5.1. Installing the testing packages

You can either install an echo service GAR file or install from the source to install the unit test and/or echo packages.

5.1.1. Binary installation of the echo service

Download the most recent echo service GAR file from the download page.
Set the GLOBUS_LOCATION environment variable as your environment requires (bourne shell shown):
```
export GLOBUS_LOCATION=/path/to/globus
```
Deploy the GAR file:
```
cd $GLOBUS_LOCATION
./bin/globus-deploy-gar gridshib-gt-echo-0_5_1.gar
```
Detailed instructions are available for globus-deploy-gar and globus-undeploy-gar

5.1.2. Source installation

Obtain the source tree and install the authorization module with ant deploy (as outlined in Section 2.2, “Source installation of the GT4 plugin.”).
Set the GLOBUS_LOCATION environment variable as your environment requires (bourne shell shown):
```
export GLOBUS_LOCATION=/path/to/globus
```
To install the echo service, use the top level build file:
```
cd gridshib-gt-source
ant deploy-echoservice
```
To install the unit tests, use the top level build file:
```
cd gridshib-gt-source
ant deploy-tests
```

5.2. Testing the installation with an existing Shibboleth AA using the EchoService

This guide will take you step by step through setting up a testing environment for the GT GridShib authorization installation, assuming a Shibboleth IdP with GridShib name mapping plugin is available.

The echo service is a grid service with one operation called "echo". Authorization for this operation is configured to use the GridShib GT plugin. When the echo client makes a call to this operation, a SAML attribute request about the caller is made to the IdP. The attributes are returned and an authorization decision is made. If the decision is PERMIT, the client will receive back a printout about what attributes were found. If something is not working as expected, the echo client will be DENIED authorization for the echo operation and not print out any attributes. If that happens, the instructions below will guide you through a few troubleshooting steps.

5.2.1. Running the ShibEchoService client

Add your DN to the IdP namemapper plugin's gridmap.txt file. This step will be handled by someone else for your test configuration, or refer to the IdP GridShib name mapping plugin's documentation to learn what file to edit if you have access to the Shibboleth IdP you are using for this test. The DN in that gridmap.txt file is not the normal Globus style DN. To determine exactly what to send to the administrator that manages identites at the IdP you are testing with, you can run the rfc2253dn program. See Determining a credential's IdP identity
Make sure both the authorization module and testing packages are installed, see Installing the testing packages.
The testing package installation installs a program, verify it is there: $GLOBUS_LOCATION/bin/shibecho
The testing package installation installs a service, after booting the container, it should be listed:
```
https://127.0.0.1:8443/wsrf/services/ShibEchoService
```
Note the exact URL that is printed, you will need it later (preferably cut and paste it so that you know it is the same).
Once you've verified these are there, examine the ShibEchoService's web services deployment descriptor (WSDD) to view the default demo configurations. The descriptor is located at $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/server-config.wsdd
NOTE: if you are using GridShib with the Globus Toolkit 4.1 release or higher, these configurations will be in the security descriptor, not the server-config.wsdd

Important
Note that the trusted authentication authorities configuration must be an absolute path and this is not configured by default for you. See trusted-authn-authorities-file for details. Alternatively, you can disable the SAMLAuthnPIP in the security descriptor for your initial tests.

Examine the "ShibEchoService" section. Above each of the relevant parameters are comments that go into detail about each parameter. Also, further information is provided in the ??? section.
At the very least you will need to think about the AAUrl configuration. If you've set up a localhost demo IdP, you will need to adjust the hosts file to resolve idp.example.org to 127.0.0.1. Otherwise, if you are not involved in setting up the IdP, the URL will be provided to you by an administrator or federation.
If you changed anything in the WSDD, you need to restart the container. Also, if you want to see more information server-side, follow the directions below for enabling DEBUG output and restart the container for the change to take effect.
Now, with the container running, in another shell, make a call to the ShibEchoService. Replace the URL below with the exact URL output by the container when you tested for the presence of ShibEchoService.
```
cd $GLOBUS_LOCATION
source etc/globus-devel-env.sh
grid-proxy-init
./bin/shibecho -s https://127.0.0.1:8443/wsrf/services/ShibEchoService
```

If everything went well, you will get a printout about what attributes the authorization module connects with your DN.

---------
Response:
---------

SAMLAttribute
{
 name='urn:mace:dir:attribute-def:eduPersonAffiliation'
 namespace='urn:mace:shibboleth:1.0:attributeNamespace:uri'
 value #1 ='member'
 notBefore='2005-07-28T01:58:31Z'
 notOnOrAfter='2005-07-28T02:28:31Z'
}

If you received an authorization DENIED error (or experienced any other error), see below.

5.2.2. Troubleshooting the ShibEchoService client

There are many possible things that could be wrong if you did not get a list of attributes back from the ShibEchoService client.

5.2.2.1. Defective credential errors

You may have received this a "defective credential" error. For example:

Error: ; nested exception is:
GSSException: Defective credential detected [Caused by: Proxy file
(/tmp/x509up_u1000) not found.]

In this case, the defective credential error is that your proxy certificate is not found in the first place: you need to run grid-proxy-init. Documentation for grid-proxy-init can be found here or run:

cd $GLOBUS_LOCATION
source etc/globus-devel-env.sh
grid-proxy-init -help

If you do not know what a proxy certificate is, consult the GT4 security documentation key concepts section.

For other types of defective credential errors, see the general troubleshooting section.

5.2.2.2. Connection refused, client side

If the client-side reports connection refused, for example:

./bin/shibecho -s https://127.0.0.1:8443/wsrf/services/ShibEchoService
Error: ; nested exception is:
        java.net.ConnectException: Connection refused

... then you have the wrong URL after the -s argument or the container is not started. To ensure it is the correct URL, cut and paste the ShibEchoService URL from the container startup message. If that does not work, it may be a DNS (or hosts file) problem.

5.2.2.3. Authorization denied

If you did not receive a credential or connection refused error, you probably received an authorization denied error.

Important

If you are receiving an authorization denied error, there are different things that could be wrong with your configuration, but all specific information is kept server-side (for security reasons): the client only sees an authorization denial.

The first thing to do is make sure you have DEBUG output for the authorization module enabled. See the instructions below.

5.2.2.4. Connection refused, server side

If the container log's ERROR output notes a connection refused error:

ERROR authorization.ShibbolethPDP [ServiceThread-3,callPIP:555] error calling
PIP: Error contacting configured attribute authority
"https://idp.example.org:8443/shibboleth-idp/AA" [Caused by: ; nested
exception is:         java.net.ConnectException: Connection refused]

... then the Shibboleth AA endpoint is not valid. This could be a DNS problem or it could be that the IdP is just not up. More can be determined by typical means (for example, telnet). See above for the location of the ShibEchoService WSDD file which contains the AAUrl setting: Running the ShibEchoService client.

5.2.2.5. 404

If the container log's ERROR output notes a 404 error:

error calling PIP: Error contacting configured attribute
authority "https://idp.example.org:8443/shibboleth-idp/AA" [Caused by:
(404)/shibboleth/AA]

... then the Shibboleth AA endpoint is not valid. This means some server is running at this endpoint, but that the Shibboleth IdP is not installed. The endpoint is configured in the AAUrl WSDD parameter of the echo service. See above for the location of the ShibEchoService WSDD file: Running the ShibEchoService client.

NOTE: if you are using GridShib with the Globus Toolkit 4.1 release or higher, this configuration will be in the security descriptor, not the server-config.wsdd

5.2.2.6. Invalid identity

If the DN is not a valid identity at the IdP, the container will log this INFO level message:

INFO  authorization.ShibbolethPIP [ServiceThread-3,collectAttributes:409]
Received response from Attribute Authority:
The supplied Subject was unrecognized.

To remedy this situation, the IdP needs to be populated with the caller's DN, which can be found in the DEBUG output:

DEBUG authorization.ShibbolethPIP [ServiceThread-3,getX509Subject:875] x500
subjectName: cn=timothy freeman 964650,ou=people,dc=doegrids,dc=org

It can also be found by running the rfc2253dn program (see Determining a credential's IdP identity).

5.2.2.7. Invalid ACL

It's possible that the AA is returning an attribute about the caller, but the attribute is not in the ACL. The container's DEBUG log output will show an attribute returned:

DEBUG authorization.ShibbolethPIP [ServiceThread-2,collectAttributes:571] found
an attribute

attribute name  = urn:mace:dir:attribute-def:eduPersonAffiliation
attribute namespace  = urn:mace:shibboleth:1.0:attributeNamespace:uri


DEBUG authorization.ShibbolethPIP [ServiceThread-2,collectAttributes:600]
attribute value = member

... but later will reveal that it is not in the authorization policy (the attribute ACL):

DEBUG authorization.ShibbolethPDPUtil [ServiceThread-2,isAttributePermitted:176]
found one caller attribute

DEBUG authorization.ShibbolethPDPUtil [ServiceThread-2,isAttributePermitted:207]
no attributes passed

To solve the problem, look at the attribute returned from the AA and change the policy file to match.

Note: the attribute ACL file to edit will be whatever the value of the ShibEchoService's WSDD parameter "shibAuthzAttrFile" is. By default this value resolves to $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/echo-service-security-descriptor.xml

NOTE: if you are using GridShib with the Globus Toolkit 4.1 release or higher, this configuration will be in the security descriptor, not the server-config.wsdd

Details on the ACL's contents can be found here.

5.3. Running the GridShib unit tests

To run the unit tests, you need to download the source tree or check it out from CVS. Both sets of instructions are available: Section 2.2, “Source installation of the GT4 plugin.”. Using an installation of the tests GAR file instead of the source tree is not supported.

After running 'ant deploy-tests' as outlined at Section 5.1.2, “Source installation”, you need to start the container at $GLOBUS_LOCATION
If https://localhost:8443/wsrf/services/... does not correspond to the URLs advertised by the container at startup (it can correspond either by extension if it gives an IP address or host corresponding to localhost) you will need to override the testing URL. A way to test for the correct URL is to run the counter client or just try to run the tests and note any host credential problems in the test ouput XML file.
If you want to override the URL, run the tests like so:
```
ant -Dtest.server.url=https://host:8443/wsrf/services/ test
```
Note: the tests will fail if you do not use https, since one of the tests confirms that GridShib and transport security work.
Note: the URL does need to end with "wsrf/services/" as in the example. It is not supposed to be a specific service endpoint, it is the "base" URL of the server.

To run the tests:

export GLOBUS_LOCATION=/path/to/globus
grid-proxy-init
cd gridshib-gt-source
ant test

The results will print out. To look at details of successes or errors consult gridshib-gt-source/service/java/test/tests/test-reports/ TEST-org.globus.gridshib.gt.authorization.attributes.tests.ShibbolethTests.xml
If you turn on DEBUG output on the container as outlined below, a lot of information is also output via the container logging mechanism.

6. Security Considerations

[security considerations]

7. Troubleshooting

7.1. Troubleshooting GT4 GridShib related problems

7.1.1. Enabling DEBUG logging

The best way to begin troubleshooting is to enable the log4j DEBUG output for the server-side GridShib libraries.

In your $GLOBUS_LOCATION/container-log4j.properties, add this line and then restart the container:

log4j.category.org.globus.gridshib=DEBUG

7.1.2. java.lang.Exception: trusted authorities file is invalid

This error indicates you have deployed the gridshib plugin successfully but did not replace "/GLOBUS_LOCATION" with the actual absolute path to your GT installation. For GT4.0.x installations, this can be fixed by adding the absolute path to the "trusted-authn-authorities-file" configuration of the relevant service's deploy-server.wsdd file. For GT4.1+ this can be fixed by adding the absolute path to the "trusted-authn-authorities-file" configuration of the relevant service's security descriptor file.

For exmaple, for the provided echo service, the relevant files are $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/server-config.wsdd for GT4.0.x installations and $GLOBUS_LOCATION/etc/gridshib-gt-echo-0_5_1/echo-service-security-descriptor.xml for GT4.1+ installations.

7.1.3. Exception in thread "main" java.lang.NoClassDefFoundError: org/apache/xerces/impl/xs/XSComplexTypeDecl

This error indicates you have undeployed the gridshib plugin from a GT4.0.x installation and are now attempting to deploy it from source. Running "ant deploy-oldlibs" fixes the problem.

7.1.4. Failed to start container: [Caused by: java.lang.reflect.InvocationTargetException]

This error likely indicates that you are using the metadata processing libraries without having updated the container with the necessary dependencies for OpenSAML 1.1. For GT4.0.x installations, these jars are supplied in the GridShib for GT GAR files and should be installed automatically when you installed gridshib-gt-[version].gar.

7.1.5. For more information

The Troubleshooting the ShibEchoService client section has useful advice applicable to any service.

Also do not hesitate to post questions to the gridshib-beta mailing list, see instructions for subscribing here.

7.2. Credential Errors

The following are some common problems that may cause clients or servers to report that credentials are invalid:

7.2.1. Your proxy credential may have expired

Use grid-proxy-infoto check whether the proxy has actually expired. If it has, generate a new proxy with grid-proxy-init.

7.2.2. The system clock on either the local or remote system is wrong

This may cause the server or client to conclude that a credential has expired.

7.2.3. Your end-user certificate may have expired

Use grid-cert-infoto check your certificate's expiration date. If it has expired, follow your CA's procedures to get a new one.

7.2.4. The permissions may be wrong on your proxy file

If the permissions on your proxy file are too lax (for example, if others can read your proxy file), Globus Toolkit clients will not use that file to authenticate. You can "fix" this problem by changing the permissions on the file