GridShib Frequently Asked Questions
-
What is GridShib for Globus Toolkit?
-
GridShib for Globus Toolkit is a plugin for Globus Toolkit 4.0 (and later). GridShib for Globus Toolkit (GT) will consume X.509-bound SAML assertions issued by the GridShib CA or the GridShib SAML Tools. GridShib for GT will also issue SAML attribute queries to a Shibboleth Identity Provider with GridShib for Shibboleth installed. All of these SAML attributes are combined and used by the authorization framework to make local access control decisions.
-
What exactly is an authorization framework?
-
The GT authorization framework is responsible for maintaining and enforcing access control policy in the GT runtime. The architecture employed by the framework relies on a chain of PDPs to make its access control decision.
-
What is a PDP?
-
A Policy Decision Point (PDP) decides whether or not a request should be serviced. In other words, a PDP is responsible for enforcing local access control policy. To help make its decision, a PDP obtains information from one or more PIPs.
-
What is a PIP?
-
A Policy Information Point (PIP) gathers information about the authenticated subject and stores this information in the GT runtime for subsequent use by other PIPs or PDPs. Two important PIPs distributed with GridShib for GT are the SAMLAssertionPushPIP and the SAMLQueryPIP.
-
What is the SAMLAssertionPushPIP?
-
The SAMLAssertionPushPIP consumes SAML assertions bound to X.509 certificates. The security information in these pushed SAML assertions (including attributes and authentication context) is used to make a local access control decision.
-
What is the SAMLQueryPIP?
-
The SAMLQueryPIP queries a Shibboleth Identity Provider with GridShib for Shibboleth installed. The resulting attributes are used to make a local access control decision.
-
My GridShib for GT deployment is configured to use the SAMLQueryPIP. Does each of the identity providers in our grid federation need to install GridShib for Shibboleth?
-
That depends. If your users are new grid users who use the GridShib CA to obtain short-term credentials, then no, GridShib for Shibboleth is not required. However, if your users are established grid users who possess long-lived grid credentials, then yes, GridShib for Shibboleth is required. In either case, some configuration at the identity provider is necessary.
-
What is GridShib for Shibboleth?
-
GridShib for Shibboleth is a plugin for a Shibboleth 1.3 Identity Provider (IdP). After installing GridShib for Shibboleth, the Attribute Authority (AA) component of the IdP will respond to attribute queries from GridShib for Globus Toolkit.
-
My grid deployment consists primarily of new grid users who obtain short-lived credentials from the GridShib CA. Does each of the identity providers in our grid federation need to install GridShib for Shibboleth?
-
No, GridShib for Shibboleth is not needed in this case. You can configure the identity provider to use X509SubjectNameNameIdentifierMapping, a name mapping plugin distributed with Shibboleth 1.3.
-
We have a traditional grid deployment where each user has been issued a long-lived X.509 credential. Does each of the identity providers in our grid federation need to install GridShib for Shibboleth?
-
Yes, in this case GridShib for Shibboleth is used to manage name mappings at the identity provider. Each user's distinguished name (DN) is stored in a file or table so that the attribute authority can map the DN to a local principal name.
To avoid having to install GridShib for Shibboleth at each IdP, an IdP Proxy may be used. IdP Proxy implementations include myVocs (a service) and myVocs box (an appliance).
-
Does an administrator at the identity provider need to maintain a name mapping for each user in the grid federation?
-
An administrator may manually insert a name mapping into a file, but a simpler approach is to let users self-manage their own certificates. The GridShib Certificate Registry may be used for this purpose.
-
What is the GridShib Certificate Registry?
-
The GridShib Certificate Registry stores name mappings at the identity provider (IdP). A user uploads an X.509 public key certificate to the IdP (via a web interface), the IdP extracts the Subject DN from the certificate, and then the DN is stored in a table along with the user's local principal name.
-
I've heard the term "name mapping" a few times, but I'm not sure what it means.
-
By definition, a name mapping is an ordered pair. In this case, the x-coordinate of a name mapping is a distinguished name (DN) while the y-coordinate is the corresponding principal name. The attribute authority consults the GridShib Name Mapper when it needs to map a DN to a principal name.
-
What is the GridShib Name Mapper?
-
The GridShib Name Mapper is a container for name mappings. A name mapping may be stored in a file or a table. The GridShib Certificate Registry, for example, stores name mappings in a table.
-
Does the GridShib Certificate Registry require a third-party relational database?
-
By default, the GridShib Certificate Registry uses an embedded database called Derby. Very little setup is required to use Derby out of the box.
-
Do I have to use Derby?
-
Of course not! You may use any relational database for which there is a suitable JDBC driver (such as MySQL). The database requirements of the Certificate Registry are, in fact, quite minimal.
-
What is the GridShib Certification Authority?
-
The GridShib Certification Authority (CA) issues short-lived X.509 credentials to individuals who do not already have them. These credentials may be used to authenticate to Grid resources. Since the online GridShib CA is shib-enabled, an individual authenticates to the GridShib CA using their institutional username and password.
-
What is this umask thing?
-
On Unix systems each file has a set of permissions that controls who can read and write the file. The umask setting determines the default permissions on new files created by you or by applications that you run.
-
Why does the GridShib CA care about the umask?
-
When your web browser launches the Java Web Start file used by the GridShib CA to download your credentials, the browser writes a file to the temporary directory used by Java Web Start. This file contains a secret value (specifically, the Shibboleth session id) used by the Java Web Start application. If your umask is set insecurely, this temporary file could be read by other users on your system and used to impersonate you and get a copy of your Grid credential from the GridShib CA.
-
How do I set the umask under Unix?
-
Use the umask command to set the umask under Unix, and then launch your web browser from the same shell. For example:
    % umask 077
    % netscape &
You can also put the umask 077 command into your ~/.cshrc file.
-
How do I set the umask under Mac OS X?
-
For Tiger: You can use the same method for setting the umask as described for Unix above. However, if you want to set the umask for applications launched via the Dock or through the GUI under Mac OS X, you need to edit the file /Library/Preferences/.GlobalPreferences.plist. (Note: if you don't have root access, you can do this for just yourself by editing ~/Library/Preferences/.GlobalPreferences.plist instead.)
Basically, you need to add the following lines to the .GlobalPreferences.plist file and then log out and log back in:
<key>NSUmask</key>
<integer>63</integer>
A couple of things to note:
For Leopard: As root, edit (or create if it does not exist) /etc/launchd.conf and add the line:
umask 077
Then restart your system.
Note: Under Leopard, this causes problems with CarbonEmacs and file locking, I'm working on a solution.
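As an added example (not part of the GridShib documentation or software), the following POSIX shell script shows what the umask does to a new file's permissions, scans a directory for files that other accounts could read (the exposure described for the Java Web Start temporary file), and converts an octal umask to the decimal NSUmask value used in the plist above. The file names it creates are constructed in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the GridShib project. All files are created in a
# scratch directory made with mktemp; no real Java Web Start cache is touched.

# Create one empty file under the given umask and print its mode string,
# e.g. "-rw-------". The subshell keeps the caller's umask unchanged.
mode_under_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/newfile" ) || return 1
    ls -l "$dir/newfile" | cut -c1-10
    rm -rf "$dir"
}

# Print each regular file in directory $1 that group or other accounts may
# read. In the ls mode string, character 5 is group-read and character 8 is
# other-read; a user-only file such as "-rw-------" has neither.
readable_by_others() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        mode=$(ls -l "$f" | cut -c1-10)
        case "$mode" in
            ????r*|???????r*) echo "$f" ;;
        esac
    done
}

# Convert an octal umask such as 077 to the decimal value expected by the
# NSUmask key in .GlobalPreferences.plist (077 octal is 63 decimal).
nsumask_value() {
    printf '%d\n' "0$1"
}

# Stand-alone demonstration: two constructed files written under different
# umasks, then the scan that reports only the one other accounts could read.
run_demo() {
    demo=$(mktemp -d)
    ( umask 077 && : > "$demo/session_private" )
    ( umask 022 && : > "$demo/session_leaky" )
    echo "umask 077 gives: $(mode_under_umask 077)"
    echo "umask 022 gives: $(mode_under_umask 022)"
    echo "readable by other accounts:"
    readable_by_others "$demo"
    echo "NSUmask for 077: $(nsumask_value 077)"
    rm -rf "$demo"
}

run_demo
```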
-
What about umask under Windows?
-
Windows systems are typically single-user systems with more complicated file permission settings. At this time there do not appear to be any concerns under Windows.
-
What are the GridShib SAML Tools?
-
The GridShib SAML Tools issue or request SAML assertions and optionally bind these assertions to X.509 proxy certificates.
-
What is a proxy certificate?
-
A proxy certificate is a kind of X.509 certificate. Proxy certificates are short-lived certificates signed by a user's end entity certificate.
-
Why would I want to bind SAML to X.509 proxy certificates? Can't I just use VOMS?
-
Sure, VOMS is a well-established approach to attribute-based authorization for grids, especially in Europe. The advantage of SAML over VOMS attribute certificates is that SAML can be readily obtained from campuses (thanks to Shibboleth), so the GridShib approach is easier to integrate into existing campus identity management infrastructure.
-
What are the technical requirements of the GridShib SAML Tools?
-
The GridShib SAML Tools are a complete, standalone software package. The only software requirements are Java 1.4 (or later) and Ant 1.5 (or later). If you want to run the optional unit tests, JUnit is also required.
-
What is the relationship between the Globus SAML Library and OpenSAML (from the OpenSAML Project)?
-
The Globus SAML Library is derived from OpenSAML 1.1. Since development of OpenSAML 1.1 has stopped, Globus forked OpenSAML and enhanced it.
-
What enhancements have been added to the Globus SAML Library?
-
The Globus SAML Library includes some classes and unit tests not included in the original OpenSAML distribution. Most importantly, the Globus SAML Library includes an implementation of the SAML V2.0 Metadata schema (ported from Shibboleth 1.3).
-
Are the GridShib SAML Tools designed for end users?
-
Yes, you can use the SAML Tools to self-assert SAML attributes (using the SAML Assertion Issuer Tool) or to obtain SAML attributes from a Shibboleth AA (using the SAML Attribute Query Client). You can also use the GridShib SAML Tools to help GridShib for GT discover your preferred identity provider (by pushing the unique identifier of your IdP).
-
So the GridShib SAML Tools are exclusively client tools?
-
No, middleware architects and portal developers can use the SAML Tools to issue community-based proxy certificates on behalf of their users. In fact, this is probably the most important use of the GridShib SAML Tools.
-
Can GridShib SAML Tools resolve attributes from arbitrary data sources?
-
GridShib SAML Tools v0.3.0 (and later) include a fully functional Shibboleth Attribute Resolver. Thus the SAML Tools can resolve attributes from many sources including LDAP, SQL databases, and so forth.
-
Are the GridShib SAML Tools compatible with GridShib for GT?
-
Yes, the GridShib SAML Tools are compatible with GridShib for GT. In fact, both the GridShib SAML Tools and GridShib for GT rely on the GridShib Security Framework, which is bundled and distributed as a single JAR file (gridshib-common.jar).
-
What is the GridShib Security Framework?
-
The GridShib Security Framework is a Java API for producing and consuming X.509-bound SAML assertions. The GridShib SAML Tools use the Security Framework to produce X.509-bound SAML assertions, and GridShib for GT uses it to consume them. Portal developers, for example, can use the GridShib Security Framework to introduce SAML into their grid security infrastructure.
-
What happened to the GridShib Authentication Assertion Client?
-
The GridShib Authentication Assertion Client was the precursor to the SAML Assertion Issuer Tool, a powerful tool for binding SAML to X.509 proxy certificates.
-
What happened to the Shibboleth IdP Tester?
-
The Shibboleth IdP Tester was refactored and incorporated into the GridShib SAML Tools as the SAML Attribute Query Client. The latter is a generalized client that queries a standard SAML Attribute Authority (AA) such as a Shibboleth AA.