New Directions in Attribute-based Authorization for Grids
Tom Scavo
National Center for Supercomputing Applications

Tim Freeman
University of Chicago
Globus Security

GridShib, a Globus Incubator Project, was introduced in an interview with Von Welch and Frank Siebenlist in this Journal in September 2006.  Since then, the focus of the Project has evolved and new software components have been developed and released.

Today the GridShib Project distributes four software components:

  1. GridShib for Globus Toolkit
  2. GridShib for Shibboleth
  3. GridShib Certificate Authority
  4. GridShib SAML Tools

These four components can be combined in various ways to support different deployment scenarios. As described in the earlier interview, GridShib for Globus Toolkit and GridShib for Shibboleth together give Globus Toolkit the ability to query for attributes from the Attribute Authority component of a Shibboleth Identity Provider, which allows for attribute-based authorization of users with existing Grid credentials.  The GridShib Certificate Authority (CA) is a Shib-enabled online CA that makes it easy for new Grid users to obtain short-term grid credentials using their existing campus authentication. The GridShib SAML Tools provide a new set of capabilities that allow for web portals and other client applications to both produce and pass along SAML attributes.

In the remainder of this article we discuss some of the technical underpinnings of these technologies and their use of attributes of various kinds.  We also discuss work to enable greater compatibility with X.509-based attributes from the Virtual Organization Membership Service (VOMS).

GridShib Project Overview

Early on, GridShib for Globus Toolkit based its attribute query on the Subject DN of the client certificate.  Classic GridShib (as we like to call it) is well understood and well documented.  However, Classic GridShib does not address the so-called "Identity Provider Discovery" problem.  Instead, the unique identifier of the identity provider (called an entityID) is configured directly into Globus Toolkit, which is an obvious limitation.

To address this shortcoming, GridShib for Globus Toolkit will formulate an attribute query based on a SAML authentication assertion embedded in an X.509 proxy certificate extension.  The SAML Subject of the query and the entityID of the IdP are taken directly from the bound SAML assertion.  This functionality is available today.

Over the last six months, we have designed and developed tools that bind an arbitrary SAML assertion to an X.509 certificate.  In particular, the tools will issue and bind a SAML AttributeStatement in addition to an AuthenticationStatement.  The resulting assertion is self-issued, that is, the issuer of the assertion is the issuer of the certificate.  Some possible use cases are given later in this article.

The next version of GridShib for Globus Toolkit (v0.6.0) will consume X.509-bound SAML assertions and will base its access control decision on the authentication context and attributes contained therein.  This is an important next step for our project.

VOMS

In the meantime, GridShib for Globus Toolkit v0.5.1 consumes X.509 attribute certificates today.  The Virtual Organization Membership Service (VOMS) allows clients to bind X.509 attribute certificates to proxy certificates. These attribute certificates can be used to make access control and local user ID mapping decisions.

Support for VOMS in GridShib gives Globus Toolkit v4.0.x deployments three alternative access control and user ID mapping methods: traditional gridmap files, VOMS, and SAML.  In fact, a single service can be configured to support all three methods simultaneously.  When one method fails, the processing automatically moves on to the next.  In the current development version of Globus Toolkit (v4.1.x), and later in GT 4.2, it will be possible to chain arbitrary authorization methods in this manner.  We are supporting this feature now for particular use cases because we anticipate that grids will continue to use the 4.0 line for some time before upgrading to GT 4.2.
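The fall-through chain described above, as an added example in Python; it is not GridShib or Globus Toolkit code. The gridmap contents, the VOMS FQAN policy and the SAML attribute policy are all constructed, and the policy tables are assumptions standing in for whatever mapping files a real deployment would use. Each method either maps the caller to a local account or returns None; the first method that succeeds decides, and if all three fail the request is denied rather than falling back to a default account.

```python
# Chained access control and local user ID mapping: gridmap, then VOMS, then SAML.
# Added example, not GridShib or Globus Toolkit code. The gridmap text and both policy
# tables below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

# Constructed gridmap file in the standard Globus format: a quoted Subject DN followed by
# one or more comma-separated local accounts (the first one is the default).
GRIDMAP_TEXT = """
# constructed sample gridmap
"/C=US/O=Example Grid/CN=Alice Researcher" alice
"/C=US/O=Example Grid/CN=Bob Operator" bob,ops
"""

# Assumed policy: VOMS fully qualified attribute name (FQAN) -> pool account. Keys omit the
# "/Role=NULL" and "/Capability=NULL" components that VOMS attribute certificates carry
# for unset values; normalize_fqan() strips them from incoming FQANs.
VOMS_POLICY = {
    "/examplevo/Role=admin": "vo-admin",
    "/examplevo/analysis": "vo-analysis",
    "/examplevo": "vo-user",
}

# Assumed policy: (SAML attribute name, value) -> local account.
SAML_POLICY = {
    ("urn:mace:dir:attribute-def:eduPersonAffiliation", "member"): "campus-member",
}


@dataclass
class Request:
    """What the container knows about the caller after transport-level authentication."""
    subject_dn: str                                      # Subject DN of the (proxy) certificate
    fqans: tuple = ()                                    # FQANs from a VOMS attribute certificate, primary first
    saml_attributes: dict = field(default_factory=dict)  # attribute name -> tuple of values


def parse_gridmap(text: str) -> dict:
    """Parse gridmap lines; blank lines, comments and malformed lines are ignored."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or not line.startswith('"'):
            continue
        end = line.find('"', 1)
        if end < 0:
            continue                      # unterminated DN: skip rather than guess
        dn = line[1:end]
        accounts = [a.strip() for a in line[end + 1:].split(",") if a.strip()]
        if accounts:
            mapping[dn] = accounts[0]     # the default account is the first one listed
    return mapping


def normalize_fqan(fqan: str) -> str:
    """Drop unset Role/Capability components so policy keys can be written compactly."""
    return fqan.replace("/Capability=NULL", "").replace("/Role=NULL", "")


def gridmap_method(req: Request, gridmap: dict) -> Optional[str]:
    return gridmap.get(req.subject_dn)


def voms_method(req: Request) -> Optional[str]:
    # The VOMS server orders FQANs; the primary (first) FQAN takes precedence.
    for fqan in req.fqans:
        account = VOMS_POLICY.get(normalize_fqan(fqan))
        if account:
            return account
    return None


def saml_method(req: Request) -> Optional[str]:
    for (name, value), account in SAML_POLICY.items():
        if value in req.saml_attributes.get(name, ()):
            return account
    return None


def authorize(req: Request, gridmap: dict) -> Optional[tuple]:
    """Run the chain in order; return (method name, local account), or None if every method fails."""
    chain = (
        ("gridmap", lambda r: gridmap_method(r, gridmap)),
        ("voms", voms_method),
        ("saml", saml_method),
    )
    for name, method in chain:
        account = method(req)
        if account:
            return name, account
    return None   # fail closed: no method could map the caller to a local account


if __name__ == "__main__":
    gm = parse_gridmap(GRIDMAP_TEXT)
    print(authorize(Request("/C=US/O=Example Grid/CN=Alice Researcher"), gm))
```

The order of the chain matters: a DN listed in the gridmap is mapped before any pushed attribute is consulted, which is the behaviour a site wants when it has explicitly registered a user, and it also means a stale gridmap entry wins over a VOMS role, so gridmap hygiene stays part of the authorization policy even once attribute-based methods are in place.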

SAML Attribute Push

A future version of GridShib for Globus Toolkit will base its access control decision on both pushed and pulled attributes.  If GridShib for Globus Toolkit doesn't find the attributes it needs in the certificate, it will query. Even in the presence of push, GridShib for Globus Toolkit may choose to query for additional attributes.  Indeed, a push-pull combination makes it possible to push only benign attributes (and thereby protect privacy), leaving the option to pull critical attributes over a protected back channel.
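The push-pull decision described in this section, as an added example in Python; it is not GridShib code, and the planned v0.6.0 consumer may behave differently. The SAML 1.1 assertion, the attribute names, the policy value and the attribute-authority stand-in are all constructed; the `pull` callable is an assumption that stands in for the back-channel attribute query, and the IdP it is sent to is the Issuer taken from the bound assertion (which is how the identity provider discovery problem from the overview is sidestepped). Verification of the proxy certificate chain that carries the assertion is assumed to have already happened. The example pushes only the benign affiliation attribute and pulls the entitlement that actually gates access, which is the privacy-preserving split the paragraph above describes.

```python
# Push-pull attribute authorization from a SAML 1.1 assertion bound to a proxy certificate.
# Added example, not GridShib code: assertion, attribute names, policy value and the
# attribute-authority stand-in are constructed; proxy-chain verification is assumed done.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional
import xml.etree.ElementTree as ET

SAML1 = "{urn:oasis:names:tc:SAML:1.0:assertion}"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
ENTITLEMENT = "urn:mace:dir:attribute-def:eduPersonEntitlement"
GRID_ACCESS = "urn:mace:example.edu:entitlement:grid-access"   # assumed policy value

# Constructed assertion: an AuthenticationStatement plus an AttributeStatement that pushes
# only the benign affiliation attribute; the entitlement is deliberately left to be pulled.
BOUND_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-assertion-1"
    Issuer="https://idp.example.edu/shibboleth" IssueInstant="2007-04-01T12:00:00Z">
  <saml:Conditions NotBefore="2007-04-01T12:00:00Z" NotOnOrAfter="2007-04-01T20:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2007-04-01T11:59:30Z">
    <saml:Subject><saml:NameIdentifier>_constructed-handle-1</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>_constructed-handle-1</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


@dataclass
class BoundAssertion:
    issuer: str                    # IdP entityID: tells the consumer which IdP to query
    name_id: str                   # SAML Subject, reused as the subject of any follow-up query
    authn_method: Optional[str]    # authentication context from the AuthenticationStatement
    not_before: Optional[datetime]
    not_on_or_after: Optional[datetime]
    attributes: dict               # attribute name -> tuple of pushed values


def parse_utc(value: Optional[str]) -> Optional[datetime]:
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return None if value is None else datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_assertion(xml_text: str) -> BoundAssertion:
    """Extract issuer, subject, authentication context and attributes from a SAML 1.x assertion."""
    root = ET.fromstring(xml_text)
    if root.tag != SAML1 + "Assertion":
        raise ValueError("not a SAML 1.x Assertion")
    name_el = root.find(f".//{SAML1}Subject/{SAML1}NameIdentifier")
    if name_el is None or not (name_el.text or "").strip():
        raise ValueError("assertion has no Subject NameIdentifier")
    conditions = root.find(SAML1 + "Conditions")
    authn = root.find(SAML1 + "AuthenticationStatement")
    attributes = {}
    for attr in root.iterfind(f".//{SAML1}AttributeStatement/{SAML1}Attribute"):
        name = attr.get("AttributeName")
        values = tuple(v.text.strip() for v in attr.findall(SAML1 + "AttributeValue") if v.text)
        if name and values:
            attributes[name] = attributes.get(name, ()) + values
    return BoundAssertion(
        issuer=root.get("Issuer", ""), name_id=name_el.text.strip(),
        authn_method=None if authn is None else authn.get("AuthenticationMethod"),
        not_before=None if conditions is None else parse_utc(conditions.get("NotBefore")),
        not_on_or_after=None if conditions is None else parse_utc(conditions.get("NotOnOrAfter")),
        attributes=attributes)


def is_valid_at(a: BoundAssertion, now: datetime) -> bool:
    after_start = a.not_before is None or now >= a.not_before
    before_end = a.not_on_or_after is None or now < a.not_on_or_after
    return after_start and before_end


PullFn = Callable[[str, str, str], tuple]   # (issuer entityID, subject, attribute name) -> values

@dataclass
class Decision:
    permit: bool
    reason: str
    pushed: tuple = ()   # attribute names taken from the bound assertion
    pulled: tuple = ()   # attribute names fetched over the back channel


def authorize(xml_text: str, now: datetime, pull: PullFn,
              required: tuple = (AFFILIATION, ENTITLEMENT)) -> Decision:
    """Use pushed attributes first, pull only what is missing, then apply the policy."""
    a = parse_assertion(xml_text)
    if not a.issuer:
        return Decision(False, "no issuer in assertion; cannot choose an IdP to query")
    if not is_valid_at(a, now):
        return Decision(False, "assertion outside its validity window")
    attributes, pulled = dict(a.attributes), []
    for name in required:
        if name not in attributes:
            values = tuple(pull(a.issuer, a.name_id, name))   # IdP and subject come from the assertion
            if values:
                attributes[name] = values
                pulled.append(name)
    if GRID_ACCESS not in attributes.get(ENTITLEMENT, ()):
        return Decision(False, "required entitlement not asserted", tuple(a.attributes), tuple(pulled))
    return Decision(True, "required entitlement present", tuple(a.attributes), tuple(pulled))


# Constructed stand-in for the IdP's Attribute Authority, keyed by (entityID, subject).
AA_DIRECTORY = {("https://idp.example.edu/shibboleth", "_constructed-handle-1"): {ENTITLEMENT: (GRID_ACCESS,)}}

def sample_attribute_authority(issuer: str, name_id: str, attribute: str) -> tuple:
    return AA_DIRECTORY.get((issuer, name_id), {}).get(attribute, ())
```

Two checks in this code are the ones a consumer of bound assertions cannot skip: the Conditions window, because a proxy certificate can outlive the assertion embedded in it, and the presence of an Issuer, because without it there is no trustworthy way to pick the IdP for the pull. When the pull returns nothing the decision is a deny with the pushed attributes still recorded, which is the information an operator needs to see when debugging an unexpected refusal.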

The success of Shibboleth at campuses around the world has contributed to the proliferation of SAML in the enterprise.  Due to the prevalence of SAML, research to bridge X.509 and SAML is well underway.  The success of VOMS, coupled with the rise of SAML, leads naturally to a grid architecture that pushes SAML assertions bound to X.509 proxy certificates.

An X.509 Binding for SAML Assertions is emerging.  Researchers from OGF, Internet2, NCSA, the University of Chicago, and Argonne National Laboratory are working out the details of binding SAML assertions to X.509 certificates. The result will be an alternative to VOMS that leverages Shib-issued and VO-issued SAML assertions.

GridShib SAML Tools

A new software component called the GridShib SAML Tools issues or requests SAML assertions and optionally binds these assertions to X.509 proxy certificates.  GridShib SAML Tools v0.1.3, released in February of this year, consists of the following components:
  • SAML Assertion Issuer Tool
  • SAML Attribute Query Client
  • SAML X.509 Binding Tool
  • Globus SAML Library

The SAML Assertion Issuer Tool self-issues a SAML assertion and optionally binds this assertion to an X.509 proxy certificate.  The assertion can include up to two statements (an AuthenticationStatement and/or AttributeStatement). A significant feature of this tool is its ability to leverage a fully configured Shibboleth attribute resolver (to be bundled with GridShib SAML Tools v0.2.0).

The SAML Attribute Query Client queries a SAML Attribute Authority (AA) for attributes.  The Client validates the SAML Response and outputs the attribute assertion.  Like the SAML Assertion Issuer Tool, the SAML Attribute Query Client optionally binds this assertion to an X.509 proxy certificate.

Here are two possible use cases for the GridShib SAML Tools:

GridShib CA.  The GridShib CA is an online CA protected by a Shibboleth SP.  Using a web browser, a grid user presents their Shibboleth credentials to obtain a short-lived X.509 end-entity certificate (EEC).  Using the GridShib SAML Tools, the GridShib CA binds the SSO assertion obtained from the Shibboleth IdP to the EEC. This SSO assertion exposes the authentication context and attributes asserted by the IdP, which GridShib for Globus Toolkit can use to make an access control decision.  (This functionality will be introduced in GridShib CA v0.4.0 and GridShib for Globus Toolkit v0.6.0.)

TeraGrid Science Gateway.  GridShib is involved in a TeraGrid project to deploy an attribute-based authorization testbed at select TeraGrid Science Gateway sites (such as nanoHUB).  Using the GridShib SAML Tools, a Science Gateway issues a SAML assertion containing VO attributes and binds this assertion to an X.509 proxy certificate signed by its community credential.  The Gateway then requests a Grid Service on behalf of the user, authenticating with this attribute-laden proxy certificate.  (This scenario has been deployed by nanoHUB as a functioning prototype.)

[Figure: GridShib-nanoHUB Attribute Push]

Authorization in Globus Toolkit

Significant enhancements to the Globus Toolkit Authorization Framework have made it possible to deploy multiple authorization modules within a single container.  Arbitrarily complex policy configurations are now possible, involving logical chains of Policy Decision Points.

To summarize, in addition to traditional identity-based authorization using gridmap files, Globus Toolkit now offers the following authorization alternatives:

In particular, VOMS and GridShib (leveraging the GT4 Authorization Framework) bring concrete attribute-based authorization deployments to Globus-based grids.
