Feature - Achieving interoperability between Shibboleth and gLite
Grid security has long relied on public key infrastructure (PKI) technology, yet in recent years other security models have become widespread, most notably the concept of federated identity.
Can these models achieve interoperability?
Grid users are traditionally authenticated using X.509 certificates, which are issued by accredited Certification Authorities and are valid for one year. When interacting with grid services, these users typically present a short-lived proxy certificate, derived from this longer-lived X.509 certificate.
In an environment based on federated identity, users identify themselves differently. This newer process comprises two clearly decoupled steps: authentication, which takes place at an Identity Provider; and authorization, which occurs at the Service Provider. Each Service Provider is free to decide whether to authenticate a user, based on information obtained from the Identity Provider.
Within the academic and research sector, many European countries have started to deploy national Authentication and Authorization Infrastructures (AAI) based on federated identity.
Often these efforts are initiated and coordinated by the National Research and Education Networks. In Switzerland, for example, the Swiss NREN "SWITCH" and its partners operate one of the most advanced AAIs in Europe, with 75% of all members of the Swiss academic system having an AAI account.
AAI in academia and research
The open-source middleware Shibboleth is currently the most favored AAI software implementation and its interoperability with grid middleware offers solid benefits.
First and foremost, many members of the academic and research sectors already have AAI credentials, since AAIs such as Shibboleth have been implemented in many campus identity management systems.
Thus interoperability between AAIs and grid middleware smoothly expands the potential user-base for grids to encompass the entire academic sector.
Secondly, X.509 credentials, while very powerful, are difficult to handle securely and efficiently. Often certificates have to be translated from one format to another, or imported into and exported from browsers. In addition, they either have to be installed on every host from which the user accesses grid services, or they have to be stored in central credential stores.
Interoperability SWITCHed on
SWITCH has developed two services that bridge Shibboleth and the gLite grid middleware. The first is the Short Lived Credential Service (SLCS), which issues an X.509 certificate upon successful authentication at a Shibboleth Identity Provider. This certificate is invisible to the average user and can be used to access grid services for one million seconds (approximately eleven days). SLCS was accredited by the International Grid Trust Federation in February 2007 and is now being deployed in Switzerland.
The second service developed by SWITCH is the Shibboleth Service Provider. By accessing this web-based service, users can authorize the release of a subset of their personal AAI attributes to VOMS, the EGEE Virtual Organization Management Service. VOMS in turn will add these attributes to the user's proxy certificate. There is one instance of this Shibboleth Service Provider per virtual organization within a Shibboleth federation.
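The decoupled flow described above (authentication at the Identity Provider, user-controlled release of a subset of attributes, authorization at the Service Provider) can be traced in a small model. The following is an added example written for this page; it is not SWITCH, Shibboleth, VOMS or gLite code. It collapses the per-VO Service Provider and VOMS into one `sp_authorize` step, uses an HMAC over a JSON payload as a stand-in for the XML signature on a real SAML assertion, and the user record, shared key, audience name, assertion lifetime and VO admission rule are all constructed assumptions.

```python
"""Toy model of federated identity as described in the article: the Identity
Provider authenticates and asserts attributes; the Service Provider verifies the
assertion and authorizes on the released attributes alone. Added example only;
not code from Shibboleth, SWITCH, VOMS or gLite."""
import hashlib
import hmac
import json
import time

# Constructed sample data (assumptions): a key shared between IdP and SP that
# stands in for the IdP's signing certificate, and a single user record.
FEDERATION_KEY = b"constructed-shared-secret-not-a-real-key"
SALT = b"constructed-salt"
USER_DB = {
    "alice": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
        "attributes": {
            "homeOrganization": "example-university.ch",  # constructed value
            "affiliation": "staff",
            "mail": "alice@example-university.ch",          # constructed value
            "dateOfBirth": "1980-01-01",                     # constructed value
        },
    }
}
AUDIENCE = "voms.example-vo"     # assumed name of the relying VO service
ASSERTION_LIFETIME = 300         # assumed: seconds an assertion stays acceptable


def _sign(payload: dict) -> str:
    """Stand-in for the assertion signature: HMAC over canonical JSON."""
    data = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(FEDERATION_KEY, data, hashlib.sha256).hexdigest()


def idp_authenticate(user: str, password: str, release: set, now=None):
    """Identity Provider step. Returns a signed assertion on success, else None.
    Only attributes the user agreed to release (the `release` set) are included,
    mirroring the attribute-release consent described in the article."""
    now = time.time() if now is None else now
    rec = USER_DB.get(user)
    if rec is None:
        return None
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    if not hmac.compare_digest(digest, rec["pw_hash"]):
        return None
    released = {k: v for k, v in rec["attributes"].items() if k in release}
    payload = {
        "subject": user,
        "issued": now,
        "expires": now + ASSERTION_LIFETIME,
        "audience": AUDIENCE,
        "attributes": released,
    }
    return {"payload": payload, "sig": _sign(payload)}


# Assumed VO admission rule: only staff and students of federation members.
VO_POLICY = {"affiliation": {"staff", "student"}}


def sp_authorize(assertion, now=None) -> dict:
    """Service Provider step (the VO's Service Provider / VOMS in the article).
    Verifies signature, audience and validity window, then decides authorization
    purely from the released attributes; the SP never sees the password."""
    now = time.time() if now is None else now
    if assertion is None:
        return {"authorized": False, "reason": "no assertion"}
    payload = assertion["payload"]
    if not hmac.compare_digest(_sign(payload), assertion["sig"]):
        return {"authorized": False, "reason": "bad signature"}
    if payload["audience"] != AUDIENCE:
        return {"authorized": False, "reason": "wrong audience"}
    if now >= payload["expires"]:
        return {"authorized": False, "reason": "expired"}
    attrs = payload["attributes"]
    for name, allowed in VO_POLICY.items():
        if attrs.get(name) not in allowed:
            return {"authorized": False, "reason": f"missing or unacceptable {name}"}
    return {"authorized": True, "subject": payload["subject"], "attributes": attrs}


if __name__ == "__main__":
    t0 = 1_700_000_000
    a = idp_authenticate("alice", "correct horse", {"homeOrganization", "affiliation"}, now=t0)
    print(sp_authorize(a, now=t0 + 10))
```

Two points the model makes visible: the SP reaches its decision without ever handling the user's password, and a user who withholds the `affiliation` attribute is authenticated by the IdP yet refused by the SP, which is exactly the separation of the two steps the article describes.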
Within the EGEE collaboration, SWITCH is continuing to implement more advanced features, such as enabling central grid services to act as Shibboleth Service Providers.
- Christoph Witzig, SWITCH