• Subscribe

iSGTW Feature - Achieving interoperability between Shibboleth and gLite

Feature - Achieving interoperability between Shibboleth and gLite

The Short Lived Credential Service allows users to access the grid with easy-to-use credentials.
Image copyright Marcel Reich

Grid security has long relied on public key infrastructure (PKI) technology, yet in recent years other security models have become widespread, most notably the concept of federated identity.

Can these models achieve interoperability?

Grid users are traditionally authenticated using X.509 certificates, which are issued by accredited Certification Authorities and are valid for one year. When interacting with grid services, these users typically present a short-lived proxy certificate, derived from this longer-lived X.509 certificate.

In an environment based on federated identity, users identify themselves differently. This newer process comprises two clearly decoupled steps: authentication, which takes place at an Identity Provider; and authorization, which occurs at the Service Provider. Each Service Provider is free to decide whether to authenticate a user, based on information obtained from the Identity Provider.

Within the academic and research sector, many European countries have started to deploy national Authentication and Authorization Infrastructures (AAI) based on federated identity.

Often these efforts are initiated and coordinated by the National Research and Education Networks. In Switzerland, for example, the Swiss NREN "SWITCH" and its partners operate one of the most advanced AAIs in Europe, with 75% of all members of the Swiss academic system having an AAI account.

Shibboleth is standards-based open source middleware which provides Web Single SignOn (SSO) across or within organizational boundaries, allowing sites to make informed authorization decisions in a privacy-preserving manner.
Images courtesy of Internet2

AAI in academia and research

The open-source middleware Shibboleth is currently the most favored AAI software implementation and its interoperability with grid middleware offers solid benefits.

First and foremost, many members of the academic and research sectors already have AAI credentials, since AAIs such as Shibboleth have been implemented in many campus identity management systems.

Thus interoperability between AAIs and grid middleware smoothly expands the potential user-base for grids to encompass the entire academic sector.

Secondly, X.509 credentials, while very powerful, are difficult to handle securely and efficiently. Often certificates have to be translated from one format to another, or imported and exported from browsers. In addition, they either have to be installed on every host from which the user accesses grid services, or they have to be stored in central credential stores.

Interoperability SWITCHed on

Within Enabling Grids for E-sciencE, SWITCH has developed two services that enable basic interoperability between Shibboleth and gLite, the EGEE middleware.

The first is the Short Lived Credential Service (SLCS), which issues an X.509 certificate upon successful authentication at a Shibboleth Identity Provider. This certificate is invisible for the average user and can be used to access grid services for one million seconds (approximately eleven days). SLCS was accredited by the International Grid Trust Federation in February 2007 and is now being deployed in Switzerland.

The second service developed by SWITCH is the Shibboleth Service Provider. By accessing this web-based service, users can authorize the release of a subset of their personal AAI attributes to VOMS, the EGEE Virtual Organization Management Service. VOMS in turn will add these attributes to the user's proxy certificate. There is one instance of this Shibboleth Service Provider per virtual organization within a Shibboleth federation.

Within the EGEE collaboration, SWITCH is continuing to implement more advanced features, such as enabling central grid services to act as Shibboleth Service Providers.

- Christoph Witzig, SWITCH

Join the conversation

Do you have story ideas or something to contribute? Let us know!

Copyright © 2023 Science Node ™  |  Privacy Notice  |  Sitemap

Disclaimer: While Science Node ™ does its best to provide complete and up-to-date information, it does not warrant that the information is error-free and disclaims all liability with respect to results from the use of the information.


We encourage you to republish this article online and in print, it’s free under our creative commons attribution license, but please follow some simple guidelines:
  1. You have to credit our authors.
  2. You have to credit ScienceNode.org — where possible include our logo with a link back to the original article.
  3. You can simply run the first few lines of the article and then add: “Read the full article on ScienceNode.org” containing a link back to the original article.
  4. The easiest way to get the article on your site is to embed the code below.