GridShib and PERMIS integration

Purpose – The paper aims to describe the results of a recent GridShib-PERMIS project whose purpose was to provide policy-driven role-based access control decision-making to grid jobs, in which the user's attributes are provided by an external Shibboleth Identity Provider (IdP).

Design/methodology/approach – This was achieved by integrating the identity-federation and attribute-assignment functions of Shibboleth and the policy-based enforcement functions of PERMIS with the grid job management functions of Globus Toolkit v4.

Findings – Combining the three technologies proved to be relatively easy due to the Policy Information Point (PIP) and Policy Decision Point (PDP) Java interfaces recently introduced into Globus Toolkit v4.

Practical implications – However, a number of limitations in the current GridShib implementation were revealed, namely: the lack of support for pseudonymous access to grid resources; scalability problems because only one issuer scope domain is supported and because name mappings have to...
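The PIP/PDP split the abstract describes can be modelled in a few dozen lines: a Policy Information Point collects the attributes asserted by a Shibboleth IdP, and a Policy Decision Point maps them to roles and evaluates a role-based policy. The following is an added illustration written for this page; it is not GridShib, PERMIS or Globus Toolkit code, and the attribute names, policy contents and the scope-matching rule (a scoped value such as `staff@example.edu` is only accepted when its scope equals the asserting IdP's scope domain) are constructed assumptions.

```python
"""Constructed model of a PIP -> PDP authorization chain for grid jobs.
Not GridShib, PERMIS or Globus code; all names and policy values are made up."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttributeAssertion:
    scope: str                      # IdP scope domain, e.g. "example.edu" (assumed model)
    subject: str                    # user identifier as released by the IdP
    attributes: dict = field(default_factory=dict)  # attribute name -> list of values


class ShibbolethPIP:
    """Policy Information Point: keeps attributes only from trusted IdPs and
    drops scoped values whose scope differs from the asserting IdP (assumed rule)."""

    def __init__(self, trusted_scopes):
        self.trusted_scopes = set(trusted_scopes)

    def collect(self, assertion):
        if assertion.scope not in self.trusted_scopes:
            return {}                           # untrusted issuer: no attributes at all
        accepted = {}
        for name, values in assertion.attributes.items():
            for value in values:
                if "@" in value and value.rsplit("@", 1)[1] != assertion.scope:
                    continue                    # value scoped to a domain the IdP may not assert
                accepted.setdefault(name, []).append(value)
        return accepted


class PermisPDP:
    """Policy Decision Point: (attribute, value, scope) -> role, then role -> permissions.
    Keying on scope lets two IdPs asserting the same value map to different roles."""

    def __init__(self, role_assignment, role_permissions):
        self.role_assignment = role_assignment    # {(attr, value, scope): role}
        self.role_permissions = role_permissions  # {role: {(action, target), ...}}

    def roles_for(self, scope, attributes):
        roles = set()
        for name, values in attributes.items():
            for value in values:
                role = self.role_assignment.get((name, value, scope))
                if role is not None:
                    roles.add(role)
        return roles

    def decide(self, roles, action, target):
        for role in roles:
            if (action, target) in self.role_permissions.get(role, set()):
                return "Permit"
        return "Deny"                           # default deny: no role grants the action


def authorize(pip, pdp, assertion, action, target):
    """Full chain: PIP gathers attributes, PDP derives roles and decides."""
    attributes = pip.collect(assertion)
    roles = pdp.roles_for(assertion.scope, attributes)
    return pdp.decide(roles, action, target)


# Constructed policy: which asserted attribute grants which role, and what roles may do.
POLICY_ROLES = {
    ("eduPersonAffiliation", "staff@example.edu", "example.edu"): "grid-user",
    ("eduPersonEntitlement", "urn:mace:example.edu:grid:admin", "example.edu"): "grid-admin",
}
POLICY_PERMS = {
    "grid-user": {("submit-job", "compute-cluster")},
    "grid-admin": {("submit-job", "compute-cluster"), ("cancel-any-job", "compute-cluster")},
}
PIP = ShibbolethPIP(trusted_scopes={"example.edu"})
PDP = PermisPDP(POLICY_ROLES, POLICY_PERMS)


def demo():
    """Constructed assertions: a legitimate staff member, an assertion carrying a value
    scoped to a foreign domain, and an assertion from an IdP the grid does not trust."""
    staff = AttributeAssertion("example.edu", "alice",
                               {"eduPersonAffiliation": ["staff@example.edu"]})
    wrong_scope = AttributeAssertion("example.edu", "bob",
                                     {"eduPersonAffiliation": ["staff@other.org"]})
    stranger = AttributeAssertion("other.org", "carol",
                                  {"eduPersonAffiliation": ["staff@other.org"]})
    return {
        "staff_submit": authorize(PIP, PDP, staff, "submit-job", "compute-cluster"),
        "staff_cancel": authorize(PIP, PDP, staff, "cancel-any-job", "compute-cluster"),
        "wrong_scope": authorize(PIP, PDP, wrong_scope, "submit-job", "compute-cluster"),
        "untrusted_idp": authorize(PIP, PDP, stranger, "submit-job", "compute-cluster"),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case}: {decision}")
```

The PDP's role table is keyed on the asserting IdP's scope as well as the attribute value, so the same affiliation value from two federated IdPs can be mapped to different roles; the abstract reports that the GridShib implementation under study supported only one issuer scope domain, which is exactly the distinction this extra key provides. Default deny in `decide` means an attribute the policy does not recognise never yields a permission.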
