Start date: 21 November 2006
End date: 21 February 2007
Funding programme: Core Middleware: Technology Development programme
Project website: http://www.mc.manchester.ac.uk/research/projects/
As a result of the JISC’s strategic investment in
federated access management, we look forward to an environment in which a
growing wealth of UK services will support Shibboleth protocols to refer
users to their home institutions for authentication. The JISC also provides
funding to the National Grid Service (NGS), in the form of hardware and
personnel at the four core nodes CLRC (RAL), and the Universities of Leeds,
Oxford and Manchester. The NGS relies on the Grid Security Infrastructure
(GSI – essentially a Public Key Infrastructure with extensions to support
delegation through proxy certificates), as do most production Grids today.
Whereas the size of the NGS user community is measured in hundreds, the
potential size of the community supported by Shibboleth Identity Providers
(IdP) can be estimated by the number of Athens usernames today (more than
three million). While it is reasonable to expect that the number of direct
users of the NGS (people prepared to care for their own UK e-Science
certificates) will grow to thousands, it is likely that this will be orders
of magnitude smaller than the number of Shibboleth users. Therefore it is
strategically urgent for the NGS to gain leverage from JISC’s investment in
a federated infrastructure. We address this issue by proposing a
method, and implementation plan, to make the NGS, and services provisioned
using NGS resources, accessible to end users without UK e-Science
certificates.
Aims and Objectives
We aim to develop a bridge enabling a user authenticated by a trusted
Shibboleth IdP to acquire (or delegate) temporary credentials to access
resources on the National Grid Service. Our method assumes a user equipped
with a standard Web browser. It makes use of a standard MyProxy server,
requires no modifications to Shibboleth or Globus middleware, but may
necessitate minor modifications to a Web portal such as the NGS
portal.
Outputs
The deliverables of the project will be:
- “VOMS::Lite”: Lightweight tools (Perl modules) for manufacturing GSI
credentials with VOMS extensions, with embedded documentation (pod).
- A fully functional Credential Translation Service as described above
(software).
- Documentation: CTS Installation Guide.
- Documentation: CTS Developers Guide (Guidelines for Grid Portal
Developers on Using SHEBANGS CTS).
- Final report.
In addition, we will produce a demonstrator and testbed comprising CTS,
sample WAYF service, mock portal, IdPs from MIMAS and the FAME-Permis
component, a MyProxy server and NGS-compatible Grid resources. We also
intend to prepare a paper for submission to a suitable journal or
conference.
Project Outcomes
Middleware will be developed to allow a large community of potential
users to access grid resources on the National Grid Service without having
to possess, or manage, their own digital certificates. The complex nature
of grid authentication and authorisation will be hidden from users
accessing grids and replaced by the familiar access mechanisms provided by
their institutions through Shibboleth.
The CTS developed in this project will demonstrate that membership of
Virtual Organisations in today's grids need not be restricted to the
set of users who already possess grid credentials. The service
produced will be simple to install and deployable at any emerging or
established VO which runs a web server.
SHEBANGS, through its final report and other dissemination mechanisms, will
provide feedback:
- to the Internet2 community, as it further develops Shibboleth;
- to JISC, as it explores the details of Shibboleth, GSI and VOMS
integration;
- to the grid community;
- to the authentication authorities in the UK and elsewhere, where the
security of online credential management is still a difficult
subject; and
- to authorisation authorities which are still searching for good methods
of distributing authority.