Shibboleth Enabled Bridge to Access the National Grid Service (SHEBANGS)
The aim of SHEBANGS was to develop a bridge to enable a user authenticated by a trusted Shibboleth IdP to acquire (or delegate) temporary credentials to access resources on the National Grid Service.
Executive Summary
As a result of the JISC’s strategic investment in Shibboleth, we look forward to an environment in which a growing wealth of UK services will support Shibboleth protocols to refer users to their home institutions for authentication. The JISC also provides funding to the National Grid Service (NGS). The NGS relies on the Grid Security Infrastructure (GSI – essentially a Public Key Infrastructure with extensions to support delegation), as do most production Grids today. These two security infrastructures are disjoint. Bridging the gap is a matter of urgency.
The earlier U.S. project GridShib addressed the problem of allowing Grid services to obtain attributes from (modified) Shibboleth servers in order to facilitate authorization decisions. SHEBANGS and our sister project ShibGrid seek to bridge the gap in the opposite direction, i.e. to allow Shibboleth-authenticated users to access the Grid. The specific, high-level scenario that SHEBANGS addresses is as follows. An end-user, belonging to an organisation that operates a Shibboleth IdP, wishes to access some NGS resources or services provisioned using NGS resources. Moreover, the end-user is assumed (a) not to possess a digital certificate of the kind normally required to access the NGS, (b) to have no training in Grid computing, (c) not to have installed any Grid client software, and (d) to belong to a Virtual Organisation (VO) that is recognised by the NGS and whose members inherit a right to use NGS resources. We believe that a solution to this problem will have high impact.
Our overall approach and architecture are essentially unchanged from the original proposal. At the risk of over-simplification, SHEBANGS has developed a Credential Translation Service (CTS) that translates Shibboleth credentials (which the NGS cannot consume) into short-lived, VOMS-extended GSI credentials (which it can), in a manner that enables the NGS to make a subsequent authorisation decision. We envisage a community model in which a VO is sufficiently well-founded to offer (for example, via a web portal) to its members services that are themselves enabled by the NGS. Hence the deliverables of SHEBANGS are aimed primarily at developers of community portals.
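The translation step described above, as an added illustration in Python (this is not SHEBANGS or VOMS::Lite code): the IdP assertion's issuer, validity window, scoped principal name and VO group membership are checked, and only then is a request for a short-lived, VOMS-extended credential built. The trust tables, attribute names, subject DN layout, sample assertion and 12-hour lifetime cap are assumptions of the example; minting and VOMS-extending the actual proxy certificate, which GSI tooling would do next, is out of scope here.

```python
"""Toy credential-translation decision, in the spirit of the CTS described
above.  Added illustration only: not SHEBANGS or VOMS::Lite code.  Trust
tables, attribute names, DN layout and the lifetime cap are assumptions;
a real CTS would hand the approved request to GSI tooling to mint and
VOMS-extend the short-lived proxy certificate."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Constructed trust configuration: SAML entityID -> the attribute scope that
# IdP is registered to assert (federation metadata would supply both).
TRUSTED_IDPS: Dict[str, str] = {
    "https://idp.example.ac.uk/shibboleth": "example.ac.uk",
}

# Constructed VO configuration: VOMS groups the Grid side recognises.
RECOGNISED_GROUPS = {"/vo.example.org", "/vo.example.org/users"}

# Upper bound on the lifetime of any credential the CTS will request
# (value assumed for the example; the point is that it is short).
MAX_LIFETIME = timedelta(hours=12)


@dataclass
class Assertion:
    """The parts of a Shibboleth/SAML assertion the translation step needs."""
    issuer: str                         # IdP entityID
    not_before: datetime                # SAML Conditions window
    not_on_or_after: datetime
    attributes: Dict[str, List[str]]    # e.g. eduPersonPrincipalName, isMemberOf


class TranslationRefused(Exception):
    """Raised when no credential may be issued for this assertion."""


def translate(assertion: Assertion, now: datetime,
              requested_lifetime: timedelta) -> dict:
    """Validate an IdP assertion and build the request for a short-lived,
    VOMS-extended credential.  Refuses rather than guesses on any doubt."""
    # 1. Only assertions from a federation IdP we trust are acceptable input.
    scope = TRUSTED_IDPS.get(assertion.issuer)
    if scope is None:
        raise TranslationRefused(f"untrusted IdP {assertion.issuer}")

    # 2. Honour the assertion's own validity window.
    if not (assertion.not_before <= now < assertion.not_on_or_after):
        raise TranslationRefused("assertion outside its validity window")

    # 3. Exactly one principal name, whose scope must be the one this IdP is
    #    registered for, so one IdP cannot assert identities for another.
    eppns = assertion.attributes.get("eduPersonPrincipalName", [])
    if len(eppns) != 1 or "@" not in eppns[0]:
        raise TranslationRefused("missing or ambiguous eduPersonPrincipalName")
    eppn = eppns[0]
    if eppn.rsplit("@", 1)[1] != scope:
        raise TranslationRefused(
            f"scope of {eppn} not registered to {assertion.issuer}")

    # 4. VO membership: keep only groups the Grid side recognises; with none
    #    left there is nothing the NGS could authorise, so issue nothing.
    groups = [g for g in assertion.attributes.get("isMemberOf", [])
              if g in RECOGNISED_GROUPS]
    if not groups:
        raise TranslationRefused("no recognised VO membership asserted")
    # VOMS fully qualified attribute names: group, role and capability.
    fqans = [f"{g}/Role=NULL/Capability=NULL" for g in sorted(groups)]

    # 5. Lifetime is the smaller of what was asked for and the hard cap.
    lifetime = min(requested_lifetime, MAX_LIFETIME)

    # 6. Deterministic subject DN derived from the asserted identity, so the
    #    same person always maps to the same Grid identity (layout assumed).
    subject_dn = f"/O=SHEBANGS-demo/OU={scope}/CN={eppn}"

    return {"subject_dn": subject_dn, "fqans": fqans,
            "lifetime_seconds": int(lifetime.total_seconds())}


# Constructed sample assertion from the trusted IdP.
NOW = datetime(2007, 9, 10, 12, 0, tzinfo=timezone.utc)
SAMPLE = Assertion(
    issuer="https://idp.example.ac.uk/shibboleth",
    not_before=NOW - timedelta(minutes=1),
    not_on_or_after=NOW + timedelta(minutes=5),
    attributes={
        "eduPersonPrincipalName": ["alice@example.ac.uk"],
        "isMemberOf": ["/vo.example.org/users", "/other.vo/staff"],
    },
)

# Constructed spoof attempt: the trusted IdP asserts a principal in a scope
# it is not registered for.
SPOOFED = replace(SAMPLE, attributes={
    "eduPersonPrincipalName": ["bob@other.ac.uk"],
    "isMemberOf": ["/vo.example.org/users"],
})


def demo() -> dict:
    """Translate the sample assertion, asking for more lifetime than allowed."""
    return translate(SAMPLE, NOW, timedelta(hours=24))


def refusal_reason(assertion: Assertion) -> str:
    """Return why translation was refused, or "" if a request was built."""
    try:
        translate(assertion, NOW, timedelta(hours=1))
    except TranslationRefused as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print(demo())
    print("spoofed:", refusal_reason(SPOOFED))
```

The unrecognised group (`/other.vo/staff`) is dropped rather than forwarded, the 24-hour request is cut to the 12-hour cap, and the spoofed principal is refused outright; the order of the checks matters, since the scope check is only meaningful once the issuer has been identified as a trusted IdP.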
SHEBANGS has delivered a full implementation of the CTS, including inter alia a re-usable Perl module VOMS::Lite (which gives access to the essential – for our purposes – capabilities of VOMS with a much reduced set of dependencies), and an on-line demonstrator. The source of all the SHEBANGS software is available from the SHEBANGS project web site under a dual licence scheme (either the Perl Artistic License or the FreeBSD licence, at the user's discretion). SHEBANGS has been disseminated at numerous workshops, and a paper [AHM07] has been accepted by the UK e-Science All Hands Meeting 2007.
Although SHEBANGS has proven that its approach is technically feasible, further work is still required in this area. Limited deployments are likely to occur in the context of normal NGS activities. However, a holistic rationalisation and integration of the outputs of SHEBANGS and ShibGrid is required to address a broader range of use cases than either can address alone; a preliminary analysis undertaken by SHEBANGS and ShibGrid participants informed the FUSINGS proposal, but this was unsuccessful. More discussion is needed to establish community consensus on the general topic of deployment scenarios (especially establishment of trust) in the context of the policy of both Identity Management federations (on the Shibboleth side) and Certification Authorities (on the Grid side).