ShibGrid

Executive Summary

The NGS relies upon X509 digital certificates for user authentication. Users obtain a certificate from a centralised UK certificate authority that allows users access to all core and partner sites, and the services provided by these sites, unless a separate application procedure is required by a site (this is the case with HPCx). This mechanism for secure authentication is tied to the individual and does not allow project or organizationally managed access. This may prove a serious shortcoming for NGS as it develops and the size of the user base increases.

This project has developed prototype software that allows the integration of standard X509 certificates with Shibboleth, a system that allows authorization decisions to be made when a user from an organization requests access to online resources, not necessarily solely on the basis of who the person is, but possibly on the basis of other information about the person, such as their role in their organization. Such attributes are maintained by the user's organization and are only disclosed with the user's knowledge, so privacy is preserved. In this way authentication is devolved from the single national entities of the Grid CAs to users' home institutions; this also creates a far more scalable infrastructure in which the number of users can increase dramatically.

The project was subdivided into four key stages. The first stage was a user requirements gathering exercise, conducted primarily through our stakeholder users in DIAMOND and Integrative Biology (IB). From these requirements the ShibGrid system was developed, with users providing input to the system architecture while the OMII provided guidance on the software development cycle. The software development consisted of taking the existing NGS portal (web interface) and developing the key components that allow both Shibboleth and certificate-based authentication to be provided through a user-friendly interface. This required tools for uploading and downloading certificates, pluggable security modules to allow the transfer of Shibboleth attributes, and portlets to manage a user's low-assurance certificate issued on the basis of their Shibboleth attributes. In order to provide a broader scope for adoption by other projects, two versions of the NGS portal were ShibGrid-enabled, one built on Stringbeans and the other on uPortal.

Documentation was developed consisting of a quick-start guide, a user guide, an administrator guide (containing prerequisites and full installation instructions) and maintenance documentation, mostly in the form of code comments but also including a detailed description of the protocols involved. Users were engaged in testing, including the stakeholder user groups, who tested the system against their own use cases. The feedback provided was then used to improve the code and documentation. The resulting software has been deposited in the OMII code repository.

More information about the ShibGrid project is available.

The final report is available electronically only.

Author: All project members
Publication Date: 31 March 2007
Publication Type: Projects