SHEBANGS aims to develop a bridge enabling a user authenticated by a trusted Shibboleth IdP to acquire (or delegate) temporary credentials to access resources on the National Grid Service. Our method assumes a user equipped with a standard Web browser. It makes use of a standard MyProxy server, requires no modifications to Shibboleth or Globus middleware, but may necessitate minor modifications to a Web portal such as the NGS portal.

SHEBANGS: Shibboleth Enabled Bridge to Access the National Grid Service

 As a result of the JISC’s strategic investment in federated access management, we look forward to an environment in which a growing wealth of UK services will support Shibboleth protocols to refer users to their home institutions for authentication. The JISC also provides funding to the National Grid Service (NGS), in the form of hardware and personnel at the four core nodes CLRC (RAL), and the Universities of Leeds, Oxford and Manchester. The NGS relies on the Grid Security Infrastructure (GSI – essentially a Public Key Infrastructure with extensions to support delegation through proxy certificates), as do most production Grids today. Whereas the size of the NGS user community is measured in hundreds, the potential size of the community supported by Shibboleth Identity Providers (IdP) can be estimated by the number of Athens usernames today (more than three million). While it is reasonable to expect that the number of direct users of the NGS (people prepared to care for their own UK e-Science certificates) will grow to thousands, it is likely that this will be orders of magnitude smaller than the number of Shibboleth users. Therefore it is strategically urgent for the NGS to gain leverage from JISC’s investment in a federated infrastructure. We address this issue by proposing a method, and implementation plan, to make the NGS, and services provisioned using NGS resources, accessible to end users without UK e-Science certificates.

Aims and Objectives

We aim to develop a bridge enabling a user authenticated by a trusted Shibboleth IdP to acquire (or delegate) temporary credentials to access resources on the National Grid Service. Our method assumes a user equipped with a standard Web browser. It makes use of a standard MyProxy server, requires no modifications to Shibboleth or Globus middleware, but may necessitate minor modifications to a Web portal such as the NGS portal.  

Outputs

The deliverables of the project will be:

  1. “VOMS::Lite”: Lightweight tools (Perl modules) for manufacturing GSI credentials with VOMS extensions, with embedded documentation (pod).
  2. A fully functional Credential Translation Service (CTS) as described above (software).
  3. Documentation: CTS Installation Guide.
  4. Documentation: CTS Developers Guide (Guidelines for Grid Portal Developers on Using SHEBANGS CTS).
  5. Final report.

In addition, we will produce a demonstrator and testbed comprising the CTS, a sample WAYF service, a mock portal, IdPs from MIMAS and the FAME-Permis component, a MyProxy server and NGS-compatible Grid resources. We also intend to prepare a paper for submission to a suitable journal or conference.

Project Outcomes

Middleware will be developed to allow a large community of potential users to access grid resources on the National Grid Service without having to possess, or manage, their own digital certificates. The complex nature of grid authentication and authorisation will be hidden from users accessing grids and replaced by the familiar access mechanisms provided by their institutions through Shibboleth.

The CTS developed in this project will demonstrate how membership of Virtual Organisations in today's grids need not be restricted to the set of users who already possess grid credentials. The service produced will be simple to install and deployable at any emerging or established VO which runs a web server.

SHEBANGS, through its final report and other dissemination mechanisms, will provide feedback:

  • to the Internet2 community, as it further develops Shibboleth;
  • to JISC, as it explores the details of Shibboleth GSI and VOMS integration;
  • to the grid community;
  • to the authentication authorities in the UK and elsewhere, where the concept of security of online credential management is still a difficult subject; and
  • to authorisation authorities which are still searching for good methods of distributing authority.

Summary
Start date: 21 November 2006
End date: 21 February 2007
Funding programme: Core Middleware: Technology Development programme
Project website