The innovations in Grid security will focus on improvements in usability and transparency for users and a transition to a common security solution based on industry standards.
The services that provide short-lived credentials will integrate the ability to issue Grid credentials based on a user's national or institutional authentication system. This will enable a user to use their familiar authentication system in a single sign-on manner to create and receive or delegate Grid credentials to services, easing access and removing the need for complicated key and certificate handling.
Short Lived Credential Service (SLCS)
- Issues short-lived X.509 certificates based on authentication at a Shibboleth Identity Provider, thus linking AAI and Grid infrastructures
- X.509 certificate issuing process automated and invisible to the end-user
- Will be extended within EMI into a Security Token Service, capable of handling multiple security token types (X.509, SAML, Kerberos, ...)
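As an added illustration of the SLCS flow described above (example code written for this page, not EMI or SLCS project code): a hypothetical online CA takes the attributes released by a Shibboleth IdP login, issues an end-entity X.509 certificate for a key the client generated itself, caps the lifetime, and a relying service then verifies chain, key usage, validity and lifetime. The 11-hour cap, the 5-minute freshness window for the IdP login, the DN layout and the IdPAssertion struct are all assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxSLCSLifetime caps what this hypothetical SLCS issues; assumed policy value.
const MaxSLCSLifetime = 11 * time.Hour

// IdPAssertion stands in for the attributes the Shibboleth IdP releases after the
// user logs in with their home-organisation account (hypothetical struct).
type IdPAssertion struct {
	IdPEntityID string    // which IdP vouched for the user
	Principal   string    // e.g. eduPersonPrincipalName
	AuthnTime   time.Time // when the user actually authenticated
}

// OnlineCA is the SLCS signing key and certificate.
type OnlineCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewOnlineCA creates a self-signed CA for the example.
func NewOnlineCA() (*OnlineCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example SLCS CA"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	return &OnlineCA{Cert: cert, Key: key}, nil
}

// NewUserKey is the key pair the client generates and keeps; the private half never leaves it.
func NewUserKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// IssueShortLived turns a fresh IdP assertion plus the user's public key into an
// end-entity certificate whose lifetime is capped by MaxSLCSLifetime.
func (ca *OnlineCA) IssueShortLived(a IdPAssertion, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	if a.IdPEntityID == "" || a.Principal == "" { return nil, errors.New("assertion lacks issuer or principal") }
	// A stale login must not be turned into a new credential (replay / reuse).
	if time.Since(a.AuthnTime) > 5*time.Minute { return nil, errors.New("authentication too old") }
	if lifetime <= 0 || lifetime > MaxSLCSLifetime { return nil, fmt.Errorf("requested lifetime %v outside policy", lifetime) }
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil { return nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		// DN derived from IdP attributes (assumed layout): the user never sees a CSR or a CA form.
		Subject:               pkix.Name{Organization: []string{a.IdPEntityID}, CommonName: a.Principal},
		NotBefore:             now.Add(-time.Minute), // clock-skew allowance
		NotAfter:              now.Add(lifetime),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, // IsCA stays false: end-entity only
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// VerifyGridCert is the relying service's side: chain to the SLCS CA, client-auth
// usage, validity at time 'at', and a lifetime no longer than policy allows.
func VerifyGridCert(cert, caCert *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil { return err }
	if cert.NotAfter.Sub(cert.NotBefore) > MaxSLCSLifetime+time.Minute { return errors.New("certificate lifetime exceeds SLCS policy") }
	return nil
}

func main() {
	ca, err := NewOnlineCA()
	if err != nil { panic(err) }
	user, _ := NewUserKey()
	a := IdPAssertion{IdPEntityID: "https://idp.example.org/idp/shibboleth", Principal: "alice@example.org", AuthnTime: time.Now()}
	cert, err := ca.IssueShortLived(a, &user.PublicKey, 11*time.Hour)
	if err != nil { panic(err) }
	fmt.Println("issued", cert.Subject.CommonName, "until", cert.NotAfter.UTC().Format(time.RFC3339))
	fmt.Println("verify now:", VerifyGridCert(cert, ca.Cert, time.Now()))
}
```

Because the key pair is generated on the client and only the public half is sent, the SLCS never holds user key material; the user's only interaction is the IdP login, which is what makes the issuing process invisible to them.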
Common SAML Profile
Security Assertion Markup Language (SAML) is a standard way to pass security information in a token. The middleware stacks currently have some form of SAML capability but will be made interoperable by using a common SAML profile. This common profile will be used by a service that will soon be common throughout the middleware stack, SAML-enabled VOMS (VOMS-SAML). In a harmonization step, UNICORE will phase out their VO management system, UVOS. The middleware will also converge on a standard SAML library, openSAML2. Use will be made of previous collaborative work in that the OMII-Chemomentum (UNICORE) profile document is used as a starting point for the common SAML profile.
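Added example (not part of the original text, and not code from VOMS-SAML, UNICORE or openSAML2) of the checks a relying service makes on a SAML 2.0 assertion under a common profile, namely issuer, subject, validity window and audience, before reading any attributes from it. The assertion, its issuer and audience URLs and the attribute name http://example.org/vo/fqan are constructed for the example. It deliberately stops short of XML signature verification; a deployment must do that with a proper SAML library such as openSAML2 before trusting any of these fields.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"time"
)

const samlNS = "urn:oasis:names:tc:SAML:2.0:assertion"

// Assertion is a minimal view of a SAML 2.0 assertion: only the parts the
// profile checks below need. Tags match on local name; the namespace is
// checked explicitly in ValidateAssertion.
type Assertion struct {
	XMLName    xml.Name    `xml:"Assertion"`
	Version    string      `xml:"Version,attr"`
	ID         string      `xml:"ID,attr"`
	Issuer     string      `xml:"Issuer"`
	NameID     string      `xml:"Subject>NameID"`
	Conditions Conditions  `xml:"Conditions"`
	Attributes []Attribute `xml:"AttributeStatement>Attribute"`
}

type Conditions struct {
	NotBefore    string   `xml:"NotBefore,attr"`
	NotOnOrAfter string   `xml:"NotOnOrAfter,attr"`
	Audiences    []string `xml:"AudienceRestriction>Audience"`
}

type Attribute struct {
	Name   string   `xml:"Name,attr"`
	Values []string `xml:"AttributeValue"`
}

// sampleAssertion is constructed for this example; issuer, audience and
// attribute name are placeholders, not identifiers from any real deployment.
const sampleAssertion = `<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2011-05-10T12:00:00Z">
  <saml:Issuer>https://voms.example.org/voms-saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName">CN=alice,O=Example Org</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-05-10T12:00:00Z" NotOnOrAfter="2011-05-11T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ce.example.org</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://example.org/vo/fqan">
      <saml:AttributeValue>/atlas/Role=production</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`

// ValidateAssertion applies the profile-level checks a relying service makes
// before using an assertion. Signature verification is NOT done here; a real
// service verifies the XML signature first and only then runs these checks.
func ValidateAssertion(raw []byte, trustedIssuer, audience string, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := xml.Unmarshal(raw, &a); err != nil { return nil, err }
	if a.XMLName.Space != samlNS || a.Version != "2.0" { return nil, errors.New("not a SAML 2.0 assertion") }
	if a.Issuer != trustedIssuer { return nil, fmt.Errorf("untrusted issuer %q", a.Issuer) }
	if a.NameID == "" { return nil, errors.New("assertion has no subject") }
	// Both bounds are mandatory under this profile: an assertion without a
	// validity window would otherwise be valid forever.
	nb, err1 := time.Parse(time.RFC3339, a.Conditions.NotBefore)
	na, err2 := time.Parse(time.RFC3339, a.Conditions.NotOnOrAfter)
	if err1 != nil || err2 != nil { return nil, errors.New("assertion must carry NotBefore and NotOnOrAfter") }
	if now.Before(nb) || !now.Before(na) { return nil, fmt.Errorf("assertion not valid at %s", now.Format(time.RFC3339)) }
	// Audience restriction ties the token to this service; no audience, no use.
	for _, aud := range a.Conditions.Audiences {
		if aud == audience { return &a, nil }
	}
	return nil, fmt.Errorf("assertion not addressed to %s", audience)
}

// AttributeValues returns the values of the named attribute (nil if absent).
func (a *Assertion) AttributeValues(name string) []string {
	for _, at := range a.Attributes {
		if at.Name == name { return at.Values }
	}
	return nil
}

func main() {
	at := time.Date(2011, 5, 10, 15, 0, 0, 0, time.UTC)
	a, err := ValidateAssertion([]byte(sampleAssertion), "https://voms.example.org/voms-saml", "https://ce.example.org", at)
	if err != nil { panic(err) }
	fmt.Println("subject:", a.NameID, "FQANs:", a.AttributeValues("http://example.org/vo/fqan"))
	_, err = ValidateAssertion([]byte(sampleAssertion), "https://voms.example.org/voms-saml", "https://other.example.org", at)
	fmt.Println("wrong audience:", err)
}
```

The order of checks matters for a common profile: every consumer in the stack should reject the same assertion for the same reason, which is exactly what a shared library such as openSAML2 buys over per-component SAML code.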
Common Authentication Libraries
It is a given that a common set of authentication libraries will be used by all the services in the middleware. This will provide a consistent set of authentication decisions throughout the middleware. Another consideration is the reduction in the amount of authentication code present and the increased ease of maintenance. These libraries will support standard methods such as TLS/SSLv3 with standard X.509 certificates and should extend to other standard methods such as HTTP authentication (username & password). This last point may be important for Grid communities that work via web access only.
Compute Area Authorization
Currently there are different authorization mechanisms used throughout the middleware. As harmonization and evolution steps within the middleware, a single authorization service that provides user-friendly features will be integrated throughout. This is Argus, a site-central service that can administer and enforce authorization policies in a hierarchical manner.
From the usability point of view, Argus provides users a means to create and administer XACML policies with a simplified language. In order to integrate this service, a common XACML profile is being created and introduced. Argus interoperates with the rest of the middleware by virtue of its standards adherence.
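An added example (written for this page; not Argus code and not the Argus simplified policy language) of the hierarchical, deny-overrides evaluation the text attributes to a site-central authorization service: a site-level policy and a VO-level policy are combined so that a site ban wins over a VO permit, and the enforcement point fails closed when no policy applies. The request fields, policy names, resource identifier and DNs are constructed for the example.

```go
package main

import "fmt"

// Decision is the XACML result the decision point hands back to the enforcement point.
type Decision int

const (
	NotApplicable Decision = iota
	Permit
	Deny
)

func (d Decision) String() string { return [...]string{"NotApplicable", "Permit", "Deny"}[d] }

// Request is the attribute bundle a service's PEP sends for a decision.
// Field names are this example's own, not XACML or Argus attribute ids.
type Request struct {
	Subject  string // certificate subject DN
	VO       string // VO taken from the user's VOMS attributes
	Resource string // identifier of the service being accessed
	Action   string // what the user wants to do
}

// Rule applies when every set field equals the request's; an empty field is a wildcard.
type Rule struct {
	Effect                        Decision
	Subject, VO, Resource, Action string
}

func match(pattern, value string) bool { return pattern == "" || pattern == value }

func (r Rule) matches(q Request) bool {
	return match(r.Subject, q.Subject) && match(r.VO, q.VO) &&
		match(r.Resource, q.Resource) && match(r.Action, q.Action)
}

// Policy is a named group of rules; PolicySet is the hierarchy the site
// administers centrally (site-wide policy first, then per-VO policies).
type Policy struct {
	Name  string
	Rules []Rule
}
type PolicySet []Policy

// denyOverrides is the standard XACML combining algorithm: any Deny wins,
// otherwise any Permit, otherwise NotApplicable.
func denyOverrides(ds []Decision) Decision {
	result := NotApplicable
	for _, d := range ds {
		if d == Deny { return Deny }
		if d == Permit { result = Permit }
	}
	return result
}

func (p Policy) Evaluate(q Request) Decision {
	var ds []Decision
	for _, r := range p.Rules {
		if r.matches(q) { ds = append(ds, r.Effect) }
	}
	return denyOverrides(ds)
}

// Evaluate combines every policy in the set with deny-overrides, so a site
// ban cannot be undone by a later VO-level permit.
func Evaluate(set PolicySet, q Request) Decision {
	var ds []Decision
	for _, p := range set { ds = append(ds, p.Evaluate(q)) }
	return denyOverrides(ds)
}

// Allowed is the PEP's reading of the decision: only an explicit Permit opens
// the door; NotApplicable fails closed so a missing policy never grants access.
func Allowed(set PolicySet, q Request) bool { return Evaluate(set, q) == Permit }

// ExamplePolicySet: a site-level ban that must override any VO-level permit (constructed).
func ExamplePolicySet() PolicySet {
	return PolicySet{
		{Name: "site", Rules: []Rule{
			{Effect: Deny, Subject: "CN=mallory,O=Example Org", Action: "execute"},
		}},
		{Name: "vo-atlas", Rules: []Rule{
			{Effect: Permit, VO: "atlas", Resource: "ce.example.org", Action: "execute"},
		}},
	}
}

func main() {
	set := ExamplePolicySet()
	for _, q := range []Request{
		{Subject: "CN=alice,O=Example Org", VO: "atlas", Resource: "ce.example.org", Action: "execute"},
		{Subject: "CN=mallory,O=Example Org", VO: "atlas", Resource: "ce.example.org", Action: "execute"},
		{Subject: "CN=bob,O=Example Org", VO: "cms", Resource: "ce.example.org", Action: "execute"},
	} {
		fmt.Printf("%-28s vo=%-6s -> %v (allowed: %v)\n", q.Subject, q.VO, Evaluate(set, q), Allowed(set, q))
	}
}
```

Two points carry over to a real deployment: the combining algorithm is what makes the hierarchy meaningful (with permit-overrides the VO policy could defeat the site ban), and the PEP must treat NotApplicable as a denial, otherwise a resource nobody wrote a policy for is open to everyone.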
Contact: John White