iSGTW - International Science Grid This Week

iSGTW 28 November 2007


Feature - Achieving interoperability between Shibboleth and gLite

The Short Lived Credential Service allows users to access the grid with easy-to-use credentials.
Image copyright Marcel Reich

Grid security has long relied on public key infrastructure (PKI) technology, yet in recent years other security models have become widespread, most notably the concept of federated identity.

Can these models achieve interoperability?

Grid users are traditionally authenticated using X.509 certificates, which are issued by accredited Certification Authorities and are valid for one year. When interacting with grid services, these users typically present a short-lived proxy certificate, derived from this longer-lived X.509 certificate.

In an environment based on federated identity, users identify themselves differently. This newer process comprises two clearly decoupled steps: authentication, which takes place at an Identity Provider; and authorization, which occurs at the Service Provider. Each Service Provider is free to decide whether to authenticate a user, based on information obtained from the Identity Provider.

Within the academic and research sector, many European countries have started to deploy national Authentication and Authorization Infrastructures (AAI) based on federated identity.

Often these efforts are initiated and coordinated by the National Research and Education Networks. In Switzerland, for example, the Swiss NREN “SWITCH” and its partners operate one of the most advanced AAIs in Europe, with 75% of all members of the Swiss academic system having an AAI account.

Shibboleth is standards-based open source middleware which provides Web Single SignOn (SSO) across or within organizational boundaries, allowing sites to make informed authorization decisions in a privacy-preserving manner.
Images courtesy of Internet2

AAI in academia and research

The open-source middleware Shibboleth is currently the most favored AAI software implementation and its interoperability with grid middleware offers solid benefits.

First and foremost, many members of the academic and research sectors already have AAI credentials, since AAIs such as Shibboleth have been implemented in many campus identity management systems.

Thus interoperability between AAIs and grid middleware smoothly expands the potential user-base for grids to encompass the entire academic sector.

Secondly, X.509 credentials, while very powerful, are difficult to handle securely and efficiently. Often certificates have to be translated from one format to another, or imported and exported from browsers. In addition, they either have to be installed on every host from which the user accesses grid services, or they have to be stored in central credential stores.

Interoperability SWITCHed on

Within Enabling Grids for E-sciencE, SWITCH has developed two services that enable basic interoperability between Shibboleth and gLite, the EGEE middleware.

The first is the Short Lived Credential Service (SLCS), which issues an X.509 certificate upon successful authentication at a Shibboleth Identity Provider. This certificate is invisible to the average user and can be used to access grid services for one million seconds (approximately eleven days). SLCS was accredited by the International Grid Trust Federation in February 2007 and is now being deployed in Switzerland.

The second service developed by SWITCH is the Shibboleth Service Provider. By accessing this web-based service, users can authorize the release of a subset of their personal AAI attributes to VOMS, the EGEE Virtual Organization Management Service. VOMS in turn will add these attributes to the user’s proxy certificate. There is one instance of this Shibboleth Service Provider per virtual organization within a Shibboleth federation.

Within the EGEE collaboration, SWITCH is continuing to implement more advanced features, such as enabling central grid services to act as Shibboleth Service Providers.
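The credential lifetimes described in this article (one year for a CA-issued certificate, one million seconds for an SLCS certificate, and a shorter proxy derived from a longer-lived certificate) can be checked from the output of `openssl x509 -noout -dates`. The Python below is an added example, not part of the original article or of SWITCH's software; the function names, the 366-day bound and the sample dates are constructed for illustration.

```python
import ssl

# Lifetimes stated in the article.
SLCS_MAX_SECONDS = 1_000_000           # SLCS certificate: one million seconds
LONG_LIVED_MAX_SECONDS = 366 * 86400   # "one year"; the leap-year slack is an assumption

# Constructed sample inputs in the format printed by `openssl x509 -noout -dates`.
SLCS_CERT = "notBefore=Nov 28 08:00:00 2007 GMT\nnotAfter=Dec  9 21:46:40 2007 GMT"
CA_CERT = "notBefore=Jan 15 00:00:00 2007 GMT\nnotAfter=Jan 15 00:00:00 2008 GMT"
PROXY = "notBefore=Nov 28 09:00:00 2007 GMT\nnotAfter=Nov 28 21:00:00 2007 GMT"
LATE_PROXY = "notBefore=Dec  9 12:00:00 2007 GMT\nnotAfter=Dec 10 00:00:00 2007 GMT"

def parse_dates(openssl_text):
    """Return (notBefore, notAfter) as epoch seconds."""
    fields = dict(line.strip().split("=", 1)
                  for line in openssl_text.splitlines() if "=" in line)
    # ssl.cert_time_to_seconds() parses OpenSSL's "Mon DD HH:MM:SS YYYY GMT" format.
    return (ssl.cert_time_to_seconds(fields["notBefore"]),
            ssl.cert_time_to_seconds(fields["notAfter"]))

def classify(openssl_text):
    """Label a credential by validity period."""
    not_before, not_after = parse_dates(openssl_text)
    lifetime = not_after - not_before
    if lifetime <= 0:
        return "invalid"
    if lifetime <= SLCS_MAX_SECONDS:
        return "short-lived"
    if lifetime <= LONG_LIVED_MAX_SECONDS:
        return "long-lived"
    return "over-limit"

def proxy_within_issuer(proxy_text, issuer_text):
    """A proxy chain only validates while the issuing certificate is also
    valid, so the proxy's validity window should sit inside the issuer's."""
    p_start, p_end = parse_dates(proxy_text)
    i_start, i_end = parse_dates(issuer_text)
    return i_start <= p_start and p_end <= i_end

if __name__ == "__main__":
    for name, text in [("SLCS", SLCS_CERT), ("CA", CA_CERT), ("proxy", PROXY)]:
        print(name, classify(text))
    print("proxy inside CA cert:", proxy_within_issuer(PROXY, CA_CERT))
    print("late proxy inside SLCS cert:", proxy_within_issuer(LATE_PROXY, SLCS_CERT))
```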

- Christoph Witzig, SWITCH


