Thursday, 20 January 2011

Single Sign On - The Movie

Ladies and Gentlemen, take a seat, grab some popcorn and don't forget to turn off your mobile phone - because the NGS is going to the movies....

In our feature presentation, we join an intrepid explorer as he connects to the Grid using only his institutional credentials and some slightly-annoying background music.

At 3 minutes and 44 seconds, it is considerably shorter than Avatar, but if you can't wait (spoiler alert!), the plot is:

  • Our hero visits the NGS SARoNGS service.
  • He authenticates himself using Shibboleth and his institutional username and password.
  • He clicks a button or two and is rewarded with credentials that allow him ssh command line access to a grid-enabled machine.
  • And they all live happily ever after.

In the future as seen by Project Moonshot, we will be able to use institutional credentials anywhere. We can already make it most of the way using existing technology - a sort of Project Apollo 13?

The Making Of...

No modern movie is complete without a 'The Making Of...' documentary to fill those extra bytes at the end of the DVD. So we will also let you see behind the movie magic...

When you click on 'Login' on the 'SARoNGS' service provider, your web browser does the Shibboleth Shuffle: passing you via the 'Where Are You From' (WAYF) service to your home institution's 'Identity Provider' (idP) and then back to

In the last step of the shuffle, a blob of XML is delivered that means 'we at the University of Nether Wallop do solemnly swear that this is one of our users'.

Now that it knows that you are a reasonable member of society, the SARoNGS service and your local Identity Provider immediately start talking about you behind your back. In the chatter, your Identity Provider passes on one or more Shibboleth Attributes that describe who you are and what you do.

Shibboleth Attributes can be nearly anonymous or as personal as names, email addresses or even photos, so the UK Access Management Federation has strong recommendations about what may be revealed. Unless legal agreements are in place, an idP need only reveal your unique pseudonymous identifier and your role.

The Shibboleth Assertions are passed from the to a separate authentication service based around a modified MyProxy server.

The authentication service only cares about the unique pseudonymous identifier - the eduPersonTargetedID - and creates and manages short-lived certificates on its behalf. These certificates have a distinguished name that looks like:

/DC=uk/DC=ac/DC=ngs/DC=sarongs/CN=(a very long string of hexadecimal digits)

The very long string of hexadecimal digits is a cryptographic hash of the eduPersonTargetedID.

The authorisation service sends the certificate back to where it is associated with one or more Virtual Organisations (VO).

The default VO, '', represents anyone from an institution within the UK Access Management Federation. You can also sign up for an NGS account with a SARoNGS credential, at which point you will be eligible for membership of the '' VO.

The certificate and VO information is stored on the NGS's official MyProxy server under a unique username and a random password.

The SARoNGS service has done its duty. Now the MyProxy enabled Gsisshd (MEG) takes over.

MEG allows an ordinary ssh client to be used to access a grid-enabled service. It accepts a username, a MyProxy server and a password, uses these to download a (proxy) certificate and uses that certificate to authenticate you. has a version of MEG running on port 2223. We have made some changes - described in technical detail in the bonfire-night R+D posting - to allow certificates with only membership to log on without being given full command line access.

The Out-takes...

The MEG service at Leeds has been running, and accepting SARoNGS and certificates, since early December 2010.

We have kept quiet about it not because we are naturally modest and unassuming, but because we would have looked like a bunch of bumbling idiots.

There were some places where the SARoNGS service resolutely refused to work. If you were based at one of the unfortunate institutions and tried to reproduce what you saw in the movie, you would have got to the end of the Shibboleth Shuffle and been rudely informed that:

MyProxy didn't like me

We have known why MyProxy is being so unfriendly since November. The XML representing the Shibboleth Attributes is digitally signed and, at some point on its journey, it is corrupted so that the signature is no longer valid.

The fault seemed independent of the version of the idP software deployed, but did depend on which attributes were released.

Earlier this week, we worked out why.

It is very subtle, very Shibboleth and another magnificent example of XML biting back.

Before it is signed at the idP, the XML of the Shibboleth Assertions is first converted to a canonical form, a process that needs to take XML namespaces into account.

When the attributes were reconstituted on ready to be passed to the authorization service, additional namespace declarations were inserted, scrambling the signature.

We are still not clear where or why this happens. It might be related to typos in the Shibboleth configuration which left certain Attributes missing a default XML namespace.

The typos are fixed in version 2.2.1 of the idP and, thanks to NeSC Glasgow, we can confirm that this version can send all the attributes it wants with no repercussions.

Working around the problem was trivial. The additional declarations always appeared in the same place - at the very end of a saml1p:Response tag - so we simply removed them again.
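To show why a namespace declaration that appears "from nowhere" on a saml1p:Response start tag can break a signature, here is an added illustration (not code from the NGS, SARoNGS or Shibboleth): a deliberately simplified canonicaliser in two flavours, and a digest over its output, which is what an XML-DSig reference digest is computed on. The SAML snippet, the inserted `xmlns:ds` declaration and the helper names are constructed for this example; real canonicalisers also escape text, order attributes by namespace and handle comments, which is omitted here.

```python
import hashlib, io, xml.etree.ElementTree as ET

def parse_with_ns(xml_text):
    """Parse and record, per element, the namespace declarations made on its own start tag."""
    root, decls, pending = None, {}, []
    for event, obj in ET.iterparse(io.BytesIO(xml_text.encode()), events=("start-ns", "start")):
        if event == "start-ns":
            pending.append(obj)                # (prefix, uri) declared on the element that starts next
        else:
            decls[obj], pending = pending, []
            root = obj if root is None else root
    return root, decls

def c14n(el, decls, scope=None, rendered=None, exclusive=True):
    """Simplified canonical form. exclusive=True emits only namespaces visibly used by this
    tag/attributes (exc-c14n); exclusive=False emits every in-scope one not already emitted."""
    scope = {**(scope or {}), **dict(decls[el])}   # prefix -> uri in scope for this element
    rendered = dict(rendered or {})                 # prefix -> uri already written by an ancestor
    def qname(name):                               # "{uri}local" -> (prefix or None, "prefix:local")
        uri, local = name[1:].split("}") if name.startswith("{") else ("", name)
        prefix = None if not uri else next(p for p, u in scope.items() if u == uri)
        return prefix, (prefix + ":" + local if prefix else local)
    tag_prefix, tag = qname(el.tag)
    attrs = sorted((qname(k) + (v,) for k, v in el.attrib.items()), key=lambda a: a[1])
    used = {p for p, *_ in [(tag_prefix,)] + attrs if p is not None}
    to_emit = {p: u for p, u in scope.items()
               if rendered.get(p) != u and (not exclusive or p in used)}
    rendered.update(to_emit)
    out = "<" + tag + "".join(' xmlns%s="%s"' % (":" + p if p else "", u)
                              for p, u in sorted(to_emit.items()))
    out += "".join(' %s="%s"' % (n, v) for _, n, v in attrs) + ">" + (el.text or "")
    for child in el:
        out += c14n(child, decls, scope, rendered, exclusive) + (child.tail or "")
    return out + "</" + tag + ">"

def canonical_digest(xml_text, exclusive=True):
    # SHA-256 over the canonical bytes: the value an XML-DSig reference would carry.
    root, decls = parse_with_ns(xml_text)
    return hashlib.sha256(c14n(root, decls, exclusive=exclusive).encode()).hexdigest()

# Constructed, minimal SAML 1 Response; not a real NGS/SARoNGS message.
RESPONSE = (
    '<saml1p:Response xmlns:saml1p="urn:oasis:names:tc:SAML:1.0:protocol" ResponseID="_r1">'
    '<saml1:Assertion xmlns:saml1="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_a1">'
    '<saml1:AttributeStatement><saml1:Attribute AttributeName="eduPersonTargetedID">'
    '<saml1:AttributeValue>abc123</saml1:AttributeValue></saml1:Attribute>'
    '</saml1:AttributeStatement></saml1:Assertion></saml1p:Response>')
# The same message after an intermediary appends an unused declaration to the Response start tag.
MANGLED = RESPONSE.replace('ResponseID="_r1">',
                           'ResponseID="_r1" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">')
```

With exclusive canonicalisation (which SAML signing profiles recommend) the unused `xmlns:ds` is dropped and the digest of MANGLED still matches RESPONSE; with inclusive canonicalisation the declaration is kept and the digest, and so the signature, no longer matches.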

The Embarrassing thank-you speech...

Like an Oscar winner, we have a large number of people to thank for their contributions.

These include the people at the NGS partner sites at RAL and Manchester and those people at Glasgow, UCL and Sussex that helped identify and debug the SARoNGS problems.

We would particularly like to thank John Watt from what used to be NeSC Glasgow for taking the time at last week's NeISS meeting to help generate test cases.

The inevitable sequel...?

SARoNGS is built around elderly and currently unsupported versions of Shibboleth and MyProxy.

The web user interface is seen as confusing by less experienced users.

If it is to continue running, it will need further development.

SARoNGS is unique in that it makes the Grid available to people who cannot or will not use browser-based certificates - and that makes it the real star of the movie.
