Title Grid-Middleware Workshop
Chair Kento Aida, TITECH [aida@alab.ip.titech.ac.jp]
Putchong Uthayapas, KU [pu@ku.ac.th]
Seishi Ninomiya, NARO-NARC [snino@affrc.go.jp]
Yasuo Okabe, Kyoto U [okabe@i.kyoto-u.ac.jp]
James Sankar, AARNet james.sankar@aarnet.edu.au
Objective This workshop brings together participants from academia, industry and government to learn and to discuss about grid and middleware activities in the APAN countries. The workshop is jointly organized by the middleware WG and the Grid committee
Target Audience researchers/engineers/students
Expected No. of Participants 40
Session Chair & Speakers

Session 1: Chair Kento Aida
14:00 14:05 Welcome Kento Aida (Grid Middleware Chair)


AUTHORS: Panjai Tantatsanawong panjai@su.ac.th, Somkiat Chatchuenyot somkiat@su.ac.th, Pujan Srivastava pujansrt@su.ac.th, Suwachai Sieanoon suwachai@gmail.com, High Performance Computing Laboratory, Department of Computer Science, Silpakorn University, Nakhon Pathom, Thailand

ABSTRACT: Recently, the managing and exchanging patient record data between various medical units have limitations of using different formats, operating systems and database engines. In some necessary cases, to analyze and diagnose patient symptoms might need X-Ray film but because of their large size, normally 100 MB causes inconvenience of transferring these files over the network. With the international medical standard of HL7 v3.0, DICOM (Digital Imaging and Communication in Medicine) and web services technology help solving the managing and exchanging of patient record on the grid system. Since Data Grid is the technology of sharing information securely through the network system, We are using application and information of managing and exchanging Patient Record System as the sample to test on the distributed information management system which is based on the Data Grid. In this research, the Data Agent concept is used to create Grid Services and information management system as an application of Patient Record Management and Exchange System.
This implementation reflects five layer architecture of the Globus Toolkit 4.0, the de facto standard for open source grid computing infrastructure. Data Agent will be in charge of managing and exchanging patient information under the standard meta data HL7 v3.0. Exchanging the patient data from different databases are used in the same format of HL7 and this standard has been designed to support XML that is used in exchanging information in Grid Services. GridFTP technology helps in sending the large X-Ray film images which pass through the network system easier and faster. In the paper, we first review basic terms and discuss the creation of Meta data based on HL7 standard. We would be implementing such system which enables searching and exchanging patients' records between any medical units.
Key Words: Grid Services, OGSA-DAI, Data Agent, Meta data, HL7

Speaker Biography: Suwachai Sieanoon is a Master of Science candidate at Department of Computer Science at Silpakorn University. He received Bachelor of Engineering (Electronics Engineering) from Mahanakorn University of Technology, Bangkok Thailand. Currently he is working on Medicalgrid which in association with Thaigrid.


AUTHORS: Jefferson Tan, David Abramson, Colin Enicott, {Jefferson.tan,david.abramson,colin.enticott}@infotech.monash.edu.au Monash e-Science and Grid Engineering Laboratory, Monash University Caulfield East, VIC 3145, Australia

ABSTRACT: Summary of the Presentation: The presentation will introduce the complete Nimrod toolkit for parametric modeling, including some experiments which made us of Nimrod in the past, the syntax for specifying experiments, the component design of Nimrod as well as a quick demonstration of the Nimrod portal.
To support parametric modeling of highly complex scientific studies, it is necessary to provide sufficient computational resources. However, it is also crucial to provide scientists with the right tools that allow them to concentrate on their science rather than on the tools that they must use. Nimrod is such a tool that supports parameterized simulations over several computational resources while hiding the complexity of the underlying infrastructure. With Nimrod, a user interactively generates a parameterized experiment, using a simple and intuitive programming model. Nimrod controls the scheduling of jobs, and the distribution of files, across the resources, as well as the collection of results. Nimrod is interoperable with resources of various environments. The current version, Nimrod/G, can interact with PBS and with Globus resources, and has recently been made available as a service on the APAC (Australian Partnership for Advanced Computing) Grid. It includes a web-based portal through which users sign on using x.509 certificates loaded into their browser. The portal also makes the management of resources and files used in an experiment convenient for the user.

About Nimrod. More information about Nimrod can be found in this website: http://www.csse.monsh.edu.au/nimrod

Keywords: Grid, middleware, parametric modeling

About the Authors.
* Jefferson Tan is a research fellow at Monash University, and has been working on solutions to firewall issues faced by many Grid applications running on secure networks.
* David Abramson is a professor at Monash University, and is head of the Monash e-Science and Grid Engineering Laboratory. He leads the research in parametric modeling as well as in advanced debugging techniques and workflow models on distributed environments.
* Colin Enticott is a research scientist at Monash University and is the lead developer of the Nimrod portal and the Australian Nimrod Testbed. He is currently developing the web-services version of the Nimrod portal.
* Slavisa Garic is a research scientist at Monash University and the lead developer of the core Nimrod technology.

15:05 15:15 Session 1 Wrap Up & Q&A

15:15 15: 30 Session Break

Session 2: Chair Professor Okabe

15:30 15:35 Shibboleth & eduroam session Professor Okabe (Kyoto University & APAN Middleware Chair)


AUTHOR: Nate Klingenstein, ndk@internet2.edu

ABSTRACT: Presentation Summary: The accompanying presentation will discuss the basics of Shibboleth and federated identity in preparation for an overview of today's grid/Shibboleth integration projects, identification of common architecture features, and discussion of open issues. Relevant standards being developed will be touched upon briefly.

Most grids have users from many different institutions which have different identity management systems. Traditionally, grids have managed their own user credentials through x.509, but interest is growing in leveraging campus identity information for grid access. Federated identity offers a framework for sharing information about users governed by policies that all parties agree upon. In federated identity, the user authenticates to their campus rather than directly to the grid. Then, information about the user from their home organization is sent to the grid, which can use it to authenticate or authorize the user. Aside from no longer needing to authenticate users directly, the grid also gains access to a wide variety of data about users that is updated dynamically.

The Security Assertion Mark-up Language(SAML) standardizes the mechanics of sending federated identity information so all organizations with SAML-compliant identity management infrastructures can participate. A service that straddles the SAML and grid worlds would receive this information in SAML form and bridge these credentials to a form the grid could consume. Shibboleth is a federated identity system with a large global deployment, making it a popular choice for grid/SAML integration. It's an open source implementation which is easy to modify and extend that's fully compliant with SAML standards. The two primary Shibboleth components are the Identity Provider(IdP), which is responsible for gathering authentication and attribute information for users, and the Service Provider(SP), which receives, validates, and passes along data. Institutions would deploy IdP's and the grid would have at least one SP.

The first efforts to tie Shibboleth's authentication and attribute infrastructures to the grid began in 2004 at NCSA. Since then, many other projects have tackled the problem in myriad ways. Thanks to the lessons learned from all these implementations, we can now start identifying sticky points and best practices for Shibboleth/grid integration. The real hurdles to overcome occur once user data arrives at the grid interface. SAML assertions are very different in form and nature from x.509 certificates. While SAML is becoming a dominant credential format in the world today, integration to date has operated on the assumption that x.509 will continue to be used on the Grid for a long time to come. This means that there needs to be a way to map the SAML information into a form that the grid can use. An x.509 certificate uses a distinguished name(DN) to uniquely identify its subject. Many organizations store user information in LDAP directories, which also have DN's for all objects. However, the DN in campus directories has lost its use as an identifier and is now generally only used for internal directory structure. Other identifiers, such as eduPersonPrincipalName from the eduPerson object class, are now preferred for applications. The DN currently placed in a Grid user's certificate rarely matches the one in the directory, and the use of DN's is so different that aligning these is unwise. This means there needs to be a way to translate from campus name to grid name. There are two solutions to this problem being discussed presently: allowing any CA to issue an arbitrary DN which the IdP would map to a local principal name; or encoding the principal name in the DN, such as in the CN field.

Drawbacks are associated with each approach, but dynamic generation is strongly preferred. If any DN is allowed, the IdP must maintain a list of DN's and the principal names they map to. Aside from an unreasonable management burden, this mandates a close relationship between the CA's and IdP. However, if information is encoded in the DN, it acquires semantics and can no longer considered an opaque identifier. A standard would be needed so IdP's would always be able to interpret requests from grid components.
The detailed authentication and attribute information in the SAML assertion is useful for grid services too. The AuthnContext can supply information about how the user was authenticated for LoA purposes. SAML attributes within the assertion convey detailed information about users. While x.509 does support the idea of extensions and attribute certificates, it would be difficult to map SAML attributes directly to these forms. There don't seem to be many use cases that need user attributes right now, but we anticipate there will be. Unexplored to date is how to discover the proper IdP for a user that's already on the Grid, which may also be encoded into certificates. Integration projects are now evaluating the merits of encoding the entire SAML assertion as an extension to the x.509 certificate, allowing SAML-enabled grid services to utilize the SAML assertion itself. Backward compatibility would help the transition toward a grid that utilizes WS-Security tokens. Deployment of Shibboleth alongside x.509 will give grid applications greater ability to authenticate, audit, and authorize their users. However, a lack of convention in integrating SAML and x.509 could quickly lead to non-interoperability.


Shibboleth: http://shibboleth.internet2.edu/
WS-Security: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss
SAML: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security
x.509-subject SAML profile: http://www.oasis-open.org/committees/document.php?
GLASS: http://labserv.nesc.gla.ac.uk/projects/glass/index.html
GridShib: http://gridshib.globus.org/
MAMS Shibbolized GridSphere: http://mams.melcoe.mq.edu.au/wiki/display/MAMS/Virtual+Organization
SHEBANGS: http://www.sve.man.ac.uk/Research/AtoZ/SHEBANGS

Keywords: Shibboleth, GridShib, SHEBANGS, Globus, Grid, Federated Identity, SAML

AUTHOR: Nate Klingenstein, ndk@internet2.edu

ABSTRACT: Presentation Summary: A fairly technical discussion of the attribute aggregation problem will be framed in terms of common deployments. Specific flow diagrams will be used to show attendees how these models work. Relevant standards and the Shibboleth community's implementation plans will be discussed. Attribute aggregation is the ability to collect information from multiple authorities that are all true about a user and provide them in aggregate to an application or PDP. It's one of the most challenging federated identity use cases, and very few implementations exist that attempt any form of attribute aggregation today. The canonical expression of attribute aggregation supposes a researcher would like to purchase a computer using his federated bank account from an online store that offers discounts to the R&E sector. The researcher must provide one assertion stating that they're a member of an educational organization, and a second from the bank describing their account. Granting access requires information from both organizations, but standard flows restrict the user to one IdP. Attribute aggregation decomposes into two distinct problems: the association or linking of primary identifiers at the individual identity providers; and the construction of flows that allow for the collection of data from multiple sources in a single set of transactions. We know of many ways to solve both of these issues with varying degrees of complexity and security. There really is no optimal solution, and deployers will have to choose between these options. This paper breaks down the problem into three commonly encountered trust structures. The first requires the additional source of information to be in the same trust domain as the SP. The second places the additional information at an intermediary between an IdP and an SP. The third stores information at two distinct IdP's that have separate trust relationships with the SP. These trust structures can be chained together to address all currently known scenarios. Service-Side Information For some federated applications, the information that the IdP is able or willing to provide is not sufficient. The SP can extend the user's identity with additional information. SP Database: Attaching a database to the SP which stores primary identifiers received and application-specific information allows for retrieval of additional information about a user on any given request. Ghost Accounts: A ghost account is a representation of a user held at a SP. The information asserted by the remote IdP is used to select which SP-local identity to use. This is useful where a community of applications is expecting local user attributes or interfaces. Intermediary Scenario There are communities of individuals whose primary affiliations are scattered throughout a number of distinct home organizations, yet they operate together through an intermediary. The intermediary may extend the identities hosted by the home organizations with its own information. Because the information about the end user passes directly through the intermediary, this arrangement is more vulnerable to numerous attacks than standard transactions due to the nature of bearer credentials. Assertion Proxying: An authentication request from the SP is sent to an SSO handler at the intermediary, which recognizes that it can't handle it. The user is routed back to its home IdP to authenticate and transports authentication and attribute data to the intermediary. The intermediary then forwards the assertions, optionally including additional assertions it creates, to the SP. Attribute Caching: The intermediary makes an authentication request to the home IdP. The user authenticates and transports authentication and attribute data to the intermediary, which caches this information alongside other information it maintains. When remote SP's make requests, the intermediary either authenticates the user itself or asks the IdP to authenticate the user again. The intermediary then packages stored attributes and releases them to the SP. Multiple Identity Provider Scenario The most complex identity aggregation problems involve multiple distinct representations of an individual that each have their own authentication and attribute information, e.g. two full identity providers. Denial of privacy and usability are important considerations in flow selection. Client-Mediated Assertion Collection: The client separately authenticates to both IdP's and requests assertions be prepared for the SP, storing these assertions internally. The client then accesses the SP and provides all assertions it possesses. IdP-Mediated Account Linking: The user establishes a link between accounts at each IdP, either in the flows or prior to a transaction. When the user accesses the SP, they select one IdP. The assertions from this IdP express its own attributes as well as information about the link to the second IdP. The SP then requests assertions from the second IdP using this link. SP-Mediated Account Linking: The user informs the SP of the multiple IdP's that store their information. The SP requires the user to retrieve assertions from each IdP in series, maintaining one session throughout the process.

ID-WSF: http://www.radicchio.org/resources/specifications.php
I AM Suite: http://www.middleware.edu.au/docs/forum/Vullings_CAMP_Aug06.pdf
myVocs: http://www.myvocs.org/

Keywords: Attribute Aggregation, n-tier, Virtual Organizations, Proxying, Delegation, Shibboleth, Federated Identity, ID-WSF, SAML

Speaker Biography: Nate Klingenstein, Technical Analyst at Internet2, has worked with the Shibboleth project since 2001 as documentation and support lead. His other duties with MACE extend into projects such as Signet, Grouper, and eduPerson. He frequently presents on Shibboleth's architecture, implementation, deployment, and future development. He serves as a technical liaison for the Shibboleth Core Team to the user community. Dynamic metadata and attribute resolution, virtual organizations, n-tier scenarios and delegation, PKI/Shibboleth integration, and modeling the ideal federated domain interface are current research interests.


Authors: Shoichirou FUJIWARA Takaaki KOMURA Yasuo OKABE

ABSTRACT: In frameworks for inter-domain authentication and authorization such as SAML, Shibboleth, and Liberty, a Service Provider (SP) can request an Identity Provider (IdP) to authenticate a user and return a corresponding assertion. In addition, the SP can exchange the users attributes by attribute-value pair with the IdP to authorize the one, and this is the only way to exchange the attributes without any extensions. It is often unnecessarily detailed that the information deduced from such attribute-value pairs. This increases the risk that those who collect the attributes may identity their holder, or the user. To lessen the risk, the information provided by the IdP should be conformed to that required by the SP. We focus on Shibboleth, and propose an extension of attribute exchange between an IdP and an SP as a solution to the issue. In our extension, the SP transmit conditions of users attributes as well as conventional attribute requests to the users IdP. Any users who access resources protected by the SP must fulfill the corresponding conditions. The IdP checks the conditions conveyed by the SP. All conditions are evaluated as either true, false, or unanswerable with an extended Attribute Release Policy (ARP). The result is returned to the SP by the IdP. The SP receives the result and make authorization decision. We specify how to describe the conditions, which is XACML-like, to apply our extension without any other special extensions. In this presentation, we will report on our activities for implementing our extension. We extend the components involved with attribute exchange, such as the Attribute Authority, the ARP, the Attribute Requester, the Assertion Consumer Service, the Attribute Acceptance Policy, and so forth. While the functions that our extension provides should be available in any situations, we utilize extension points in conventional Shibboleth to implement the extended protocols. We specify an attribute that indicates true/false/unanswerable. The SP responds with the attribute to the conditions presented from the IdP.

Keywords: SAML, Shibboleth, Liberty, Attribute Exchange, XACML, Privacy

Speaker Biography: Shoichirou FUJIWARA (fuji-sho@net.ist.i.kyoto-u.ac.jp) received his Bachelor of Engineering at Kyoto University in Japan, and he is currently a second-year masters degree student in the Graduate School of Informatics at Kyoto University. He studies middilewares for inter-site authentication and authorization.


AUTHOR: Jerremeo Raynier Gabas, ASTI

ABSTRACT: Presentation Summary: resentation Summary PNGP aims to enhance research, development and delivery of products and services that require massive computational resources. It is positioned to become the umbrella program for grid computing projects in the Philippines. Bioinformatics and numerical earth modeling have been identified as the most immediate beneficiaries of this program, and are the applications that will have the most significant and visible impact for the program. Among the current stakeholders of this program include Advanced Science and Technology Institute (ASTI), Ateneo de Manila University (ADMU), University of the Philippines (UP), Philippine Atmospheric, Geophysical and Astronomical Services Administration (PAGASA), and Philippine Institute of Volcanology and Seismology (PHIVOLCS). PNGP is still being proposed to the Department of Science and Technology (DOST) in order to receive funding, but the stakeholders already have activities as well as projects that are running on their respective computing facilities.

Speaker Biography: Jerremeo Raynier Gabas, ASTI. Ren Gabas is a research specialist with the Advanced Science and Technology Institute. He has built clusters for use in operational weather forecasting of the Philippine weather bureau. He is currently involved in building the Philippine national grid infrastructure. He worked with the PREGINET, the local research and education network. His research interests include digital signal processing, web programming, software systems and distributed processing. Mr. Gabas took his Bachelor's degree in Computer Engineering at the University of the Philippines in Diliman, where he is also currently taking up his graduate studies.

17:00 17:30
Eduroam-JP update

AUTHOR: Tetsuo IMAI. (imai@isc.tohoku.ac.jp)

ABSTRACT: It reports on the situation about the introduction of Eduroam in Japan. In Tohoku University, it was made to prepare the JP server for Eduroam-JP and to cooperate with a superordinate server, and experimental operation was begun. It provides an almost standard Eduroam function, furthermore to take security into consideration, the port restriction to the outside should be usable and R&D of the operation method should be studied. Now, the development of the test run is advanced in five academic organizations. This is a part of the UPKI project that the university in Japan is cooperating, and it is scheduled to develop with more organizations in the future. Useful links to further information: Keywords: Eduroam-JP, roaming, security, UPKI Summary of the presentation:

Speaker Biography: Tetsuo Imai was born in Tokyo, Japan in 1977. He received his M.E. degree from Graduate School of Engineering, Hokkaido University, Japan, in 2002. He joined NEC Corporation in 2002 and was engaged in research on communication network. He has been a researcher at Information Synergy Center, Tohoku University to research a network roaming systems. He is a member of the Institute of Electronics, Information and Communication Engineers.

17:30-17:40 Session 2 Wrap Up & Q&A

BoF Session-- Chair: James Sankar

17:40- 18:00 General discussion about talks from the day and any other issues that the audience want to discuss about GRID Middleware.

Remarks(including Special arrangements if Any) 1. Room set up in classroom style with two Projectors
2. Room with wireless internet access.
3. SIP/H.323 Video Conferencing Facility for remote participation and remote speakers

Last Updated 2 Feb 2007