GridShib:HowTo:Community Accounts

From Globus

This page is a work in progress and not complete at this time.

This page describes how to use GridShib to create a community account, that is, an account shared by a number of users whose access is authorized by the attributes served for them by myVocs.


Create the account

This depends on the details of your specific system and how you create accounts. A standard Unix account should work fine. Because several users will share it, give it no more privileges than the community needs. For the purposes of this documentation we will assume your account name is 'commacct'.

Install GridShib for GT

As described at [1]

Configure GridShib for GT

  • ToDo: Need to describe how to come up with SP configuration
  • Edit $GLOBUS_LOCATION/etc/globus_wsrf_core/server-config.wsdd and insert the following inside the <globalConfiguration> element (replace '/usr/local/globus/' with your $GLOBUS_LOCATION):

XXX Update SPproviderId in the following

       <parameter name="counter-shibAuthzAttrFile"
         value="/usr/local/globus/etc/globus_wsrf_core/attr-authz.xml"/>
       <parameter name="counter-AAUrl"
         value="https://aa.myvocs.org:443/shibboleth-idp/AA"/>
       <parameter name="counter-AAIdentity"
         value="/C=US/ST=Alabama/L=Birmingham/O=myVocs/CN=aa.myvocs.org/E=root@myvocs.org"/>
       <parameter name="counter-IdPproviderId"
         value="https://idp.myvocs.org/shibboleth"/>
       <parameter name="counter-SPproviderId"
         value="https://gridshib-sp.ncsa.uiuc.edu/gridshib"/>
  • Edit $GLOBUS_LOCATION/etc/globus_wsrf_core/global_security_descriptor.xml and add the following line in the <securityConfig> element:
<authz  value="counter:org.globus.wsrf.impl.security.authorization.ShibbolethPDP"/>
  • Create $GLOBUS_LOCATION/etc/globus_wsrf_core/attr-authz.xml with the following contents. Replace 'urn:mace:dir:attribute-def:role' and 'urn:mace:shibboleth:1.0:attributeNamespace:uri' with the name and namespace of the attribute you want to use for mapping. Replace 'member@teragrid-test-one' with the attribute value you want to use for mapping. You can have multiple saml:Attribute elements to map multiple values to the same community account. If you want to map other values to another account, you can create multiple <entry> elements.
<AttributePolicy
   xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
   xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
     <entry>
       <listOfAttributes>
         <saml:Attribute AttributeName="urn:mace:dir:attribute-def:role"
                         AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
           <saml:AttributeValue>member@teragrid-test-one</saml:AttributeValue>
         </saml:Attribute>
       </listOfAttributes>
       <listOfUsernames>
         <username>commacct</username>
       </listOfUsernames>
     </entry>
</AttributePolicy>
  • Edit $GLOBUS_LOCATION/etc/gram-service/managed-job-factory-security-config.xml and change the following line:
<authz value="gridmap"/>

to match this:

<authz  value="gridmap counter:org.globus.wsrf.impl.security.authorization.ShibbolethPDP"/>
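
The attr-authz.xml file above is the policy the ShibbolethPDP reads. The following Python is an added worked example, not GridShib's own code: it builds an attr-authz.xml with several entries, parses it back, and decides which account a set of released attributes maps to, using the mapping semantics described above (any one listed value maps to the account; a match is exact, including the attribute namespace). The ShibbolethPDP's actual matching rules are not documented on this page, so treat the evaluator as an illustration of the policy file, not as the PDP. The values 'admin@teragrid-test-one', 'member@teragrid-test-two' and the account 'commacct2' are constructed for the example.

```python
"""Build and evaluate a GridShib attr-authz.xml attribute-to-account policy.

Added example, not GridShib code. Element names and namespaces follow the
attr-authz.xml sample on this page; the matching rule is this example's.
"""
import xml.etree.ElementTree as ET

POLICY_NS = "http://gridshib.globus.org/namespaces/2005/08/policy"
SAML_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
ROLE_ATTR = "urn:mace:dir:attribute-def:role"
URI_NS = "urn:mace:shibboleth:1.0:attributeNamespace:uri"

ET.register_namespace("", POLICY_NS)
ET.register_namespace("saml", SAML_NS)

# The attr-authz.xml from this page, embedded so the evaluator runs offline.
PAGE_SAMPLE = """<AttributePolicy
   xmlns="http://gridshib.globus.org/namespaces/2005/08/policy"
   xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
     <entry>
       <listOfAttributes>
         <saml:Attribute AttributeName="urn:mace:dir:attribute-def:role"
                         AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
           <saml:AttributeValue>member@teragrid-test-one</saml:AttributeValue>
         </saml:Attribute>
       </listOfAttributes>
       <listOfUsernames>
         <username>commacct</username>
       </listOfUsernames>
     </entry>
</AttributePolicy>"""


def build_policy(mapping):
    """mapping: list of (attr_name, attr_namespace, [values], [usernames]).

    Returns attr-authz.xml text: one <entry> per tuple and one
    <saml:Attribute> per value, so several values can share one account.
    """
    root = ET.Element(f"{{{POLICY_NS}}}AttributePolicy")
    for name, ns, values, users in mapping:
        entry = ET.SubElement(root, f"{{{POLICY_NS}}}entry")
        attrs = ET.SubElement(entry, f"{{{POLICY_NS}}}listOfAttributes")
        for value in values:
            attr = ET.SubElement(attrs, f"{{{SAML_NS}}}Attribute",
                                 AttributeName=name, AttributeNamespace=ns)
            ET.SubElement(attr, f"{{{SAML_NS}}}AttributeValue").text = value
        names = ET.SubElement(entry, f"{{{POLICY_NS}}}listOfUsernames")
        for user in users:
            ET.SubElement(names, f"{{{POLICY_NS}}}username").text = user
    return ET.tostring(root, encoding="unicode")


def parse_policy(xml_text):
    """Return [(set of (name, namespace, value) triples, [usernames]), ...]."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall(f"{{{POLICY_NS}}}entry"):
        triples = set()
        for attr in entry.iter(f"{{{SAML_NS}}}Attribute"):
            for val in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
                triples.add((attr.get("AttributeName"),
                             attr.get("AttributeNamespace"),
                             (val.text or "").strip()))
        users = [u.text.strip() for u in entry.iter(f"{{{POLICY_NS}}}username")]
        entries.append((triples, users))
    return entries


def map_account(policy_entries, presented):
    """presented: set of (name, namespace, value) triples released by the AA.

    Returns the usernames of every entry with at least one matching triple;
    an empty list means no community account applies (deny). More than one
    username means the policy is ambiguous for this user and should be fixed,
    not resolved by picking one. Matching is exact, namespace included.
    """
    matched = []
    for triples, users in policy_entries:
        if triples & presented:
            matched.extend(u for u in users if u not in matched)
    return matched


if __name__ == "__main__":
    # Constructed mapping: two values for 'commacct', one for 'commacct2'.
    policy = build_policy([
        (ROLE_ATTR, URI_NS, ["member@teragrid-test-one", "admin@teragrid-test-one"], ["commacct"]),
        (ROLE_ATTR, URI_NS, ["member@teragrid-test-two"], ["commacct2"]),
    ])
    entries = parse_policy(policy)
    print(map_account(entries, {(ROLE_ATTR, URI_NS, "admin@teragrid-test-one")}))
    print(map_account(parse_policy(PAGE_SAMPLE), {(ROLE_ATTR, URI_NS, "member@teragrid-test-one")}))
```

Run the module directly to see the two mapping decisions; feed `parse_policy` the contents of your real attr-authz.xml to check which account a given attribute set would land in before you enable the PDP in the container.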

Testing

XXX This is all still just rough notes.

Create an account at www.myvocs.org by going to the web site and joining 'teragrid-test-one'.

Then bind your DN to the myVocs account at: https://sso.myvocs.org/shibboleth-idp/CertificateRegistry

Then, when you run the 'shibecho' command against the container, you should see the member@teragrid-test-one attribute listed.
