Five years ago, Georgetown University — home to numerous leading medical research facilities, such as the Lombardi Comprehensive Cancer Center — did not have a core computational facility, let alone a Grid in place. But in a short while, their Advanced Research Computing (ARC) team has not only created a shared computing infrastructure for Georgetown researchers — but is also one of the leading contributors to the National Cancer Institute’s caBIG collaborative research Grid project.

Because Georgetown’s Grid so quickly grew from scratch, the administrative pains of scaling the security were pretty immediate. “Every time we’d stand up a cluster, it would have its own user base,” said Arnie Miles, Systems Architect. “We were using local accounts, and creating tiny administrative domains. And we quickly realized that while (Condor) has functionality to span across these Beowulf clusters — it was all IP or host database security, and it was too labor intensive. And after administrative configurations were complete, it didn’t meet our security requirements.”

Georgetown tackled the security scale issue by hiring an identity management expert to work with the ARC team. Chad La Joie had previously spent years developing and managing an identity management infrastructure at Virginia Tech. With the ARC team, he saw an opportunity to apply Shibboleth in the healthcare arena.

Shibboleth has a trust fabric mechanism based on the SAML 2.0 metadata file. It’s a public key infrastructure (PKI) that allows for simpler trust negotiation with a service provider. As it goes to connect to the identity provider, certificates get passed and verified. The response that gets sent back is an XML document which is digitally signed, again using the public and private key pairs obtained in the certification process, to sign and verify the data. This metadata describes each service provider, each identity provider, and all of their PKI information. It is really a simple and elegant method to configure the necessary trust.

“We saw Shibboleth’s potential for importing and making available to the Grid the identities, attributes, and credentials of the researchers participating in the Grid at Georgetown,” said La Joie. “Shibboleth is a way to make it easier for them to participate — not having to know about all of the certificates or deal with all of those issues.”
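The metadata-based trust lookup described above can be sketched as follows; this is an added example, not code from Shibboleth or from Georgetown's deployment. It builds a map from each entity and role in a SAML 2.0 metadata document to the fingerprints of its signing certificates, then checks whether a certificate presented with a signed response is listed for the claimed issuer. The entity IDs and certificate bytes are constructed placeholders, the helper names are hypothetical, and verification of the XML signatures themselves (on the metadata and on the response) is assumed to happen separately.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser such as defusedxml

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}
ROLES = {"IDPSSODescriptor": "idp", "SPSSODescriptor": "sp"}

# Constructed sample data: placeholder bytes stand in for DER certificates,
# and the entity IDs are hypothetical.
IDP_SIGN, IDP_ENC, SP_CERT = b"idp-signing", b"idp-encryption", b"sp-cert"

def _key(cert, use=""):
    return ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
            % (use, base64.b64encode(cert).decode()))

SAMPLE_METADATA = (
    '<md:EntitiesDescriptor xmlns:md="%s" xmlns:ds="%s">' % (MD, NS["ds"])
    + '<md:EntityDescriptor entityID="https://idp.example.edu/idp/shibboleth">'
    + '<md:IDPSSODescriptor>' + _key(IDP_SIGN, ' use="signing"')
    + _key(IDP_ENC, ' use="encryption"') + '</md:IDPSSODescriptor></md:EntityDescriptor>'
    + '<md:EntityDescriptor entityID="https://grid.example.edu/sp">'
    + '<md:SPSSODescriptor>' + _key(SP_CERT) + '</md:SPSSODescriptor></md:EntityDescriptor>'
    + '</md:EntitiesDescriptor>')

def load_trust(metadata_xml):
    """Return {(entityID, role): {SHA-256 fingerprints of signing certs}}."""
    if "<!DOCTYPE" in metadata_xml:
        raise ValueError("DTDs are not accepted in metadata")
    trust = {}
    for ent in ET.fromstring(metadata_xml).iter("{%s}EntityDescriptor" % MD):
        for tag, role in ROLES.items():
            for kd in ent.findall("md:%s/md:KeyDescriptor" % tag, NS):
                if kd.get("use", "signing") != "signing":
                    continue  # encryption-only key; a missing 'use' covers signing too
                for c in kd.findall(".//ds:X509Certificate", NS):
                    der = base64.b64decode("".join((c.text or "").split()))
                    trust.setdefault((ent.get("entityID"), role), set()).add(
                        hashlib.sha256(der).hexdigest())
    return trust

def is_trusted_signer(trust, issuer, role, cert_der):
    """True only if cert_der is a signing cert listed for issuer in that role."""
    return hashlib.sha256(cert_der).hexdigest() in trust.get((issuer, role), set())

if __name__ == "__main__":
    t = load_trust(SAMPLE_METADATA)
    print(is_trusted_signer(t, "https://idp.example.edu/idp/shibboleth", "idp", IDP_SIGN))
```

Keying the lookup on both entity ID and role means a certificate listed for a service provider is never accepted as an identity provider's signing key, and an encryption-only key is never accepted for signatures.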