GridShib and PERMIS Integration

This paper describes the results of our recent GridShibPERMIS project to provide policy-driven role-based access control decision making to Grid jobs, in which the users attributes are provided by a Shibboleth Identity Provider (IdP). The goal of the project is to integrate the identity-federation and attribute-assignment functions of Shibboleth with the policy- based enforcement function of PERMIS, in order to provide a flexible fine-grained authorisation system for Grid jobs running under Globus Toolkit v4. This was done by taking the GT4-Shibboleth integration performed in the United States with the PERMIS infrastructure built in the United Kingdom, and developing a GridShibPERMIS Context Handler. This allows for interoperability between GridShib and PERMIS by providing the required attribute extraction, conversion and transfer functions. As a result, the GridShibPERMIS project integrates the advantages of both Shibboleth cross-organisation identity federation and PERMIS policy-driven role-based access control and represents a new avenue of policy-based authorisation for Grids. The paper provides a brief overview of the technologies involved: GT4, Shibboleth and PERMIS, and presents how the three are combined to provide an efficient and simple fine- grained authorisation mechanism, having low implementation costs. The paper concludes with the lessons learned and plans for the future.