Contrail and Federated Identity Management Philip Kershaw RAL
- Slides: 22
Contrail and Federated Identity Management
Philip Kershaw, RAL Space, STFC; Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC 7th Framework Programme
Outline
• Contrail overview and goals
• Architecture
• Single sign-on
• Delegation requirements
• Delegation solutions
• OAuth flow
• Conclusions
• Collaborations
contrail-project.eu
Contrail Overview and Goals
• EC FP7 project, led by INRIA, 36 months, completes Sept 2013
• Federation of cloud providers
• Federation with external IdPs: federated access to resources, building on existing identity federations
• “Elastic” CAs for dynamically created services
• Autonomous SLA management from the SLA@SOI project
• IaaS and PaaS integration
• Reuse of existing open standards: OVF, OCCI, CDMI, WS-Security, SLA@SOI models
Architecture (diagram)
Browser and rich client access: Federation CLI and Browser → Federation Web Portal and REST API; behind them the Online CA, the Federation core, the Federation Identity Provider and the Federation of Cloud Providers.

Architecture – Single Sign-on (diagram)
Single sign-on from the Federation CLI and Browser to the Federation Web Portal and REST API; credentials mapping at the portal / REST API layer, backed by the Online CA and the Federation Identity Provider; single sign-on again from the Federation core to the Cloud Providers.

Architecture – Delegation (diagram)
Multiple delegation hops: Federation CLI / Browser → Federation Web Portal / REST API → Federation core → Cloud Providers.
Delegation … but how?
• A delegator delegates authority to another party, the delegatee
• The rights the delegatee inherits can vary, e.g.
  • Identity-based: inherits all the rights of the user
  • Inherits the right to access a single resource
• Some technology options:
  • GSI proxy certificates
  • OAuth 1.0 (CILogon), OAuth 2.0?
  • Others…
Delegation: technology options
• GSI proxy certificates
  • Delegatee inherits all the rights of the user
  • Custom SSL extensions needed to support verification
• OAuth 1.0
  • Gained traction in the commercial environment: Twitter etc.
  • Digital signature over HTTP header artifacts; canonicalisation can be problematic
• OAuth 2.0
  • Simplified flow
  • Uses SSL: no digital signature implementation necessary
• CILogon
  • Uses OAuth to protect a Short-Lived Credential Service (SLCS), but based on OAuth 1.0
  • Delegatees obtain a standard entity certificate
• Chosen: SLCS + OAuth 2.0 ✔
OAuth Flow
Objective: get a delegated credential for the portal to make onward requests to the federation core.
Roles: Browser; Federation Web Portal [OAuth Client]; Online CA [OAuth Authorisation Server / OAuth Resource Server]; Federation Identity Provider; Federation core; Cloud Providers.
1. User request to the Federation Web Portal
2. Portal requests authorisation for delegation from the user
3. User is redirected to the authorisation server
4. User authenticates and approves the delegation request
5. Authorisation grant is returned to the portal via a redirect back to the portal
6. Portal requests a certificate (the OAuth access token), passing the authorisation grant as proof of user approval
7. Online CA authenticates the portal and returns the certificate
8. Portal uses the certificate to authenticate with core services
9. Further delegation needed, onward to the Cloud Providers: ‘2-legged’ OAuth
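The nine-step exchange above, as an added example that is not Contrail project code: a standard-library-only Python model of the authorisation-code flow in which the access token the portal redeems is a short-lived certificate from the online CA. The certificate layout, the HMAC stand-in for the CA's X.509 signature, the code and certificate lifetimes, the class and endpoint names and the sample user and client identifiers are all assumptions made so the example runs offline. It adds the checks a practitioner would expect on the grant and that the slides leave implicit: the redirect URI must match the registered one, the portal must authenticate at the token endpoint, the code is single-use and expires, and the state parameter ties the redirect back to the browser session that started it.

```python
"""Authorisation-code flow whose access token is a short-lived certificate.

Added illustration, not Contrail code.  OnlineCA plays both OAuth roles shown
on the slides (authorisation server and resource server).  The certificate is
a dict signed with an HMAC stand-in for the CA private key; lifetimes, names
and identifiers are assumptions.
"""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME_S = 60          # assumption: grant must be redeemed within a minute
CERT_LIFETIME_S = 12 * 3600   # assumption: SLCS-style short-lived certificate


class OnlineCA:
    def __init__(self):
        self._clients = {}                      # client_id -> (secret_hash, redirect_uri)
        self._codes = {}                        # code -> grant record
        self._ca_key = secrets.token_bytes(32)  # stand-in for the CA private key

    def register_client(self, client_id, client_secret, redirect_uri):
        digest = hashlib.sha256(client_secret.encode()).digest()
        self._clients[client_id] = (digest, redirect_uri)

    # Steps 4-5: user has authenticated and approved; hand the grant back via a redirect.
    def authorise(self, user, client_id, redirect_uri, state, now=None):
        _, registered_uri = self._clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match registration")
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"user": user, "client_id": client_id,
                             "redirect_uri": redirect_uri,
                             "expires": (now or time.time()) + CODE_LIFETIME_S}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    # Steps 6-7: authenticate the portal, consume the grant, issue the certificate.
    def token(self, client_id, client_secret, code, redirect_uri, public_key, now=None):
        secret_hash, _ = self._clients.get(client_id, (None, None))
        presented = hashlib.sha256(client_secret.encode()).digest()
        if secret_hash is None or not hmac.compare_digest(secret_hash, presented):
            raise PermissionError("client authentication failed")
        grant = self._codes.pop(code, None)     # pop, never get: a code is single-use
        now = now or time.time()
        if grant is None or grant["expires"] < now:
            raise PermissionError("unknown, used or expired authorisation code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("authorisation code was issued to another client")
        body = {"subject": grant["user"], "issuer": "Contrail Online CA",
                "delegate": client_id, "public_key": public_key,
                "not_before": now, "not_after": now + CERT_LIFETIME_S}
        return {"body": body, "signature": self._sign(body)}

    def _sign(self, body):
        canonical = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._ca_key, canonical, hashlib.sha256).hexdigest()

    # Step 8: what a federation core service checks before trusting the certificate.
    # (With a real X.509 signature the core would only need the CA's public certificate.)
    def verify(self, cert, now=None):
        now = now or time.time()
        body = cert["body"]
        return (hmac.compare_digest(self._sign(body), cert["signature"])
                and body["not_before"] <= now <= body["not_after"])


class Portal:
    """OAuth client: one CSRF state per browser session, one key pair for the cert."""

    def __init__(self, ca, client_id, client_secret, redirect_uri):
        self.ca, self.client_id = ca, client_id
        self.secret, self.redirect_uri = client_secret, redirect_uri
        self.sessions = {}
        self.public_key = "portal-pubkey-" + secrets.token_hex(8)  # stand-in for a CSR key

    # Steps 2-3: ask the user for delegation and remember the state for this session.
    def start(self, session_id):
        state = secrets.token_urlsafe(16)
        self.sessions[session_id] = state
        return state

    # Step 5 callback, then step 6: bind the redirect to the session and redeem the code.
    def callback(self, session_id, redirect_url, now=None):
        params = parse_qs(urlparse(redirect_url).query)
        if params.get("state", [None])[0] != self.sessions.pop(session_id, None):
            raise PermissionError("state mismatch: possible CSRF or replay")
        return self.ca.token(self.client_id, self.secret, params["code"][0],
                             self.redirect_uri, self.public_key, now)


def run_flow(now=None):
    """Drive the exchange once for the sample user; returns (cert, ca, portal)."""
    ca = OnlineCA()
    ca.register_client("portal", "portal-secret", "https://portal.example/oauth/cb")
    portal = Portal(ca, "portal", "portal-secret", "https://portal.example/oauth/cb")
    state = portal.start("sess-1")                                            # steps 1-3
    redirect = ca.authorise("alice@idp.example", "portal", portal.redirect_uri, state, now)
    cert = portal.callback("sess-1", redirect, now)                           # steps 6-7
    return cert, ca, portal


if __name__ == "__main__":
    cert, ca, _ = run_flow()
    print(json.dumps(cert["body"], indent=2), "valid:", ca.verify(cert))
```

Step 9 (the 2-legged hop from the core to the cloud providers) is not modelled. In a real deployment the portal would submit a CSR for its own key pair rather than the string stand-in, and the core would verify the returned X.509 certificate against the CA's public certificate instead of sharing the signing key.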
Development Status
• Web portal and federation SSO demonstrated with support for:
  • SAML
  • OpenID
• Command line SSO with a shell script client to the Short-Lived Credential Service (X.509 EECs)
• Delegation with a 2-legged OAuth-like interface; full OAuth to be integrated
Technology used
• Federation Web user interface: Python 2.7+ / Django 1.4 / buildout / Apache 2
  • SAML 2: djangosaml2 v0.5
  • OpenID: django-authopenid
• Federation IdP: SimpleSAMLphp 1.9rc2
• User DB: Java 6 / JPA subclipse / Tomcat
Conclusion
• Single sign-on support with:
  • Browser: SAML 2 and OpenID
  • Other clients: X.509 short-lived entity certificates
• Delegation with an OAuth 2.0 protected Short-Lived Credential Service
• Can we offer Federation-in-a-box or federation-as-a-service?
=> Federated access to resources, building on existing identity federations.
Contrail collaborations
• Contrail evaluation with:
  • EUDAT, CLARIN, ENES
  • EGI federated cloud task force
  • Climate science and Earth Observation communities: OAuth solution for workflows
• OGF groups
  • FEDSEC-CG: federated identity for grids and clouds
  • IDEL-WG: working group on identity delegation
  • Cloud security activities
• …
• Moonshot
contrail is co-funded by the EC 7th Framework Programme
Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT-2009.1.2)
Project reference: 257438
Total cost: 11.29 million euro
EU contribution: 8.3 million euro
Execution: from 2010-10-01 till 2013-09-30
Duration: 36 months
Contract type: Collaborative project (generic)