Contrail and Federated Identity Management Philip Kershaw RAL

Contrail and Federated Identity Management
Philip Kershaw, RAL Space, STFC; Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC 7th Framework Programme

Outline
• Contrail overview and goals
• Architecture
• Single sign-on
• Delegation requirements
• Delegation solutions
• OAuth flow
• Conclusions
• Collaborations
contrail-project.eu

Contrail Overview and Goals
• EC FP7 project, led by INRIA, 36 months, completes Sept 2013
• Federation of cloud providers
• Federation with external IdPs: federated access to resources, building on existing identity federations
• "Elastic" CAs for dynamically created services
• Autonomous SLA management from the SLA@SOI project
• IaaS and PaaS integration
• Reuse of existing open standards: OVF, OCCI, CDMI, WS-Security, SLA@SOI models

Architecture (diagram): browser and rich client access through the Federation CLI and the Federation Web Portal, a REST API, an Online CA, the Federation core and the Federation Identity Provider, sitting in front of the federation of Cloud Providers.

Architecture – Single Sign-on (diagram): the same components, with single sign-on from the browser and Federation CLI to the Federation Web Portal and Federation Identity Provider, and credentials mapping from the federation onto the individual Cloud Providers.

Architecture – Delegation (diagram): the same components, with multiple delegation hops from the browser and Federation CLI through the Federation Web Portal, REST API and Online CA to the Federation core and on to the Cloud Providers.

Delegation … but how?
• A delegator delegates authority to another party, the delegatee
• The rights that the delegatee inherits can vary, e.g.:
  • Identity-based: inherits all the rights of the user
  • Inherits the right to access a single resource only
• Some technology options:
  • GSI proxy certificates
  • OAuth 1.0 (CILogon), OAuth 2.0?
  • Others…

Delegation: technology options
• GSI proxy certificates
  • Delegatee inherits all the rights of the user
  • Custom SSL extensions needed to support verification
• OAuth 1.0
  • Gained traction in the commercial environment: Twitter etc.
  • Digital signature of HTTP header artifacts; canonicalisation can be problematic
• OAuth 2.0
  • Simplified flow
  • Uses SSL: no digital signature implementation necessary
• CILogon
  • Uses OAuth to protect a Short-Lived Credential Service (SLCS), but based on OAuth 1.0
  • Delegatees obtain a standard entity certificate
• SLCS + OAuth 2.0 ✔

OAuth Flow (diagram roles): Browser; Federation Web Portal [OAuth Client]; Federation core [OAuth Authorisation Server]; Online CA [OAuth Resource Server]; Federation Identity Provider; Cloud Providers.

Objective: get a delegated credential for the portal to make onward requests to the federation core.
1. User request to the Federation Web Portal
2. Portal requests authorisation for delegation from the user
3. User is redirected to the authorisation server
4. User authenticates and approves the delegation request
5. Authorisation grant is returned to the portal via a redirect back to the portal
6. Portal requests a certificate (the OAuth access token), passing the authorisation grant as proof of user approval
7. Online CA authenticates the portal and returns the certificate
8. Portal uses the certificate to authenticate with the core services
9. Further delegation needed: '2-legged' OAuth towards the Cloud Providers
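The nine-step flow above as an added Python model, not Contrail project code: the federation core acts as the authorisation server issuing single-use, short-lived grants bound to the registered portal and its redirect URI; the Online CA acts as the resource server turning a redeemed grant into a short-lived delegated credential that core services verify before trusting. The HMAC-signed string stands in for the X.509 certificate, and the client id, secret, scope name and lifetimes are constructed values.

```python
# Added toy model of the OAuth Flow slides (steps 1-9); not Contrail code.
# Portal = OAuth client, federation core = authorisation server, Online CA =
# resource server. An HMAC-signed string stands in for the X.509 certificate.
import hashlib, hmac, secrets, time
from urllib.parse import parse_qs, urlparse

class AuthorisationServer:
    """Federation core: issues single-use, short-lived, client-bound grants."""
    def __init__(self, clients, code_ttl=60):
        self.clients, self.code_ttl, self.codes = clients, code_ttl, {}

    def approve(self, user, client_id, redirect_uri, scope):
        # Steps 3-5: user authenticated and consented; grant bound to registered client/URI.
        if self.clients.get(client_id, {}).get("redirect_uri") != redirect_uri:
            raise ValueError("unregistered client or redirect_uri")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (user, client_id, scope, time.time() + self.code_ttl)
        return f"{redirect_uri}?code={code}"

    def redeem(self, code, client_id, client_secret, redirect_uri):
        # Steps 6-7: authenticate the portal and consume the grant exactly once.
        entry, client = self.codes.pop(code, None), self.clients.get(client_id)
        if not entry or not client or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("invalid grant or client credentials")
        user, bound_client, scope, expiry = entry
        if bound_client != client_id or client["redirect_uri"] != redirect_uri or time.time() > expiry:
            raise PermissionError("grant expired or bound to another client")
        return user, scope

class OnlineCA:
    """Resource server: issues a short-lived credential naming user and delegatee."""
    def __init__(self, key, lifetime=3600):
        self.key, self.lifetime = key, lifetime

    def issue(self, user, delegatee, scope):
        body = f"{user}|{delegatee}|{scope}|{int(time.time()) + self.lifetime}"
        return body + "|" + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def subject_if_valid(self, cred):
        # Step 8: core services check signature and expiry before trusting it.
        body, sig = cred.rsplit("|", 1)
        expect = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        fields = body.split("|")
        return fields[0] if hmac.compare_digest(expect, sig) and int(fields[3]) > time.time() else None

def run_flow(auth, ca, user, portal):
    # Steps 1-2: user request; portal asks for delegation and redirects to the AS.
    redirect = auth.approve(user, portal["id"], portal["redirect_uri"], "read:vm")
    code = parse_qs(urlparse(redirect).query)["code"][0]           # step 5
    subject, scope = auth.redeem(code, portal["id"], portal["secret"], portal["redirect_uri"])
    return ca.issue(subject, portal["id"], scope)                   # step 7
```

The credential names both the user and the portal as delegatee, so a core service can see who is acting for whom, and a second redemption of the same grant or a tampered credential is rejected.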

Development Status
• Web portal and federation SSO demonstrated with support for:
  • SAML
  • OpenID
• Command line SSO with a shell script client to the Short-Lived Credential Service (X.509 EECs)
• Delegation with a 2-legged OAuth-like interface; full OAuth to be integrated

Technology used
Federation web user interface: Python 2.7+ / Django 1.4 / buildout / Apache 2
SAML 2: djangosaml2 v0.5
OpenID: django-authopenid
Federation IdP: SimpleSAMLphp 1.9rc2
User DB: Java 6 / JPA subclipse / Tomcat

Conclusion
Single sign-on support with:
• Browser: SAML 2 and OpenID
• Other clients: X.509 short-lived entity certificates
Delegation with an OAuth 2.0 protected Short-Lived Credential Service
Can we offer federation-in-a-box or federation-as-a-service?
=> Federated access to resources, building on existing identity federations.

Contrail collaborations
• Contrail evaluation with:
  • EUDAT, CLARIN, ENES
  • EGI federated cloud task force
  • Climate science and Earth Observation communities: OAuth solution for workflows
• OGF groups
  • FEDSEC-CG: federated identity for grids and clouds
  • IDEL-WG: working group on identity delegation
• Cloud security activities
• … Moonshot

contrail is co-funded by the EC 7th Framework Programme
Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT-2009.1.2)
Project reference: 257438
Total cost: 11.29 million euro
EU contribution: 8.3 million euro
Execution: from 2010-10-01 till 2013-09-30
Duration: 36 months
Contract type: Collaborative project (generic)