SAML to LDAP bridging for non-web access
Marcus Hardt
Motivation
• Allow Linux logins using SAML
  • i.e. non-web => ECP
• Harmonise our existing AuthN infrastructure at KIT
  • Give same (UID, [GID]) to user with SAML and X.509 Auth
  • Easy to use solutions
• Goal: Map to same (UID, [GID]) regardless of AuthN method
• Use case:
  • Provide access via [ssh|gsi-ssh|globus-ftp|...] to same filesystem
  • Have credential translation available (DFN-SLCS)
• Pilot: ssh-login for users from state of Baden-Württemberg
https://aarc-project.eu
Approach
• Provide an LDAP interface for legacy services
  • Supports many Linux services
• LDAP authentication:
  • (username, password) are handed from service to LDAP interface (via PAM module)
  • PAM module tries to guess home IdP from username (ka_lo0018@<host>)
  • Try to obtain an assertion from selected home IdP
  • Return (UID, [GID]) based on attributes found inside assertion
• Extensible:
  • Smart processing of tokens, transported via password field
  • e.g.: SAML assertion, URL to an encrypted assertion, ...
Status
• Works very well in production for IdPs that support ECP
• Several installations in Baden-Württemberg
  • bwHPC, bwSync&Share, bwFileStore
• Used in production for more and more services of KIT computing centre
  • Large Scale Storage Facility
  • Several HPC clusters
• However
  • Currently requires SAML/ECP on the IdP
  • Workarounds possible...
23.04.2014, Marcus Hardt @ kit.edu. Slide courtesy of Sebastian Labitzke, Steinbuch Centre for Computing (SCC), KIT
Authentication Scenarios
• (a) Enhanced Proxy (ECP)
  • Client sends password to LDAP Facade
  • LDAP Facade logs in at home IdP on your behalf ;)
• (b) Enhanced Client (ECP)
  • Local client handles creation of assertion
  • Assertion passed to LDAP Facade
• (c) Local authentication
  • Login via other means (e.g. ssh-keys)
  • LDAP Facade runs assertion query to verify user is still active
Image courtesy of Jens Köhler, KIT
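As an added example (not code from the slides or from KIT's LDAP Facade), the following Python models the login step from the Approach slide and scenarios (a) and (b) above: the facade derives the home IdP from the realm part of the login name, decides whether the password field carries a real password or a base64-encoded SAML assertion, checks the assertion's validity window and audience, and maps the eduPersonPrincipalName to a stable (UID, GID). The realm table, the facade's entityID, the helper names and the sample assertion are assumptions; the ECP exchange with the IdP is replaced by a constructed stand-in, and XML signature verification, which a real facade must do before trusting any attribute, is left out.

```python
# Added model of the LDAP Facade login step (not the KIT software). Assumed names:
# IDP_BY_REALM, FACADE_ENTITY_ID, UidAllocator, authenticate, fake_ecp_login, DEMO_NOW.
import base64
import re
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"            # eduPersonPrincipalName
FACADE_ENTITY_ID = "https://ldap-facade.invalid/sp"    # assumed SP entityID
IDP_BY_REALM = {"kit.edu": "https://idp.kit.invalid/idp/profile/SAML2/SOAP/ECP"}  # assumed
LOGIN_RE = re.compile(r"^(?P<user>[a-z_][a-z0-9_]*)@(?P<realm>[a-z0-9.-]+)$")

def guess_home_idp(login):
    """Derive the home IdP from the realm part of 'user@realm' (Approach slide)."""
    m = LOGIN_RE.match(login)
    if not m or m.group("realm") not in IDP_BY_REALM:
        raise ValueError("cannot map login %r to a home IdP" % login)
    return IDP_BY_REALM[m.group("realm")]

def classify_password_field(value):
    """Password (scenario a), base64 SAML assertion (scenario b) or URL (future)."""
    if value.startswith("https://"):
        return "url"
    try:
        raw = base64.b64decode(value, validate=True)
    except (ValueError, TypeError):    # not valid base64 -> ordinary password
        return "password"
    return "assertion" if re.search(rb"<(\w+:)?Assertion\b", raw) else "password"

def attributes_from_assertion(xml_bytes, now, audience=FACADE_ENTITY_ID):
    """{name: [values]} after window and audience checks; a real facade also
    verifies the IdP's XML signature first, which this example leaves out."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Assertion" % SAML:
        raise ValueError("not a SAML 2.0 assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion without Conditions")
    nb, na = (datetime.strptime(cond.get(k), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
              for k in ("NotBefore", "NotOnOrAfter"))
    if not (nb <= now < na):
        raise ValueError("assertion outside its validity window")
    if audience not in [a.text for a in
                        cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion was not issued for this facade")
    return {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
            for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}

class UidAllocator:
    """One (UID, GID) per persistent id: SAML and X.509 logins get the same numbers."""
    def __init__(self, first_uid=100000, gid=10000):
        self._table, self._next, self._gid = {}, first_uid, gid
    def lookup(self, eppn):
        if eppn not in self._table:
            self._table[eppn] = (self._next, self._gid)
            self._next += 1
        return self._table[eppn]

def authenticate(login, password_field, ecp_login, allocator, now):
    """What the facade does with the (username, password) handed over by PAM."""
    kind = classify_password_field(password_field)
    if kind == "password":       # scenario (a): facade logs in at the IdP
        xml_bytes = ecp_login(guess_home_idp(login), login, password_field)
    elif kind == "assertion":    # scenario (b): client created the assertion
        xml_bytes = base64.b64decode(password_field)
    else:
        raise NotImplementedError("URL tokens are a future extension")
    attrs = attributes_from_assertion(xml_bytes, now)
    if attrs.get(EPPN, [None])[0] != login:    # bind the assertion to the login name
        raise PermissionError("assertion does not belong to %s" % login)
    return allocator.lookup(login)

# Constructed, unsigned sample assertion for the offline demo.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2014-04-23T10:00:00Z">
  <saml:Conditions NotBefore="2014-04-23T09:55:00Z" NotOnOrAfter="2014-04-23T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://ldap-facade.invalid/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>ka_lo0018@kit.edu</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
SAMPLE_ASSERTION_B64 = base64.b64encode(SAMPLE_ASSERTION).decode()
DEMO_NOW = datetime(2014, 4, 23, 10, 0, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2014, 4, 23, 10, 5, tzinfo=timezone.utc)

def fake_ecp_login(idp_url, login, password):
    """Stand-in for the SOAP/PAOS ECP exchange with the IdP (constructed)."""
    if password != "correct horse battery staple":
        raise PermissionError("IdP rejected the password")
    return SAMPLE_ASSERTION

def demo():
    """Scenarios (a) and (b) for the same person yield the same (UID, GID)."""
    alloc = UidAllocator()
    a = authenticate("ka_lo0018@kit.edu", "correct horse battery staple",
                     fake_ecp_login, alloc, DEMO_NOW)
    b = authenticate("ka_lo0018@kit.edu", SAMPLE_ASSERTION_B64,
                     fake_ecp_login, alloc, DEMO_NOW)
    return a, b
```

The allocator is keyed on the persistent identifier rather than on the authentication method, which is what lets an X.509 login receive the same numbers once its certificate subject has been mapped to the same eduPersonPrincipalName; the `attrs[EPPN] == login` check stops an assertion for one user from being replayed under another login name.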
Summary
• We can now use non-web based SAML via ECP
  • e.g. authenticate SSH with home IdP
  • Unmodified client and server (thanks to LDAP)
• Future work
  • Integration with grid-security-infrastructure (i.e. globus-ftpd uses LDAP Facade for (UID, [GID]))
  • Extend LDAP Facade to support external AA for group management
• Tools for easier usage (as a proof of concept):
  • saml-init => download the SAML assertion to /tmp/samlup_u1234
  • sshpass => read password from file and pipe it into ssh