CLASSe PROJECT: IMPROVING SSO IN THE CLOUD. Alejandro Pérez, Rafael Marín, Gabriel López

CLASSe project: Improving SSO in the cloud
Alejandro Pérez, Rafael Marín, Gabriel López
TNC 2015, Porto, June 17th

Introduction
CLASSe (Cloud-ABFAB Federation Services in eduroam)
Objectives:
1. Enabling GÉANT users to access cloud services (OpenStack) using ABFAB technologies
2. Improving the SSO user experience
3. Designing solutions to support Virtual Organizations (VOs)

ABFAB
IETF WG – Application Bridging for Federated Access Beyond web
Federated identity for Internet protocols not based on HTTP
– E.g.: SMTP, SSH or NFS

ABFAB
Key components:
– EU → wants to access a service
– RP → provides the service
– IdP → authenticates the EU and provides authorization information to the RP

ABFAB
Core technology → GSS-EAP (RFC 7055):
– GSS-API → access control to the service
– EAP → user authentication
– RADIUS → federation
– SAML → authorization information
Moonshot → reference implementation

CLASSe
Allowing GÉANT users to access cloud services using ABFAB technologies
– Modified OpenStack to support ABFAB authentication (using Moonshot)
– and to translate SAML attributes into OpenStack attributes
Benefits:
– Any member of the GÉANT community can access the cloud service without requiring the creation of a new account
As a result of the project, official support for Moonshot is being included in OpenStack

CLASSe
Objectives:
1. Enabling GÉANT users to access cloud services (OpenStack) using ABFAB technologies
2. Improving the SSO user experience
3. Designing solutions to support Virtual Organizations (VOs)

Single Sign-On (SSO)
Objectives:
– Prompt the EU for credentials once, at the beginning of the session
– Subsequent accesses to different RPs do not require entering the credentials again
Two different models, which we have called:
– Traditional SSO
– Real SSO

Single Sign-On (SSO)
Traditional SSO
– Secure storage of credentials on the EU's device (e.g.: GNOME Keyring, Windows Credential Manager, Firefox credential manager...)
– A software agent takes care of the automatic selection and provision of credentials
(+) Does not require any specific SSO mechanism at protocol level
(-) A complete authentication process is performed for each different access → high resource utilization
Moonshot uses this model → Identity Selector

Single Sign-On (SSO)
Real SSO
– Provides the EU with some sort of authentication token
– The token is used to speed up subsequent authentication processes (e.g.: Kerberos, SAML, OpenID...)
(+) The authentication process typically consists of a single round trip → low resource utilization
(-) Requires support at protocol level

CLASSe
Improving the SSO user experience
– Optimize how traditional SSO is performed in Moonshot
– Introduce real SSO in ABFAB

Optimizing traditional SSO in Moonshot
Typical Moonshot EAP methods are TTLS and PEAP
– ~7 round trips to complete
– Several asymmetric cryptography operations (e.g.: DH exchange)
We have implemented support for TLS session resumption
– Store the TLS session state on the EU's device after the first authentication
– Use it to speed up authentication in subsequent accesses
– Authentication is reduced to 3 round trips with no DH

Performance analysis
We have measured:
– Total amount of time to complete the access to the cloud service (including authentication, authorization, OpenStack operations...)
– Total amount of data exchanged between the entities during the whole access process
– Amount of time spent in the AAA infrastructure
– Amount of data exchanged in the AAA infrastructure

Performance analysis

                     Moonshot       TTLS-resumption
Total time           2727 ms        2056 ms (-24%)
AAA time             567 ms         231 ms (-59%)
Total data (bytes)   64395 bytes    47958 bytes (-25%)
AAA data (bytes)     6450 bytes     2420 bytes (-62%)

Introducing real SSO in ABFAB
ERP (EAP Re-authentication Protocol)
– Standard mechanism for fast re-authentication in EAP
– Needs minor adaptations in GSS-EAP, documented in draft-perez-abfab-wg-arch-erp-00
– Reduces the number of round trips to 1 → less traffic and less time spent in the AAA infrastructure
– Avoids contacting the IdP for intra-domain SSO
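As an added illustration, not code from the CLASSe project, Moonshot or the ERP draft: a small Python model of the ERP re-authentication described above, showing why a re-auth is a single round trip that a local ER server can answer without the IdP, and how a replayed sequence number is rejected. The rRK/rIK/rMSK hierarchy follows the RFC 6696 labels and the RFC 5295 PRF+ as I read them; the message layout, key-name handling and cryptosuite encoding are simplified assumptions, and the EMSK is constructed.

```python
import hashlib, hmac, struct

# Constructed EMSK standing in for the one exported by the full (~7 round trip) EAP run through the IdP.
EMSK = hashlib.sha256(b"constructed-emsk-from-full-eap-authentication").digest() * 2  # 64 octets

def prf_plus(key, seed, length):
    """PRF+ as in RFC 5295 (iterated HMAC-SHA-256): T_i = HMAC(key, T_{i-1} | seed | i)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hashlib.sha256).digest()
        out, i = out + t, i + 1
    return out[:length]

# Key hierarchy modelled on RFC 6696: S = label | "\0" | (extra field) | 2-octet length.
def derive_rrk(emsk, length=64):
    return prf_plus(emsk, b"EAP Re-authentication Root Key@ietf.org\x00" + struct.pack("!H", length), length)

def derive_rik(rrk, cryptosuite=2, length=32):   # cryptosuite 2 = HMAC-SHA256-128 (1-octet encoding assumed)
    return prf_plus(rrk, b"Re-authentication Integrity Key@ietf.org\x00" + bytes([cryptosuite]) + struct.pack("!H", length), length)

def derive_rmsk(rrk, seq, length=64):            # fresh per re-auth, bound to the sequence number
    return prf_plus(rrk, b"Re-authentication Master Session Key@ietf.org\x00" + struct.pack("!H", seq) + struct.pack("!H", length), length)

def auth_tag(rik, keyname, seq):                 # simplified integrity checksum over the re-auth message
    return hmac.new(rik, keyname + struct.pack("!H", seq), hashlib.sha256).digest()[:16]

class ERServer:
    """Local ER server: already holds the peer's rRK, so intra-domain re-auth never contacts the IdP."""
    def __init__(self, keyname, rrk):
        self.keys, self.last_seq = {keyname: rrk}, {keyname: -1}
    def reauth(self, keyname, seq, tag):
        rrk = self.keys.get(keyname)
        if rrk is None or seq <= self.last_seq[keyname]:          # unknown key name or replayed SEQ
            return None
        if not hmac.compare_digest(auth_tag(derive_rik(rrk), keyname, seq), tag):
            return None                                            # integrity check failed
        self.last_seq[keyname] = seq
        return derive_rmsk(rrk, seq)                               # rMSK handed to the RP as the session key

def peer_reauth(server, keyname, rrk, seq):
    """One round trip: peer sends (keyname, seq, tag); True if the server's rMSK matches the peer's."""
    got = server.reauth(keyname, seq, auth_tag(derive_rik(rrk), keyname, seq))
    return got is not None and got == derive_rmsk(rrk, seq)

if __name__ == "__main__":
    rrk = derive_rrk(EMSK)
    srv = ERServer(b"alice@idp.example", rrk)
    print(peer_reauth(srv, b"alice@idp.example", rrk, 1))  # True: one round trip, IdP not contacted
    print(peer_reauth(srv, b"alice@idp.example", rrk, 1))  # False: replayed sequence number
```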

Performance analysis

                     Moonshot       ERP (inter-domain)     ERP (intra-domain)
Total time           2727 ms        1779 ms (-34%)         1659 ms (-39%)
AAA time             567 ms         76 ms (-86%)           0 ms (-100%)
Total data (bytes)   64395 bytes    43682 bytes (-32%)     41929 bytes (-35%)
AAA data (bytes)     6450 bytes     1645 bytes (-75%)      0 bytes (-100%)

Main contributions to the IETF
ERP extensions for GSS-EAP
– Describes how to support ERP in the GSS-EAP mechanism (RFC 7055)
– Personal draft: draft-perez-abfab-wg-arch-erp-00
Fragmentation support for RADIUS
– Defines how to send RADIUS packets over the 4096-byte limit
– Recently published as RFC 7499
A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML
– Defines how to transport SAML over RADIUS
– Active collaboration and editorship
– WG document: draft-ietf-abfab-aaa-saml

Summary
Improving traditional SSO in Moonshot with TLS resumption
– Solution at implementation level → Moonshot
– Provides substantial reductions of the load on the AAA infrastructure (59%)
Introducing real SSO in ABFAB with ERP
– Solution at specification level → ABFAB
– Provides further reductions of the load on the AAA infrastructure (86%-100%)
ABFAB-enabled applications do not need any change

Next steps
Continue moving our ERP proposal for real SSO forward in the ABFAB WG
Try to push ERP support into FreeRADIUS

Thank you for your attention