Moonshot, in a nutshell

Presentation transcript:

Slide 1: Moonshot, in a nutshell
  Components in the diagram: Client, Server, AAA (server), SAML IdP
  Protocols in the diagram: EAP (between client and server), RADIUS (between server and AAA)

Slide 2: Moonshot with SSH
  Components: OpenSSH client, OpenSSH server, FreeRADIUS AAA server, SAML IdP
  Protocols: GSS EAP over SSH (client to server), RADIUS (server to AAA)
  On the server:
    - gss_authorize_localname() to authorise the user
    - gss_pname_to_uid() if the requested user name is empty
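The two server-side decisions on this slide, as an added model in Python (not Moonshot's or MIT's implementation): gss_authorize_localname() answers "may this federated peer act as the named local account?", and gss_pname_to_uid() picks an account when the client sent no user name at all. The realm name, the explicit account map and the passwd table are constructed; the rule that a local-realm principal maps to the same-named account while every foreign principal needs an explicit entry is the one this model chooses, so that a foreign "bob" never becomes the local "bob" by name collision.

```python
# Added example: model of gss_authorize_localname() / gss_pname_to_uid() as the
# OpenSSH server on the slide would use them. Constructed data and rules only.

LOCAL_REALM = "example.ac.uk"      # constructed: realm whose users map 1:1 to accounts

# Constructed explicit map: federated peer name -> local accounts it may use.
# Peers from other realms get nothing unless listed here.
EXPLICIT_MAP = {
    "alice@partner.ac.uk": ["alice-p", "guest"],
}

# Constructed stand-in for the passwd database.
PASSWD = {"alice": 1001, "alice-p": 1002, "guest": 1003, "bob": 1004}


def split_name(peer):
    """Split 'user@realm'; a name without a realm is treated as foreign."""
    user, sep, realm = peer.rpartition("@")
    return (user, realm) if sep else (peer, "")


def authorize_localname(peer, local_user):
    """Model of gss_authorize_localname(): may `peer` log in as `local_user`?"""
    user, realm = split_name(peer)
    if realm == LOCAL_REALM and user == local_user:
        return True                      # same-named account in the local realm
    # Everything else needs an explicit entry: 'bob@partner.ac.uk' does not
    # become the local 'bob' just because the user parts collide.
    return local_user in EXPLICIT_MAP.get(peer, [])


def pname_to_uid(peer):
    """Model of gss_pname_to_uid(): choose a uid when the client sent no user name."""
    user, realm = split_name(peer)
    if realm == LOCAL_REALM:
        candidate = user
    else:
        allowed = EXPLICIT_MAP.get(peer, [])
        if not allowed:
            return None
        candidate = allowed[0]           # first mapped account is the default
    return PASSWD.get(candidate)


def ssh_login_decision(peer, requested_user):
    """The server flow from the slide: the uid to run the session as, or None
    to refuse. An empty requested user means "derive it from the peer name"."""
    if not requested_user:
        return pname_to_uid(peer)
    if authorize_localname(peer, requested_user):
        return PASSWD.get(requested_user)
    return None
```

The order matters: the mapping is consulted only for the account the client asked for, and an account is returned only if it exists in the passwd table, so a peer authorised for a non-existent account is still refused.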

Slide 3: Moonshot with CIFS
  Components: Samba4 client, Samba4 file server, FreeRADIUS AAA server, Windows Domain Controller
  Protocols: GSS EAP over CIFS (SPNEGO) (client to server), RADIUS (+PAC) (server to AAA), Protocol Transition (S4U2Self) (server to Domain Controller)
  On the server:
    - gss_get_name_attribute("urn:mspac:")
    - gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY)

Slide 4: Moonshot with LDAP
  Components: OpenLDAP client, OpenLDAP server, FreeRADIUS AAA server, SAML IdP (Shibboleth)
  Protocols: GSS EAP over LDAP (SASL) (client to server), RADIUS (+SAML) (server to AAA)
  On the server:
    - gss_get_name_attribute("eduPersonEntitlement")
    - example access rule:
        access to attrs=eduPersonEntitlement
                by dynacl/gss/eduPersonAffiliation=faculty write
                by * read
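The access rule on this slide, evaluated against attributes obtained the way the slide shows (gss_get_name_attribute() on the authenticated GSS name), as an added Python model. The rule text mirrors the slide; the evaluator, the attribute values and the deny-by-default for attributes no directive covers are constructed and are not slapd's own code.

```python
# Added example: model of the slide's OpenLDAP dynacl/gss access rule.
# Constructed evaluator; not slapd's implementation.

# Mirrors the slide:
#   access to attrs=eduPersonEntitlement
#           by dynacl/gss/eduPersonAffiliation=faculty write
#           by * read
ACL = [
    {
        "attrs": {"eduPersonEntitlement"},
        "by": [
            ({"eduPersonAffiliation": "faculty"}, "write"),   # dynacl/gss clause
            ({}, "read"),                                    # "by *" matches anyone
        ],
    },
]

# Access levels in increasing order; a higher level includes the lower ones.
LEVELS = {"none": 0, "read": 1, "write": 2}


def get_name_attribute(name_attrs, attr):
    """Model of gss_get_name_attribute(): the values asserted for this name
    (here, what the AAA/SAML side supplied), or an empty list if none."""
    return name_attrs.get(attr, [])


def clause_matches(clause, name_attrs):
    """A dynacl/gss clause matches when every attribute=value it names is among
    the asserted values; the empty clause is "by *"."""
    return all(value in get_name_attribute(name_attrs, attr)
               for attr, value in clause.items())


def access_level(name_attrs, target_attr):
    """First directive covering the attribute wins, and within it the first
    matching 'by' clause; a covering directive with no matching clause denies."""
    for rule in ACL:
        if target_attr in rule["attrs"]:
            for clause, level in rule["by"]:
                if clause_matches(clause, name_attrs):
                    return level
            return "none"
    return "none"      # constructed default: attributes no directive covers are denied


def allowed(name_attrs, target_attr, op):
    """Is operation `op` ('read' or 'write') on `target_attr` permitted?"""
    return LEVELS[access_level(name_attrs, target_attr)] >= LEVELS[op]


# Constructed name attributes as the relying party would receive them.
FACULTY = {"eduPersonAffiliation": ["faculty", "member"]}
STUDENT = {"eduPersonAffiliation": ["student", "member"]}
```

The point of the dynacl/gss clause is that the decision keys on an attribute the home organisation asserted, not on a local group the server administrator has to maintain; an identity that asserts no affiliation at all still falls through to the "by * read" clause.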

Slide 5: Kerberos with SAML
  Components: OpenLDAP client, OpenLDAP server, Kerberos KDC, SAML IdP (Shibboleth)
  Protocols: TGS-REQ (client to KDC), Kerberos over LDAP (SASL) (client to server)

Slide 6: Moonshot with Kerberos delegation
  Components: Firefox, Apache server, IMAP server, FreeRADIUS AAA server, SAML IdP, Kerberos KDC
  Protocols: GSS EAP over HTTP Negotiate (Firefox to Apache), RADIUS (Apache to AAA), Protocol Transition (S4U2Self) (Apache to KDC), Kerberos (SASL) (Apache to IMAP server)
  Notes on the diagram:
    - the SAML IdP signs the assertion with Kidp
    - the Kerberos KDC verifies the assertion and re-signs it with the ticket session key

Slide 7: Moonshot with Kerberos delegation: the gory details
  (C is the client, S1 the first service, S2 the second service)
   1. C authenticates to S1 using GSS EAP
   2. S1 makes a PT (protocol transition) request with the SAML assertion in authorization data
   3. KDC verifies the assertion signed with Kidp
   4. KDC re-signs the assertion with Ksession, and the authorization data with Ktgs
   5. KDC issues ticket (C, S1)
   6. S1 makes a constrained delegation request for S2 using (C, S1)
   7. KDC verifies the assertion signature
   8. KDC issues ticket (C, S2) containing the re-signed assertion (Ksession)
   9. S1 authenticates using Kerberos to S2 (AP-REQ)
  10. S2 verifies the assertion signature with Ksession
  11. S2 retrieves the assertion from authorization data
  12. S2 performs attribute-based authorization of C
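The signature chain from slides 6 and 7, carried through end to end as an added Python model (not Moonshot, MIT or Heimdal code). HMAC-SHA256 stands in for the signatures; the keys, service names, the JSON assertion and the delegation allow-list are constructed. Ticket encryption under the service's long-term key is not modelled, only who holds which key and therefore who can verify what: S2 never learns Kidp or Ktgs, yet can check the assertion because the KDC re-signed it with the session key that travels inside S2's own ticket. The tamper path shows why that re-signature matters.

```python
# Added example: model of the S4U2Self / constrained-delegation signature chain
# on the slides. All keys and names are constructed.
import hashlib
import hmac
import json
import os

K_IDP = b"constructed-idp-key"  # the slide's Kidp: shared by the SAML IdP and the KDC
K_TGS = b"constructed-tgs-key"  # the slide's Ktgs: known only to the KDC
# Constrained delegation allow-list: which service may get tickets to which targets.
DELEGATION_ALLOWED = {"HTTP/apache": {"imap/mail"}}


def mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def mac_ok(key, data, tag):
    return hmac.compare_digest(mac(key, data), tag)


def idp_issue_assertion(subject, attrs):
    """SAML IdP: attribute assertion about C, signed with Kidp."""
    assertion = json.dumps({"subject": subject, "attrs": attrs}, sort_keys=True).encode()
    return assertion, mac(K_IDP, assertion)


def _issue_ticket(client, service, assertion):
    """KDC: ticket (client, service). Its authorization data carries the assertion
    re-signed with the fresh session key, and Ktgs signs the authorization data.
    (The real ticket is encrypted under the service's long-term key; not modelled.)"""
    k_session = os.urandom(32)
    assertion_sig = mac(k_session, assertion)
    return {"client": client, "service": service, "session_key": k_session,
            "authz": {"assertion": assertion, "assertion_sig": assertion_sig},
            "kdc_sig": mac(K_TGS, assertion + assertion_sig)}


def kdc_protocol_transition(s1, subject, assertion, idp_sig):
    """S4U2Self: S1 presents the IdP assertion and receives a ticket (C, S1)."""
    if not mac_ok(K_IDP, assertion, idp_sig):
        raise PermissionError("assertion is not signed by the trusted IdP")
    if json.loads(assertion)["subject"] != subject:
        raise PermissionError("assertion is about a different subject")
    return _issue_ticket(subject, s1, assertion)


def kdc_constrained_delegation(s1, evidence, s2):
    """S4U2Proxy: S1 presents (C, S1) as evidence and asks for (C, S2)."""
    if s2 not in DELEGATION_ALLOWED.get(s1, set()):
        raise PermissionError(s1 + " may not delegate to " + s2)
    if evidence["service"] != s1:
        raise PermissionError("evidence ticket was not issued to S1")
    a, sig = evidence["authz"]["assertion"], evidence["authz"]["assertion_sig"]
    if not mac_ok(K_TGS, a + sig, evidence["kdc_sig"]):
        raise PermissionError("authorization data was not issued by this KDC")
    if not mac_ok(evidence["session_key"], a, sig):
        raise PermissionError("assertion signature does not verify")
    return _issue_ticket(evidence["client"], s2, a)


def s2_authorize(ticket, my_name, required_affiliation):
    """S2 on AP-REQ: verify the assertion with the ticket session key, take it
    from the authorization data, and decide on attributes. Returns True/False
    for the decision, or None when the ticket or assertion does not verify."""
    if ticket["service"] != my_name:
        return None
    a, sig = ticket["authz"]["assertion"], ticket["authz"]["assertion_sig"]
    if not mac_ok(ticket["session_key"], a, sig):
        return None
    claims = json.loads(a)
    if claims["subject"] != ticket["client"]:
        return None
    return required_affiliation in claims["attrs"].get("eduPersonAffiliation", [])


def run_flow(affiliations, tamper=False):
    """C -> S1 (HTTP/apache) -> S2 (imap/mail), the path on the slide."""
    assertion, sig = idp_issue_assertion("C", {"eduPersonAffiliation": affiliations})
    t_s1 = kdc_protocol_transition("HTTP/apache", "C", assertion, sig)
    t_s2 = kdc_constrained_delegation("HTTP/apache", t_s1, "imap/mail")
    if tamper:  # someone on the path rewrites the claims; S2 must notice
        t_s2["authz"]["assertion"] = json.dumps(
            {"subject": "C", "attrs": {"eduPersonAffiliation": ["faculty"]}},
            sort_keys=True).encode()
    return s2_authorize(t_s2, "imap/mail", "faculty")
```

run_flow(["faculty"]) walks all twelve steps and returns S2's decision; the allow-list check in kdc_constrained_delegation is the "constrained" part of constrained delegation, and it is the KDC, not S1, that enforces it.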

Slide 8: Patches
  - Cyrus SASL: GS2 plugin integrated (apparently)
  - MIT Kerberos: in master but not shipped; MIT 1.8 and 1.9 should work with some features missing
  - Heimdal: in master but not reviewed/shipped; probably no shipped versions will work because the mechglue loader is broken
  - Samba: in progress
  - OpenSSH: in the Moonshot repository but not integrated upstream
  - OpenLDAP, Jabber server, Adium, etc.: use SASL, no changes required; ACL plugin in contrib/ in master

Slide 9: MIT S4U GSS APIs
  - gss_acquire_cred_impersonate_name: allows a service to get a ticket to itself for an arbitrary user (S4U2Self)
  - gss_accept_sec_context: always returns a delegated handle; if the client did not provide a TGT, it will do "constrained delegation"