Identity Federations - Overview


Identity Federations - Overview
Marco Fargetta - INFN – Italy (marco.fargetta@ct.infn.it)
EthERNet e-Research Hackfest – Addis Ababa (Ethiopia)

Identity Management

Authorisation

Remote Identity

Single Sign-On

SAML Federation
- SAML distinguishes two main kinds of resource:
  - Identity Provider (IdP)
  - Service Provider (SP)
- A federation is a group of resources that:
  - share a common policy
  - are managed as a single entity
- Authentication always takes place between one IdP and one SP
- The federation only establishes the initial trust among the resources

SAML Authentication
- A user wants to access an SP
- The user is redirected to a Discovery Service
  - It can be an external service or embedded in the SP
  - It lets the user choose their IdP
- The user goes back to the SP with the ID of their own IdP
- The user is redirected to the IdP
- Authentication is performed
- The user goes back to the SP with the authentication result
- All the steps above exchange SAML messages (XML documents), ending with the SAML assertion that carries the authentication result

SAML Authentication

Authentication flow
- SAML authentication was mainly designed for web services
- Other types of resource can be implemented, either web based or native applications
- Resources can support multiple SAML profiles
  - The profile identifies the exchange protocol (binding) and the message format
- The most used profile for web applications is redirect
  - The browser shows a page with JavaScript performing the redirect
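The redirect profile mentioned above, as an added example that is not part of the original slides: an SP builds an AuthnRequest and encodes it for the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, base64, URL-encode), and the IdP decodes it. The entityIDs and endpoints are constructed placeholders, and request signing (SigAlg/Signature) is left out.

```python
import base64
import urllib.parse
import uuid
import zlib
from datetime import datetime, timezone

# Constructed identifiers for this example; a real SP takes the IdP's
# SSO endpoint from the federation metadata.
SP_ENTITY_ID = "https://sp.example.org/shibboleth"
SP_ACS_URL = "https://sp.example.org/Shibboleth.sso/SAML2/POST"
IDP_SSO_URL = "https://idp.example.org/idp/profile/SAML2/Redirect/SSO"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url):
    """Minimal SAML 2.0 AuthnRequest. The SP must remember the ID so it can
    match the IdP's Response (InResponseTo) and reject unsolicited ones."""
    request_id = "_" + uuid.uuid4().hex
    issue_instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" AssertionConsumerServiceURL="{acs_url}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer>"
        "</samlp:AuthnRequest>"
    )

def encode_redirect(xml_request):
    """HTTP-Redirect binding encoding: raw DEFLATE, base64, URL-encode."""
    # wbits=-15 produces raw DEFLATE without the zlib header, as the binding requires
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml_request.encode()) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")

def decode_redirect(param_value):
    """Inverse of encode_redirect, as done by the IdP on receipt."""
    raw = base64.b64decode(urllib.parse.unquote(param_value))
    return zlib.decompress(raw, -15).decode()

def redirect_url(idp_sso_url, xml_request, relay_state="/protected"):
    """Location header value: the browser carries the request to the IdP in the
    query string. Signed requests add SigAlg and Signature parameters (omitted here)."""
    query = "SAMLRequest=" + encode_redirect(xml_request)
    query += "&RelayState=" + urllib.parse.quote(relay_state, safe="")
    return f"{idp_sso_url}?{query}"
```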

Single Sign-On
- The IdP keeps track of user authentications
- Multiple requests from different services require the user to authenticate only once
  - Although services can require different information
- Attribute release has to be confirmed and authorised by the user
  - This is not implemented in all IdP software
- The Discovery Service could store the user's selection
  - If so, users could have problems changing IdP in the future

SAML Authorisation
- Each SP is responsible for the authorisation of the accessing users
- Authorisation is not federated
- The federation is responsible for making the attributes used by the resources uniform and for creating trust among the entities
- User authentication is point-to-point between the two involved resources

SAML Authorisation
- An SP can apply authorisation in different ways:
  - Accept all the federated users
  - Accept federated users according to some filters
    - Users of a subset of IdPs
    - Users with some specific value in an attribute
  - Perform an authorisation request step in the SP
- Some tools are emerging to perform federated authorisation, but they are not widely adopted
  - Not needed for many SPs
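The SP-side policies listed above, as an added example that is not from the original slides: the SP extracts the issuing IdP and the released attributes from an assertion and applies one of the three filters (all federated users, a subset of IdPs, a required attribute value). The assertion is constructed, its signature element is omitted, and signature and condition validation are assumed to have already happened.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names (OIDs) for eduPersonPrincipalName and eduPersonAffiliation
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"

# Constructed assertion: Issuer is the user's IdP, the AttributeStatement
# carries what that IdP chose to release (signature element left out).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_c0ffee" Version="2.0" IssueInstant="2016-03-13T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_assertion(xml_text):
    """Return (issuing IdP entityID, {attribute name: [values]}).
    A real SP validates the XML signature and conditions before this step."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return issuer, attrs

def authorise(issuer, attrs, policy):
    """Apply one of the SP-side policies listed on the slide.
    {"mode": "all"}                                   accept every federated user
    {"mode": "idps", "allowed": {entityIDs}}          only users of a subset of IdPs
    {"mode": "attribute", "name": N, "values": {V}}   only users with a given value"""
    mode = policy["mode"]
    if mode == "all":
        return True
    if mode == "idps":
        return issuer in policy["allowed"]
    if mode == "attribute":
        # any overlap between released values and accepted values is enough
        return bool(set(attrs.get(policy["name"], [])) & set(policy["values"]))
    raise ValueError(f"unknown policy mode {mode!r}")
```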

Using SAML
- A federation is not needed to use SAML
  - Authentication is point-to-point in any case
- IdPs can be deployed to test new SP services
  - Many public IdPs are available for testing
- Simple SPs can be deployed to test IdPs
  - An SP can be a single web page
- The GrIDP federation provides a test federation where new services can be tested together with some production services

Join a federation
- To join a federation the service should be properly configured to use SAML
- The resource will be tested to identify technical problems, e.g.:
  - Misconfiguration of some attributes
  - Missing information in the SAML description (metadata)
- The organisation has to sign an agreement with the federation
  - This could require defining a policy for users that complies with the federation rules
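The kind of technical check run before an SP is admitted, as an added example that is not part of the original slides: a small validator over SP metadata that reports a missing technical contact, non-https endpoints and a required attribute that the federation's IdPs do not release. The metadata and the federation's released-attribute set are constructed for this example.

```python
import xml.etree.ElementTree as ET

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
# Attributes a (hypothetical) federation guarantees its IdPs release:
# eduPersonPrincipalName and mail
FEDERATION_RELEASED = {"urn:oid:1.3.6.1.4.1.5923.1.1.1.6", "urn:oid:0.9.2342.19200300.100.1.3"}

# Constructed SP metadata with two typical onboarding problems: no technical
# contact, and a required attribute (givenName) the federation's IdPs do not release.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="1"
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    <md:AttributeConsumingService index="1">
      <md:ServiceName xml:lang="en">Example SP</md:ServiceName>
      <md:RequestedAttribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" isRequired="true"/>
      <md:RequestedAttribute Name="urn:oid:2.5.4.42" isRequired="true"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text, released_attrs):
    """Return the problems a federation operator would report back to the SP."""
    root = ET.fromstring(xml_text)
    problems = []
    if not root.get("entityID", "").startswith("https://"):
        problems.append("entityID missing or not an https URL")
    sp = root.find("md:SPSSODescriptor", MD)
    if sp is None:
        return problems + ["no SPSSODescriptor: not a SAML SP"]
    acs = sp.findall("md:AssertionConsumerService", MD)
    if not acs:
        problems.append("no AssertionConsumerService endpoint")
    for ep in acs:
        if not ep.get("Location", "").startswith("https://"):
            problems.append(f"ACS endpoint not https: {ep.get('Location')}")
    for ra in sp.iterfind("md:AttributeConsumingService/md:RequestedAttribute", MD):
        if ra.get("isRequired") == "true" and ra.get("Name") not in released_attrs:
            problems.append(f"required attribute {ra.get('Name')} not released by federation IdPs")
    if root.find("md:ContactPerson[@contactType='technical']", MD) is None:
        problems.append("no technical ContactPerson")
    return problems
```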

Inter-Federation
- SAML authentication can be used among a bunch of resources by configuring all the connections
- Resources can be aggregated into a federation
  - It can be either a national federation or a federation with trans-national scope
- Federations can be aggregated into an inter-federation
  - eduGAIN is the biggest inter-federation

Delegation to multiple services and REST APIs
- Delegation is possible but over-complicated
  - Delegation allows a service to be asked to operate on behalf of the user
- A profile for native applications is available and could be used to access REST APIs, but it has many limitations
- If APIs are stateless the authentication has to be performed at every request
  - Too demanding in computation and network traffic

AARC blueprint architecture
- AARC is an EU project aiming to define authentication and authorisation for research collaboration
- It proposes integrating the SAML federation with other technologies that fit the problem best
  - SAML is used to authenticate at a proxy
  - The proxy can release a token for access to the other services, e.g. SAML <-> OpenID Connect conversion

Implementation example: the INDIGO-DataCloud IAM service
- INDIGO-DataCloud is an EU project implementing cloud services for research communities
- IAM is the component implementing the SAML to OpenID Connect proxy
- Source: Andrea Ceccanti (INFN)
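The proxy idea from the AARC and INDIGO slides above, as an added example that is not the IAM service's own code: released SAML attributes are mapped to OpenID Connect claims and issued as a signed ID token, and a stateless REST API verifies that token locally on every request instead of repeating the SAML exchange. The attribute-to-claim mapping is hypothetical, and HS256 with a shared secret stands in for the asymmetric signing a real proxy uses.

```python
import base64
import hashlib
import hmac
import json
import time

EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
DISPLAY_NAME = "urn:oid:2.16.840.1.113730.3.1.241"
# Hypothetical SAML attribute -> OIDC claim mapping; a real proxy keeps this in configuration
CLAIM_MAP = {EPPN: "sub", MAIL: "email", DISPLAY_NAME: "name"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def saml_attrs_to_claims(idp_entity_id, attrs):
    """Translate the attributes from a SAML assertion into ID-token claims."""
    claims = {c: attrs[a][0] for a, c in CLAIM_MAP.items() if attrs.get(a)}
    if "sub" not in claims:
        raise ValueError("IdP released no persistent identifier; cannot issue a token")
    claims["idp"] = idp_entity_id  # keep the origin so services can still filter by IdP
    return claims

def mint_id_token(claims, proxy_issuer, audience, key: bytes, ttl=3600):
    """Build a JWT. HS256 is used only because it needs no extra library;
    a real proxy signs with an asymmetric key published at its JWKS endpoint."""
    now = int(time.time())
    payload = dict(claims, iss=proxy_issuer, aud=audience, iat=now, exp=now + ttl)
    parts = [b64url(json.dumps(x, separators=(",", ":")).encode())
             for x in ({"alg": "HS256", "typ": "JWT"}, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_id_token(token, key: bytes, audience):
    """What a stateless REST API does per request: check alg, signature, aud, exp.
    Returns the claims or None; no round trip to the proxy or the IdP is needed."""
    head, body, sig = token.split(".")
    pad = lambda s: base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
    if json.loads(pad(head)).get("alg") != "HS256":  # never trust the token's own alg
        return None
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return None
    payload = json.loads(pad(body))
    if payload.get("aud") != audience or payload.get("exp", 0) < time.time():
        return None
    return payload
```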

Summary and conclusions
- Identity Federation allows services to be connected with identities, separating the identity manager from the service manager
- There are many possibilities to integrate with SAML federations
- For specific problems other protocols could be integrated

Thank you! sci-gaia.eu info@sci-gaia.eu