Jean-François Perrin (ILL) - Umbrella Annual Meeting 2015


Non Web access - Technical session
Umbrella Annual Meeting 2015, 15th-16th June 2015
Jean-François Perrin (ILL)

Why?

Currently Umbrella can only be used for web-browser-based access. That is perfect for WUO-type access. We aim to extend it to:
- Data access (WebDAV? S3? We need your input)
- Analysis workstation access (PaNDaS-like project)
- SSH
- Remote display
- ...
These new usages are often not inside a web browser.

Our needs

- Simple to use, at least for the users
- Federation: the SP should never get access to the password

Many solutions exist ...

Solution    | Modifications       | Readiness        | Scope
Moonshot    | Client, Server, IdP | Yes              | SSH, NFSv4, ownCloud
SSH Keys    | SP                  | Prototype        | ?
LDAP façade |                     |                  | Any LDAP-compatible service (where the password field is sufficiently long)
SASL-SAML   | Client (?)          | Prototype (2012) | IMAP
OAuth2      |                     | Prototypes       | WebDAV, ...

SSH Keys

Basic workflow:
1. Users register their public key on their account on umbrellaid.org.
2. The IdPs distribute the key as part of the SAML metadata (other mechanisms are possible).
3. The SPs collect the keys (as for the EAAHash) and populate authorized_keys (user home directory, LDAP, ...).
4. Users can then connect with their Umbrella username and private key.

More details/constraints

Provisioning: the usernames (from umbrellaid.org) need to exist in the SP's LDAP, probably with the same uidNumber and homeDirectory as the local user account, so that local account authorization still applies. If local logins are also accepted, uids must be unique, and the SP needs to be able to identify which accounts belong to Umbrella.
Attribute updates / deprovisioning: the SP needs to validate that the account is still valid (automated asynchronous check against the IdP, SAML Assertion Query profile?).

Pros/Cons

Pros:
- Very simple for the users
- Pragmatic solution, mostly ready
- Very small development cost
Cons:
- Need to check asynchronously that the user is still valid
- Potential uid collision if both local and Umbrella accounts can log in; a differentiator is needed
- Only valid for SSH authentication
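The SSH-key workflow and the provisioning constraints above (identify Umbrella accounts, avoid uid collisions with local accounts, deprovision when the IdP no longer vouches for a user) as an added worked example. This is not Umbrella project code: the XML shape and attribute names of the key release, the `umbrella:` comment marker in authorized_keys, and the use of the GECOS field to mark local Umbrella accounts are assumptions of this example, and all users and key material are constructed.

```python
"""Added example, not Umbrella project code: an SP-side sync of the SSH public
keys released by the Umbrella IdP into authorized_keys, with the checks the
slides call for (mark Umbrella accounts, catch uid collisions with local
accounts, deprovision). XML shape, attribute names, the 'umbrella:' comment
marker and the GECOS marker are assumptions; users and keys are constructed."""
import base64
import re
import struct
import xml.etree.ElementTree as ET

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256"}
# exactly: type, base64 blob, optional comment. No leading options, no newlines.
KEY_RE = re.compile(r"^(\S+) ([A-Za-z0-9+/=]+)(?: (\S{1,64}))?$")
MARKER = "umbrella:"  # assumed comment prefix on keys provisioned from Umbrella


def _blob(key_type: str, raw: bytes) -> str:
    """Base64 SSH wire blob (string type, string key) for the constructed samples."""
    body = struct.pack(">I", len(key_type)) + key_type.encode()
    return base64.b64encode(body + struct.pack(">I", len(raw)) + raw).decode()


# Constructed sample input: attribute release from the IdP and the SP's passwd file.
SAMPLE_ATTRIBUTES = f"""<Users>
  <User name="jperrin" uidNumber="20001" homeDirectory="/home/jperrin">
    <sshPublicKey>ssh-ed25519 {_blob('ssh-ed25519', bytes(range(32)))} jperrin@laptop</sshPublicKey>
  </User>
  <User name="alice" uidNumber="1001" homeDirectory="/home/alice">
    <sshPublicKey>ssh-ed25519 {_blob('ssh-ed25519', bytes(32))} alice@umbrella</sshPublicKey>
  </User>
  <User name="mallory" uidNumber="20002" homeDirectory="/home/mallory">
    <sshPublicKey>ssh-ed25519 {_blob('ssh-rsa', b'x' * 16)} declared-type-lies</sshPublicKey>
  </User>
</Users>"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Local:/home/alice:/bin/bash
jperrin:x:20001:20001:umbrella:/home/jperrin:/bin/bash
"""


def validate_public_key(line: str) -> str:
    """Return 'type base64' for a well-formed key, else raise ValueError. Rejects
    embedded newlines, leading authorized_keys options and blobs whose encoded
    type disagrees with the declared one, so a registered key cannot smuggle
    extra lines or options into authorized_keys."""
    m = KEY_RE.match(line.strip())
    if not m:
        raise ValueError("malformed key line")
    key_type, b64, _comment = m.groups()
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"key type {key_type!r} not allowed")
    blob = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("blob type does not match declared type")
    return f"{key_type} {b64}"


def local_accounts(passwd: str) -> dict:
    """username -> (uidNumber, is_umbrella_account) from passwd-format text."""
    out = {}
    for row in filter(None, passwd.splitlines()):
        name, _pw, uid, _gid, gecos, _home, _shell = row.split(":")
        out[name] = (int(uid), gecos == "umbrella")
    return out


def provision(attrs_xml: str, passwd: str):
    """Return ({username: [authorized_keys lines]}, {username: rejection reason})."""
    known = local_accounts(passwd)
    keys, rejected = {}, {}
    for user in ET.fromstring(attrs_xml).iter("User"):
        name, uid = user.get("name"), int(user.get("uidNumber"))
        local = known.get(name)
        if local and not local[1]:
            rejected[name] = "collides with a local non-Umbrella account"
            continue
        if local and local[0] != uid:
            rejected[name] = "uidNumber differs from the local Umbrella account"
            continue
        try:
            keys[name] = [f"{validate_public_key(k.text)} {MARKER}{name}"
                          for k in user.iter("sshPublicKey")]
        except ValueError as e:
            rejected[name] = f"bad key: {e}"
    return keys, rejected


def deprovision(authorized_keys: str, valid_users: set) -> str:
    """Drop Umbrella-marked lines for users the IdP no longer reports as valid;
    lines without the marker (local keys) are left untouched."""
    kept = []
    for line in authorized_keys.splitlines():
        f = line.split()
        if len(f) == 3 and f[2].startswith(MARKER) and f[2][len(MARKER):] not in valid_users:
            continue
        kept.append(line)
    return "".join(k + "\n" for k in kept)
```

Running `provision(SAMPLE_ATTRIBUTES, SAMPLE_PASSWD)` provisions only jperrin: alice is refused because a local, non-Umbrella account of that name already exists (the uid collision the slides warn about), and mallory is refused because the declared key type and the blob disagree. The marker comment is what later lets `deprovision()` remove Umbrella keys without touching keys the local admin installed.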

LDAP façade

In production at bwIDM (Föderatives Identity Management Baden-Württemberg; KIT is a member). Slides from Marcus Hardt (KIT).

LDAP façade

Basic workflow (enhanced client):
1. Users authenticate with their web browser (Web SSO profile) to the SP.
2. Users download the SAML assertion.
3. They use this assertion as the password in their SSH client.
4. The SSH server sends the username/password (the assertion) to the LDAP façade.
5. The LDAP façade checks and accepts the username + assertion as valid login credentials and allows the user to log in.

Pros/Cons

Pros:
- Relatively simple for the users
- Pragmatic solution, mostly ready
- Development cost relatively small (is the code for the LDAP façade available?)
- Could work with all services based on LDAP
Cons:
- Potential uid collision if both local and Umbrella accounts can log in; may need a differentiator
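Step 5 of the LDAP façade workflow, "checks and accepts the username + assertion", as an added example of what that check has to cover. This is not bwIDM or KIT code. The assertion is constructed and unsigned; verifying the XML Signature against the IdP certificate from federation metadata is assumed to be done by the SAML library that hands the assertion to `check_assertion()`, and the SP entityID, issuer string and clock are assumptions of this example.

```python
"""Added example, not bwIDM/KIT code: the checks an LDAP façade applies to a
SAML assertion that a user pastes as their SSH password. The assertion is
constructed and unsigned; XML Signature verification against the IdP
certificate from federation metadata is assumed to be done by the SAML
library that hands the assertion to check_assertion(). The SP entityID, the
issuer string and the clock below are assumptions of this example."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_AUDIENCE = "https://ssh.example.org/sp"      # assumed entityID of this SP
TRUSTED_ISSUER = "https://umbrellaid.org/idp"   # assumed Umbrella IdP entityID
TS = "%Y-%m-%dT%H:%M:%SZ"


def _utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, TS).replace(tzinfo=timezone.utc)


def sample_assertion(name_id, audience, not_before, not_on_or_after, issuer=TRUSTED_ISSUER):
    """Constructed, unsigned SAML 2.0 assertion used as sample input."""
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_c0ffee" Version="2.0"
    IssueInstant="{not_before.strftime(TS)}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="{not_before.strftime(TS)}" NotOnOrAfter="{not_on_or_after.strftime(TS)}">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def encode_assertion(xml: str) -> str:
    """What the user pastes as the SSH password: the base64 of the assertion."""
    return base64.b64encode(xml.encode()).decode()


def check_assertion(username: str, password: str, now: datetime, audience: str = SP_AUDIENCE):
    """Decide whether 'password' (a base64 assertion) authenticates 'username'.
    Returns (ok, reason). Until NotOnOrAfter the assertion is a bearer
    credential, so the IdP should keep that window short."""
    try:
        root = ET.fromstring(base64.b64decode(password, validate=True))
    except (ValueError, ET.ParseError):
        return False, "password is not a base64-encoded XML assertion"
    if root.tag != f"{{{NS['saml']}}}Assertion":
        return False, "not a SAML 2.0 Assertion"
    if root.findtext("saml:Issuer", namespaces=NS) != TRUSTED_ISSUER:
        return False, "assertion not issued by the trusted IdP"
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "assertion has no validity window"
    try:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            return False, "assertion not yet valid"
        if now >= _utc(cond.get("NotOnOrAfter")):
            return False, "assertion expired"
    except ValueError:
        return False, "malformed timestamp in Conditions"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        return False, "assertion not issued for this SP"
    if root.findtext("saml:Subject/saml:NameID", namespaces=NS) != username:
        return False, "subject does not match the login name"
    return True, "ok"


# Constructed clock: the user did Web SSO at 10:00 UTC and the IdP issued an
# assertion valid for 8 hours.
NOW = datetime(2015, 6, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_PASSWORD = encode_assertion(sample_assertion(
    "jperrin", SP_AUDIENCE, NOW - timedelta(minutes=5), NOW + timedelta(hours=8)))
```

The façade never sees a real password, which is the federation requirement from the "Our needs" slide, but the pasted assertion is itself a bearer credential for its whole validity window and for every SP named in its AudienceRestriction. That is why the audience and subject checks are not optional, and why the table above notes that the backend's password field must be long enough to hold a multi-kilobyte base64 assertion.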

Technical team

Possible tasks and actions:
- Refine the needs (SSH, RDP? which one; data access? which one) - action: all
- Set up a 3rd/4th IdP - action: DESY/STFC, plus Geo DNS and IdP session sharing
- Prototype non-browser access:
  - Moonshot - proposal to the Steering Committee for voting
  - SSH keys - prototype
  - LDAP façade - Doris to get in touch with Marcus Hardt
- Attribute management and release / attribute authority
- Check email address validity
- Level of Assurance - prototyping
- Indico