Security for Science Gateways Initial Design Discussions


Custos: Security for Science Gateways Initial Design Discussions

High-Level Overview

Use case 1: Institutional Login
[Sequence diagram, request path: GW, Custos, CILogon, IDP. OIDC AuthN redirect from GW to Custos; OIDC AuthN redirect from Custos to CILogon; SAML AuthN redirect from CILogon to the IDP; user login at the IDP.]

Use case 1: Institutional Login
Kind of doing repetitive work.
[Sequence diagram, response path: SAML AuthN response (redirect) from the IDP to CILogon; CILogon validates the SAML token; OIDC response (redirect) from CILogon to Custos; OIDC response (redirect) from Custos to GW.]

Use case 1: Institutional Login
Unify.
[Same response-path diagram as above: SAML AuthN response (redirect) to CILogon, SAML token validation, OIDC response (redirect) to Custos, OIDC response (redirect) to GW.]

Use case 1: Institutional Login
[Sequence diagram, unified request path: GW, Custos, IDP. OIDC AuthN redirect from GW to Custos; SAML AuthN redirect (CILogon-style) from Custos to the IDP; user login at the IDP.]

Use case 1: Institutional Login
Validate SAML Token: Keycloak can validate the token.
[Sequence diagram, unified response path: SAML AuthN response (redirect) from the IDP to Custos; Custos validates the SAML token; OIDC response (redirect) from Custos to GW.]

Resource Authentication
Thinking backward (good for having something working):
This is what I did for a while. That is, understand the functionalities cloud providers give for delegated/federated authentication and try to implement our use case.
Thinking forward:
Implement the Custos use case and list what we need from cloud providers. Good if we can influence cloud providers.

Users
Forward: types of users as far as resources are concerned
- Users with proper authentication credentials to the resource (resource user)
- Users without proper authentication credentials but authorized to use the credentials of a user who has credentials to the resource (non-resource user)
Backward: types of users as far as the resource is concerned (AWS)
- Root user (has a dedicated AWS billing account)
- IAM user (associated with a root account)
- Neither root nor IAM (no relationship to AWS at all)

Use Case 2: Adding a resource by a resource user
[Sequence diagram: GW, Custos, Resource (AWS/GCP). AddResource from GW redirects to Custos; Custos redirects to the resource's OAuth authorization endpoint; the resource user authorizes the Add Resource request.]
OAuth scopes are defined based on what the user specified: they specify what the retrieved credentials can do, e.g., execute code, access S3.

Use Case 2: Adding a resource by a resource user
[Sequence diagram: the resource returns the auth code and redirects to Custos; Custos stores the auth code; success redirect to GW; Resource Added.]

Use Case 3: Accessing a resource by a resource user
Is the access token alone sufficient?
[Sequence diagram: GW asks Custos to Get Credentials; Custos exchanges the stored auth code for an access token and returns the credentials; GW accesses the Resource (AWS/GCP) with SDK + credentials (access token).]

Use Case 4: Accessing a resource by a non-resource user
In order for a non-resource user to access a resource, he/she must be associated with a resource user. Auth codes can be associated with different entities:
- A single user (resource user)
- A group
- A role

Use Case 4: Accessing a resource by a non-resource user
[Sequence diagram: GW asks Custos to Get Credentials; Custos finds the associated auth code(s), exchanges an auth code for an access token and returns the credentials; GW accesses the Resource (AWS/GCP) with SDK + credentials (access token).]

Use Case 4: Accessing a resource by a non-resource user
Every user in the group has the same access privileges. We lose audit logs at the resource, but we can maintain audit logs at Custos. If we want functionalities similar to throttling, we need to implement them at the Custos level.

Custos Components
Single server that embeds KeyCloak and other functionalities:
- API
- KeyCloak: user management, primary user store
- CredentialStore/Vault: storing auth codes and SSH keys, generating keys
- Sharing Service: manages resource authentication for a user, plus throttling and limiting user access to a resource
- Profile Service
- Resource Authentication/Authorization
- Admin/Monitoring: registering client IDs and client secrets, plus other admin/monitoring tasks
- Auditing: secure audits, manages audit queries
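The following is an added sketch, not Custos code, of the sharing-service behaviour described for Use Case 4 and the components slide: a non-resource user is resolved to a resource user's stored auth code through a user, group or role association, every grant or denial is logged at Custos (since the resource only sees the shared identity), and throttling is enforced per user at Custos. The `Association` and `SharingService` names, the rate-limit field and the sample values are assumptions for illustration.

```python
import time
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Association:  # a stored auth code shared with one user, a group, or a role
    auth_code: str   # opaque handle into the credential store (constructed value)
    resource: str    # "aws" or "gcp"
    kind: str        # "user", "group" or "role"
    name: str        # user id, group name or role name
    rate_limit: int  # calls allowed per window, enforced at Custos, not at the resource

class SharingService:
    def __init__(self, associations, groups, roles):
        self.associations, self.groups, self.roles = associations, groups, roles
        self.audit = []                  # Custos-side audit log keyed by the real user
        self._calls = defaultdict(list)  # (user, auth_code) -> recent request times

    def _entitled(self, a, user):
        return (a.kind == "user" and a.name == user
                or a.kind == "group" and a.name in self.groups.get(user, set())
                or a.kind == "role" and a.name in self.roles.get(user, set()))

    def find_auth_codes(self, user, resource):
        """Auth codes a (possibly non-resource) user may use for a resource."""
        return [a for a in self.associations
                if a.resource == resource and self._entitled(a, user)]

    def get_credentials(self, user, resource, now=None, window=60):
        now = time.time() if now is None else now
        matches = self.find_auth_codes(user, resource)
        if not matches:
            self.audit.append((now, user, resource, None, "denied:no-association"))
            return None
        a = matches[0]
        # Throttle per (user, auth_code): group members share one resource identity,
        # so the resource cannot tell them apart; Custos has to.
        key = (user, a.auth_code)
        self._calls[key] = [t for t in self._calls[key] if now - t < window]
        if len(self._calls[key]) >= a.rate_limit:
            self.audit.append((now, user, resource, a.auth_code, "denied:throttled"))
            return None
        self._calls[key].append(now)
        self.audit.append((now, user, resource, a.auth_code, "granted"))
        return {"auth_code": a.auth_code, "via": f"{a.kind}:{a.name}"}
```

Exchanging the returned auth code for an access token (Use Case 3) is left to the cloud provider's OAuth client and is out of scope here.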