Contrail and Federated Identity Management

Presentation transcript:

Contrail and Federated Identity Management (03/06/12)
Philip Kershaw, RAL Space, STFC; Jens Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC 7th Framework Programme

Outline
- Contrail overview and goals
- Architecture
- Single sign-on
- Delegation requirements
- Delegation solutions
- OAuth flow
- Conclusions
- Collaborations

Contrail Overview and Goals
- EC FP7 project, led by INRIA, 36 months, completes Sept 2013
- Federation of cloud providers
- Federation with external IdPs
- "Elastic" CAs for dynamically created services
- Autonomous SLA management from the SLA@SOI project
- IaaS and PaaS integration
- Reuse of existing open standards: OVF, OCCI, CDMI, WS-Security, SLA@SOI models
- Federated access to resources, building on existing identity federations

Architecture (diagram)
Browser and rich client access: Federation CLI and Browser
Components: Federation Web Portal, Online CA, REST API, Federation core, Federation Identity Provider
Backed by a Federation of Cloud Providers

Architecture – Single Sign-on (diagram)
Single sign-on from the Federation CLI and Browser to the Federation Web Portal, the Online CA and the REST API of the Federation core
Credentials mapping at the portal; single sign-on onward to the Federation Identity Provider and the Cloud Providers

Architecture - Delegation (diagram)
Multiple delegation hops: Federation CLI / Browser to Federation Web Portal, via the Online CA and the REST API of the Federation core, through the Federation Identity Provider to the Cloud Providers

Delegation … but how?
A delegator delegates authority to another party, the delegatee.
The rights the delegatee inherits can vary, e.g. identity-based (inherits all the rights of the user) or rights to access a single resource.
Some technology options: GSI proxy certificates; OAuth 1.0 (CILogon); OAuth 2.0?; others…

Delegation: technology options
- GSI proxy certificates: the delegatee inherits all the rights of the user; custom SSL extensions (proxy certificate path validation, RFC 3820) are needed to support verification
- OAuth 1.0: gained traction in the commercial environment (Twitter etc.); digital signature of HTTP header artifacts, where canonicalisation can be problematic
- OAuth 2.0: simplified flow; relies on SSL, so no digital signature implementation is necessary
- CILogon: uses OAuth to protect a short-lived credential service (SLCS), but based on OAuth 1.0; delegatees obtain a standard end entity certificate
Chosen: SLCS + OAuth 2.0 ✔

OAuth Flow (diagram, steps 1–9)
Objective: get a delegated credential for the portal to make onward requests to the federation core.
Roles: Browser (user); Federation Web Portal [OAuth Client]; OAuth Authorisation Server; Online CA [OAuth Resource Server]; Federation core; Federation Identity Provider; Cloud Providers.
1. User request to the Federation Web Portal
2. Portal requests authorisation for delegation from the user
3. User is redirected to the authorisation server
4. User authenticates and approves the delegation request
5. Authorisation grant returned to the portal via a redirect back to the portal
6. Portal requests a certificate (the OAuth access token) from the Online CA, passing the authorisation grant as proof of user approval
7. Online CA authenticates the portal and returns the certificate
8. Portal uses the certificate to authenticate with the core services
9. Further delegation needed for onward hops: '2-legged' OAuth
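The flow above, as an added example in Python that is not Contrail's own code: a toy authorisation server combined with the Online CA (resource server), a portal in the OAuth client role, and the verification a core service performs at step 8. The point of the example is the checks each party needs for the delegation to be safe: the portal binds its callback to the browser session with `state`, the CA only redirects to the registered URI, authenticates the client at the token endpoint, accepts each code once and only briefly, and issues a credential that carries the delegated scope and a short lifetime rather than the user's full identity. The HMAC-signed JSON assertion stands in for the X.509 end-entity certificate a real Online CA would sign; the hostnames, client id and user name are assumptions.

```python
"""OAuth 2.0 authorisation-code flow protecting a Short-Lived Credential
Service (SLCS), modelled in plain Python.  Added example, not Contrail code.
The 'certificate' is an HMAC-signed JSON assertion standing in for the X.509
end-entity certificate a real Online CA would sign.  Names are made up."""
import hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse


class OnlineCA:
    """Authorisation server plus resource server (the Online CA / SLCS)."""
    CODE_LIFETIME = 60         # seconds a grant stays redeemable
    CERT_LIFETIME = 12 * 3600  # short-lived credential: hours, not years

    def __init__(self, ca_key, clock=time.time):
        self.ca_key, self.clock = ca_key, clock
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}    # authorisation code -> grant record

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorize(self, client_id, redirect_uri, scope, state, user):
        """Steps 3-5: user (authenticated at the federation IdP) approves the
        delegation; a one-time code goes back to the portal via redirect."""
        _, registered = self.clients[client_id]
        if redirect_uri != registered:   # never redirect to an unregistered URI
            raise PermissionError("redirect_uri not registered for client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user, "issued": self.clock()}
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri):
        """Steps 6-7: the portal authenticates itself and redeems the code."""
        secret, _ = self.clients.get(client_id, (None, None))
        if secret is None or not hmac.compare_digest(secret, client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)  # pop: a code is redeemable once
        if grant is None:
            raise PermissionError("unknown or already used code")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("code was issued to a different client")
        if self.clock() - grant["issued"] > self.CODE_LIFETIME:
            raise PermissionError("code expired")
        return self._issue(grant["user"], grant["scope"], client_id)

    def _issue(self, user, scope, delegatee):
        # Scope-limited, short-lived credential: not the user's full identity.
        body = {"subject": user, "scope": scope, "delegatee": delegatee,
                "not_after": self.clock() + self.CERT_LIFETIME}
        payload = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.ca_key, payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "sig": sig}


def verify_credential(ca_key, cred, clock=time.time):
    """Step 8: a federation core service checks the presented credential."""
    expected = hmac.new(ca_key, cred["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        return None
    body = json.loads(cred["payload"])
    return body if body["not_after"] > clock() else None


class Portal:
    """Federation web portal in the OAuth client role (steps 1, 2, 5, 6)."""
    def __init__(self, ca, client_id, client_secret, redirect_uri):
        self.ca, self.client_id = ca, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = {}  # state -> browser session that started the flow

    def start(self, session, scope):
        state = secrets.token_urlsafe(16)  # binds the callback to this session
        self.pending[state] = session
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": scope, "state": state}

    def callback(self, redirect_url, session):
        q = parse_qs(urlparse(redirect_url).query)
        if self.pending.pop(q["state"][0], None) != session:
            raise PermissionError("state mismatch: possible CSRF / code injection")
        return self.ca.token(self.client_id, self.client_secret,
                             q["code"][0], self.redirect_uri)


def demo():
    """Happy path plus three misuse attempts; returns what each yields."""
    ca_key = secrets.token_bytes(32)
    ca = OnlineCA(ca_key)
    ca.register_client("portal", "portal-secret", "https://portal.example.org/cb")
    portal = Portal(ca, "portal", "portal-secret", "https://portal.example.org/cb")
    req = portal.start("browser-session-1", scope="deploy:app")
    url = ca.authorize(req["client_id"], req["redirect_uri"], req["scope"],
                       req["state"], user="alice@idp.example.org")
    cred = portal.callback(url, "browser-session-1")
    out = {"body": verify_credential(ca_key, cred)}

    def rejected(fn):
        try:
            fn()
            return False
        except PermissionError:
            return True

    code = parse_qs(urlparse(url).query)["code"][0]   # replay of a used code
    out["replay_rejected"] = rejected(lambda: ca.token(
        "portal", "portal-secret", code, "https://portal.example.org/cb"))
    req2 = portal.start("browser-session-2", scope="deploy:app")
    url2 = ca.authorize(req2["client_id"], req2["redirect_uri"], req2["scope"],
                        req2["state"], user="alice@idp.example.org")
    out["state_mismatch_rejected"] = rejected(   # someone else's callback URL
        lambda: portal.callback(url2, "attacker-session"))
    tampered = {"payload": cred["payload"].replace("deploy:app", "*"), "sig": cred["sig"]}
    out["tampered_rejected"] = verify_credential(ca_key, tampered) is None
    return out


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Step 9, the onward '2-legged' hop from the core services, is not modelled: in that leg there is no user in the loop, so the core service authenticates to the next service with its own client credentials, and whatever it presents on the user's behalf should carry the same (or a narrower) scope and expiry as the credential it received.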

Development Status
- Web portal and federation SSO demonstrated with support for SAML and OpenID
- Command line SSO with a shell script client to the Short-Lived Credential Service (X.509 EECs)
- Delegation with a 2-legged OAuth-like interface; full OAuth to be integrated

Technology used
Federation Web user interface: Python 2.7+ / Django 1.4 / buildout / Apache2; SAML2: djangosaml2 v0.5; OpenID: django-authopenid
Federation IdP: SimpleSAMLphp 1.9 rc2
User DB: Java 6 / JPA, subclipse / Tomcat

Conclusion
Single sign-on support with: Browser: SAML2 and OpenID; other clients: X.509 short-lived end entity certificates
Delegation with an OAuth 2.0 protected Short-Lived Credential Service
Can we offer Federation-in-a-box or federation-as-a-service?
=> Federated access to resources, building on existing identity federations.

Contrail collaborations
- Contrail evaluation with: EUDAT, CLARIN, ENES
- EGI federated cloud task force
- Climate science and Earth Observation communities: OAuth solution for workflows
- OGF groups: FEDSEC-CG (federated identity for grids and clouds); IDEL-WG (working group on identity delegation); cloud security activities ...
- Moonshot

contrail is co-funded by the EC 7th Framework Programme
Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT-2009.1.2)
Project reference: 257438
Total cost: 11.29 million euro; EU contribution: 8.3 million euro
Execution: from 2010-10-01 till 2013-09-30 (36 months)
Contract type: Collaborative project (generic)