Slide 1: OpenConext Workshop Down-Under: Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts
Neil Witheridge, AARNet Authentication & Authorisation Services Technical Manager, 25th October 2013
AARNet Copyright 2013, Network Operations
Session 1: Overview

Slide 2: Session 1: Overview - Topics
Session Topics:
– Federated Authentication & Authorisation Background
– OpenConext Features (SP Shopfront, Group/Team management & Group info retrieval)
– Architecture & Components (Demo: clean installed OpenConext)
– SAML Proxy: IdP and SP Integration (Demo: integrated IdP and SP)
– Group/Team Management (Demo: Team creation & management)
– Group Proxy: Group Provider Integration (Demo: API Playground)

Slide 3: Session 1: Overview - Topics (cont'd)
Session Topics cont'd:
– Virtual Organisations & VO-based Authorisation (Demo: VOs & AuthZ)
– OpenSocial Container, Portal & Gadget Integration (Demo: Shindig OpenSocial Container, Rave Portal & Etherpad gadget)
– Security, Sustainability & Usability
– OpenConext Roadmap
– Session Wrap-up
Non-third-party-sourced content is under the Creative Commons "Attribution 3.0 Unported" license. This means that you are permitted to freely copy, distribute, display, present, or perform material on the wiki, and create derivative works from it, for either commercial or non-commercial purposes.

Slide 4: Federated Authentication & Authorisation Background

Slide 5: Federated Authentication
SAML Federated Identity & Access 'state of the art':
– Service Providers trust Identity Providers & vice versa (via SAML metadata)
– SPs request user attributes from the user's IdP (information stored in the institution's identity store)
– The IdP delivers according to its Attribute Release Policy (ARP), with optional user consent
E.g. AAF:
– Metadata
– Policy
– Info
– WAYF

Slide 6: Authorisation Post Federated AuthN
Importance of group-based access for HE&R services:
– Research Team access to federated services
– VOs for Grid Services
– Service licensing, restricted access to commercially sensitive information
User information used by a service for its authorisation decision:
– IdP user attributes: IdP authoritative & owned; directory schema -> namespace
– Team attributes (Research Teams, Virtual Organisations): Team authoritative & owned namespace (URN), bilateral agreement with services, e.g. urn:collab:group:biolabs:au:genome-team
– Authorisation Rights (e.g. populated in eduPersonEntitlement): Service authoritative & owned namespace (URN); the service delegates authority to issue, e.g. urn:service-x:entitlement:foo

Slide 7: Group-management Systems (logos of group-management systems; source: SURFnet)

Slide 8: OpenConext Features

Slide 9: SAML Fed, IdP, SP Integration
– Federated authentication of users

Slide 10: SAML Proxy Benefits
OpenConext Engine as an IdP/SP Proxy:
– Hub & Spoke -> centralised admin
– Potential for attribute aggregation
– Enables Services Shopfront

Slide 11: Group Information Retrieval
– Authenticated user group information from "Group Providers"
– Internal Group Provider "Grouper" + External Group Providers
– Registration of Group Providers = shared credentials

Slide 12: Group/Team Management
Types of Group Providers supported by OpenConext:
– Grouper
– OpenSocial
Group Management via "Teams" (interface to "Grouper"):
– Need trust in both the group management side (cf. IdP & institutional IdM) and the mechanism for group information retrieval (cf. attribute resolver)
– Internet2's Grouper is a comprehensive group management solution: hierarchical groups, stems; advanced delegation of authority to administer
– "stem": the string that forms the leading part of a Group's name

Slide 13: OpenConext Architecture and Components

Slide 14: OpenConext Architecture (architecture diagram)

Slide 15: OpenConext Components
Application components making up OpenConext (labels from the component diagram):
– Mock Group Provider
– API Playground
– Grouper
– Java
– JANUS

Slide 16: OpenConext Installation
OpenConext Repository:
– Downloading OpenConext from GitHub: git clone or curl
– Easy OpenConext installation by running the installation scripts
– Installation and setup will be covered in the next session
Mujina IdP:
– Installed and pre-configured as an IdP in OpenConext
– A convenient 'test' and 'bootstrap' IdP
– Provides the default "admin" user
– REST interface provided to create users, e.g. "addjane"

Slide 17: Installed Components
ServiceRegistry:
– OpenConext admin user management
– SAML Proxy configuration
– Adding connections (IdP and SP)
Manage:
– OpenConext usage, access to Engine metadata
– Adding Group Providers (also to configure a test External Group Provider)
– Creating VOs (VO-based authZ described later)
Other tools:
– Teams (creation and management of Teams), plus the Grouper native UI
– API Playground (experiment with group information retrieval via the "API" component)
– Profile (basic identity management)

Slide 18: SAML Proxy: IdP and SP Integration

Slide 19: SAML-Proxy functionality
Engine proxies trusted SPs to trusted IdPs & vice versa:
– Trusted IdPs' metadata provisioned in the Engine SP
– Engine IdP metadata provisioned in trusted SPs

Slide 20: Integration with SAML Fed
OpenConext in the national federation:
– Registered as a single SP (Engine)
– Federation IdPs release attributes to the OpenConext Engine
– Proxy functionality -> "SP shopfront" or "Super SP"

Slide 21: Attribute Release Policy (ARP)
OpenConext Engine deployed as an SP in the National SAML Fed:
– Engine SP SAML metadata provisioned in Nat Fed IdPs (& vice versa)
– OpenConext SPs provisioned with Engine IdP SAML metadata (& vice versa)
– Attribute requirements for the Engine determine the Nat Fed IdPs' ARP
– Attribute requirements for OpenConext SPs determine the OpenConext IdP ARP
– Only attributes received by the Engine SP are available for release by the Engine IdP
– OpenConext SP requirements are configured in the Service Registry
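The two-hop release described on this slide is easy to get wrong when configuring a proxy, so here is an added Python example (not OpenConext code) that models it: a national-federation IdP's ARP for the Engine SP, the Service Registry's per-SP attribute requirements, and the consequence that an attribute a downstream SP requires but the upstream IdP never released cannot reappear at the second hop. Every attribute name, entity ID and ARP entry below is constructed for illustration.

```python
# Constructed example: attribute names, entity IDs and ARP contents are illustrative only.

# Attributes the Engine SP asks the national-federation IdPs for (its own requirement set).
ENGINE_REQUIRED = {"eduPersonPrincipalName", "mail", "displayName", "eduPersonAffiliation"}

# First hop: what a national-federation IdP's ARP allows it to release, per SP entity ID.
NATFED_IDP_ARP = {
    "https://engine.example.org/sp": {"eduPersonPrincipalName", "mail", "displayName"},
}

# Second hop: per-SP attribute requirements as configured in the Service Registry.
SERVICE_REGISTRY = {
    "https://sp1.example.org": {"eduPersonPrincipalName", "mail"},
    "https://sp2.example.org": {"eduPersonPrincipalName", "eduPersonAffiliation", "sn"},
}


def release_from_idp(user_attrs, idp_arp, sp_entity_id):
    """Hop 1: the federation IdP releases to the Engine SP only what its ARP allows."""
    allowed = idp_arp.get(sp_entity_id, set())
    return {name: value for name, value in user_attrs.items() if name in allowed}


def release_from_engine(received_attrs, registry, sp_entity_id):
    """Hop 2: the Engine IdP releases to an OpenConext SP only attributes the SP requires
    AND the Engine SP actually received. Returns (released, required-but-unavailable)."""
    required = registry.get(sp_entity_id, set())
    released = {name: value for name, value in received_attrs.items() if name in required}
    missing = sorted(required - set(received_attrs))
    return released, missing


def proxy_release(user_attrs, engine_sp_id, sp_entity_id):
    """Run both hops: IdP -> Engine SP, then Engine IdP -> OpenConext SP."""
    received = release_from_idp(user_attrs, NATFED_IDP_ARP, engine_sp_id)
    return release_from_engine(received, SERVICE_REGISTRY, sp_entity_id)


def engine_unmet_requirements(idp_arp, engine_sp_id):
    """Check: which Engine requirements does a federation IdP's ARP fail to satisfy?
    Anything listed here can never reach any OpenConext SP behind the proxy."""
    return sorted(ENGINE_REQUIRED - idp_arp.get(engine_sp_id, set()))


if __name__ == "__main__":
    user = {"eduPersonPrincipalName": "jane@uni-a.example.edu.au",
            "mail": "jane@uni-a.example.edu.au", "displayName": "Jane Doe",
            "eduPersonAffiliation": "staff", "sn": "Doe"}
    for sp in SERVICE_REGISTRY:
        print(sp, proxy_release(user, "https://engine.example.org/sp", sp))
    print("unmet at hop 1:", engine_unmet_requirements(NATFED_IDP_ARP, "https://engine.example.org/sp"))
```

The useful operational check is `engine_unmet_requirements`: if the federation IdP's ARP for the Engine does not cover the Engine's own requirement set, every SP behind the proxy that needs the missing attribute will fail, and the cause is at the first hop, not in the Service Registry.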

Slide 22: SAML Proxy Technology
OpenConext Engine (Corto) & Service Registry (JANUS):
– Reuse of mature technology for SAML proxying and metadata administration
– SURFnet responsible for JANUS development

Slide 23: SAML Proxy: Power & Flexibility
– "IdP A" is a member of the Nat SAML Fed but not trusting/trusted by OpenConext (i.e. its users can't access "SP 1", "SP 2", "SP 3")
– "IdP 1" & "IdP 2" are not members of the Nat Fed but are trusted by OpenConext (i.e. their users can't access "SP A" or "SP B")

Slide 24: Group/Team Management

Slide 25: Group/Team Management
Groups/Teams:
– Groups = Teams in OpenConext
– Team types: private, public
Group Providers:
– Source of user group information (cf. IdP for the SAML federation)
– Built-in Group Provider: Internet2's "Grouper"; OpenConext groups/teams are flat
– External Group Providers can be integrated; types of Group Provider: Grouper, OpenSocial
OpenConext "Teams" service, a GUI for Grouper:
– Provision of a GUI for External Group Providers?

Slide 26: Team creation and admin
"Teams" provides for secure team creation and administration:
– Delegation of responsibilities for team administration
User role requirements for the team creation workflow:
– User added to team at manager's invitation
– User added to team at user's request
Adding Groups to Teams:
– tbd
Using the Grouper GUI directly:
– Significance of 'stem'

Slide 27: Group Proxy: Group Provider Integration (for Group Information Retrieval)

Slide 28: Group Proxy Functionality
– The "API" component acts as a Proxy to Group Providers for SPs

Slide 29: VOOT Protocol
From the SP perspective, requests are issued via the VOOT protocol.
Retrieval of group and person information:
– Standardised REST API based on the OpenSocial Social API
– Subset of OpenSocial + {voot_membership_role} attributes
Supported requests:
– Information about the authenticated user
– List of groups the user is a member of
– List of people that are members of the user's group
– OAuth 2.0 and OAuth 1.0a (for legacy SPs) authentication supported

Slide 30: VOOT Request/Response
e.g.

GET HTTP/1.1

HTTP/1.1 200 OK
Content-Type: application/json

{
  "entry": [
    {
      "description": "Group containing employees.",
      "id": "employees",
      "title": "Employees",
      "voot_membership_role": "admin"
    },
    {
      "description": "Group containing everyone at this institute.",
      "id": "members",
      "title": "Members",
      "voot_membership_role": "member"
    }
  ],
  "itemsPerPage": 2,
  "startIndex": "0",
  "totalResults": 2
}
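To show both ends of the "groups the user is a member of" exchange on Slides 29 and 30, here is an added Python example (not OpenConext or VOOT reference code). The group store and memberships are constructed, and the provider side stands in for a Group Provider such as Grouper; the response shape follows the sample above, including `startIndex` carried as a string, and the client side handles pagination and skips malformed entries rather than trusting the whole body.

```python
import json

# Constructed in-memory group store standing in for a Group Provider (e.g. Grouper).
GROUPS = {
    "employees": {"title": "Employees", "description": "Group containing employees."},
    "members": {"title": "Members", "description": "Group containing everyone at this institute."},
    "board": {"title": "Board", "description": "Governing board."},
}
# Constructed memberships: user id -> {group id: voot_membership_role}
MEMBERSHIPS = {
    "jane": {"employees": "admin", "members": "member"},
    "bob": {"members": "member", "board": "manager"},
}


def voot_groups_response(user_id, start_index=0, count=None):
    """Provider side: build the VOOT response body listing the authenticated user's groups.
    Only the caller's own memberships are ever included; unknown users get an empty list."""
    roles = MEMBERSHIPS.get(user_id, {})
    entries = [
        {"description": GROUPS[g]["description"], "id": g,
         "title": GROUPS[g]["title"], "voot_membership_role": role}
        for g, role in sorted(roles.items())
    ]
    page = entries[start_index:] if count is None else entries[start_index:start_index + count]
    return {
        "entry": page,
        "itemsPerPage": len(page),
        "startIndex": str(start_index),  # the sample response carries startIndex as a string
        "totalResults": len(entries),
    }


def parse_voot_groups(body_text):
    """Client (SP) side: parse one VOOT groups page.
    Returns ({group id: role}, more_pages_remaining)."""
    body = json.loads(body_text)
    roles = {}
    for entry in body.get("entry", []):
        if not isinstance(entry, dict) or "id" not in entry or "voot_membership_role" not in entry:
            continue  # skip malformed entries instead of failing the whole response
        roles[entry["id"]] = entry["voot_membership_role"]
    start = int(body.get("startIndex", 0))
    per_page = int(body.get("itemsPerPage", len(roles)))
    total = int(body.get("totalResults", 0))
    return roles, start + per_page < total


def fetch_all_groups(user_id, page_size=None):
    """Client side: follow pagination until every group has been retrieved.
    The HTTP round trip is replaced by a direct call to the provider function."""
    roles, start = {}, 0
    while True:
        body = json.dumps(voot_groups_response(user_id, start, page_size))
        page_roles, more = parse_voot_groups(body)
        roles.update(page_roles)
        if not more:
            return roles
        start += page_size


def is_group_admin(user_id, group_id):
    """Example SP authorisation check driven by the VOOT role attribute."""
    return fetch_all_groups(user_id).get(group_id) == "admin"


if __name__ == "__main__":
    print(json.dumps(voot_groups_response("jane"), indent=2))
    print("jane admin of employees:", is_group_admin("jane", "employees"))
```

Requesting with a small `page_size` exercises the pagination path: the client keeps fetching while `startIndex + itemsPerPage < totalResults`, which is the arithmetic an SP needs if it relies on the full group list for an authorisation decision.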

Slide 31: OAuth Authentication
– OAuth v2.0, Authorisation Code Grant (sequence diagram reproduced from external source)

Slide 32: API Playground
OpenConext provides an 'API playground' for testing OAuth/VOOT calls.
OAuth actors:
– Resource, Resource Owner, Resource Server, Client, Authorisation Server
OAuth security:
– Client registration with the Authorisation Server (consumer key, secret)
– Reliance on TLS (i.e. use of https) in requests to service endpoints
API Playground OAuth protocols supported:
– Version 1.0a: 3-legged, 2-legged
– Version 2.0: Authorization Code Grant, Implicit Grant
API Playground workflow:
– OAuth Settings
– Authorisation Request
– API Request (changing the API Request to explore different VOOT requests)
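The Authorisation Code Grant of Slide 31 and the two security points on this slide (registered client credentials, TLS-only endpoints) are shown in an added Python example of the client (SP) side; it is not OpenConext or API Playground code. The client registration, endpoint URLs and redirect URI are constructed placeholders. It builds the authorisation request with an unguessable `state`, validates the callback before trusting the code, and refuses any endpoint that is not https.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed client registration: the consumer key/secret an SP obtains when it registers
# with the Authorisation Server. Placeholders only.
CLIENT = {
    "client_id": "example-sp",
    "client_secret": "PLACEHOLDER-client-secret",
    "redirect_uri": "https://sp.example.org/oauth/callback",
}
AUTHZ_ENDPOINT = "https://api.example.org/oauth2/authorize"  # assumed, illustrative
TOKEN_ENDPOINT = "https://api.example.org/oauth2/token"      # assumed, illustrative


def endpoint_is_https(url):
    """The deployment relies on TLS: only https endpoints with a host are acceptable."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def require_https(url):
    if not endpoint_is_https(url):
        raise ValueError(f"endpoint must use https: {url}")
    return url


def build_authorization_request(scope="read"):
    """Step 1: the URL the client redirects the browser to, plus the state it must remember."""
    state = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",
        "client_id": CLIENT["client_id"],
        "redirect_uri": CLIENT["redirect_uri"],
        "scope": scope,
        "state": state,
    }
    return require_https(AUTHZ_ENDPOINT) + "?" + urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Step 2: validate the redirect back from the Authorisation Server.
    Returns a dict with ok/code/reason so callers never use a code from a rejected callback."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        return {"ok": False, "code": None, "reason": query["error"][0]}
    state = query.get("state", [""])[0]
    # Constant-time comparison; a mismatch means the callback was not started by this client session.
    if not secrets.compare_digest(state, expected_state):
        return {"ok": False, "code": None, "reason": "state mismatch (possible CSRF)"}
    code = query.get("code", [""])[0]
    if not code:
        return {"ok": False, "code": None, "reason": "no authorisation code in callback"}
    return {"ok": True, "code": code, "reason": ""}


def build_token_request(code):
    """Step 3: endpoint and form body for exchanging the code for an access token.
    The client secret travels only in this back-channel POST, over TLS."""
    return require_https(TOKEN_ENDPOINT), {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": CLIENT["redirect_uri"],
        "client_id": CLIENT["client_id"],
        "client_secret": CLIENT["client_secret"],
    }


if __name__ == "__main__":
    url, state = build_authorization_request()
    print("redirect browser to:", url)
    result = handle_callback(CLIENT["redirect_uri"] + "?code=demo-code&state=" + state, state)
    print("callback:", result)
    if result["ok"]:
        print("token request:", build_token_request(result["code"]))
```

The `state` check is what separates a legitimate callback from one a third party arranged; treating a mismatch as a hard rejection (not a warning) is the behaviour the Implicit Grant and Authorization Code Grant both depend on, and the https check mirrors the slide's point that the whole scheme assumes TLS on every endpoint.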

Slide 33: Putting it together: SAML + Group Proxy (diagram)

Slide 34: Virtual Organisations and VO-based Authorisation

Slide 35: VOs and VO-based AuthZ
In OpenConext, a Virtual Organisation is a group aggregator:
– Defined in terms of groups, IdPs and stems
Creating a VO:
– The "Manage" component provides for VO creation
– Types of VO: group(s), IdP(s), group(s)+IdP(s), stem
Access to resources based on VO membership:
– Authorisation built into the OpenConext Engine
– VO-based authorisation by virtue of Engine SAML IdP metadata: generate Engine IdP SAML metadata with the VO suffix "vo:", provision the protected SP with that Engine IdP metadata, and only members of the VO (groups, IdPs, stem) can access the service
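An added Python example (not OpenConext Engine code) of the membership decision this slide describes: a VO defined by groups, IdPs and stems, evaluated against the authenticated user's IdP and group list. It also covers Slide 6's point that group names are URNs in a team-owned namespace, using the stem definition from Slide 12. Assumptions, labelled in the code: a user satisfies a VO if any one of its criteria matches, a stem matches a group only on a whole leading segment, and the VO name is taken from a `vo:` suffix on the Engine IdP entity ID. All identifiers are constructed.

```python
# Constructed VO definitions; group URNs and IdP entity IDs are illustrative only.
VOS = {
    "genomics": {  # group(s)-only VO
        "groups": {"urn:collab:group:biolabs:au:genome-team"},
        "idps": set(),
        "stems": set(),
    },
    "au-unis": {  # IdP(s)-only VO: anyone authenticated at one of these IdPs
        "groups": set(),
        "idps": {"https://idp.uni-a.example.edu.au/idp", "https://idp.uni-b.example.edu.au/idp"},
        "stems": set(),
    },
    "biolabs-all": {  # stem VO: every group whose name sits under the stem
        "groups": set(),
        "idps": set(),
        "stems": {"urn:collab:group:biolabs"},
    },
}


def under_stem(group, stem):
    """A stem is the leading part of a group's name. Match whole segments only, so that
    the stem urn:collab:group:biolabs does not capture urn:collab:group:biolabsx:..."""
    return group == stem or group.startswith(stem + ":")


def vo_allows(vo, idp_entity_id, user_groups):
    """Assumption: VO membership is the union of its criteria (IdP, explicit group, stem)."""
    if idp_entity_id in vo["idps"]:
        return True
    for group in user_groups:
        if group in vo["groups"]:
            return True
        if any(under_stem(group, stem) for stem in vo["stems"]):
            return True
    return False


def vo_from_entity_id(entity_id):
    """Assumed form: the Engine IdP metadata for a VO carries a trailing 'vo:<name>' suffix.
    Returns None when the entity ID is not VO-scoped."""
    marker = "vo:"
    idx = entity_id.rfind(marker)
    if idx == -1:
        return None
    name = entity_id[idx + len(marker):]
    return name or None


def authorise(engine_idp_entity_id, idp_entity_id, user_groups):
    """The decision an SP provisioned with VO-scoped Engine IdP metadata gets from the Engine.
    Unknown or unparsable VOs are denied rather than falling open."""
    vo_name = vo_from_entity_id(engine_idp_entity_id)
    vo = VOS.get(vo_name) if vo_name else None
    if vo is None:
        return False
    return vo_allows(vo, idp_entity_id, set(user_groups))


if __name__ == "__main__":
    md = "https://engine.example.org/authentication/idp/metadata/vo:genomics"  # constructed
    print(authorise(md, "https://idp.other.example.org/idp", ["urn:collab:group:biolabs:au:genome-team"]))
```

The stem matching is the detail worth checking in any deployment: a prefix test without the segment boundary would admit members of a differently named team whose URN merely starts with the same characters.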

Slide 36: VO-Based Authorisation (diagram)

Slide 37: OpenSocial Container, Portal and Gadget integration

Slide 38: JISC Conext / Jacson
Uptake of OpenConext by JISC:
– Development of JISC Conext / Jacson (initially for JISCmail)
Integration of OpenSocial Container & Portal in OpenConext:
– Initially intended to be an integral part of OpenConext
– OpenSocial Container: Apache Shindig
– OpenSocial Portal: Apache Rave
– OpenSocial Gadgets: e.g. Etherpad
– Federated authentication and group information retrieval
Uptake of OpenSocial technology:
– Key value of OpenSocial Portal infrastructure such as "Jacson"
– Potential for Australian HE&R Service Providers?

Slide 39: Security, Sustainability and Ease-of-Use

OpenConext Security
OpenConext Security Mechanisms:
– SAML Proxy related, Group Proxy related (OpenSocial API)
OpenConext Security:
– Analysis undertaken of SURFconext components by a 3rd party
Australian HE&R focus on Group Information Retrieval:
– VOOT/OAuth security reliance on TLS
– Considerable work on OAuth security undertaken: Security Analysis of Double Redirection Protocols

Slide 41: OpenConext Sustainability
– Continuing use for The Netherlands' National SAML Federation
– Global uptake & collaboration (e.g. in deploying, documenting): JISC, Internet2

Ease of Use
Deployment:
– Open Source, supported, growing development & user community, mailing lists
– Focus on documentation, ease of installation
Development:
– OpenSocial / OAuth client libraries available for most languages: Java (e.g. Scribe), PHP (e.g. zend_oauth), Python (e.g. rauth)
Workshops & conferences:
– Active topic at technical conferences
– Workshops being created & delivered

Slide 43: OpenConext Roadmap

Slide 44: OpenConext Roadmap
– Niels van Dijk to describe current priorities and the future plan for OpenConext development
– Also (depending on time) report on: global uptake; documentation effort; commitment of SURFnet to support global uptake; keeping informed and contributing to development

Slide 45: Wrapping Up, Questions?

Slide 46: Preparation for Session 2
Session 2 goes into technical detail, building on Session 1:
– SP development work will be undertaken during the afternoon sessions
Preparation for Session 2:
– Preparation section: confirm connectivity
– Virtual Machines: assigned to participants (add your initials on the VM list to reserve one); note the IP address and domain name; username and password on the whiteboard; access via SSH