Slide 1: Multi Cloud. Navid Pustchi, April 25, 2014. World-Leading Research with Real-World Impact!


Slide 2: Motivation
A user belongs to one CSP but, seamlessly or by choice, can use services from another cloud. Each cloud has its own, independent administration. (Figure: User; CSP A (AWS); CSP B (OpenStack).)

Slide 3: Background
Federation: deployment of multiple CSPs (heterogeneous or homogeneous) to provide complex services. Based on deployment model:
- Hybrid Cloud
- Community Cloud

Slide 4: Hybrid Cloud [NIST 2012, p18]
A composition of two or more cloud deployment models that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability. One organization provides and manages the resources.

Slide 5: Community Cloud [NIST 2012, p18]
Provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns. It may be owned, managed and operated by one or more of the organizations in the community, a third party, or some combination of them.

Slide 6: Multi Cloud Restrictions
What limits multi-cloud deployments today: heterogeneity and tight coupling between providers; the need for pre-established business agreements; and differences in service delivery model.

Slide 7: Multi Cloud Architectures [VANDER 2013, p4]
Four ways to federate independent infrastructures:
- A central management system.
- Homogeneous federation: the same management system runs on all infrastructures.
- A central front end.
- A common API on top of distinct, independent management systems.

Slide 8: Central management system [VANDER 2013, p5]
Each separate infrastructure replaces its own management system with a common one. Easy to deploy and maintain, but it carries potential compatibility issues and requires the adoption of new software.

Slide 9: Homogeneous Federation [VANDER 2013, p6]
Each infrastructure manages its resources independently, without a central point, but every management system must be replaced with tools capable of federation.

Slide 10: Central front-end [VANDER 2013, p5]
All facilities and their tools remain unchanged and keep their own user registration, procedures, etc. The only commonality is a central location hosting a list of all facilities and their tools.

Slide 11: Common API [VANDER 2013, p6]
Each facility keeps its current management software. Common interfaces on top of each management software are specified, standardized and made available within the federation. This requires a common protocol.

Slide 12: Security Prospects of Multi Cloud [BOHLI 2013, p3]
Four architectural patterns that use multiple clouds to improve security:
- Replication of the application.
- Partition of the application system into tiers.
- Partition of the application logic into fragments.
- Partition of the application data into fragments.

Slide 13: Replication of Application [BOHLI 2013, p3]
The same operation is performed in distinct clouds, so the client receives multiple results and can compare them. This protects the integrity of the result: a single cloud cannot silently alter it.

Slide 14: Partition into tiers [BOHLI 2013, p5]
Separates the application logic from the data. This gives additional protection against data leakage caused by flaws in the application logic.

Slide 15: Logic into Fragments [BOHLI 2013, p5]
Distributes the application logic across distinct clouds. No cloud provider learns the complete application, and no cloud provider learns the overall calculated result.

Slide 16: Data into Fragments [BOHLI 2013, p7]
Distributes fine-grained fragments of the data to distinct clouds. None of the involved cloud providers gains access to all of the data.
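Two of these patterns, replication of the application (slide 13) and partition of the data into fragments (slide 16), modelled in Python as an added example; this is not code from the slides or from Bohli et al. The "clouds" are in-process functions, the workload and the data record are constructed here, and the fragmentation uses n-of-n XOR secret sharing as one concrete way to guarantee that no single provider sees the data.

```python
"""Two multi-cloud security patterns: replication of an application across
clouds with comparison of the results, and partition of data into fragments.
Added illustration; not code from the slides or from Bohli et al. The clouds
are in-process callables and all inputs are constructed."""
from collections import Counter
import secrets


# --- Replication of application (slide 13) ---------------------------------
# The client sends the same job to several independent clouds and accepts a
# result only when at least `quorum` of them agree.

def replicate_and_compare(clouds, job, quorum):
    """Return the result produced by a quorum of clouds, else raise."""
    results = [cloud(job) for cloud in clouds]
    value, count = Counter(results).most_common(1)[0]
    if count < quorum:
        raise RuntimeError(f"integrity check failed: {count}/{len(results)} agree")
    return value


def honest_cloud(job):
    # Constructed workload: the 'analysis' is a byte checksum of the job.
    return sum(job).to_bytes(4, "big")


def tampering_cloud(job):
    # A compromised provider returns a forged result for the same job.
    return b"\xff\xff\xff\xff"


# --- Partition of data into fragments (slide 16) -----------------------------
# n-of-n XOR secret sharing: each provider stores one share; any n-1 shares are
# uniformly random, so no single provider (and no non-colluding subset) learns
# the data, while all n shares together reconstruct it exactly.

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_data(data, n):
    """Split `data` into `n` shares, one per cloud provider."""
    if n < 2:
        raise ValueError("need at least two providers for fragmentation")
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for share in shares:          # last = data XOR share_1 XOR ... XOR share_{n-1}
        last = _xor(last, share)
    return shares + [last]


def join_data(shares):
    """Reconstruct the data from all shares (XOR of every share)."""
    acc = bytes(len(shares[0]))
    for share in shares:
        acc = _xor(acc, share)
    return acc
```

Replication gives integrity only if the clouds fail independently (a shared compromised library would make them agree on the wrong answer), and XOR sharing gives confidentiality only against providers that do not collude: any n-1 shares are uniformly random, but all n are needed to reconstruct, so availability now depends on every provider.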

Slide 17: Federation
Imagine a professor of physics at the University of China who is part of a multi-institute scientific collaboration such as CERN and is working on a new data set. He wants to start an analysis program that dispatches his code to the remote location where the data is stored, at the University of Switzerland. His client therefore contacts his identity provider at the University of China in order to obtain access to the University of Switzerland resources that can be used for his simulation.

Slides 18-24: Federation [CHADWK 2014]
(Figure: Client; University of China IdP; University of Switzerland resources; a trust relationship between the IdP and the resource provider.)
1. The client requests a service.
2. The service provider (SP) determines the user's identity provider.
3. The SP redirects the user to his IdP for authentication and for his identity attributes.
4. The user authenticates with his IdP.
5. The IdP returns an authentication response to the SP containing the user's identity attributes.
6. The user accesses the resource.

Slides 25-56: Federation Protocol Sequence [CHADWK 2014]
(Figure: Client; IdP; Federated Keystone with its modules: Directory Service, Attribute Mapping, Request Issuing (RI), Federation Protocol Negotiation, Credential Validation, Attribute Issuing Policy, User Provisioning, Token Issuing & Validation Service (TS); CSP; a trust relationship between the IdP and Keystone.)
1. The user calls the client for a federated login, giving it the address of the Keystone service.
2. The client asks the federated Keystone for the list of IdPs.
3. Keystone calls the Directory Service to obtain the list of federation IdPs.
4. Keystone sends the set of IdPs back to the client.
5. The user chooses an IdP.
6. The client returns the chosen IdP and asks for an IdP request message.
7. Keystone looks up the identity provider's federation protocol.
8. Keystone asks the Request Issuing module (RI) for the appropriate format of the authentication and attribute request.
9. The RI requests the IdP metadata from the Directory Service.
10. The RI returns the IdP request message to Keystone.
11. Keystone returns the request message to the client.
12. The client or Keystone passes the request to the IdP.
13. The IdP asks the user to authenticate.
14. The client passes the IdP's response to Keystone.
15. Keystone passes the response to the Credential Validation function.
16. Credential Validation calls the Directory Service to obtain the metadata needed to validate the response.
17. Credential Validation returns the user's ID, set of identity attributes and IdP to Keystone.
18. Keystone checks the Attribute Issuing Policy to ensure the IdP asserted only the attributes it is allowed to assert.
19. Keystone calls the User Provisioning module, which deletes expired entries and creates a temporary entry for the user.
20. Keystone calls the Attribute Mapper to obtain the local set of authorization attributes.
21. Keystone stores these attributes in the temporary user entry and calls the token service to obtain an unscoped token.
22. Keystone returns the unscoped token and the list of available endpoints.
23. The user chooses the service.
24. The client passes the token and the chosen domain and project to Keystone.
25. Keystone calls the token service (TS) to validate the unscoped token and issue a scoped token.
26. Keystone returns the scoped token and the list of services to the client.
27. The client contacts the service provider (CSP) requesting the service.
28. The CSP passes the token to Keystone for validation.
29. Keystone contacts the TS.
30. Keystone sends the validation response to the CSP.
31. The CSP checks with its Policy Decision Point (PDP); if the user is authorized, the request is granted.
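The Keystone-side processing of steps 15 to 30 above (and the SP side of the generic federation flow on slides 18-24) as an added example in Python; this is not OpenStack code and simplifies Chadwick et al.'s design. The IdP "signature" is an HMAC with a key held in a constructed directory (standing in for the IdP certificate that Keystone fetches from federation metadata), the attribute issuing policy and the mapping rules are constructed, and the mapping-rule shape is only loosely modelled on Keystone's JSON mapping rules.

```python
"""Keystone-side federated login: credential validation, attribute issuing
policy, attribute mapping, temporary user provisioning, unscoped and scoped
tokens, and token validation for a CSP. Added illustration, not OpenStack code;
every key, policy and rule below is constructed for the example."""
import hashlib
import hmac
import secrets
import time

# Constructed directory-service metadata: a per-IdP MAC key stands in for the
# IdP signing certificate Keystone would fetch from federation metadata.
DIRECTORY = {"idp.uni-china.example": {"key": b"constructed-idp-key"}}

# Attribute issuing policy (step 18): attributes each IdP is trusted to assert.
ATTRIBUTE_ISSUING_POLICY = {"idp.uni-china.example": {"uid", "affiliation"}}

# Attribute mapping rules (step 20), loosely modelled on Keystone's JSON
# mapping format: a remote attribute value selects local authorization attributes.
MAPPING_RULES = [
    {"remote": {"type": "affiliation", "any_one_of": ["faculty"]},
     "local": {"group": "physicists", "project": "cern-analysis"}},
]

USER_TTL_SECONDS = 3600
_users = {}    # temporary federated user entries: key -> {"local", "expires"}
_tokens = {}   # issued tokens: token -> {"user", "project"}; project None = unscoped


def _canonical(idp, uid, attrs):
    # Deterministic serialisation of what the IdP signs.
    return f"{idp}|{uid}|{sorted(attrs.items())}"

def _sign(key, payload):
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def idp_response(idp, uid, attrs):
    """The IdP's authentication response (steps 13-14), in a constructed format."""
    return {"idp": idp, "uid": uid, "attrs": dict(attrs),
            "sig": _sign(DIRECTORY[idp]["key"], _canonical(idp, uid, attrs))}

def credential_validation(resp):
    """Steps 15-17: verify the response against the IdP's directory metadata."""
    meta = DIRECTORY.get(resp["idp"])
    if meta is None:
        raise PermissionError("IdP not in federation directory")
    expected = _sign(meta["key"], _canonical(resp["idp"], resp["uid"], resp["attrs"]))
    if not hmac.compare_digest(resp["sig"], expected):
        raise PermissionError("IdP response failed validation")
    return resp["uid"], resp["attrs"], resp["idp"]

def apply_issuing_policy(idp, attrs):
    """Step 18: keep only the attributes this IdP is allowed to assert."""
    allowed = ATTRIBUTE_ISSUING_POLICY.get(idp, set())
    return {k: v for k, v in attrs.items() if k in allowed}

def map_attributes(attrs):
    """Step 20: translate remote attributes into local authorization attributes."""
    local = {}
    for rule in MAPPING_RULES:
        remote = rule["remote"]
        if attrs.get(remote["type"]) in remote["any_one_of"]:
            local.update(rule["local"])
    return local

def provision_user(idp, uid, local_attrs, now=None):
    """Steps 19 and 21: purge expired entries, then store a temporary entry."""
    now = time.time() if now is None else now
    for key in [k for k, u in _users.items() if u["expires"] <= now]:
        del _users[key]
    key = f"{idp}:{uid}"
    _users[key] = {"local": local_attrs, "expires": now + USER_TTL_SECONDS}
    return key

def _issue_token(user_key, project):
    token = secrets.token_hex(16)
    _tokens[token] = {"user": user_key, "project": project}
    return token

def federated_login(resp):
    """Steps 15-22: return an unscoped token for a validated IdP response."""
    uid, attrs, idp = credential_validation(resp)
    local = map_attributes(apply_issuing_policy(idp, attrs))
    return _issue_token(provision_user(idp, uid, local), project=None)

def scope_token(unscoped, project):
    """Steps 24-26: exchange an unscoped token for one scoped to `project`."""
    entry = _tokens.get(unscoped)
    if entry is None or entry["project"] is not None:
        raise PermissionError("not a valid unscoped token")
    user = _users.get(entry["user"])
    if user is None or user["local"].get("project") != project:
        raise PermissionError("user has no mapped authorization on that project")
    return _issue_token(entry["user"], project)

def validate_token(token, project):
    """Steps 28-30: the CSP asks whether `token` is valid for `project`;
    returns the user's local authorization attributes, or None."""
    entry = _tokens.get(token)
    if entry is None or entry["project"] != project:
        return None
    user = _users.get(entry["user"])
    if user is None or user["expires"] <= time.time():
        return None
    return user["local"]
```

Two checks carry the security weight: the issuing policy is applied before mapping, so an IdP that asserts an attribute it is not trusted for (a "group" or "role" claim, say) never influences local authorization, and a token is only honoured for the exact project it was scoped to, so an unscoped token presented to a CSP is rejected.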

References
NIST (2012). Cloud Computing Synopsis and Recommendations. NIST Special Publication, May 2012.
VANDER (2013). Architecture for the Heterogeneous Federation of Future Internet Experimentation Facilities. Future Network & Mobile Summit, 2013.
BOHLI (2013). Security and Privacy-Enhancing Multicloud Architectures. IEEE Transactions on Dependable and Secure Computing, 2013.
CASTILO (2013). OpenStack Federation in Experimentation Multi-cloud Testbeds. UNICO, 2013.
CHADWK (2014). Adding Federated Identity Management to OpenStack. Journal of Grid Computing, 2014.