Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

MyProxy Jim Basney Senior Research Scientist NCSA
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Lecture 23 Internet Authentication Applications
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Web services security I
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
GridShib Grid-Shibboleth Integration Von Welch, Tom Barton, Kate Keahey, Frank Siebenlist GlobusWORLD 2005.
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.
1 Grid Security. 2 Grid Security Concerns Control access to shared services –Address autonomous management, e.g., different policy in different work groups.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
1 Emergency Alerts as RSS Feeds with Interdomain Authorization Filippo Gioachin 1, Ravinder Shankesi 1, Michael J. May 1,2, Carl A. Gunter 1, Wook Shin.
Using NMI Components in MGRID: A Campus Grid Infrastructure Andy Adamson Center for Information Technology Integration University of Michigan, USA.
Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Workshop Presentation [1] Investigating Liberty Alliance and Shibboleth Integration Nishen Naidoo, Supervisor: Dr. Steve Cassidy.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Security Token Service Valéry Tschopp - SWITCH.
Grid Security: Authentication Most Grids rely on a Public Key Infrastructure system for issuing credentials. Users are issued long term public and private.
Single Sign-On in the Danish Educational Sector Per Thorboll Deputy director UNI-C.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.
Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)
Identity Management in DEISA/PRACE Vincent RIBAILLIER, Federated Identity Workshop, CERN, June 9 th, 2011.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.
Grid Security and Identity Management Mine Altunay Security Officer, Open Science Grid, Fermilab.
EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.
MGRID Architecture Andy Adamson Center for Information Technology Integration University of Michigan, USA.
Security and Privacy for the Smart Grid James Bryce Clark, OASIS Robert Griffin, RSA Hal Lockhart, Oracle.
The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.
Gridshib-intro-dec051 GridShib An Introduction Tom Scavo NCSA.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
EMI is partially funded by the European Commission under Grant Agreement RI Security Token Service (STS) Simplified Credential Management Henri.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Project Moonshot Daniel Kouřil EGI Technical Forum
CERN IT Department CH-1211 Geneva 23 Switzerland t OIS Operating Systems & Information Services CERN IT Department CH-1211 Geneva 23 Switzerland.
Non Web-based Identity Federations - Moonshot Daniel Kouril, Michal Prochazka, Marcel Poul ISGC 2015.
WLCG Update Hannah Short, CERN Computer Security.
LIGO Identity and Access Management
AAI for a Collaborative Data Infrastructure
e-Infrastructure Workshop 28th March 2006, University of Leeds
The DAMe’s First Steps: eduroam and NAS-SAML
CLASP Project AAI Workshop, Nov 2000 Denise Heagerty, CERN
NSF Middleware Initiative: GridShib
Presentation transcript:

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008

Identity Federations linking services and user management systems standardized protocols home institution keeps the most current data service & identity providers services trust clients‘ institutions modified trust model suitable for large infrastructure possible decreasing of users‘ credentials Shibboleth

Users‘ attributes Additional information published by IdP up-to-date any information from HR databases name, , affilitation,... allows for sophisticated access control policies groups of students of a course,... pseudoanonymity Security Assertion Markup Language

SAML assertion example urn:mace:dir:attribute-def:cnDaniel Kouřil urn:mace:dir:attribute-def:givenNameDaniel urn:mace:dir:attribute-def:snKouřil urn:mace:dir:attribute-def:oMasarykova univerzita urn:mace:dir:attribute-def:ouWplace-31200;Wplace ;Facult-1433 urn:mace:dir:attribute-def:eduPersonAffiliationmember;student; employee

Federations in web world schema from SWITCH AAI

Federation in non-web world no redirect mechanism PKI and federated certificates transporting IdP‘s assertions VPN-based solution as general infrastructure obtaining certificates explicit logging into federation

Federated CA bridge to non-federative services on-line CA running as SP in federation federation-based identity vetting GridShib CA key & certificate management done by browser certificates contain users attributes X.509 extension

Management of certificates browser-based solution not ideal GUI and framework desired Network Identity Manager extensible by plugins plugin to manage certificate in MS CertStore embedded browser to obtain certificate pilot implementation ready scheduled deployment at computer center at MU limitation of single identity provider in NIM

NIM plugin

Kerberos and federations many identity federations emerging local NRENs in Europe METACentre project in CR serving users from many institutions Kerberos Easy access for new users at least from selected institution registration and further access Utilizitation of federations

Kerberos and federations several ways possible KAML group no changes to infrastructure, easiness of use for end-users authorization data field for SAML transformation of federated certificates to tickets PKINIT + KDC modified to retain SAML simple, easy to implement SAML is copied from X.509 to TGT as authZ data all derived tickets will inherit the assertion Similar to MS PAC not signed currently SAML artifacts

SAML on Application Server authorization based on SAML attributes policy language authZ decision made by application or third-party component XACML Query/Response protocol components from Grid world „available“ krb5_recvauth (....); krb5_ticket_get_authorization_data_type( context, ticket, KRB5_AUTHDATA_SAML, &saml_data); process_saml_data(saml_data);

Conclusion Simple integration easy to done KDC, users-side tools, application server- side code & authZ service Kerberos as transport mechanism NIM plugin logging into federations useful for other environment as well collaborative systems, videoconferencing