Cloud federation Are we there yet? Marek Denis CERN openlab Major Review Geneva, Switzerland › October 15-16 2014.


Rackspace and CERN openlab
› Rackspace joined CERN openlab last year
› The project officially kicked off on October 1st
› We are contributing directly to OpenStack
› …and received good feedback about the importance of the topic we are working on
15/10/2014 Marek Denis – CERN openlab

Cloud federation
“A federated cloud (also called cloud federation) is the deployment and management of multiple external and internal cloud computing services to match business needs. A federation is the union of several smaller parts that perform a common action.”

Bringing old concepts into cutting edge technology
› First steps towards hybrid clouds (the Holy Grail of cloud computing)
› Federation allows for splitting authentication and authorization
  › Security
  › Ease of configuration
  › Centralized identity management

How does CERN use it?
› CERN to join the eduGAIN federation at the beginning of 2015 (allowing CERN to share cloud resources with others)
› Presumably the first production setup in the world
› In the future CERN may easily burst into various public and private clouds

Last year in retrospection
› We started with vague design charts (we only knew SAML2 could be used as an identity transport layer)
› In April OpenStack Icehouse was released. Key New Features, New v3 API features: /v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and mapping federated attributes into OpenStack group-based role assignments (see documentation).

Last year in retrospection
› The Keystone client has all the plugins required for federated authentication
  › Getting unscoped tokens from Shibboleth-based Identity Providers
  › Getting unscoped tokens from Microsoft ADFS 2.0
  › Listing available projects and domains for a federated user
  › Scoping unscoped federated tokens
› The OpenStack client can now use federated authentication as well as its configuration (identity providers, mappings, protocols)
› CADF (Cloud Audit Data Format) now takes federation-related events into account

How to federate your cloud
› Join or create your federation
› Exchange SP and IdP metadata
› Configure the Apache web server and the Shibboleth Service Provider
› Prepare local projects, domains, groups
› Via the Identity API version 3 the cloud administrator must configure:
  › Trusted Identity Providers
  › Mappings
  › Protocols

Federation in OpenStack – the big picture
(diagram; credits: Luca Tartarini)

Transforming an assertion into local credentials

SAML assertion:
  LOGIN: madenis
  LANGUAGE: EN
  DEPARTMENT: IT/OIS
  FULLNAME: Marek Denis

Keystone credentials:
  {name: madenis, groups: [ "developers", "openlab" ]}

Mapping:
  [
    {
      "local": [ { "user": { "name": "{0}" } } ],
      "remote": [ { "type": "ADFS_LOGIN" } ]
    },
    {
      "local": [ { "group": { "id": "devs" } } ],
      "remote": [ { "type": "DEPARTMENT", "any_one_of": ["IT/OIS"] } ]
    }
  ]
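How the mapping registered in the "Mappings" step is evaluated against the assertion above, as an added example (it is not Keystone's own mapping engine, but follows its rule semantics in simplified form): a plain remote entry feeds its value into the {0} placeholder, an any_one_of entry is a condition the rule needs to apply, and not_any_of is the inverse condition. The attribute names and values are constructed from the slide; the ADFS_LOGIN attribute is assumed to carry the login.

```python
# Constructed from the SAML attributes shown on the slide; the Shibboleth SP
# hands each attribute to Keystone as a list of values.
ASSERTION = {"ADFS_LOGIN": ["madenis"], "LANGUAGE": ["EN"],
             "DEPARTMENT": ["IT/OIS"], "FULLNAME": ["Marek Denis"]}

# The slide's mapping JSON as a Python literal: rule 1 copies the login into the
# local user name, rule 2 grants group "devs" only for the listed departments.
MAPPING = [
    {"local": [{"user": {"name": "{0}"}}],
     "remote": [{"type": "ADFS_LOGIN"}]},
    {"local": [{"group": {"id": "devs"}}],
     "remote": [{"type": "DEPARTMENT", "any_one_of": ["IT/OIS"]}]},
]

def _match_remote(rule, attrs):
    """Return values for {0}, {1}, ... when every remote entry holds, else None."""
    direct = []
    for remote in rule["remote"]:
        values = set(attrs.get(remote["type"], []))
        if "any_one_of" in remote:          # condition: at least one listed value
            if not values & set(remote["any_one_of"]):
                return None
        elif "not_any_of" in remote:        # condition: none of the listed values
            if values & set(remote["not_any_of"]):
                return None
        elif not values:                    # attribute absent: rule cannot apply
            return None
        else:                               # plain entry: feeds a placeholder
            direct.append(sorted(values)[0])
    return direct

def _fill(obj, direct):
    """Substitute {0}, {1}, ... in every string leaf of a local template."""
    if isinstance(obj, dict):
        return {k: _fill(v, direct) for k, v in obj.items()}
    return obj.format(*direct) if isinstance(obj, str) else obj

def map_assertion(mapping, attrs):
    """Apply all rules and collect the local user name and group ids."""
    creds = {"name": None, "groups": []}
    for rule in mapping:
        direct = _match_remote(rule, attrs)
        if direct is None:
            continue
        for local in (_fill(item, direct) for item in rule["local"]):
            if "user" in local:
                creds["name"] = local["user"]["name"]
            if "group" in local:
                creds["groups"].append(local["group"]["id"])
    return creds
```

Running map_assertion(MAPPING, ASSERTION) yields user madenis in group devs; an assertion from another department yields the user with no groups, so no project access is granted by the mapping alone.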

It’s video time
› Before we take off
  › Local user tim
  › Local groups: managers, developers, contractors
  › Local projects: manager, developer, contractor
  › Tim is a member of all the groups (hence he can access any of the 3 projects)
  › No local user madenis

It’s video time
› Identity Provider: cern
› Mapping: cern
› Protocol: saml2
› The federated user will have my CERN login: madenis
› He will have access to the developer project only

Cloud federation – are we there yet?
› The answer is: almost
› We CAN share identities between clouds
› We need to build virtual inter-cloud networks
› We need to share images between clouds
› We need inter-cloud metering

What next?
› Last release we were working on another functionality (codename Keystone2Keystone)
› Enhance clients with smarter token handling and token reuse
› Test scalable solutions
› Work on everything that is not possible yet (and was listed on the previous slide)

Thank you
Marek Denis