SAML to LDAP bridging developments
Marcus Hardt, Steinbuch Centre for Computing (SCC), KIT
223.04 2014

Motivation
- Allow Linux logins using SAML, i.e. non-web => ECP
- Harmonise our existing AuthN infrastructure
- Give the same (UID, [GID]) to a user with SAML and with X.509 auth
- Easy-to-use solutions
- Pilot: ssh login for users from the state of Baden-Württemberg

Harmonisation between X.509 and SAML
- Goal: map to the same (UID, [GID]) regardless of AuthN method
- Use case: provide access via [ssh|gsi-ssh|globus-ftp|...] to the same filesystem
- Have credential translation available (DFN-SLCS)
- Requirement: have a single source for user and group information
  - Unity, VOMS-SAML, REMS
- Procedure: site-local LDAP interface
  - Input: login information, Assertion, Certificate
  - Return: (UID, [GID]) after intelligent analysis of the input
- This talk: SAML + LDAP

Approach
- Provide a PAM module (in Python); supports many Linux services
- PAM authentication: (username, password) are handed to the PAM module
- PAM module tries to guess the home IdP from the username
- Try to obtain an assertion from the selected home IdP
- Return (UID, [GID]) based on the attributes found inside the assertion
Update: switch from PAM to LDAP
- Due to problems with Python and one Linux distribution => KIT LDAP Facade
- Linux services can use the LDAP interface
- LDAP Facade obtains (username, password)...
- LDAP Facade returns (UID, [GID])
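The mapping step behind the Harmonisation and Approach slides, as an added example that is not code from the KIT LDAP Facade: a site-local store hands out one stable UID per principal and one GID per group, so that a SAML login and an X.509 login that resolve to the same principal get the same ids, and an assertion is only mapped after its audience and validity window have been checked. The facade entityID, the IdP URLs and the sample assertion are constructed; the eduPerson attribute OIDs are the standard ones, and signature verification is assumed to be done by the SAML/ECP library before this step.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf
SP_ENTITY_ID = "https://ldap-facade.example/sp"    # hypothetical entityID of the facade
# Constructed sample assertion (not from the slides), as an IdP would return it over ECP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
<saml:Issuer>https://idp.kit.example/idp/shibboleth</saml:Issuer>
<saml:Conditions NotBefore="2014-04-23T10:00:00Z" NotOnOrAfter="2014-04-23T10:05:00Z">
<saml:AudienceRestriction><saml:Audience>https://ldap-facade.example/sp</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"><saml:AttributeValue>alice@kit.edu</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"><saml:AttributeValue>cn=scc-staff</saml:AttributeValue>
<saml:AttributeValue>cn=bwidm-users</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""

def parse_time(value):  # SAML times are UTC with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def assertion_valid(root, now):
    """Accept only assertions addressed to this facade and inside their validity window.
    XML-signature verification is assumed to happen in the SAML/ECP library before this step."""
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False
    audiences = {a.text for a in cond.iterfind(".//saml:Audience", NS)}
    return SP_ENTITY_ID in audiences and parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))

class UidStore:
    """Site-local single source of ids: allocated on first sight, stable afterwards, so SAML and X.509 logins for one principal share a UID."""
    def __init__(self):
        self.uids, self.gids = {}, {}

    def uid_for(self, principal):
        return self.uids.setdefault(principal, 100000 + len(self.uids))

    def gid_for(self, group):
        return self.gids.setdefault(group, 200000 + len(self.gids))

def map_assertion(store, assertion_xml, now):
    """Facade output step: turn a validated assertion into (UID, [GID]) via the site-local store."""
    root = ET.fromstring(assertion_xml)
    if not assertion_valid(root, now):
        raise ValueError("assertion rejected: wrong audience or outside validity window")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    gids = sorted(store.gid_for(g) for g in attrs.get(IS_MEMBER_OF, []))
    return store.uid_for(attrs[EPPN][0]), gids
```

The X.509 path reuses the same store: once the site's certificate-to-principal table has resolved a DN to its principal name, `store.uid_for(principal)` yields the UID the SAML path already allocated.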

Solved problems on the way
- "German problems": privacy laws & co.
- Setup of a sub-federation
  - Development of a Federation Access Policy (FAP)
  - Code of Conduct for the SP (different from the eduGAIN CoC)
  - Requirements for the interaction between IdP and user
  => IdPs can hand out any attribute, legally
- Web registration prior to first login
  - Click "OK" under the AUP (= terms & conditions)
  - Also used for changing preferences in the SP
- All local-state universities enable ECP... because their users get 10 GB Dropbox-like storage + 10 GB via scp for free

Slide courtesy of Sebastian Labitzke, KIT

Authentication Scenarios (image courtesy of Jens Köhler, KIT)
(a) Enhanced Proxy (ECP): the client sends its password to the LDAP Facade, which logs in at the home IdP on your behalf ;)
(b) Enhanced Client (ECP): the local client handles creation of the assertion; the assertion is passed to the LDAP Facade
(c) Local authentication: login via other means (e.g. ssh keys); the LDAP Facade runs an assertion query to verify that the user is still active

Summary
- We can now use non-web based SAML via ECP, e.g. authenticate SSH against the home IdP
- Unmodified client and server (thanks to LDAP)
Future work
- Prototype of the above in place for Baden-Württemberg users
- National prototype under way
- Integration with the grid security infrastructure (i.e. globus-ftpd uses the LDAP Facade for (UID, [GID]))
- SLCS service at DFN
- Extend the LDAP Facade to support external AA (e.g. Unity, VOMS-SAML, ...)
- Missing: the SSO in ECP

Slide courtesy of Sebastian Labitzke, KIT