Federating non-web services with LDAP-Façade
Arsen.Hayrapetyan@kit.edu
What is LDAP-Façade
- A solution developed by KIT which enables non web-based services to join SAML-based federations
- Combines SAML logic and an LDAP directory interface
- Appears to be a local LDAP directory to the service
- Appears to be an SP to the SAML federation
LDAP-Facade - 9th FIM4R Workshop, 30.11.2015, Vienna
ECP: Enhanced Client and Enhanced Proxy
[Figure: two deployment variants, SP as an enhanced proxy; service client as an enhanced client]
Courtesy of J. Köhler, M. Simon, M. Nussbaumer, H. Hartenstein
User registration with the service
- Registration is web-based, using the SAML Web-SSO profile
- A local account is established for the user upon registration
  - Contains service-specific info: UID, home dir, etc.
  - Allows the user to accept the policies of the SP
- Registration flow:
  1. User logs into the LDF with her home IdP account
  2. User clicks on the service registration link
  3. User accepts the policies of the SP
- The SAML assertion released to the LDF during the login is used to authenticate the user and fill in the attributes for the local account
SSH example (enhanced proxy case)
[Figure: components are the SSH server (PAM LDAP authN), the LDF (Apache DS plus Reg-App with the SAML SP logic) and the IdP]
1. username, pwd
2. LDAP authN for the user, pwd forwarded to the LDF
3. HTTPS to the IdP
4. Login with the user's creds
5. SAML assertion
6. AuthN OK, user attrs
7. User logged in
SSH example (enhanced client case)
[Figure: same components as the enhanced proxy case: SSH server (PAM LDAP authN), LDF (Apache DS plus Reg-App with the SAML SP logic), IdP]
1. username, pwd
2. SAML assertion
3. SAML assertion wrapped in the password
4. LDAP authN for the user, SAML assertion forwarded to the LDF
5. HTTPS to the IdP
6. AuthN OK, user attrs
7. User logged in
SSH example (enhanced client case)
Strategies of passing the SAML assertion to the service provider's server:
- Wrapping it into the password
  - Limitations
- A URL to the assertion, to be downloaded by the LDF
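The registration step and the two SSH bind variants above (enhanced proxy: home-organisation password forwarded to the LDF; enhanced client: assertion wrapped into the password) can be modelled as one bind handler. The following is an added example, not code from KIT's LDAP-Façade or from Apache DS. It assumes an HMAC-signed JSON token as a stand-in for an XML-DSig-signed SAML assertion, a constructed "SAML:" prefix marking a wrapped assertion, a placeholder SP entity ID, an in-memory account store created by the web registration, and an assumed 1024-byte cap on the password field to illustrate the size limitation of the wrapping strategy.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this example. A real LDF validates XML-DSig-signed SAML
# assertions against the IdP certificate from federation metadata; the HMAC key
# below is a stand-in for that, and the entity ID is a placeholder.
IDP_KEY = b"constructed-idp-signing-secret"
SP_ENTITY_ID = "https://ldf.example.org/sp"
ASSERTION_MARKER = "SAML:"   # assumed prefix marking a wrapped assertion in the password field
MAX_PASSWORD_LEN = 1024      # assumed cap on what the SSH/PAM password field can carry
MAC_LEN = hashlib.sha256().digest_size

# Local account store filled at web registration: subject -> service-specific attributes
ACCOUNTS = {}

# Stand-in for the home IdP's password check that the LDF reaches via ECP
# in the enhanced-proxy case (constructed credentials)
IDP_PASSWORDS = {"alice@home.example": "correct horse battery"}


def sign_assertion(claims):
    """Build a signed base64 token that stands in for a signed SAML assertion."""
    body = json.dumps(claims, sort_keys=True).encode()
    mac = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + mac).decode()


def verify_assertion(token, now=None):
    """Check signature, audience and validity window; raise ValueError on failure."""
    try:
        raw = base64.b64decode(token, validate=True)
    except Exception as exc:
        raise ValueError("malformed assertion") from exc
    if len(raw) <= MAC_LEN:
        raise ValueError("malformed assertion")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(IDP_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature")
    claims = json.loads(body)
    if claims.get("audience") != SP_ENTITY_ID:
        raise ValueError("assertion not addressed to this SP")
    now = time.time() if now is None else now
    if not claims.get("not_before", 0) <= now < claims.get("not_on_or_after", 0):
        raise ValueError("assertion outside its validity window")
    return claims


def register(token, uid, home, now=None):
    """Web registration: the login assertion authenticates the user and seeds the local account."""
    claims = verify_assertion(token, now)
    account = {"uid": uid, "home": home,
               "mail": claims["attributes"]["mail"], "policy_accepted": True}
    ACCOUNTS[claims["subject"]] = account
    return account


def idp_check_password(subject, password):
    """Stand-in for the ECP login at the home IdP with the forwarded password."""
    return hmac.compare_digest(IDP_PASSWORDS.get(subject, "").encode(), password.encode())


def ldap_bind(subject, password, now=None):
    """Handle the LDAP simple bind that PAM issues; return local attributes or None."""
    if len(password) > MAX_PASSWORD_LEN:
        return None  # wrapped assertion too large for the password field
    account = ACCOUNTS.get(subject)
    if account is None:
        return None  # no web registration, hence no local account
    if password.startswith(ASSERTION_MARKER):
        # Enhanced-client case: the client fetched the assertion itself and wrapped
        # it into the password; the LDF validates it instead of forwarding a secret.
        try:
            claims = verify_assertion(password[len(ASSERTION_MARKER):], now)
        except ValueError:
            return None
        if claims.get("subject") != subject:
            return None  # valid assertion, but issued for a different user
        return account
    # Enhanced-proxy case: the home-organisation password reaches the LDF, which
    # logs in at the IdP on the user's behalf and consumes the returned assertion.
    return account if idp_check_password(subject, password) else None


if __name__ == "__main__":
    now = time.time()
    token = sign_assertion({"subject": "alice@home.example", "audience": SP_ENTITY_ID,
                            "not_before": now - 60, "not_on_or_after": now + 300,
                            "attributes": {"mail": "alice@home.example"}})
    register(token, 10001, "/home/alice")
    print(ldap_bind("alice@home.example", "correct horse battery"))
    print(ldap_bind("alice@home.example", ASSERTION_MARKER + token))
```

The handler refuses binds for subjects without a local account, so the web registration remains the only way a federated identity is mapped to a UID and home directory; in the enhanced-client branch the subject in the assertion must match the bind name, since a valid assertion for another user must not unlock this account.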
Demonstrations
- SSH with Home Organisation password forwarding to the SSH server
- SSH without Home Organisation password forwarding to the SSH server
Current usage
- Approx. 17600 users
  - 13755 active users of bwSync&Share
  - 1020 users of bwUniCluster, 1007 users of bwFileStorage
- Production LDF servers at KIT and Ulm University
  - Members of DFN-AAI
- Pre-production LDF server in Mannheim
- Test LDF servers in Esslingen, Tübingen, Freiburg (the last two will go into production)
The roadmap
- 12/2015
  - Public prototype for DFN + eduGAIN
  - SAML-Token support
- 03/2016
  - Zero-Attribute requirements, for simplified support of additional IdPs
  - Support additional IdPs / federations, e.g. Umbrella, B2ACCESS, ...
- 06/2016
  - OpenID Connect support
  - Integration with the Globus grid-security-infrastructure, i.e. grid-FTP to use LDAP-Facade for (UID, [GID])
- 12/2016
  - Support for 3rd party group membership (e.g. via Attribute Authorities), e.g. Unity (B2ACCESS), VOMS-SAML, ...
References
J. Köhler, M. Simon, M. Nussbaumer, H. Hartenstein: Federating HPC access via SAML: Towards a plug-and-play solution. International Supercomputing Conference, Leipzig, Germany, June 2013
Thank you!