Presentation is loading. Please wait.

Presentation is loading. Please wait.

Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Utrecht.

Published byBrianne Casey Modified over 8 years ago

Similar presentations

Presentation on theme: "Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Utrecht."— Presentation transcript:

1 https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Utrecht Non web access 24-26 May 2016 AARC SA1.3 Poznan Supercomputing and Networking Center

2 https://aarc-project.eu Local resource provisioning Setup local account To be done once, using web is possible Token translation Map „federated” attributes or group/roles to the local ones Verify the „federated” credentials while accessing the resource (e.g. to forbid users that left their home institution) Local resource deprovisioning When the local account and connected data may be deleted? Problem statement 2

3 https://aarc-project.eu The account is being created while registration step (LDAP Facade). Pools of accounts are created locally, the user is mapped to the account on the first sign on (LCMAPS). Approaches Provisioning 3

4 https://aarc-project.eu Enhanced proxy Enhanced client Local authentication PKI based authentication (GSI). Accounts with limited activity time Approaches Token Translation 4

5 https://aarc-project.eu Fact: the user’s attributes/rights are changing rarely and usually there is no need to verify all the time The assertion obtained at the login is not "continuously" verifying, but assumed as true for some (session) time Assertions signed included in X509 (proxy) certificates are valid for some time The workflow: 1.The user access the web portal, web SSO profile is used for authentication and obtaining some attributes from IdP 2.The attributes are mapped to local username, group membership, etc. 3.On the first login the user must setup local access (public key, password…) 4.The provisioned account is valid for some limited time (e.g. 12h) 5.The user must login to the non-web resource within this limited time 6.After that time the local account is locked, the user may unlock it by logging again to the web portal Issue LDAP doesn’t support locking/unlocking an account out of the box Accounts with limited activity time 5

6 https://aarc-project.eu SSH/SFTP LDAP Facade Moonshot Unity + LDAP plugin GSI OpenSSH GSI (Grid Security Infrastructure) –gridFTP VOMS + LCMAPS CILogon Unity + online CA (EUDAT B2ACCESS) iRODS Unity + iCAT provisioning script (EUDAT B2ACCESS) Kerberos Application specific LibreOffice / ownCloud integration OpenStack …. Access Protocols Pilots coverage 6

7 https://aarc-project.eu Production Designed to work with Federation of non Web-based Services in the State of Baden-Württemberg (bwIDM) Uses bwIDM specific attributes for mapping the user to account and groups The pilot required modification of the code (the mapping cannot be defined via the portal) PSNC development: key based authentication Development „Zero attributes” policy implemented (well, Uid or ePPN are used to produce username) Some issues not present in the production version (e.g. the user cannot deregister) Other features on the roadmap: OIDC for authentication LDAP Facade Piloted versions 7

8 https://aarc-project.eu Translation Services -comparison Requirements R4 Community-based authorisation R7 Federation solutions based on open and standards-based technologies R8 Persistent user identifiers R9 Unique user identities R11 Up-to-date identity information R12 User groups and roles groups based on attributes, currently support for inter-IdP groups R14 Browser & non-browser based federated access

9 https://aarc-project.eu Moonshot pilot Status and experience Moonshot installation Closed environment - all components on local VMs No federated access tested So far conclusions Installing a complete OS with server from DVD is pretty easy Comprehensive documentation But still the installed environment had an issue, solved by direct intervention of the support No security issues „by design” But intrudes „badly designed” standard ssh authentication (requires both dedicated client and server) Was it the cause of my issue? The federation must be „trust infrastructure” eduGAIN is currently not, but some work is in progress „Proxy IdP” is not a solution (TI contains also SPs) TI would solve some issues present in eduGAIN

10 https://aarc-project.eu Translation Services -comparison Protocols ServiceTranslate fromTranslate to LDAP FacadeSAML 2LDAP MoonshotSAML/RADIUSGSS-EAP Unity(one time) passwords challenge-response X509 LDAP/AD SAML OpenId OAuth Web UI SAML 2 Web SAML 2 WS OpenId OAuth1 (LDAP) CILogonSAML OpenId OAuth X509

11 https://aarc-project.eu Translation Services -comparison Typical use cases ServiceUse caseExample LDAP Facade Access to resource via ssh/sftp, gridFTP in plans bwIDM (Federation of non Web-based Services in the State of Baden- Württemberg) MoonshotAccess to web and non-web resources, e.g. GSS enabled SSH server, Apache, MS Exchange EUPanData (access to data using Shibboleth authentication) UnityTranslation between different SSO protocols, (inter-) federation, IdMaaS EUDAT B2ACCESS CILogonProvide certificates for accessing grid resources (gridFTP, WS, Globus Gatekeeper) CILogon Service (provide certificates for InCommon federation)

12 https://aarc-project.eu Translation Services -comparison Requirements Requirement LDAP Facade MoonshotUnityCILogon R4 Community-based authorisation VVVV R7 Federation solutions based on open and standards-based technologies VVVV R8 Persistent user identifiers VVVV R9 Unique user identities VVVV R11 Up-to-date identity information ?VVV R12 User groups and roles ?VVV R14 Browser & non-browser based federated access VVVV Cer t dat e

13 https://aarc-project.eu Translation Services -comparison R1 User and Service Provider friendliness 13 ServiceUserAdministrator LDAP FacadeRequires registration step Standard client software No documentation (in English) Software is not packaged, must be compiled and deployed some config might be done automatically Good installation documentation Lack of portal documentation Issues with underlying software Admin ifc not completelly translated to English MoonshotClient software must be modified Documentation in place Installing a complete OS with server from DVD is pretty easy Comprehensive documentation But still the installed environment had an issue, solved by direct intervention of the support

14 https://aarc-project.eu © GÉANT on behalf of the AARC project. The work leading to these results has received funding from the European Union’s Horizon 2020 research and innovation programme under Grant Agreement No. 653965 (AARC). Thank you Any Questions? https://aarc-project.eu jankowsk@man.poznan.pl

15 https://aarc-project.eu LDAP Facade Architecture source: S.Labitzke Now SAML takes it all: Federation of non Web-based Services in the State of Baden-Württemberg, European Identity & Cloud Conference 2013

16 https://aarc-project.eu LDAP Facade Workflow Prior resource provisioning/registration via web portal and SAML WebSSO profile Access to the resource is possible in two models: Full trust the user passess his IdP password to ssh server the server verifies the password using LDAP Facade LDAP Facade authenticates the user against IdP (enhanced proxy SAML profile) Limited trust after registration the user sets up pair of keys to access ssh server the user is authenticated using the keys the server verifies the user using LDAP Façade LDAP Facade checks the user against his IdP (assertion query SAML profile)

17 https://aarc-project.eu Moonshot Architecture source: https://wiki.moonshot.ja.net/display/Moonshot/The+Architecture+and+Protocol+Flows+of+Moonshot https://wiki.moonshot.ja.net/display/Moonshot/The+Architecture+and+Protocol+Flows+of+Moonshot

18 https://aarc-project.eu Moonshot Workflow Prerequisites credential from Moonshot IdP trust relationship with a Moonshot Relying Party Proxy installed/configured client software server software modified/configured to talk with local RP Proxy Authentication/Authorisation the client contacts the server, usage of GSS-API is negotiated the user selects identity to be used for the particular service TLS tunnel is set from the client to the IdP thru the Service the tunnel is used to authenticate the user and to verify RP (RP name sent by the client and name of „tunnel proxy” are compared) IdP sends RADIUS Access-Accept and optionally SAML assertion to RP RP Proxy and then the service authorize the user depending on the above and on local policies

19 https://aarc-project.eu Unity Architecture source: http://www.unity-idm.euhttp://www.unity-idm.eu Access via different endpoints. Each endpoint has low level binding (web, SOAP, etc.) Each endpoint is associated with authenticator(s) that collect and check credentials. Each user must be registered in a local database.

Download ppt "Https://aarc-project.eu Authentication and Authorisation for Research and Collaboration Michał Jankowski, Maciej Brzeźniak AARC General Meeting, Utrecht."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Contrail and Federated Identity Management

Contrail and Federated Identity Management
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.
The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.

The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.
Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.

Security in Virtual Laboratory System Jan Meizner Supervisor: dr inż. Marian Bubak Consultancy: dr inż. Maciej Malawski Master of Science Thesis.
ArcGIS Server and Portal for ArcGIS An Introduction to Security

ArcGIS Server and Portal for ArcGIS An Introduction to Security
Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.

Authentication and Authorisation for Research and Collaboration Licia Florio (GÉANT) Christos Kanellopoulos (GRNET) Service orientation.
Introduction Moonshot workshop 6.2.2014

Introduction Moonshot workshop
Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.

Project Moonshot update ABFAB, IETF 80. About Moonshot Moonshot is implementing ABFAB Developer meeting, 24 March 2011 Testing event, 25 March 2011 A.
ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.
Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science.
Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Similar presentations

Ads by Google