Published by Erick Sparks. Modified over 8 years ago.
https://aarc-project.eu
Authentication and Authorisation for Research and Collaboration

Current Status of Non Web (via LDAP Facade)
Marcus Hardt, KIT
AARC AHM, Milan, 2-3 Nov 2015

Motivation: Bring federated identities to the commandline

ECP: Enhanced Client or Proxy profile
- Proxy: We can steal your password
- Enhanced Client: You have to modify your client software

ECP Problems
- Nobody wants to modify the clients
- Proxy-style federations cannot support this

=> Our Enhanced Client mix:
Goal: Allow non-web without exposing the password, without ECP
1. Website “SAML-delegation.data.kit.edu”
   - Authenticate using WebSSO (OIDC)
   - Issue a token
2. Extension of LDAP-Facade mechanism (PAM / LDAP + Authentication-interceptor):

Authenticator

- Intercepts password / token
- Looks up a PID for given UIDNumber
- Forwards PID + password to LDAP Facade
- LDAP-Facade performs SAML ECP
- If fails: Forward PID + password / token to saml-delegation.data.kit.edu
  - There: Verify token (PID + expiration time)
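
The authenticator's decision order and the token check (PID + expiration time), as an added example that is not from the slides or the LDAP-Facade project. Assumptions: the token format (HMAC-SHA256 over PID and expiry), the key, and the names issue_token, verify_token, authenticate and ecp_login are hypothetical, and the check that saml-delegation.data.kit.edu would perform is run locally here instead of being forwarded.

```python
import base64
import hashlib
import hmac
import time

KEY = b"constructed-demo-key"  # assumption: secret known only to the token issuer/verifier

def _mac(payload, key):
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(pid, ttl, now=None, key=KEY):
    """Hypothetical format: b64(pid|expiry) + "." + b64(HMAC-SHA256(payload))."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{pid}|{expires}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(payload, key)).decode()

def verify_token(token, pid, now=None, key=KEY):
    """Accept only an untampered, unexpired token issued for this PID."""
    try:
        p64, m64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        mac = base64.urlsafe_b64decode(m64)
        tok_pid, exp = payload.decode().rsplit("|", 1)
        expires = int(exp)
    except (ValueError, UnicodeDecodeError):
        return False  # a plain password or malformed input is not a token
    if not hmac.compare_digest(mac, _mac(payload, key)):
        return False  # check the MAC before trusting any field
    if not hmac.compare_digest(tok_pid.encode(), pid.encode()):
        return False  # token was issued for a different identity
    return (time.time() if now is None else now) < expires

def authenticate(uid_number, secret, pid_by_uid, ecp_login, now=None):
    """Order from the slide: PID lookup, SAML ECP, then the token fallback."""
    pid = pid_by_uid.get(uid_number)
    if pid is None:
        return "deny"
    if ecp_login(pid, secret):  # stub for LDAP-Facade performing SAML ECP
        return "ecp"
    if verify_token(secret, pid, now=now):
        return "token"
    return "deny"
```

Binding the token to the PID and to an expiry means a captured token cannot be reused for another account or after it has lapsed, and it is the only secret the command-line client ever sees.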

Demo

Demo:
- plain login: Log in with ka_ym0762 and password
- non-exposed-password/saml: Log in with ka_ym0762 via saml-delegation (via kit-IDP)
- non-exposed-password/oidc: Log in with mcvsmob via saml-delegation (google)
- 0-Attr: Log in with umbrella_marcvs => only password login, registration

Things to mention:
- Deprovisioning
- Account linking
- Link to docs http://wiki.data.kit.edu/index.php/LDAP-Facade