Moonshot, in a nutshell SAML IdP Client Server AAA EAP RADIUS.

Presentation transcript:

1 Moonshot, in a nutshell
Components: SAML IdP, Client, Server, AAA
Flows: EAP between client and server; RADIUS between server and AAA

2 Moonshot with SSH
Components: SAML IdP, OpenSSH client, OpenSSH server, FreeRADIUS AAA server
Flows: GSS EAP over SSH between client and server; RADIUS between server and AAA server
gss_authorize_localname() to authorise the user
gss_pname_to_uid() if the user name is empty

3 Moonshot with CIFS
Components: Windows Domain Controller, Samba4 client, Samba4 file server, FreeRADIUS AAA server
Flows: GSS EAP over CIFS (SPNEGO) between client and file server; RADIUS (+PAC) between file server and AAA server; Protocol Transition (S4U2Self) between file server and Domain Controller
gss_get_name_attribute("urn:mspac:") to read the PAC
gss_inquire_sec_context_by_oid(GSS_C_INQ_SSPI_SESSION_KEY) to obtain the session key

4 Moonshot with LDAP
Components: SAML IdP, Shibboleth, OpenLDAP client, OpenLDAP server, FreeRADIUS AAA server
Flows: GSS EAP over LDAP (SASL) between client and server; RADIUS (+SAML) between server and AAA server
gss_get_name_attribute("eduPersonEntitlement")
Example OpenLDAP ACL:
access to attrs=eduPersonEntitlement
        by dynacl/gss/eduPersonAffiliation=faculty write
        by * read

5 Kerberos with SAML
Components: Kerberos KDC, SAML IdP, Shibboleth, OpenLDAP client, OpenLDAP server
Flows: TGS-REQ between client and KDC; Kerberos over LDAP (SASL) between client and server

6 Moonshot with Kerberos delegation
Components: FreeRADIUS AAA server; SAML IdP (signs assertion with Kidp); Firefox; Apache server; IMAP server; Kerberos KDC (verifies assertion and re-signs with ticket session key)
Flows: RADIUS between Apache server and AAA server; GSS EAP over HTTP Negotiate between Firefox and Apache; Protocol Transition (S4U2Self) between Apache and KDC; Kerberos (SASL) between Apache and IMAP server

7 Moonshot with Kerberos delegation: The gory details
1. C authenticates to S1 using GSS EAP
2. S1 makes a PT request with the SAML assertion in authorization data
3. KDC verifies the assertion signed with Kidp
4. KDC re-signs the assertion with Ksession, and the authorization data with Ktgs
5. KDC issues ticket (C, S1)
6. S1 makes a constrained delegation request for S2 using (C, S1)
7. KDC verifies the assertion signature
8. KDC issues ticket (C, S2) containing the re-signed assertion (Ksession)
9. S1 authenticates using Kerberos to S2 (AP-REQ)
10. S2 verifies the assertion signature with Ksession
11. S2 retrieves the assertion from authorization data
12. S2 performs attribute-based authorization of C
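The signature chain of the delegation flow above, as an added example that is not code from the Moonshot project or this presentation: a Python model in which Kidp, Ktgs and a per-ticket Ksession are HMAC keys standing in for the IdP signing key and the Kerberos checksums, ticket encryption is omitted, and alice@example.org, S1, S2 and the eduPersonAffiliation attribute are assumed sample values.

```python
import hashlib, hmac, json, secrets
# Constructed keys: Kidp stands in for the IdP signing key the KDC trusts,
# Ktgs for the KDC's own key. Signatures are HMACs over canonical JSON.
KIDP, KTGS = secrets.token_bytes(32), secrets.token_bytes(32)

def sign(key: bytes, obj: dict) -> str:
    return hmac.new(key, json.dumps(obj, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify(key: bytes, obj: dict, sig: str) -> bool:
    return hmac.compare_digest(sign(key, obj), sig)

def idp_issue_assertion(subject: str, attrs: dict) -> dict:
    """SAML IdP signs the assertion with Kidp; S1 receives it over RADIUS."""
    assertion = {"subject": subject, "attrs": attrs}
    return {"assertion": assertion, "sig_idp": sign(KIDP, assertion)}

def _issue(client: str, service: str, assertion: dict) -> dict:
    """KDC ticket: fresh session key, assertion re-signed with it, authz data signed with Ktgs."""
    ksession = secrets.token_bytes(32)
    authz = {"assertion": assertion, "sig_session": sign(ksession, assertion)}
    return {"client": client, "service": service, "ksession": ksession,
            "authz": authz, "sig_tgs": sign(KTGS, authz)}

def kdc_protocol_transition(s1: str, signed: dict) -> dict:
    """S4U2Self: S1 asks for a ticket to itself for C; accepted only if Kidp's signature verifies."""
    if not verify(KIDP, signed["assertion"], signed["sig_idp"]):
        raise PermissionError("assertion not signed by a trusted IdP")
    return _issue(signed["assertion"]["subject"], s1, signed["assertion"])

def kdc_constrained_delegation(t_c_s1: dict, s2: str) -> dict:
    """S4U2Proxy: the KDC re-checks its own Ktgs checksum on (C, S1)'s authz data
    and issues (C, S2). Encryption of the ticket under S2's key is omitted."""
    if not verify(KTGS, t_c_s1["authz"], t_c_s1["sig_tgs"]):
        raise PermissionError("authorization data was altered")
    return _issue(t_c_s1["client"], s2, t_c_s1["authz"]["assertion"])

def s2_authorize(ticket: dict, affiliation: str) -> bool:
    """AP-REQ from S1 on C's behalf: S2 needs only Ksession, carried in its own
    ticket, to verify the assertion before authorising on an attribute value."""
    authz = ticket["authz"]
    if not verify(ticket["ksession"], authz["assertion"], authz["sig_session"]):
        return False
    return affiliation in authz["assertion"]["attrs"].get("eduPersonAffiliation", [])

def run_flow(attrs: dict, tamper: bool = False) -> bool:
    t1 = kdc_protocol_transition("S1", idp_issue_assertion("alice@example.org", attrs))
    t2 = kdc_constrained_delegation(t1, "S2")
    if tamper:  # attributes altered on the way to S2 no longer match Ksession's MAC
        t2["authz"]["assertion"]["attrs"] = {"eduPersonAffiliation": ["faculty"]}
    return s2_authorize(t2, "faculty")
```

S2 never sees Kidp; it trusts the KDC's re-signature under the session key it shares through its own ticket, which is why step 10 needs only Ksession.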

8 Patches
Cyrus SASL: GS2 plugin integrated (apparently)
MIT Kerberos: in master but not shipped; MIT 1.8 and 1.9 should work with some features missing
Heimdal: in master but not reviewed/shipped; probably no shipped versions will work because the mechglue loader is broken
Samba: in progress
OpenSSH: in the Moonshot repository but not integrated upstream
OpenLDAP, Jabber server, Adium, etc.: use SASL, no changes required
ACL plugin in contrib/ in master

9 MIT S4U GSS APIs
gss_acquire_cred_impersonate_name: allows a service to get a ticket to itself for an arbitrary user (S4U2Self)
gss_accept_sec_context: always returns a delegated handle; if the client did not provide a TGT, it will do "constrained delegation"
