Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Federations - Overview

Published byElmer Crawford Modified over 6 years ago

Similar presentations

Presentation on theme: "Identity Federations - Overview"— Presentation transcript:

1 Identity Federations - Overview
Marco Fargetta - INFN – Italy EthERNet e-Research Hackfest – Addis Ababa (Ethiopia)

2 Identity Management

3 Authorisation

4 Remote Identity

5 Single Sign-On

6 SAML distinguish two main resources
SAML Federation SAML distinguish two main resources Identity Provider (IdP) Service Provider (SP) Federation is a group of resources They sharing a common policy Are managed as a single entity The authentication is always between an IdP and a SP The federation establish only the initial trust among the resources

7 A user want to access an SP
SAML Authentication A user want to access an SP The user is redirect to a Discovery Service It can be an external service or embedded in the SP Allow the user to choose the IdP The user goes back to the SP with the ID of the own IdP The user is redirect to the IdP Authentication is performed The user goes back to the SP with the authentication All the steps above are associated with a SAML assertion (it is an XML)

8 SAML Authentication

9 SAML Authentication was mainly designed for WebServices
Authentication flow SAML Authentication was mainly designed for WebServices It is possible to implement other type of resources Either web based or native application Resources can support multiple SAML profiles The profile identifies the exchange protocol and the message format Most used profile for web application is redirect The browser show a page with a javascript performing the redirect

10 IdP keeps tracks of user authentications
Single Sign-On IdP keeps tracks of user authentications Multiple requests from different services require to authenticate only once Although services can require different information Attribute release has to be confirmed and authorised by the user This is not implemented in all the IdP software Discovery service could store the user selection If this is the case users could have problem to change the IdP in the future

11 Each SP is responsible for the authorization of the accessing users
SAML Authorisation Each SP is responsible for the authorization of the accessing users Authorisation is not federated The federation is responsible to uniform the attributes used by the resources and create the trust among the entities The user authentication is point-to-point between the two involved resources

12 An SP can apply the authorisation in different ways
SAML Authorisation An SP can apply the authorisation in different ways Accept all the federated users Accept federated user according to some filters User of a subset of IdPs User with some specific value in the attribute Perform an authorisation request step in the SP Some tools are emerging to perform federated authorisation but not widely adopted Not needed for many SPs

13 A federation is not needed to use SAML
Using SAML A federation is not needed to use SAML Authentication is point-to-point in any case IdPs can be deployed to test new SPs services Many public IdPs available for test Simple SPs can be deployed to test IdPs It can be a single web page GrIDP federation provide a test federation where new services can be tested together with some production services

14 The resource will be tested to identify technical problem, e.g.:
Join a federation To join a federation the service should be properly configured to use SAML The resource will be tested to identify technical problem, e.g.: Misconfiguration with some attributes Missed information on the SAML description The organisation has to sign an agreement with the federation Could require to define a policy for the user complying with the federation rules

15 Resources can be aggregated into a federation
Inter-Federation SAML authentication can be used among a bunch of resources by configuring all the connections Resources can be aggregated into a federation Can be either a national federation or a federation with trans-national scope Federation can be aggregated into a inter-federation eduGAIN is the biggest inter-federation

16 Delegation to multiple service and REST APIs
Delegation is possible but over complicated The delegation allows to demand a service to operate on behalf of the user A profile for native application is available and could be used to access REST APIs but has many limitation If APIs are stateless the authentication has to be performed at every request Too computational and network demanding

17 AARC blueprint architecture
AARC is a EU project aiming at define authentication and authorisation for research collaboration Propose to integrate the SAML federation with other technologies best fitting for the problem SAML used to authenticate in a proxy A proxy can release a token for the access to the other services, e. g. SAML <-> OpenID-Connect conversion

18 Implementation example: the INDIGO-DataCloud IAM service
INDIGO-DataCloud is a EU project implementing cloud service for the research communities IAM is the component implementing the SAML to OpenID-Connect proxy Source: Andrea Ceccanti (INFN)

19 Summary and conclusions
Identity Federation allows to connect services with Identities separating the Identity manager from the service manager Many possibility to integrate with SAML federations For specific problems other protocols could be integrated

20 Thank you! sci-gaia.eu

Download ppt "Identity Federations - Overview"

Similar presentations

WSO2 Identity Server Road Map

WSO2 Identity Server Road Map
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
NASA NEX & OpenID -- Observations -- Andreas Matheus Secure Dimensions.

NASA NEX & OpenID -- Observations -- Andreas Matheus Secure Dimensions.
Survey of Identity Repository Security Models JSR 351, Sep 2012.

Survey of Identity Repository Security Models JSR 351, Sep 2012.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.

Federated Identity Management for HEP David Kelsey WLCG GDB 9 May 2012.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.

Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.
Helsinki Institute of Physics (HIP) - 2003 Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.
1 Emergency Alerts as RSS Feeds with Interdomain Authorization Filippo Gioachin 1, Ravinder Shankesi 1, Michael J. May 1,2, Carl A. Gunter 1, Wook Shin.

1 Emergency Alerts as RSS Feeds with Interdomain Authorization Filippo Gioachin 1, Ravinder Shankesi 1, Michael J. May 1,2, Carl A. Gunter 1, Wook Shin.
Www.jrc.ec.europa.eu Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.
Connect. Communicate. Collaborate eduGAIN in Real Life! Ajay Daryanani, RedIRIS TERENA Networking Conference Brugge, 20th May 2008.

Connect. Communicate. Collaborate eduGAIN in Real Life! Ajay Daryanani, RedIRIS TERENA Networking Conference Brugge, 20th May 2008.
Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.

Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.
AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.
Shibboleth: An Introduction

Shibboleth: An Introduction
Technical Break-out group What are the biggest issues form past projects – need for education about standards and technologies to get everyone on the same.

Technical Break-out group What are the biggest issues form past projects – need for education about standards and technologies to get everyone on the same.
EduGain Federation – Web SSO

EduGain Federation – Web SSO
Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Similar presentations

Ads by Google