Presentation is loading. Please wait.

Presentation is loading. Please wait.

Contrail and Federated Identity Management

Similar presentations


Presentation on theme: "Contrail and Federated Identity Management"— Presentation transcript:

1 Contrail and Federated Identity Management
03/06/12 Contrail and Federated Identity Management Philip Kershaw, RAL Space, STFC Jens Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …) contrail is co-funded by the EC 7th Framework Programme 1

2 Outline Contrail overview and goals Architecture Single sign-on
03/06/12 Outline Contrail overview and goals Architecture Single sign-on Delegation requirements Delegation solutions OAuth flow Conclusions Collaborations 2

3 Contrail Overview and Goals
03/06/12 Contrail Overview and Goals EC FP7 Project, led by INRIA, 36 month, completes Sept 2013 Federation of cloud providers Federation with external IdPs “Elastic” CAs for dynamically created services Autonomous SLA management from project IaaS and PaaS integration Reuse of existing open standards: OVF OCCI CDMI WS-Security models 3

4 Contrail Overview and Goals+
03/06/12 Contrail Overview and Goals+ EC FP7 Project, led by INRIA, 36 month, completes Sept 2013 Federation of cloud providers Federation with external IdPs “Elastic” CAs for dynamically created services Autonomous SLA management from project IaaS and PaaS integration Reuse of existing open standards: OVF OCCI CDMI WS-Security models Federated access to resources, building on existing identity federations 4

5 Architecture Federation of Cloud Providers Federation CLI Browser
03/06/12 Architecture Federation CLI Browser Browser and rich client access Federation Web Portal Online CA  REST API  Federation core Federation Identity Provider Federation of Cloud Providers 5

6 Architecture – Single Sign-on
03/06/12 Architecture – Single Sign-on Federation CLI Browser Single Sign-on Single Sign-on Federation Web Portal Credentials mapping Online CA  REST API  Federation core Federation Identity Provider Single Sign-on Cloud Providers 6

7 Architecture - Delegation
03/06/12 Architecture - Delegation Federation CLI Browser Multiple delegation hops Federation Web Portal Online CA  REST API  Federation core Federation Identity Provider Cloud Providers 7

8 Delegation … but how? Delegator, delegates authority to another, a delegatee Rights that the delegatee inherits can vary e.g. Identity-based – inherits all the rights of the user Inherit rights to access a single resource Some technology options: GSI Proxy certificates OAuth 1.0 (CILogon), OAuth 2.0? Others…

9 Delegation: technology options
03/06/12 Delegation: technology options GSI Proxy certificates Delegatee inherits all the rights of the user Custom SSL extensions needed to support verification OAuth 1.0 Gained traction in commercial environment: Twitter etc… Digital signature of HTTP header artifacts – canonicalisation can be problematic OAuth 2.0 Simplified flow Use SSL: no digital signature implementation necessary CILogon Use OAuth to protect a short-lived credential service (SLCS) but based on OAuth 1.0 Delegatees obtain a standard End Entity Certificate SLCS + OAuth 2.0 ✔ 9

10 OAuth Flow (1) Cloud Providers Browser
03/06/12 OAuth Flow (1) Browser Objective: get delegated credential for portal to make onward requests to the federation core [OAuth Authorisation Server] 1. User request Federation Web Portal [OAuth Client] Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 10

11 OAuth Flow (2  3) Cloud Providers Browser
03/06/12 OAuth Flow (2  3) Browser 2. Portal requests authorisation for delegation from user 3. User is redirected to authorisation server [OAuth Authorisation Server] Federation Web Portal [OAuth Client] Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 11

12 OAuth Flow (4) Cloud Providers Browser [OAuth Authorisation Server]
03/06/12 OAuth Flow (4) Browser 4. User authenticates and approves the delegation request [OAuth Authorisation Server] Federation Web Portal [OAuth Client] Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 12

13 OAuth Flow (5) Cloud Providers Browser [OAuth Authorisation Server]
03/06/12 OAuth Flow (5) Browser 5. Return authorisation grant to portal via a redirect [OAuth Authorisation Server] … redirect back to portal Federation Web Portal [OAuth Client] Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 13

14 OAuth Flow (6) Cloud Providers Browser [OAuth Authorisation Server]
03/06/12 OAuth Flow (6) Browser [OAuth Authorisation Server] 6. Portal requests certificate (oauth access token) passing authorisation grant as proof of user approval Federation Web Portal [OAuth Client] Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 14

15 OAuth Flow (7) Cloud Providers Browser [OAuth Authorisation Server]
03/06/12 OAuth Flow (7) Browser [OAuth Authorisation Server] Federation Web Portal [OAuth Client] 7. Online CA authenticates portal and returns certificate Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 15

16 OAuth Flow (8) Cloud Providers Browser [OAuth Authorisation Server]
03/06/12 OAuth Flow (8) Browser [OAuth Authorisation Server] Federation Web Portal [OAuth Client] 8. Portal uses certificate to authenticate with core services Online CA [OAuth Resource Server] Federation core Federation Identity Provider Cloud Providers 16

17 OAuth Flow (9) Cloud Providers Browser [OAuth Authorisation Server]
03/06/12 OAuth Flow (9) Browser [OAuth Authorisation Server] Federation Web Portal [OAuth Client] Online CA [OAuth Resource Server] Federation core Federation Identity Provider 9. Further delegation needed: ‘2-legged’ OAuth Cloud Providers 17

18 03/06/12 Development Status Web portal and federation SSO demonstrated with support for: SAML OpenID Command line SSO with shell script client to Short-Lived Credential Service (X.509 EECs) Delegation with 2-legged OAuth-like interface, full OAuth to be integrated 18

19 Technology used Federation Web
03/06/12 Technology used Federation Web User interface: Python 2.7+ / Django 1.4 / buildout / Apache2 SAML2: Djangosaml2 v0.5 OpenID: Django-authopenid Federation IdP IdP: SimpleSAMLphp 1.9 rc2 User DB: Java 6 / JPA subclipse / Tomcat

20 Conclusion Single sign-on support with: Browser: SAML2 and OpenID
03/06/12 Conclusion Single sign-on support with: Browser: SAML2 and OpenID Other client: X.509 short-lived end entity certificates Delegation with OAuth 2.0 protected Short-Lived Credential Service Can we offer Federation-in-a-box or federation-as-a- service ? => Federated access to resources, building on existing identity federations.

21 Contrail collaborations
03/06/12 Contrail collaborations Contrail evaluation with: EUDAT, CLARIN, ENES EGI federated cloud task force Climate science and Earth Observation communities: OAuth solution for workflows OGF groups FEDSEC-CG: federated identity for grids and clouds IDEL-WG: working group on identity delegation Cloud security activities ... Moonshot

22 contrail is co-funded by the
03/06/12 contrail is co-funded by the EC 7th Framework Programme Funded under: FP7 (Seventh Framework Programme) Area: Internet of Services, Software & virtualization (ICT ) Project reference: Total cost: 11,29 million euro EU contribution: 8,3 million euro Execution: From till Duration: 36 months Contract type: Collaborative project (generic) 22


Download ppt "Contrail and Federated Identity Management"

Similar presentations


Ads by Google