
Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08.


2 ESnet OpenID Presentation
ESnet
ESnet is a high-speed network hosted at and managed by Berkeley Lab and funded by the DOE Office of Science to provide network and collaboration services to thousands of Department of Energy scientists and collaborators worldwide.
ESnet's ATF group supports identity and other secure collaboration services, runs the DOEGrids CA, and supports several Grid CA federations, including TAGPMA and IGTF.
ESnet is interested in emerging federation technologies such as OpenID and Shibboleth. My work is focused on the OpenID authentication protocol.

3 OpenID Overview
OpenID is a decentralized authentication protocol: a user proves to a web site (the Relying Party) that they control a digital identifier, typically an OpenID URL, by authenticating at the identifier's OpenID Provider; identity information is exchanged between the two endpoints without the user giving the site a password.
Developed in May 2005 by Brad Fitzpatrick at Six Apart and dubbed OpenID 1.0.
Eliminates the need for multiple usernames across different websites.
Decentralized: anyone can use or provide OpenIDs.
Single Sign-On: one sign-on per browser session.
Relying Parties include LiveJournal and WikiSpaces; OpenID Providers include AOL, Yahoo! and VeriSign.
The OpenID 2.0 specification was released in December 2007 with new features (Yadis discovery, proper extension support).

4 OpenID Overview (protocol flow)
Parties: User Agent (Browser), RP (Web App.), OP (Authentication Service)
1. User Agent -> RP: OpenID URL
2. RP -> OP: Discovery (Yadis/HTML) on the OpenID URL
3. RP <-> OP: Association (optional)
4. RP -> User Agent: Redirect user to OP with Authentication request
5. User Agent -> OP: Authentication request + End user credentials
6. OP -> User Agent: Redirect user to RP with Auth. response
7. User Agent -> RP: Authentication response
8. RP <-> OP: Verification (optional)

5 Objectives
Experiment with the OpenID protocol and available APIs to assess feasibility of implementation.
OpenID 1.0 vs. OpenID 2.0: ESnet wants 2.0 but needs to understand interoperability issues with 1.0.
Create an OpenID Relying Party and Provider tailored for the DOEGrids/ESnet customer base.
Investigate user authentication using an LDAP server as the source of truth.
Investigate certificate-based user authentication (DOEGrids CA).

6 Tools
We used the SXIP OpenID4Java API: supports the OpenID 2.0 specification, open source, online documentation, Java language.
Apache HTTP Server: open source, popular, well documented.
Apache Tomcat as a backend to Apache HTTP Server, serving Java Servlets and JavaServer Pages.

7 Progress
Created a basic Relying Party to display OpenID Provider responses (parameters, attributes).
Used responses from commercial providers to model our Provider's behavior and set the standard for its functionality.
Created an OpenID Provider that authenticates against an LDAP server and complies with the OpenID 2.0 specification (i.e. supports the Attribute Exchange extension and Yadis protocol discovery).

8 OpenID Overview (username/password authentication against LDAP)
Parties: User Agent (Browser), RP (Web App.), OP (Authentication Service), LDAP Server
1. User Agent -> RP: OpenID URL
2. RP -> OP: Discovery (Yadis/HTML) on the OpenID URL
3. RP <-> OP: Association (optional)
4. RP -> User Agent: Redirect user to OP with Authentication request
5. User Agent -> OP: Authentication request + Username + Password
5. a) OP -> LDAP Server: Username + Password
5. b) LDAP Server -> OP: Auth. result
6. OP -> User Agent: Redirect user to RP with Auth. response
7. User Agent -> RP: Authentication response
8. RP <-> OP: Verification (optional)

9-13 Walk-through screenshots of the username/password flow, one per slide, at protocol steps 1, 4, 5, 7 and 7 (images not included in the transcript).

14 OpenID Overview (certificate-based authentication)
Parties: User Agent (Browser), RP (Web App.), OP (Authentication Service), LDAP Server
1. User Agent -> RP: OpenID URL
2. RP -> OP: Discovery (Yadis/HTML) on the OpenID URL
3. RP <-> OP: Association (optional)
4. RP -> User Agent: Redirect user to OP with Authentication request
5. User Agent -> OP: Authentication request + User certificate
5. a) OP -> LDAP Server: User certificate
5. b) LDAP Server -> OP: Auth. result
6. OP -> User Agent: Redirect user to RP with Auth. response
7. User Agent -> RP: Authentication response
8. RP <-> OP: Verification (optional)

15-21 Walk-through screenshots of the certificate-based flow, one per slide, at protocol steps 1, 4, 5, 5, 5, 5 and 7 (images not included in the transcript).

22 Relying Party Issues Encountered
Compiler errors and server crashes due to missing libraries; copied over the sample application's libraries.
Understanding the details of the OpenID specification was helpful in debugging, even with sample code. E.g. nonce verification: the openid.response_nonce starts with the OP's UTC timestamp, and the RP rejects responses whose timestamp is too far from its own clock, so hosts should synchronize with a NIST time server (NTP).
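As an added example (not code from the presentation or from OpenID4Java), the nonce check the slide refers to, in Python: a positive assertion's openid.response_nonce begins with an RFC 3339 UTC timestamp ("Z", no fractional seconds) followed by printable ASCII, so the RP can reject a response whose timestamp lies outside a window around its own clock and refuse any nonce it has already accepted from the same OP endpoint. The OP endpoint URL, the nonces and the fixed clock value are constructed for the example.

```python
"""Freshness and replay check on openid.response_nonce (OpenID 2.0 sections 10.1 and 11.3).
Added example for this page, not ESnet's or OpenID4Java's code; the OP endpoint, nonces
and clock values below are constructed."""
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 date-time restricted to UTC ("Z") with no fractional seconds, then any
# printable non-whitespace ASCII the OP appended to make the nonce unique.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z([\x21-\x7e]*)$")


class NonceChecker:
    """Remembers (OP endpoint, nonce) pairs for as long as their timestamp could still be accepted."""

    def __init__(self, max_skew_seconds=300):
        # The window only means something if this host's clock is NTP-synchronised.
        self.max_skew = timedelta(seconds=max_skew_seconds)
        self._seen = {}  # (op_endpoint, nonce) -> timestamp parsed from the nonce

    def check(self, op_endpoint, nonce, now=None):
        """Return (accepted, reason). A nonce is accepted at most once per OP endpoint."""
        now = now or datetime.now(timezone.utc)
        if len(nonce) > 255:
            return False, "nonce longer than 255 characters"
        match = NONCE_RE.match(nonce)
        if not match:
            return False, "malformed timestamp"
        try:
            stamp = datetime.strptime(match.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        except ValueError:  # e.g. month 13
            return False, "malformed timestamp"
        if abs(now - stamp) > self.max_skew:
            return False, "timestamp outside window"
        key = (op_endpoint, nonce)
        if key in self._seen:
            return False, "replay"
        self._seen[key] = stamp
        self._expire(now)
        return True, "ok"

    def _expire(self, now):
        # Entries older than the window can never be accepted again, so drop them.
        cutoff = now - self.max_skew
        for key in [k for k, stamp in self._seen.items() if stamp < cutoff]:
            del self._seen[key]


def example_run():
    """Exercise the checker against a constructed RP clock; returns the (accepted, reason) list."""
    checker = NonceChecker(max_skew_seconds=300)
    now = datetime(2008, 8, 6, 12, 0, 0, tzinfo=timezone.utc)  # constructed RP clock
    op = "https://titanium.es.net/provider"                     # constructed OP endpoint
    return [
        checker.check(op, "2008-08-06T11:59:30Zabc123", now),                      # fresh
        checker.check(op, "2008-08-06T11:59:30Zabc123", now),                      # replayed
        checker.check("https://other.example/op", "2008-08-06T11:59:30Zabc123", now),  # other OP
        checker.check(op, "2008-08-06T11:00:00Zxyz", now),                         # an hour old
        checker.check(op, "2008-08-06T11:59:30abc", now),                          # missing "Z"
    ]


if __name__ == "__main__":
    for accepted, reason in example_run():
        print(accepted, reason)
```

The replay set is keyed on the OP endpoint as well as the nonce because the specification only requires uniqueness per OP; a store keyed on the nonce alone would let one provider's nonce block another's.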

23 OpenID Provider Issues Encountered
Yadis discovery initially did not work.
Despite the API documentation, some details had to be learned through experience.
The API methods and sample code did not perform direct communication (the OP side of the association and verification requests that the RP sends directly, rather than through the browser).
The initial SSL configuration on Apache HTTP Server interfered with the OpenID protocol.

24 Why certificate-based authentication?
ESnet has over 2500 DOEGrids CA customers with X.509 certificates.
Integration with the OpenID service; automatic enrollment.
The service can be extended to the international grid community and to customers of commercial CAs, e.g. Thawte, VeriSign.
OpenID allows for attribute exchange and may be easier to use than certificate-based authentication on its own.

25 Interests/Future Considerations
Extension support / Attribute Exchange extension
Directed Identity: sign in with the OP URL
Security concerns, e.g. phishing
Delegation: you choose your OpenID
Roadmap/Recommendations to ESnet ATF

26 Attribute Exchange
OpenID 2.0 feature; allows for exchange of attributes as UTF-8 strings with no newlines.
Each attribute must have an associated attribute type URI, which MAY be dereferenced to an attribute description.
There is no central authority on attribute schema definitions; SXIP hosts the community project www.axschema.org.
For Yadis discovery, the attribute exchange namespace "http://openid.net/srv/ax/1.0" SHOULD be listed as a Type child of the Service element in the XRDS discovery document.

27 Directed Identity
OpenID 2.0 feature: the user can enter an OP Identifier at the Relying Party instead of their OpenID URL.
The Relying Party does discovery on the OP Identifier and redirects the end user to the OP with a claimed ID of http://specs.openid.net/auth/2.0/identifier_select.
At the OP, the user selects their actual OpenID URL, which is returned to the Relying Party in the assertion.
The Relying Party is then required to perform discovery on this URL to ensure that the provider is entitled to authenticate it; without that check any OP could assert any identifier.

28 Security Concerns
Phishing is a major concern in the OpenID community: a malicious Relying Party can redirect the user to a look-alike OP that collects the password.
An association (a MAC key shared between RP and OP) lets the RP detect tampering with the signed fields of the response.
The SSL certificate-based authentication approach eliminates the phishing threat, since the user never types a password at the OP and the private key never leaves the browser.
In general scope, however, Man-in-the-Middle attacks and other security threats can still be investigated.
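As an added example (not code from the presentation or from OpenID4Java), the signature check that an association makes possible, in Python. The OpenID 2.0 signature is an HMAC (SHA-1 or SHA-256, per the association type) over the Key-Value form of the fields named in openid.signed, in that order, keys without the "openid." prefix, base64-encoded into openid.sig. The RP must also insist that the mandatory fields, and claimed_id and identity when present, are inside the signed list, otherwise an attacker can strip a field from the list and rewrite it. The MAC key, endpoint URLs and assertion values are constructed.

```python
"""Signing and verifying an OpenID 2.0 positive assertion under an association
(spec sections 4.1.1, 6.1 and 10.1). Added example for this page, not code from ESnet or
OpenID4Java; MAC key, URLs and field values are constructed."""
import base64
import hashlib
import hmac

HASHES = {"HMAC-SHA1": hashlib.sha1, "HMAC-SHA256": hashlib.sha256}
# openid.signed MUST list these; claimed_id and identity too, whenever they are present.
ALWAYS_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

MAC_KEY = bytes(range(32))   # constructed 256-bit association key shared by RP and OP
ASSOC_TYPE = "HMAC-SHA256"


def kv_form(params, signed_fields):
    """Key-Value form of the signed fields, in openid.signed order, keys without the
    'openid.' prefix. This byte string is what the HMAC covers."""
    lines = []
    for key in signed_fields:
        value = params["openid." + key]          # KeyError if a listed field is absent
        if ":" in key or "\n" in key or "\n" in value:
            raise ValueError("not representable in KV form: " + key)
        lines.append(key + ":" + value + "\n")
    return "".join(lines).encode("utf-8")


def compute_sig(params, signed_fields, mac_key, assoc_type):
    digest = hmac.new(mac_key, kv_form(params, signed_fields), HASHES[assoc_type]).digest()
    return base64.b64encode(digest).decode("ascii")


def op_sign(params, mac_key, assoc_type):
    """OP side: sign every openid.* field except ns and record the list in openid.signed."""
    skip = ("openid.ns", "openid.sig", "openid.signed")
    signed_fields = [k[len("openid."):] for k in params if k.startswith("openid.") and k not in skip]
    signed = dict(params)
    signed["openid.signed"] = ",".join(signed_fields)
    signed["openid.sig"] = compute_sig(params, signed_fields, mac_key, assoc_type)
    return signed


def verify_assertion(params, mac_key, assoc_type):
    """RP side. Returns (ok, reason); the signature is compared in constant time."""
    signed_fields = params.get("openid.signed", "").split(",")
    required = list(ALWAYS_SIGNED) + [f for f in ("claimed_id", "identity") if "openid." + f in params]
    missing = [f for f in required if f not in signed_fields]
    if missing:
        return False, "unsigned fields: " + ",".join(missing)
    try:
        expected = compute_sig(params, signed_fields, mac_key, assoc_type)
    except (KeyError, ValueError) as exc:
        return False, "cannot rebuild signed message: %s" % exc
    if not hmac.compare_digest(expected, params.get("openid.sig", "")):
        return False, "signature mismatch"
    return True, "ok"


def sample_assertion():
    """A constructed positive assertion as the OP would send it back through the browser."""
    unsigned = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://titanium.es.net/provider",
        "openid.claimed_id": "https://titanium.es.net/users/jan",      # constructed
        "openid.identity": "https://titanium.es.net/users/jan",
        "openid.return_to": "https://rp.example.org/openid/return",    # constructed
        "openid.response_nonce": "2008-08-06T12:00:00Zabc123",
        "openid.assoc_handle": "handle-1",
    }
    return op_sign(unsigned, MAC_KEY, ASSOC_TYPE)


def tamper(params, field, value):
    """Copy of the assertion with one field rewritten, as a man-in-the-browser would."""
    changed = dict(params)
    changed[field] = value
    return changed


if __name__ == "__main__":
    assertion = sample_assertion()
    print(verify_assertion(assertion, MAC_KEY, ASSOC_TYPE))
    print(verify_assertion(tamper(assertion, "openid.claimed_id", "https://titanium.es.net/users/mallory"), MAC_KEY, ASSOC_TYPE))
```

When the RP holds no association (stateless mode) the same fields are instead posted to the OP in a check_authentication request, which is the optional step 8 in the flow diagrams and one reason the recommendations ask for SSL on direct verification too.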

29 Delegation
Allows an end user to use a URL they control as their OpenID while authenticating at any OpenID provider.
The end user can maintain a consistent OpenID URL while switching between OpenID providers.
E.g. to use www.jan.com as the OpenID URL, add a <link rel="openid.server" href="http://myopenid.com/server"> tag (with a matching openid.delegate link naming the identifier at that provider; OpenID 2.0 uses the rel values openid2.provider and openid2.local_id) in the <head> of the HTML page.
Specifying an "X-XRDS-Location" pointing to an XRDS document, via a <meta http-equiv="X-XRDS-Location" content="..."> tag or the equivalent HTTP header, allows for specification of multiple OpenIDs and Providers, catering for load balancing, fallback and prioritization.
The end user will be authenticated as the Claimed Identifier specified at the Relying Party.
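As an added example covering slides 26, 27 and 29 (not code from the presentation or from OpenID4Java), the discovery side of a Relying Party in Python: HTML link discovery including the 1.x openid.server/openid.delegate delegation links, Yadis discovery through an X-XRDS-Location meta tag, reading the Service types (including the Attribute Exchange namespace) out of an XRDS document, building the identifier_select request that an OP Identifier produces, and the re-discovery on the Claimed Identifier that Directed Identity requires before the assertion is trusted. The documents in DOCS stand in for the HTTPS fetches a real RP would make; every URL and document is constructed, including the user page under titanium.es.net and the delegate at jan.example.org.

```python
"""Discovery, delegation and Directed Identity checks of an OpenID 2.0 Relying Party.
Added example for this page, not ESnet's or OpenID4Java's code. DOCS is a constructed
stand-in for the documents a real RP would fetch over HTTPS."""
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

OP_SERVER = "http://specs.openid.net/auth/2.0/server"   # service type of an OP Identifier
OP_SIGNON = "http://specs.openid.net/auth/2.0/signon"   # service type of a Claimed Identifier
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_NS = "http://openid.net/srv/ax/1.0"
XRD = "{xri://$xrd*($v*2.0)}"                           # XRD 2.0 element namespace

DOCS = {
    # Delegation as on the slide: www.jan.com is the OpenID URL, myopenid.com the provider.
    "http://www.jan.com/": (
        '<html><head><link rel="openid.server" href="http://myopenid.com/server">'
        '<link rel="openid.delegate" href="http://jan.example.org/"></head><body/></html>'),
    # OP Identifier used for Directed Identity: XRDS advertising the server type and AX.
    "https://titanium.es.net/provider": (
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
        '<Service priority="0"><Type>' + OP_SERVER + '</Type><Type>' + AX_NS + '</Type>'
        '<URI>https://titanium.es.net/provider</URI></Service></XRD></xrds:XRDS>'),
    # The Claimed Identifier the OP hands back; its page points at an XRDS via the meta tag.
    "https://titanium.es.net/users/jan": (
        '<html><head><meta http-equiv="X-XRDS-Location" '
        'content="https://titanium.es.net/users/jan/xrds"></head><body/></html>'),
    "https://titanium.es.net/users/jan/xrds": (
        '<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>'
        '<Service priority="0"><Type>' + OP_SIGNON + '</Type>'
        '<URI>https://titanium.es.net/provider</URI>'
        '<LocalID>https://titanium.es.net/users/jan</LocalID></Service></XRD></xrds:XRDS>'),
}


def fetch(url):
    """Stand-in for the HTTPS GET a real RP performs (discovery must run over SSL)."""
    return DOCS[url]


class _Links(HTMLParser):
    """Collects <link rel=... href=...> pairs and the X-XRDS-Location meta tag."""
    def __init__(self):
        super().__init__()
        self.rel, self.xrds_location = {}, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            for rel in a["rel"].split():
                self.rel.setdefault(rel, a["href"])      # first link of each rel wins
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")


def _texts(elem, local):
    return [c.text.strip() for c in elem if c.tag == XRD + local and c.text]


def services_from_xrds(xml_text):
    """OpenID 2.0 services in an XRDS document, best priority first (no priority sorts last)."""
    found = []
    for svc in ET.fromstring(xml_text).iter(XRD + "Service"):
        types, uris, local = set(_texts(svc, "Type")), _texts(svc, "URI"), _texts(svc, "LocalID")
        if uris and types & {OP_SERVER, OP_SIGNON}:
            found.append((int(svc.get("priority", 1 << 31)),
                          {"endpoint": uris[0], "local_id": local[0] if local else None, "types": types}))
    return [svc for _, svc in sorted(found, key=lambda item: item[0])]


def discover(identifier):
    """Yadis first (XRDS body or X-XRDS-Location), then HTML <link> discovery."""
    body = fetch(identifier)
    if "xri://$xrds" in body:
        return services_from_xrds(body)
    page = _Links()
    page.feed(body)
    if page.xrds_location:
        return services_from_xrds(fetch(page.xrds_location))
    if "openid2.provider" in page.rel:
        return [{"endpoint": page.rel["openid2.provider"],
                 "local_id": page.rel.get("openid2.local_id"), "types": {OP_SIGNON}}]
    if "openid.server" in page.rel:                  # OpenID 1.x delegation links
        return [{"endpoint": page.rel["openid.server"],
                 "local_id": page.rel.get("openid.delegate"), "types": {"openid-1.x"}}]
    return []


def start_request(identifier):
    """Fields for the checkid_setup request. An OP Identifier yields identifier_select."""
    for svc in discover(identifier):
        if OP_SERVER in svc["types"]:
            return {"endpoint": svc["endpoint"], "claimed_id": IDENTIFIER_SELECT, "identity": IDENTIFIER_SELECT}
        return {"endpoint": svc["endpoint"], "claimed_id": identifier, "identity": svc["local_id"] or identifier}
    return None


def endpoint_is_authoritative(claimed_id, op_endpoint, identity):
    """The check Directed Identity requires: the OP chose claimed_id, so rerun discovery on it
    and accept only if a 2.0 signon service there names this OP endpoint and OP-Local Identifier."""
    return any(svc["endpoint"] == op_endpoint and (svc["local_id"] or claimed_id) == identity
               for svc in discover(claimed_id) if OP_SIGNON in svc["types"])
```

In a real RP the fetch function follows redirects and the final URL (after normalisation) becomes the Claimed Identifier; the authoritative-endpoint check is the one that stops a rogue provider from asserting someone else's identifier after the user picked identifier_select.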

30 Recommendations to ESnet ATF
Ensure all OpenID communication is on SSL, including discovery, association, and direct verification.
OpenID 1.x compatibility for the RP removes a lot of functionality.
OpenID 1.x compatibility is not costly to implement for the OP.
Recommend delegation to prevent identity "correlation", as opposed to issuing multiple OpenIDs per user account.
Long, unsightly OpenID URLs can be mitigated with Directed Identity, e.g. titanium.es.net/provider.

31 Information
For more information on OpenID visit:
http://openid.net
http://wiki.openid.net/FAQ
http://www.doegrids.org/OpenID

32 Contact
Dhiva Muruganantham
Jan Durand durand@es.net
Mike Helm

