Slide 1: CERN Single Sign-On, Summer 2012 Updates
Operating Systems & Information Services
CERN IT Department, CH-1211 Geneva 23, Switzerland, www.cern.ch/it
OIS
Emmanuel Ormancey (IT-OIS)
Slide 2: Primary objective
Prepare CERN Authentication for IAA.
Extend SSO to the HEP community through Federation:
–Allow HEP members to access CERN resources with their local IDs.
–Decrease the ‘CERN Account’ requirement.
Extend SSO to Public Services authentication (Google, Facebook, etc.):
–Allow people to access CERN resources with their public credentials (e.g. a Gmail account).
–Decrease the ‘Lightweight Account’ requirement.
Slide 3: Technical objectives
Improve the service, fix issues and requests.
Provide Strong Authentication methods:
–SMS one-time password, Yubikey, Smartcard.
Allow SSO authentication from scripts and programs.
Facilitate SSO management for application owners.
Address the problems caused by the large number of E-Groups:
–The ‘Header too big’ Apache issue.
Slide 4: SSO Management Site
http://cern.ch/sso-management
Application registration & lifecycle:
–Reassign the registration to another account.
Identity Class (Basic) Authorization:
–Using the Identity Class, restrict access to the application at the SSO level.
–Lightweight accounts are not authorized by default.
E-Groups Authorization:
–Filter the E-Groups needed for authorization.
–User token size decreased: it contains E-Group membership only within the E-Groups filter.
Slide 5: Identity Class Authorization
Provide Basic Authorization using a unique value representing the level of assurance (LoA) of the user and the authentication method used.
–CERN Registered: represents the currently active CERN primary accounts.
–CERN Trusted: represents the currently active CERN secondary and service accounts.
–HEP Trusted: HEP people registered in the CERN HR database, authenticating using their HEP systems (through Federation).
–Named Identity: ex-members of personnel, like retirees, former staff, etc. They still have an entry in the CERN HR database but no CERN account anymore.
–Anonymous Identity: anonymous unverified people, like external/lightweight accounts, Facebook/Google accounts, Federation accounts not verified.
Default basic authorization is set to CERN Registered only.
Configuration at SSO level through http://cern.ch/sso-management
Configuration at application level through the usual configuration files.
Slide 6: The Road to 5 Identity Classes

Types Summary
–Identity Types: CERN_REG (CERN Accounts / CERN Users), CERN_EX (EXTN and RETR), UNREG (UNREG are all available in AD/LDAP as disabled lightweight, same as E-Groups members).
–Auth Types: CERN 1st, CERN 2nd, CERN service, FED, SOCIAL.
–Auth Levels: STD, 2FA.

Types Expanded

| Identity Type | Auth Type | Result / identifier / level | Auth Level | Comments |
|---|---|---|---|---|
| CERN_REG | CERN 1st | CERN Registered | STD | |
| CERN_REG | CERN 1st | CERN Registered | 2FA | |
| CERN_REG | CERN 2nd | CERN Trusted | STD | |
| CERN_REG | CERN 2nd | | 2FA | No 2FA (no card, yubikey or gsm) |
| CERN_REG | CERN service | CERN Trusted | STD | |
| CERN_REG | CERN service | | 2FA | No 2FA (no card, yubikey or gsm) |
| CERN_REG | FED | HEP Trusted | STD | Could be CERN Trusted, but making the difference between CERN and HEP could be interesting |
| CERN_REG | FED | HEP Trusted | 2FA | |
| CERN_REG | SOCIAL | | STD | Social auth forbidden for CERN_REG |
| CERN_REG | SOCIAL | | 2FA | Social auth forbidden for CERN_REG |
| CERN_EX | CERN 1st | Named Identity | STD | Lightweight EXMP account as today. RETR to be moved to REG |
| CERN_EX | CERN 1st | | 2FA | No 2FA (no card, yubikey or gsm) |
| CERN_EX | CERN 2nd | | STD | CERN_EX cannot own CERN 2nd |
| CERN_EX | CERN 2nd | | 2FA | No 2FA (no card, yubikey or gsm) |
| CERN_EX | CERN service | | STD | CERN_EX cannot own CERN service |
| CERN_EX | CERN service | | 2FA | No 2FA (no card, yubikey or gsm) |
| CERN_EX | FED | | STD | EXMP/RETR can auth with FedID? No, as trust-relation is void. |
| CERN_EX | FED | | 2FA | EXMP/RETR can auth with FedID? No, as trust-relation is void. |
| CERN_EX | SOCIAL | | STD | Social auth forbidden for CERN_EX |
| CERN_EX | SOCIAL | | 2FA | Social auth forbidden for CERN_EX |
| UNREG | CERN 1st | Anonymous Identity | STD | Lightweight external account as today |
| UNREG | CERN 1st | | 2FA | No 2FA (no card, yubikey or gsm) |
| UNREG | CERN 2nd | | STD | UNREG cannot own CERN 2nd |
| UNREG | CERN 2nd | | 2FA | No 2FA (no card, yubikey or gsm) |
| UNREG | CERN service | | STD | UNREG cannot own CERN service |
| UNREG | CERN service | | 2FA | No 2FA (no card, yubikey or gsm) |
| UNREG | FED | Anonymous Identity | STD | |
| UNREG | FED | | 2FA | We don't care |
| UNREG | SOCIAL | Anonymous Identity | STD | |
| UNREG | SOCIAL | | 2FA | We don't care |
Slide 7: E-Groups Authorization
Current situation:
–An account can be a member of hundreds of E-Groups.
–The token size can be huge when the application needs only some of them to handle authorization.
New Authorization E-Groups Filter:
–Define the list of E-Groups needed for authorization.
–The user token will contain E-Group membership only within the E-Groups filter.
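As an added example (not CERN's code), the following Python models the Identity Class derivation from the "Types Expanded" table on slide 6, the per-application E-Groups filter on slide 7, and the default basic authorization (CERN Registered only) on slides 4 and 5. The `AppRegistration` model, the function names, the reading that 2FA only yields a result for the CERN_REG rows that carry one, and the sample application and memberships are assumptions.

```python
from dataclasses import dataclass

# (identity type, auth type) -> Identity Class, from the "Types Expanded" table.
# Pairs missing here have no Identity Class on the slide (social login for CERN
# accounts, FED login for CERN_EX, CERN 2nd/service accounts for CERN_EX/UNREG).
IDENTITY_CLASS = {
    ("CERN_REG", "CERN 1st"): "CERN Registered",
    ("CERN_REG", "CERN 2nd"): "CERN Trusted",
    ("CERN_REG", "CERN service"): "CERN Trusted",
    ("CERN_REG", "FED"): "HEP Trusted",
    ("CERN_EX", "CERN 1st"): "Named Identity",
    ("UNREG", "CERN 1st"): "Anonymous Identity",
    ("UNREG", "FED"): "Anonymous Identity",
    ("UNREG", "SOCIAL"): "Anonymous Identity",
}
# The only rows of the table that give a result at the 2FA level (assumption:
# "No 2FA" and "We don't care" rows are treated as no result).
TWO_FACTOR_OK = {("CERN_REG", "CERN 1st"), ("CERN_REG", "FED")}


def identity_class(identity_type, auth_type, auth_level="STD"):
    """Identity Class for a login, or None when the table gives no result."""
    if auth_level == "2FA" and (identity_type, auth_type) not in TWO_FACTOR_OK:
        return None
    return IDENTITY_CLASS.get((identity_type, auth_type))


@dataclass(frozen=True)
class AppRegistration:
    """What an application owner sets on the SSO management site (hypothetical model)."""
    name: str
    allowed_classes: frozenset = frozenset({"CERN Registered"})  # slide 5 default
    egroup_filter: frozenset = frozenset()  # empty filter: no E-Groups in the token


def build_token(upn, klass, memberships, app):
    """User token for the application: only E-Groups inside the filter are kept,
    which is what keeps the token (and the Apache request headers) small."""
    return {"UPN": upn, "IdentityClass": klass,
            "E-Groups": sorted(set(memberships) & app.egroup_filter)}


def sso_login(identity_type, auth_type, upn, memberships, app, auth_level="STD"):
    """Derive the Identity Class, apply basic authorization at SSO level and
    return the filtered token, or None when the SSO refuses the login."""
    klass = identity_class(identity_type, auth_type, auth_level)
    if klass is None or klass not in app.allowed_classes:
        return None
    return build_token(upn, klass, memberships, app)


# Constructed sample registration: an app that also admits social logins.
TWIKI = AppRegistration("twiki", frozenset({"CERN Registered", "Anonymous Identity"}),
                        frozenset({"twiki-reader", "it-dep-ois"}))
```

Authorization inside the application (by E-Group, Identity Class or any other attribute in the token) is a separate step that consumes the returned token.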
Slide 8: Authentication Methods
Standard Authentication:
–Forms: the user types in his login and password.
–Kerberos or Windows: reuse the current Kerberos or Windows (NTLM) credentials for authentication.
–Certificates: use your CERN CA or EuGridPMA (IGTF) trusted certificate to authenticate.
Two Factor Authentication:
–Smartcard: use a CERN Smartcard to authenticate (pilot, see http://cern.ch/smartcards).
–Yubikey: use a Yubikey hardware token to authenticate.
–SMS One Time Password: validate your authentication with a PIN code sent by SMS to your CERN GSM.
Federation Authentication:
–USATLAS/BNL, INFN, Switch AAI, etc.: coming soon.
Public Services Authentication:
–Google, Facebook, Live, Yahoo, Orange.
Slide 9: Federation & Social ID
Federation Authentication:
–USATLAS/BNL & INFN: testing; Switch AAI: coming soon.
–Can be used to authenticate a CERN Account: IdentityClass = HEP Trusted.
–Can be used to authenticate any other account: IdentityClass = Anonymous Identity.
Public Services Authentication:
–Using standards: OAuth, OpenID.
–Cannot be used to authenticate a CERN Account.
–IdentityClass = Anonymous Identity.
–Can be added in E-Groups (email based).
Slide 10: Login on SSO process (diagram)
The diagram shows two flows, both passing through login.cern.ch before reaching the Web App.
CERN Account flow:
–The user logs in on login.cern.ch with a CERN Account; attributes come from an Active Directory login or email lookup.
–login.cern.ch: Authentication + Authorization based on IdentityClass.
–Token passed to the Web App: UPN: emmanuel.ormancey@cern.ch; IdentityClass: CERN Registered; E-Groups: it-dep-ois; atlas-members.
–Web App: Authorization based on E-Groups, IdentityClass and any other available attribute.
Federation / Social Account flow:
–The user logs in on the Federation / Social site, which hands over to login.cern.ch; attributes come from an Active Directory email lookup.
–login.cern.ch: Authentication + Authorization based on IdentityClass.
–Token passed to the Web App: UPN: emmanuel.ormancey@gmail.com; IdentityClass: Anonymous Identity; E-Groups: alice-friends; twiki-reader.
–Web App: Authorization based on E-Groups, IdentityClass and any other available attribute.
Slide 11: Demo…
http://cern.ch/sso-management
–List applications & Management page.
https://shib2.cern.ch
–Authenticate with Facebook (and display the Application authorization page).
–Show Strong Authentication systems: demo of SMS OTP.
Slide 12: More…
Help and Documentation:
–http://cern.ch/login
SSO Management:
–http://cern.ch/sso-management
Demo site:
–https://shib2.cern.ch
Support:
–service-desk@cern.ch
Slide 13: Questions?
Contact: emmanuel.ormancey@cern.ch