Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.

Published byClaribel Sharp Modified over 8 years ago

Similar presentations

Presentation on theme: "Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008."— Presentation transcript:

1 Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008

2 Identity Federations linking services and user management systems standardized protocols home institution keeps the most current data service & identity providers services trust clients‘ institutions modified trust model suitable for large infrastructure possible decreasing of users‘ credentials Shibboleth

3 Users‘ attributes Additional information published by IdP up-to-date any information from HR databases name, email, affilitation,... allows for sophisticated access control policies groups of students of a course,... pseudoanonymity Security Assertion Markup Language

4 SAML assertion example urn:mace:dir:attribute-def:cnDaniel Kouřil urn:mace:dir:attribute-def:givenNameDaniel urn:mace:dir:attribute-def:snKouřil urn:mace:dir:attribute-def:oMasarykova univerzita urn:mace:dir:attribute-def:ouWplace-31200;Wplace- 924000;Facult-1433 urn:mace:dir:attribute-def:eduPersonPrincipalName1388@muni.cz urn:mace:dir:attribute-def:eduPersonAffiliationmember;student; employee urn:mace:dir:attribute-def:mail1388@mail.muni.cz http://www.mefanet.cz/mefaperson/false

5 Federations in web world schema from SWITCH AAI

6 Federation in non-web world no redirect mechanism PKI and federated certificates transporting IdP‘s assertions VPN-based solution as general infrastructure obtaining certificates explicit logging into federation

7 Federated CA bridge to non-federative services on-line CA running as SP in federation federation-based identity vetting GridShib CA key & certificate management done by browser certificates contain users attributes X.509 extension

8 Management of certificates browser-based solution not ideal GUI and framework desired Network Identity Manager extensible by plugins plugin to manage certificate in MS CertStore embedded browser to obtain certificate pilot implementation ready scheduled deployment at computer center at MU limitation of single identity provider in NIM

9 NIM plugin

10 Kerberos and federations many identity federations emerging local NRENs in Europe METACentre project in CR serving users from many institutions Kerberos Easy access for new users at least from selected institution registration and further access Utilizitation of federations

11 Kerberos and federations several ways possible KAML group no changes to infrastructure, easiness of use for end-users authorization data field for SAML transformation of federated certificates to tickets PKINIT + KDC modified to retain SAML simple, easy to implement SAML is copied from X.509 to TGT as authZ data all derived tickets will inherit the assertion Similar to MS PAC not signed currently SAML artifacts

12 SAML on Application Server authorization based on SAML attributes policy language authZ decision made by application or third-party component XACML Query/Response protocol components from Grid world „available“ krb5_recvauth (....); krb5_ticket_get_authorization_data_type( context, ticket, KRB5_AUTHDATA_SAML, &saml_data); process_saml_data(saml_data);

13 Conclusion Simple integration easy to done KDC, users-side tools, application server- side code & authZ service Kerberos as transport mechanism NIM plugin logging into federations useful for other environment as well collaborative systems, videoconferencing

Download ppt "Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008."

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
MyProxy Jim Basney Senior Research Scientist NCSA

MyProxy Jim Basney Senior Research Scientist NCSA
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch

GridShib: Campus/Grid RBAC Integration GGF15 Workshop: Leveraging Site Infrastructure for Multi-Site Grids October 3th, 2005 Von Welch
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.
Web services security I

Web services security I
Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n. 306819.

Co-ordination & Harmonisation of Advanced e-Infrastructures for Research and Education Data Sharing Research Infrastructures Grant Agreement n

Similar presentations

Ads by Google