Cloud federation Are we there yet? Marek Denis CERN openlab Major Review Geneva, Switzerland › October 15-16 2014.


1 Cloud federation Are we there yet? Marek Denis CERN openlab Major Review Geneva, Switzerland › October 15-16 2014

2 Rackspace and CERN openlab
› Rackspace joined CERN openlab last year
› The project officially kicked off on October 1st 2013.
› We are contributing directly to OpenStack
› …and received good feedback about the importance of the topic we are working on
15/10/2014 Marek Denis – CERN openlab

3 Cloud federation
“A federated cloud (also called cloud federation) is the deployment and management of multiple external and internal cloud computing services to match business needs. A federation is the union of several smaller parts that perform a common action.”
http://whatis.techtarget.com/definition/federated-cloud-cloud-federation

4 Bringing old concepts into cutting edge technology
› First steps towards hybrid clouds (Holy Grail of cloud computing)
› Federation allows for splitting authentication and authorization
  - Security
  - Ease of configuration
  - Centralized Identity management

5 How does CERN use it?
› CERN to join the EduGAIN federation at the beginning of 2015 (allowing CERN to share cloud resources with others)
› Presumably the first production setup in the world
› In the future CERN may easily burst into various public and private clouds

6 Last year in retrospection
› We started with vague design charts (we only knew SAML2 could be used as an identity transport layer)
› In April OpenStack Icehouse was released.
Key New Features
New v3 API features
/v3/OS-FEDERATION/ allows Keystone to consume federated authentication via Shibboleth for multiple Identity Providers, and mapping federated attributes into OpenStack group-based role assignments (see documentation).

7 Last year in retrospection
› Keystone client 0.11.1 has all the plugins required for federated authentication
  - Getting unscoped tokens from Shibboleth based Identity Providers
  - Getting unscoped tokens from Microsoft ADFS2.0
  - Listing available projects and domains for federated user
  - Scoping unscoped federated tokens
› OpenStack client can now utilize federated authentication as well as its configuration (identity providers, mappings, protocols).
› CADF (Cloud Audit Data Format) now takes federation-related events into account

8 How to federate your cloud
› Join or create your federation
› Exchange SPs and IdPs metadata
› Configure Apache webserver and Shibboleth Service Provider
› Prepare local projects, domains, groups
› Via the Identity API version 3 the cloud administrator must configure:
  - Trusted Identity Providers
  - Mappings
  - Protocols

9 Federation in OpenStack – a big picture
Credits: Luca Tartarini

10 Transforming assertion into local credentials
SAML assertion:
  LOGIN: madenis
  LANGUAGE: EN
  DEPARTMENT: IT/OIS
  FULLNAME: Marek Denis
Keystone credentials:
  {name: madenis groups: [ "developers", "openlab" ]}
Mapping rules:
  [
    {
      "local": [ { "user": { "name": "{0}" } } ],
      "remote": [ { "type": "ADFS_LOGIN" } ]
    },
    {
      "local": [ { "group": { "id": "devs" } } ],
      "remote": [ { "type": "DEPARTMENT", "any_one_of": ["IT/OIS"] } ]
    }
  ]
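How the two rules on this slide turn assertion attributes into a local user name and group memberships, as an added example (a simplified model of the rule semantics, not Keystone's own code). The assertions are constructed, use the attribute name ADFS_LOGIN that the mapping matches on, and the helper names are hypothetical.

```python
# Simplified model of mapping-rule evaluation (added example, not Keystone code).
MAPPING = [  # the two rules shown on the slide
    {"local": [{"user": {"name": "{0}"}}],
     "remote": [{"type": "ADFS_LOGIN"}]},
    {"local": [{"group": {"id": "devs"}}],
     "remote": [{"type": "DEPARTMENT", "any_one_of": ["IT/OIS"]}]},
]

def match_rule(remote, assertion):
    """Return direct-map values if every remote requirement holds, else None."""
    direct = []
    for req in remote:
        values = assertion.get(req["type"])
        if not values:                       # attribute absent: rule does not apply
            return None
        if "any_one_of" in req:
            if not set(values) & set(req["any_one_of"]):
                return None                  # none of the allowed values present
        elif "not_any_of" in req:
            if set(values) & set(req["not_any_of"]):
                return None                  # a forbidden value is present
        else:
            direct.append(values[0])         # unconditional attribute feeds {0}, {1}, ...
    return direct

def apply_mapping(mapping, assertion):
    """Evaluate all rules; return the local name and the group ids granted."""
    result = {"name": None, "group_ids": []}
    for rule in mapping:
        direct = match_rule(rule["remote"], assertion)
        if direct is None:
            continue
        for local in rule["local"]:
            if "user" in local:
                result["name"] = local["user"]["name"].format(*direct)
            if "group" in local:
                result["group_ids"].append(local["group"]["id"])
    return result

# Constructed assertions; values are lists because SAML attributes are multi-valued.
IT_USER = {"ADFS_LOGIN": ["madenis"], "DEPARTMENT": ["IT/OIS"], "LANGUAGE": ["EN"]}
OTHER_DEPT = {"ADFS_LOGIN": ["jdoe"], "DEPARTMENT": ["HR/XX"]}
NO_LOGIN = {"DEPARTMENT": ["IT/OIS"]}

if __name__ == "__main__":
    for sample in (IT_USER, OTHER_DEPT, NO_LOGIN):
        print(apply_mapping(MAPPING, sample))
```

A result with an empty `group_ids` list carries no group-based role assignments, and a result with no `name` has no local identity, so a caller should treat either as a denied login.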

11 It’s video time
› Before we take off
  - Local user tim
  - Local groups: managers, developers, contractors
  - Local projects: manager, developer, contractor
  - Tim is a member of all the groups (hence he can access any of the 3 projects)
  - No local user madenis

12 It’s video time
› Identity Provider: cern
› Mapping: cern
› Protocol: saml2
› Federated user will have my CERN login: madenis
› He will have access to developer project only

13 Cloud federation – are we there yet?
› The answer is: almost
› We CAN share identities between clouds
› We need to build virtual inter-cloud networks
› We need to share images between clouds
› We need inter-cloud metering

14 What next?
› During the last release we were working on another piece of functionality (codename Keystone2Keystone)
› Enhance clients with smarter token handling and token reuse
› Test scalable solutions
› Work on everything that is not possible yet (and was listed on the previous slide)

15 Thank you
Marek Denis
marek.denis@cern.ch

