Single Sign On for UNICORE command line clients

Similar documents
UNI. UNIfied identity management. Krzysztof Benedyczak ICM, Warsaw University

Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure

Axway API Gateway. Version 7.4.1

IBM WebSphere Application Server

Entrust IdentityGuard Comprehensive

Single Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites

SAML and OAUTH comparison

Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Building Secure Applications. James Tedrick

Use Enterprise SSO as the Credential Server for Protected Sites

Enterprise Access Control Patterns For REST and Web APIs

Agenda. How to configure

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Security and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley

Salesforce1 Mobile Security Guide

CS 356 Lecture 28 Internet Authentication. Spring 2013

API-Security Gateway Dirk Krafzig

SAML SSO Configuration

Single Sign On. SSO & ID Management for Web and Mobile Applications

IGI Portal architecture and interaction with a CA- online

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

Connected Data. Connected Data requirements for SSO

Getting Started with AD/LDAP SSO

Copyright Pivotal Software Inc, of 10

Copyright: WhosOnLocation Limited

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

SharePoint Comparison of Features

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

BIG-IP Access Policy Manager Tech Note for BIG-IP Edge Client App for ios

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Egnyte Single Sign-On (SSO) Installation for OneLogin

ADFS Integration Guidelines

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

WHMCS LUXCLOUD MODULE

Administering Jive for Outlook

HP Software as a Service

NCSU SSO. Case Study

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

September 9 11, 2013 Anaheim, California 507 Demystifying Authentication and SSO Options in Business Intelligence

How To Use Saml 2.0 Single Sign On With Qualysguard

UFTP AUTHENTICATION SERVICE

Contents Release Notes System Requirements Administering Jive for Office

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

PingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1

This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:

An Oracle White Paper Dec Oracle Access Management OAuth Service

T his feature is add-on service available to Enterprise accounts.

Administering Jive Mobile Apps

WHITEPAPER SECUREAUTH IDP DEVICE FINGERPRINTING LOW-FRICTION, BYOD AUTHENTICATION

How To Use Salesforce Identity Features

Meeting Rooms User Manual

TIBCO Spotfire Platform IT Brief

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

SFTP Server User Login Instructions. Open Internet explorer and enter the following url:

Call center statistics are offered via the Unity Client Call Center product set, which includes

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

OneLogin Integration User Guide

User Migration Tool. Note. Staging Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0(1) 1

SAML 2.0 SSO Deployment with Okta

How to create a SP and a IDP which are visible across tenant space via Config files in IS

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Defender Token Deployment System Quick Start Guide

Allidm.com. SSO Introduction. Discovering IAM Solutions. Leading the IAM facebook/allidm

Configuring on-premise Sharepoint server SSO

What s New in Propalms VPN 3.5?

SAP NetWeaver AS Java

Onegini Token server / Web API Platform

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Automated CPanel Backup Script. for home directory backup, remote FTP backup and Amazon S3 backup

5 Day Imprivata Certification Course Agenda

Configuring. Moodle. Chapter 82

Transferring AIS to a different computer

Sharepoint server SSO

Perceptive Experience Single Sign-On Solutions

Microsoft Office 365 Using SAML Integration Guide

Identity Implementation Guide

Only LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.

SSO Methods Supported by Winshuttle Applications

UFTP High-performance data transfer for UNICORE

The saga of WebFTS and Federated Identity

Installing the PA 100 VM in VMware Workstation 9.x

Check Point FDE integration with Digipass Key devices

/ Preparing to Manage a VMware Environment Page 1

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Protecting Juniper SA using Certificate-Based Authentication. Quick Start Guide

Web Applications Access Control Single Sign On

Angel Dichev RIG, SAP Labs

An Oracle White Paper Dec Oracle Access Management Security Token Service

managing SSO with shared credentials

Microsoft Office 365 with ADFS

Setup Guide Access Manager 3.2 SP3

AVG Business SSO Partner Getting Started Guide

Connecting an Android to a FortiGate with SSL VPN

NetSupport DNA Configuration of Microsoft SQL Server Express

Transcription:

Single Sign On for UNICORE command line clients Krzysztof Benedyczak ICM, Warsaw University

Current status of UNICORE access Legacy certificates still fully supported nice on home workstation, especially when loaded into a browser With help of Unity username & password authentication is possible as well as federated login to UNICORE portal. Unity also solves delegation issue: it generates it on user's behalf, so chained Grid workflows can be executed.

The gap SSO works only for client runtime duration. After restart authentication must be repeated. Not a problem for URC, portal and UCC in the shell mode. UCC in non-shell mode is problematic, yet more useful. Same problem occurs with agent machines where real credentials can't be uploaded due to security policies. Old Proxy Certificates were tackling this issue...

Technical perspective of the problem There are two parts of the problem to be solved. To access a server, the client has to authenticate itself: with SAML authn assertion or by using certificate&pk Additionally trust delegation must be sent: either signed with PK or received from Unity actually not always required but often is

Is certificate enough? If a certificate is available, a trust delegation can be generated. Using the certificate directly in automated scenario requires either: storing PK without password, or storing password in a text file Insecure, violates CA policies, can't be used with federations, no go...

Access with help of Unity

Access with help of Unity When using Unity trust delegation is generated by Unity on user's behalf. validity is sufficient, typically 2 weeks or so. However SAML authentication assertion is: targeted at particular receiver (server container) very short lived (range of minutes) Hacking SAML authentication is theoretically possible but controversial.

Security sessions to rescue? UNICORE security stack supports security sessions concept In response to the first, fully authenticated and authorized client's request, a server returns session identifier. Client can subsequently use this identifier instead of pushing the AA data again. Improves performance Enhancing the mechanism to store the session ids on disk is possible. Unfortunately for each connected service container we need to send AA data again...

Problem summary SAML authentication assertion is the root of our problem. Usage of certificates doesn't help. Client<->Server security sessions won't help too. We need something easy to use, as easy as proxies are (after you have one generated!).

Proposed approach Session between Unity and client used only when requesting assertions from Unity token stored on disk protected with FS rights

JWT endpoint and authn in Unity Unity already supports such mechanism There is a JWT endpoint allowing to generate tokens Token can be also refreshed and revoked Endpoint is trivial, RESTful Token is a signed, self contained JSON Unity also provides JWT authenticator, which can be used for both REST and SOAP endpoints. { } "sub":"c6789770-f587-4936-99df-d57c5d8a68e6", "aud":"https:\/\/localhost:53456#testr", "iss":"https:\/\/localhost:53456", "exp":1441292091, "iat":1441292089, "jti":"c97cf800-0259-44c0-8d0e-bdb0446c9fb8"

Complete scenario

Missing parts to be implemented UCC (or secutils-cxf?) would need to have simple JWT support Commands to revoke and refresh token UCC authentication method using JWT How to cleanly implement this? In fact we have two anthn mechanisms here, Unity then JWT Currently JWT validity is only controlled in endpoint's configuration. If needed it can be enhanced in Unity so client can control the validity in an allowable range.

Summary From user perspective: single authentication to Unity Token can be copied/reused/refreshed and revoked. No or minimal Unity modifications.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information