Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure



Similar documents
Single Sign On for UNICORE command line clients

Certificates in a Nutshell. Jens Jensen, STFC Leader of EUDAT AAI TF

UNI. UNIfied identity management. Krzysztof Benedyczak ICM, Warsaw University

Federated Identity Management for the EUDAT Data e-infrastructure

Federated Identity Management Interest Group

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

OPENIAM ACCESS MANAGER. Web Access Management made Easy

Extend and Enhance AD FS

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

HOL9449 Access Management: Secure web, mobile and cloud access

SAML and OAUTH comparison

TrustedX: eidas Platform

IGI Portal architecture and interaction with a CA- online

Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

How To Build An Open Source Data Infrastructure

Adding Federated Identity Management to OpenStack

Agenda. How to configure

Flexible Identity Federation

How To Manage Identity On A Cloud (Cloud) With A User Id And A Password (Saas)

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

OpenAM All-In-One solution to securely manage access to digital enterprise and customer services, anytime and anywhere.

EUDAT. Towards a pan-european Collaborative Data Infrastructure. Willem Elbers

Integrating Multi-Factor Authentication into Your Campus Identity Management System

Logout in Single Sign-on Systems

HP Software as a Service

The Role of Identity Enabled Web Services in Cloud Computing

Shibboleth Identity Provider (IdP) Sebastian Rieger

Building blocks for establishing federation with organizations like ESA

LinuxCon North America

Introduction to SAML

A Standards-based Mobile Application IdM Architecture

The Primer: Nuts and Bolts of Federated Identity Management

Globus Auth. Steve Tuecke. The University of Chicago

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

GRIP:Creating Interoperability between Grids

Single Sign On. SSO & ID Management for Web and Mobile Applications

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

ABFAB and OpenStack(in the Cloud)

API Architecture. for the Data Interoperability at OSU initiative

Introducing Shibboleth

IVOA Single-Sign-On Profile: Authentication Mechanisms Version 2.0

Federated Identity Management for Research Communities (FIM4R)

Licia Florio Project Development Officer Identity Federations in Europe

HP Software as a Service. Federated SSO Guide

Securing WebFOCUS A Primer. Bob Hoffman Information Builders

Cloud federation. Prelude to Hybrid Clouds. CHEP 2015 Okinawa, Japan. Marek Denis CERN Geneva, Switzerland

OpenLogin: PTA, SAML, and OAuth/OpenID

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

Identity, Privacy, and Data Protection in the Cloud XACML. David Brossard Product Manager, Axiomatics

Shibboleth N-Tier Support. Chad La Joie

The Challenges of Web single sign-on

Axway API Gateway. Version 7.4.1

Mobile Identity and Edge Security Forum Sentry Security Gateway. Jason Macy CTO, Forum Systems

Building Secure Applications. James Tedrick

THE NEW DIGITAL EXPERIENCE

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

Federated Identity Management

Identity. Provide. ...to Office 365 & Beyond

Adding Federated Identity Management to Openstack

DocuSign Single Sign On Implementation Guide Published: March 17, 2016

Three Case Studies in Access Management

Integrating Apex into Federated Environment using SAML 2.0. Jon Tupman Portalsoft Solutions Ltd

The Role of Federation in Identity Management

Shibboleth Configuration in Tübingen

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

The increasing popularity of mobile devices is rapidly changing how and where we

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

CAS s IDP system and resources in Education Cloud

Session Code*: 0310 Demystifying Authentication and SSO Options in Business Intelligence. Greg Wcislo

Identity and Access Management for Federated Resource Sharing: Shibboleth Stories

The Future of Cloud Identity Security. Michael Schwartz Founder / CEO Gluu

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

THE NEW DIGITAL EXPERIENCE

Federated AAA middleware and the QUT SSO environment

CLAIMS-BASED IDENTITY FOR WINDOWS

Transcription:

Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure Ahmed Shiraz Memon (JSC - DE) Jens Jensen (STFC escience - UK) Ales Cernivec (XLAB - SL) Krzysztof Benedyczak (ICM - PL) Morris Riedel (HI - IS) Cloud Federation Management Workshop, Dec. 8th, 2014

Outline Background Motivation & Goals Components of the AAI Authentication Architecture Service Interaction Data Staging Use case Conclusion UCC/CFM 2014, 8th Dec., London 2

Background: The EUDAT Project EC funded FP7 Project Scientific User Communities: VPH, ENES, EPOS, CLARIN, LifeWatch Aims at providing the Data e-infrastructure Services: Safe Replication, Dynamic replication, Research Data Store, PID, Data Sharing, AAI Internal Services: Wiki, JIRA, SCM, Portal, etc UCC/CFM 2014, 8th Dec., London 3

Motivation User communities have their own established Federated Identity Management Systems Multiple authentication protocols (SAML, X.509, OpenID Connect, LDAP) Registration of User required at each service - lead to maintenance overhead, attributes management, synchronization, etc UCC/CFM 2014, 8th Dec., London 4

Goals Intuitive authentication method (SSO, Username-Password) Support for interactive (e.g. User-Service) and automated (e.g. Service-Service) authentication Support for Browser and non-browser clients Delegated access of host and Web portal to data services Translation between authentication tokens Harmonisation of attributes from multiple attribute providers UCC/CFM 2014, 8th Dec., London 5

Main Components of AAI Unity OAuth 2.0 Authorisation Server Online CA (SLCS) Web Portal / Certificate Client Identity Provider B2-<*> Services UCC/CFM 2014, 8th Dec., London 6

Unity Complete Authentication and Identity Management solution Manage users, users attributes, and group membership Support multiple authentication protocols: X.509, OpenID-Connect (OIDC), SAML 2.0 (SOAP and WebSSO) Proxy IdP Pattern: simultaneous roles in AuthN flow i.e. SAML SP and SAML/OIDC IdP at the same time Advanced support for designing user registration forms Translation profiles Developed at ICM / University of Warsaw Increasing take-up: HBP, LSDMA, EUDAT, PL-Grid UCC/CFM 2014, 8th Dec., London 7

Contrail OAuth 2.0 Framework Developed within FP7 Contrail Project A reference implementation of OAuth 2.0 Framework Authentication of users (Resource Owners) is based on SAML WebSSO, thus exposed as SAML Service Provide Supported Grant types: Authorization Code and Client Credentials Provision to manage tokens, clients, and users UCC/CFM 2014, 8th Dec., London 8

Contrail Online CA Issues short-lived X.509 credentials to the portals (on user s behalf) An OAuth 2.0 Resource Server X.509 Credentials are useful for authentication as well as authorisation How? Embeds user s attributes inside the certificate extensions Querys the user attributes from Unity via its SOAP query interface UCC/CFM 2014, 8th Dec., London 9

Other components Community Web Portal / Certificate Client A gateway to the EUDAT federation An OAuth client Asks for user consent, generate CSR, and post it to the online CA Use certificate wher/n-ever necessary to perform operations on user s behalf, e.g. GridFTP transfers Identity and/or Attribute Providers Resides at home institutes Authenticates users Provides attributes to trusted SAML SPs B2-<*> Services Data management services offered to the scientific user communities UCC/CFM 2014, 8th Dec., London 10

Unity <<SAML IdP>> <<SAML SP>> Authenticate User <<SAML SP>> AAI Architecture Authenticate User SAML OAuth REST <<SAML IdP>> Identity Provider B2SHARE B2SAFE Query Attributes OAuth2 AS Request Access token Online CA <<OAuth Authorisation Server>> Validate Access token <<OAuth Resource Server>> Request X.509 Cert. <<OAuth Client>> Community Portal/Cerificate Client Create, Share, Stage, Find Data B2FIND B2STAGE UCC/CFM 2014, 8th Dec., London 11

Authentication Flow UCC/CFM 2014, 8th Dec., London 12

Credential Translation Flow UCC/CFM 2014, 8th Dec., London 13

Use case: Data Staging with Federated Identities Goal: Moving data between EUDAT and PRACE infrastructures using Federated Identities Different authentication protocols EUDAT: Username/Password PRACE: X.509 Options PRACE trusts EUDAT online CA and map/link DNs PRACE issues new credentials to the EUDAT users and DCAU to establish an authentication session between the endpoints + establish a trust relationship Not relying on the user credentials; instead an automated client that has a robot certificate and performs the transfer UCC/CFM 2014, 8th Dec., London 14

AAI as a Framework Powerful framework sufficiently enough to address EUDAT Communities requirements and based on loosely coupled components that can be replaced and used independently Technically interoperable while adopting standards Also, a need to understand semantic interoperability, i.e. different understanding of attributes and policies harmonisation EUDAT carefully follows FIM4R (RDA FIM) and edugain to understand the implementation of policies Address federated authorisation challenges UCC/CFM 2014, 8th Dec., London 15

Conclusion Federated AAI evolved from Contrail and Unity projects Combined diverse technologies: SAML, OpenID, OpenID-Connect (OAuth) and X.509, to address integration requirements It offers both Web and command line authentication Supports delegation Coarse grained via OAuth Fine grained with SAML push attributes Learn from other e-infrastructure projects (e.g. XSEDE, HBP, ESFRIs) UCC/CFM 2014, 8th Dec., London 16

Thanks!!! Questions??? UCC/CFM 2014, 8th Dec., London 17

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information