Adding Federated Identity Management to OpenStack



Similar documents
Adding Federated Identity Management to Openstack

ABFAB and OpenStack(in the Cloud)

Cloud federation. Prelude to Hybrid Clouds. CHEP 2015 Okinawa, Japan. Marek Denis CERN Geneva, Switzerland

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Federated Identity Management

How to create a SP and a IDP which are visible across tenant space via Config files in IS

Information Security Group Active-client based identity management

Flexible Identity Federation

Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns

Getting Started with AD/LDAP SSO

The Top 5 Federated Single Sign-On Scenarios

Authentication and Single Sign On

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Federated Identity Management

Integrating Multi-Factor Authentication into Your Campus Identity Management System

S P I E Information Environments Shibboleth and Its Integration into Security Architectures. EDUCAUSE & Internet 2 Security Professionals Conference

Single Sign On. SSO & ID Management for Web and Mobile Applications

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

OpenLogin: PTA, SAML, and OAuth/OpenID

Computer Systems Security 2013/2014. Single Sign-On. Bruno Maia Pedro Borges

IGI Portal architecture and interaction with a CA- online

Cloud Computing. Chapter 5 Identity as a Service (IDaaS)

Configuring Single Sign-On from the VMware Identity Manager Service to Office 365

Authentication Methods

Entrust IdentityGuard Comprehensive

Copyright Pivotal Software Inc, of 10

Swivel Secure and the Cloud

PROVIDING SINGLE SIGN-ON TO AMAZON EC2 APPLICATIONS FROM AN ON-PREMISES WINDOWS DOMAIN

Federated Identity Management. Willem Elbers (MPI-TLA) EUDAT training

INTEGRATION GUIDE. DIGIPASS Authentication for Google Apps using IDENTIKEY Federation Server

Vidder PrecisionAccess

Copyright: WhosOnLocation Limited

Canadian Access Federation: Trust Assertion Document (TAD)

Federation At Fermilab. Al Lilianstrom National Laboratories Information Technology Summit May 2015

Add Microsoft Azure as the Federated Authenticator in WSO2 Identity Server

Authentication Integration

INTEGRATION GUIDE. DIGIPASS Authentication for SimpleSAMLphp using IDENTIKEY Federation Server

Federations 101. An Introduction to Federated Identity Management. Peter Gietz, Martin Haase

managing SSO with shared credentials

Keeping access control while moving to the cloud. Presented by Zdenek Nejedly Computing & Communications Services University of Guelph

Connected Data. Connected Data requirements for SSO

Federated Authentication and Credential Translation in the EUDAT Collaborative Data Infrastructure

Application of the PAPI authn and authz system to the TJ-II Remote Participation environment. Madrid, 21 March 2003

HP Software as a Service

INF3510 Information Security University of Oslo Spring Lecture 8 Identity and Access Management. Audun Jøsang

Identity Management: The authentic & authoritative guide for the modern enterprise

Configuring. Moodle. Chapter 82

Security APIs for My Private Cloud

How to Configure Active Directory based User Authentication

Licia Florio Project Development Officer Identity Federations in Europe

Introduction to SAML

Agenda. How to configure

HOL9449 Access Management: Secure web, mobile and cloud access

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Domain 12: Guidance for Identity & Access Management V2.1

SAML single sign-on configuration overview

UNI. UNIfied identity management. Krzysztof Benedyczak ICM, Warsaw University

Agenda. Federation using ADFS and Extensibility options. Office 365 Identity overview. Federation and Synchronization

Flexible Identity Federation

About Me. Software Architect with ShapeBlue Specialise in. 3 rd party integrations and features in CloudStack

IBM WebSphere Application Server

External and Federated Identities on the Web

Mobile Security. Policies, Standards, Frameworks, Guidelines

Software Design Document SAMLv2 IDP Proxying

OIX IDAP Alpha Project - Technical Findings

PingFederate. Windows Live Cloud Identity Connector. User Guide. Version 1.0

Introduction to Directory Services

CAS s IDP system and resources in Education Cloud

Implementing two-factor authentication: Google s experiences. Cem Paya (cemp@google.com) Information Security Team Google Inc.

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

Identity Management in Telcos. Jörg Heuer, Deutsche Telekom AG, Laboratories. Munich, April 2008

Building Secure Applications. James Tedrick

Web Based Single Sign-On and Access Control

DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture

TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION

Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications

The increasing popularity of mobile devices is rapidly changing how and where we

Zendesk SSO with Cloud Secure using MobileIron MDM Server and Okta

The saga of WebFTS and Federated Identity

Leveraging SAML for Federated Single Sign-on:

HP Software as a Service. Federated SSO Guide

Single Sign-On Implementation Guide

Perceptive Experience Single Sign-On Solutions

SAML Security Option White Paper

IBM Tivoli Federated Identity Manager V6.2.2 Implementation. Version: Demo. Page <<1/10>>

Transcription:

Adding Federated Identity Management to OpenStack David Chadwick University of Kent 3 December 2012 University of Kent 1 Some Definitions What is Identity? A whole set of attributes that in combination uniquely characterise a person hair colour, sound of their voice, height, name, qualifications, past actions, reputation etc. Attribute a property, quality or characteristic of an entity Identifier a string used to uniquely identify an entity in a domain. Often used as login id or primary key in a database. A special type of attribute since it is usually the only one on its ownthat can uniquely identify an entity in a domain. X.500/LDAP DNs, IP addresses, DNS names, URIs, key IDs, login IDs, 128 bit random numbers are all identifiers. Attribute Assertion a statement made by an authority that an entity has a particular attribute. An authority can be the entity itself or a (trusted) third party. Attribute Certificate/Authorisation Credential a cryptographically protected (usually digitally signed) attribute assertion that can be validated Attribute Authority (AA) an authoritative source for asserting attributes about entities Service Provider an entity that provides a service to clients Identity Provider an entity that provides an authentication service, and is often also an AA for a set of identity attributes of its users 3 December 2012 University of Kent 2 1

So What is Federated Identity Management? A group of organisations that set up trust relationships which allow them to send assertions about users identities between themselves, in order to grant users access to their resources A user can use his credentials (authnand authz) from one or more identity providers to gain access to other sites (service providers) within the federation The authenticating IdPwill usually provide the user with Single Sign On, but this may be transparent to the SP FIM systems typically require the following: data repositories, communications systems, provisioning systems, access management systems, cryptographic systems, trusted third parties and legal agreements 3 December 2012 University of Kent 3 How Does FIM Work? Service Provider Trust Relationship Identity Provider 3 December 2012 University of Kent 4 2

Why Do It? Makes it easier for users Less credentials to remember/manage Provides single sign on Makes it easier for system developers Don t need to develop secure credential storage or authentication mechanisms and protocols Provides much more flexibility Allows any type of authentication mechanism to be easily incorporated since it is out of scope of the federation protocol and OpenStack code Can make it more secure Users can have one set of strong credentials, so less likely to share them, forget them etc. No longer a honeypot of credentials to be stolen by attackers Makes it easier for operations/administration staff No need to register new users, replace lost or forgotten credentials, remove old users 3 December 2012 University of Kent 5 Identity Management in OpenStack Today Services are owned by tenants and users are assigned to tenants Many to many mapping tenants to services, tenants to users Keystone is the identity service which holds all the user account information (un/pw/tenants/roles) User information must be manually configured by OpenStack administrator or bulk loaded from corporate database In order to access an OpenStack service the user 1. Enters his un/pw, tenant and service request to the client 2. The client passes un/pw and tenant to Keystone 3. Keystone returns a scoped token 4. The client passes the scoped token to the service along with the service request 5. The service passes the scoped token to Keystone for validation 6. Keystone returns the users tenant and role(s) 7. The service uses the role(s) for authorisation via simple RBAC policy 3 December 2012 University of Kent 6 3

Identity Management in OpenStack 3 December 2012 University of Kent 7 Guiding Principles Keep it simple for Cloud Service Providers (CSPs) Bulk of security should be done by Keystone (user authnand attribute validation) Backwards Compatibility. Each CSP should keeps it existing tenants and roles for authzand trusts Keystone to correctly issue them to users Keystone must have trust relationships with a set of external IdPs, ASs and AAs Need Credential Validation Service for validating these. All IdP/AA issued attributes/roles must be globally identifiable User knows which cloud service he wishes to use, so this should be his first port of call User should not need to know about Keystone. CSP can dynamically change Keystone. CSP can dynamically change its role requirement policy However this is not backwards compatible with existing mechanism so will be postponed for now 3 December 2012 University of Kent 8 4

Some Challenges IdPDiscovery Problem How does OpenStackknow which IdPthe user wants to use Nascarsolution: display a set of IdPicons to user Shibboleth Where Are You From Service: lets user pick/search for his IdP Automatic selection: if SP knows, or global user IDs are used as in OpenID, EduRoam, ABFAB Decided to implement an IdP Directory Service Are thousands of IdPs/AAs and attributes but CSPs must keep their existing tenants and roles Need an Attribute Mapping Service that must be configurable in Keystone, e.g. through policies or config files What Protocol to use OpenID(Connect), SAML, Oauth etc. Decided to use a pluggable module, Request Issuing Service, so that protocol can be easily switched 3 December 2012 University of Kent 9 Attribute + Authn DB Attribute DB Authn DB FIM Components IdP AA AS AM RIS CVS Credn Validation Policy User/ Client Keystone TIS TVS Directory/ Service Catalog Cloud Service Provider 1 Cloud Service Provider 2... Cloud Service Provider n Authz (PDP) Access Control Policy 3 December 2012 University of Kent 10 Policy DB 5

Single IdP, Simple Client User 1 5 21 32 12 31 Keystone Internal Services Client CSP PDP Dir KS AM RIS CVS TIS TVS IDP 26 31 6 14 22 30 2 20 25 4 10 27 29 3 8 11 18 24 3 December 2012 University of Kent 11 7 9 12 15 16 17 23 19 28 13 Limitations Still need a way to finely differentiate users from one IdP for authorisation purposes Still need to be able to ban abusive users Both of the above are a problem if you cannot administer the IdP s user account database Solution in Grid world is to introduce VOMS Does not currently support attribute aggregation where user gets attributes from multiple IdPs/AAs Most federated identity management systems today are open to phishing attacks from evil service providers who redirect user to a clone IdP Use zero knowledge proof authn mechanism Have intelligent client that does not require redirection and can determine itself how to contact the user s IdP 3 December 2012 University of Kent 12 6

User Single IdP, Intelligent Client AtAg 0 7 11 6 13 Keystone Internal Services Client CSP PDP Dir KS AM RIS CVS TIS TVS IDP 1 2 3 5 4 10 8 14 9 11 12 15 on, as before 3 December 2012 University of Kent 13 AA using an AS, Intelligent Client Keystone Internal Services User AtAg Client CSP PDP Dir KS AM RIS CVS TIS TVS AA AS 0 1 2 3 4 6 5 7 8 9 10 12 11 13 14 18 19 16 15 17 From 15, as before 3 December 2012 University of Kent 14 7

User AtAg Keystone Internal Services Client CSP PDP Dir KS AM RIS CVS AA2 AA1 AS 1 Attribute Aggregation with a federated AS 17. Same as AA using an AS 19 23 18 21 20 24 22 25, same as step 18 in AA using an AS 3 December 2012 University of Kent 15 Acronyms AA Attribute Authority. AM Attribute Mapper AS Authentication Service. AtAg Intelligent component of the client (Attribute Aggregator) CSP Cloud Service CVS Credential Validation Service Dir Directory Service IDP Identity Provider Keystone OpenStackGateway (Currently the role played by Keystone) PDP Policy Decision Point RIS Request Issuing Service TIS Token Issuing Service TVS Token Validation Service 3 December 2012 University of Kent 16 8

Next Steps Build an Attribute Mapping Service that can be administered by each IdP administrator Incorporate a VOMS server (being done by Aerospace in the US) 3 December 2012 University of Kent 17 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information