Globus Auth. Steve Tuecke. The University of Chicago



Similar documents
Globus Research Data Management: Introduction and Service Overview

Dell One Identity Cloud Access Manager How to Develop OpenID Connect Apps

MIT Tech Talk, May 2013 Justin Richer, The MITRE Corporation

Enterprise Access Control Patterns For REST and Web APIs

Copyright Pivotal Software Inc, of 10

A Standards-based Mobile Application IdM Architecture

ACR Connect Authentication Service Developers Guide

Onegini Token server / Web API Platform

SINGLE & SAME SIGN-ON ASPECTS

OpenID Deutsche telekom. Dr. Torsten Lodderstedt, Deutsche Telekom AG

OAuth 2.0: Theory and Practice. Daniel Correia Pedro Félix

Flexible Identity Federation

Building Secure Applications. James Tedrick

How to Grow and Transform your Security Program into the Cloud

How to Extend Identity Security to Your APIs

Security and ArcGIS Web Development. Heather Gonzago and Jeremy Bartley

OAuth 2.0. Weina Ma

Identity Management with Spring Security. Dave Syer, VMware, SpringOne 2011

Egnyte Single Sign-On (SSO) Installation for OneLogin

Identity Federation: Bridging the Identity Gap. Michael Koyfman, Senior Global Security Solutions Architect

Traitware Authentication Service Integration Document

Login with Amazon. Getting Started Guide for Websites. Version 1.0

Axway API Gateway. Version 7.4.1

EHR OAuth 2.0 Security

Oracle Fusion Middleware Oracle API Gateway OAuth User Guide 11g Release 2 ( )

OAuth: Where are we going?

OpenID Connect 1.0 for Enterprise

How To Write A Blog Post On Globus

globus online Integrating with Globus Online Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

Login with Amazon. Developer Guide for Websites

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

SETTING UP YOUR JAVA DEVELOPER ENVIRONMENT

OAuth 2.0 Developers Guide. Ping Identity, Inc th Street, Suite 100, Denver, CO

PRACTICAL IDENTITY AND ACCESS MANAGEMENT FOR CLOUD - A PRIMER ON THREE COMMON ADOPTION PATTERNS FOR CLOUD SECURITY

Fairsail REST API: Guide for Developers

HOL9449 Access Management: Secure web, mobile and cloud access

OpenID Single Sign On and OAuth Data Access for Google Apps. Ryan Dave Primmer May 2010

OpenLogin: PTA, SAML, and OAuth/OpenID

Agenda. How to configure

Assignment # 1 (Cloud Computing Security)

Blending Embedded Hardware OTP, SSO, and Out of Band Auth for Secure Cloud Access

Comparative analysis - Web-based Identity Management Systems

Enabling SSO for native applications

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

Identity Implementation Guide

WHITEPAPER. NAPPS: A Game-Changer for Mobile Single Sign-On (SSO)

Web 2.0 Lecture 9: OAuth and OpenID

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES

IBM WebSphere Application Server

Single Sign On. SSO & ID Management for Web and Mobile Applications

WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS

Mobile Security. Policies, Standards, Frameworks, Guidelines

Authenticate and authorize API with Apigility. by Enrico Zimuel Software Engineer Apigility and ZF2 Team

Cloud Powered Mobile Apps with Azure

OneLogin Integration User Guide

Contents. 2 Alfresco API Version 1.0

Extend and Enhance AD FS

Administering Jive Mobile Apps

OAuth Guide Release 6.0

An Overview of Samsung KNOX Active Directory and Group Policy Features

Globus Research Data Management: Endpoint Configuration and Deployment. Steve Tuecke Vas Vasiliadis

Flexible Identity Federation

The Role of Identity Enabled Web Services in Cloud Computing

Single-Sign-On between On-Premises and the Cloud: Leveraging Windows Azure Active Directory to authenticate custom solutions and Apps

Mashery OAuth 2.0 Implementation Guide

Audience Profile This course is intended for any developer that is tasked with creating applications that interface with O365.

SECURITY AND REGULATORY COMPLIANCE OVERVIEW

BYOD How-To Guide. How do I securely deliver my company s applications and data to BYOD?

Using ArcGIS with OAuth 2.0. Aaron CTO, Esri R&D Center Portland

Authentication Methods

managing SSO with shared credentials

Samsung KNOX EMM Authentication Services. SDK Quick Start Guide

Federated single sign-on (SSO) and identity management. Secure mobile access. Social identity integration. Automated user provisioning.

SAML and OAUTH comparison

UMA in Health Care: Providing Patient Control or Creating Chaos?

AAI for Mobile Apps How mobile Apps can use SAML Authentication and Attributes. Lukas Hämmerle

Using SAML for Single Sign-On in the SOA Software Platform

An Overview of Samsung KNOX Active Directory-based Single Sign-On

SAP NetWeaver Fiori. For more information, see "Creating and enabling a trusted provider for Centrify" on page

IBM Tivoli Federated Identity Manager

How To Use Salesforce Identity Features

Centrify Mobile Authentication Services

Axway API Portal. Putting APIs first for your developer ecosystem

OAuth 2.0 andinternet Standard. Torsten Lodderstedt Deutsche Telekom AG

SAP HANA Cloud Platform Security Tutorial Securing your Web API with OAuth 2.0

My Stuff Everywhere Your Content On Any Screen

The Top 5 Federated Single Sign-On Scenarios

Android In The Cloud: A New PaaS Computing Platform

Remote Access End User Reference Guide for SHC Portal Access

Glinda Cummings World Wide Tivoli Security Product Manager

The increasing popularity of mobile devices is rapidly changing how and where we

Configuration Guide. BES12 Cloud

Transcription:

Globus Auth Enabling an extensible, integrated ecosystem of services and applications for the research and education community. Steve Tuecke The University of Chicago

Cloud has transformed how platforms and software are delivered Software as a service: SaaS (web & mobile apps) Platform as a service: PaaS Infrastructure as a service: IaaS PaaS enables more rapid, cheap, and scalable delivery of powerful apps as SaaS 2

Globus and XSEDE adopted Globus SaaS early Much usage of Transfer and Sharing 3

4

Instrument 1 Researcher initiates transfer request; or requested automatically by script, science gateway Globus SaaS: Research data lifecycle Globus transfers files reliably, securely 2 Transfer Only a Web browser required Use storage system of your choice Access using your campus credentials Compute Facility 3 Share Researcher selects files to share, selects user or group, and sets access permissions Collaborator logs in to Globus and accesses shared files; no local account required; download via Globus 5 Personal Computer 4 Globus controls access to shared files on existing storage; no need to move files to cloud storage! 6 Researcher assembles data set; describes it using metadata (Dublin core and domainspecific) Publish 6 7 Curator reviews and approves; data set published on campus or other system Peers, collaborators search and discover datasets; transfer and share using Globus Discover Publication Repository 8 5

Globus by the numbers 4 major services 135 PB transferred 20 billion files processed 31,000 registered users 13 national labs use Globus 10,000 active endpoints ~400 active daily users 99.9% uptime 35+ institutional subscribers 1 PB largest single transfer to date 3 months longest continuously managed transfer 130 federated campus identities

No Globus usernames required! (coming tomorrow) Globus users no longer require a Globus username & password Old Globus usernames moved to separate, optional Globus ID identity provider Any identity recognized by Globus is now sufficient to access Globus Globus Account is a primary identity plus a set of linked identities Verified email address can be a linked identity 7

Demo Using Globus with any identity Sharing with any identity 8

Globus and XSEDE adopted Globus SaaS early Much usage of Transfer and Sharing XSEDE now adopting Globus PaaS as the XSEDE platform à Any science gateway can now integrate trivially with XSEDE services, including Globus transfer 9

A science CI platform can spur creation of a science CI ecosystem Software as a service: SaaS (web and mobile apps) Platform as a service: PaaS Infrastructure as a service: IaaS In so doing, we can slash costs, improve quality, and accelerate discovery across the sciences 10

A science CI platform can spur creation of a science CI ecosystem Software as a service: SaaS (web and mobile apps) Platform as a service: PaaS 2010-2014- Infrastructure as a service: IaaS In so doing, we can slash costs, improve quality, and accelerate discovery across the sciences 11

Globus PaaS: Ecosystem enabler Globus APIs Data Publication & Discovery File Sharing File Transfer & Replication Globus Connect Auth & Groups Globus Toolkit 12

Globus PaaS at NCAR Research Data Archive at NCAR Integrate Globus for data downloads Shared endpoint with subfolder per request Single sign on via streamlined account provisioning

Globus Auth Foundational identity and access management (IAM) platform service Brokers authentication and authorization interactions between: end-users identity providers: XSEDE, InCommon, web apps resource servers: services with REST APIs clients: web, mobile, desktop, command line apps resource servers acting as clients to other resource servers 14

Based on widely used web standards OAuth 2.0 Authorization Framework aka OAuth2 OpenID Connect Core 1.0 aka OIDC Allows use of standard OAuth2 and OIDC libraries E.g., Google OAuth Client Libraries (Java, Python, etc.), Apache mod_auth_openidc 15

Globus Auth is authorization server Resource Owner Client HTTPS/REST call Resource Server Authorization Server (Globus Auth) Identity Identity Identity 16

Globus Auth is authorization server Resource Owner Client HTTPS/REST call Resource Server (1) Authenticates a resource owner Authorization Server (Globus Auth) Identity Identity Identity Using existing identities: XSEDE, University (via InCommon), Google, web app, etc. User can link multiple identities into a single Globus Account No Globus username & password (Globus ID) required Globus Auth handles naming details (e.g., eppn vs eptid) 17

Globus Auth is authorization server Resource Owner Client consent HTTPS/REST call Resource Server (1) Authenticates a resource owner (2) Obtains authorization (consent) for a client to access a resource Authorization Server (Globus Auth) Resource is provided by a resource server Limited by a scope Identity Identity Identity 18

Globus Auth is authorization server Resource Owner Client access token HTTPS/REST call Resource Server (1) Authenticates a resource owner (2) Obtains authorization (consent) for a client to access a resource (3) Issues OAuth2 access token to client Authorization Server (Globus Auth) Access token is opaque to client May include a refresh token, for offline access Identity Identity Identity 19

Globus Auth is authorization server Resource Owner Client id_token HTTPS/REST call Resource Server (1) Authenticates a resource owner (2) Obtains authorization (consent) for a client to access a resource (3) Issues OAuth2 access_token to client (4) May issue OIDC id_token to client with resource owner identity Authorization Server (Globus Auth) Identity Identity Identity JWT id_token: sub: Globus Auth identity id iss: https://auth.globus.org name: full name preferred_username: e.g., tuecke@uchicago.edu email: email contact other standard OIDC claims 20

Globus Auth is authorization server Resource Owner Client HTTPS/REST call Authorization: Bearer <access_token> Resource Server (1) Authenticates a resource owner (2) Obtains authorization (consent) for a client to access a resource (3) Issues OAuth2 access_token to client (4) May issue OIDC id_token to client with resource owner identity (5) HTTPS/REST call with access_token Authorization Server (Globus Auth) Identity Identity Identity 21

Globus Auth is authorization server Resource Owner Client HTTPS/REST call Resource Server access_token (1) Authenticates a resource owner (2) Obtains authorization (consent) for a client to access a resource (3) Issues OAuth2 access_token to client (4) May issue OIDC id_token to client with resource owner identity (5) HTTPS/REST call with access_token (6) Validates access_token for resource server, and gets additional information Authorization Server (Globus Auth) Identity Identity Identity RFC 7662: OAuth 2.0 Token Introspection response: active: true or false client_id scope sub: Globus Auth identity id username: user@example.com identity_set: linked identities email name other standard claims 22

Globus Auth is authorization server Resource Owner Client (1) Authenticates a resource owner (2) Obtains authorization (consent) for a client to access a resource (3) Issues OAuth2 access_token to client (4) May issue OIDC id_token to client with resource owner identity (5) HTTPS/REST call with access_token (6) Validates access_token for resource server, and gets additional information (7) Issues dependent access tokens to resource server HTTPS/REST call Authorization Server (Globus Auth) Identity Identity Identity Resource Server Dependent Resource Servers Allows resource server to act as client to other resource servers 23

Simple web app server login

Simple web app server login Web App Server (Client) id_token Browser Globus Auth Identity Identity Identity OAuth2 Authorization Code Grant with Globus Auth With OIDC scopes: openid email profile User logs into Globus account using their favorite identity provider Globus Auth returns OIDC id_token to the web server With identity sub (unique id), name, preferred_username, email Client policy can require identity from a particular identity provider 25

Login + Globus Auth REST API Web App Server (Client) (1) id_token, access token (2) REST calls w/ access_token Browser Globus Auth Identity Identity Identity OAuth2 Authorization Code Grant with Globus Auth With OIDC scopes: openid email profile And scope: urn:globus:auth:scope:auth.globus.org:view_identies Globus Auth returns OAuth2 access token to Web App Server (OAuth2 client) for use with Globus Auth REST API Web App Server calls Globus Auth REST API with access token Authorization: Bearer <access_token> Get identity information, including full set of linked identities 26

Browser-based web app login 27

Browser-based web app login Web App Server Browser JS Web App (Client) id_token Globus Auth OAuth2 Implicit Grant With OIDC scopes: openid email profile Identity Identity Identity Globus Auth returns OIDC id_token to the browser-based Javascript client With identity sub (unique id), name, preferred_username, email Client policy can require identity from a particular identity provider 28

Globus transfer integration Browser Web App Server (Client) (1) id_token, access token (2) access_token Globus Transfer (3) Verify access token Globus Auth OAuth2 Authorization Code Grant with Globus Auth Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all Globus Auth returns OAuth2 access token to Web App Server (OAuth2 client) for use with Globus Transfer REST API Web App Server (OAuth2 client) calls Globus Transfer REST API Authorization: Bearer <access_token> 29

Using existing web app identities Web App Server (Client) Browser id_token, access token Globus Auth Globus Transfer Web App Id Provider Identity Identity (OpenIDConnect) Web App Server does OAuth2 Authorization Code Grant with Globus Auth Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all Globus Auth does OIDC login with Web App Identity Provider Results in Web App Server having: User login information from own Web App Id Provider Access token(s) that it can use with REST APIs for Globus Transfer, XSEDE, etc. SSO to your web app and Globus using only your web app identities! 30

Research data portal 31

Research data portal Globus Auth Browser Portal Web Server (Client) Globus Transfer User s Endpoint Portal Endpoint Science DMZ XSEDE Endpoint Move portal storage into Science DMZ, with Globus endpoint High performance, managed storage Leave Portal Web server behind firewall Globus handles the data heavy lifting 32

HTTPS to endpoints (coming soon) Globus Auth Browser Portal Web Server (Client) Globus Transfer HTTPS to Globus Endpoint Portal Endpoint Science DMZ Globus Connect Server will soon allow HTTPS access to endpoint storage Your web application can directly link to files on the Portal Endpoint Globus Auth and Transfer mediated security Restrict HTTPS access to files by particular users and groups 33

Globus Web App Integration 34

Globus Web App integration Web App Server (Client) (2) access_token 1 Globus Transfer Browser (1) id_token, access token 1 Globus Auth (5) access token 2 (3) Redirect (4) id_token, access token 2 Globus Web App OAuth2 Authorization Code Grant with Globus Auth Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all Globus Auth returns OIDC id_token & OAuth2 access token to client Web App Server can redirect browser to Globus Web App pages Globus Web App can be skinned to look like Web App Server Globus Web App provides special pages for selecting files and selecting a group Globus Auth provides single sign-on across multiple apps 35

Other resource servers 36

XSEDE services integration Browser Web App Server (Client) (1) id_token, access tokens Globus Auth (2) access_token 1 Globus Transfer (3) access_token 2 XSEDE services Globus Web App OAuth2 Authorization Code Grant with Globus Auth Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all urn:globus:auth:scope:api.xsede.org:all Globus Auth returns OIDC id_token & OAuth2 access tokens to client Globus Auth returns different access tokens for different resource servers Web App Server calls each resource server with appropriate access token 37

Add your own resource servers Web App Server (Client) Globus Transfer Browser (1) id_token, access tokens Globus Auth (3) Verify access_token 3 XSEDE services (2) access_token 3 Globus Web App Your service OAuth2 Authorization Code Grant with Globus Auth Scopes: openid email profile urn:globus:auth:scope:transfer.api.globus.org:all urn:globus:auth:scope:api.xsede.org:all urn:globus:auth:scope:api.example.com:all Globus Auth returns OIDC id_token & OAuth2 access tokens to client Resource Server must register with Globus Auth Resource server policy can require identity from a particular identity provider 38

Both client and resource server Browser Web App Server (Client & Resource Server) (2) REST calls w/ access_token (3) Verify access_token Another Client (1) Get access_token Globus Auth Web App Server can be both a client and a resource server Another Client can use any OAuth2 grant with Globus Auth to get access_token for your Web App Server Scope: urn:globus:auth:scope:api.example.com:all 39

Dependent resource servers Web App Server (Client) Globus Transfer Browser (1) id_token, access tokens (2) access_token 3 (4) Dependent access_token 4 Globus Auth (3) Get dependent access tokens for access_token 3 Resource Server OAuth2 Dependent Token Grant with Globus Auth Scopes: openid email profile urn:globus:auth:scope:api.example.com:all Resource Server registers its Globus Transfer dependency with Globus Auth Resource Server uses request access token to get dependent access tokens Resource Server uses dependent access token to call Globus Transfer 40

Mobile applications Globus Auth will be adding support for mobile apps Log in with Globus in mobile apps o RFC 7636: Extension to OAuth2 to allow OAuth2 Authorization Code Grant to work from mobile apps Mobile apps can call any resource server REST APIs that use Globus Auth ios and Android 41

An extensible platform for CI Apps Domain-independent and domain-specific services AWS, Google, Azure services Foundation services: Globus Auth, Groups, etc. Globus provides foundation and other services Community can extend to meet domain-specific and domain-independent needs 42

Come to Chicago in April to learn more!

Summary Globus no longer requires a Globus username and password Globus Auth makes it easy to: add user login to your web app integrate with Globus, XSEDE, and other services add OAuth2 support to your service s REST API create services to leverage other services 44

Together we can create an integrated ecosystem of services and applications for the research and education community 45

Thank you to our sponsors! U. S. DEPARTMENT OF ENERGY 46