CERN IT Department, CH-1211 Genève 23, Switzerland, www.cern.ch/it
Single Sign On, Identity and Access Management at CERN
Alex Lossent, Emmanuel Ormancey, Alberto Pace (CERN IT/IS)


1 Single Sign On, Identity and Access Management at CERN
Alex Lossent, Emmanuel Ormancey, Alberto Pace, CERN IT/IS

2 Agenda
- History and current situation
- Identity and Access Management concepts
- CERN authentication
  - Web Single-Sign-On system
  - Non-web applications
- Links

3 History
A few years ago, a user had to type in:
- Credentials to open a Windows session
- Credentials to open a Linux session
- Credentials to read mail
- Credentials to manage holidays
- Credentials to upload a presentation in Indico
- …
All with different user names and passwords:
- Different databases of users
- Each application had its own authentication and authorization mechanisms

4 Now
In 2007, the situation is better:
- 2 pairs of login/password: AFS + Windows
But…
- Some experiments/applications still have their own databases of users and credentials
- …sometimes stealing passwords to synchronize them with a private user database
- Problem of data synchronization between databases of users
The situation is not yet optimal.

5 What do we want? Central Identity and Access Management
Identity Management
- Information about persons, and processes to manage this information
- Ability to identify a person
Access Management
- Information about who is allowed to do what on a resource
- Possible restrictions on when/where/how

6 IAM Architecture: the AAA rule
Three independent components:
Authentication
- Identification of the person who is trying to connect
- Several methods (username + password, certificate, smartcard + PIN code, biometry, …)
Authorization
- Verification that the connected user has the permission to access a given resource
- Best practice: "Role-Based Access Control"
  - grant permissions to groups instead of persons (role creation)
  - manage authorization with group membership (role assignment)
Accounting
- Traceability of all changes and transactions
- Rollback

7 Benefits of central IAM
Simplify!
- One user database
- One login/password pair to remember, plus support for alternate authentication methods (certificates…)
- Use roles to control access to services
  - No more: creating/blocking/deleting separate accounts for Windows/Mail/Indico
  - But: allow/disallow access to Windows/Mail/Indico
Centralize
- Provide global Group/Role membership (RBAC)
- Support External accounts (lightweight registration)
Improve security
- Block all accesses to applications in one click
- Use permissions and delegation instead of sharing credentials
- Complexity does not increase security!!!

8 Components
CERN authentication (deployed)
- A central authentication system
- Single account, single password for all services (more and more joining in)
- Single-sign-on between web applications
- Support for certificates/smartcards
Central group management system
- Used for role assignment
- "Automatic" (based on queries in HR databases) or "manual" groups
- Currently: Simba mailing lists (limited)
- To be replaced with eGroups

9 The direction (diagram)
- Identity Management, made by CERN Administration: HR Database → Account Database; unique account, unique set of groups/roles (for all services); global E-Group management
- Resource owner and Service manager give authorization using: accounts; E-groups based on HR data or custom
- Computing Services at CERN: Mail, Web, Windows, Unix, EDMS, Administration, Indico, Document Server, Remedy, Oracle, …
- Flow: Authentication → Authorization (role membership) → Access granted; the authenticated and authorized end-user receives services

10 Single-Sign-On for web apps
Goal:
- Enable web apps to easily use CERN authentication and central groups
Support different authentication methods
- Classic forms (login and password)
- Certificates (CERN CA, Grid certificates, smartcards)
- Windows Integrated
Provide support for External Accounts
- An application can authenticate non-CERN users
- A single External Account for all apps

11 Single-Sign-On for web apps
Web application receives user information
- Name, email, building, etc. from the central user database
- Group/mailing list membership is available
- The application takes authorization decisions based on group membership
Authentication is independent
- All web applications use the same login page: https://login.cern.ch
- Does not re-ask credentials if the user is already authenticated on another application
- A Linux web application can use Windows Integrated authentication
- Authentication with certificate comes for free!
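The authorization pattern from the AAA slide and from this one (permissions granted to groups, role assignment through group membership, every decision traceable, a centrally blocked account losing access everywhere) as an added example; this is not CERN's code, and the group names, resources, nesting and users are constructed. It also goes slightly beyond the slides by resolving nested groups, which the e-group model implies but the text does not spell out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Identity:
    """What the application receives from the SSO layer: who, and which groups."""
    username: str
    groups: frozenset          # groups asserted by the central system (claims)
    blocked: bool = False      # account disabled centrally ("block in one click")


# Role creation: permissions are granted to groups, never to individual persons.
# Group names, resources and actions are hypothetical.
ROLE_PERMISSIONS = {
    "indico-admins": {("indico", "upload"), ("indico", "manage")},
    "indico-users": {("indico", "upload")},
    "it-dep-members": {("wiki", "read")},
}

# Group nesting (hypothetical): members of a child group are also members of the parent.
GROUP_CHILDREN = {
    "indico-users": {"it-dep-members"},
    "it-dep-members": {"it-is-section"},
}

# Accounting: every decision is recorded so that it can be traced later.
AUDIT_LOG = []


def _parent_index(children):
    """Invert parent->children into child->parents for upward traversal."""
    parents = {}
    for parent, kids in children.items():
        for kid in kids:
            parents.setdefault(kid, set()).add(parent)
    return parents


def effective_groups(direct, children=GROUP_CHILDREN):
    """Transitive closure of group membership; tolerates cycles in the group graph."""
    parents = _parent_index(children)
    seen, todo = set(), list(direct)
    while todo:
        group = todo.pop()
        if group in seen:
            continue
        seen.add(group)
        todo.extend(parents.get(group, ()))
    return frozenset(seen)


def authorize(identity, resource, action, role_permissions=ROLE_PERMISSIONS):
    """Deny by default; allow only if some effective group holds (resource, action)."""
    if identity.blocked:
        decision, reason = False, "account blocked centrally"
    else:
        granting = sorted(g for g in effective_groups(identity.groups)
                          if (resource, action) in role_permissions.get(g, ()))
        decision = bool(granting)
        reason = ("granted via " + ", ".join(granting)) if granting else "no role grants it"
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": identity.username, "resource": resource, "action": action,
        "decision": "allow" if decision else "deny", "reason": reason,
    })
    return decision


if __name__ == "__main__":
    # Constructed identities: alice is only in a section group, bob is an Indico admin,
    # carol has the admin role but her account has been blocked centrally.
    alice = Identity("alice", frozenset({"it-is-section"}))
    bob = Identity("bob", frozenset({"indico-admins"}))
    carol = Identity("carol", frozenset({"indico-admins"}), blocked=True)
    for who, res, act in [(alice, "indico", "upload"), (alice, "indico", "manage"),
                          (bob, "indico", "manage"), (carol, "indico", "manage")]:
        authorize(who, res, act)
    for entry in AUDIT_LOG:
        print(entry)
```

The application never looks up a person's permissions directly: it asks which groups the person is effectively in and which of those groups hold the permission, so revoking access means changing a group membership or blocking the account, not touching the application.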

12 CERN Authentication Overview (diagram)

13 Technical background: overview (diagram)
- Identity Provider: Microsoft ADFS
- Service Provider, Windows + IIS: Microsoft ADFS or Shibboleth SP
- Service Provider, Linux or Unix + Apache: Shibboleth SP

14 Technical background: Identity Provider
- Checks identity, supports various authentication methods
- Loads and shares user information: "Claims"
- Microsoft ADFS based
  - Active Directory Federation Services
  - Credentials are checked in Active Directory
  - WS-Federation Passive Requester Profile (WS-F PRP) compliant
- Hosted on load-balanced servers, in critical UPS area
  - Minimize downtime: authentication is critical!

15 Technical background: Service Providers
SSO 'clients'
- Allow a web application to use SSO 'identities'
- IIS module, Apache module, or application module (e.g. Java)
Windows-hosted websites
- IIS (Internet Information Services) module comes with Windows 2003 R2
Linux/Apache-hosted websites
- Shibboleth Apache module, open source project (Internet2)
IIS or Apache modules replace the basic authentication modules
- Transparent for the application
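To make the identity-provider/service-provider split of slides 13 to 15 concrete, here is an added toy model of a WS-Federation passive sign-in (the profile slide 14 names), showing why a second application does not re-ask for credentials and which checks the relying party must make on the token it receives. This is not CERN's, Microsoft's or Shibboleth's code: the parameter names wa, wtrealm, wctx and wresult are the real WS-Federation ones, but the token is a simplified HMAC-signed string shared between the two sides instead of a SAML assertion signed with the IdP's certificate, and the URLs, realms, users and key are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

IDP_SIGNIN_URL = "https://login.example.org/adfs/ls/"   # constructed, not the CERN IdP


def _b64(data):
    return base64.urlsafe_b64encode(data).decode()


def issue_token(key, subject, audience, claims, issued_at, lifetime=300):
    """Stand-in for the signed assertion carried in wresult (HMAC is a simplification)."""
    payload = json.dumps({"sub": subject, "aud": audience, "exp": issued_at + lifetime,
                          "claims": claims}, sort_keys=True).encode()
    return _b64(payload) + "." + hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify_token(token, key, expected_audience, now):
    """Relying-party checks: signature, audience (must equal its own wtrealm), expiry."""
    payload_b64, sig = token.split(".", 1)
    payload = base64.urlsafe_b64decode(payload_b64)
    if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).hexdigest(), sig):
        raise ValueError("bad signature")
    data = json.loads(payload)
    if data["aud"] != expected_audience:
        raise ValueError("token issued for another realm")
    if data["exp"] <= now:
        raise ValueError("token expired")
    return data


class IdentityProvider:
    def __init__(self, key, trusted_realms, users):
        self.key, self.trusted_realms, self.users = key, set(trusted_realms), users
        self.sso_sessions = {}       # SSO cookie -> username (the "already authenticated" state)
        self.credential_prompts = 0  # how often the login form was needed

    def signin(self, redirect_url, now, sso_cookie=None, credentials=None):
        q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
        # Only issue tokens for sign-in requests from registered relying parties.
        if q.get("wa") != "wsignin1.0" or q.get("wtrealm") not in self.trusted_realms:
            raise ValueError("rejected sign-in request")
        user = self.sso_sessions.get(sso_cookie)
        if user is None:
            self.credential_prompts += 1
            if credentials is None:
                raise PermissionError("login required")
            username, password = credentials
            if self.users.get(username, {}).get("password") != password:
                raise PermissionError("invalid credentials")
            user, sso_cookie = username, secrets.token_hex(16)
            self.sso_sessions[sso_cookie] = user
        token = issue_token(self.key, user, q["wtrealm"], self.users[user]["claims"], now)
        # The IdP posts wresult (the token) and echoes wctx (the SP's own state) back.
        return {"wa": "wsignin1.0", "wresult": token, "wctx": q.get("wctx", "")}, sso_cookie


class ServiceProvider:
    def __init__(self, realm, idp_key):
        self.realm, self.idp_key = realm, idp_key

    def signin_redirect(self, return_path):
        """Redirect the unauthenticated browser to the IdP, keeping our state in wctx."""
        return IDP_SIGNIN_URL + "?" + urlencode(
            {"wa": "wsignin1.0", "wtrealm": self.realm, "wctx": return_path})

    def consume(self, response, now):
        data = verify_token(response["wresult"], self.idp_key, self.realm, now)
        return data["sub"], data["claims"], response["wctx"]


def run_scenario():
    key = secrets.token_bytes(32)                       # constructed shared key
    users = {"alice": {"password": "constructed-pw",
                       "claims": {"email": "alice@example.org", "groups": ["it-dep-members"]}}}
    indico = ServiceProvider("https://indico.example.org/", key)
    wiki = ServiceProvider("https://wiki.example.org/", key)
    idp = IdentityProvider(key, [indico.realm, wiki.realm], users)
    now = 1_000_000
    # First application: no SSO session yet, so the IdP needs credentials.
    resp, cookie = idp.signin(indico.signin_redirect("/event/42"), now,
                              credentials=("alice", "constructed-pw"))
    user1, _, ctx1 = indico.consume(resp, now)
    # Second application, same browser: the SSO cookie alone is enough.
    resp2, _ = idp.signin(wiki.signin_redirect("/Main"), now + 10, sso_cookie=cookie)
    user2, claims2, ctx2 = wiki.consume(resp2, now + 10)
    # A token for one realm must not be accepted by another, nor after expiry.
    rejected = []
    for sp, r, t in ((wiki, resp, now), (indico, resp, now + 3600)):
        try:
            sp.consume(r, t)
            rejected.append(False)
        except ValueError:
            rejected.append(True)
    return {"prompts": idp.credential_prompts, "users": (user1, user2),
            "return_paths": (ctx1, ctx2), "groups": claims2["groups"],
            "cross_realm_rejected": rejected[0], "expired_rejected": rejected[1]}


if __name__ == "__main__":
    print(run_scenario())
```

The single-sign-on effect lives entirely in the IdP's session store: the second application never sees a password, only a token scoped to its own realm, which is also why the audience check in verify_token matters.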

16 Non-web applications
CERN authentication for non-web applications
- Use a SOAP web service
  - to verify credentials (username/password only)
  - to get and verify group membership
- Requires some coding:
  - write a SOAP client
  - send credentials and decode return codes
- Not a standard: a CERN-made interface (but based on the SOAP standard)

17 Links and documentation
- CERN Authentication: http://cern.ch/login
- Microsoft ADFS: http://technet2.microsoft.com/windowsserver/en/technologies/featured/adfs/default.mspx
- Shibboleth: http://shibboleth.internet2.edu

18 Questions?

