Presentation is loading. Please wait.

Presentation is loading. Please wait.

CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López

Published byOsborne Logan Modified over 7 years ago

Similar presentations

Presentation on theme: "CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López"— Presentation transcript:

1 CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez (alex@um.es)alex@um.es Rafael Marín (rafa@um.es)rafa@um.es Gabriel López (gabilm@um.es),gabilm@um.es TNC 2015, Porto June 17 th, 2015 1

2 Introduction 2 CLASSe (Cloud-ABFAB Federation Services in eduroam) Objectives: 1.Enabling GÉANT users to access cloud services (OpenStack) using ABFAB technologies 2.Improving the SSO user experience 3.Designing solutions to support Virtual Organizations (VOs)

3 ABFAB 3 IETF WG –Application Bridging for Federated Access Beyond web Federated identity for Internet protocols not based on HTTP –E.g: SMTP, SSH or NFS

4 ABFAB 4 Key components: –EU  Wants to access a service –RP  Provides the service –IdP  Authenticates the EU and provides authorization information to the RP

5 ABFAB 5 Core technology  GSS-EAP (RFC 7055): –GSS-API  Access control to the service –EAP  User authentication –RADIUS  Federation –SAML  Authorization information Moonshot  Reference implementation

6 CLASSe 6 Allowing GÉANT users to access cloud services using ABFAB technologies –Modified OpenStack to support for ABFAB authentication (using Moonshot) –And to translate SAML attributes to OpenStack attributes Benefits: –Any member of the GÉANT community can access the cloud service without requiring the creation of a new account As a result of the project, official support for Moonshot is being included in OpenStack

7 CLASSe 7 Objectives: 1.Enabling GÉANT users to access cloud services (OpenStack) using ABFAB technologies 2.Improving the SSO user experience 3.Designing solutions to support Virtual Organizations (VOs)

8 Single Sign-On (SSO) 8 Objectives: –Prompt the EU for credentials once at the beginning of the session –The rest of accesses to different RPs do not require introducing the credentials again Two different models, that we have called: –Traditional SSO –Real SSO

9 Single Sign-On (SSO) 9 Traditional SSO –Secure storage of credentials on the EU’s device E.g.: Gnome-keyring, Window’s credential manager, Firefox credential manager... –Software agent takes care of the automatic selection and provision of credentials  Does not require any specific SSO mechanism at protocol level  A complete authentication process is performed for each different access  high resource utilization Moonshot uses this model  Identity Selector

10 Single Sign-On (SSO) 10 Real SSO –Provides the EU with some sort of authentication token –The token is used to speed up subsequent authentication processes E.g.: Kerberos, SAML, OpenID…  The authentication processes typically consists on a single round trip  low resource utilization  Requires support at protocol level

11 CLASSe 11 Improving the SSO user experience –Optimize how traditional SSO is performed in Moonshot –Introduce real SSO in ABFAB

12 Optimizing traditional SSO in Moonshot 12 Typical Moonshot EAP methods are TTLS and PEAP –~7 round-trips to complete –Several asymmetric cryptography operations (e.g.: DH exchange) We have implemented support for TLS-resumption –Store TLS session state in the EU’s device after first authentication –Use it to speed up authentication in subsequent accesses –Authentication is reduced to 3 round-trips with no DH

13 Performance analysis 13 We have measured: –Total amount of time to complete the access to the cloud service (including authentication, authorization, OpenStack operations…) –Total amount of data exchanged between the entities during the whole access process –Amount of time spent in the AAA infrastructure –Amount of data exchanged in the AAA infrastructure

14 Performance analysis 14 MoonshotTTLS-resumption Total time2727 ms2056 ms (-24%) AAA time567 ms231 ms (-59%) Total data (bytes)64395 bytes47958 bytes (-25%) AAA data (bytes)6450 bytes2420 bytes (-62%)

15 Introducing real SSO in ABFAB 15 ERP (EAP Re-authentication Protocol) –Standard mechanism for fast re- authentication in EAP –Needs minor adaptations in GSS-EAP Documented in draft-perez-abfab-wg-arch-erp-00 –Reduces the number of round-trips to 1 Less amount of traffic and time spent in the AAA infrastructure –Avoid contacting the IdP for intra-domain SSO

16 Performance analysis 16 MoonshotERP (inter-domain)ERP (intra-domain) Total time2727 ms1779 ms (-34%)1659 ms (-39%) AAA time567 ms76 ms (-86%)0 ms (-100%) Total data (bytes)64395 bytes43682 bytes (-32%)41929 bytes (-35%) AAA data (bytes)6450 bytes1645 bytes (-75%)0 bytes (-100%)

17 Main contributions to the IETF 17 ERP extensions for GSS-EAP –Describes how to support ERP in the GSS-EAP mechanism (RFC 7055) –Personal draft: draft-perez-abfab-wg-arch-erp-00 Fragmentation support for RADIUS –Defines how to send RADIUS packets over the 4096 limit –Recently published as RFC 7499 A RADIUS Attribute, Binding, Profiles, Name Identifier Format, and Confirmation Methods for SAML –Defines how to transport SAML over RADIUS –Active collaboration and editorship –WG document: draft-ietf-abfab-aaa-saml

18 Summary 18 Improving traditional SSO in Moonshot with TLS- resumption –Solution at implementation level  Moonshot –Provides substantial reductions on the overload on the AAA infrastructure (59%) Introducing real SSO in ABFAB with ERP –Solution at specification level  ABFAB –Provides further reductions on the overload on the AAA infrastructure (86%-100%) ABFAB-enabled applications do not need of any change

19 Next steps 19 Continue moving forward our ERP proposal for real SSO on the ABFAB WG Try to push ERP support into FreeRADIUS

20 20 Thank you for your attention

Download ppt "CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López"

Similar presentations

Authentication.

Authentication.
RadSec – A better RADIUS protocol

RadSec – A better RADIUS protocol
Identity Network Ideals – Heterogeneity & Co-existence

Identity Network Ideals – Heterogeneity & Co-existence
EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.

ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.
Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.

Federated Access to Grids Daniel Kouřil, Sam Hartman, Josh Hewlet, Jens Jensen, Michal Procházka EGI User Forum 2011.
SINGLE SIGN-ON. Definition - SSO Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order.

SINGLE SIGN-ON. Definition - SSO Single sign-on (SSO) is a session/user authentication process that permits a user to enter one name and password in order.
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.

Project Moonshot update TF-EMC2 & TF-MNM 14 & 16 February 2011.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.

© Janet 2012 Project Moonshot Technology, use cases & pilot 17 January, 2012 Haka conference, Helsinki 1.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.

Master Thesis Proposal By Nirmala Bulusu Advisor – Dr. Edward Chow Implementation of Protected Extensible Protocol (PEAP) – An IEEE 802.1x wireless LAN.
ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23, 2014 1.

ACE – Design Considerations Corinna Schmitt IETF ACE WG meeting July 23,
ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Similar presentations

Ads by Google