FI-WARE Testbed Access Control temporary solution.

1 FI-WARE Testbed Access Control temporary solution

2 Introduction
- We will define a short-term and a medium-term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed
- The medium-term solution will evolve to incorporate components developed in the FI-WARE Security chapter for the 2nd Release of FI-WARE

3 Basic ingredients of the solution
- OAuth v2.0
- Keystone
- User Profile Management
- Multi-tenancy
- Management of and access to FI-WARE GEs
- Authentication
- Authorization and Trust Management
- Single Sign-On (SSO) among services/apps
- Web/JavaScript/API access
- Client Apps: Web Apps, Server Apps or Desktop Apps

4 MEDIUM TERM Solution

5 Scenarios to be covered
- Client Apps may run on:
  - Web servers
  - Web browsers (user agents)
  - On top of an operating system (native apps)

6 Client Apps running on Web Servers
- Three-tier web applications
- Clients that invoke FI-WARE GE APIs run on web servers (e.g., servlets)
- Users authenticate via the IdM web page
- Client confidentiality is maintained: the client_secret stays on the web server and is never exposed to the user, so the IdM can authenticate the Client App itself (an OAuth 2.0 confidential client)

7 Sequence diagram: Client App running on a web server (OAuth 2.0 authorization code grant). Participants: Client App (WS backend), FI-WARE Testbed IdM (IdM Web Portal + Keystone), FI-WARE GE Instance (behind Keystone Middleware). Steps, as labelled in the diagram:
1. Access App: the user opens the App URL (interaction with the web app)
2. Login via FI-WARE: the user logs in to the WebApp via the IdM Web Portal
3. The IdM sends the redirect URI with the authorization code; the user agent accesses the redirect URL
4. The Client App backend sends the authorization code, client_id and client_secret to the IdM
5. The IdM creates the token in Keystone and returns the access token; the user is logged in
6. FI-WARE GE API request with the token; the Keystone Middleware validates the token against Keystone (OK)
7. The FI-WARE GE API request is served

8 User-agent-based Application
- It is a public Client App
- Downloadable from web servers
- It runs in a user agent (e.g., JavaScript in a web browser)
- Users authenticate via the IdM web page
- Confidentiality is not maintained (the downloaded Client App assumes your identity: the access token is delivered to the browser, and a public client has no secret the IdM could check)

9 Sequence diagram: user-agent-based application (OAuth 2.0 implicit grant). Participants: Client App (User Agent), FI-WARE Testbed IdM (IdM Web Portal + Keystone), FI-WARE GE Instance (behind Keystone Middleware). Steps, as labelled in the diagram:
1. Access App; Login via FI-WARE: the user logs in to the Client App via the IdM Web Portal
2. The IdM creates the token in Keystone and sends the redirect URI with the access token; the user agent accesses the redirect URL
3. The Client App loads the token from the URL fragment
4. FI-WARE GE API requests with the token; the Keystone Middleware validates the token against Keystone (OK)
5. The FI-WARE GE API request is served

10 Native Application
- Native apps, scripts, etc.
- The user gives their credentials to the Client App
- The Client App sends those credentials to the IdM
- Confidentiality is not maintained (the downloaded Client App handles your password and assumes your identity)

11 Sequence diagram: native application (OAuth 2.0 resource owner password credentials grant). Participants: Client App, FI-WARE Testbed IdM (IdM Web Portal + Keystone), FI-WARE GE Instance (behind Keystone Middleware). Steps, as labelled in the diagram:
1. Create Token: the Client App sends the user's credentials to the IdM
2. The IdM returns the access token
3. The Client App accesses the GE with the token; the Keystone Middleware validates the token against Keystone (OK)
4. Access to the FI-WARE GE Instance is granted
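The three grants of slides 7, 9 and 11 and the middleware's "validate token" step, as an added worked example that is not part of the original slides or of the FI-WARE code base. It models the IdM and Keystone in memory; FakeIdM, ge_api_request, the client ids, redirect URIs, user names and secrets are all assumptions made for this illustration. It also shows what the sequence diagrams leave implicit: an authorization code is single use, the back-channel exchange fails without the client_secret, and the implicit grant hands the token to the browser in the URL fragment.

```python
"""Added example (not from the FI-WARE slides): in-memory model of the three
OAuth 2.0 grants used by the medium-term solution and of the GE-side token check.
FakeIdM, ge_api_request and all identifiers below are assumptions."""
import secrets
from urllib.parse import urlencode, urlparse, parse_qs


class FakeIdM:
    """Stand-in for IdM Web Portal + Keystone: holds clients, users, codes, tokens."""

    def __init__(self):
        self.clients = {}   # client_id -> (client_secret or None, redirect_uri)
        self.users = {}     # username -> password (constructed sample data)
        self.codes = {}     # authorization code -> (client_id, username, redirect_uri)
        self.tokens = {}    # access token -> username

    def register_client(self, client_id, redirect_uri, client_secret=None):
        self.clients[client_id] = (client_secret, redirect_uri)  # None = public client

    def register_user(self, username, password):
        self.users[username] = password

    def _check_front_channel(self, client_id, redirect_uri, username, password):
        """Checks shared by both redirect-based grants (the user logs in at the IdM)."""
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if self.users.get(username) != password:
            raise ValueError("bad user credentials")

    def _issue_token(self, username):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = username
        return token

    # Slide 7: authorization code grant (Client App on a web server)
    def authorize_code(self, client_id, redirect_uri, username, password):
        self._check_front_channel(client_id, redirect_uri, username, password)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code})  # redirect URI with code

    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        """Back-channel call from the web server: code + client_id + client_secret."""
        entry = self.codes.pop(code, None)  # a code is single use, even on failure
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            raise ValueError("invalid authorization code")
        if self.clients[client_id][0] != client_secret:
            raise ValueError("client authentication failed")
        return self._issue_token(entry[1])  # "Return access token"

    # Slide 9: implicit grant (user-agent app): the token travels in the URL fragment
    def authorize_implicit(self, client_id, redirect_uri, username, password):
        self._check_front_channel(client_id, redirect_uri, username, password)
        token = self._issue_token(username)
        return redirect_uri + "#" + urlencode({"access_token": token, "token_type": "bearer"})

    # Slide 11: resource owner password grant (native app forwards the user's credentials)
    def password_grant(self, username, password):
        if self.users.get(username) != password:
            raise ValueError("bad user credentials")
        return self._issue_token(username)

    # "Validate token": what Keystone answers the Keystone Middleware
    def validate_token(self, token):
        return self.tokens.get(token)


def code_from_query(redirect_url):
    return parse_qs(urlparse(redirect_url).query)["code"][0]


def token_from_fragment(redirect_url):
    """'Client App loads token from fragment': the browser, not a server, reads it."""
    return parse_qs(urlparse(redirect_url).fragment)["access_token"][0]


def ge_api_request(idm, token):
    """GE instance behind Keystone middleware: serve only if the token validates."""
    user = idm.validate_token(token)
    return {"status": 200, "user": user} if user else {"status": 401, "user": None}


def demo():
    idm = FakeIdM()
    idm.register_user("alice", "s3cret")
    idm.register_client("webapp", "https://webapp.example/cb", client_secret="topsecret")
    idm.register_client("jsapp", "https://jsapp.example/cb")  # public client, no secret
    out = {}
    code = code_from_query(idm.authorize_code("webapp", "https://webapp.example/cb", "alice", "s3cret"))
    try:  # wrong secret: the IdM refuses and the code is burned
        idm.exchange_code(code, "webapp", "guess", "https://webapp.example/cb")
    except ValueError:
        out["wrong_secret"] = "rejected"
    try:  # replaying the burned code with the right secret still fails
        idm.exchange_code(code, "webapp", "topsecret", "https://webapp.example/cb")
    except ValueError:
        out["burned_code"] = "rejected"
    code = code_from_query(idm.authorize_code("webapp", "https://webapp.example/cb", "alice", "s3cret"))
    tok = idm.exchange_code(code, "webapp", "topsecret", "https://webapp.example/cb")
    out["code_flow"] = ge_api_request(idm, tok)["status"]
    url = idm.authorize_implicit("jsapp", "https://jsapp.example/cb", "alice", "s3cret")
    out["implicit_flow"] = ge_api_request(idm, token_from_fragment(url))["status"]
    out["password_flow"] = ge_api_request(idm, idm.password_grant("alice", "s3cret"))["status"]
    out["forged_token"] = ge_api_request(idm, "not-a-real-token")["status"]
    return out
```

Run demo() to see all three grants end in a 200 from the GE and a forged token in a 401. The design point is where the secret lives: only the web-server client can prove its identity on the back channel, which is exactly the confidentiality the slides say the other two client types cannot maintain.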

12 SHORT TERM Solution

13 Sequence diagram, short-term solution: Client App on a web server with a fixed IP a.b.c.d. Participants: Client App (WS backend, fixed IP a.b.c.d), FI-WARE Testbed Admin, FI-WARE Testbed Firewall, FI-WARE Testbed IdM (IdM Web Portal + Keystone), FI-WARE GE Instance. Steps, as labelled in the diagram:
1. Registration of IP a.b.c.d: the FI-WARE Testbed Admin adds the Client App's fixed IP to the FI-WARE Testbed Firewall
2. Access App: the user opens the App URL (interaction) and gets the Client App's own login web page
3. Login to Client App: the Client App validates the credentials (1); user logged in
4. FI-WARE GE API requests from a.b.c.d pass the firewall and reach the FI-WARE GE Instance
(1) Validation via a request using the Keystone API

14 Sequence diagram, short-term solution: user-agent-based Client App with a first (temporary) IP a1.b1.c1.d1. Participants: Client App (User Agent, IP a1.b1.c1.d1), FI-WARE Testbed Firewall, FI-WARE Testbed IdM (IdM Web Portal + Keystone), FI-WARE GE Instance. Steps, as labelled in the diagram:
1. Access App; Login via FI-WARE: the user logs in to the Client App via the IdM (1); user logged in
2. The FI-WARE Testbed Firewall admits the user agent's current IP a1.b1.c1.d1
3. FI-WARE GE API requests from a1.b1.c1.d1 pass the firewall and reach the FI-WARE GE Instance
(1) Login via a request using the Keystone API or via the JavaScript library provided by FI-WARE

15 Sequence diagram, short-term solution: re-login after the user agent is assigned a new IP a2.b2.c2.d2. Participants as on slide 14. Steps, as labelled in the diagram:
1. The firewall still holds the first (temporary) IP a1.b1.c1.d1, but the user agent now has a2.b2.c2.d2 assigned
2. The user logs in again to the Client App via the IdM, so that a2.b2.c2.d2 is admitted by the firewall
3. FI-WARE GE API requests from a2.b2.c2.d2 pass the firewall and reach the FI-WARE GE Instance
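The short-term scheme of slides 13 to 15, as an added worked example that is not part of the original slides or of any FI-WARE component. The testbed firewall is modelled as a source-IP allow-list and the "(1) validation via request using Keystone API" step as a Keystone v2.0 POST /v2.0/tokens call with passwordCredentials; only that request/response JSON shape follows the real Keystone v2.0 API, while TestbedFirewall, FakeKeystone, the IP addresses, user and token values are constructed for this illustration. The re-login case from slide 15 is played through so the failure mode of an IP-keyed allow-list is visible.

```python
"""Added example (not from the FI-WARE slides): model of the short-term solution,
a firewall allow-list on source IP plus user validation against Keystone v2.0.
TestbedFirewall, FakeKeystone, the IPs, users and token ids are assumptions."""
import ipaddress
import json


class TestbedFirewall:
    """Allow-list keyed on source IP, maintained by the FI-WARE Testbed Admin."""

    def __init__(self):
        self.allowed = set()

    def register(self, ip):
        self.allowed.add(ipaddress.ip_address(ip))

    def permits(self, src_ip):
        return ipaddress.ip_address(src_ip) in self.allowed


def password_auth_body(username, password, tenant_name=None):
    """Body of Keystone v2.0 POST /v2.0/tokens (passwordCredentials, optional tenantName)."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name:
        auth["tenantName"] = tenant_name
    return json.dumps({"auth": auth})


class FakeKeystone:
    """In-memory stand-in for the Keystone v2.0 tokens resource."""

    def __init__(self, users):
        self.users = users  # username -> password (constructed)
        self.issued = {}

    def post_tokens(self, body):
        """Returns (HTTP status, JSON body) shaped like POST /v2.0/tokens."""
        creds = json.loads(body)["auth"]["passwordCredentials"]
        if self.users.get(creds["username"]) != creds["password"]:
            return 401, json.dumps({"error": {"code": 401, "title": "Unauthorized"}})
        token_id = "tok-%d" % (len(self.issued) + 1)  # real tokens are opaque strings
        self.issued[token_id] = creds["username"]
        return 200, json.dumps({"access": {"token": {"id": token_id},
                                           "user": {"name": creds["username"]}}})


def validate_user(keystone, username, password):
    """'(1) Validation via request using Keystone API': None means the login failed."""
    status, body = keystone.post_tokens(password_auth_body(username, password))
    return json.loads(body)["access"]["token"]["id"] if status == 200 else None


def ge_request(firewall, src_ip):
    """The firewall decides on source IP alone; the user's login is not consulted."""
    return "reaches GE" if firewall.permits(src_ip) else "dropped by firewall"


def demo():
    fw, ks = TestbedFirewall(), FakeKeystone({"alice": "s3cret"})
    fw.register("203.0.113.10")  # slide 13: fixed IP a.b.c.d of the WS backend
    fw.register("198.51.100.7")  # slide 14: first (temporary) IP a1.b1.c1.d1 of a user agent
    out = {
        "login_ok": validate_user(ks, "alice", "s3cret"),
        "login_bad": validate_user(ks, "alice", "wrong"),
        "webserver": ge_request(fw, "203.0.113.10"),
        "ua_first_ip": ge_request(fw, "198.51.100.7"),
        # slide 15: the user agent reconnects with a new address a2.b2.c2.d2
        "ua_new_ip_before_relogin": ge_request(fw, "198.51.100.8"),
    }
    fw.register("198.51.100.8")  # the re-login registers the new address
    out["ua_new_ip_after_relogin"] = ge_request(fw, "198.51.100.8")
    # the allow-list cannot tell users apart behind one admitted address
    out["anyone_on_admitted_ip"] = ge_request(fw, "203.0.113.10")
    return out
```

Run demo() to see the two halves of the scheme: Keystone answers the login question, the firewall answers the reachability question, and nothing links the two, which is why a user agent that changes address has to log in again and why the medium-term token-based solution replaces this.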

16 IdM Web Portal functionality in the short term
- Every UC project will be associated to an "Organization"
- Every UC project will have an admin user account
- Using the IdM Web Portal, admin users will be able to create new user accounts linked to the same Organization

17 MORE DETAILS

18 IdM Web Portal
- Provides identity management
- Provides the OAuth 2 modes (grant types)
- Interfaces with Keystone through its API to manage GE tokens and to provide them via OAuth

19 Keystone
- Provides management of users, roles and organizations
- Only one Keystone admin
- Credentials: username and password
- Tuples
- Tokens associate to
- Many roles per user and organization
- GEs establish permissions per role

20 Keystone
- Provides management of GEs (services)
- Each GE owns a list of endpoint URLs; users access these URLs
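How a GE behind the Keystone middleware turns a validated token into the per-role permission check of slide 19 and the endpoint list of slide 20, as an added worked example that is not part of the original slides or of any FI-WARE GE. SAMPLE_ACCESS follows the layout of a Keystone v2.0 token response (an "access" object with token/tenant, user/roles and serviceCatalog), but the GE name "orion", the role names, the permission table and the URLs are assumptions.

```python
"""Added example (not from the FI-WARE slides): role-based authorization and
endpoint lookup in a GE, driven by a Keystone v2.0-shaped validated token.
SAMPLE_ACCESS, GE_PERMISSIONS and the service/role names are assumptions."""

# Constructed sample of what Keystone answers when the middleware validates a token.
SAMPLE_ACCESS = {
    "access": {
        "token": {"id": "tok-123", "tenant": {"id": "org-42", "name": "UC-project-A"}},
        "user": {"name": "alice", "roles": [{"name": "Member"}, {"name": "viewer"}]},
        "serviceCatalog": [
            {"name": "orion", "type": "context-broker",
             "endpoints": [{"publicURL": "http://orion.example:1026/", "region": "Spain"}]},
            {"name": "idm", "type": "identity",
             "endpoints": [{"publicURL": "http://idm.example:5000/v2.0", "region": "Spain"}]},
        ],
    }
}

# Permissions this GE defines for itself per role (slide 19); assumed names and methods.
GE_PERMISSIONS = {
    "viewer": {"GET"},
    "Member": {"GET", "POST"},
    "admin": {"GET", "POST", "PUT", "DELETE"},
}


def identity_from_access(access):
    """Extract (user, organization, roles) from the validated-token structure."""
    acc = access["access"]
    roles = {r["name"] for r in acc["user"].get("roles", [])}
    org = acc["token"].get("tenant", {}).get("name")
    return acc["user"]["name"], org, roles


def allowed_methods(roles, permissions=GE_PERMISSIONS):
    """Union of what every role grants; roles unknown to the GE grant nothing."""
    allowed = set()
    for role in roles:
        allowed |= permissions.get(role, set())
    return allowed


def endpoints_for(access, service_name):
    """Slide 20: each GE owns a list of endpoint URLs, published in the catalog."""
    for svc in access["access"]["serviceCatalog"]:
        if svc["name"] == service_name:
            return [e["publicURL"] for e in svc["endpoints"]]
    return []


def keystone_middleware(headers, lookup):
    """Minimal model of the middleware in front of a GE.

    lookup(token) returns the 'access' structure or None. A missing or invalid
    X-Auth-Token is rejected with 401 before the GE code ever runs."""
    token = headers.get("X-Auth-Token")
    access = lookup(token) if token else None
    if access is None:
        return 401, None
    user, org, roles = identity_from_access(access)
    return 200, {"user": user, "organization": org, "roles": roles}


def ge_handle(method, headers, lookup):
    """GE request handling: authenticate via the middleware, then authorize per role."""
    status, identity = keystone_middleware(headers, lookup)
    if status != 200:
        return 401
    return 200 if method in allowed_methods(identity["roles"]) else 403


def demo():
    lookup = {"tok-123": SAMPLE_ACCESS}.get  # what "Validate token" would return
    return {
        "get_as_member": ge_handle("GET", {"X-Auth-Token": "tok-123"}, lookup),
        "delete_as_member": ge_handle("DELETE", {"X-Auth-Token": "tok-123"}, lookup),
        "no_token": ge_handle("GET", {}, lookup),
        "bad_token": ge_handle("GET", {"X-Auth-Token": "tok-999"}, lookup),
        "orion_endpoints": endpoints_for(SAMPLE_ACCESS, "orion"),
    }
```

The split matters for the slides' model: the middleware only answers "who is this and in which organization", while the per-role permission table is the GE's own and must deny by default for roles it does not know, so that a role granted in another GE's context does not silently open this one.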
