
1 Contrail and Federated Identity Management Philip Kershaw, RAL Space, STFC Jens Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …) contrail is.

Presentation on theme: "1 Contrail and Federated Identity Management Philip Kershaw, RAL Space, STFC Jens Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …) contrail is."— Presentation transcript:

1 Contrail and Federated Identity Management
Philip Kershaw, RAL Space, STFC
Jens Jensen, e-Science, STFC
(and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC 7th Framework Programme

2 contrail-project.eu Outline
Contrail overview and goals
Architecture
Single sign-on
Delegation requirements
Delegation solutions
OAuth flow
Conclusions
Collaborations

3 Contrail Overview and Goals
EC FP7 project, led by INRIA, 36 months, completes Sept 2013
Federation of cloud providers
Federation with external IdPs
“Elastic” CAs for dynamically created services
Autonomous SLA management from project
IaaS and PaaS integration
Reuse of existing open standards: OVF, OCCI, CDMI, WS-Security models

4 Contrail Overview and Goals (continued)
Same goals as the previous slide, with the callout: Federated access to resources, building on existing identity federations

5 Architecture
Components shown: Federation of Cloud Providers; Federation CLI; Browser; Federation Web Portal; Federation core; Online CA; Federation Identity Provider
REST API; browser and rich client access

6 Architecture – Single Sign-on
Same components; highlights single sign-on and credentials mapping

7 Architecture – Delegation
Same components; highlights multiple delegation hops

8 Delegation … but how?
A delegator delegates authority to another, the delegatee
Rights that the delegatee inherits can vary, e.g.:
Identity-based: inherits all the rights of the user
Inherits rights to access a single resource
Some technology options: GSI proxy certificates; OAuth 1.0 (CILogon); OAuth 2.0?; others…

9 Delegation: technology options
GSI proxy certificates: delegatee inherits all the rights of the user; custom SSL extensions needed to support verification
OAuth 1.0: gained traction in the commercial environment (Twitter etc.); digital signature of HTTP header artifacts – canonicalisation can be problematic
OAuth 2.0: simplified flow; uses SSL, so no digital signature implementation necessary
CILogon: uses OAuth to protect a short-lived credential service (SLCS), but based on OAuth 1.0; delegatees obtain a standard End Entity Certificate
SLCS + OAuth 2.0 ✔

10 OAuth Flow (1)
Roles in the diagram: Federation Web Portal [OAuth Client]; Online CA [OAuth Resource Server]; Federation Identity Provider [OAuth Authorisation Server]; Federation core; Cloud Providers; Browser
Objective: get delegated credential for portal to make onward requests to the federation core
1. User request (from the browser)

11 OAuth Flow (2 & 3)
2. Portal requests authorisation for delegation from user
3. User is redirected to authorisation server

12 OAuth Flow (4)
4. User authenticates and approves the delegation request

13 OAuth Flow (5)
5. Return authorisation grant to portal via a redirect … redirect back to portal

14 OAuth Flow (6)
6. Portal requests certificate (OAuth access token), passing authorisation grant as proof of user approval

15 OAuth Flow (7)
7. Online CA authenticates portal and returns certificate

16 OAuth Flow (8)
8. Portal uses certificate to authenticate with core services

17 OAuth Flow (9)
9. Further delegation needed: ‘2-legged’ OAuth
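The nine-step flow above, modelled as an added Python example (not Contrail's own code): the Federation IdP issues a single-use grant bound to the portal, the Online CA authenticates the portal, redeems the grant and returns a short-lived credential, and a core service verifies it. Class and method names, the in-memory stores and the HMAC used in place of the CA's X.509 signature are all assumptions made for this model.

```python
import hashlib, hmac, secrets, time

class AuthorisationServer:
    """Federation IdP in the OAuth authorisation server role (steps 3-5)."""
    def __init__(self, clients):
        self.clients = clients  # client_id -> (client_secret, registered redirect_uri)
        self.grants = {}        # one-time authorisation code -> (client_id, user)

    def authorise(self, client_id, redirect_uri, user, approved):
        # Steps 3-4: check the request against the client's registration, then
        # the user authenticates and approves (or declines) the delegation.
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            raise PermissionError("user declined the delegation request")
        code = secrets.token_urlsafe(16)
        self.grants[code] = (client_id, user)  # the grant is bound to this client
        return code  # step 5: handed back to the portal on the redirect

    def redeem(self, client_id, client_secret, code):
        # pop() makes the grant single-use, so a replayed code is rejected.
        bound_client, user = self.grants.pop(code, (None, None))
        if bound_client != client_id:
            raise PermissionError("grant unknown, already used, or issued to another client")
        if not hmac.compare_digest(self.clients[client_id][0], client_secret):
            raise PermissionError("client authentication failed")
        return user

class OnlineCA:
    """Short-Lived Credential Service in the OAuth resource server role (steps 6-7)."""
    def __init__(self, auth_server, ca_key):
        self.auth_server, self.ca_key = auth_server, ca_key

    def _sign(self, cert):
        # An HMAC over the fields stands in for the CA's X.509 signature in this model.
        body = f"{cert['subject']}|{cert['issuer']}|{cert['not_after']}".encode()
        return hmac.new(self.ca_key, body, hashlib.sha256).hexdigest()

    def issue(self, client_id, client_secret, grant, lifetime=3600):
        # Steps 6-7: authenticate the portal, validate its grant with the IdP,
        # then issue a short-lived certificate naming the delegating user.
        user = self.auth_server.redeem(client_id, client_secret, grant)
        cert = {"subject": user, "issuer": "contrail-online-ca (constructed)",
                "not_after": int(time.time()) + lifetime}
        cert["signature"] = self._sign(cert)
        return cert

    def verify(self, cert):
        # Step 8: a core service checks signature and lifetime before trusting the portal.
        return (hmac.compare_digest(cert["signature"], self._sign(cert))
                and cert["not_after"] > time.time())
```

Because the grant is bound to the registered client and consumed on first use, a leaked or replayed code cannot be turned into a certificate by another party, and a tampered certificate fails verification at the core service.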

18 Development Status
Web portal and federation SSO demonstrated with support for: SAML, OpenID
Command line SSO with shell script client to Short-Lived Credential Service (X.509 EECs)
Delegation with 2-legged OAuth-like interface; full OAuth to be integrated

19 Technology used
Federation Web User interface: Python 2.7+ / Django 1.4 / buildout / Apache2
SAML2: Djangosaml2 v0.5
OpenID: Django-authopenid
Federation IdP: SimpleSAMLphp 1.9 rc2
User DB: Java 6 / JPA subclipse / Tomcat

20 Conclusion
Single sign-on support with:
Browser: SAML2 and OpenID
Other clients: X.509 short-lived end entity certificates
Delegation with OAuth 2.0 protected Short-Lived Credential Service
Can we offer Federation-in-a-box or federation-as-a-service?
=> Federated access to resources, building on existing identity federations.

21 Contrail collaborations
Contrail evaluation with: EUDAT, CLARIN, ENES
EGI federated cloud task force
Climate science and Earth Observation communities: OAuth solution for workflows
OGF groups: FEDSEC-CG (federated identity for grids and clouds); IDEL-WG (working group on identity delegation)
Cloud security activities...
Moonshot

22 Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT )
Project reference:
Total cost: 11,29 million euro
EU contribution: 8,3 million euro
Execution: From till
Duration: 36 months
Contract type: Collaborative project (generic)
contrail is co-funded by the EC 7th Framework Programme

