Integrating non web-based services with identity federations

Presentation transcript:

Integrating non web-based services with identity federations
Jens Köhler, Michael Simon, Sebastian Labitzke, Tobias Dussa, Martin Nußbaumer

The bwIDM project
  Services of the state of Baden-Württemberg are placed at different locations.
  They should be usable by the affiliates of the universities.
  Affiliates should be able to access them with the familiar accounts of their home organization.
  bwIDM: Federated Identity Management for Baden-Württemberg.
  (Diagram labels: bwUniCluster, Uni Mannheim, bwLSDF, KIT, bwIBS, Uni Stuttgart, Uni Ulm, bwGrid, Uni Freiburg, Uni Konstanz)
29.12.2018 Integrating non web-based services with identity federations

The bwIDM project (continued)
  SAML identity providers are already present at each university.
  Integrating web-based services into this infrastructure is straightforward.
  Integrating non web-based services is a challenge.
  FACIUS: an easy-to-deploy concept to federate non web-based services, based on the SAML standard.

Non web-based services vs. SAML
  Non web-based services: authentication via the Service Provider.
  Main characteristic of SAML: authentication via the Home Organization.
  The SAML-ECP profile can be used to "SAMLfy" arbitrary applications → the technical foundation to enable non web-based services to use SAML exists.
  (Diagram, SSH service: 1. Login via credentials; 2. Access.)
  (Diagram, web-based service: 1. Request access; 2. Redirect; 3. Login via credentials; 4. Redirect; 5. Assertions.)

Requirements
  Service Provider requirements: Maintainability, (De-)Provisioning, Security, Performance, Legal aspects, Integration effort, Deployability.
  User requirements: Alternative authentication methods, Transparency, Use of home credentials.
  Home Organization requirements: Legal aspects, Necessary software adaptations.

A user's perspective: getting access to the service
  Registration: via a registration web application (browser); authentication is based on the account at the Home Organization; has to be performed only once.
  Provisioning of a local context: in the SSH case, establishment of a UID, a home directory, …
  Accessing the service: via the native service client; authorization is based on assertions of the Home Organization.

FACIUS - Overview
  User: Browser (login & registration), SSH client (login).
  Service Provider: Registration web application, Provisioning, SAML-SP, Login node with SSH server and PAM module.
  Home Organization.
  (Legend: existing components, generic components, partially service-specific components.)
  Further information: J. Köhler, S. Labitzke, M. Simon, M. Nussbaumer, H. Hartenstein: FACIUS: An Easy-to-Deploy SAML-based Approach to Federate Non Web-Based Services, Proc. of TrustCom 2012.

Login alternatives
  Enhanced Proxy (diagram): User → credentials → Service Provider → ECP → Home Organization.
  Enhanced Client (diagram): User → credentials / ECP → Home Organization; Service Provider.
  Local Authentication (diagram): User → credentials → Service Provider → Assertion Query → Home Organization.
  User requirements: unmodified client usable; login with credentials of the Home Organization; no harm by malicious Service Providers; operable in parallel to other login alternatives.
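The registration/provisioning step, the PAM module on the login node and the Local Authentication alternative with an Assertion Query, put together as one added Python example (not code from the FACIUS project or the slides): the Home Organization's assertion is checked for trusted issuer, validity window, audience and entitlement before the subject is mapped to the local account that was provisioned at registration. The entity IDs, entitlement value, UID and the assertion itself are constructed for the example; it assumes the SAML-SP component has already verified the XML signature.

```python
"""Authorization step of a FACIUS-style SSH login node (constructed example, not
project code). Assumes the SAML-SP component has already verified the assertion's
XML signature; the remaining checks are those a PAM module still has to make."""
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://sshlogin.example.org/sp"        # assumed entityID of the login node's SP
TRUSTED_IDPS = {"https://idp.uni-example.de/idp"}       # assumed Home Organization IdPs
REQUIRED_ENTITLEMENT = "urn:example:bwunicluster:user"  # assumed entitlement granting access

# Local context provisioned once via the registration web application (constructed).
PROVISIONED = {"https://idp.uni-example.de/idp!abc123": {"uid": 10042, "home": "/home/u10042"}}

# Constructed assertion as a Home Organization IdP would return it to an AssertionQuery.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.uni-example.de/idp</saml:Issuer>
  <saml:Subject><saml:NameID>https://idp.uni-example.de/idp!abc123</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2018-12-29T10:00:00Z" NotOnOrAfter="2018-12-29T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sshlogin.example.org/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="eduPersonEntitlement">
      <saml:AttributeValue>urn:example:bwunicluster:user</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_ts(s):
    """Parse a SAML UTC timestamp (no fractional seconds in this constructed data)."""
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def authorize(assertion_xml, now):
    """Return the provisioned local context for the asserted subject, or None if any check fails."""
    a = ET.fromstring(assertion_xml)
    if a.findtext("saml:Issuer", namespaces=NS) not in TRUSTED_IDPS:
        return None                                   # assertion not from a federation IdP
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None                                   # missing conditions, expired or not yet valid
    if SP_ENTITY_ID not in [e.text for e in cond.iterfind(".//saml:Audience", NS)]:
        return None                                   # issued for a different Service Provider
    path = ".//saml:Attribute[@Name='eduPersonEntitlement']/saml:AttributeValue"
    if REQUIRED_ENTITLEMENT not in [v.text for v in a.iterfind(path, NS)]:
        return None                                   # authenticated, but not authorized for this service
    subject = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return PROVISIONED.get(subject)                   # None if the user never completed registration
```

A subject that authenticates correctly but was never registered, or whose assertion was issued to another Service Provider, gets no local context and the SSH login is refused.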

Evaluation
  Service Provider requirements:
    Integration effort: integration of the Pluggable Authentication Module with the Service Access Point.
    Maintainability: based on existing frameworks.
    Performance (SSH login): 1.01 s vs. 0.30 s (regular login).
    Integration into existing federations: SAML-based federations.
    Provisioning/Deprovisioning: ?
    Legal aspects: user consent to policies can be requested.
  Home Organization requirements:
    No software adaptations: user consent to policies can be requested.

Conclusion
  bwIDM…
    …is a project to establish a federation of 9 universities and services of the state of Baden-Württemberg.
    …has the goal to federate access to non web-based services such as grid resources.
  FACIUS…
    …enables non web-based services to join SAML federations.
    …aims to be easily deployable for existing service providers.
    …makes active use of the SAML-ECP and AssertionQuery profiles.
    …offers users high usability in trustworthy federations.
    …has been successfully applied to federate SSH services.
  We are planning to…
    …federate an operational cluster by the end of the year.
    …federate additional services based on FACIUS.

How does FACIUS fit into the EGI federated identity management platform?
  (Diagram labels: FACIUS, SSH server (SP).)