FI-WARE Testbed Access Control temporary solution.
Introduction
- We will define a short-term and a medium-term solution to deal with the issues regarding access control to FI-WARE GEs deployed on the FI-WARE Testbed
- The medium-term solution will evolve to incorporate components developed in the FI-WARE Security chapter for the 2nd Release of FI-WARE

Basic ingredients of the solution: OAuth v2.0 and Keystone
- User Profile Management
- Multi-tenancy
- Management and access to FI-WARE GE
- Authentication
- Authorization and Trust Management
- Single Sign-On (SSO) among services/apps
- Web/JavaScript/APIs access
Client Apps: Web Apps, Server Apps or Desktop Apps.

MEDIUM TERM Solution

Scenarios to be covered
- Client Apps may run on:
  - Web Servers
  - Web Browsers (user agents)
  - On top of an Operating System (Native apps)

Client Apps running on Web Servers
- Three-tier Web applications
- Clients that invoke FI-WARE GE APIs run on web servers (e.g., servlets)
- Users authenticate via the IdM web page
- The IdM maintains the confidentiality

Sequence diagram (web-server Client App). Participants: FI-WARE Testbed IdM, IdM Web Portal, Client App (WS backend), Keystone, Keystone Middleware, FI-WARE GE Instance.
1. Access App
2. Login via FI-WARE: login to WebApp via IdM (IdM Web Portal)
3. IdM sends redirect URI with authentication code
4. Access Redirect URL (on the Client App)
5. Client App sends authentication code, client_id, client_secret to the IdM
6. Create Token (IdM with Keystone); access token returned to the Client App
7. User logged in; App URL (interaction)
8. FI-WARE GE API request with token; Keystone Middleware validates the token with Keystone (Ok) and passes the FI-WARE GE API request to the GE Instance

User-agent-based Application
- It is a public Client App
- Downloadable from Web Servers
- It runs in a user agent (e.g., JavaScript in a web browser)
- Users authenticate via the IdM web page
- Confidentiality is not maintained (the downloaded Client App assumes your identity)

Sequence diagram (user-agent Client App). Participants: FI-WARE Testbed IdM, IdM Web Portal, Client App (User Agent), Keystone, Keystone Middleware, FI-WARE GE Instance.
1. Access App
2. Login via FI-WARE: login to ClientApp via IdM (IdM Web Portal)
3. Create Token (IdM with Keystone)
4. IdM sends redirect URI with access token
5. Access Redirect URL; Client App loads the token from the fragment
6. FI-WARE GE API requests with token; Keystone Middleware validates the token with Keystone (Ok) and passes the FI-WARE GE API request to the GE Instance
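As an added example (not code from the FI-WARE project or these slides), the following Python model plays both browser-based flows above: the three-tier web-server flow, where the backend exchanges the authorization code plus its client_secret on a back channel, and the user-agent flow, where the access token itself is handed to the browser in the URL fragment. The IdM, the Keystone-style token store, the client registry, redirect URI and user names are constructed stand-ins.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed registry: one confidential Client App (web-server backend) known to the IdM.
CLIENTS = {"webapp-1": {"secret": "example-secret", "redirect_uri": "https://app.example/cb"}}

class IdM:
    def __init__(self):  # codes: one-time auth codes -> (client_id, user, redirect_uri); tokens -> user
        self.codes, self.tokens = {}, {}
    def _check_redirect(self, client_id, redirect_uri):
        if redirect_uri != CLIENTS[client_id]["redirect_uri"]:
            raise ValueError("redirect_uri not registered for this client")
    def authorize_code(self, client_id, redirect_uri, user):
        # Web-server flow: after IdM login, the browser is sent back with a short-lived code.
        self._check_redirect(client_id, redirect_uri)
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, redirect_uri)
        return redirect_uri + "?" + urlencode({"code": code})
    def exchange_code(self, code, client_id, client_secret, redirect_uri):
        # Back channel: only the server-side app holds client_secret, so it stays confidential.
        entry = self.codes.pop(code, None)  # single use: a replayed code is rejected
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            raise PermissionError("unknown, reused or mismatched authorization code")
        if not hmac.compare_digest(client_secret, CLIENTS[client_id]["secret"]):
            raise PermissionError("bad client_secret")
        token = secrets.token_urlsafe(24)  # "Create Token" in Keystone
        self.tokens[token] = entry[1]
        return token
    def authorize_implicit(self, client_id, redirect_uri, user):
        # User-agent flow: the access token itself goes to the browser in the URL fragment.
        self._check_redirect(client_id, redirect_uri)
        token = secrets.token_urlsafe(24)
        self.tokens[token] = user
        return redirect_uri + "#" + urlencode({"access_token": token})
    def validate(self, token):
        return self.tokens.get(token)  # Keystone middleware check in front of a GE: user or None

def web_server_flow(idm, user="alice"):
    # Three-tier exchange end to end; returns the identity the GE middleware sees and the used code.
    redirect = idm.authorize_code("webapp-1", "https://app.example/cb", user)
    code = parse_qs(urlsplit(redirect).query)["code"][0]
    token = idm.exchange_code(code, "webapp-1", "example-secret", "https://app.example/cb")
    return idm.validate(token), code

def user_agent_flow(idm, user="bob"):
    # Implicit exchange: the downloaded script reads the token straight from the fragment.
    redirect = idm.authorize_implicit("webapp-1", "https://app.example/cb", user)
    token = parse_qs(urlsplit(redirect).fragment)["access_token"][0]
    return idm.validate(token), token
```

In the web-server flow the token never leaves the backend, whereas in the user-agent flow anyone reading the fragment (the downloaded script included) holds the user's token, which is the confidentiality difference the two slides point out.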

Native Application
- Native apps, scripts, etc.
- Credentials are sent via the Client App
- User gives credentials to the Client App
- Confidentiality is not maintained (the downloaded Client App assumes your identity)

Sequence diagram (native Client App). Participants: FI-WARE Testbed IdM, IdM Web Portal, Client App, Keystone, Keystone Middleware, FI-WARE GE Instance.
1. Create Token (Client App sends the user's credentials to the IdM, which creates the token in Keystone)
2. Return access token to the Client App
3. Access with token; Keystone Middleware validates the token with Keystone (Ok) and passes the access to the GE Instance

SHORT TERM Solution

Sequence diagram (web-server Client App, short term). Participants: FI-WARE Testbed IdM, IdM Web Portal, Client App (WS backend) with fixed IP a.b.c.d, Keystone, FI-WARE Testbed Firewall, FI-WARE Testbed Admin, FI-WARE GE Instance.
1. FI-WARE Testbed Admin registers the IP a.b.c.d in the FI-WARE Testbed Firewall
2. Access App; login web page; login to ClientApp
3. Validation (1)
4. User Logged In; App URL (interaction)
5. FI-WARE GE API requests from a.b.c.d through the Firewall to the GE Instance
(1) Validation via request using the Keystone API

Sequence diagram (user-agent Client App, short term). Participants: FI-WARE Testbed IdM, IdM Web Portal, Client App (User Agent) with first (temporary) IP a1.b1.c1.d1, Keystone, FI-WARE Testbed Firewall, FI-WARE GE Instance.
1. Access App
2. Login via FI-WARE: login to ClientApp via IdM (1)
3. Validation; User Logged In
4. FI-WARE GE API requests from a1.b1.c1.d1 through the Firewall to the GE Instance
(1) Login via request using the Keystone API or via the JavaScript library provided by FI-WARE

Sequence diagram (user-agent Client App, short term, re-login with a2.b2.c2.d2). Participants: FI-WARE Testbed IdM, IdM Web Portal, Client App (User Agent), Keystone, FI-WARE Testbed Firewall, FI-WARE GE Instance.
1. The first (temporary) IP a1.b1.c1.d1 is replaced: the new IP a2.b2.c2.d2 is assigned in the Firewall after re-login
2. Access App
3. FI-WARE GE API requests from a2.b2.c2.d2 through the Firewall to the GE Instance

IdM Web Portal functionality in the short term
- Every UC project will be associated to an "Organization"
- Every UC project will have an admin user account
- Using the IdM Web Portal, admin users will be able to create new user accounts linked to the same Organization

MORE DETAILS

IdM Web Portal
- Provides Identity Management
- Provides OAuth 2 modes
- API with Keystone to manage GE tokens
- Interface with Keystone to manage tokens and provide them via OAuth

Keystone
- It provides management of Users, roles and organizations
- Only one Keystone admin
- Credentials: username and password
- Tuples
- Tokens associate to
- Many roles per user and organization
- GEs establish permissions per role

Keystone
- Provides management of GEs (Services)
- Each GE owns a list of endpoint URLs
- Users access these URLs