Jean-François Perrin (ILL) - Umbrella Annual Meeting 2015


1 Non Web access
Technical session, 15th-16th June 2015
Jean-François Perrin (ILL) - Umbrella Annual Meeting 2015

2 Why?
Currently Umbrella can only be used for web browser based access. That's perfect for WUO type access! We aim to extend it to:
- Data access (WebDAV? S3? Need your input)
- Analysis workstation access (PaNDaS-like project)
- SSH
- Remote display
These new usages are often not inside a web browser.

3 Our needs
- Simple to use, at least for the users
- Federation: the SP should never get access to the password.

4 Many solutions exist …
Solution    | Modifications       | Readiness        | Scope
Moonshot    | Client, Server, IdP | Yes              | SSH, NFSv4, Owncloud
SSH Keys    | SP                  | Prototype ?      |
LDAP facade |                     |                  | Any LDAP compatible service (where the pwd field is sufficiently long)
SASL-SAML   | Client (?)          | Prototype (2012) | IMAP
OAuth2      |                     | Prototypes       | WebDAV

5 SSH Keys
Basic Workflow:
1. Users register their public key on their account on umbrellaid.org.
2. The IdPs distribute the key as part of the SAML metadata (other mechanisms possible).
3. The SPs collect the keys (like for EAAHash) and populate authorized_keys (user home dir, LDAP, …).
4. Users can connect with their Umbrella username and private key.

6 More details/constraints
- Provisioning: need to have usernames (from umbrellaid.org) in the SP LDAP, probably with the same uidNumber and homeDirectory as the local user account, to benefit from local account authorization.
- Need for uid uniqueness in the case we also accept local login: need to identify which accounts belong to Umbrella.
- Attributes update.
- Deprovisioning: the SP needs to validate that the account is still valid (automated asynchronous check on the IdP, SAML AssertionQuery profile)?
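The SP-side collection step of slides 5 and 6, as an added Python example that is not from the presentation: it takes collected (username, uidNumber, public key) records, whose feed format is an assumption since the slides only say the IdP publishes keys alongside the SAML metadata, validates each key's framing, rejects uid collisions with local accounts, tags Umbrella entries with a differentiator, and implements the asynchronous deprovisioning check. All users and keys are constructed sample data.

```python
import base64, re, struct

KEY_RE = re.compile(r"^(ssh-ed25519|ssh-rsa) ([A-Za-z0-9+/=]+)(?: \S+)?$")  # key types this SP accepts

def make_key_blob(key_type, payload):
    """Constructed key in OpenSSH wire framing (length-prefixed strings); not a real key."""
    blob = struct.pack(">I", len(key_type)) + key_type.encode()
    blob += struct.pack(">I", len(payload)) + payload
    return f"{key_type} {base64.b64encode(blob).decode()}"

def parse_key(line):
    """(type, b64) if well-formed and the declared type matches the framed type, else None."""
    m = KEY_RE.match(line.strip())
    if not m:
        return None
    key_type, b64 = m.groups()
    try:
        blob = base64.b64decode(b64, validate=True)
        n = struct.unpack(">I", blob[:4])[0]
    except (ValueError, struct.error):
        return None
    return (key_type, b64) if blob[4:4 + n] == key_type.encode() else None

def build_authorized_keys(feed, local_passwd):
    """feed: {username, uidNumber, sshPublicKey} records (format assumed); local_passwd: {name: uid}.
    Umbrella entries get an 'umbrella:<user>' comment as the differentiator the slides call for."""
    local_uids = {uid: name for name, uid in local_passwd.items()}
    entries, rejected = {}, {}
    for u in feed:
        name, uid = u["username"], u["uidNumber"]
        if local_passwd.get(name, uid) != uid:            # same name, different uid: not the same account
            rejected[name] = "username exists locally with a different uidNumber"
        elif local_uids.get(uid, name) != name:           # uid already owned by another local user
            rejected[name] = f"uidNumber {uid} belongs to local user {local_uids[uid]}"
        elif (key := parse_key(u["sshPublicKey"])) is None:
            rejected[name] = "malformed public key"
        else:
            entries[name] = f"{key[0]} {key[1]} umbrella:{name}"
    return entries, rejected

def deprovision(entries, fresh_feed):
    """Asynchronous re-check: Umbrella entries absent from a fresh feed are to be removed."""
    return sorted(n for n in entries if n not in {u["username"] for u in fresh_feed})

# Constructed sample data (not real users or keys).
KEY_OK = make_key_blob("ssh-ed25519", b"\x01" * 32)
KEY_BAD = "ssh-rsa " + KEY_OK.split()[1]                  # declared type differs from framed type
FEED = [{"username": "jperrin", "uidNumber": 10001, "sshPublicKey": KEY_OK},
        {"username": "dcollab", "uidNumber": 1000, "sshPublicKey": KEY_OK},   # uid clash with alice
        {"username": "mhardt", "uidNumber": 10003, "sshPublicKey": KEY_BAD}]
LOCAL_PASSWD = {"alice": 1000, "jperrin": 10001}
```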

7 Pros/Cons
Pros:
- Very simple for the users
- Pragmatic solution, mostly ready
- Development cost very small
Cons:
- Need to check asynchronously that the user is still valid.
- Potential uid collision in case local and Umbrella accounts could both log in: need a differentiator
- Only valid for SSH authentication

8 LDAP facade
In production at bwIDM - Föderatives Identity Management Baden-Württemberg (KIT is part of it).
Slides from Marcus Hardt (KIT)

9 LDAP Facade
Basic Workflow (Enhanced client):
1. Users authenticate with their web browser (WebSSO profile) to the SP.
2. Users download the SAML assertion.
3. They use this assertion as the password in their SSH client.
4. The SSH server sends the username/password (assertion) to the LDAP façade.
5. The LDAP façade checks/accepts the username + assertion as valid login credentials and allows the user to log in.

10 Pros/Cons
Pros:
- Relatively simple for the users
- Pragmatic solution, mostly ready
- Development cost relatively small (availability of the code for the LDAP façade?)
- Could work with all services based on LDAP
Cons:
- Potential uid collision in case local and Umbrella accounts could both log in: could need a differentiator

11 Technical team
Possible tasks and actions:
- Refine the needs (SSH, RDP? which one; Data Access? which one) (action: All)
- Set up 3rd/4th IdP (action: DESY/STFC+), Geo DNS and IdP session sharing
- Prototype Non Browser Access:
  - Moonshot: proposal to the Steering Committee for voting
  - SSH Keys: prototype
  - LDAP Facade: Doris to get in touch with Marcus Hardt
- Attribute management and release / attribute authority
- Check validity of addresses
- Level Of Assurance: prototyping
- Indico

