Presentation is loading. Please wait.

Presentation is loading. Please wait.

Integrating non web-based services with identity federations

Published byStefanie Sauer Modified over 5 years ago

Similar presentations

Presentation on theme: "Integrating non web-based services with identity federations"— Presentation transcript:

1 Integrating non web-based services with identity federations
Jens Köhler, Michael Simon, Sebastian Labitzke, Tobias Dussa, Martin Nußbaumer

2 The bwIDM project bwUniCluster Services of the state of Baden-Württemberg placed at different locations Should be useable by the affiliates of universities Affiliates should be able to access them with their familiar accounts of their home organization bwIDM: Federated Identity Management for Baden-Württemberg Uni Mannheim bwLSDF KIT bwIBS Uni Stuttgart Uni Ulm bwGrid Uni Freiburg Uni Konstanz Integrating non web-based services with identity federations

3 Integrating non web-based services with identity federations
The bwIDM project bwUniCluster SAML identity providers are already present at each university Integrating web-based services into this infrastructure is straightforward Integrating non web-based services is a challenge FACIUS: An easy-to-deploy concept to federate non web-based services based on the SAML standard. Uni Mannheim bwLSDF KIT bwIBS Uni Stuttgart Uni Ulm bwGrid Uni Freiburg Uni Konstanz Integrating non web-based services with identity federations

4 Non web-based services vs. SAML
Non web-based services: Authentication via the Service Provider Main characteristic of SAML: Authentication via the Home Organization SAML-ECP profile can be used to „SAMLfy“ arbitrary applications → Technical foundation to enable non web-based services to use SAML exist SSH Service 1. Login via credentials 2. Access Web-based Service 1. Request Access 2. Redirect 5. Assertions 4. Redirect 3. Login via credentials Integrating non web-based services with identity federations

5 Integrating non web-based services with identity federations
Requirements Service Provider requirements Maintainability (De-)Provisioning Security Performance Legal aspects Integration effort Deployability Alternative authentication methods Transparency Use of home credentials Legal aspects Necessary software adaptions User requirements Home Organization requirements Integrating non web-based services with identity federations

6 A users perspective: Getting access to the service
Registration Via a Registration-Webapplication (Browser) Authentication based on the account at the Home Organization Just has to be performed once. Provisioning of a local context In the SSH case: Establishment of a UID, a home directory, … Accessing the service Via native service client Authorization based on assertions of the Home Organization Integrating non web-based services with identity federations

7 FACIUS - Overview User Service Provider Home Organization Browser
Login & Registr. Registration-Webapplication Provisioning SAML-SP Login-Node SSH- Server PAM- Module SSH-Client Login Existing components Generic components Partially service-specific components Further Information: J. Köhler, S. Labitzke, M. Simon, M. Nussbaumer, H. Hartenstein: FACIUS: An Easy-to- Deploy SAML-based Approach to Federate Non Web-Based Services, Proc. of Trustcom 2012 Integrating non web-based services with identity federations

8 Integrating non web-based services with identity federations
Login alternatives Creden-tials Enhanced Proxy User Creden-tials Service Provider Home Organization ECP User Service Provider Home Organization Creden-tials Enhanced Client ECP User Service Provider Home Organization Creden-tials Local Authentication Assertion Query Enhanced Proxy Enhanced Client Local Authentication User requirements: Unmodified client usable Login with credentials of the Home Organization No harm by malicious Service Providers Operable in parallel to other login alternatives Integrating non web-based services with identity federations

9 Integrating non web-based services with identity federations
Evaluation Service Provider requirements: Integration effort: Maintainability: Performance (SSH-Login): Integration into existing Federations: Provisioning/Deprovisioning: Legal aspects: Home Organization requirements: No software adaptions: Integration of the Pluggable Authentication Module with the Service Access Point Based on existing frameworks 1.01 s vs s (regular login) ? SAML-based federations User consent to policies can be requested User consent to policies can be requested Integrating non web-based services with identity federations

10 Integrating non web-based services with identity federations
Conclusion bwIDM…. …is a project to establish a federation of 9 universities and services of the state of Baden-Württemberg. …has the goal to federate access to non web-based services such as grid resources. FACIUS… …enables non web-based services to join SAML-federations. …aims to be easily deployable for existing service providers. …makes active use of the SAML-ECP and AssertionQuery profile. …offers users a high usability in trustworthy federations. …has been successfully applied to federate SSH services. We are planning to… …federate an operational cluster by the end of the year. …federate additional services based on FACIUS. Integrating non web-based services with identity federations

11 Integrating non web-based services with identity federations
How does FACIUS fit into the EGI federated identity management platform? FACIUS SSH-Server (SP) Integrating non web-based services with identity federations

Download ppt "Integrating non web-based services with identity federations"

Similar presentations

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.

Using PHINMS and Web-Services for Interoperability The findings and conclusions in this presentation are those of the author and do not necessarily represent.
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.
Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March 3. 2008.

Administrative Information Systems Shibboleth: The Next Generation ISIS Technical Information Session for Developers Datta Mahabalagiri March
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.

OUC204. Recently Announced… Identity Integration Options 2 3 Identity Management Overview 1.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.
Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.

Single Sign-On Multiple Benefits via Alaska K20 Identity Federation 20 May 2011 BTOP Partner Meeting Anchorage, Alaska 20 May 2011 BTOP Partner Meeting.
Connect.usatlas.org ci.uchicago.edu ATLAS Connect Technicals & Usability David Champion Computation Institute & Enrico Fermi Institute University of Chicago.

Connect.usatlas.org ci.uchicago.edu ATLAS Connect Technicals & Usability David Champion Computation Institute & Enrico Fermi Institute University of Chicago.
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

Similar presentations

Ads by Google