Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security for Science Gateways Initial Design Discussions

Published byebrew Αναστασιάδης Modified over 5 years ago

Similar presentations

Presentation on theme: "Security for Science Gateways Initial Design Discussions"— Presentation transcript:

1 Security for Science Gateways Initial Design Discussions
Custos Security for Science Gateways Initial Design Discussions

2 High-Level Overview

3 Use case 1: Institutional Login
GW Custos CILogon IDP OIDC Custos AuthN Redirect OIDC CILogon AuthN Redirect SAML CILogon AuthN Redirect AuthN AuthN Login SAML AuthN

4 Use case 1: Institutional Login
Kind of doing repetitive work. Validate SAML Token GW Custos CILogon IDP OIDC Response (Redirect) OIDC Response (Redirect) OIDC Response SAML Authn Response OIDC Response SAML Authn Response (Redirect)

5 Use case 1: Institutional Login
Unify. Validate SAML Token GW Custos CILogon IDP OIDC Response (Redirect) OIDC Response (Redirect) OIDC Response SAML Authn Response OIDC Response SAML Authn Response (Redirect)

6 Use case 1: Institutional Login
GW Custos IDP OIDC Custos AuthN Redirect SAML CILogon AuthN Redirect AuthN SAML AuthN Login

7 Use case 1: Institutional Login
Validate SAML Token Keycloak can validate the token. GW Custos IDP OIDC Response (Redirect) SAML Authn Response OIDC Response SAML Authn Response (Redirect)

8 Resource Authentication
Good for having something working Thinking backward This is what I did for a while That is understand the functionalities cloud providers giving for delegated/federated authentication and try to implement our use case. Thinking forward Implement the custos use case and list what we need from cloud providers. Good if we can influence cloud provides

9 Users Types of users as far as resources are concerned
Forward Types of users as far as resources are concerned Users with proper authentication credentials to the resource (resource user) Users without proper authentication credentials but authorize to use credentials of a user who has credentials to a resource.(none resource user) Types of users as far as resource is concerned (AWS): Root User (has a dedicated AWS billing account) IAM User (associated to another root account) Neither root nor IAM (no relationship to AWS at all) Backward

10 Use Case 2: Adding a resource by a resource user
GW Custos Resource (AWS/GCP) Custos AddResource Redirect Oauth Resource Redirect AddResource Authorize Add Resource Oauth Scopes are defined based on what user specified. Specify what retrieving credentials can do. E.g., execute code, access s3

11 Use Case 2: Adding a resource by a resource user
Store Auth code GW Custos Resource (AWS/GCP) Success Redirect Auth Code Auth code, redirect to Custos Resource Added

12 Use Case 3: Accessing a resource by a resource user
Is access token along sufficient? Get Credentials GW Custos Credentials Access Token Auth Code SDK+ Credentials (Access token) Resource (AWS/GCP) Access Resource

13 Use Case 4: Accessing a resource by a none resource user
In order for none resource user to access a resource, he/she must be associated with a resource user. Associate auth codes with different entities: Single user (resource user) A group A role

14 Use Case 4: Accessing a resource by a none resource user
Find associated auth code(s) Get Credentials GW Custos Credentials Access Token Auth Code SDK+ Credentials (Access token) Resource (AWS/GCP) Access Resource

15 Use Case 4: Accessing a resource by a none resource user
Every user in the group has same access privileges. We lose audit logs at the resource but we can maintain audit logs at the custos. If we want functionalities similar to throttling we need to implement them at the custos level.

16 Custos Components Single server that embeds KeyCloak and other functionalities API KeyCloak User Management CredentialStore/Vault Primary user store Storing auth codes, ssh keys, generate keys Sharing Service Manages resource authentication for a user + throttling, limiting user access to resource. Profile Service Resource Authentication/ Authorization Admin/ Monitoring Registering client ids, client secrets + other admin/monitoring things Secure audits, manages audit queries Auditing

Download ppt "Security for Science Gateways Initial Design Discussions"

Similar presentations

SearchSearch User Profiles SearchSearchExcelExcelUserProfilesUserProfiles Managed Metadata.

SearchSearch User Profiles SearchSearchExcelExcelUserProfilesUserProfiles Managed Metadata.
FI-WARE Testbed Access Control temporary solution.

FI-WARE Testbed Access Control temporary solution.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Will Darby 91.514 5 April 2010.  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.

Will Darby April  What is Federated Security  Security Assertion Markup Language (SAML) Overview  Example Implementations  Alternative.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
One Stop Mail Service Bhattacharya, Tonmoy, Bhattacharya, Tonmoy, Hariharan, Rama Krishnan, MS in Engineering Science,

One Stop Mail Service Bhattacharya, Tonmoy, Bhattacharya, Tonmoy, Hariharan, Rama Krishnan, MS in Engineering Science,
OmStore Cloud API Harshit Agarwal Sohil Habib. About Us ●We are graduate students at CMU ●Currently at CMU Silicon Valley campus ●Working part time with.

OmStore Cloud API Harshit Agarwal Sohil Habib. About Us ●We are graduate students at CMU ●Currently at CMU Silicon Valley campus ●Working part time with.
SACMAT02-1 Security Prototype Defining a Signature Constraint.

SACMAT02-1 Security Prototype Defining a Signature Constraint.
Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.

Esri UC2013. Technical Workshop. Technical Workshop 2013 Esri International User Conference July 8–12, 2013 | San Diego, California Building Secure Applications.
Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.

Cloud app Cloud app Cloud app Separate username/password sign-in Manual or semi-automated provisioning Active Directory App Separate username/password.
Google App Engine Google APIs OAuth Facebook Graph API

Google App Engine Google APIs OAuth Facebook Graph API
SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1.

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13,
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.

Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!

1 Multi Cloud Navid Pustchi April 25, 2014 World-Leading Research with Real-World Impact!
© 2012 Autodesk Implementing Cloud-Based Productivity Solutions with the AutoCAD® ObjectARX® API Ravi Krishnaswamy Senior Software Architect.

© 2012 Autodesk Implementing Cloud-Based Productivity Solutions with the AutoCAD® ObjectARX® API Ravi Krishnaswamy Senior Software Architect.
FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.

FIspace SPT Seyhun Futaci. Technology behind FIspace Authentication and Authorization IDM service of Fispace provides SSO solution for web apps, mobile.
OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”

OpenPASS Open Privacy, Access and Security Services “Quis custodiet ipsos custodes?”
Running List of Comanage Framework Stuff. Parked issues Discussion of how to share the work of domesticating apps - real important to do soon, but the.

Running List of Comanage Framework Stuff. Parked issues Discussion of how to share the work of domesticating apps - real important to do soon, but the.
MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.

MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.
SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

SSO Case Study Suchin Rengan Principal Technical Architect Salesforce.com.

Similar presentations

Ads by Google