External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

1 External Identity and Authorization in GENI

2 kjk@internet2.edu
Topics
- Federated identity and virtual organizations
- ABAC
- Creating and transporting attributes
- Applying to GENI
- Demo

3 Federated identity
- Builds on deployed authentication services
  - Identity Provider (IdP) services at universities etc.
- IdPs handle logins (single sign-on) and assert attributes
  - Can supply roles, permissions, common attributes (name, organization, affiliations, citizenship, capabilities, etc.)
- Uses SAML and metadata (aka Shibboleth)
- International trust fabric now being deployed on Internet-scale, first in R&E but expanding to other sectors
  - Greater than 150M world-wide, 5M US, exponential growth

4 (diagram labels) Duke Shibboleth Identity Provider (IdP); HTTPS; XMLRPC / SOAP; Users and “hands-free” tools; Web Service Portal (SP); Authenticated user identity; Attributes for authorization

5 Virtual Organizations
- Research and scholarly efforts, sharing both domain and collaborative resources and tools.
- Typically cross-cutting institutionally and internationally, with high-profile participants.
- Often have education and outreach requirements
- Want to leverage both institutional and collaborative personas (the sum is greater than the parts)
- GENI and its clusters are nested VOs.
- GENI technologies may enable VO network capabilities

6 Advantages
- Institutions maintain the accounts (they do it anyway)
- Secure privacy-preserving login
- Single sign on (SSO)
- Expiration/revocation! Institutions can hold their users accountable
- Supplies attributes for access control (e.g., ABAC)
  - Standard attributes (student, faculty, etc.)
  - Groups: easy to create and maintain
    - Course enrollment, research group, etc.
- Use COmanage for Virtual Organizations (e.g., GENI)

7 ABAC
- No fun to maintain 200K accounts
  - Use federated identity
- Not much fun to maintain an access control list of 200K identities
  - Use attributes
- Group membership is a good access control attribute
  - Easy to create and maintain
  - Easy for users to understand and administer
  - Solves 80% of the use cases
- Finer-grain controls are needed for the rest

8 SFA observations (from an ignorant bystander)
- Move from v1 to v2 adds another option – external authn/z – to security built-in via X.509 identity and attribute certs
- V2 does a good thing but…
  - Does not help integration, convergence, deployability, scale, robustness, etc.
- On what scales is it meso-scale? Devices? Experiments? Users?
- Can we fix things later with “another level of indirection?”

12 Duke’s Shibboleth IdP says: “The user is authenticated as chase@cs.duke, a Duke professor who is a member of the group cs.geni.test”.

13 Code snippet from portal source: get session attributes.

14 Config snippet from the portal’s web.xml descriptor. It says: “let OIOSAML filter access to this Web portal” with the configured IdP bindings.

19 “Remove Chase from the group cs.geni.test”.

20 On next login, Duke’s Shibboleth IdP says: “The user is authenticated as chase@cs.duke, a Duke professor who is not a member of any group.”

22 Allocation policy considers group membership attributes of requester (ABAC).

23 Attribute-Based Access Control (ABAC)
- This simple example illustrates ABAC.
- The attributes are asserted by an IdP.
- The resource broker policy trusts and understands attributes from this source.
- The policy uses the attributes to make a policy decision.
- (diagram labels) Authorization; Resource Control
- Shibboleth and ABAC work together.

24 A Few Points about SFA 2.0
- SFA 1.0 specified identity/trust mechanisms and attributes.
- SFA 2.0: the mechanisms of SFA 1.0 are optional; they are instances of an open framework.
- Shibboleth+ABAC is SFA-compliant.
- SFA server policies may choose which IdPs and attributes to consider.

25 COmanage and GENI
- CO is a platform supporting the work of VOs, using enterprise tools (including Shib and Grouper) reassembled for VO use
- COmanage is a platform that allows federated identities to be gathered, assigned attributes and fed to applications
  - Consistent identity and group management across apps
  - Collaboration apps (wikis, listprocessors, IM, videoconferencing, file shares, etc.)
  - Domain apps (grids, ssh-based, etc.)
- Provides scalable, secure, federated, flexible A/A to apps
- A GENI cluster, or GENI itself, could be well-served on a COmanage instance

26 COmanage Elements (diagram labels): Dashboard (including invitation/registration); Shib SP; Grouper; STS; Shib IdP; LdapPC / SPML provisioning; Applications; Data Store

27 Flows (diagram labels): Dashboard (including invitation/registration); Shib SP; Grouper; STS; Shib IdP; LdapPC / SPML provisioning; Applications; Data Store; Users; Portal/Gateway SP; Collabmins (RA’s, PI’s, sysadmins, etc.); A/A flows between them

28 Sample Flows of attributes (diagram labels): Enterprise; Data Store; Project; comanage; Relying Party; Enterprise

29 What’s in a COmanage data store
Enterprise attributes    | Project/VO attributes
Federated Id             | PI groups
Enrolled classes         | Wiki editing permissions
Display name             | Instrument permissions
Citizenship              | VO certificates
Enterprise affiliation   | …

30 Collabmin GUI (screenshot)

31 Demo 1
- Using enterprise-based identity to assign GENI privileges
  - Enterprise authentication
  - Enterprise located groups
  - Transported to portal by SAML, consumed and carried within ORCA

32 Demo 1 basics
- On the user side, Duke identities (PI’s, RA’s, students) are assigned ORCA permissions through standard Duke group management tools
- On the ORCA web portal side, Shib relying party code was added to the Java server. It consumes assertions from the Duke Shib identity provider
- Those attributes are fed to an ORCA policy engine, which creates ORCA native credentials and sends them on
- Users going to the ORCA portal are redirected to authenticate at Duke (unless already authenticated)
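The flow of slides 12 to 23 and the Demo 1 pipeline as one added Python example (not code from the presentation, the ORCA portal or COmanage): a constructed, unsigned SAML attribute statement stands in for what the Duke IdP asserts, the portal reads the session attributes, and an allocation policy decides on group membership alone. The IdP entityID, the eduPerson attribute mapping and the "faculty" affiliation value are assumptions.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
# eduPerson attributes as carried in a SAML attribute statement (OID names)
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"   # eduPersonAffiliation
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf (group membership)
# Assumed entityID for the Duke IdP: a placeholder, not the real value.
TRUSTED_IDPS = {"https://idp.duke.example/shibboleth"}


def make_assertion(issuer, groups):
    """Constructed, unsigned attribute statement like the one slide 12 describes:
    chase@cs.duke, a Duke faculty member, in the given groups (real ones are signed)."""
    attrs = {EPPN: ["chase@cs.duke"], AFFILIATION: ["faculty"], IS_MEMBER_OF: groups}
    body = "".join(
        f'<saml:Attribute Name="{name}">'
        + "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in vals)
        + "</saml:Attribute>"
        for name, vals in attrs.items() if vals)  # no isMemberOf when groups is empty
    return (f'<saml:Assertion xmlns:saml="{SAML}"><saml:Issuer>{issuer}</saml:Issuer>'
            f"<saml:AttributeStatement>{body}</saml:AttributeStatement></saml:Assertion>")


def session_attributes(xml_text):
    """What the portal's relying-party code pulls from the session (slide 13):
    the asserting IdP and a dict of attribute name -> list of values."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return issuer, attrs


def allocation_decision(issuer, attrs, required_group="cs.geni.test"):
    """ABAC allocation policy (slide 22): trust only configured IdPs, then decide
    on group membership rather than on an ACL of individual identities."""
    if issuer not in TRUSTED_IDPS:
        return False, "untrusted issuer"
    who = attrs.get(EPPN, ["<unknown>"])[0]
    if required_group in attrs.get(IS_MEMBER_OF, []):
        return True, f"{who} is a member of {required_group}"
    return False, f"{who} is not a member of {required_group}"


if __name__ == "__main__":
    idp = "https://idp.duke.example/shibboleth"
    # First login (slide 12): in the group, so allocation is permitted.
    print(allocation_decision(*session_attributes(make_assertion(idp, ["cs.geni.test"]))))
    # After removal from the group (slides 19-20): same identity, now denied.
    print(allocation_decision(*session_attributes(make_assertion(idp, []))))
```

Revocation needs no change at the portal: removing the user from the group at Duke changes what the IdP asserts on the next login, and the same policy then denies.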

33 Demo 2
- Using enterprise identity and VO attributes to control ORCA
  - Enterprise asserts identity
  - VO asserts groups and privileges
- Integrated into the larger VO science and collaboration environment
- Permissions (fine-grain authz) also possible
