contrail and federated identity management
DESCRIPTION
Contrail and Federated Identity Management. Philip Kershaw, RAL Space, STFC Jens Jensen, e-Science, STFC (and others: XLab , CNR , INRIA …). contrail is co-funded by the EC 7th Framework Programme. 1. Outline. Contrail overview and goals Architecture S ingle sign -on - PowerPoint PPT PresentationTRANSCRIPT
1
Contrail and Federated Identity Management
Philip Kershaw, RAL Space, STFCJens Jensen, e-Science, STFC
(and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC 7th Framework Programme
contrail-project.eu
Outline•Contrail overview and goals•Architecture•Single sign-on•Delegation requirements•Delegation solutions•OAuth flow•Conclusions•Collaborations
2
contrail-project.eu
Contrail Overview and Goals• EC FP7 Project, led by INRIA, 36 month, completes
Sept 2013• Federation of cloud providers• Federation with external IdPs• “Elastic” CAs for dynamically created services• Autonomous SLA management from SLA@SOI project• IaaS and PaaS integration• Reuse of existing open standards:
OVF OCCI CDMI
WS-Security
SLA@SOI models 3
contrail-project.eu
Contrail Overview and Goals+• EC FP7 Project, led by INRIA, 36 month, completes
Sept 2013• Federation of cloud providers• Federation with external IdPs• “Elastic” CAs for dynamically created services• Autonomous SLA management from SLA@SOI project• IaaS and PaaS integration• Reuse of existing open standards:
OVF OCCI CDMI
WS-Security
SLA@SOI models 4
Federated access to resources, building on existing identity federations
contrail-project.eu
Architecture
5
Federation of Cloud Providers
Federation CLI Browser
Federation Web Portal
Federation core
Online CA
Federation Identity Provider REST API
Browser and rich client access
contrail-project.eu
Architecture – Single Sign-on
6
Cloud Providers
Federation CLI Browser
Federation Web Portal
Federation core
Online CA
Federation Identity Provider REST API
Single Sign-on
Single Sign-on
Single Sign-on
Credentials mapping
contrail-project.eu7
Cloud Providers
Federation CLI Browser
Federation Web Portal
Federation core
Online CA
Federation Identity Provider REST API
Multiple delegation hops
Architecture - Delegation
contrail-project.eu8
• Delegator, delegates authority to another, a delegatee
• Rights that the delegatee inherits can vary e.g.• Identity-based – inherits all the rights of
the user
• Inherit rights to access a single resource
• Some technology options:
• GSI Proxy certificates
• OAuth 1.0 (CILogon), OAuth 2.0?
• Others…
Delegation … but how?
contrail-project.eu
Delegation: technology options• GSI Proxy certificates
•Delegatee inherits all the rights of the user•Custom SSL extensions needed to support verification
• OAuth 1.0•Gained traction in commercial environment: Twitter etc…•Digital signature of HTTP header artifacts – canonicalisation can be problematic
• OAuth 2.0•Simplified flow•Use SSL: no digital signature implementation necessary
•CILogon•Use OAuth to protect a short-lived credential service (SLCS) but based on OAuth 1.0•Delegatees obtain a standard End Entity Certificate
•SLCS + OAuth 2.0 ✔
9
contrail-project.eu
OAuth Flow (1)
10
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
1. User request
BrowserObjective: get delegated credential for portal to make onward requests to the federation core
contrail-project.eu
OAuth Flow (2 3)
11
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
2. Portal requests authorisation for delegation from user
Browser
3. User is redirected to authorisation server
contrail-project.eu
OAuth Flow (4)
12
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
Browser
4. User authenticates and approves the delegation request
contrail-project.eu
OAuth Flow (5)
13
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
Browser
5. Return authorisation grant to portal via a redirect
… redirect back to portal
contrail-project.eu
OAuth Flow (6)
14
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
Browser
6. Portal requests certificate (oauth access token) passing authorisation grant as proof of user approval
contrail-project.eu
OAuth Flow (7)
15
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
Browser
7. Online CA authenticates portal and returns certificate
contrail-project.eu
OAuth Flow (8)
16
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
8. Portal uses certificate to authenticate with core services
Browser
contrail-project.eu
OAuth Flow (9)
17
Cloud Providers
Federation Web Portal[OAuth Client]
Federation core
Online CA[OAuth Resource Server]
Federation Identity Provider
[OAuth Authorisation Server]
Browser
9. Further delegation needed: ‘2-legged’ OAuth
contrail-project.eu
Development Status• Web portal and federation SSO demonstrated with support for:
• SAML
• OpenID
•Command line SSO with shell script client to Short-Lived Credential Service (X.509 EECs)
•Delegation with 2-legged OAuth-like interface, full OAuth to be integrated
18
contrail-project.eu
Technology used Federation Web
User interface: Python 2.7+ / Django 1.4 / buildout / Apache2
SAML2: Djangosaml2 v0.5 OpenID: Django-authopenid
Federation IdP IdP: SimpleSAMLphp 1.9 rc2 User DB: Java 6 / JPA subclipse / Tomcat
contrail-project.eu
Conclusion Single sign-on support with:
Browser: SAML2 and OpenID
Other client: X.509 short-lived end entity certificates
Delegation with OAuth 2.0 protected Short-Lived Credential Service
Can we offer Federation-in-a-box or federation-as-a-service ?
=> Federated access to resources, building on existing identity federations.
contrail-project.eu
Contrail collaborations• Contrail evaluation with:
• EUDAT, CLARIN, ENES• EGI federated cloud task force • Climate science and Earth Observation
communities: OAuth solution for workflows• OGF groups
• FEDSEC-CG: federated identity for grids and clouds• IDEL-WG: working group on identity delegation
• Cloud security activities• ... Moonshot
contrail-project.eu22
Funded under: FP7 (Seventh Framework Programme)Area: Internet of Services, Software & virtualization (ICT-2009.1.2)Project reference: 257438Total cost: 11,29 million euroEU contribution: 8,3 million euroExecution: From 2010-10-01 till 2013-09-30Duration: 36 monthsContract type: Collaborative project (generic)
contrail is co-funded by the EC 7th Framework Programme