Contrail and Federated Identity Management

Philip Kershaw, RAL Space, STFC; Jens Jensen, e-Science, STFC (and others: XLab, CNR, INRIA …)

contrail is co-funded by the EC 7th Framework Programme


Page 1: Contrail and Federated Identity Management

Contrail and Federated Identity Management

Philip Kershaw, RAL Space, STFC
Jens Jensen, e-Science, STFC
(and others: XLab, CNR, INRIA …)

contrail is co-funded by the EC 7th Framework Programme

Page 2

contrail-project.eu

Outline
• Contrail overview and goals
• Architecture
• Single sign-on
• Delegation requirements
• Delegation solutions
• OAuth flow
• Conclusions
• Collaborations

Page 3

Contrail Overview and Goals
• EC FP7 Project, led by INRIA, 36 months, completes Sept 2013
• Federation of cloud providers
• Federation with external IdPs
• “Elastic” CAs for dynamically created services
• Autonomous SLA management from SLA@SOI project
• IaaS and PaaS integration
• Reuse of existing open standards: OVF, OCCI, CDMI, WS-Security, SLA@SOI models

Page 4

Contrail Overview and Goals (same bullets as Page 3, with the summary added)

Federated access to resources, building on existing identity federations

Page 5

Architecture

[Diagram: Federation of Cloud Providers; Federation CLI and Browser clients; Federation Web Portal; Federation core; Online CA; Federation Identity Provider; REST API. Caption: Browser and rich client access.]

Page 6

Architecture – Single Sign-on

[Diagram: the Page 5 components (Cloud Providers, Federation CLI and Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API), with three “Single Sign-on” labels and a “Credentials mapping” label.]

Page 7

Architecture – Delegation

[Diagram: the Page 5 components (Cloud Providers, Federation CLI and Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API), annotated “Multiple delegation hops”.]

Page 8

Delegation … but how?
• Delegator delegates authority to another, a delegatee
• Rights that the delegatee inherits can vary, e.g.
  • Identity-based: inherits all the rights of the user
  • Inherit rights to access a single resource
• Some technology options:
  • GSI Proxy certificates
  • OAuth 1.0 (CILogon), OAuth 2.0?
  • Others…

Page 9

Delegation: technology options
• GSI Proxy certificates
  • Delegatee inherits all the rights of the user
  • Custom SSL extensions needed to support verification
• OAuth 1.0
  • Gained traction in commercial environment: Twitter etc.
  • Digital signature of HTTP header artifacts – canonicalisation can be problematic
• OAuth 2.0
  • Simplified flow
  • Use SSL: no digital signature implementation necessary
• CILogon
  • Use OAuth to protect a short-lived credential service (SLCS), but based on OAuth 1.0
  • Delegatees obtain a standard End Entity Certificate
• SLCS + OAuth 2.0 ✔
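To make the canonicalisation point on this slide concrete, here is an added example (not Contrail project code) that builds the RFC 5849 signature base string and HMAC-SHA1 signature the way OAuth 1.0 requires: parameters from the query string, form body and Authorization header are decoded, re-encoded with the RFC 3986 unreserved set, sorted and joined before anything is signed. The request values are those of RFC 5849 section 3.4.1.1; the secrets and the second, differently encoded copy of the same request are constructed here to show that two equivalent requests sign identically only after normalisation, which is where interoperability failures between clients and servers tend to surface.

```python
"""OAuth 1.0 (RFC 5849) signature base string and HMAC-SHA1 signature.
Added example, not Contrail code.  It shows the canonicalisation step the slide
calls problematic: every parameter from the query string, form body and
Authorization header is decoded, re-encoded with the RFC 3986 unreserved set,
sorted, and only then signed.  Request values follow RFC 5849 section 3.4.1.1;
the secrets and the alternative encoding of the same request are constructed."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(s):
    """RFC 5849 section 3.6 encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(s, safe="-._~")


def base_uri(url):
    """Section 3.4.1.2: lowercase scheme and host, drop default port, query and fragment."""
    p = urlsplit(url)
    host = p.hostname or ""
    default = (p.scheme == "http" and p.port == 80) or (p.scheme == "https" and p.port == 443)
    if p.port and not default:
        host = f"{host}:{p.port}"
    return urlunsplit((p.scheme, host, p.path, "", ""))


def collect_params(url, body, oauth_params):
    """Section 3.4.1.3.1: decoded (name, value) pairs from all three sources.
    'realm' and the signature itself are never part of the signed material."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body or "", keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("realm", "oauth_signature")]
    return pairs


def normalize_params(pairs):
    """Section 3.4.1.3.2: encode name and value, sort by name then value, join."""
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    return "&".join(f"{k}={v}" for k, v in encoded)


def signature_base_string(method, url, body, oauth_params):
    """Section 3.4.1.1: METHOD & enc(base URI) & enc(normalized parameters)."""
    params = normalize_params(collect_params(url, body, oauth_params))
    return "&".join([method.upper(), pct(base_uri(url)), pct(params)])


def naive_base_string(method, url, body):
    """What a careless implementation signs: raw bytes, no decode/re-encode/sort.
    Two equivalent requests then yield different strings and verification fails."""
    return "&".join([method.upper(), url, body or ""])


def hmac_sha1_signature(base_string, client_secret, token_secret=""):
    """Section 3.4.2: the key is enc(client secret) & enc(token secret)."""
    key = f"{pct(client_secret)}&{pct(token_secret)}".encode()
    mac = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


# Request from RFC 5849 section 3.4.1.1 (realm is present but must be ignored).
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"realm": "Example", "oauth_consumer_key": "9djdj82h48djs9d2",
             "oauth_token": "kkk9d7dh3k39sjv7", "oauth_signature_method": "HMAC-SHA1",
             "oauth_timestamp": "137131201", "oauth_nonce": "7d8f3e4a"}
# The same request, differently encoded (constructed): uppercase host, explicit
# default port, '+' for space in the query and '%20' in the body, parameters reordered.
ALT_URL = "http://EXAMPLE.com:80/request?a2=r+b&a3=a&c%40=&b5=%3D%253D"
ALT_BODY = "a3=2%20q&c2="
# Secrets are constructed for this example.
CLIENT_SECRET, TOKEN_SECRET = "example-client-secret", "example-token-secret"
```

Run `signature_base_string("POST", RFC_URL, RFC_BODY, RFC_OAUTH)` and the same call with `ALT_URL`/`ALT_BODY`: both yield the base string from the RFC, while `naive_base_string` gives two different strings for the two encodings. That gap is the canonicalisation problem the slide refers to; OAuth 2.0 sidesteps it by relying on the TLS channel instead of signing request artifacts.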

Page 10

OAuth Flow (1)

Objective: get delegated credential for portal to make onward requests to the federation core

[Diagram: Browser; Federation Web Portal [OAuth Client]; Federation core; Online CA [OAuth Resource Server]; Federation Identity Provider [OAuth Authorisation Server]; Cloud Providers.]

1. User request

Page 11

OAuth Flow (2, 3)

[Diagram: OAuth roles as on Page 10.]

2. Portal requests authorisation for delegation from user
3. User is redirected to authorisation server

Page 12

OAuth Flow (4)

[Diagram: OAuth roles as on Page 10.]

4. User authenticates and approves the delegation request

Page 13

OAuth Flow (5)

[Diagram: OAuth roles as on Page 10.]

5. Return authorisation grant to portal via a redirect … redirect back to portal

Page 14

OAuth Flow (6)

[Diagram: OAuth roles as on Page 10.]

6. Portal requests certificate (OAuth access token) passing authorisation grant as proof of user approval

Page 15

OAuth Flow (7)

[Diagram: OAuth roles as on Page 10.]

7. Online CA authenticates portal and returns certificate

Page 16

OAuth Flow (8)

[Diagram: OAuth roles as on Page 10.]

8. Portal uses certificate to authenticate with core services

Page 17

OAuth Flow (9)

[Diagram: OAuth roles as on Page 10.]

9. Further delegation needed: ‘2-legged’ OAuth
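The nine steps above, as an added example that is not part of the original deck or of the Contrail code base: a toy Python model of the OAuth 2.0 authorisation-code flow with the Federation Identity Provider as authorisation server, the Online CA as resource server and the Federation Web Portal as client. The "certificate" it issues is an HMAC-signed stand-in for the X.509 end entity certificate the Online CA would actually produce, the parties pass dicts instead of HTTPS messages, and every client id, secret, URL and user name is constructed. What it shows is the set of checks each party has to make for the delegation to stay bounded: the redirect URI is bound to the registered client, the state ties the redirect to the browser session that started it, the grant is single-use and short-lived, the portal is authenticated before anything is issued, and the credential carries its own lifetime. Step 9 (onward 2-legged delegation) is not modelled.

```python
"""Toy model of the OAuth 2.0 authorisation-code flow protecting a short-lived
credential service (SLCS), following steps 1-8 of the OAuth Flow slides.
Added example, not Contrail code.  The parties are plain Python objects passing
dicts rather than HTTPS messages, and the "certificate" is an HMAC-signed
stand-in for the X.509 EEC a real Online CA issues.  All ids, secrets, URLs and
user names are constructed."""
import hashlib
import hmac
import json
import secrets
import time

CODE_LIFETIME = 60          # seconds an authorisation grant stays redeemable
CERT_LIFETIME = 12 * 3600   # a short-lived credential, not the user's full identity


class AuthorisationServer:
    """Federation IdP in the OAuth Authorisation Server role (steps 3-5)."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.clients = {}   # client_id -> (client_secret, registered redirect_uri)
        self.codes = {}     # code -> grant record; removed on first redemption

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorise(self, client_id, redirect_uri, scope, state, user, approved):
        """Step 4: the user has authenticated and decided; mint a single-use code."""
        _, registered = self.clients[client_id]
        if redirect_uri != registered:   # grants only ever go to the registered URI
            raise ValueError("redirect_uri does not match registration")
        if not approved:
            return {"error": "access_denied", "state": state}
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "user": user, "expires": self.clock() + CODE_LIFETIME}
        return {"code": code, "state": state}   # step 5: carried back by the redirect

    def redeem(self, code, client_id, client_secret, redirect_uri):
        """Steps 6-7: authenticate the client, then consume the grant exactly once."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("client authentication failed")
        grant = self.codes.pop(code, None)   # pop: a replayed code is gone already
        if grant is None or grant["expires"] < self.clock():
            raise PermissionError("unknown, replayed or expired grant")
        if grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri:
            raise PermissionError("grant was issued to a different client")
        return grant


class OnlineCA:
    """OAuth Resource Server: turns a redeemed grant into a short-lived credential."""
    def __init__(self, auth_server, signing_key, clock=time.time):
        self.auth, self.key, self.clock = auth_server, signing_key, clock

    def _sign(self, body):   # stand-in for X.509 signing (constructed)
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canon, hashlib.sha256).hexdigest()

    def issue(self, code, client_id, client_secret, redirect_uri):
        """Step 7: portal authenticated and grant checked before anything is issued."""
        grant = self.auth.redeem(code, client_id, client_secret, redirect_uri)
        if grant["scope"] != "slcs:certificate":
            raise PermissionError("grant does not cover certificate issuance")
        now = int(self.clock())
        body = {"subject": grant["user"], "delegate": client_id,
                "not_before": now, "not_after": now + CERT_LIFETIME}
        return {"body": body, "sig": self._sign(body)}

    def verify(self, cert):
        """Step 8: what a core service checks before trusting the credential."""
        if not hmac.compare_digest(cert["sig"], self._sign(cert["body"])):
            return False
        return cert["body"]["not_before"] <= self.clock() <= cert["body"]["not_after"]


class Portal:
    """Federation Web Portal in the OAuth Client role (steps 1-2, 5-6, 8)."""
    def __init__(self, client_id, client_secret, redirect_uri):
        self.client_id, self.secret, self.redirect_uri = client_id, client_secret, redirect_uri
        self.pending = {}   # state -> browser session that started the request

    def start(self, session):
        """Step 2: build the authorisation request; state binds the redirect to this session."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = session
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "scope": "slcs:certificate", "state": state}

    def callback(self, response, ca):
        """Steps 5-6: accept the redirect only if its state is ours, then fetch the certificate."""
        if self.pending.pop(response.get("state"), None) is None:
            raise PermissionError("unknown state: not a redirect this portal initiated")
        if "code" not in response:
            raise PermissionError(response.get("error", "no grant returned"))
        return ca.issue(response["code"], self.client_id, self.secret, self.redirect_uri)


def run_flow():
    """Happy path plus two refused misuses (replayed grant, forged redirect)."""
    cid, sec, uri = "federation-portal", "portal-secret-123", "https://portal.example.org/oauth/cb"
    auth = AuthorisationServer()
    auth.register_client(cid, sec, uri)
    ca, portal = OnlineCA(auth, signing_key=b"toy-online-ca-key"), Portal(cid, sec, uri)
    req = portal.start(session="browser-session-1")                             # steps 1-3
    redirect = auth.authorise(req["client_id"], req["redirect_uri"], req["scope"],
                              req["state"], user="alice@example.org", approved=True)  # steps 4-5
    cert = portal.callback(redirect, ca)                                        # steps 6-7
    verified = ca.verify(cert)                                                  # step 8
    try:   # the same grant presented again must be refused
        ca.issue(redirect["code"], cid, sec, uri)
        replay_rejected = False
    except PermissionError:
        replay_rejected = True
    try:   # a redirect with a state the portal never issued is dropped
        portal.callback({"code": "anything", "state": "forged"}, ca)
        bad_state_rejected = False
    except PermissionError:
        bad_state_rejected = True
    return {"subject": cert["body"]["subject"], "verified": verified,
            "replay_rejected": replay_rejected, "bad_state_rejected": bad_state_rejected}
```

Call `run_flow()` to see the portal end up with a credential for `alice@example.org` that the core service accepts, while a replayed grant and a forged redirect are both refused. The lifetime on the credential is what makes this a delegation of bounded scope rather than the identity-based "inherits all the rights of the user" model from Page 8.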

Page 18

Development Status
• Web portal and federation SSO demonstrated with support for:
  • SAML
  • OpenID
• Command line SSO with shell script client to Short-Lived Credential Service (X.509 EECs)
• Delegation with 2-legged OAuth-like interface, full OAuth to be integrated

Page 19

Technology used

Federation Web
• User interface: Python 2.7+ / Django 1.4 / buildout / Apache2
• SAML2: Djangosaml2 v0.5
• OpenID: Django-authopenid

Federation IdP
• IdP: SimpleSAMLphp 1.9 rc2
• User DB: Java 6 / JPA subclipse / Tomcat

Page 20

Conclusion
• Single sign-on support with:
  • Browser: SAML2 and OpenID
  • Other client: X.509 short-lived end entity certificates
• Delegation with OAuth 2.0 protected Short-Lived Credential Service
• Can we offer Federation-in-a-box or federation-as-a-service?

=> Federated access to resources, building on existing identity federations.

Page 21

Contrail collaborations
• Contrail evaluation with:
  • EUDAT, CLARIN, ENES
  • EGI federated cloud task force
  • Climate science and Earth Observation communities: OAuth solution for workflows
• OGF groups
  • FEDSEC-CG: federated identity for grids and clouds
  • IDEL-WG: working group on identity delegation
• Cloud security activities
• ... Moonshot

Page 22

Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT-2009.1.2)
Project reference: 257438
Total cost: 11,29 million euro
EU contribution: 8,3 million euro
Execution: From 2010-10-01 till 2013-09-30
Duration: 36 months
Contract type: Collaborative project (generic)

contrail is co-funded by the EC 7th Framework Programme