
Page 1: Federated Authentication with Web Services Clients

Federated Authentication with Web Services Clients in the context of SAML based AAI federations

Thomas Lenggenhager [email protected]

Mannheim, 8. March 2011

Page 2: Federated Authentication with Web Services Clients

© 2011 SWITCH

Overview

• SAML n-tier Delegation with ECP Profile

• Argus – A scalable Authorization Service

ECP: Enhanced Client or Proxy (ECP) Profile
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
http://saml.xml.org/saml-specifications

2 Federated AuthN with Web Services Clients

Page 3: Federated Authentication with Web Services Clients


SAML n-tier Delegation with ECP Profile

• Allow a Web Portal to make use of delegation to access one or more Web Service Providers (WSP)

• The Web Portal and each WSP is a SAML SP

• Configuration changes required at IdP:

1) Download and install delegation plug-in

2) Add a profile handler for LibertyIDWSFSSOS Profile

3) Change profile config to restrict delegation by Portal to its WSPs.

4) Add a new security policy for Liberty SSOS (a static explicit key signature trust engine)

5) Add a new SingleSignOnService endpoint for the Liberty SSOS in the metadata

…it is not as easy as you would like it to be!


Page 4: Federated Authentication with Web Services Clients


SAML n-tier Delegation with ECP Profile (2)


https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal

A single SAML entity

Page 5: Federated Authentication with Web Services Clients


Where is AuthN required, where AuthZ?

• Authentication could be moved to the edges

• If inner components trust the outer components, no further authentication may be required

• Outer components with WebSSO support could act as gateways to inner components.

• Outer components to pass user attributes to inner components for authorization decisions close to the data access.

• The Authorization Service Argus could play a role in such a scenario


Page 6: Federated Authentication with Web Services Clients


Argus – A scalable Authorization Service

• Argus is an authorization service developed by EGEE / EMI

• Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way

• Argus 1.2 was released in Nov 2010

• Argus 1.3 to be released for EMI-1 in April 2011


EMI: European Middleware Initiative

Page 7: Federated Authentication with Web Services Clients


Argus – Integration & Interoperability


Page 8: Federated Authentication with Web Services Clients


Argus – Integration & Interoperability (2)

•  Integration with lightweight PEP client API

•  Interoperability with direct XACML authorization request (SOAP)

• Common XACML Authorization Profile


Page 9: Federated Authentication with Web Services Clients


Argus Deployment


Page 10: Federated Authentication with Web Services Clients


PAP: Policy Administration Point

• Manages the XACML policies

• Tools for administrators to manage policies

• Simple Policy Language (SPL) hides XACML complexity

• Hierarchical deployment of PAP servers

•  e.g. for global banning


Page 11: Federated Authentication with Web Services Clients


PDP: Policy Decision Point

• XACML engine

• Retrieves policies from PAP

• Receives authorization request from PEP daemon

• Evaluates authorization requests against the policies


Page 12: Federated Authentication with Web Services Clients


PEP daemon: Policy Enforcement Point

• Client/Server architecture

• Processes the client requests

• Applies PIP to incoming requests

•  Extracts data from end-entity certificate

• Processes the client responses

• Applies obligation handler to outgoing responses

•  Determines user and group mapping


Page 13: Federated Authentication with Web Services Clients


PEP client libraries

• Lightweight client libraries to communicate with the PEP daemon

• ANSI C and Java client libraries

• Hides the complexity of XACML


Page 14: Federated Authentication with Web Services Clients


Argus – A Grid Example

• Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way

• A Grid example: Is ‘CN=Peter Pan, DC=example,DC=org’ allowed to submit a job to Computing Element ce.example.com?


Page 15: Federated Authentication with Web Services Clients


Argus – A Grid Example (2)

• Authorization rules (policies) are expressed in XACML

• For most use cases XACML is too abstract

• Argus CLI supports a “simplified policy language”, e.g.: allow user Peter to perform any action on resource my_resource

• Parameterize Policies with attributes, e.g. DN, subject, CA, …

• Manage Policies locally or import from remote repositories

• Combination possible: e.g. local policy & global black list


resource "my_resource" {
    action ".*" {
        rule permit { subject="/DC=org/DC=example/CN=Peter Pan" }
    }
}
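As an added example (not Argus code and not from the slides), here is a small Python parser and evaluator for policies in the SPL form shown above, answering the slide's question "Is user X allowed to perform action Y on resource Z?" for a constructed sample policy that adds a second resource with a deny rule and a CA-based permit. Assumptions of this toy: resource and action patterns are treated as full-match regular expressions, attribute values (subject, ca) as exact strings, and a matching deny overrides a matching permit; the real Argus PDP's combining rules are not reproduced.

```python
import re
# Constructed sample policy in SPL syntax: the slide's rule plus a second resource.
SAMPLE_SPL = '''
resource "my_resource" {
    action ".*" { rule permit { subject="/DC=org/DC=example/CN=Peter Pan" } }
}
resource "ce.example.com" {
    action "job/.*" {
        rule deny { subject="/DC=org/DC=example/CN=Captain Hook" }
        rule permit { ca="/DC=org/DC=example/CN=Example CA" }
    }
}
'''
TOKEN = re.compile(r'("[^"]*")|([A-Za-z_][\w.]*)|([{}=])')  # strings, words, { } =

def tokenize(text):
    """('STR', s) for quoted strings, ('ID', w) for keywords/names, ('P', c) for { } =."""
    return [('STR', s[1:-1]) if s else ('ID', w) if w else ('P', p)
            for s, w, p in TOKEN.findall(text)]

def parse_spl(text):
    """Parse SPL text into a flat list of (resource_re, action_re, effect, {attr: value})."""
    toks, pos, rules = tokenize(text), 0, []
    def take(kind, value=None):            # consume one token after checking kind/value
        nonlocal pos
        if pos >= len(toks) or toks[pos][0] != kind or value not in (None, toks[pos][1]):
            raise SyntaxError(f"expected {value or kind} at token {pos}")
        pos += 1; return toks[pos - 1][1]
    more = lambda: pos < len(toks) and toks[pos] != ('P', '}')   # current block still open?
    while pos < len(toks):
        take('ID', 'resource'); res = take('STR'); take('P', '{')
        while more():
            take('ID', 'action'); act = take('STR'); take('P', '{')
            while more():
                take('ID', 'rule'); effect = take('ID'); take('P', '{'); attrs = {}
                if effect not in ('permit', 'deny'): raise SyntaxError(f"bad effect {effect!r}")
                while more():                  # attr="value" pairs, e.g. subject or ca
                    name = take('ID'); take('P', '='); attrs[name] = take('STR')
                take('P', '}'); rules.append((res, act, effect, attrs))
            take('P', '}')
        take('P', '}')
    return rules

def authorize(rules, subject, action, resource, ca=None):
    """Is `subject` allowed to perform `action` on `resource`? -> Permit/Deny/NotApplicable.
    Toy assumption: full-match regex patterns, exact attribute values, deny overrides."""
    req, hits = {'subject': subject, 'ca': ca}, set()
    for res_re, act_re, effect, attrs in rules:
        applies = re.fullmatch(res_re, resource) and re.fullmatch(act_re, action)
        if applies and all(req.get(k) == v for k, v in attrs.items()): hits.add(effect)
    return 'Deny' if 'deny' in hits else 'Permit' if 'permit' in hits else 'NotApplicable'
```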

Page 16: Federated Authentication with Web Services Clients


Argus Summary

+ Service management on the command line

+ Pluggable architecture, written in Java

+ easy to add new features and deploy

+ Client has simple API in C & Java with virtually no dependencies

+ easy to integrate into new clients

+ All Argus components can be deployed on one single host or on distributed hosts

• Argus Documentation <[email protected]>
https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage
https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI


Page 17: Federated Authentication with Web Services Clients


What's missing?

• A System Security Architect should be tasked to draft a Middleware Architecture for CLARIN
