Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Similar documents
Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Authentication in the Cloud. Stefan Seelmann

INDIGO AAI An overview and status update!

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

OAuth and OpenID Connect (IN PLAIN ENGLISH)

How to use or not use the AWS API Gateway for Microservices

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Configuration Guide - Single-Sign On for OneDesk

SAML-Based SSO Solution

INDIGO-Datacloud Identity and Access Management Service

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

Authentication. Katarina

WSO2 Identity Management

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

SAML-Based SSO Solution

2. HDF AAI Meeting -- Demo Slides

The EGI AAI CheckIn Service

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Warm Up to Identity Protocol Soup

Single Sign-On for PCF. User's Guide

Single Sign-On Best Practices

AUTHENTICATION AND AUTHORIZATION: TWO SECURITY ESSENTIALS THAT WORK TOGETHER

XSEDE Iden ty Management Use Cases

Unified Secure Access Beyond VPN

API Gateway. Version 7.5.1

Container-Native Applications

ArcGIS Server and Portal for ArcGIS An Introduction to Security

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Tutorial: Building the Services Ecosystem

openid connect all the things

Guidelines on non-browser access

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Technical Overview. Version March 2018 Author: Vittorio Bertola

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

Introduction to SciTokens

API Security Management with Sentinet SENTINET

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Integration Patterns for Legacy Applications

Easily Secure your Microservices with Keycloak. Sébastien Blanc Red

SAP IoT Application Enablement Best Practices Authorization Guide

5 OAuth EssEntiAls for APi AccEss control layer7.com

Building the Modern Research Data Portal. Developer Tutorial

[GSoC Proposal] Securing Airavata API

SAP Security in a Hybrid World. Kiran Kola

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

API Security Management SENTINET

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Check to enable generation of refresh tokens when refreshing access tokens

Allowing the user to define the attribute release 21 May 2014

Red Hat Single Sign-On 7.1 Authorization Services Guide

Web Based Single Sign-On and Access Control

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018

ForgeRock Access Management Customization and APIs

5 OAuth Essentials for API Access Control

Authentication & Authorization systems developed for CTA

Liferay Security Features Overview. How Liferay Approaches Security

Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway

Securing APIs and Microservices with OAuth and OpenID Connect

Access Manager 4.4 Release Notes

OPENID CONNECT 101 WHITE PAPER

Your Auth is open! Oversharing with OpenAuth & SAML

Sentinet for BizTalk Server SENTINET

AARC Blueprint Architecture

Qualys SAML & Microsoft Active Directory Federation Services Integration

Access Manager 4.4 Service Pack 3 Release Notes

Access Management Handbook

Salesforce External Identity Implementation Guide

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Open standards: Open authentication and Identity Management tool

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Horizon Workspace Administrator's Guide

Salesforce External Identity Implementation Guide

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

SLCS and VASH Service Interoperability of Shibboleth and glite

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

penelope case management software AUTHENTICATION GUIDE v4.4 and higher

SOCIAL IDENTITIES IN HIGHER ED: WHY AND HOW WITH REAL-WORLD EXAMPLES

DreamFactory Security Guide

Salesforce External Identity Implementation Guide

Deploying OAuth with Cisco Collaboration Solution Release 12.0

Configure Unsanctioned Device Access Control

Cloud Access Manager Configuration Guide

Real-world security analyses of OAuth 2.0 and OpenID Connect

All about SAML End-to-end Tableau and OKTA integration

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Administering Jive Mobile Apps for ios and Android

Author: Nils Meulemans, CTO. Date: June 7, Version: 2.1

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Configuring Apache Knox SSO

OpenIAM Identity and Access Manager Technical Architecture Overview

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

Oracle Mobile and Social Access Management

THE ESSENTIAL OAUTH PRIMER: UNDERSTANDING OAUTH FOR SECURING CLOUD APIS

API Manager Version May User Guide

Exostar Identity Access Platform (SAM) User Guide September 2018

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Directory Integration with Okta. An Architectural Overview. Okta Inc. 301 Brannan Street San Francisco, CA

Single Sign-On (SSO)Technical Specification

Transcription:

Best Practices: Authentication & Authorization Infrastructure Massimo Benini HPCAC - April, 03 2019

Agenda - Common Vocabulary - Keycloak Overview - OAUTH2 and OIDC - Microservices Auth/Authz techniques AAI @CSCS 2

Common Vocabulary part1 Authentication: is a process of identifying an individual, usually based on a username and password. Authorization: is the process of giving someone the permission to do something. It needs the valid user's identification to check whether that user is authorized or not. Identity Provider (IdP): A trusted provider of identity information. This may be backed by LDAP, SQL, AD, or Mongo. The identity provider is able to construct user attributes into Assertions or Claims. Service Provider (SP): A service that consumes identity information. Many web applications that utilize single sign-on are examples of service providers. SAML: An XML-based standard approach to federated identity. The resultant document that contains user attributes is called an Assertion. OAUTH2 and OpenID Connect: A newer standard approach to federated identity. Leverages OAuth 2.0, and ditches XML in favor of JSON. The resultant information about the user is called a Claim. Assertions and Claims: A standard method of representing information and attributes about a user. An identity provider may issue Assertions or Claims, based on the standard they use, for service providers to consume. AAI @CSCS 3

What is Keycloak? Identity Solution for Modern Applications, Services and APIs. Integrated SSO and IAM for browser apps and RESTful Web Services. Keycloak provides: Single-Sign On Identity Brokering and Social Login User Federation Client Adapters Admin Console Account Management Console AAI @CSCS 4

What is Keycloak? Keycloak integrates with: LDAPs / RDBMSs / Custom user storage. External Identity Providers. Kerberos. Social Providers (google, facebook, stackoverflow,..). Relies on standards: OpenID Connect (Keycloak is OIDC Authorisation Server and uses this standard in its client adapters). SAML 2 (Keycloak is SAML2 IdP and provides SAML2 SP libraries). Provides Web SSO integration. extensive Management UI: Self-Registration, Forgot Password, Verify User/Email, TOTP, various Verification (Work-)Flows, Customer Attributes, Custom Themes, Impersonation, etc.. AAI @CSCS 5

Identity Brokering Intermediary service, connects multiple service providers with different identity providers. The IB is responsible for creating a trust relationship with external IdPs in order to use its identities to access internal services exposed by SPs. Enables Federation between peers sites. (ICEI project). AAI @CSCS 6

Keycloak at CSCS Introduced by RedHat as solution for integrating Openstack Keystone with CSCS s AAI infrastructure (Kerberos+LDAP). Adoption due to the capacity to solve the problem with keystone but also for the potentiality of the product (Federation). Needed a identity solution for modern applications, (Micro)services and APIs. Effort to integrate new services into one source of authentication. AAI @CSCS 7

Keycloak admin console AAI @CSCS 8

keycloak account management console AAI @CSCS 9

Federation initiative: Deliver federated compute and data services to European researchers by aggregating capacity from multiple resource providers and enabling access from existing community platforms. The federation needs to rely on a robust and reliable Authentication and Authorization Infrastructure (AAI), a trustworthy environment where users can be managed and granted to access resources securely and as seamlessly as possible. Two services, a Central IdP (SATOSA) which is responsible to proxy authentication requests among federated IdPs, and an Attributes Provider (FURMS) managing users authorization through budget allocation, groups and roles. CEA Visit 10

OAUTH Lot of confusion about OAUTH Jargons and often incorrect advice on the web A little bit of history: Identity use case pre 2006/2007: Simple logins (forms and cookies) Single Sign-On across sites (SAML) New use cases: mobile app login Delegated authorization: How can I let a website access my data without giving it my password? OAuth is an open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords. The OAuth 2.0 Framework describes patterns for granting authorization but does not define how to actually perform authentication. AAI @CSCS 11

First attempts to solve delegated authorization AAI @CSCS 12

Common Vocabulary part2 Resource Owner: is defined as an entity having the ability to grant access to their own data hosted on the resource server. When the resource owner is a person, it is called the end-user. Client: is an application making protected resource requests to perform actions on behalf of the resource owner. Authentication Server: gets permission from the resource owner and distributes the access tokens to clients, to access protected resource hosted by the resource server. Resource Server: API server that can be used to access the user's information. It has the capability of accepting and responding to protected resource requests with the help of access tokens. Redirect URI: callback where the Authentication Server redirect the browser after being authenticated. Authorization Token: An intermediary token generated when a user authorizes a client to access protected resources on their behalf. The client receives this token and exchanges it for an access token. Access Token: A token used to access protected resources. Scope: are permissions. how we define and apply fine-grained access control to individual resources, information, or actions available in our system. AAI @CSCS 13

OAUTH 2 Authorization code flow AAI @CSCS 14

OpenID Connect (OIDC) Strictly defines an ID Token for returning user information and userinfo endpoint. The scopes are defined as openid, profile, email, address and phone, and each grants access to that specific information. If you use any scope beyond those, you re beyond the OIDC specification and back into general Oauth. OIDC is just a special, simplified case of OAuth, not a replacement. It uses the same terminology and concepts. It s a way to standardize authentication over Oauth. AAI @CSCS 15

OpenID Connect flow Hello Massimo! AAI @CSCS 16

Demo simple oidc web app AAI @CSCS 17

Anatomy of a JWT AAI @CSCS 18

API Gateway - Kong All requests from clients first go through the API Gateway. It then routes requests to the appropriate microservice Security (authentication and potentially authorization) Mnaging access quotas and throttling Caching (proxy statements and cache) API composition and processing Rete limiting API health monitoring (performance monitoring) CEA Visit 19

KS-proxy Proxy that masks a 2-step authentication process (SAML in this case, but OIDC is similar) behind a regular username/password authentication. By deploying this "companion" service, you can use the standard keystone regularly and point to this service only whenever you have a client that does not implement the two steps. Limitations: you can only use it with one single federated IdP CEA Visit 20

Conclusions Tokens: in modern security standards are all about them. Decoupling authentication / authorization (OIDC authentication code flow). Claims contain any additional information needed and have defined timeline, tokens can be invalidated or managed in central manner. Delegation of authentication to dedicated and trusted server / provider. AAI @CSCS 21

Thank you for your attention.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback