INDIGO AAI An overview and status update!

Similar documents
INDIGO-Datacloud Identity and Access Management Service

Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

INDIGO-DataCloud Architectural Overview

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

AAI in EGI Current status

[GSoC Proposal] Securing Airavata API

Storage Management in INDIGO

2. HDF AAI Meeting -- Demo Slides

Guidelines on non-browser access

AARC Blueprint Architecture

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Partner Center: Secure application model

The EGI AAI CheckIn Service

Federated access to e-infrastructures worldwide

RCauth.eu / MasterPortal update

WP JRA1: Architectures for an integrated and interoperable AAI

EUDAT. Towards a pan-european Collaborative Data Infrastructure

Sentinet for BizTalk Server SENTINET

Authentication. Katarina

SAP Security in a Hybrid World. Kiran Kola

dcache integration into HDF

Sentinet for Windows Azure VERSION 2.2

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

5 OAuth EssEntiAls for APi AccEss control layer7.com

Tutorial: Building the Services Ecosystem

Sentinet for Microsoft Azure SENTINET

Technical Overview. Version March 2018 Author: Vittorio Bertola

SLCS and VASH Service Interoperability of Shibboleth and glite

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

Federated Services for Scientists Thursday, December 9, p.m. EST

The computing architecture for the ISOLPHARM_Ag project. Lisa Zangrando. Lisa Zangrando INFN-PD

API Security Management with Sentinet SENTINET

FeduShare Update. AuthNZ the SAML way for VOs

Allowing the user to define the attribute release 21 May 2014

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

5 OAuth Essentials for API Access Control

An integrated IaaS and PaaS architecture for scientific computing

Deliverable D3.5 Harmonised e-authentication architecture in collaboration with STORK platform (M40) ATTPS. Achieving The Trust Paradigm Shift

A solution for Access Delegation based on SAML. Ciro Formisano Ermanno Travaglino Isabel Matranga

Federated Identities and Services: the CHAIN-REDS vision

Federated Authentication with Web Services Clients

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

Liferay Security Features Overview. How Liferay Approaches Security

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

CIAM: Need for Identity Governance & Assurance. Yash Prakash VP of Products

Office 365 and Azure Active Directory Identities In-depth

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

The SciTokens Authorization Model: JSON Web Tokens & OAuth

CAS s IDP system and resources in Education Cloud

openid connect all the things

SAML-Based SSO Solution

Warm Up to Identity Protocol Soup

Single Sign-On Best Practices

Introduction to SciTokens

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, April 2018

Intro to the Identity Experience Engine. Kim Cameron, Microsoft Architect of Identity ISSE Paris November 2016

Single Sign-On for PCF. User's Guide

OpenIAM Identity and Access Manager Technical Architecture Overview

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

SA1 CILogon pilot - motivation and setup

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Overview SENTINET 3.1

Integration Patterns for Legacy Applications

SAML-Based SSO Solution

A RESTful Approach to Identity-based Web Services

API Security Management SENTINET

GLOBUS TOOLKIT SECURITY

Sentinet for BizTalk Server VERSION 2.2

Challenges in Authenticationand Identity Management

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

The Modern Web Access Management Platform from on-premises to the Cloud

OPENID CONNECT 101 WHITE PAPER

dcache: challenges and opportunities when growing into new communities Paul Millar on behalf of the dcache team

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Securing Modern API and Microservice Based Applications by Design A closer look at security concerns for modern applications Farshad Abasi / Forward

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

CA SSO Cloud-Enabled with SSO/Rest

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

WSO2 Identity Management

DARIAH-AAI. DASISH AAI Meeting. Nijmegen, March 9th,

User Management. Juan J. Doval DEIMOS SPACE S.L.U. NextGEOSS, September 25 th 2017

Identity Provider for SAP Single Sign-On and SAP Identity Management

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

Authorization Strategies for Virtualized Environments in Grid Computing Systems

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

Novell Access Manager 3.1

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

Microsoft Graph API Deep Dive

A Guanxi Shibboleth based Security Infrastructure for e-social Science

SAP IoT Application Enablement Best Practices Authorization Guide

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Ramnish Singh IT Advisor Microsoft Corporation Session Code:

Grid Middleware and Globus Toolkit Architecture

What Does Logout Mean?

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

API Gateway. Version 7.5.1

Transcription:

RIA-653549 INDIGO DataCloud INDIGO AAI An overview and status update! Andrea Ceccanti (INFN) on behalf of the INDIGO AAI Task Force! indigo-aai-tf@lists.indigo-datacloud.org

INDIGO Datacloud An H2020 project approved in January 2015 in the EINFRA-1-2014 call 11 M 30 Months (Apr. 2015 -> Sept. 2017) Who: 26 partners from 11 European countries What: develop an open source platform for computing and data targeted at multi-disciplinary scientific communities Where: provisioned over hybrid (public and private) e-infrastructures 2

INDIGO objectives Provide seamless access to data and computing provisioned over private, public or hybrid e- infrastuctures Leverage and extend current Cloud technologies, fill the gaps, provide tools and services to support scientists, software developers, resource providers and e-infrastructures for the efficient exploitation of computing, data and network technologies: Better software for better science 3

The INDIGO approach Based on Open Source solutions widely supported by big communities whenever possible exploit general solutions instead of specific tools/services increased sustainability ensure that the framework offered to final users, as well as to developers, will have a low learning curve ease of adoption and integration 4

Example use case scenario Computational Portal as a service 5

Example use case scenario Computational Portal as a service A scientific community has an application (or a set of them) that should be accessed through a portal, and: Requires a dynamically instantiated batch queue as a back-end Exhibits unpredictable workload Supports multiple access profiles Should be deployable through Cloud providers, with features such as redundancy and elasticity May require cloud-bursting to other infrastructures Should support access to external reference data and data local to the application, which must be accessible in a distributed way 6

The AAI problem Heterogeneous authentication/authorization mechanisms but we need common AAI ground, persistent identifiers, support for delegation, easy integration in services To be effective, security should not impact usability we need support for federated identities We need AAI solutions that allow our users to manage authentication and authorization on dynamically provisioned resources in a secure way Without being security experts! INDIGO-DataCloud RIA-653549 7

INDIGO AAI: approach How can we have common AuthN and AuthZ primitives that just work across several distributed infrastructures? Which tools should we provide to our users so that they have complete control on how AuthN and AuthZ is configured and performed on the resources (assembled from distributed providers) they will use for their research? How do we avoid reinventing the wheel? How do we exploit what is already available, leverage existing standards and ensure that what we develop is sustainable? INDIGO-DataCloud RIA-653549 8

INDIGO AAI: main challenges Authentication/Identity Supporting federated authn mechanism Persistent INDIGO identifier Offline access Authorization Orthogonal to AuthN Attribute-based Dynamic Consistent across heterogeneous infrastructure Delegation 9

INDIGO AAI architecture 10

Authentication Slide courtesy of Paul Millar 11

Identity layer challenges Support multiple AuthN mechanisms SAML, OpenID-Connect, X.509 Harmonise Identities One INDIGO identity linked to multiple user authn mechanisms Persistent INDIGO identity identifier Link group membership and other attributes to INDIGO identity similarly to what VOMS does with VO attributes and X.509 certificates, but in a way that is orthogonal to the AuthN mechanism used 12

Identity in INDIGO The INDIGO identity layer speaks OpenID-connect The INDIGO Identity and Access Management Service is an OIDC provider Authenticates users with supported AuthN mechanism SAML, X.509, OIDC Provides to RP access to identity information through standard OIDC interfaces Can be seen as a first credential translation step 13

Why OpenID connect Standard and widely adopted in industry Don t reinvent the wheel Reduced integration complexity in relying services Lots of things we need are covered and standardized Dynamic Registration of clients/relying parties Token revocation Discovery Session management Distributed/Aggregated claims Mobile-friendly 14

INDIGO AuthN flow Access service INDIGO Service Marcus wants to access some service at INDIGO service Home IdP Indigo IAM

INDIGO AuthN flow Access service INDIGO Service INDIGO Services sees that Marcus is not authenticated, and redirects him to INDIGO IAM for authentication Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service redirect to IAM for AuthN Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service redirect to IAM for AuthN IAM lets Marcus choose how he wants to authenticate Marcus chooses his Home IdP Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service redirect to home IdP for AuthN Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service Home IdP authenticates Marcus and sends back an AuthN assertion Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service IAM validates assertion. Marcus is now authenticated at IAM. Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service send back to IS OIDC authz code Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service exchange authz code for OIDC ID-token access token Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service IS validates ID-Token. Marcus is now authenticated at IS Home IdP Indigo IAM

INDIGO AuthN flow INDIGO Service IS requests additional profile information about Marcus from IAM user info endpoint Home IdP Indigo IAM

IAM Status Implementation based on the Mitre OpenID connect server reference implementation https://github.com/mitreid-connect/openid-connect- Java-Spring-Server Certified open source OIDC server implementation Actively maintained also used as the base of the Shibboleth IdP OIDC implementation Main OIDC functionality covered Token issuing and management, Client registration/discovery, Scope management Simple and usable management web application provided 26

IAM Authentication status OAuth client/token/consent management Local username/password authentication External SAML IdP authentication Identity orthogonal to AuthN Group information available via OIDC External OIDC IdP authentication Certificate authentication AuthN mechanism exposed via OIDC done done done done done in progress in progress in progress 27

IAM Authentication status OAuth client/token/consent management Local username/password authentication External SAML IdP ETA: authentication June release Identity orthogonal to AuthN Group information available via OIDC External OIDC IdP authentication Certificate authentication AuthN mechanism exposed via OIDC done done done done done in progress in progress in progress 27

Authorization Slide courtesy of Paul Millar 28

Authorization challenges Consistency Provide solutions to dynamically define, propagate, compose and enforce authorization policies on resources at various levels of the infrastructure Scalability in a scalable way Manageability supporting cross-organizational user, group and privilege management as well as enrollment and registration flows Integration in a way that produces minimal integration friction in services 29

Authorization challenges Consistency Provide solutions to dynamically define, propagate, compose and enforce authorization policies on resources at various levels of the infrastructure Scalability in a scalable way Manageability supporting cross-organizational user, group and privilege management as well as enrollment and registration flows Integration in a way that produces minimal integration friction in services 30

AuthZ in INDIGO: OAuth 2 A standard framework for delegated authorization to access HTTP protected resources Decouples AuthZ from AuthN Natural solution for delegated authorization in HTTP services 31

Authorization in INDIGO INDIGO services are HTTP APIs protected by an OAuth Authorization Service In order to access resources, a client needs an access token OAuth scopes used to target the token to specific APIs/ services provide hints for finer grained authz Identity layer provides other attributes as base for AuthZ decisions 32

Scope-based authorization Each service registers the supported scopes when it registers at the authorization server (AS) The AS maintains policies that determine which client is authorized to request a given scope The request for a given scope is authorized by the user through the OAuth consent mechanism but is possible to define trusted, whitelisted client services for which user consent is not requested Authorization is enforced at the target service considering scopes and other relevant information 33

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Access SG Job Scheduler SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Redirect for AuthN & consent Job Scheduler SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Authorization requested Scientific Gateway would like to: Registered Scopes js:submit_job js:cancel_job ss:read ss:write Redirect for AuthN & consent know your identity submit jobs on JS on your behalf read files from SS on your behalf write files on SS on your behalf Cancel Accept SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Returned id token & access token Job Scheduler SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Submit job Job Scheduler SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Submit job Job Scheduler Job scheduling is authorized by the js:submit_job scope SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Job Scheduler Read job output data SG Science Gateway Storage Service

Scope-based authorization Indigo IAM Registered Scopes js:submit_job js:cancel_job ss:read ss:write Job Scheduler Read job output data Data access is authorized by the ss:read scope SG Science Gateway Storage Service

Fine-grained authorization OAuth scope-based AuthZ provides a first coarse grained authorization step Finer-grained authorization can be implemented at services on top of this step taking into account User identity attributes Service authorization policies Collaboration/VO policies Consistent authorization across services is enabled by callouts to the Argus authorization service 40

Fine-grained authorization Indigo IAM Authz! Service Collaboration Policies Policy distribution Read job output data Storage service SG Science Gateway AuthZ Callout Authz! Service Local Policies

Authorization status OAuth2 authorization First level of access control; Mitre OAuth2 implementation already provides most of what is needed for INDIGO use cases Some development now focused on filling the gaps e.g., providing the concept of service groups, in order to simplify OAuth scope management Fine-grained attribute-based authorization Implemented @ services on attributes provided by the OIDC identity layer; really service-dependent Consistency across services via callout to Argus is the scope of the second year of the project 42

Delegation 43

OAuth delegation 44

OAuth chained delegation? 45

OAuth token exchange OAuth flow to implement chained delegation among services! Under standardization Supports impersonation and delegation 46

IAM OAuth token exchange MitreID connect already has some non-standard form of chained delegation, which however does not (in its current form) solve our use cases i.e. delegate offline access to identity information across services Plan is to extend MitreID connect implementation with a subset of the OAuth token exchange standard i.e., the minimum functionality needed to support our use cases! ETA: June 47

The Token Translation Service What about integration with services that do not speak OpenIDconnect? The INDIGO Token Translation Service (TTS) maps INDIGO identity & attributes to external service credentials provides an extensible plugin-based architecture, and will initially support translations to ssh keypair S3 keys X.509 certificate 48

Timeline Architectural and design deliverables done See https://www.indigo-datacloud.eu/documents-deliverables for all INDIGO deliverables! Development activities ongoing! First official INDIGO release expected end of July, 2016 but we will start make available services as soon as they are ready enough to be tested 49

Thanks! Questions?! indigo-aai-tf@lists.indigo-datacloud.eu! 50

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback