INDIGO-Datacloud Identity and Access Management Service

Similar documents
Beyond X.509: Token-based Authentication and Authorization with the INDIGO Identity and Access Management Service

INDIGO AAI An overview and status update!

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

The EGI AAI CheckIn Service

API Security Management SENTINET

RCauth.eu / MasterPortal update

Single Sign-On for PCF. User's Guide

API Security Management with Sentinet SENTINET

AARC Blueprint Architecture

openid connect all the things

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

API Gateway. Version 7.5.1

Allowing the user to define the attribute release 21 May 2014

ForgeRock Access Management Customization and APIs

Authentication in the Cloud. Stefan Seelmann

Warm Up to Identity Protocol Soup

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

WSO2 Identity Management

SAP Security in a Hybrid World. Kiran Kola

penelope case management software AUTHENTICATION GUIDE v4.4 and higher

Introduction to SciTokens

OPENID CONNECT 101 WHITE PAPER

Guidelines on non-browser access

Securing Modern API and Microservice Based Applications by Design A closer look at security concerns for modern applications Farshad Abasi / Forward

Technical Overview. Version March 2018 Author: Vittorio Bertola

Building the Modern Research Data Portal. Developer Tutorial

OneLogin SCIM. Table of Contents. Summary... 2 System Requirements... 2 Installation & Setup... 2 Contact Us... 6

Deploying Tableau at Enterprise Scale in the Cloud

Securing APIs and Microservices with OAuth and OpenID Connect

Federated Authentication with Web Services Clients

EGI Check-in service. Secure and user-friendly federated authentication and authorisation

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Management der Virtuellen Organisation DARIAH im Rahmen von Shibboleth- basierten Föderationen. 58. DFN- Betriebstagung, Berlin, 12.3.

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Argus: The Simplified Policy Language

ClearPass. Onboard and Cloud Identity Providers. Configuration Guide. Onboard and Cloud Identity Providers. Configuration Guide

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

ForgeRock Access Management Core Concepts AM-400 Course Description. Revision B

Enterprise Access Gateway Management for Exostar s IAM Platform June 2018

OpenIAM Identity and Access Manager Technical Architecture Overview

Check to enable generation of refresh tokens when refreshing access tokens

Building the Modern Research Data Portal using the Globus Platform. Rachana Ananthakrishnan GlobusWorld 2017

UMA and Dynamic Client Registration. Thomas Hardjono on behalf of the UMA Work Group

INDIGO-DataCloud Architectural Overview

Canadian Access Federation: Trust Assertion Document (TAD)

4.2. Authenticating to REST Services. Q u i c k R e f e r e n c e G u i d e. 1. IdentityX 4.2 Updates

Release 3.0. Delegated Admin Application Guide

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Summer Salesforce.com, inc. All rights reserved.

CIAM: Need for Identity Governance & Assurance. Yash Prakash VP of Products

Salesforce External Identity Implementation Guide

Intro to the Identity Experience Engine. Kim Cameron, Microsoft Architect of Identity ISSE Paris November 2016

Salesforce External Identity Implementation Guide

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Administering Jive Mobile Apps for ios and Android

globus online Globus Nexus Steve Tuecke Computation Institute University of Chicago and Argonne National Laboratory

SLCS and VASH Service Interoperability of Shibboleth and glite

AAI in EGI Current status

Configuring Apache Knox SSO

SAML-Based SSO Solution

REST API Operations. 8.0 Release. 12/1/2015 Version 8.0.0

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

How to use or not use the AWS API Gateway for Microservices

Verizon MDM UEM Unified Endpoint Management

TextExpander Okta SCIM Configuration

Partner Center: Secure application model

Integration Patterns for Legacy Applications

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

BEYOND AUTHENTICATION IDENTITY AND ACCESS MANAGEMENT FOR THE MODERN ENTERPRISE

Salesforce External Identity Implementation Guide

Tutorial: Building the Services Ecosystem

ForeScout Extended Module for MobileIron

Challenges in Authenticationand Identity Management

SA1 CILogon pilot - motivation and setup

Google Identity Services for work

Certification Exam Guide SALESFORCE CERTIFIED IDENTITY AND ACCESS MANAGEMENT DESIGNER. Winter Salesforce.com, inc. All rights reserved.

Creating relying party clients using the Nimbus OAuth 2.0 SDK with OpenID Connect extensions

EGI AAI Platform Architecture and Roadmap

WHITEPAPER ON NEXT-LEVEL ACCESS MANAGEMENT

PSD2 AND OPEN BANKING SOLUTION GUIDE

DreamFactory Security Guide

Copyright Altice Labs, S.A.

Using Keycloak to Provide Authentication, Authorization, and Identity Management Services for Your Gateway

Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Deploying OAuth with Cisco Collaboration Solution Release 12.0

GDPR, PSD2, CIAM, and the Role of User-Managed Access 2.0

Expertise that goes beyond experience.

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Adaptive Gateways for diverse multiple

Configuring Apache Knox SSO

SAML-Based SSO Solution

NetIQ Access Manager 4.3. REST API Guide

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

OAuth and OpenID Connect (IN PLAIN ENGLISH)

5 OAuth EssEntiAls for APi AccEss control layer7.com

Standards-based Secure Signon for Cloud and Native Mobile Agents

ServiceNow Deployment Guide

FeduShare Update. AuthNZ the SAML way for VOs

G Suite Basic or G Suite Business - Setup Instructions

Identity and Data Access: OpenID & OAuth

Transcription:

INDIGO-Datacloud Identity and Access Management Service RIA-653549 Presented by Andrea Ceccanti (INFN) andrea.ceccanti@cnaf.infn.it WLCG AuthZ WG Meeting Dec, 14th 2017

IAM overview

INDIGO IAM The Identity and Access Management (IAM) service Authenticates users with supported mechanisms (SAML, X.509, Google, username/password, ) Provides a persistent id for the user and other attributes (e.g., group membership) to relying applications via standard OpenID Connect/ OAuth2 interfaces Provides the ability to link for X.509 certificates, SAML and OpenID Connect accounts to the IAM account Provides group membership management and registration service for the managed organization Can be configured to support automatic organization enrollment for users authenticated by trusted SAML identity providers Provides SCIM standard provisioning endpoints to expose organization membership information 3

INDIGO IAM The Identity and Access Management (IAM) service Authenticates users with supported mechanisms (SAML, X.509, Google, username/password, ) Provides a persistent id for the user and other attributes (e.g., group membership) to relying applications via standard OpenID Connect/ OAuth2 interfaces Provides the ability to link for X.509 certificates, SAML and OpenID Connect accounts to the IAM account Provides group membership management and registration service for the managed organization Can be configured to support automatic organization enrollment for users authenticated by trusted SAML identity providers Provides SCIM standard provisioning endpoints to expose organization membership information 3

INDIGO IAM The Identity and Access Management (IAM) service Authenticates users with supported mechanisms (SAML, X.509, Google, username/password, ) Provides a persistent id for the user and other attributes (e.g., group membership) to relying applications via standard OpenID Connect/ OAuth2 interfaces Provides the ability to link for X.509 certificates, SAML and OpenID Connect accounts to the IAM account Provides group membership management and registration service for the managed organization Can be configured to support automatic organization enrollment for users authenticated by trusted SAML identity providers Provides SCIM standard provisioning endpoints to expose organization membership information 3

Authorization in INDIGO: OAuth In order to access resources, a client needs an OAuth access token The token is obtained from the INDIGO IAM using standard OAuth/OpenID Connect flows Authorization can then be performed @ the services leveraging: OAuth scopes: authorization labels that can be linked to access tokens at token creation time Identity attributes: e.g. VO name, group membership attributes, username 4

Tokens in INDIGO: Json Web Tokens (JWT) We use signed JWTs for our Access Tokens Access tokens contain basic authz information More authn/authz info about can be obtained via OAuth token introspection & OpenID Connect userinfo IAM endpoints 5

IAM demo

Registration/Enrollment flow Traditional, VOMS-Admin inspired administrator approved enrollment flow, augmented with support for EduGAIN/Google authn 1. Applicant fills basic registration information (which includes AUP acceptance) 2. Applicant Email ownership verification step (via a verification token sent to to the address 3. Organization admins informed via email of incoming membership request 4. Applicant informed of administrators decision 7

Automatic enrollment IAM can also be configured to supports automatic enrollment, without administrator approval, for user authenticating via a trusted SAML IdP 8

Authentication and account linking Users can authenticate to the IAM with IAM username/password credentials (created at registration time) their SAML Home Institution IdP (if SAML AuthN enabled by configuration) their Google account (if Google AuthN enabled by configuration) their X.509 certificate (if X.509 AuthN enabled by configuration) Users can link/unlink any of these credentials to the their IAM account Account linking can happen at registration time later, linking via the IAM dashboard 9

SAML authentication and linking IAM favours a persistent id attribute from the IdP to enable linking The attribute used is configurable, with the default being (in order) EduPersonUniqueID, EduPersonTargetedID, EduPersonPrincipalName IAM allows to restrict which IdPs to trust by IdP EntityId whitelisting IdP SIRTFI compliance or R&S compliance 10

Group management IAM provides Group management functionality via the dashboard SCIM provisioning APIs Groups can be organized hierarchically 11

Provisioning in INDIGO: SCIM SCIM is a IETF standard defining an (extensible) schema to represent users and groups in an organization the REST API used for querying and managing this information IAM implements SCIM endpoints for user and groups management 12

CLI support: getting a token out of IAM OAuth password flow User credentials exposed to the device, cannot leverage SAML/ Google authentication OAuth device code flow (recommended) User credentials not exposed to the device, can leverage any authentication flow supported by IAM 13

IAM OAuth scope policies MitreID does not support limiting the access to certain OAuth scopes to specific users or groups IAM implements the Scope Policy API that allow administrators to restrict which users/groups are entitled to request OAuth scopes 14

Argus Authorization Service & INDIGO AAI Objective: Plan: ETA Integrate INDIGO AAI in Argus to provide consistent and centralized authorization for services that accept OAuth tokens Write an Argus PIP to extract authn and authz information from the OAuth token Write a profile that defines how the attributes can be used to write and enforce policies Done (PR under review) 15

IAM resources IAM @ Github: https://github.com/indigo-iam/iam IAM docs @ Gitbook : https://iam-docs.gitbooks.io/iamdocumentation/content/v/develop/ INDIGO IAM test instance: https://iam-test.indigo-datacloud.eu Contacts: andrea.ceccanti@cnaf.infn.it indigo-aai.slack.com 16

Thank you @indigodatacloud https://www.indigo-datacloud.eu Better Software for Better Science www.indigo-datacloud.eu h2ps://www.facebook.com/indigodatacloud/ 17

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback