Demystifying Identity Federation. Colleen Murphy ~ cmurphy

Similar documents
Shibboleth/Federation Operator Tutorial TIIME Workshop DAASI International. Date: 6 Feb 2018

Enabling Cloud-Native Applications with Application Credentials in Keystone

Setting up a Shibboleth SP

Hands-On Exercises. Enroll in Registry Using Federated Identity. Upload Your SSH Public Key. SSH Into the VM

Authentication & Authorization systems developed for CTA

Identity federation in OpenStack - an introduction to hybrid clouds

Configure Unsanctioned Device Access Control

Sci-GaIA OAR Documentation. Release latest

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

Configuring Alfresco Cloud with ADFS 3.0

Canadian Access Federation: Trust Assertion Document (TAD)

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Configuration Guide - Single-Sign On for OneDesk

EGI-InSPIRE. GridCertLib Shibboleth authentication for X.509 certificates and Grid proxies. Sergio Maffioletti

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

Qualys SAML & Microsoft Active Directory Federation Services Integration

Warm Up to Identity Protocol Soup

Okta Integration Guide for Web Access Management with F5 BIG-IP

Administering Jive Mobile Apps for ios and Android

Authentication. Katarina

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Unified Secure Access Beyond VPN

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

SAP Security in a Hybrid World. Kiran Kola

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

SAML 2.0 Software comparison Andreas Åkre Solberg EuroCAMP, Athens,

SAML-Based SSO Solution

Develop and test Web authentication with containers

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

Attributes for Apps How mobile Apps can use SAML Authentication and Attributes

EXTENDING SINGLE SIGN-ON TO AMAZON WEB SERVICES BEST PRACTICES FOR IDENTITY FEDERATION IN AWS E-BOOK

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Lecture no. 2 Shibboleth SP: installation and basic configuration for Single Sign On (SSO) second part. Andrea Biancini Consortium GARR

MyWorkDrive SAML v2.0 Okta Integration Guide

Integration Guide. SafeNet Authentication Service. Protecting SugarCRM with SAS

Oracle Access Manager Configuration Guide

All about SAML End-to-end Tableau and OKTA integration

F5 BIG-IP Access Policy Manager: SAML IDP

Manage SAML Single Sign-On

Shibboleth authentication for Sync & Share - Lessons learned

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

2 Oracle WebLogic Overview Prerequisites Baseline Architecture...6

The Long, Long Road to True Single Sign On at Fermilab. Al Lilianstrom and Dr. Olga Terlyga NLIT 2018 May 22 nd, 2018

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for High Security SSO

Authentication in the Cloud. Stefan Seelmann

O365 Solutions. Three Phase Approach. Page 1 34

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Cloud Secure Integration with ADFS. Deployment Guide

ComponentSpace SAML v2.0 Okta Integration Guide

Oracle WebLogic. Overview. Prerequisites. Baseline. Architecture. Installation. Contents

Configuring Confluence

Inside Symantec O 3. Sergi Isasi. Senior Manager, Product Management. SR B30 - Inside Symantec O3 1

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Integrating the RHCI Suite with IdM

Configuring Apache Knox SSO

Canadian Access Federation: Trust Assertion Document (TAD)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

SAML-Based SSO Solution

Single Sign-On for PCF. User's Guide

ArcGIS Server and Portal for ArcGIS An Introduction to Security

RECOMMENDED DEPLOYMENT PRACTICES. The F5 and Okta Solution for Web Access Management with Multifactor Authentication

Cloud Access Manager Configuration Guide

Quick Start Guide for SAML SSO Access

ISA Action 1.17: A Reusable INSPIRE Reference Platform (ARE3NA)

RSA SecurID Access SAML Configuration for Datadog

Introduction to application management

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

Google Auto User Provisioning

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Canadian Access Federation: Trust Assertion Document (TAD)

VMWARE HORIZON CLOUD WITH VMWARE IDENTITY MANAGER QUICK START GUIDE WHITE PAPER MARCH 2018

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

IMPLEMENTING SINGLE SIGN-ON (SSO) TO KERBEROS CONSTRAINED DELEGATION AND HEADER-BASED APPS. VMware Identity Manager.

Morningstar ByAllAccounts SAML Connectivity Guide

OpenID Cloud Identity Connector. Version 1.3.x. User Guide

Unity Connection Version 10.5 SAML SSO Configuration Example

Configuring Apache Knox SSO

CA SiteMinder Federation

ADFS Setup (SAML Authentication)

Quick Start Guide for SAML SSO Access

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

SAML-Based SSO Configuration

Five9 Plus Adapter for Microsoft Dynamics CRM

SSO Integration Overview

Authorizing Access to SPs. SWITCHaai Team

Canadian Access Federation: Trust Assertion Document (TAD)

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

StorageZones Controller 3.3

StorageZones Controller 3.4

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Enabling Single Sign-On Using Microsoft Azure Active Directory in Axon Data Governance 5.2

Enterprise Access Gateway Management for Exostar s IAM Platform June 2018

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Transcription:

Demystifying Identity Federation Colleen Murphy ~ cmurphy ~ @_colleenm

About me Cloud developer at SUSE Keystone core reviewer 2

Overview What is identity federation? Vocabulary Types of federation in keystone Auth flows Demo time - let s set up keystone federation! Mappings Future plans 3

What is federated identity? Federated Identity is the ability to share a single authentication mechanism across many systems, in our case clouds. Typically, your organization will already have a source of identity, so creating another set of credentials just for your cloud is annoying. Your cloud should understand how to talk to your identity provider. 4

What is identity federation? OR - you have partner organizations with shared resources. You want to give individuals from your partner organization access to your resources without creating internal accounts for them. You could then set up your cloud to trust their identity provider. 5

What is identity federation? OR - you have a bursty workload that needs to occasionally work on public clouds (or a hosted private cloud). You use your local keystone as an identity provider, and the public/hosted private cloud acts as the service provider. 6

Why is it better than an LDAP backend? A federated identity provider abstracts the actual identity storage behind an authentication protocol, so you don t have to give your password directly to keystone, your authentication is done directly with the provider. 7

How does this work in keystone? Two types of federation in keystone: Keystone using an external identity provider as an auth method (introduced in Icehouse) Handled almost entirely by an HTTPD module sitting in front of keystone Keystone as an identity provider (Keystone to Keystone) (introduced in Kilo) 8

Vocabulary Service Provider (SP) The thing with the resource you need. In our case this is keystone, which provides keystone tokens that we use for other OpenStack services. Identity Provider (IdP) The thing that accepts your credentials, validates them, and generates a yay/nay response and some attributes about you. 9

Vocabulary Entity ID, Remote ID A unique identifier for either an SP or an IdP. Usually takes the form of a URI, but it is not required to resolve to anything. Only requirement is that it is unique within an IdP/SP system Example: https://idp.testshib.org/idp/shibboleth SAML2.0 A common federation authentication protocol Assertion A formatted statement from the identity provider that asserts that a user is authenticated and provides some attributes about them 10

FAQ What are shadow users? A local copy of the user attributes that keystone needs to function, like a username, as well as an internally generated ID so that keystone can assign roles to the user 11

FAQ What federated protocols are supported? Keystone as a service provider: any protocol that can convert user attributes to environment variables in an HTTP request SAML2.0, OpenID Connect, x509, Kerberos Keystone as an identity provider: only SAML2.0 12

FAQ Does this work when keystone sits behind a proxy? Yes, but you need to pay attention to where requests are being sent and ensure the auth protectors and the SAML handlers match 13

FAQ Can I have LDAP and federation at the same time? Yes! LDAP is an identity backend, and federation is an auth method. They can coexist. 14

FAQ What if my identity provider is behind a firewall? SAML2.0: no direct connection is needed between the IdP and the SP, all negotiation is done through the browser/ecp OpenID Connect: the SP needs to be able to request a token from the IdP directly (not usually a problem because the IdP is usually Google) 15

Overview of auth flows Normal keystone SAML2.0 WebSSO SAML2.0 ECP SAML2.0 WebSSO with horizon OpenID Connect x509 Kerberos Keystone to Keystone Find these slides at http://gazlene.net/demystifying-identity-federation.pdf 16

Normal keystone 17

SAML2.0 WebSSO 18

SAML2.0 ECP 19

WebSSO with keystone and horizon 20

Keystone to Keystone 21

Before you start Set debug=true and insecure_debug=true in keystone Set the console logging handler to debug in horizon If possible, turn on debug logging on your IdP Install the SAML Tracer plugin on Firefox 22

Demo time 23

Keystone with an external IdP 24

Have an identity provider For this demo I used this node.js app: https://github.com/mcguinness/saml-idp 25

Setup horizon Set WEBSSO = True Add a protocol to WEBSSO_CHOICES WEBSSO_CHOICES = ( ("credentials", "Keystone credentials"), ("saml2", "My Awesome IdP") ) 26

Create federation resources in keystone $ openstack identity provider create demoidp --remote-id=urn:example:idp $ openstack mapping create --rules rules.json demomap $ openstack federation protocol create saml2 --identity-provider demoidp --mapping demomap 27

Set up Apache Install the mod_shib package (or the equivalent for your distro) 28

Set up Apache Add protected Locations to your apache vhost Proxypass Shibboleth.sso! <Location /Shibboleth.sso> SetHandler shib </Location> <Location /identity/v3/os-federation/identity_providers/demoidp/protocols/saml2/auth> AuthType shibboleth Require valid-user ShibRequestSetting requiresession 1 ShibExportAssertion Off </Location> <Location /identity/v3/auth/os-federation/websso/saml2> AuthType shibboleth Require valid-user ShibRequestSetting requiresession 1 ShibRequireSession On ShibExportAssertion Off </Location> 29

Generate keys # shib-keygen 30

Configure metadata Edit /etc/shibboleth/shibboleth2.xml <ApplicationDefaults entityid="http://sp.keystone.demo/shibboleth" REMOTE_USER="eppn persistent-id targeted-id"> #... <SSO entityid="urn:example:idp"> #... <MetadataProvider type="xml" file="/etc/shibboleth/idp.saml.demo.xml" /> 31

Exchange metadata Install the IdP s metadata at the location you configured: <MetadataProvider type="xml" file="/etc/shibboleth/idp.saml.demo.xml" /> 32

Configure metadata Restart shibd and apache: # systemctl restart shibd apache2 Download metadata: $ wget \ https://sp.keystone.demo/shibboleth.sso/metadata 33

Finish setting up keystone Add saml2 as an [auth]/method Set a [saml2]/remote_id_attribute Set a [federation]/trusted_dashboard Create a federated group to match your mapping Copy the SSO template into place 34

Authenticate 35

Authenticate $ openstack --os-auth-type v3samlpassword \ --os-auth-url http://sp.keystone.demo/identity/v3 \ --os-identity-provider demoidp \ --os-identity-provider-url \ https://idp.saml.demo/idp/profile/saml2/soap/ecp \ --os-protocol saml2 \ --os-username username \ --os-password s3cret \ token issue 36

Keystone as an IdP 37

Setup horizon Set WEBSSO = True Add a protocol to WEBSSO_CHOICES WEBSSO_CHOICES = ( ("credentials", "Keystone credentials"), ("saml2", "External Identity Provider") ) Set up horizon on your keystone IdP, not the SP. It will work without any other configuration. 38

Set up your keystone IdP Install xmlsec1 39

Set up your keystone IdP Set [saml] parameters: [saml] idp_entity_id=http://idp.keystone.demo/idp idp_sso_endpoint=http://irrelevant certfile=/etc/keystone/ssl/certs/signing_cert.pem keyfile=/etc/keystone/ssl/private/signing_key.pem idp_metadata_path=/etc/keystone/saml2_idp_metadata.xml 40

Set up your keystone IdP Generate a self-signed key pair Generate metadata $ keystone-manage saml_idp_metadata > \ /etc/keystone/saml2_idp_metadata.xml 41

Set up your keystone IdP Create a service provider resource in your keystone IdP: $ openstack service provider create keystonesp \ --auth-url "http://sp.keystone.demo/identity/v3 /OS-FEDERATION/identity_providers /keystoneidp/protocols/saml2/auth" \ --service-provider-url \ http://sp.keystone.demo/shibboleth.sso/saml2/ecp You don't need to add your SP's metadata to the IdP, because there is no exchange happening 42

Set up your keystone SP Configure your SAML2.0 Apache auth mod. Add a federated auth path to the Apache vhost: <Location /identity/v3/os-federation/identity_providers/keystoneidp/protocols/saml2/auth> AuthType shibboleth Require valid-user ShibRequestSetting requiresession 1 ShibExportAssertion Off </Location> Upload the metadata you generated for your IdP to your SP. 43

Set up your keystone SP Add your new identity provider, a new mapping, and a new protocol for this IdP $ openstack identity provider create keystoneidp \ --remote-id https://idp.keystone.demo/idp $ openstack mapping create k2kmap \ --rules rulesk2k.json $ openstack federation protocol create saml2 \ --mapping k2kmap \ --identity-provider keystoneidp 44

Set up your keystone SP NOTE: as of right now, mod_auth_mellon has a bug that prevents it from being a proper SP in a keystone-to-keystone setup. Use mod_auth_shib instead. For shibboleth, you'll need to allow these attributes to be passed through from the IdP, set them in attribute-map.xml: <Attribute name="openstack_user" id="openstack_user"/> <Attribute name="openstack_roles" id="openstack_roles"/> <Attribute name="openstack_project" id="openstack_project"/> <Attribute name="openstack_user_domain" id="openstack_user_domain"/> <Attribute name="openstack_project_domain" id="openstack_project_domain"/> 45

Authenticate 46

Authenticate $ openstack \ --os-service-provider keystonesp \ --os-remote-project-name demo \ --os-remote-project-domain-name Default \ token issue 47

More on mappings Mappings map attributes found in the user assertion to properties of the keystone user Example: map the username attribute { } "rules": [ { "local": [ { "user": { "name": "{0}" } } ], "remote": [ { "type": "REMOTE_USER" } ] } ] 48

More on mappings Mappings are used to establish authorization for users Example: map the user to a group that has roles on projects { } "rules": [ { "local": [ { "user": { "name": "{0}" }, "group": { "name": "federated_users", "domain": { "name": "Default" } } ], "remote": [ { "type": "REMOTE_USER" } ] } ] 49

More on mappings Sometimes users don't map naturally to groups We can autoprovision projects for them: { } "rules": [ { "local": [ {"user": { "name": "{0}" }}, { "projects": { "name": "Project for {0}", "roles": [{ "name": "Member" }] } } ], "remote": [{ "type": "REMOTE_USER" }] } ] 50

More on mappings We can use conditions to map a variable set of attributes any_one_of and not_any_of produce booleans: they aren't passed into the local rules { "rules": [ { "local": [ { "user": { "name": "{0}" }, "group": { "name": "authorized_users", "domain": { "name": "Default" } } ], "remote": [ { "type": "REMOTE_USER" }, { "type": "REMOTE_GROUPS", "any_one_of": [ "employees", "contractors" ] } ]} ]} 51

More on mappings whitelist and blacklist result in lists that are passed to local rules { "rules": [ { "local": [ { "user": { "name": "{0}" }, "group": { "name": "{1}", "domain": { "name": "Default" } } ], "remote": [ { "type": "REMOTE_USER" }, { "type": "REMOTE_GROUPS", "whitelist": [ "employees", "contractors" ] } ]} ]} 52

Checking your mappings $ cat input.txt REMOTE_USER: user@example.com $ keystone-manage mapping_engine \ --rules rules.json --input input.txt { } "group_ids": [], "user": { "domain": {"id": "Federated"}, "type": "ephemeral", "name": "user@example.com" }, "projects": [], "group_names": [{ "domain": {"name": "Default"}, "name": "federated_users" }] 53

Future improvements Native SAML - no more Apache configuration More functional testing Improved flexibility around protocol configuration, especially with configuring remote_id_attribute Improved client support What do YOU want to see? 54

Questions? Colleen Murphy ~ @_colleenm ~ cmurphy #openstack-keystone

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback