Now SAML takes it all: Federation of non Web-based Services in the State of Baden-Württemberg
Sebastian Labitzke
Karlsruhe Institute of Technology (KIT), Steinbuch Centre for Computing (SCC)
labitzke@kit.edu

My home organization ;-)
Karlsruhe Institute of Technology (KIT)
- Merger of the University of Karlsruhe (TH) and the Research Center Karlsruhe (FZK)
- >9,200 employees, almost 24,000 students
- Budget: almost 800 Mio. Euros p.a.
Steinbuch Centre for Computing (SCC)
- Computing Center of the KIT
- 223 employees, about 50% scientists and 50% technicians and administrative staff
- Two locations (Campus North and South), about 10 km distance
- Identity and Access Management, R&D in scientific computing, HPC, Big Data, Grids, Clouds, ...
- Mission statement: Science for Services, Services for Science
15.05.2013 Sebastian Labitzke - Now SAML takes it all 2

The Project: Vision
- Federated access to services of the State of Baden-Württemberg
- Access control based on local accounts of the home organizations
- In the state of Baden-Württemberg, researchers can access decentralized web-based AND non web-based services by the use of their local account
- bwservices is not about establishing IDM systems, it's about federating existing IDM systems and services.

The Project: Key Facts
- Project Management: Prof. Dr. Hannes Hartenstein (KIT), Dr.-Ing. Martin Nußbaumer (KIT)
- Partners: Core-Team: KIT and the Universities of Ulm, Konstanz, and Freiburg; Partner Universities: Stuttgart, Mannheim, Hohenheim, Heidelberg, and Tübingen
- Funding: Baden-Württemberg Ministry of Science, Research and the Arts (MWK)
- Period of time: 2011-07 to 2013-12

Outline
- The Challenge
- Today's Federated Identity Management
- Requirements for Federating non Web-based Services
- FACIUS: Easy-to-Deploy Concept to Federate Non Web-based Services
- Current Work
- Conclusions

The Challenge (figure: services HPC resources, LSDF, employee or student portal, online publishing, each with its own set of identities)

The Challenge
- Different credentials for different services.
- Possibly stale identity data.
- Security risks due to password reuse.

Today's Federated Identity Management (figure: services HPC resources, LSDF, employee or student portal, online publishing; Home Organizations 1-3 with their identities)
- NON WEB-BASED SERVICES: Cannot be seamlessly applied to non web-based services, yet.
- WEB-BASED SERVICES: Well established for web-based services (e.g. SAML, OpenID, WS*).

Federated Identity Management (figure: services grid resources, network filesystem, employee or student portal, online publishing; Home Organizations 1-3 with their identities)
- NON WEB-BASED SERVICES: Cannot be seamlessly applied to non web-based services, yet.
- WEB-BASED SERVICES: Well established for web-based services (e.g. SAML, OpenID, WS*).
CONSTRAINTS
- No new federated identity management framework for non web-based services
- Most services to be federated are already deployed and operational

How can existing solutions for Federated Identity Management be leveraged to federate non web-based services?

Requirements
Service Provider requirements:
- Integration effort
- Legal aspects
- (De-)Provisioning
- Security
- Performance
- Maintainability
- Deployability
User requirements:
- Alternative authentication methods
- Transparency
- Use of home credentials
Home Organization requirements:
- Legal aspects
- Necessary software adaptions

Outline
- Motivation
- Today's Federated Identity Management
- Requirements for Federating non Web-based Services
- FACIUS: Easy-to-Deploy Concept to Federate Non Web-based Services
- Current Work
- Conclusions

Getting Access to the Service (figure: user, HPC resource, https://...)
REGISTRATION
- Via a web application, SAMLfied: the user can make use of the credentials of his/her home organization.
ACCESS
- Via a native service client
- Authorization based on assertions of the Home Organization
- Provisioning of a local context. In the SSH case: establishment of a UID, a home directory, and an entry in the local identity store of the service.
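The registration step above turns a home-organization assertion into a local context at the service. The following Python model is an added example, not code from the slides or from the FACIUS project: it re-checks the assertion's validity window and audience, authorizes on an eduPersonEntitlement value, and then provisions a UID, a login name and a home directory in a service-local identity store, keeping one registration per service. The SAML SP in front of the registration web application is assumed to have verified the XML signature already; the entity ID, entitlement value, home directory root and the assertion contents are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"         # eduPersonPrincipalName
ENTITLEMENT_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"  # eduPersonEntitlement
SERVICE_ENTITY_ID = "https://hpc.example.org/shibboleth"   # constructed for this example
REQUIRED_ENTITLEMENT = "urn:example:bwservices:hpc-access"  # constructed for this example
HOME_ROOT = "/home/federated"                               # constructed for this example

class RegistrationError(Exception):
    """Registration refused; the message names the check that failed."""

def parse_saml_time(value):
    """SAML timestamps are ISO 8601 in UTC, e.g. 2013-05-15T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_identity(assertion_xml, now, audience=SERVICE_ENTITY_ID):
    """Re-check validity window and audience, return (eppn, entitlements). The SAML SP
    has already verified the signature; the conditions are checked again before use."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise RegistrationError("not a SAML 2.0 Assertion")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        raise RegistrationError("assertion lacks a validity window")
    if not parse_saml_time(cond.get("NotBefore")) <= now < parse_saml_time(cond.get("NotOnOrAfter")):
        raise RegistrationError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise RegistrationError("assertion not issued for this service provider")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    eppn = (attrs.get(EPPN_OID) or [None])[0]
    if not eppn:
        raise RegistrationError("assertion carries no eduPersonPrincipalName")
    return eppn, attrs.get(ENTITLEMENT_OID, [])

class LocalIdentityStore:
    """The service's local identity store: home-org identity -> login, UID, home."""

    def __init__(self, first_uid=10000):
        self.accounts = {}          # eppn -> provisioned record
        self.next_uid = first_uid

    def login_name(self, eppn):
        """POSIX-safe login from 'user@realm'; the realm is kept so users of different home orgs cannot collide."""
        return re.sub(r"[^a-z0-9_-]", "_", eppn.lower())[:32]

    def register(self, assertion_xml, now):
        """Authorize on the home organization's assertion, then provision the local context."""
        eppn, entitlements = extract_identity(assertion_xml, now)
        if REQUIRED_ENTITLEMENT not in entitlements:
            raise RegistrationError(f"{eppn} lacks entitlement {REQUIRED_ENTITLEMENT}")
        if eppn in self.accounts:   # one registration per service; later logins just use it
            return self.accounts[eppn]
        login = self.login_name(eppn)
        record = {"eppn": eppn, "login": login, "uid": self.next_uid,
                  "home": f"{HOME_ROOT}/{login}", "registered": now.isoformat()}
        self.next_uid += 1
        self.accounts[eppn] = record
        return record

def sample_assertion(eppn, entitlements, not_before, not_on_or_after, audience=SERVICE_ENTITY_ID):
    """Constructed, unsigned assertion with the shape an IdP would issue (example data only)."""
    values = "".join(f"<saml:AttributeValue>{e}</saml:AttributeValue>" for e in entitlements)
    return (f'<saml:Assertion xmlns:saml="{SAML}" Version="2.0" ID="_constructed" IssueInstant="{not_before}">'
            f'<saml:Issuer>https://idp.uni-a.example/idp</saml:Issuer>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement>'
            f'<saml:Attribute Name="{EPPN_OID}"><saml:AttributeValue>{eppn}</saml:AttributeValue></saml:Attribute>'
            f'<saml:Attribute Name="{ENTITLEMENT_OID}">{values}</saml:Attribute>'
            f'</saml:AttributeStatement></saml:Assertion>')

def run_demo():
    """One accepted registration (repeated once) and three rejected ones, with constructed data."""
    store = LocalIdentityStore()
    now = parse_saml_time("2013-05-15T10:00:00Z")
    valid = ("2013-05-15T09:55:00Z", "2013-05-15T10:05:00Z")
    alice = sample_assertion("alice@uni-a.example", [REQUIRED_ENTITLEMENT], *valid)
    first = store.register(alice, now)
    second = store.register(alice, now)      # same record: no second UID or home directory
    cases = {
        "no entitlement": sample_assertion("bob@uni-b.example", ["urn:example:other"], *valid),
        "expired": sample_assertion("carol@uni-c.example", [REQUIRED_ENTITLEMENT],
                                    "2013-05-15T09:00:00Z", "2013-05-15T09:05:00Z"),
        "wrong audience": sample_assertion("dave@uni-d.example", [REQUIRED_ENTITLEMENT], *valid,
                                           audience="https://other-sp.example/shibboleth"),
    }
    rejected = {}
    for label, xml in cases.items():
        try:
            store.register(xml, now)
        except RegistrationError as err:
            rejected[label] = str(err)
    return {"first": first, "second": second, "rejected": rejected, "accounts": len(store.accounts)}
```

The entitlement check is what makes the SSH access decision depend on the Home Organization rather than on a locally maintained user list, and the audience check keeps an assertion issued for one service provider from provisioning an account at another. In a real deployment the attributes would come from the SAML SP's validated attribute export instead of re-parsing raw XML, and deprovisioning would remove the record once the home organization stops asserting the entitlement.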

FACIUS - Overview (figure)
- User: Browser (Login & Provisioning, Registration), SSH-Client (Login)
- Service Provider: Registration web application with SAML SP; Login-Node with SSH-Server and PAM-Module
- Home Organization: SAML IdP
- Legend: existing components, generic components, partially service-specific components
Further information: J. Köhler, S. Labitzke, M. Simon, M. Nussbaumer, H. Hartenstein: FACIUS: An Easy-to-Deploy SAML-based Approach to Federate Non Web-Based Services, Proc. of Trustcom 2012

Three Login Alternatives (figure)
- Enhanced Proxy: Credentials, Service Provider, ECP, Home Organization
- Enhanced Client: Credentials, ECP, Service Provider, Home Organization
- Local Authentication: Credentials, Service Provider, Assertion Query, Home Organization

Evaluation (figure: the three alternatives Enhanced Proxy, Enhanced Client, and Local Authentication rated against the requirements)
User Requirements:
- Unmodified client usable
- Login with credentials of the Home Organization
- No harm by malicious Service Providers
- Operable in parallel to other login alternatives
Service Provider Requirements:
- Integration effort: integration of the Pluggable Authentication Module with the Service Access Point
- Maintainability: based on existing frameworks
- Performance (SSH login): 1.01 s vs. 0.30 s (regular login)
- Integration into existing Federations: SAML-based federations
- Provisioning/Deprovisioning
- Legal aspects: user consent to policies can be requested
Home Organization Requirements:
- Legal aspects: user consent to policies can be requested
- No software adaptions

Current Work: The plug-and-play solution
LDAP-Facade
- Appears to be a local LDAP directory
- Includes FACIUS logic (incl. the web registration)
- Transparent from the perspective of service providers
- Deployable like any other SAML-based service provider
- Single component to be deployed at a service provider
(figure: User: Browser (Login & Registration, Provisioning), SSH-Client (Login); Service Provider: Registration web application with SAML-SP, LDAP Facade, Login Node; Home Organization: SAML IdP; legend: standard components, customized components)

Conclusions
- The project: federation of 9 universities of the state of Baden-Württemberg; (non) web-based services; federates the access to non web-based services such as grid, cloud, and HPC resources.
- FACIUS: deployable, operable, and maintainable approach to federate non web-based services. If you have to bring non web-based services together with SAML, make use of the FACIUS approach!
- FACIUS makes active use of the SAML ECP and Assertion Query profiles.
- FACIUS offers users high usability in trustworthy federations.
- Easy-to-deploy solution for service collaborations of universities (and companies as well).
- Single registration process per service, then service access.
- Successfully deployed in testing environments; production by the end of June.
Special thanks to Jens Köhler, Michael Simon, and Dr. Martin Nußbaumer!
labitzke@kit.edu