Federated Authentication with Web Services Clients in the context of SAML based AAI federations
Thomas Lenggenhager, thomas.lenggenhager@switch.ch
Mannheim, 8 March 2011
Overview
- SAML n-tier Delegation with ECP Profile
- Argus: A scalable Authorization Service

ECP: Enhanced Client or Proxy (ECP) Profile
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
http://saml.xml.org/saml-specifications
SAML n-tier Delegation with ECP Profile
- Allow a Web Portal to make use of delegation to access one or more Web Service Providers (WSP)
- The Web Portal and each WSP is a SAML SP
- Configuration changes required at the IdP:
  1) Download and install the delegation plug-in
  2) Add a profile handler for the LibertyIDWSFSSOS profile
  3) Change the profile config to restrict delegation by the Portal to its WSPs
  4) Add a new security policy for Liberty SSOS (a static explicit key signature trust engine)
  5) Add a new SingleSignOnService endpoint for the Liberty SSOS in the metadata
- It is not as easy as you would like it to be!
SAML n-tier Delegation with ECP Profile (2)
A single SAML entity
https://spaces.internet2.edu/display/shibuportal/configuring+shibboleth+delegation+for+a+portal
Where is AuthN required, where AuthZ?
- Authentication could be moved to the edges
- If inner components trust the outer components, no further authentication may be required
- Outer components with WebSSO support could act as gateways to inner components
- Outer components pass user attributes to inner components for authorization decisions close to the data access
- The Authorization Service Argus could play a role in such a scenario
Argus: A scalable Authorization Service
- Argus is an authorization service developed by EGEE / EMI
- Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way
- EMI: European Middleware Initiative
- Argus 1.2 was released in Nov 2010
- Argus 1.3 to be released for EMI-1 in April 2011
Argus Integration & Interoperability
Argus Integration & Interoperability (2)
- Integration with the lightweight PEP client API
- Interoperability with direct XACML authorization requests (SOAP)
- Common XACML Authorization Profile
Argus Deployment
PAP: Policy Administration Point
- Manages the XACML policies
- Tools for administrators to manage policies
- Simple Policy Language (SPL) hides XACML complexity
- Hierarchical deployment of PAP servers, e.g. for global banning
PDP: Policy Decision Point
- XACML engine
- Retrieves policies from the PAP
- Receives authorization requests from the PEP daemon
- Evaluates authorization requests against the policies
PEP daemon: Policy Enforcement Point
- Client/Server architecture
- Processes the client requests
  - Applies PIPs (Policy Information Points) to incoming requests
  - Extracts data from the end-entity certificate
- Processes the client responses
  - Applies obligation handlers to outgoing responses
  - Determines user and group mapping
PEP client libraries
- Lightweight client libraries to communicate with the PEP daemon
- ANSI C and Java client libraries
- Hide the complexity of XACML
Argus: A Grid Example
- Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way
- A Grid example: Is CN=Peter Pan, DC=example, DC=org allowed to submit a job to the Computing Element ce.example.com?
Argus: A Grid Example (2)
- Authorization rules (policies) are expressed in XACML
- For most use cases XACML is too abstract
- The Argus CLI supports a simplified policy language, e.g. allow user Peter to perform any action on resource my_resource:

    resource "my_resource" {
        action ".*" {
            rule permit {
                subject="/dc=org/dc=example/cn=peter Pan"
            }
        }
    }

- Parameterize policies with attributes, e.g. DN, subject, CA, ...
- Manage policies locally or import them from remote repositories
- Combination possible: e.g. local policy & global black list
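As an added example (not Argus's own code), a toy parser and evaluator for the simplified policy language shown above, combining a global ban (deny) with a site-local permit as the last bullet describes. The policy text is constructed, and the combining semantics (the first matching rule decides) are an assumption for the example.

```python
import re
# Added example, not Argus's own code: a toy parser/evaluator for the
# simplified policy language shown above. Combining semantics are an
# assumption: the first matching rule decides, so a deny listed first bans.
# Constructed policy text: a global ban followed by a site-local permit.
POLICY_TEXT = r'''
resource "ce\.example\.com" {
    action ".*" {
        rule deny {
            subject="/dc=org/dc=example/cn=Captain Hook"
        }
        rule permit {
            subject="/dc=org/dc=example/cn=Peter Pan"
        }
    }
}
'''

def parse_policy(text):
    """Flatten nested blocks into (resource_re, action_re, effect, attrs)."""
    flat, stack = [], []  # stack holds the currently open blocks
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.fullmatch(r'(resource|action)\s+"(.*)"\s*\{', line):
            stack.append([m.group(1), m.group(2)])
        elif m := re.fullmatch(r'rule\s+(permit|deny)\s*\{', line):
            stack.append(["rule", m.group(1), {}])
        elif m := re.fullmatch(r'(\w+)\s*=\s*"(.*)"', line):
            if not stack or stack[-1][0] != "rule":
                raise ValueError("attribute outside a rule: " + line)
            stack[-1][2][m.group(1)] = m.group(2)
        elif line == "}":
            block = stack.pop()
            if block[0] == "rule":  # enclosing action and resource blocks
                flat.append((stack[-2][1], stack[-1][1], block[1], block[2]))
        else:
            raise ValueError("unparsable line: " + line)
    if stack:
        raise ValueError("unbalanced braces in policy")
    return flat

def decide(policy, subject, action, resource):
    """Is subject allowed to perform action on resource? Subject DNs are
    compared case-insensitively; no matching rule yields NotApplicable."""
    for res_re, act_re, effect, attrs in policy:
        if re.fullmatch(res_re, resource) and re.fullmatch(act_re, action) \
           and all(k == "subject" and v.lower() == subject.lower()
                   for k, v in attrs.items()):
            return effect
    return "NotApplicable"
```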
Argus Summary
+ Service management on the command line
+ Pluggable architecture, written in Java: easy to add new features and deploy
+ Client has a simple API in C & Java with virtually no dependencies: easy to integrate into new clients
+ All Argus components can be deployed on one single host or on distributed hosts

Argus Documentation: <argus-support@cern.ch>
https://twiki.cern.ch/twiki/bin/view/egee/authorizationframework
https://twiki.cern.ch/twiki/bin/view/egee/simplifiedpolicylanguage
https://twiki.cern.ch/twiki/bin/view/egee/authzpapcli
What's missing?
A System Security Architect should be tasked to draft a Middleware Architecture for CLARIN