Contrail and Federated Identity Management
Philip Kershaw, RAL Space, STFC
Jens Jensen, e-Science, STFC
(and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC 7th Framework Programme
contrail-project.eu
Outline
• Contrail overview and goals
• Architecture
• Single sign-on
• Delegation requirements
• Delegation solutions
• OAuth flow
• Conclusions
• Collaborations
Contrail Overview and Goals
• EC FP7 Project, led by INRIA, 36 months, completes Sept 2013
• Federation of cloud providers
• Federation with external IdPs
• “Elastic” CAs for dynamically created services
• Autonomous SLA management from SLA@SOI project
• IaaS and PaaS integration
• Reuse of existing open standards: OVF, OCCI, CDMI, WS-Security, SLA@SOI models
Contrail Overview and Goals (continued)
Federated access to resources, building on existing identity federations
Architecture
[Diagram: Federation of Cloud Providers; Federation CLI and Browser (browser and rich client access); Federation Web Portal; Federation core; Online CA; Federation Identity Provider; REST API]
Architecture – Single Sign-on
[Diagram: the same components (Cloud Providers, Federation CLI, Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API); single sign-on is marked at three points in the diagram, plus credentials mapping]
Architecture – Delegation
[Diagram: the same components (Cloud Providers, Federation CLI, Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API); multiple delegation hops between the components]
Delegation … but how?
• Delegator delegates authority to another, a delegatee
• Rights that the delegatee inherits can vary, e.g.
  • Identity-based: inherits all the rights of the user
  • Inherit rights to access a single resource
• Some technology options:
  • GSI Proxy certificates
  • OAuth 1.0 (CILogon), OAuth 2.0?
  • Others…
Delegation: technology options
• GSI Proxy certificates
  • Delegatee inherits all the rights of the user
  • Custom SSL extensions needed to support verification
• OAuth 1.0
  • Gained traction in commercial environment: Twitter etc.
  • Digital signature of HTTP header artifacts – canonicalisation can be problematic
• OAuth 2.0
  • Simplified flow
  • Use SSL: no digital signature implementation necessary
• CILogon
  • Use OAuth to protect a short-lived credential service (SLCS), but based on OAuth 1.0
  • Delegatees obtain a standard End Entity Certificate
• SLCS + OAuth 2.0 ✔
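The canonicalisation problem the slide raises against OAuth 1.0 is easiest to see in code. The block below is an added example, not Contrail project code or code from the slides: a standard-library Python implementation of the RFC 5849 signature base string and HMAC-SHA1 signature. The URLs, keys and parameter values are constructed. The point it demonstrates is that client and server must decode the request identically (percent-encoding, `+` versus `%20`, case of scheme and host, default ports, parameter ordering) before their signatures can match; OAuth 2.0 over TLS removes this whole step, which is the "no digital signature implementation necessary" advantage the slide lists.

```python
"""Added example: RFC 5849 (OAuth 1.0) signature base string and HMAC-SHA1 signature.
Standard library only; all URLs, secrets and parameters are constructed sample values."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' stay bare."""
    return quote(value, safe="-._~")


def normalise_params(params):
    """RFC 5849 section 3.4.1.3.2: encode each pair, sort by key then value, join with '&'."""
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    return "&".join(f"{k}={v}" for k, v in encoded)


def base_string_uri(url):
    """Lower-case scheme and host, drop default ports, keep the path, drop query and fragment."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname.lower()
    port = parts.port
    if port is not None and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path}"


def signature_base_string(method, url, params):
    """Combine method, base URI and the normalised parameters (query string plus OAuth/body params).
    parse_qsl decodes both '%20' and '+' to a space: this is exactly the kind of decoding
    choice that both sides of an OAuth 1.0 exchange must make the same way."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    collected = [(k, v) for k, v in list(query) + list(params) if k != "oauth_signature"]
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalise_params(collected))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """RFC 5849 section 3.4.2: the key is enc(consumer secret) '&' enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_signature(method, url, params, presented_signature, consumer_secret, token_secret=""):
    """Server side: recompute the signature from the received request and compare in constant time."""
    expected = hmac_sha1_signature(signature_base_string(method, url, params),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    # Constructed request: the same query written as 'r%20b' and as 'r+b' must sign identically.
    sample_params = [("oauth_consumer_key", "9djdj82h48djs9d2"), ("oauth_nonce", "7d8f3e4a"),
                     ("oauth_signature_method", "HMAC-SHA1"), ("oauth_timestamp", "137131201")]
    print(signature_base_string("POST", "http://example.com/request?a=r%20b", sample_params))
    print(signature_base_string("post", "HTTP://Example.COM:80/request?a=r+b", sample_params))
```

Run it to see the two base strings come out identical; replace `a=r+b` with `a=r%2Bb` (a literal plus sign) and they diverge, which is the mismatch a server that decodes `+` differently from its clients would produce.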
OAuth Flow (1)
[Diagram roles: Browser (user agent); Federation Web Portal [OAuth Client]; Federation Identity Provider [OAuth Authorisation Server]; Online CA [OAuth Resource Server]; Federation core; Cloud Providers]
Objective: get delegated credential for portal to make onward requests to the federation core
1. User request
OAuth Flow (2, 3)
[Same diagram as OAuth Flow (1)]
2. Portal requests authorisation for delegation from user
3. User is redirected to authorisation server
OAuth Flow (4)
[Same diagram as OAuth Flow (1)]
4. User authenticates and approves the delegation request
OAuth Flow (5)
[Same diagram as OAuth Flow (1)]
5. Return authorisation grant to portal via a redirect
… redirect back to portal
OAuth Flow (6)
[Same diagram as OAuth Flow (1)]
6. Portal requests certificate (OAuth access token) passing authorisation grant as proof of user approval
OAuth Flow (7)
[Same diagram as OAuth Flow (1)]
7. Online CA authenticates portal and returns certificate
OAuth Flow (8)
[Same diagram as OAuth Flow (1)]
8. Portal uses certificate to authenticate with core services
OAuth Flow (9)
[Same diagram as OAuth Flow (1)]
9. Further delegation needed: ‘2-legged’ OAuth
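Steps 1 to 8 of the flow, as an added example that is not Contrail code and not from the slides: a self-contained Python simulation with the Federation IdP as authorisation server, the Online CA as resource server, the Web Portal as client and a core service verifying the result. Everything in it is an assumption made for illustration: the class and function names, the 60 s grant lifetime and 12 h credential lifetime, the hypothetical `portal` client and `alice` user, the CA consulting the IdP's grant store directly, and the "certificate", which is a JSON body under an HMAC-SHA256 tag standing in for an X.509 signature. What it adds to the step list is the checks each party has to make for the delegation to stay safe: the grant is bound to one client, expires quickly and is accepted once; the portal is authenticated before the grant is consumed, so a failed client authentication cannot burn it; the returned `state` is compared with the pending request; and the core service checks both signature and validity window before trusting the subject.

```python
"""Simulation of the OAuth 2.0 delegation flow on the slides: Federation IdP as
authorisation server, Online CA as resource server issuing a short-lived credential,
Federation Web Portal as client. Added example with constructed names, not Contrail code."""
import hashlib
import hmac
import json
import secrets
import time

GRANT_LIFETIME_S = 60               # authorisation grants: short-lived and single-use (assumed value)
CREDENTIAL_LIFETIME_S = 12 * 3600   # lifetime of the short-lived credential (assumed value)


class FederationIdP:
    """OAuth authorisation server: knows the registered clients and issues grants."""

    def __init__(self):
        self.clients = {}  # client_id -> {"secret": ..., "redirect_uri": ...}
        self.grants = {}   # code -> {"client_id", "user", "expires", "used"}

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = {"secret": client_secret, "redirect_uri": redirect_uri}

    def authorise(self, client_id, redirect_uri, state, user, approved, now=None):
        """Steps 3-5: the user lands here, authenticates, approves; a grant goes back by redirect."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None or client["redirect_uri"] != redirect_uri:
            raise ValueError("unknown client or redirect_uri mismatch")
        if not approved:
            raise PermissionError("user did not approve the delegation")
        code = secrets.token_urlsafe(32)
        self.grants[code] = {"client_id": client_id, "user": user,
                             "expires": now + GRANT_LIFETIME_S, "used": False}
        return {"code": code, "state": state}  # state echoed so the portal can bind it to its session

    def authenticate_client(self, client_id, client_secret):
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise PermissionError("client authentication failed")

    def consume_grant(self, code, client_id, now):
        """A grant is accepted once, before expiry, and only by the client it was issued to."""
        grant = self.grants.get(code)
        if (grant is None or grant["used"] or grant["client_id"] != client_id
                or now > grant["expires"]):
            raise PermissionError("invalid, expired, replayed or mis-bound authorisation grant")
        grant["used"] = True
        return grant["user"]


def sign(key, body):
    """Stand-in for the CA signature: HMAC-SHA256 over a canonical JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class OnlineCA:
    """OAuth resource server: trades a valid grant for a short-lived credential (steps 6-7)."""

    def __init__(self, idp, ca_key):
        self.idp = idp        # assumption: the CA can consult the IdP's client and grant records
        self.ca_key = ca_key

    def issue_credential(self, client_id, client_secret, code, now=None):
        now = time.time() if now is None else now
        self.idp.authenticate_client(client_id, client_secret)  # step 7: authenticate the portal first
        subject = self.idp.consume_grant(code, client_id, now)  # ...then burn the grant
        body = {"subject": subject, "delegated_to": client_id,
                "not_before": now, "not_after": now + CREDENTIAL_LIFETIME_S}
        return {"body": body, "signature": sign(self.ca_key, body)}


def verify_credential(credential, ca_key, now=None):
    """Step 8: a core service checks signature and validity window before trusting the subject."""
    now = time.time() if now is None else now
    body = credential["body"]
    if not hmac.compare_digest(sign(ca_key, body), credential["signature"]):
        raise PermissionError("bad credential signature")
    if not body["not_before"] <= now <= body["not_after"]:
        raise PermissionError("credential outside its validity window")
    return body["subject"]


def run_flow(now=1_700_000_000.0):
    """Drive steps 1-8 once with constructed names; return the subject the core service accepted."""
    idp = FederationIdP()
    ca_key = secrets.token_bytes(32)
    ca = OnlineCA(idp, ca_key)
    idp.register_client("portal", "portal-secret", "https://portal.example/cb")
    state = secrets.token_urlsafe(16)                                  # step 2: portal starts the request
    redirect = idp.authorise("portal", "https://portal.example/cb", state,
                             user="alice", approved=True, now=now)    # steps 3-5
    if redirect["state"] != state:
        raise PermissionError("redirect does not match the pending request")
    cred = ca.issue_credential("portal", "portal-secret", redirect["code"], now=now)  # steps 6-7
    return verify_credential(cred, ca_key, now=now)                    # step 8


if __name__ == "__main__":
    print("federation core accepted subject:", run_flow())
```

Step 9 ('2-legged' OAuth for onward delegation) is not modelled; in this shape it would be the portal presenting its own client credentials plus the credential it just obtained to the next hop, and each hop would repeat the same signature and validity checks.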
Development Status
• Web portal and federation SSO demonstrated with support for:
  • SAML
  • OpenID
• Command line SSO with shell script client to Short-Lived Credential Service (X.509 EECs)
• Delegation with 2-legged OAuth-like interface, full OAuth to be integrated
Technology used
Federation Web
  • User interface: Python 2.7+ / Django 1.4 / buildout / Apache2
  • SAML2: Djangosaml2 v0.5
  • OpenID: Django-authopenid
Federation IdP
  • IdP: SimpleSAMLphp 1.9 rc2
  • User DB: Java 6 / JPA subclipse / Tomcat
Conclusion
Single sign-on support with:
• Browser: SAML2 and OpenID
• Other client: X.509 short-lived end entity certificates
Delegation with OAuth 2.0 protected Short-Lived Credential Service
Can we offer Federation-in-a-box or federation-as-a-service?
=> Federated access to resources, building on existing identity federations.
Contrail collaborations
• Contrail evaluation with:
  • EUDAT, CLARIN, ENES
  • EGI federated cloud task force
  • Climate science and Earth Observation communities: OAuth solution for workflows
• OGF groups
  • FEDSEC-CG: federated identity for grids and clouds
  • IDEL-WG: working group on identity delegation
  • Cloud security activities
• ... Moonshot
Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT-2009.1.2)
Project reference: 257438
Total cost: 11,29 million euro
EU contribution: 8,3 million euro
Execution: From 2010-10-01 till 2013-09-30
Duration: 36 months
Contract type: Collaborative project (generic)