ngNOG VIII - University of Benin
Federated Identity Management for NRENs and access to e-Infrastructures
Cletus Okolie, NOC Manager
Eko-Konnect Research and Education, [email protected]
08023824246
09/11/2013
Outline
• Participation in the WACREN project: eI4Africa
• What are e-Infrastructures?
• Public Key Infrastructure – Certification Authorities
• Federated Identity Services – Terms and Principles
• What is a Science Gateway?
• NgREN Catch-All Identity Provider Deployment
• Demo
WACREN AGM - Abuja 2013
eI4Africa
• An EU/FP7 project funded by the EC (DG CONNECT) under the 'Capacities Programme'
• Spanning 24 months (Nov. 2012 – Oct. 2014)
• With the aim of:
  – Boosting the Research, Technological Development and Innovation (RTDI) potential of African e-Infrastructures
  – Supporting policy dialogues
  – Enhancing Africa-EU cooperation
• In the framework of the joint Africa-EU Strategic Partnership on
  – Trade, regional integration and infrastructures (JAES Partnership 3)
  – Science, information society and space (JAES Partnership 8)
03/07/2013
Objectives
• Outreach
  – Build cooperation between Euro-African NRENs, RENs and user communities
  – Raise awareness at policy level of the benefits and value of RENs
  – Promote/strengthen Euro-African collaborative research on e-Infrastructures and their applications
• Produce a state-of-the-art study of e-Infrastructure application uptake in Africa
• Flagship demonstrations from other continents, illustrating their relevance to the African context, in order to stimulate policy dialogue on e-Infrastructures
• Stimulate targeted policy and regulatory discussions
Virtuous Circle of eI4Africa Activities (diagram)
e-Infrastructures
• ICT elements that support e-Science
• e-Science: novel, large-scale, inter-disciplinary global collaborations between scientists and researchers across many different areas
• ICT elements:
  – high-speed research communication networks
  – powerful computational resources (dedicated high-performance computers, clusters, large numbers of commodity PCs)
  – grid and cloud technologies, data infrastructures (data sources, scientific literature)
  – sensors, web-based portals, science gateways and mobile devices
• When integrated together = e-Infrastructures
A potential user of an e-Infrastructure needs ...
• A more powerful computer to run an application
• A great number of these computers to deliver results faster
• Access to specialised High Performance Computing facilities
• Access to large data sources
• Access to software not otherwise available
• To collaborate with other scientists across the world
• Access to scientific literature resources
• To connect to specialised instrumentation for analysis
• To connect to sensors for data collection
• Access to these facilities via a web-based portal or mobile device
Vision for African e-Infrastructure
The eI4Africa vision is a standards-based, fully interoperable ICT platform that will enable scientists to do better research with collaborators across Africa and in other regions. New training and education programmes will be available to form the new generation of African e-researchers able to tackle problems affecting the region.
Technical Services Teams
• African organisations in the eI4Africa technical services teams:
  – Eko-Konnect (Nigeria)
  – JKUAT and Kenya (Kenya)
  – MERAKA (South Africa)
  – TERNET (Tanzania)
  – MAREN (Malawi)
  – More welcome!!
Outputs
• Certification Authorities
  – Nigeria, Kenya, Tanzania, South Africa, Malawi
  – Deployed and issuing X.509 certificates, tested on the GILDA t-Infrastructure
• Catch-All Identity Providers
  – Nigeria, Kenya, South Africa, Tanzania
• Africa Grid Science Gateway
• Capacity building for resource sharing across geographic and organisational boundaries with an established PKI
Federated Identity Services, Certification Authorities & Science Gateways
Principles and Terminology
Public Key Infrastructure
A public-key infrastructure (PKI) is the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates. The PKI issues digital certificates that bind public keys to entities, publishes these certificates in a central repository and revokes them when needed.
PKI Concepts
• Certification Authority (CA): issues the digital certificates and is the trust anchor against which they are verified
• Registration Authority (RA): verifies the identity of users requesting certificates from the CA. There can be one or more
• Validation Authority (VA): provides information on whether a certificate is still valid (for example via a CRL or OCSP). There can be one or more
• End Entity: the holder of a certificate, such as a user, an e-mail client, a web server, a web browser or a VPN gateway
PKI Access Flow
• The user generates a key pair and applies for a certificate by sending a certificate signing request (CSR) carrying the public key to a Registration Authority (RA). The CSR is signed with the user's own private key as proof of possession; the private key itself never leaves the user
• The RA confirms the user's identity and the CA issues the certificate by signing it with the CA key
• The Validation Authority reports whether an issued certificate is valid: it chains to the CA, is within its validity period and has not been revoked
• Implemented in software:
  CA = https://ngca.eko-konnect.net.ng/CA
  VA = https://ngca.eko-konnect.net.ng/CA/mgt/scert.php
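The flow above, walked through end to end as an added example (not code from the eI4Africa or NgCA deployment). It drives the openssl command-line tool, assumed to be on PATH, from Python: the user makes a key pair and a self-signed CSR, a toy CA (made up here, "NgCA-Example") issues the certificate, and the validation step is a chain check against the CA certificate. A second, rogue CA is created so the same user CSR can be signed by an issuer the VA does not trust, which shows what the validation step actually rejects. Names and subjects are invented; revocation (CRL/OCSP) is noted but not exercised.

```python
"""Added example of the PKI access flow using the openssl CLI (assumed installed).
Not part of the original slides; CA and user names are made up."""
import subprocess
import tempfile


def openssl(*args, cwd):
    """Run one openssl command in cwd; return (exit code, stdout, stderr)."""
    proc = subprocess.run(["openssl", *args], cwd=cwd, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def make_ca(workdir, name):
    """A toy CA: a key pair plus a self-signed root certificate (the trust anchor)."""
    key, cert = f"{name}.key", f"{name}.crt"
    rc, _, err = openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                         "-keyout", key, "-out", cert, "-days", "365",
                         "-subj", f"/O=Example NREN/CN={name}", cwd=workdir)
    if rc != 0:
        raise RuntimeError(err)
    return key, cert


def user_requests_certificate(workdir, user):
    """Step 1: the user generates a key pair and a CSR. The CSR carries the public
    key and is signed with the user's private key; only the CSR goes to the RA."""
    key, csr = f"{user}.key", f"{user}.csr"
    rc, _, err = openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                         "-keyout", key, "-out", csr,
                         "-subj", f"/O=Eko-Konnect/CN={user}", cwd=workdir)
    if rc != 0:
        raise RuntimeError(err)
    return key, csr


def csr_is_self_signed(workdir, csr):
    """RA-side check: does the CSR's signature verify under the public key it carries?"""
    rc, _, _ = openssl("req", "-in", csr, "-noout", "-verify", cwd=workdir)
    return rc == 0


def ca_issues_certificate(workdir, csr, ca_key, ca_cert, out):
    """Step 2: once the RA has confirmed identity, the CA signs the certificate."""
    rc, _, err = openssl("x509", "-req", "-in", csr, "-CA", ca_cert, "-CAkey", ca_key,
                         "-CAcreateserial", "-out", out, "-days", "30", cwd=workdir)
    if rc != 0:
        raise RuntimeError(err)
    return out


def validate(workdir, cert, trusted_ca_cert):
    """Step 3, the VA's job: chain, signature and validity-period check against
    the trust anchor. A real VA additionally consults a CRL or an OCSP responder."""
    rc, out, _ = openssl("verify", "-CAfile", trusted_ca_cert, cert, cwd=workdir)
    return rc == 0 and out.strip().endswith("OK")


def demo():
    """Walk the flow once; report the verdict for a genuine and a rogue issuer."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_key, ca_cert = make_ca(tmp, "NgCA-Example")
        rogue_key, rogue_cert = make_ca(tmp, "Rogue-CA")
        _, csr = user_requests_certificate(tmp, "alice")
        if not csr_is_self_signed(tmp, csr):
            raise RuntimeError("CSR signature does not verify; RA would reject it")
        good = ca_issues_certificate(tmp, csr, ca_key, ca_cert, "alice.crt")
        bad = ca_issues_certificate(tmp, csr, rogue_key, rogue_cert, "alice-rogue.crt")
        return {
            "good_cert_valid": validate(tmp, good, ca_cert),   # chains to the trusted CA
            "rogue_cert_valid": validate(tmp, bad, ca_cert),   # same key, wrong issuer
        }


if __name__ == "__main__":
    print(demo())
```

The rogue case is the one worth internalising: the user's key pair and CSR are identical in both certificates, so what the validation step establishes is not "this key belongs to alice" but "an issuer we trust vouched for this binding". Anything not chaining to the CA in `-CAfile` is rejected regardless of how plausible the subject looks.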
Identity Federations
An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources, to enable access via authentication.
Service Provider (SP)
• Describes anyone who has a service, resource or set of content that they want to make available to users via a login
• The login may be to limit access to subscribers or specialist groups, or for personalisation
• The SP does not hold information about users. It relies on Identity Providers, i.e. the institution or organisation a user belongs to, to get user information
Identity Provider (IdP)
An Identity Provider or 'IdP' is any institution or organisation that manages information about its users and wants to provide access to resources for these users.
Access Control
After successful authentication the identity provider releases a certain set of attributes to the service provider.
Access control is performed by matching these attributes supplied by the IdP against rules defined by the SP.
Authentication vs Authorization
• Authentication establishes the user's identity and is done by the identity provider
  – To be authenticated by an IdP, people have to be enrolled on it and registered, upon proper identification, in the registry connected to the IdP
• Authorisation defines the user's permissions within the application and is done at the service provider
  – The fact that you are who you claim to be (i.e. you are authenticated by an IdP) does not imply, by portal policy, that you are automatically authorised to access and use the SP, e.g. the Africa Grid Science Gateway. To do so people have to fill in the authorisation request.
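The SP-side decision from the two slides above (attributes released by the IdP, matched against rules defined by the SP), as an added example that is not part of the original deck or of any Shibboleth code. The SAML attribute statement is constructed for illustration; the attribute names are the standard eduPerson/inetOrgPerson OIDs that Shibboleth deployments put on the wire, but the user, scope and the gateway's policy are assumptions.

```python
"""Added example: attribute-based authorisation at a service provider.
The attribute statement and the policy are constructed; not code from the original page."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}

# Attribute names as released on the wire; FriendlyName is only cosmetic.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"    # eduPersonPrincipalName
EPSA = "urn:oid:1.3.6.1.4.1.5923.1.1.1.9"    # eduPersonScopedAffiliation
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"   # mail

# Constructed sample of what an IdP releases after a successful login.
SAMPLE_ATTRIBUTE_STATEMENT = f"""
<saml:AttributeStatement xmlns:saml="{SAML2}">
  <saml:Attribute Name="{EPPN}" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>alice@example.edu.ng</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{EPSA}" FriendlyName="eduPersonScopedAffiliation">
    <saml:AttributeValue>staff@example.edu.ng</saml:AttributeValue>
    <saml:AttributeValue>member@example.edu.ng</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="{MAIL}" FriendlyName="mail">
    <saml:AttributeValue>alice@example.edu.ng</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""


def parse_attributes(xml_text):
    """AttributeStatement -> {attribute name: [values]}; multi-valued attributes keep every value."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind("saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def scoped(allowed_affiliations, allowed_scopes):
    """Predicate for eduPersonScopedAffiliation: the affiliation AND the scope must both be
    acceptable. Checking only the left half would let 'staff@anywhere' through."""
    def check(value):
        affiliation, sep, scope = value.rpartition("@")
        return sep == "@" and affiliation in allowed_affiliations and scope in allowed_scopes
    return check


# Hypothetical policy for a science gateway: every rule must be met by at least one
# released value (AND across rules, OR across a multi-valued attribute's values).
SCIENCE_GATEWAY_POLICY = {
    EPPN: lambda v: "@" in v,                                   # user must be identifiable
    EPSA: scoped({"staff", "faculty", "student"}, {"example.edu.ng"}),
}


def authorize(attrs, policy):
    """SP rule matching. Returns (allowed, reason). An authenticated user with the
    wrong (or no) attributes is still denied: authentication is not authorisation."""
    for name, accept in policy.items():
        if not any(accept(v) for v in attrs.get(name, [])):
            return False, f"no acceptable value for {name}"
    return True, "allowed"


if __name__ == "__main__":
    print(authorize(parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT), SCIENCE_GATEWAY_POLICY))
```

Note the scope check in `scoped`: in a federation the IdP asserts `affiliation@scope`, and the SP must trust a scope only for the IdP entitled to assert it (Shibboleth enforces this through scope rules in the SP's attribute filter); the predicate here models that by whitelisting scopes.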
SAML
• Security Assertion Markup Language: an XML standard for exchanging authentication and authorisation information
• Used for web-browser Single Sign-On (SSO)
• Three roles: the principal (typically a user), the identity provider (IdP) and the service provider (SP)
• Does not specify the method of authentication at the identity provider; you can choose the authentication source: LDAP, Active Directory, SQL, custom
• Shibboleth (Java) and SimpleSAMLphp (PHP) are popular SAML implementations, used with OpenLDAP and EduERP at Eko-Konnect
SAML – Web SSO Example
(diagram, sourced from Wikipedia)
NgREN Federation
• There is normally only one CA and one identity federation (IdF) per country, with exceptions in some countries such as the US
• Currently a "Catch-All" IdP for NgREN is maintained by Eko-Konnect as part of eI4Africa, at https://ngidp.eko-konnect.net.ng
• Used by UNN and LionGRID users in their workshops
• With a database of users, any institution can set up an IdP and participate in the evolution of policies and a framework for the NgREN federation
What are Science Gateways?
• A Science Gateway is a community-developed set of tools, applications and data that are integrated via a portal or a suite of applications, usually in a graphical user interface, further customised to meet the needs of a specific community
• Gateways allow science teams to access data, perform shared computations and generally work on resources together
• Gateways provide access to a variety of capabilities including:
  – Workflows
  – General or domain-specific analytic and visualisation software
  – Collaborative interfaces
  – Resource discovery
  – Job submission tools
  – Job execution services
  – Education modules
• Different SGWs exist, e.g. the Africa Grid Science Gateway
Africa Grid Science Gateway
• The Africa Grid Science Gateway is a standards-based Web 2.0 demonstrative platform to showcase the lighthouse applications identified by the eI4Africa project and execute them on a worldwide e-Infrastructure
Problems accessing the Science Gateways?
• Some applications in a Science Gateway are freely accessible but others require user authentication
• Grids and their diverse middleware have been difficult for scientists to grasp
• Access to the Africa Grid Science Gateway requires federated credentials issued by an Identity Provider
Problems with Access contd.
• PKI and personal certificates have been a barrier to access to e-Infrastructures
• This is what identity federation (IdF) seeks to solve
SG Access Workflow
• A user wants to sign in or requests a service that requires authentication and authorisation
• The portal redirects the user to an IdP, where the user's details are checked in an LDAP server
• The portal contacts a service called the eToken Service, where a proxy is created from a robot certificate installed on a special USB-shaped smartcard
• The action is done on the grid
• The output is retrieved back to the portal machine
• The user is notified that the output is ready and she can download it
Deploying the NgREN Catch-All Identity Provider
Shibboleth and OpenLDAP
Overview
• Installation and configuration of a Shibboleth-based IdP with an LDAP back end
• Shibboleth is an open-source project that provides Single Sign-On (SSO) capabilities and allows sites to make informed authorisation decisions for individual access to protected online resources in a privacy-preserving manner
How does Shibboleth work?
• It works the same way as other web-based single sign-on systems
• The major differences are its adherence to standards and its ability to provide SSO support to services outside a user's organisation while still protecting the user's privacy
Web-based SSO system
• The main elements are:
  – Web browser: represents the user within the SSO process
  – Resource: contains the restricted-access content that the user wants
  – Identity Provider (IdP): authenticates the user
  – Service Provider (SP): performs the SSO process for the resource
Single Sign-On steps
• Step 1: User accesses the resource
• Step 2: Service provider issues an authentication request
• Step 3: User is authenticated at the identity provider
• Step 4: Identity provider issues an authentication response
• Step 5: Service provider checks the authentication response
• Step 6: Resource returns content
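Steps 2, 4 and 5 above as a worked protocol exchange, added here as an example and not code from the slides or from Shibboleth. The IdP side builds a deliberately minimal SAML 2.0 Response; the SP side performs the checks that decide whether to accept it: success status, expected issuer, InResponseTo matching an outstanding request (consumed on first use, so a captured response cannot be replayed), the Conditions time window with a small clock-skew allowance, and an AudienceRestriction naming this SP. The entityIDs, the user and the gateway hostname are assumptions. What is deliberately left out is the XML-Signature verification that Shibboleth performs with the IdP's signing key from metadata; without it the other checks are necessary but not sufficient.

```python
"""Added example: an SP validating an IdP authentication response (SSO step 5).
Constructed, simplified SAML; entityIDs are assumptions; signature checking omitted."""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
CLOCK_SKEW = timedelta(seconds=60)   # tolerance for IdP/SP clock drift


def now():
    return datetime.now(timezone.utc)


def fmt(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def idp_build_response(idp_id, sp_id, in_response_to, name_id, issued_at, lifetime=300):
    """Step 4: the IdP's response after a successful login. A real IdP signs this."""
    nb, na = fmt(issued_at), fmt(issued_at + timedelta(seconds=lifetime))
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_{uuid.uuid4().hex}" InResponseTo="{in_response_to}" IssueInstant="{nb}">
  <saml:Issuer>{idp_id}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_{uuid.uuid4().hex}" IssueInstant="{nb}">
    <saml:Issuer>{idp_id}</saml:Issuer>
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}">
      <saml:AudienceRestriction><saml:Audience>{sp_id}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


class ServiceProvider:
    def __init__(self, entity_id, idp_entity_id):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.outstanding = {}        # request ID -> time issued (step 2 leaves a record)
        self.seen_assertions = set()  # assertion IDs already consumed

    def build_authn_request(self):
        """Step 2: issue an AuthnRequest ID and remember it so the reply can be matched."""
        req_id = "_" + uuid.uuid4().hex
        self.outstanding[req_id] = now()
        return req_id

    def check_response(self, xml_text, at=None):
        """Step 5: returns (accepted, reason, name_id). Signature check not modelled here."""
        t = at or now()
        root = ET.fromstring(xml_text)
        status = root.find("samlp:Status/samlp:StatusCode", NS)
        if status is None or status.get("Value") != SUCCESS:
            return False, "status not Success", None
        if root.findtext("saml:Issuer", namespaces=NS) != self.idp_entity_id:
            return False, "unexpected issuer", None
        req_id = root.get("InResponseTo")
        if req_id not in self.outstanding:
            return False, "unsolicited or replayed InResponseTo", None
        del self.outstanding[req_id]                     # one-shot: blocks replay
        assertion = root.find("saml:Assertion", NS)
        if assertion is None:
            return False, "no assertion", None
        if assertion.get("ID") in self.seen_assertions:
            return False, "assertion replay", None
        cond = assertion.find("saml:Conditions", NS)
        nb, na = parse_time(cond.get("NotBefore")), parse_time(cond.get("NotOnOrAfter"))
        if not (nb - CLOCK_SKEW <= t < na + CLOCK_SKEW):
            return False, "outside validity window", None
        audiences = [a.text for a in assertion.iterfind(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
        if self.entity_id not in audiences:
            return False, "not intended for this SP", None
        self.seen_assertions.add(assertion.get("ID"))
        return True, "accepted", assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


def demo():
    """Genuine response, replay of it, a stale one and one meant for another SP."""
    idp = "https://ngidp.eko-konnect.net.ng/idp/shibboleth"   # assumed entityID
    sp = ServiceProvider("https://sgw.example.org/shibboleth", idp)
    other_sp = "https://other.example.org/shibboleth"
    t0, user = now(), "alice@example.edu.ng"
    req = sp.build_authn_request()
    resp = idp_build_response(idp, sp.entity_id, req, user, t0)
    first = sp.check_response(resp, at=t0 + timedelta(seconds=5))
    replay = sp.check_response(resp, at=t0 + timedelta(seconds=6))
    req2 = sp.build_authn_request()
    late = sp.check_response(idp_build_response(idp, sp.entity_id, req2, user, t0),
                             at=t0 + timedelta(minutes=30))
    req3 = sp.build_authn_request()
    wrong = sp.check_response(idp_build_response(idp, other_sp, req3, user, t0), at=t0)
    return {"first": first, "replay": replay, "late": late, "wrong_audience": wrong}


if __name__ == "__main__":
    print(demo())
```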
How does Shibboleth work? Identity provider discovery, user attributes and metadata
• Identity Provider Discovery: what an SP working with multiple IdPs uses to ask the user which IdP should authenticate them
• User attributes: the ability to receive data about the user from the IdP, e.g. e-mail address or phone number
• Metadata: lets the IdP and SP know which URLs to use when communicating with each other. It carries:
  – A unique identifier known as the entity ID
  – A human-readable name and description
  – A list of URLs to which messages should be delivered, and some information about when each should be used
  – Cryptographic information (certificates) used when signing and verifying messages
• A common function of the federation is to publish a file containing the metadata of all IdPs and SPs that have agreed to work together
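A federation metadata file of the kind described above, parsed into the pieces an SP or IdP needs (entity ID, endpoints per binding, signing/encryption certificates, display name). This is an added example, not code or metadata from the NgREN federation or from Shibboleth: the aggregate is constructed, the federation name and the SP are hypothetical, the IdP entityID and endpoint paths follow the Shibboleth IdP defaults but are assumptions for this host, and the certificate values are placeholders rather than real base64 DER.

```python
"""Added example: reading SAML 2.0 federation metadata. The aggregate below is constructed;
entityIDs, endpoints and certificate contents are assumptions/placeholders."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

IDP_ID = "https://ngidp.eko-konnect.net.ng/idp/shibboleth"       # assumed entityID
IDP_BASE = "https://ngidp.eko-konnect.net.ng/idp/profile/SAML2"  # assumed endpoint base
SP_ID = "https://sgw.example.org/shibboleth"                      # hypothetical SP

SAMPLE_FEDERATION_METADATA = f"""
<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" Name="urn:example:ngren:federation">
  <md:EntityDescriptor entityID="{IDP_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIICplaceholderNotARealCertificate</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="{REDIRECT}" Location="{IDP_BASE}/Redirect/SSO"/>
      <md:SingleSignOnService Binding="{POST}" Location="{IDP_BASE}/POST/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationName xml:lang="en">Eko-Konnect</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">NgREN Catch-All IdP</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">https://ngidp.eko-konnect.net.ng</md:OrganizationURL>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIICplaceholderNotARealCertificateEither</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:AssertionConsumerService Binding="{POST}"
          Location="https://sgw.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def _certs(role):
    """KeyDescriptor -> {use: [base64 cert]}. No 'use' attribute means both uses."""
    out = {}
    for kd in role.iterfind("md:KeyDescriptor", NS):
        use = kd.get("use")
        cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        for u in ([use] if use else ["signing", "encryption"]):
            out.setdefault(u, []).append("".join(cert.split()))   # strip line wrapping
    return out


def parse_federation_metadata(xml_text):
    """Aggregate -> {entityID: {roles, sso, acs, certs, display_name}}."""
    root = ET.fromstring(xml_text)
    entities = {}
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        entry = {"roles": [], "sso": {}, "acs": {}, "certs": {}}
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            entry["roles"].append("IdP")
            entry["sso"] = {e.get("Binding"): e.get("Location")
                            for e in idp.iterfind("md:SingleSignOnService", NS)}
            entry["certs"].update(_certs(idp))
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            entry["roles"].append("SP")
            entry["acs"] = {e.get("Binding"): e.get("Location")
                            for e in sp.iterfind("md:AssertionConsumerService", NS)}
            entry["certs"].update(_certs(sp))
        entry["display_name"] = ed.findtext("md:Organization/md:OrganizationDisplayName",
                                            namespaces=NS)
        entities[ed.get("entityID")] = entry
    return entities


def sso_endpoint(entities, idp_entity_id, binding):
    """Where an SP sends its AuthnRequest for this IdP. None if the IdP is not in the
    federation or lacks that binding: an SP should refuse rather than guess a URL."""
    return entities.get(idp_entity_id, {}).get("sso", {}).get(binding)


if __name__ == "__main__":
    meta = parse_federation_metadata(SAMPLE_FEDERATION_METADATA)
    print(sso_endpoint(meta, IDP_ID, REDIRECT))
```

Since the federation file is what tells each party where to send messages and which key to verify them with, it is itself the thing to protect: in a real deployment the aggregate is signed by the federation operator and the consumer checks that signature before using any of it.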
Reference and Prerequisites
• Linux operating system (CentOS)
• OpenLDAP: http://www.openldap.org
• Shibboleth: http://www.shibboleth.net
• Host certificates
  – For both machines, if installing on separate machines
  – Signed by a CA
Installation of Shibboleth
• Shibboleth consists of several individual components, including:
  – Identity Provider (IdP)
  – Service Provider (SP)
  – Discovery Service
• Installation requires a Java-based web server: Tomcat
• Follow the installation process for your preferred platform
Installation and configuration of LDAP
• LDAP configuration
  – Add modules to the LDAP server
  – Configure the root of the tree and the superuser
  – Add the organisation
• Add and configure users, groups and services
• Secure the host
  – Enable secure (TLS) communication to the LDAP server
  – Add the host certificate
IdP Configuration
• The IdP is a Shibboleth service running in a Java container; this container is based on Tomcat 6
• The IdP configuration covers:
  – Configuration of the firewall on the Tomcat server
  – Configuration of the Shibboleth components
• The components are configured through a series of XML files in the conf directory
Shibboleth XML files
• attribute-filter.xml: which attributes from the LDAP server may be released, and to which SPs
• attribute-resolver.xml: how the IdP resolves these attributes
• handler.xml: what kinds of authentication schemes are allowed
• logging.xml: level and location of logging
• relying-party.xml: the parties that will be able to use the IdP
• Configuration of host security and logging
• Configuration of the authentication/login screen
NgREN Catch-All Identity Provider
Demonstration: http://ngidp.eko-konnect.net.ng
• ngca.eko-konnect.net.ng
• ngidp.eko-konnect.net.ng
• African Grid Science Gateway
Steps
• Step 1: Register
• Step 2: Accept the e-mail confirmation
• Step 3: Mail notification sent to the admin
• Step 4: Admin authorises the account and notifies the user by e-mail
• Step 5: User gets the mail
• You can now access all the service providers that accept authentication from the NgREN catch-all IdP
What can we do?
• NgNOG task force to complement efforts at NUC level to evolve an IdF: http://ngren.edu.ng/news/ngren-hands-on-training-for-dicts-and-staff
• Evolve projects to collate user information in the community in a central database; this can start as spreadsheets per unit, aggregated later
• Join Eko-Konnect to increase demand and resources on the Africa Grid Science Gateway
• Use lessons learned from these functional demonstrations to do similar in NgREN
Thank you for listening
Questions?