Contrail and Federated Identity Management

Philip Kershaw, RAL Space, STFC

Jens Jensen, e-Science, STFC

(and others: XLab, CNR, INRIA …)

contrail is co-funded by the EC 7th Framework Programme

contrail-project.eu

Outline

• Contrail overview and goals

• Architecture

• Single sign-on

• Delegation requirements

• Delegation solutions

• OAuth flow

• Conclusions

• Collaborations

Contrail Overview and Goals

• EC FP7 Project, led by INRIA, 36 months, completes Sept 2013

• Federation of cloud providers

• Federation with external IdPs

• “Elastic” CAs for dynamically created services

• Autonomous SLA management from SLA@SOI project

• IaaS and PaaS integration

• Reuse of existing open standards:

  OVF, OCCI, CDMI

  WS-Security

  SLA@SOI models


Federated access to resources, building on existing identity federations


Architecture

[Architecture diagram: Federation of Cloud Providers. Components: Federation CLI, Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API. Browser and rich client access.]

Architecture – Single Sign-on

[Diagram: the same components (Cloud Providers, Federation CLI, Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API). Single sign-on is marked at three points, together with credentials mapping.]

Architecture - Delegation

[Diagram: the same components (Cloud Providers, Federation CLI, Browser, Federation Web Portal, Federation core, Online CA, Federation Identity Provider, REST API), annotated "Multiple delegation hops".]

Delegation … but how?

• A delegator delegates authority to another party, the delegatee

• The rights the delegatee inherits can vary, e.g.

  • Identity-based – inherits all the rights of the user

  • Inherits only the right to access a single resource

• Some technology options:

  • GSI proxy certificates

  • OAuth 1.0 (CILogon), OAuth 2.0?

  • Others…

Delegation: technology options

• GSI proxy certificates

  • Delegatee inherits all the rights of the user

  • Custom SSL/TLS extensions needed to support verification: a stock TLS stack does not validate a proxy-certificate chain without extra configuration

• OAuth 1.0

  • Gained traction in the commercial environment: Twitter etc.

  • Digital signature over HTTP request artefacts (method, URI, parameters) – canonicalisation can be problematic, since client and server must produce byte-identical signature base strings

• OAuth 2.0

  • Simplified flow

  • Uses SSL/TLS instead of per-request signatures: no digital signature implementation necessary, but the bearer access token is then only as safe as the TLS channel carrying it

• CILogon

  • Uses OAuth to protect a short-lived credential service (SLCS), but based on OAuth 1.0

  • Delegatees obtain a standard End Entity Certificate, verifiable by any standard TLS stack (unlike a proxy certificate)

• SLCS + OAuth 2.0 ✔
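The canonicalisation point is easier to see in code. The following is an added example written from RFC 5849 section 3.4 (it is not Contrail, CILogon or any library's code): it builds the OAuth 1.0 HMAC-SHA1 signature base string and shows that two spellings of the same request (upper-case host, explicit default port, `%20` versus `+`) must canonicalise to one byte-identical string, because the verifier recomputes the signature from its own view of the request. The consumer key, token, secrets and the `slcs.example.org` URL are constructed sample values.

```python
"""OAuth 1.0 HMAC-SHA1 request signing per RFC 5849 section 3.4 (added
illustration, written from the RFC; not Contrail or CILogon code)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit


def pct(s: str) -> str:
    """RFC 3986 percent-encoding: only ALPHA / DIGIT / '-' '.' '_' '~' left bare."""
    return quote(str(s), safe="-._~")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lower-case scheme and host, drop default port and query."""
    u = urlsplit(url)
    scheme, host, port = u.scheme.lower(), u.hostname.lower(), u.port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    if port and not default:
        host = f"{host}:{port}"
    return f"{scheme}://{host}{u.path}"


def normalised_params(url: str, oauth_params: dict, body_params=None) -> str:
    """Section 3.4.1.3: query + form body + oauth_* params (but never
    oauth_signature), each decoded then re-encoded, sorted by name then value."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += list((body_params or {}).items())
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    return "&".join(f"{k}={v}" for k, v in sorted((pct(k), pct(v)) for k, v in pairs))


def signature_base_string(method, url, oauth_params, body_params=None) -> str:
    """Section 3.4.1.1: METHOD & enc(base URI) & enc(normalised params)."""
    return "&".join([method.upper(), pct(base_string_uri(url)),
                     pct(normalised_params(url, oauth_params, body_params))])


def sign(method, url, oauth_params, consumer_secret, token_secret="", body_params=None):
    """Section 3.4.2: HMAC-SHA1 keyed with enc(consumer secret) & enc(token secret)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    sbs = signature_base_string(method, url, oauth_params, body_params).encode()
    return base64.b64encode(hmac.new(key, sbs, hashlib.sha1).digest()).decode()


def verify(method, url, oauth_params, consumer_secret, token_secret="", body_params=None):
    """Server side: recompute from the server's own view and compare in constant time."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body_params)
    return hmac.compare_digest(oauth_params.get("oauth_signature", ""), expected)


# Constructed sample values; any resemblance to real keys is accidental.
OAUTH = {
    "oauth_consumer_key": "portal-client",
    "oauth_token": "user-delegation-token",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1350000000",
    "oauth_nonce": "n0nce",
    "oauth_version": "1.0",
}
# The same request written two ways: host case, explicit :443, %20 vs '+', param order.
URL_A = "HTTPS://Slcs.Example.org:443/certificate?cn=alice%20b&ttl=3600"
URL_B = "https://slcs.example.org/certificate?ttl=3600&cn=alice+b"


def demo():
    sig_a = sign("POST", URL_A, OAUTH, "c0nsumer", "t0ken")
    sig_b = sign("post", URL_B, OAUTH, "c0nsumer", "t0ken")
    signed = dict(OAUTH, oauth_signature=sig_a)
    return {
        "base_string": signature_base_string("POST", URL_A, OAUTH),
        "same_request_same_signature": sig_a == sig_b,
        "verifies": verify("POST", URL_B, signed, "c0nsumer", "t0ken"),
        # A changed ttl changes the base string, so the old signature no longer fits.
        "tampered_rejected": not verify("POST", URL_B.replace("3600", "999999"),
                                        signed, "c0nsumer", "t0ken"),
    }
```

Every step in `base_string_uri` and `normalised_params` is a place where two implementations can disagree (a server that keeps the `+`, or forgets to drop `:443`, will reject a valid signature), which is the practical cost the slide refers to; OAuth 2.0 bearer tokens avoid it by signing nothing and relying on TLS.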

OAuth Flow

[Diagram, repeated across the flow slides with one step highlighted each time: the architecture components with OAuth roles assigned as follows.]

  Federation Web Portal – OAuth client

  Federation Identity Provider – OAuth authorisation server

  Online CA – OAuth resource server

  Browser – the user's user agent

  Federation core – the services reached with the delegated credential; Cloud Providers – federated by the core

Objective: get a delegated credential for the portal to make onward requests to the federation core.

1. User request (browser to portal)

2. Portal requests authorisation for delegation from the user

3. User is redirected to the authorisation server

4. User authenticates and approves the delegation request

5. Authorisation grant is returned to the portal via a redirect back to the portal

6. Portal requests a certificate (which plays the role of the OAuth access token in this design), passing the authorisation grant as proof of user approval

7. Online CA authenticates the portal and returns the certificate

8. Portal uses the certificate to authenticate with core services

9. Further delegation needed: ‘2-legged’ OAuth
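Steps 1 to 8 above, as an added example (it is not Contrail's portal, IdP or Online CA code): an OAuth 2.0 authorisation-code flow protecting a short-lived credential service, simulated in a single Python process with only the standard library. The client id, client secret and callback URL, the user names, the `slcs` scope, and the HMAC-signed record standing in for the X.509 end-entity certificate are all assumptions made for the example. It shows the checks each side has to make for the bearer-token design to be safe: redirect URI bound to the registered client, `state` verified by the portal, the authorisation code redeemed once only and only by the authenticated client, token scope and expiry enforced by the Online CA, and the issued credential verifiable by the core service. Step 9 (onward, ‘2-legged’ delegation) is not modelled.

```python
"""OAuth 2.0 authorisation-code flow in front of a short-lived credential service
(SLCS), simulated in one process. Added illustration, not Contrail code. Roles as on
the slides: portal = client, federation IdP = authorisation server, online CA =
resource server. The 'certificate' is an HMAC-signed record standing in for an
X.509 EEC so that the example runs with the standard library only."""
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

PORTAL_ID, PORTAL_SECRET = "federation-portal", "s3cret-portal-key"  # constructed
PORTAL_REDIRECT = "https://portal.example.org/oauth/callback"          # hypothetical


class AuthorisationServer:
    """Federation IdP: hands out one-time codes and short-lived bearer tokens."""

    def __init__(self):
        self.clients = {PORTAL_ID: (PORTAL_SECRET, PORTAL_REDIRECT)}
        self.codes, self.tokens = {}, {}

    def authorise(self, client_id, redirect_uri, scope, state, user, approved):
        # Steps 3-5. redirect_uri must equal the registered value, or a code
        # could be bounced to a site the attacker controls.
        if client_id not in self.clients or redirect_uri != self.clients[client_id][1]:
            raise PermissionError("unknown client or redirect_uri mismatch")
        if not approved:
            return f"{redirect_uri}?{urlencode({'error': 'access_denied', 'state': state})}"
        code = secrets.token_urlsafe(24)
        self.codes[code] = (client_id, scope, user, time.time() + 60)  # 60 s to redeem
        return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"

    def token(self, client_id, client_secret, code):
        # Step 6: client authenticates, then swaps the one-time grant for a token.
        secret = self.clients.get(client_id, (None, None))[0]
        if secret is None or not hmac.compare_digest(client_secret, secret):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # pop: a code can be redeemed once
        if entry is None or entry[0] != client_id or time.time() > entry[3]:
            raise PermissionError("invalid, expired or reused authorisation code")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (entry[2], entry[1], time.time() + 300)
        return token

    def introspect(self, token):
        entry = self.tokens.get(token)
        if entry is None or time.time() > entry[2]:
            return None
        return {"user": entry[0], "scope": entry[1]}


class OnlineCA:
    """Resource server: issues a credential for whoever the bearer token names."""

    def __init__(self, auth_server, ca_key):
        self.auth_server, self.ca_key = auth_server, ca_key

    def _sig(self, body):
        return hmac.new(self.ca_key, json.dumps(body, sort_keys=True).encode(),
                        hashlib.sha256).hexdigest()

    def issue(self, authorization_header, ttl=3600):
        # Step 7: 'Authorization: Bearer <token>'; TLS keeps it secret, there is
        # no per-request signature as in OAuth 1.0.
        scheme, _, token = authorization_header.partition(" ")
        info = self.auth_server.introspect(token) if scheme == "Bearer" else None
        if info is None or "slcs" not in info["scope"].split():
            raise PermissionError("no valid token with slcs scope")
        body = {"subject": f"CN={info['user']}", "issuer": "CN=Simulated Online CA",
                "not_after": int(time.time()) + ttl}
        return {**body, "sig": self._sig(body)}

    def verify(self, cert):
        # Step 8: a core service checks issuer signature and lifetime.
        body = {k: v for k, v in cert.items() if k != "sig"}
        return (hmac.compare_digest(cert.get("sig", ""), self._sig(body))
                and time.time() < body["not_after"])


def run_flow(approved=True):
    """Drive steps 1-8 for user 'alice'; returns (cert or None, idp, ca)."""
    idp = AuthorisationServer()
    ca = OnlineCA(idp, ca_key=secrets.token_bytes(32))
    state = secrets.token_urlsafe(16)  # step 2: binds the callback to this session
    cb = idp.authorise(PORTAL_ID, PORTAL_REDIRECT, "slcs", state, "alice", approved)
    qs = parse_qs(urlsplit(cb).query)
    if qs.get("state", [None])[0] != state:  # portal drops forged callbacks
        raise PermissionError("state mismatch")
    if "code" not in qs:
        return None, idp, ca
    token = idp.token(PORTAL_ID, PORTAL_SECRET, qs["code"][0])
    return ca.issue(f"Bearer {token}"), idp, ca


def code_reuse_is_rejected():
    idp = AuthorisationServer()
    cb = idp.authorise(PORTAL_ID, PORTAL_REDIRECT, "slcs", "st", "bob", True)
    code = parse_qs(urlsplit(cb).query)["code"][0]
    idp.token(PORTAL_ID, PORTAL_SECRET, code)
    try:
        idp.token(PORTAL_ID, PORTAL_SECRET, code)  # replay of a redeemed code
    except PermissionError:
        return True
    return False
```

Because OAuth 2.0 drops per-request signatures, everything the Online CA trusts rests on the TLS channel and on the token checks above; in a deployment the `introspect` call would be an HTTPS request to the IdP (or a signed token the CA can validate itself) rather than an in-process dictionary lookup.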

Development Status

• Web portal and federation SSO demonstrated with support for:

  • SAML

  • OpenID

• Command line SSO with shell script client to the Short-Lived Credential Service (X.509 EECs)

• Delegation with a 2-legged OAuth-like interface; full OAuth to be integrated

Technology used

Federation Web

  User interface: Python 2.7+ / Django 1.4 / buildout / Apache2

  SAML2: Djangosaml2 v0.5

  OpenID: Django-authopenid

Federation IdP

  IdP: SimpleSAMLphp 1.9 rc2

  User DB: Java 6 / JPA subclipse / Tomcat


Conclusion

Single sign-on support with:

  Browser: SAML2 and OpenID

  Other clients: X.509 short-lived end entity certificates

Delegation with an OAuth 2.0-protected Short-Lived Credential Service

Can we offer Federation-in-a-box or federation-as-a-service?

=> Federated access to resources, building on existing identity federations.


Contrail collaborations

• Contrail evaluation with:

• EUDAT, CLARIN, ENES

• EGI federated cloud task force

• Climate science and Earth Observation communities: OAuth solution for workflows

• OGF groups

• FEDSEC-CG: federated identity for grids and clouds

• IDEL-WG: working group on identity delegation

• Cloud security activities

• ... Moonshot


Funded under: FP7 (Seventh Framework Programme)

Area: Internet of Services, Software & virtualization (ICT-2009.1.2)

Project reference: 257438

Total cost: 11.29 million euro

EU contribution: 8.3 million euro

Execution: From 2010-10-01 till 2013-09-30

Duration: 36 months

Contract type: Collaborative project (generic)