External Identity and Authorization in GENI

Upload: simon-gregory

Post on 28-Dec-2015


Page 1: External Identity and Authorization in GENI

kjk@internet2.edu

Topics
• Federated identity and virtual organizations
• ABAC
• Creating and transporting attributes

Page 2:

Federated identity

• Builds on deployed authentication services
• Identity Provider (IdP) services at universities etc.
• IdPs handle logins (single sign-on) and assert attributes
• Can supply roles, permissions, common attributes (name, organization, affiliations, citizenship, capabilities, etc.)
• Uses SAML and metadata (aka Shibboleth)
• International trust fabric now being deployed on Internet-scale, first in R&E but expanding to other sectors
• Greater than 150M world-wide, 5M US, exponential growth

Page 3:

Diagram (labels only): Duke Shibboleth Identity Provider (IdP); Users and “hands-free” tools; HTTPS, XMLRPC / SOAP; Web Service Portal (SP); Authenticated user identity; Attributes for authorization.

Page 4:

Advantages

• Institutions maintain the accounts (they do it anyway)
• Secure privacy-preserving login
• Single sign on (SSO)
• Expiration/revocation!
• Institutions can hold their users accountable
• Supplies attributes for access control (e.g., ABAC)
  • Standard attributes (student, faculty, etc.)
  • Groups: easy to create and maintain
  • Course enrollment, research group, etc.
• Use COmanage for Virtual Organizations (e.g., GENI)

Page 8:

Duke’s Shibboleth IdP says: “The user is authenticated as [email protected], a Duke professor who is a member of the group cs.geni.test”.

Page 9:

Code snippet from portal source: get session attributes.

Page 10:

Config snippet from the portal’s web.xml descriptor. It says: “let OIOSAML filter access to this Web portal” with the configured IdP bindings.

Page 15:

“Remove Chase from the group cs.geni.test”.

Page 16:

On next login, Duke’s Shibboleth IdP says: “The user is authenticated as [email protected], a Duke professor who is not a member of any group.”

Page 18:

Allocation policy considers group membership attributes of requester (ABAC).

Page 19:

Attribute-Based Access Control (ABAC)

• This simple example illustrates ABAC.
• The attributes are asserted by an IdP.
• The resource broker policy trusts and understands attributes from this source.
• The policy uses the attributes to make a policy decision.
  • Authorization
  • Resource Control
• Shibboleth and ABAC work together.
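The sequence on pages 8 to 18 as a worked example, added here and not taken from the slides or from the ORCA portal: parse the attributes the IdP asserts about the user and make the ABAC allocation decision on them. The policy, the principal name and the SAML sample are constructed.

```python
"""Added example, not code from the slides: parse the attributes a SAML IdP
asserts (pages 8 and 16) and apply an ABAC allocation policy (page 18).
Policy, principal name and sample assertion are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# eduPerson attribute names (OIDs) as released by Shibboleth IdPs.
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName
AFFILIATION = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"   # eduPersonAffiliation
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"  # isMemberOf

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def allocation_decision(attrs, required_group="cs.geni.test"):
    """Constructed ABAC policy: only faculty who are members of the project
    group may allocate. Validating the assertion's signature is the SP's job
    before this point; a missing attribute denies rather than defaults."""
    if "faculty" not in set(attrs.get(AFFILIATION, [])):
        return False, "not faculty"
    if required_group not in set(attrs.get(IS_MEMBER_OF, [])):
        return False, f"not a member of {required_group}"
    return True, f"{attrs.get(EPPN, ['?'])[0]} may allocate"

def assertion(groups):
    """Constructed AttributeStatement for the professor of page 8; the group
    list is empty after the removal on page 15."""
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{EPPN}"><saml:AttributeValue>prof@idp.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{AFFILIATION}"><saml:AttributeValue>faculty</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{IS_MEMBER_OF}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(allocation_decision(parse_attributes(assertion(["cs.geni.test"]))))  # (True, 'prof@idp.example may allocate')
    print(allocation_decision(parse_attributes(assertion([]))))  # (False, 'not a member of cs.geni.test')
```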

Page 20:

A Few Points about SFA 2.0

• SFA 1.0
  • Specified identity/trust mechanisms and attributes.
• SFA 2.0
  • Mechanisms of SFA 1.0 are optional
  • They are instances of an open framework.
  • Shibboleth+ABAC is SFA-compliant.
  • SFA server policies may choose which IdPs and attributes to consider.

Page 21:

COmanage and GENI

• CO is a platform supporting the work of VOs, using enterprise tools (including Shib and Grouper) reassembled for VO use
• COmanage is a platform that allows federated identities to be gathered, assigned attributes and fed to applications
• Consistent identity and group management across apps
  • Collaboration apps (wikis, listprocessors, IM, videoconferencing, file shares, etc.)
  • Domain apps (grids, ssh-based, etc.)
• Provides scalable, secure, federated, flexible A/A to apps
• A GENI cluster, or GENI itself, could be well-served on a COmanage instance

Page 22:

COmanage Elements

Diagram (labels only): Data Store.

Page 23:

Flows

Diagram (labels only): Data Store; Users; Portal/Gateway SP; Collabmins (RA’s, PI’s, sysadmins, etc.); A/A.

Page 24:

Sample Flows of attributes

Diagram (labels only): Enterprise; Data Store; Project comanage; Relying Party; Enterprise.

Page 25:

What’s in a COmanage data store

Enterprise Attributes      Project/VO attributes
Federated Id               PI groups
Enrolled classes           Wiki editing permissions
Display name               Instrument permissions
Citizenship                VO certificates
Enterprise affiliation     …

Page 26:

Collabmin GUI

Page 27:

Demo 1

• Using enterprise-based identity to assign GENI privileges
  • Enterprise authentication
  • Enterprise located groups
  • Transported to portal by SAML, consumed and carried within ORCA

Page 28:

Demo 1 basics

• On the user side, Duke identities (PI’s, RA’s, students) are assigned ORCA permissions through standard Duke group management tools
• On the ORCA web portal side, Shib relying party code was added to the Java server.
  • It consumes assertions from Duke Shib identity provider
  • Those attributes are fed to an ORCA policy engine, which creates ORCA native credentials and sends them on
• Users going to the ORCA portal are redirected to authenticate at Duke (unless already authenticated)

Page 29:

Demo 2

• Using enterprise identity and VO attributes to control ORCA
  • Enterprise asserts identity
  • VO asserts groups and privileges
• Integrated into the larger VO science and collaboration environment
• Permissions (fine-grain authz) also possible