ESG-CET Security
September 6, 2014
Frank Siebenlist, Rachana Ananthakrishnan, Neill Miller
ESG-CET All-Hands Meeting, Boulder, Colorado
Earth System Grid Center for Enabling Technologies (ESG-CET)

Single Sign On (SSO) Solutions
• PKI SSO
  • Single Sign On for non-browser applications
  • MyProxy Online CA
  • Auto-provisioning of trust configuration
• Web SSO
  • Single sign on for http/https applications
  • OpenID
MyProxy Login with Provisioning
Components: Application Client + PKI Client; MyProxy Online-CA AuthN Svc; Attribute Service; Authentication DB; Provisioning Database; App Svc.
0. Trusted CA/CRLs (pre-installed on the client)
1. Login with username/password
2. Authentication and attributes retrieval (Authentication DB and Attribute Service)
3. Short-term X509 credentials with attributes, CAs, CRLs returned to the client
4. Access the App Svc using the X509 credentials
5. Update trust roots (from the Provisioning Database)
Web SSO using OpenID
Components: Browser; Application Server acting as Service Provider (SP, also called the Relying Party, SP/RP); Identity Provider (IdP) with Site Attribute Service and Authentication DB.
1. Client accesses the application server
2. Redirected to the Identity Provider
3. User authenticates with the IdP
4. AuthN completed, user identity returned to the SP
5. Authenticated call to the application server
Integrated WebSSO & PKI-SSO
• AuthN DB holds uname/password; both the MyProxy Online-CA AuthN Svc and the OpenID IdP authenticate against it
• PKI Client: u/p => X509 creds; PKI App Svc trusts the CA; access by X509 PK-authN
• Browser Client: u/p => cookie; Web Svc trusts the IdP; access by http-redirect + cookie
Gateway Integration: PKI SSO
• PKI SSO
  • Tested MyProxy Online CA with ESG user database
  • Next steps:
    • Install MyProxy on Gateway
    • Plan integration/shipping with Gateway software
• Bootstrap of MyProxy CA certificate
  • Download from ESG portal
  • Part of ESG client download
  • Investigate pre-configured web start application
Gateway Integration: OpenID SP
• OpenID Service Provider (SP)
  • Provides SSO for gateway portal
  • Prototyped Acegi filter (Gateway team)
  • Next steps:
    • Session management in the portal?
    • Configuration of trusted IdPs
    • Add support to OpenID4Java
Gateway Integration: OpenID IdP
• OpenID Identity Provider (IdP)
  • IdP front-end to username/password database
  • Must comply with the following requirements:
    • SSL should be used for communication
    • Identifiers should be Yadis IDs
  • Next steps:
    • Design and develop IdP service to host on gateway
      • IdP service shell (Gateway team)
      • OpenID specifics (Argonne team)
    • Integrate with ESG user database
Gateway Integration: Open Issues
• Approved list of IdPs
  • Propagate and update white list of IdPs
  • Enforced at ESG-VO's SPs
• Support for external IdPs?
  • Maybe commercial IdP with right "signing-policy"
  • Register with ESG?
• Attribute handling
  • Integrate with IdP
Data Publishing Integration: OpenID SP
• Desktop application to publish data
• Two-phase publishing
  • Desktop application is unaware of OpenID
• Integrated desktop application
  • Handle OpenID redirect to IdP
  • OpenID Python libraries
  • Issue with IdP login page
    • Could be added to IdP profile
• Would PKI-based authentication be easier?
  • PKI client authentication can be built in
  • Investigate dual-client authN option on SPs?
Data node Integration: PKI SSO
• OPeNDAP server
  • Integrate with PKI SSO solution and GridFTP
  • Prototype integration completed (Jose/Stephan)
  • Next steps:
    • MyProxy client/library added to ESG distribution
    • Trusted CA installation
      • MyProxy to provision
  • Is OpenID integration required?
  • Issue with delegation of rights for GridFTP?
• SRM:
  • User access to data servers that don't trust ESG CA?
Product server Integration: OpenID SP
• Components: LAS and F-TDS
• Use case: access via portal
  • Token-authentication solutions can be adopted (Gateway team)
• Use case: direct client access?
  • OpenID SP tomcat filter
  • Integration with backend applications
    • Identity push from LAS to OPeNDAP?
Question
• Current status: if a gateway is down, the user cannot access ESG infrastructure
• Requirement: it is acceptable for 24-48 hours down time
• What does the single sign on solution buy?
Attributes and Authorization
• Two types of attributes: VO and Site attributes
  • Maybe distinguish VO-Gateway attributes?
  • Is the distinction needed for ESG?
  • VO attributes important with non-ESG IdP
• Attribute service options
  • Centralized, Gateway, VO level?
• Attribute retrieval options:
  • Push site attributes with authentication
  • Pull VO attributes post-authentication
  • Pull VO attributes during authorization
Attributes and Domains
• Client's Domain: Client
• Gateway's Domain: Site IdP (IdP attributes: openID, password, affiliation) and Gateway (Gateway attributes: group, role)
• VO's Domain: ESG-VO Svcs (VO attributes: group, role)
Attributes
• October Test-bed target:
  • Only site attributes
  • Attribute store with IdP
  • Push site attributes with authentication
    • OpenID and MyProxy allow for that
• Post-test bed
  • Define transition path to include external IdPs and VO attributes
Attributes and Authorization
• SAML Attribute format
  • Signed SAML Assertions with Attribute Statements
  • Can be independently sent on wire
  • OpenSAML, open source library for SAML processing
• Configuration of attribute release policy
Attributes and Authorization
• Push attributes as a part of authentication
  • OpenID protocol allows push of attributes
  • MyProxy Online CA can embed attributes in issued certificates
• SAML Attribute format
  • Signed SAML Assertions with Attribute Statements
  • Can be independently sent on wire
  • OpenSAML, open source library for SAML processing
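To make the "short-term X509 credentials with attributes" of the MyProxy login flow and the attribute embedding on this slide concrete, here is an added Go example; it is not MyProxy's code, and the attribute extension OID and its ASN.1 layout are assumptions (the deck does not give MyProxy's real format). A modelled online CA issues a 12-hour client certificate carrying group/role attributes in a private extension; the application service verifies the chain against its trust roots at a given time, rejects expired credentials and credentials from CAs it does not trust, and only then reads the attributes. Adding a CA certificate to the service's pool is the step-5 trust-root update.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// attrOID is a hypothetical private-arc OID for the attribute extension (assumed; not MyProxy's).
var attrOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// attribute is one name/value pair; the extension holds a SEQUENCE OF these.
type attribute struct{ Name, Value string }

// OnlineCA models the MyProxy Online-CA: its trust-root certificate and key.
type OnlineCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewClientKey generates a key pair (used here for the CA and the PKI client).
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// NewOnlineCA creates a self-signed CA certificate (constructed, not ESG's).
func NewOnlineCA(name string, now time.Time) (*OnlineCA, error) {
	key, err := NewClientKey()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der) // also fails if creation failed (der is nil)
	return &OnlineCA{Cert: cert, Key: key}, err
}

// Issue is step 3: after username/password authentication (steps 1-2) the CA
// signs a short-lived certificate for the client's key, embedding the attributes.
func (ca *OnlineCA) Issue(user string, attrs map[string]string, pub *ecdsa.PublicKey, now time.Time, lifetime time.Duration) ([]byte, error) {
	var list []attribute
	for n, v := range attrs {
		list = append(list, attribute{n, v})
	}
	encoded, err := asn1.Marshal(list)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: user},
		NotBefore: now.Add(-time.Minute), // small clock-skew allowance
		NotAfter:  now.Add(lifetime),     // short lifetime instead of revocation
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		ExtraExtensions: []pkix.Extension{{Id: attrOID, Value: encoded}}}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, pub, ca.Key)
}

// AppService is the "App Svc"; Roots is its trusted CA set (step 0), refreshed in step 5.
type AppService struct{ Roots *x509.CertPool }

// Accept is step 4: verify the chain to a trusted root at time now and return
// the subject plus embedded attributes; expired or untrusted credentials fail.
func (s *AppService) Accept(der []byte, now time.Time) (string, map[string]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: s.Roots, CurrentTime: now,
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	}
	if err != nil {
		return "", nil, fmt.Errorf("credential rejected: %w", err)
	}
	attrs := map[string]string{}
	for _, e := range cert.Extensions {
		if e.Id.Equal(attrOID) {
			var list []attribute
			if _, err := asn1.Unmarshal(e.Value, &list); err != nil {
				return "", nil, fmt.Errorf("bad attribute extension: %w", err)
			}
			for _, a := range list {
				attrs[a.Name] = a.Value
			}
		}
	}
	return cert.Subject.CommonName, attrs, nil
}
func main() {
	now, svc := time.Now(), &AppService{Roots: x509.NewCertPool()}
	ca, _ := NewOnlineCA("ESG Online CA (constructed)", now)
	key, _ := NewClientKey()
	cred, _ := ca.Issue("alice", map[string]string{"group": "climate", "role": "user"}, &key.PublicKey, now, 12*time.Hour)
	svc.Roots.AddCert(ca.Cert)         // step 0: trust the CA
	fmt.Println(svc.Accept(cred, now)) // alice map[group:climate role:user] <nil>
}
```

Two design points carry over to the real deployment: the attributes are only read after the chain has been verified, so an attacker cannot inject group or role values by presenting a self-made certificate; and the credential's short lifetime is what lets the data nodes get by with CA certificates and CRLs provisioned in step 0/5 rather than an online revocation check on every access.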
Gateway Integration: SSO & Attributes
• Attribute Provider
  • Remote interface to pull down attributes
  • SAML Attribute Query Interface?
• PKI SSO
  • Integrate to pull attributes from site attribute provider
  • Embed in certificate
    • SAML attribute assertion or X509 attribute cert?
• Web SSO
  • Pull from site attribute provider
  • Interface in OpenID4Java to callout to attribute provider
  • SAML?
Gateway Integration: Open Issues
• VO attributes
  • Either if external IdPs are used, or used in addition to site attributes
  • Attribute service hosted by gateways
  • Central ESG-VO attributes and attribute service?
  • SPs pull down attributes from Attribute Service
• Configuration of attribute release policy?
  • Not required if IdP is set up for ESG use only
  • VO membership of SPs is implicit white-list
Service Providers and Attributes
• Product services SP:
  • Only relevant in direct access use case
  • Might have to push attributes through to back end applications
• Other SPs:
  • Relevant for authorization filters only
Attributes and Authorization
• Authorization policy
  • Centralized policy (or)
  • Per gateway with only policy on resources owned by gateway's site (or)
  • Combination of both?
• Centralized policy
  • Replicate to gateway
• Partitioned policy
  • Gateway stores policy only about the resources it owns
  • Does this improve reliability?
Attributes and Authorization
• Authorization policy
  • How is it implemented today?
Attributes and Authorization
• Authorization service interface for remote access
  • Web services? Protocol needed?
• Configuration for trusted authorization service(s) in application callbacks
  • Endpoint of service
  • Identity of service
  • Trusted certificate
Service Providers and Authorization
• Gateway Integration
  • Acegi filter to callback to authorization service (embedded?)
• Data node Integration
  • Callback to authorization service
  • Do we need to push attributes?
  • GridFTP authorization callout can be used
• Product services Integration
  • Access through portal
    • Token based authorization
  • Direct user access
    • Not relevant for now
    • Define transition path for post-test bed
Security Configuration for Deployment
• OpenID Identity Providers:
  • Attribute service endpoint
  • White-list of SPs
• OpenID Service Providers:
  • White-list of IdPs
  • Authorization (and Attribute) service endpoints
• MyProxy server:
  • CA and CRLs
  • Attribute service endpoint
• PKI Service Providers:
  • MyProxy server endpoint
  • CA and CRLs
  • Authorization service endpoints
• PKI Clients:
  • MyProxy Server endpoint and bootstrap trust-root
  • VO's CAs and CRLs
Attribute and meta data replication
• Meta data replication service
  • Search meta data replication
    • If gateway serves multiple VOs
  • No replication
    • Remote query
    • Performance issues
    • Partial search results
  • Database based replication
    • No gateway dependency
    • Replication Service (ISI)
Attribute and meta data replication
• Security meta data
  • Replicate user membership and resource authz policies
• Metrics reporting issues
  • Exchange all information except user credentials
• Explore JMS as solution
  • Event driven system
  • Transaction based system - eliminates gateway dependency