
CERN Single Sign-On

CERN Single Sign-On, Summer 2012 Updates. Emmanuel Ormancey (IT-OIS). Primary objective: prepare CERN Authentication for IAA; extend SSO to the HEP community through Federation; allow HEP members to access CERN resources with their local IDs; decrease the ‘CERN Account’ requirement.





Presentation Transcript


  1. CERN Single Sign-On

    Summer 2012 Updates Emmanuel Ormancey (IT-OIS)
  2. Primary objective
     - Prepare CERN Authentication for IAA
       - Extend SSO to the HEP community through Federation
       - Allow HEP members to access CERN resources with their local IDs.
       - Decrease the ‘CERN Account’ requirement
     - Extend SSO to Public Services authentication (Google, Facebook, etc.)
       - Allow people to access CERN resources with their public credentials (e.g. Gmail account)
       - Decrease the ‘Lightweight Account’ requirement
     SSO - Summer 2012 Updates - 2
  3. Technical objectives
     - Improve service, fix issues and requests
     - Provide Strong Authentication methods: SMS one time password, Yubikey, Smartcard
     - Allow SSO Authentication using scripts & programs
     - Facilitate SSO management for Application owners
     - Address the large number of E-Groups problems (‘Header too big’ Apache issue)
  4. SSO Management Site: http://cern.ch/sso-management
     - Application registration & lifecycle: reassign the registration to another account.
     - Identity Class (Basic) Authorization: using the Identity Class, restrict access to the Application at the SSO level. Lightweight accounts are not authorized by default.
     - E-Groups Authorization Filter: the E-Groups needed for Authorization. User token size is decreased, containing E-Group membership only within the E-Groups filter.
  5. Identity Class Authorization
     - Provide Basic Authorization using a unique value representing the level of assurance (LoA) of the user and the authentication method used.
     - Default basic authorization is set to CERN Registered only.
     - Configuration at SSO level through http://cern.ch/sso-management
     - Configuration at Application level through the usual configuration files.
  6. The Road to 5 Identity Classes
  7. E-Groups Authorization
     - Current situation: an account can be a member of hundreds of E-Groups. The token size can be huge when the Application needs only some of them to handle Authorization.
     - New Authorization E-Groups Filter: define the list of E-Groups needed for Authorization. The User token will contain E-Group membership only within the E-Groups filter.
  8. Authentication Methods
     - Standard Authentication:
       - Forms: the user types in his login and password.
       - Kerberos or Windows: reuse the current Kerberos or Windows (NTLM) credentials for authentication.
       - Certificates: use your CERN CA or EuGridPMA (IGTF) trusted certificate to authenticate.
     - Two Factor Authentication:
       - Smartcard: use a CERN Smartcard to authenticate (pilot, see http://cern.ch/smartcards).
       - Yubikey: use a Yubikey hardware token to authenticate.
       - SMS One Time Password: validate your authentication with a PIN code sent by SMS to your CERN GSM.
     - Federation Authentication: USATLAS/BNL, INFN, Switch AAI, etc.: coming soon.
     - Public Services Authentication: Google, Facebook, Live, Yahoo, Orange.
  9. Federation & Social ID
     - Federation Authentication: USATLAS/BNL & INFN: testing; Switch AAI: coming soon.
       - Can be used to authenticate a CERN Account: IdentityClass = HEP Trusted
       - Can be used to authenticate any other: IdentityClass = Anonymous Identity
     - Public Services Authentication: using standards (OAuth, OpenID).
       - Cannot be used to authenticate a CERN Account: IdentityClass = Anonymous Identity
       - Can be added in E-Groups (email based)
  10. Login on SSO process (CERN Account or Federation/Social Account)
      - Identity Provider (login.cern.ch): Authentication + Authorization based on IdentityClass.
      - Service Provider (Web App): Authorization based on E-Groups, IdentityClass and any other available attribute.
      - CERN Account: Web App -> login.cern.ch -> Active Directory (login or email lookup). Token: UPN: emmanuel.ormancey@cern.ch; IdentityClass: CERN Registered; E-Groups: it-dep-ois; atlas-members; ...
      - Federation / Social Account: Web App -> login.cern.ch -> Federation / Social site -> Active Directory (email lookup). Token: UPN: emmanuel.ormancey@gmail.com; IdentityClass: Anonymous Identity; E-Groups: alice-friends; twiki-reader; ...
  11. Demo…
      - http://cern.ch/sso-management: list applications & Management page
      - https://shib2.cern.ch: authenticate with Facebook (and display the Application authorization page)
      - Show Strong Authentication systems: demo SMS OTP
  12. More…
      - Help and Documentation: http://cern.ch/login
      - SSO Management: http://cern.ch/sso-management
      - Demo site: https://shib2.cern.ch
      - Support: service-desk@cern.ch
  13. Questions? Contact: emmanuel.ormancey@cern.ch
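The two-stage authorization the slides describe (IdentityClass check at the SSO level, the E-Groups filter shrinking the token, then E-Group authorization in the application) as an added Python model; this is not CERN's code, and the registration fields, identity class strings and sample accounts are assumptions constructed for illustration.

```python
# Added example (not CERN's code): models the authorization flow from slides 4, 5, 7 and 10.
# Identity class names, the registration fields and the sample accounts are assumptions.
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    upn: str
    identity_class: str      # e.g. "CERN Registered", "Anonymous Identity"
    egroups: frozenset       # full membership, possibly hundreds of E-Groups

@dataclass(frozen=True)
class AppRegistration:
    name: str
    # Identity classes accepted at the SSO level; default is CERN Registered only (slide 5).
    allowed_identity_classes: frozenset = frozenset({"CERN Registered"})
    # E-Groups Authorization Filter (slide 7); only these memberships reach the token.
    egroup_filter: frozenset = frozenset()

class NotAuthorized(Exception):
    pass

def issue_token(account: Account, app: AppRegistration) -> dict:
    """Identity Provider side: reject accounts whose IdentityClass the application
    does not accept, then emit a token carrying only the filtered E-Groups."""
    if account.identity_class not in app.allowed_identity_classes:
        raise NotAuthorized(f"{account.upn}: {account.identity_class} not allowed for {app.name}")
    return {
        "upn": account.upn,
        "identity_class": account.identity_class,
        "egroups": sorted(account.egroups & app.egroup_filter),
    }

def app_authorize(token: dict, required_egroups: set) -> bool:
    """Service Provider side: authorize on the (already filtered) E-Group claims."""
    return bool(set(token["egroups"]) & required_egroups)

# Constructed sample data; UPNs and group names follow the slide 10 diagram, with
# 300 filler groups to show the token shrinking under the filter.
CERN_USER = Account("emmanuel.ormancey@cern.ch", "CERN Registered",
                    frozenset({f"filler-group-{i}" for i in range(300)} | {"it-dep-ois", "atlas-members"}))
SOCIAL_USER = Account("emmanuel.ormancey@gmail.com", "Anonymous Identity",
                      frozenset({"alice-friends", "twiki-reader"}))
WEBAPP = AppRegistration("webapp", egroup_filter=frozenset({"atlas-members", "twiki-reader"}))
PUBLIC_APP = AppRegistration("public-twiki",
                             allowed_identity_classes=frozenset({"CERN Registered", "Anonymous Identity"}),
                             egroup_filter=frozenset({"twiki-reader"}))
```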