Presentation on Federated identity and Access Management

731 views

Published on

Presentation on Federated Identity and Access Management for NRENs and deployment of a Catch-All Identity Provider for the Nigerian Research and Education Network (NgREN) given at the NgNOG Meeting in the University of Benin

Published in: Education, Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
731
On SlideShare
0
From Embeds
0
Number of Embeds
2
Actions
Shares
0
Downloads
26
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  •  
  • See https://refeds.org/resources/resources_info.html for talking notes
  • EduERP already set up with faculty and groupings useful in attribute mapping but can be created in OpenLDAP or other directory.
  • I identity provider for every campus to be plugged into the catch-all
  • Presentation on Federated identity and Access Management

    1. 1. Federated Identity Management for NRENs and access to eInfrastructures Cletus Okolie NOC Manager Eko-Konnect Research and Education Initiative okoliec@eko-konnect.net.ng 08023824246 09/11/2013 ngNOG VIII - University of Benin
    2. 2. Outline • Participation in WACREN project: eI4Africa • What are e-Infrastructures? • Public Key Infrastructure – Certification Authorities • Federated Identity Services – Terms and Principles • What is a Science Gateway? • NgREN Catch-All Identity Provider Deployment • Demo 09/11/2013 ngNOG VIII - University of Benin
    3. 3. eI4Africa • A EU/FP7 project funded by the EC (DG CONNECT) under the ‘Capacities Programme’ • Spanning 24 months (Nov. 2012 - Oct. 2014) • With the aim of: – Boosting the Research, Technological Development and Innovation (RTDI) potential of African e-Infrastructures – Supporting policy dialogues – Enhancing Africa-EU cooperation • In the framework of the joint Africa-EU Strategic Partnership on – Trade, regional integration and infrastructures (JAES Partnership 3) – Science, information society and space (JAES Partnership 8) 03/07/2013 WACREN AGM - Abuja 2013
    4. 4. Objectives • Outreach – Build cooperation between Euro-African NRENs, RENs & user communities – Raise awareness at policy level on the benefits & value of REN – Promote/strengthen Euro-African collaborative research on eInfrastructures & their applications • Produce a state-of-the-art study of e-Infrastructure application uptake in Africa • Flagship demonstrations from other continents & illustrate their relevance to the African context in order to stimulate policy dialogue on e-Infrastructures • Stimulate targeted policy and regulatory discussions 03/07/2013 WACREN AGM - Abuja 2013
    5. 5. Virtuous Circle of eI4Africa Activities 09/11/2013 ngNOG VIII - University of Benin
    6. 6. e-Infrastructures • ICT elements that support e-Science • e-Science - novel, large-scale inter-disciplinary global collaborations between scientists and researchers across many different areas. • ICT Elements – high-speed research communication networks – powerful computational resources (dedicated high performance computers, clusters, large numbers of commodity PCs) – grid and cloud technologies, data infrastructures (data sources, scientific literature), – sensors, web-based portals, scientific gateways and mobile devices. • When integrated together = e-Infrastructures 03/07/2013 WACREN AGM - Abuja 2013
    7. 7. A potential user of an e-infrastructure needs …. • • • • • • • • • • A more powerful computer to run an application A great number of these computers to deliver results faster Access to specialized High Performance Computing facilities Access to large data sources Access to software not available To collaborate with other scientists across the world Access to scientific literature resources To connect to specialized instrumentation for analysis To connect to sensors for data collection Access to these facilities via a web-based portal or mobile device 09/11/2013 ngNOG VIII - University of Benin
    8. 8. Vision for African e-Infrastructure The el4african vision is a standard-based fully interoperable ICT platform that will enable Scientist to do better research with collaborators across Africa and in other regions. New training and education programs will be available to form the new generation of African e-researchers able to tackle problems affecting the region 09/11/2013 ngNOG VIII - University of Benin
    9. 9. Technical Services Teams • African organizations in the eI4Africa technical services teams – Eko-Konnect (Nigeria) – JKUAT and Kenya (Kenya) – MERAKA (South Africa) – TERNET (Tanzania) – MAREN (Malawi) – More welcome!! 09/11/2013 ngNOG VIII - University of Benin
    10. 10. Outputs • Certification Authorities – Nigeria, Kenya, Tanzania, South Africa, Malawi – Deployed and issuing X.509 certificates tested on GILDA t-Infrastructure • Catch-All Identity Providers – Nigeria, Kenya, South Africa, Tanzania • Africa Grid Science Gateway • Capacity building for resource sharing across geographic and organisation boundaries with established PKI Infrastructure 03/07/2013 WACREN AGM - Abuja 2013
    11. 11. Federated Identity Services, Certification Authorities & Science Gateways Principles and Terminology 09/11/2013 ngNOG VIII - University of Benin
    12. 12. Public Key Infrastructure A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed 09/11/2013 ngNOG VIII - University of Benin
    13. 13. PKI Concepts • Certification Authority – CA - issues and verifies the digital certificates • Registration Authority – RA - verifies the identity of users requesting information from the CA. Can be one or more • Validation Authority – VA - responsible for providing information on whether certificates are valid or not. Can be one or more • End Entity - user, such as an e-mail client, a web server, a web browser or a VPN-gateway. 09/11/2013 ngNOG VIII - University of Benin
    14. 14. PKI Access Flow • A user applies for a certificate with his public key at a Registration Authority (RA) • User identity is confirmed and certificate is issued • The user digitally signs the new certificate • The Validation authority checks the identity of the issued certificate • Implemented in software
CA = https://ngca.ekokonnect.net.ng/CA
VA = https://ngca.ekokonnect.net.ng/CA/mgt/scert.php 09/11/2013 ngNOG VIII - University of Benin
    15. 15. PKI Access Flow 09/11/2013 ngNOG VIII - University of Benin
    16. 16. 09/11/2013 ngNOG VIII - University of Benin
    17. 17. Identity Federations An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access via authentication 09/11/2013 ngNOG VIII - University of Benin
    18. 18. Service Provider (SP) • Used to describe anyone who has a service, resource or set of content that they want to make available to users via a login. • Login may be to limit access to subscribers or specialist groups, or for personalisation • The SP do not hold information about users. They rely on Identity Providers i.e. the institution or organisation that a user belongs to get user information 09/11/2013 ngNOG VIII - University of Benin
    19. 19. Identity Provider (IdP) An Identity Provider or 'IdP' is a term used to describe any institution or organisation that manages information about its users and wants to provide access to resources for these users. 09/11/2013 ngNOG VIII - University of Benin
    20. 20. Access Control After the successful authentication the identity provider will release a certain amount of attributes to the service provider Access control is performed by matching these attributes supplied by IdPs against rules defined by SPs. 09/11/2013 ngNOG VIII - University of Benin
    21. 21. Authentication vs Authorization • Authentication establishes the user’s identity, done by identity provider – To get authenticated by an IdP people have to be enrolled on it and registered, upon proper identification, on the registry connected to the IdP • Authorization defines the user’s permission within the application, done at service provider – The fact that you are the one you claim to be (i.e., you are authenticated by an IdP) does not imply, by portal policy, that you are automatically authorised to access and use the SP e.g Africa Grid Science Gateway. To do so people have to fill the authorisation request. 09/11/2013 ngNOG VIII - University of Benin
    22. 22. SAML • Security Assertion Markup Language – XML standard for exchanging the information • Used for Web browser Single Sign-On (SSO) • three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP) • does not specify the method of authentication at the identity provider. You can choose authentication source. LDAP, Active Directory, SQL, Custom • Shibboleth (Java) and SimpleSAMLphp (PHP)- popular SAML implementations used with OpenLDAP and EduERP in Eko-Konnect. 09/11/2013 ngNOG VIII - University of Benin
    23. 23. SAML – Web SSO Example Sourced from Wikipedia 09/11/2013 ngNOG VIII - University of Benin
    24. 24. NgREN Federation • There is only one CA and IdF per country except in some countries like US • Currently a “Catch-All” IdP for NgREN is maintained by Eko-Konnect as part of eI4Africa. at https://ngidp.eko-konnect.net.ng • Used by UNN and LionGRID users in their workshops • With a database of users, any institution can setup an IdP and participate in the evolution of policies and framework for the NgREN federation. 09/11/2013 ngNOG VIII - University of Benin
    25. 25. What are Science gateways? • A Science Gateway is a community-developed set of tools, applications, and data that are integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community. • Gateways allow science teams to access data, perform shared computations and generally work on resources together. • Gateways provide access to a variety of capabilities including – – – – – – – Workflows General or domain-specific analytic and software visualization Collaborative interfaces resource discovery Job submission tools job execution services. Education modules • Different SGW exists e.g African Grid Science Gateway 09/11/2013 ngNOG VIII - University of Benin
    26. 26. Africa Grid Science Gateway • The Africa Grid Science Gateway is a standardbased web 2.0 demonstrative platform to show the lighthouse applications identified by the el4africa project and execute them on a worldwide e-infrastructure. 09/11/2013 ngNOG VIII - University of Benin
    27. 27. Problems accessing the Science Gateways? • Some applications in a Science Gateway are freely accessible but others are not and require user authentication • GRIDS and the diverse middleware have been difficult for scientists to grasp • access to the Africa Science Gateway requires federated credentials issued by an Identity Provider. 09/11/2013 ngNOG VIII - University of Benin
    28. 28. Problems with Access contd. • PKI and Personal Certs have been barrier to access to e-infrastructure • This is what IdF seeks to solve. 09/11/2013 ngNOG VIII - University of Benin
    29. 29. SG Access Workflow • a user wants to sign in or requires a service that requires authentication and authorisation • the portal redirects the user to an IdP and user details is checked in an LDAP server • the portal contacts a service called eToken Service where a proxy is created from a robot certificate installed on a special USB-shape smartcard • the action is done on the grid • the output is retrieved back to the portal machine • the user is notified that the output is ready and she can download it 09/11/2013 ngNOG VIII - University of Benin
    30. 30. Deploying the NgREN Catch-All Identity Provider Shibboleth and OpenLDAP 09/11/2013 ngNOG VIII - University of Benin
    31. 31. Overview • Installation and configuration of Shibboleth based IdP with LDAP backend • Shibboleth is an open-source project that provides Single Sign-On (SSO) capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner. 09/11/2013 ngNOG VIII - University of Benin
    32. 32. How Shibboleth works? • It works the same way as other web-based single sign on system • The major difference its adherence to standard and its ability to provide SSO support to services outside of a user's organization while still protecting their privacy 09/11/2013 ngNOG VIII - University of Benin
    33. 33. Web-based SSO system • The main elements are • Web Browser - represents the user within the SSO process • Resource - contains restricted access content that the user wants • Identity Provider (IdP) - authenticates the user • Service Provider (SP) - performs the SSO process for the resource 09/11/2013 ngNOG VIII - University of Benin
    34. 34. Single Sign-On steps • Step 1- User accesses the resources • Step 2- Service provider issues Authentication request • Step 3- User authenticated at identity provider • Step 4- Identity provider issues Authentication response • Step 5- Service provider checks authentication response • Step 6- Resource returns content 09/11/2013 ngNOG VIII - University of Benin
    35. 35. How Shibboleth works? • Identity provider Discovery, User attributes and Metadata • Identity Provider Discovery: This what an SP working with multiple IdPs uses to prompt the user for authentication. • User attributes: this gives the system the ability to receive data about the user from the IdP e.g email or phone number etc. • Metadata: this gives the IdP and SP the ability to know which url to use when communicating with each other. – A unique identifier know as entity id – A human readable name and description – A list of urls to which messages should be delivered and some information about when each should be used – Cryptographic information used when creating and verifying information • A common function of the Federation is to publish a file that contains all the Metadata for IdP and SP that have agreed to work together 09/11/2013 ngNOG VIII - University of Benin
    36. 36. Reference and Prerequisite • • • • Linux Operating System (Centos) OpenLDAP: http://www.openldap.org Shibboleth: http://www.shibboleth.net Host Certificates – For both machines from installing on separate machines – Certificate signed by a CA 09/11/2013 ngNOG VIII - University of Benin
    37. 37. Installation of Shibboleth • Shibboleth consist of several individual components which includes – Identity Provider (IdP) – Service Provider (SP) – Discovery Service • Installation requires Java based web servertomcat • Follow the installation process on your preferred platform 09/11/2013 ngNOG VIII - University of Benin
    38. 38. Installation and configuration of ldap • LDAP configuration – Add modules to LDAP server – Configure the root of the tree and superuser – Add organisation • Add and configure users, groups and services • Secure the host – Enable secure communication to the ldap server – Add the host certificate 09/11/2013 ngNOG VIII - University of Benin
    39. 39. IdP Configuration • The IdP is a shibboleth service running on a java container. This container is based on tomcat6 • The IdP configuration refers to the – Configuration of the firewall on tomcat server – Configuration of the shibboleth components. • The components includes a series of xml files in the conf directory 09/11/2013 ngNOG VIII - University of Benin
    40. 40. Shibboleth xml files • attribute-filter xml- the attributes that will be filtered from ldap server • attributes-resolver- how the idp will resolve these attributes • handler.xml- what kind of authentication schemes are allowed • logging.xml- level and location of logging • relaying-party.xml- parties that will be able to use the IdP • Configuration of the host security and logging • Configuration and authentication/login screen 09/11/2013 ngNOG VIII - University of Benin
    41. 41. NgREN Catch-All Identity Provider Demonstration http://ngidp.eko-konnect.net.ng 09/11/2013 ngNOG VIII - University of Benin
    42. 42. 09/11/2013 ngNOG VIII - University of Benin
    43. 43. 09/11/2013 ngNOG VIII - University of Benin
    44. 44. • Ngca.eko-konnect.net.ng • Ngidp.eko-konnect.net.ng • African Grid Science Gateway 09/11/2013 ngNOG VIII - University of Benin
    45. 45. Steps • • • • Register Step #2: Accept email confirmation Step #3: mail notification sent to Admin Step #4: Admin authorises account and notifies the user by email • Step # 5: User gets mail • You can now access all the service providers that can be authenticated with the NgREN catch-all 09/11/2013 ngNOG VIII - University of Benin
    46. 46. What can we do? • NgNOG task force to complement efforts at NUC level to evolve an IdF http://ngren.edu.ng/news/ngren-hands-ontraining-for-dicts-and-staff • Evolve projects to collate user information in the community in a central database. Can be spreadsheets per unit and aggregated. • Join Eko-Konnect to increase demand and resources on the Africa Grid Science Gateway. • Use lessons learned to from these functional demonstrations to do similar in NgREN 09/11/2013 ngNOG VIII - University of Benin
    47. 47. Thank you for listening Questions? 09/11/2013 ngNOG VIII - University of Benin

    ×