FeduShare Update
AuthNZ the SAML way for VOs

FeduShare Goals:
● Provide transparent sharing of campus resources in support of (multi-institutional) collaboration
● Support both HTTP and non-web access using federated authentication and Shib ECP
● Leverage the knowledge and talents of campus IAM staff
● Eliminate GUEST/AFFILIATE identities
● Commence/increase communication between IAM experts at NCSA, GENI, XSEDE, OSG and campus

Assumptions
● Campus supports Shibboleth
○ Campus may support OAuth
○ Shib ECP + R&S
● Resource owner sets policy and controls access to shared resource
● There is a federated Virtual Organization management service
● Resource owner authorization processes should make use of the federated VO service

FeduShare use case 1: Shared use of campus HPC
● Federated SSH (non-web)
○ Demonstrated Utah login to Clemson Palmetto cluster in October 2015, using Shib-ECP and modified OpenSSH (gss-mechsaml-ECP)
● Partnership with JISC Moonshot Project
○ Uses gss-mechsaml-EAP
● Partnership with GENI project office
○ Have implemented a Shibboleth Attribute Authority that can assert a subset of information such as GENI Project membership or role as a SAML assertion

Today’s Demo:
● We will demonstrate integration with the Moonshot ssh client GUI
● Authorization will use attribute(s) from an Attribute Authority separate from campus
○ CILogon 2.0
○ GENI RBAC infrastructure
● We have removed the prior need to store the password in a local file
● We will review security concerns

Attribute based access control
● Access is denied by clearing the local-login-user attribute
● Shibboleth SP and IdP provide configurable rules for denying attributes
● Examples:
○ #1
■ SP queries AA with EPPN
■ AA releases the list of identifiers of the VOs the user is a member of
■ SP denies access if the list does not include the resource owner’s VO
○ #2
■ SP queries AA with EPPN and VO identifier
■ AA releases a boolean true if the user is a member of the VO
■ SP denies access if the response attribute is false
○ SP and AA configuration for both examples at https://github.com/fedushare/ecp-ssh-demo-environment/tree/master/docs/configurations
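The two example policies above, written out as the SP-side decision logic. This is an added illustration, not FeduShare project code or the Shibboleth SP's attribute-filter configuration: the attribute names vo_memberships and is_vo_member, the AA entityIDs and the VO identifier are constructed for the example; local-login-user is the attribute the slide names. Both policies end the same way, by taking the local account mapping from the local AA and returning no local-login-user at all when access is denied.

```python
"""SP-side attribute-based access control for the two example policies on the
slide. Added illustration, not FeduShare project code; attribute names other
than local-login-user, entityIDs and the VO identifier are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed trust configuration: which AA the SP accepts for which purpose.
TRUSTED_VO_AA = "https://aa.vo.example.org/aa"        # assumed entityID of the VO AA
TRUSTED_LOCAL_AA = "https://aa.hpc.example.edu/aa"    # assumed entityID of the local AA
RESOURCE_OWNER_VO = "urn:vo:palmetto-collab"          # assumed VO identifier


@dataclass
class AttributeAssertion:
    issuer: str                     # entityID of the AA that issued it
    subject: str                    # EPPN the SP queried for
    attributes: Dict[str, object] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    local_login_user: Optional[str]  # None whenever access is denied
    reason: str


def _issuer_problem(assertion: AttributeAssertion, expected_issuer: str, eppn: str) -> Optional[str]:
    """An assertion counts only if the trusted AA issued it for this EPPN."""
    if assertion.issuer != expected_issuer:
        return f"assertion issued by untrusted AA {assertion.issuer}"
    if assertion.subject != eppn:
        return "assertion subject does not match the authenticated EPPN"
    return None


def _map_local_account(eppn: str, local_assertion: AttributeAssertion) -> Decision:
    """Final step: take local-login-user from the local AA, or deny if absent."""
    problem = _issuer_problem(local_assertion, TRUSTED_LOCAL_AA, eppn)
    if problem:
        return Decision(False, None, problem)
    user = local_assertion.attributes.get("local-login-user")
    if not user:
        return Decision(False, None, f"no local account mapping for {eppn}")
    return Decision(True, str(user), "ok")


def authorize_example1(eppn: str, vo_assertion: AttributeAssertion,
                       local_assertion: AttributeAssertion) -> Decision:
    """Example #1: the VO AA returns the list of VO identifiers; deny when the
    resource owner's VO is not in it."""
    problem = _issuer_problem(vo_assertion, TRUSTED_VO_AA, eppn)
    if problem:
        return Decision(False, None, problem)
    memberships = vo_assertion.attributes.get("vo_memberships") or []
    if RESOURCE_OWNER_VO not in memberships:
        return Decision(False, None, f"{eppn} is not a member of {RESOURCE_OWNER_VO}")
    return _map_local_account(eppn, local_assertion)


def authorize_example2(eppn: str, vo_assertion: AttributeAssertion,
                       local_assertion: AttributeAssertion) -> Decision:
    """Example #2: the SP queried with EPPN and VO identifier; the VO AA answers
    with a boolean. SAML attribute values arrive as strings, so only a literal
    true is accepted; an absent attribute or any other value denies."""
    problem = _issuer_problem(vo_assertion, TRUSTED_VO_AA, eppn)
    if problem:
        return Decision(False, None, problem)
    raw = vo_assertion.attributes.get("is_vo_member")
    if raw is not True and str(raw).strip().lower() != "true":
        return Decision(False, None, f"VO AA did not confirm membership of {RESOURCE_OWNER_VO}")
    return _map_local_account(eppn, local_assertion)


if __name__ == "__main__":
    # Constructed sample assertions for one user.
    alice = "alice@campus.example.edu"
    vo_ok = AttributeAssertion(TRUSTED_VO_AA, alice, {"vo_memberships": ["urn:vo:other", RESOURCE_OWNER_VO]})
    local_ok = AttributeAssertion(TRUSTED_LOCAL_AA, alice, {"local-login-user": "alice_u"})
    print(authorize_example1(alice, vo_ok, local_ok))
    print(authorize_example2(alice, AttributeAssertion(TRUSTED_VO_AA, alice, {"is_vo_member": "false"}), local_ok))
```

The issuer check matters as much as the membership check: an attribute assertion from an AA the SP does not trust for that purpose, or one issued for a different EPPN, is ignored rather than evaluated, which is the property the slide relies on when it says access is denied by clearing the attribute.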

Demo
Components in the demo environment:
● SSH client (SAML ECP enabled)
● SSH server (ECP enabled SAML SP)
● SAML IdP (home organization)
● SAML AA (VO membership)
● SAML AA (local account mapping)
● SAML Metadata (Federation)
Message flow, numbered as in the diagram (in the ECP profile the client relays the SP’s request to the IdP and the IdP’s response back to the SP):
1. SAML Authn Request (SP to SSH client)
2. SAML Authn Request (SSH client to IdP)
3. User Authentication (SSH client to IdP, on the user’s behalf)
4. SAML Authn Assertion (IdP to SSH client)
5. SAML Authn Assertion (SSH client to SP)
6. SAML Attribute Query (SP to VO membership AA)
7. SAML Attribute Assertion (VO membership AA to SP)
8. SAML Attribute Query (SP to local account mapping AA)
9. SAML Attribute Assertion (local account mapping AA to SP)

SSH ECP Security: Distributed Trust
● Federation signs metadata containing IdP/SP/AA identities and public keys
● IdP verifies signature on authentication request from SP
● IdP informs the client of the SP's verified identity
● SP verifies signatures on assertions from IdP/AAs
● GSS channel binding connects SAML flows with SSH session
● User trusts client to send password securely to home IdP
● SP trusts IdP to authenticate the user
● SP trusts the VO AA to manage VO memberships
● SP trusts the local AA to manage local account mappings
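The verification order behind those trust relationships, from the SSH server's (SP's) side, as an added model that is not FeduShare, Shibboleth or gss-mechsaml code. HMAC tags stand in for the XML signatures so the block runs with only the Python standard library; the entityIDs, keys and the way the SSH channel binding is carried in the authentication assertion are constructed for this example, since the slide does not spell out the encoding. What the model keeps faithful is the structure: the only keys ever used to check an assertion are the ones taken from metadata whose federation signature verified, each assertion must come from an entity in the role the SP expects, and the authentication assertion must belong to the SSH session in hand.

```python
"""Verification order for an ECP-enabled SSH server (SAML SP), following the
trust relationships on the slide. Added model, not FeduShare, Shibboleth or
gss-mechsaml code. HMAC tags stand in for XML-DSig signatures; entityIDs,
keys and the channel-binding encoding are constructed for this example."""
import hashlib
import hmac
import json

SP_ENTITY_ID = "https://hpc.example.edu/ssh"  # assumed entityID of the SSH server's SP


def sign(key: bytes, doc: dict) -> str:
    """Stand-in for an XML signature: HMAC-SHA256 over the canonical JSON form."""
    body = json.dumps(doc, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify(key: bytes, doc: dict, tag: str) -> bool:
    return hmac.compare_digest(sign(key, doc), tag)


# Constructed keys for the federation operator and the three asserting parties.
FEDERATION_KEY = b"federation-metadata-signing-key"
ENTITY_KEYS = {
    "https://idp.campus.example.edu/idp": b"home-idp-key",
    "https://aa.vo.example.org/aa": b"vo-aa-key",
    "https://aa.hpc.example.edu/aa": b"local-aa-key",
}
ENTITY_ROLES = {
    "https://idp.campus.example.edu/idp": "IdP",
    "https://aa.vo.example.org/aa": "VO-AA",
    "https://aa.hpc.example.edu/aa": "LOCAL-AA",
}

# Federation-signed metadata: identities, roles and (stand-in) keys.
METADATA = {"entities": {eid: {"role": ENTITY_ROLES[eid], "key": key.hex()}
                         for eid, key in ENTITY_KEYS.items()}}
METADATA_SIG = sign(FEDERATION_KEY, METADATA)


class SPVerifier:
    """The SP's view of trust: keys come only from metadata whose federation
    signature checked out."""

    def __init__(self, federation_key: bytes, metadata: dict, metadata_sig: str):
        if not verify(federation_key, metadata, metadata_sig):
            raise ValueError("federation metadata signature invalid")
        self.entities = metadata["entities"]

    def check(self, assertion: dict, tag: str, expected_role: str, ssh_binding: str):
        """Return (accepted, reason). Issuer must be a federation entity in the
        expected role, the signature must verify under that entity's key, the
        assertion must be addressed to this SP, and an authentication assertion
        must carry the channel binding of the SSH session being set up."""
        entity = self.entities.get(assertion.get("issuer"))
        if entity is None:
            return False, "issuer not in federation metadata"
        if entity["role"] != expected_role:
            return False, f"issuer is a {entity['role']}, expected {expected_role}"
        if not verify(bytes.fromhex(entity["key"]), assertion, tag):
            return False, "signature does not verify under the issuer's metadata key"
        if assertion.get("audience") != SP_ENTITY_ID:
            return False, "assertion not addressed to this SP"
        if expected_role == "IdP" and assertion.get("channel_binding") != ssh_binding:
            return False, "channel binding does not match this SSH session"
        return True, "ok"


def run_flow(ssh_binding: str, authn_signer: str = "https://idp.campus.example.edu/idp",
             authn_binding: str = None) -> dict:
    """Steps 5, 7 and 9 of the demo flow as seen by the SP. authn_signer and
    authn_binding let a caller tamper with the authentication assertion."""
    sp = SPVerifier(FEDERATION_KEY, METADATA, METADATA_SIG)
    binding = ssh_binding if authn_binding is None else authn_binding
    subject = "alice@campus.example.edu"  # constructed EPPN
    authn = {"issuer": "https://idp.campus.example.edu/idp", "subject": subject,
             "audience": SP_ENTITY_ID, "channel_binding": binding}
    vo = {"issuer": "https://aa.vo.example.org/aa", "subject": subject,
          "audience": SP_ENTITY_ID, "vo_memberships": ["urn:vo:palmetto-collab"]}
    local = {"issuer": "https://aa.hpc.example.edu/aa", "subject": subject,
             "audience": SP_ENTITY_ID, "local-login-user": "alice_u"}
    return {
        "authn": sp.check(authn, sign(ENTITY_KEYS[authn_signer], authn), "IdP", ssh_binding),
        "vo": sp.check(vo, sign(ENTITY_KEYS[vo["issuer"]], vo), "VO-AA", ssh_binding),
        "local": sp.check(local, sign(ENTITY_KEYS[local["issuer"]], local), "LOCAL-AA", ssh_binding),
    }


if __name__ == "__main__":
    print(run_flow("ssh-session-binding-1"))
    # An assertion that names the IdP as issuer but is signed by the VO AA is rejected.
    print(run_flow("ssh-session-binding-1", authn_signer="https://aa.vo.example.org/aa"))
```

The role check is the part most easily skipped in practice: a key that is valid in the federation is still only valid for what metadata says that entity does, so the VO AA's key must not be able to stand in for the home IdP's, and an assertion replayed from another SSH session fails on the channel binding even when every signature is good.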

How does this relate to TIER?
● Shibboleth for federated authentication
● COmanage is a proven VO management service (LIGO)
○ COmanage already supports OAuth
● Look at COmanage as a vehicle for replacing GUEST/AFFILIATE identities
● A conversation about stand-alone Attribute Authorities is needed in InCommon

Moonshot updates and use cases
● macOS support is coming!
○ Mac development house engaged, contracts are being exchanged
○ Initial support expected in early 2017
● SSH forwarding (ProxyCommand, etc.)
○ Proven to work with Moonshot
○ Chained across multiple levels, and it works
○ Used by the eMedLab project in the UK
● New projects and federations looking at Moonshot
○ eMedLab (EMBL-EBI, Sanger and FARR Institutes, QMUL, etc.)
○ PathFinder AAAI (a national UK project working on deploying Moonshot)
○ SANReN and REUNA are evaluating Moonshot as well
○ Umbrella ID (photon and neutron community IdP)

FeduShare Futures
● Observation: a shared campus resource might exist in one or more clouds
● COmanage is being integrated with CILogon for access to XSEDE and OSG resources; how can this service be used by campuses?
● If campuses set up local COmanage instances, can we establish common practices so that there is consistency across campuses and with CILogon?
● Will we need a “WIYVO” (Where is your VO?) service akin to WAYF?
● Sustainability: Will JISC adopt gss-mechsaml-ECP? Would there be any US funding to do this?
● Will campuses discuss shared resource policies in campus silos, or will there be community discussion?
● Challenges: POLICY-based authorization and provisioning