Uploaded byheiland
PDF, PPTX447 views

SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant Service

This document discusses authentication and authorization considerations for multi-tenant services. It provides an overview of the Center for Trustworthy Scientific Cyberinfrastructure (CTSC) and the Science Gateways Platform (SciGaP). SciGaP is a multi-tenant service that provides generalized services like authentication, identity management, and job scheduling through a public API. The document reviews the evolution of authentication approaches including usernames/passwords, Kerberos, PKI/X.509 certificates, and API keys. It proposes adopting the OAuth standard for SciGaP's authentication solution to cover current use cases and integrate with the WSO2 Identity Server.

Embed presentation

Download as PDF, PPTX
Authentication and Authorization Considerations for a Multi-tenant Service SCREAM 2015 June16, 2015 UITS Randy Heiland, Scott Koranda, Suresh Marru, Marlon Pierce, Von Welch UITS Research Technologies
Overview •  CTSC •  SciGaP •  Auth •  Some history •  Examples •  Criteria/Selection
Center for Trustworthy Scientific Cyberinfrastructure (CTSC) •  Collaborate with NSF projects to help improve their cybersecurity (=engagements) (IceCube, Pegasus, Globus, SciGaP) •  Organize annual NSF Cybersecurity Summits (this year: Aug 17-19) •  Outreach & Education in cybersecurity trustedci.org (Von Welch, PI)
Who’s this paper/talk for? •  Science Gateway community •  Distributed CI community •  Cybersecurity community •  Actually, me
“… a Multi-tenant Service” •  SciGaP – Science Gateways Platform as a service (scigap.org) •  Hosted, generalized services with a public API •  Auth, Identity Management, Job scheduling, Workflows, Auditing, etc.
SciGaP Arch Schematic
Auth: an evolving idea •  Username/Password •  Kerberos •  PKI (à X.509) •  API Keys •  OAuth •  …
Passphrases https://xkcd.com/936/
Public Key Infrastructure (PKI) •  Arose from cryptographic keys (D-H, 1976) •  PKI uses asymmetric keys (public, private) •  à X.509 (IETF rfc 5280) •  Crypto algorithm •  Signature •  Certificate Authority (CA) à Good security; high complexity
DCI: PKI à GSI IEEEComputer,Dec.2000
V. Welch: 10/7/2010 seminar
OAuth •  Practically speaking: lets users log into 3rd party sites using their “big” credentials (Google, FB, Twitter, MS) •  OAuth 1.0, circa 2007 (for Twitter; now ~500M users) •  OAuth 2.0, 2012 (IETF rfc 6749) •  User creds NOT shared; an access token generated & shared •  Multiple “grant flow” options possible
OAuth Flow From Evernote dev docs.
OAuth: who’s using it? •  Google •  FB •  AWS •  GitHub •  Twitter •  Evernote •  … à Broad support; LOTS of OAuth libraries, in multiple languages
Planned Auth Solution for SciGaP •  Adopt OAuth •  covers all current SciGaP use cases •  Supported by WSO2 Identity Server (being used by SciGaP) •  API keys supported via OAuth grant option •  Incorporate into SciGaP’s SDKs
Parting thoughts •  Science of CI: Research, Experience, Applications and Models •  Science of Security (rf. Fred Schneider, Cornell) •  Open question: is it possible to model, measure, and be more quantitative about these domains?
Funding NSF ACI #1339774 and #1234408 THANKS!

More Related Content

PDF
SwiftRiver Overview
byUshahidi
 
PPTX
Unlocking LOCKSS with APIs
bynullhandle
 
PDF
2018 01-15 infra coders meetup vienna ii
byAleksandar Lazic
 
PPTX
Big data for bay area big data developer
by19scottmiller
 
PDF
Thorisson orcid outreach meeting
byORCID, Inc
 
PPTX
PRESENT
bybushra203
 
PPTX
Implementing an AMS on a National Scale – A Model
byAxiell ALM
 
PDF
Rotenberg Provider's Perspective on Identity and Authentication Management
byNational Information Standards Organization (NISO)
 
SwiftRiver Overview
byUshahidi
 
Unlocking LOCKSS with APIs
bynullhandle
 
2018 01-15 infra coders meetup vienna ii
byAleksandar Lazic
 
Big data for bay area big data developer
by19scottmiller
 
Thorisson orcid outreach meeting
byORCID, Inc
 
PRESENT
bybushra203
 
Implementing an AMS on a National Scale – A Model
byAxiell ALM
 
Rotenberg Provider's Perspective on Identity and Authentication Management
byNational Information Standards Organization (NISO)
 

Viewers also liked

PDF
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
bylisanl
 
DOC
4 dezv-prenat-ii 2013
byjennypain
 
PDF
Two factor authentication with Laravel and Google Authenticator
byAllan Denot
 
PPTX
REST Service Authetication with TLS & JWTs
byJon Todd
 
PDF
Tomasz Janczuk - Webtaskalifragilistexpialidocious
byServerlessConf
 
PPTX
Security models for security architecture
byVladimir Jirasek
 
PPT
graphical password authentication
byAkhil Kumar
 
PDF
3D Password PPT
bySeminar Links
 
PPTX
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
PPTX
Graphical password authentication
byAsim Kumar Pathak
 
PDF
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
PDF
Serverless architectures
bytechmaddy
 
PDF
Enterprise Security Architecture
byKris Kimmerle
 
PPTX
Adidas brand case study
bytomjohnson15
 
Security Authentication and Authorization Service (AAS) for IBM InfoSphere St...
bylisanl
 
4 dezv-prenat-ii 2013
byjennypain
 
Two factor authentication with Laravel and Google Authenticator
byAllan Denot
 
REST Service Authetication with TLS & JWTs
byJon Todd
 
Tomasz Janczuk - Webtaskalifragilistexpialidocious
byServerlessConf
 
Security models for security architecture
byVladimir Jirasek
 
graphical password authentication
byAkhil Kumar
 
3D Password PPT
bySeminar Links
 
NIST CyberSecurity Framework: An Overview
byTandhy Simanjuntak
 
Graphical password authentication
byAsim Kumar Pathak
 
Enterprise Security Architecture for Cyber Security
byThe Open Group SA
 
Serverless architectures
bytechmaddy
 
Enterprise Security Architecture
byKris Kimmerle
 
Adidas brand case study
bytomjohnson15
 

Similar to SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant Service

PDF
Analyzing OAuth
byOliver Pfaff
 
PDF
Centralise legacy auth at the ingress gateway
byAndrew Kirkpatrick
 
PDF
New Trends in Web Security
byOliver Pfaff
 
PDF
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
byShumon Huque
 
PDF
CIS14: Identifying Things (and Things Identifying Us)
byCloudIDSummit
 
PDF
Authentication in 2020 - Predictions by the neXus CTO
byhagero
 
PDF
Introduction to OAuth
byWei-Tsung Su
 
PDF
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
PDF
Ijarcet vol-2-issue-4-1398-1404
byEditor IJARCET
 
PDF
dna-identity-crisis-cloud-web
byRavi Venkat
 
PPTX
Apache Airavata Credential Store
bysmarru
 
PPTX
Anonymous Individual Integration for IoT
byPaul Fremantle
 
PDF
OpenID Contexts
byChris Messina
 
PDF
Stronger/Multi-factor Authentication for Enterprise Applications
byRamesh Nagappan
 
PPTX
Secure your app with keycloak
byGuy Marom
 
PDF
Trusting External Identity Providers for Global Research Collaborations
byjbasney
 
PDF
HSC-IoT: A Hardware and Software Co-Verification based Authentication Scheme ...
byMahmud Hossain
 
PDF
OpenID Connect 4 SSI (DIFCon F2F)
byTorsten Lodderstedt
 
PDF
How to 2FA-enable Open Source Applications
byAll Things Open
 
PPT
Street conf overview
byericsachs
 
Analyzing OAuth
byOliver Pfaff
 
Centralise legacy auth at the ingress gateway
byAndrew Kirkpatrick
 
New Trends in Web Security
byOliver Pfaff
 
Single Sign-On, Two Factor & more: Advanced Authentication & Authorization at...
byShumon Huque
 
CIS14: Identifying Things (and Things Identifying Us)
byCloudIDSummit
 
Authentication in 2020 - Predictions by the neXus CTO
byhagero
 
Introduction to OAuth
byWei-Tsung Su
 
APIsecure 2023 - OAuth, OIDC and protecting third-party credentials, Ed Olson...
byapidays
 
Ijarcet vol-2-issue-4-1398-1404
byEditor IJARCET
 
dna-identity-crisis-cloud-web
byRavi Venkat
 
Apache Airavata Credential Store
bysmarru
 
Anonymous Individual Integration for IoT
byPaul Fremantle
 
OpenID Contexts
byChris Messina
 
Stronger/Multi-factor Authentication for Enterprise Applications
byRamesh Nagappan
 
Secure your app with keycloak
byGuy Marom
 
Trusting External Identity Providers for Global Research Collaborations
byjbasney
 
HSC-IoT: A Hardware and Software Co-Verification based Authentication Scheme ...
byMahmud Hossain
 
OpenID Connect 4 SSI (DIFCon F2F)
byTorsten Lodderstedt
 
How to 2FA-enable Open Source Applications
byAll Things Open
 
Street conf overview
byericsachs
 

Recently uploaded

PPTX
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
PPTX
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
PPTX
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
PDF
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
PPTX
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
PDF
Building With Gemini: Hands-On AI for Developers
byhemish04082005
 
PDF
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PPTX
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
PDF
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
PDF
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
PPTX
Lect 1 Number systems and base conversions. [Autosaved].pptx
byzainiman8511
 
PDF
Latest Courier Management Software 2026 | Complete Courier & Logistics Solution
byCourier Softwares
 
PDF
CodeFulcrum Company Profile - Engineering Scalable Software for High-Growth E...
byCodeFulcrum
 
PPTX
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
PPTX
How Swiggy Assure Scaled B2B Procurement for the HORECA Supply Chain
byIT IDOL Technologies
 
PDF
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
PPTX
Google Trips Data Scraping for Tourism & Demand Analysis.pptx
byWeb Data Crawler
 
PDF
Python Core Interview Cheat Sheet for a Senior Interview
byStanislav Lazarenko
 
PPTX
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
PDF
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 
Testing Strategies for Agile Teams in 2026
byMatt Calder
 
Free AI Paraphrasing Tool to Rewrite Sentences – SENTENCIFY
bySENTENCIFY
 
Build Smarter with Google: A Workshop on MediaPipe, Firebase, Gemini and Anti...
byvanshikaprakash05
 
DSD-INT 2025 Large scale unsaturated zone modelling - Sequential Steady State...
byDeltares
 
EMR Software for Gynaecology Clinics How EasyClinic Supports Continuity, Priv...
byEasy Clinic
 
Building With Gemini: Hands-On AI for Developers
byhemish04082005
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
Aviation Fleet Management Software for Airlines & Operators
bySISGAIN
 
Salesforce Agentforce Service Agent​.pdf
byRobert Mark
 
Hack&Verse Kick-off and infor session Event ppt
bysanidhyasahu1120
 
Lect 1 Number systems and base conversions. [Autosaved].pptx
byzainiman8511
 
Latest Courier Management Software 2026 | Complete Courier & Logistics Solution
byCourier Softwares
 
CodeFulcrum Company Profile - Engineering Scalable Software for High-Growth E...
byCodeFulcrum
 
Feasibility Analysis in System Development Using Data Flow Diagrams
byM Munim
 
How Swiggy Assure Scaled B2B Procurement for the HORECA Supply Chain
byIT IDOL Technologies
 
Incident Management Roles & Responsibilities.pdf
byTaskCall
 
Google Trips Data Scraping for Tourism & Demand Analysis.pptx
byWeb Data Crawler
 
Python Core Interview Cheat Sheet for a Senior Interview
byStanislav Lazarenko
 
Inside An AI Powered ERP System for Process Manufacturers
byBatchMaster Software Pvt. Ltd.
 
Problem Solving_20241203_220045_0000.pdf
bythakurayush00991
 

SCREAM-15: Authentication and Authorization Considerations for a Multi-tenant Service

  • 1.
    Authentication and Authorization Considerationsfor a Multi-tenant Service SCREAM 2015 June16, 2015 UITS Randy Heiland, Scott Koranda, Suresh Marru, Marlon Pierce, Von Welch UITS Research Technologies
  • 2.
    Overview •  CTSC •  SciGaP • Auth •  Some history •  Examples •  Criteria/Selection
  • 3.
    Center for Trustworthy ScientificCyberinfrastructure (CTSC) •  Collaborate with NSF projects to help improve their cybersecurity (=engagements) (IceCube, Pegasus, Globus, SciGaP) •  Organize annual NSF Cybersecurity Summits (this year: Aug 17-19) •  Outreach & Education in cybersecurity trustedci.org (Von Welch, PI)
  • 4.
    Who’s this paper/talkfor? •  Science Gateway community •  Distributed CI community •  Cybersecurity community •  Actually, me
  • 5.
    “… a Multi-tenantService” •  SciGaP – Science Gateways Platform as a service (scigap.org) •  Hosted, generalized services with a public API •  Auth, Identity Management, Job scheduling, Workflows, Auditing, etc.
  • 6.
  • 7.
    Auth: an evolvingidea •  Username/Password •  Kerberos •  PKI (à X.509) •  API Keys •  OAuth •  …
  • 10.
  • 11.
    Public Key Infrastructure(PKI) •  Arose from cryptographic keys (D-H, 1976) •  PKI uses asymmetric keys (public, private) •  à X.509 (IETF rfc 5280) •  Crypto algorithm •  Signature •  Certificate Authority (CA) à Good security; high complexity
  • 12.
    DCI: PKI àGSI IEEEComputer,Dec.2000
  • 13.
  • 14.
    OAuth •  Practically speaking:lets users log into 3rd party sites using their “big” credentials (Google, FB, Twitter, MS) •  OAuth 1.0, circa 2007 (for Twitter; now ~500M users) •  OAuth 2.0, 2012 (IETF rfc 6749) •  User creds NOT shared; an access token generated & shared •  Multiple “grant flow” options possible
  • 15.
  • 16.
    OAuth: who’s usingit? •  Google •  FB •  AWS •  GitHub •  Twitter •  Evernote •  … à Broad support; LOTS of OAuth libraries, in multiple languages
  • 17.
    Planned Auth Solutionfor SciGaP •  Adopt OAuth •  covers all current SciGaP use cases •  Supported by WSO2 Identity Server (being used by SciGaP) •  API keys supported via OAuth grant option •  Incorporate into SciGaP’s SDKs
  • 18.
    Parting thoughts •  Scienceof CI: Research, Experience, Applications and Models •  Science of Security (rf. Fred Schneider, Cornell) •  Open question: is it possible to model, measure, and be more quantitative about these domains?
  • 19.
    Funding NSF ACI #1339774and #1234408 THANKS!