
Integrating non web-based services with identity federations (PowerPoint presentation)



  1. bwIDM: Integrating non web-based services with identity federations. Jens Köhler, Michael Simon, Sebastian Labitzke, Tobias Dussa, Martin Nußbaumer

  2. The bwIDM project
     • Services of the state of Baden-Württemberg are placed at different locations
     • They should be usable by the affiliates of the universities
     • Affiliates should be able to access them with the familiar accounts of their home organization
     (map of participating sites: Uni Mannheim, KIT, Uni Stuttgart, Uni Ulm, Uni Freiburg, Uni Konstanz)
     bwIDM: Federated Identity Management for Baden-Württemberg
     17.09.2012 Integrating non web-based services with identity federations 2

  3. The bwIDM project
     • SAML identity providers are already present at each university
     • Integrating web-based services into this infrastructure is straightforward
     • Integrating non web-based services is a challenge
     FACIUS: an easy-to-deploy concept to federate non web-based services based on the SAML standard.

  4. Non web-based services vs. SAML
     • Non web-based services (e.g. an SSH service): authentication via the Service Provider (1. login via credentials, 2. access)
     • Main characteristic of SAML (web-based services): authentication via the Home Organization
     • The SAML ECP profile can be used to "SAMLfy" arbitrary applications
     → The technical foundation to enable non web-based services to use SAML exists

  5. Requirements (grouped on the slide into Service Provider requirements, Home Organization requirements and User requirements)
     • Integration effort
     • Legal aspects
     • (De-)Provisioning
     • Security
     • Performance
     • Maintainability
     • Deployability
     • Alternative authentication methods
     • Transparency
     • Necessary software adaptions
     • Use of home credentials

  6. A user's perspective: getting access to the service
     • Registration
       – Via a registration web application (browser)
       – Authentication based on the account at the Home Organization
       – Has to be performed only once
     • Provisioning of a local context
       – In the SSH case: establishment of a UID, a home directory, …
     • Accessing the service
       – Via the native service client
       – Authorization based on assertions of the Home Organization
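The three steps on this slide, registration with user consent, provisioning of a local context, and a per-login authorization decision taken from an assertion of the Home Organization, as an added example in Python. This is not bwIDM or FACIUS code: the attribute OID is the standard eduPersonEntitlement one, while the IdP URL, NameID, entitlement value, UID range, username scheme and the sample assertion itself are constructed, and signature verification of the assertion is assumed to have happened before parsing.

```python
"""Added model of the FACIUS access path: one-time registration that provisions a
local context for a federated identity, then authorization from a SAML assertion.
Not project code; OIDs are eduPerson, everything else is constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"        # eduPersonEntitlement (standard OID)
REQUIRED_ENTITLEMENT = "urn:example:bwidm:ssh-login"    # constructed service policy value
DEMO_NOW = datetime(2012, 9, 17, 10, 2, tzinfo=timezone.utc)  # constructed login time


@dataclass
class LocalAccount:
    uid: int
    username: str
    home: str


class Registry:
    """Registration step (web application, done once). Keyed on the pair
    (IdP entityID, persistent NameID), which is stable and unique per Home Organization."""

    def __init__(self, first_uid=10000):
        self._next_uid = first_uid
        self._accounts = {}  # (issuer, name_id) -> LocalAccount

    def register(self, issuer, name_id, consent_given):
        if not consent_given:  # legal aspects: policy consent is requested at registration
            raise PermissionError("user has not consented to the service policy")
        key = (issuer, name_id)
        if key not in self._accounts:  # provisioning of the local context (UID, home dir)
            org = urlparse(issuer).hostname.split(".")[-2]  # constructed naming scheme
            username = f"{org}_{self._next_uid}"
            self._accounts[key] = LocalAccount(self._next_uid, username, f"/home/{username}")
            self._next_uid += 1
        return self._accounts[key]

    def lookup(self, issuer, name_id):
        return self._accounts.get((issuer, name_id))


def parse_assertion(xml_text):
    """Issuer, subject, validity end and attributes of a SAML 2.0 Assertion.
    The XML signature is assumed to have been verified against IdP metadata already."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML_NS}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")
    expires = root.find("saml:Conditions", NS).get("NotOnOrAfter").replace("Z", "+00:00")
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "expires": datetime.fromisoformat(expires),
            "attributes": attrs}


def authorize(registry, assertion, now):
    """Login-node decision (what the PAM module has to answer): assertion still valid,
    required entitlement present, and a registered local context exists."""
    if now >= assertion["expires"]:
        return None
    if REQUIRED_ENTITLEMENT not in assertion["attributes"].get(ENTITLEMENT, []):
        return None
    return registry.lookup(assertion["issuer"], assertion["name_id"])


# Constructed sample assertion, as the Home Organization's IdP would issue it.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_c1a2" Version="2.0"
    IssueInstant="2012-09-17T10:00:00Z">
  <saml:Issuer>https://idp.example-university.example/idp</saml:Issuer>
  <saml:Subject><saml:NameID
    Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">persistent-7f3a</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2012-09-17T10:00:00Z" NotOnOrAfter="2012-09-17T10:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="{ENTITLEMENT}" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue>{REQUIRED_ENTITLEMENT}</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def demo():
    """Register once, then authorize a login at DEMO_NOW; returns (registry, assertion, account)."""
    registry = Registry()
    assertion = parse_assertion(SAMPLE_ASSERTION)
    registry.register(assertion["issuer"], assertion["name_id"], consent_given=True)
    return registry, assertion, authorize(registry, assertion, DEMO_NOW)
```

Running `demo()` yields a `LocalAccount` with UID 10000; the same user registering again gets the same account back, and a login after `NotOnOrAfter`, without the entitlement, or from an identity that never registered is refused.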

  7. FACIUS - Overview
     Architecture diagram with three columns: User, Service Provider, Home Organization.
     • Registration: Browser (User) → Registration web application with SAML-SP (Service Provider) → Registr. (Home Organization)
     • Login & Provisioning: SSH client (User) → Login node with SSH server and PAM module (Service Provider) → Login (Home Organization)
     Legend: partially service-specific components, generic components, existing components.
     Further information: J. Köhler, S. Labitzke, M. Simon, M. Nussbaumer, H. Hartenstein: FACIUS: An Easy-to-Deploy SAML-based Approach to Federate Non Web-Based Services, Proc. of Trustcom 2012

  8. Login alternatives
     • Enhanced Proxy: User → credentials → Service Provider → credentials (ECP) → Home Organization
     • Enhanced Client: User → ECP → Home Organization; the ECP-enhanced client then presents the result to the Service Provider
     • Local Authentication: User → local credentials → Service Provider → Assertion Query → Home Organization
     User requirements (the slide rates each alternative against them):
     – Unmodified client usable
     – Login with credentials of the Home Organization
     – No harm by malicious Service Providers
     – Operable in parallel to other login alternatives
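The "Enhanced Client" alternative at message level, as an added example (not FACIUS code) written in Python. The client speaks the SAML ECP profile with the Home Organization and relays the Response to the Service Provider, so the home credentials travel only between the client and the IdP; that is what gives this alternative its "no harm by malicious Service Providers" property, and the example also shows the check the ECP profile requires of the client before it hands over the Response. Messages are dicts whose keys name the SOAP header and body elements of the real profile (paos:Request, ecp:Request, ecp:Response, samlp:AuthnRequest, samlp:Response); all entity IDs, URLs, user data and the HMAC that stands in for the XML signature are constructed assumptions.

```python
"""Added model of the ECP-enhanced client login: client <-> IdP <-> client <-> SP.
Not project code. Dict keys mirror SOAP/PAOS/ECP elements; an HMAC over the
assertion (key shared by IdP and SP) stands in for the XML signature that real
SAML verifies via IdP metadata. Every identifier below is constructed."""
import hashlib
import hmac
import secrets

SIGNING_KEY = secrets.token_bytes(32)  # stand-in for the IdP signing key / SP trust anchor


def sign(assertion):
    return hmac.new(SIGNING_KEY, repr(sorted(assertion.items())).encode(), "sha256").hexdigest()


class HomeOrganization:
    """The IdP: checks the home account and issues the assertion."""

    def __init__(self, entity_id, users, sp_metadata):
        self.entity_id = entity_id
        self._users = users              # username -> password (constructed)
        self._sp_metadata = sp_metadata  # SP entityID -> registered AssertionConsumerService URL

    def handle_ecp(self, soap, username, password):
        # HTTP Basic credentials travel only on the client <-> IdP leg.
        if not hmac.compare_digest(self._users.get(username, ""), password):
            raise PermissionError("authentication at the Home Organization failed")
        authn = soap["samlp:AuthnRequest"]
        acs_url = self._sp_metadata[authn["Issuer"]]  # from metadata, never from the request
        assertion = {"Issuer": self.entity_id, "Audience": authn["Issuer"],
                     "InResponseTo": authn["ID"],
                     "NameID": "persistent-" + hashlib.sha256(
                         f"{username}|{authn['Issuer']}".encode()).hexdigest()[:12]}
        return {"ecp:Response": {"AssertionConsumerServiceURL": acs_url},
                "samlp:Response": {"Assertion": assertion, "Signature": sign(assertion)}}


class ServiceProvider:
    """SP side of the SSH login node: starts ECP and consumes the Response."""

    def __init__(self, entity_id, response_consumer_url, idp_entity_id):
        self.entity_id = entity_id
        self.response_consumer_url = response_consumer_url
        self._idp_entity_id = idp_entity_id
        self._pending = set()  # outstanding AuthnRequest IDs

    def start_ecp(self):
        """Reply to a request carrying 'Accept: application/vnd.paos+xml'."""
        request_id = "_" + secrets.token_hex(8)
        self._pending.add(request_id)
        return {"paos:Request": {"responseConsumerURL": self.response_consumer_url},
                "ecp:Request": {"IDPList": [self._idp_entity_id]},
                "samlp:AuthnRequest": {"ID": request_id, "Issuer": self.entity_id}}

    def consume(self, soap):
        response = soap["samlp:Response"]
        assertion = response["Assertion"]
        if not hmac.compare_digest(sign(assertion), response["Signature"]):
            raise ValueError("assertion signature invalid")
        if assertion["Issuer"] != self._idp_entity_id or assertion["Audience"] != self.entity_id:
            raise ValueError("assertion not issued by the trusted IdP for this SP")
        if assertion["InResponseTo"] not in self._pending:
            raise ValueError("unsolicited or replayed response")
        self._pending.discard(assertion["InResponseTo"])
        return assertion["NameID"]


class EcpClient:
    """What the ECP-enhanced SSH client does on top of a plain client."""

    def login(self, sp, idp, username, password):
        sp_soap = sp.start_ecp()
        consumer_url = sp_soap["paos:Request"]["responseConsumerURL"]
        # Only the AuthnRequest body goes to the IdP; PAOS/ECP headers are for the client.
        idp_soap = idp.handle_ecp({"samlp:AuthnRequest": sp_soap["samlp:AuthnRequest"]},
                                  username, password)
        # ECP profile check: the IdP's AssertionConsumerServiceURL must equal the SP's
        # responseConsumerURL; on mismatch the client returns a SOAP fault and withholds
        # the Response, so an SP cannot have assertions delivered to an unregistered URL.
        if idp_soap["ecp:Response"]["AssertionConsumerServiceURL"] != consumer_url:
            raise ValueError("SOAP fault: responseConsumerURL mismatch, Response withheld")
        return sp.consume({"paos:Response": {"refToMessageID": sp_soap["samlp:AuthnRequest"]["ID"]},
                           "samlp:Response": idp_soap["samlp:Response"]})


# Constructed parties.
IDP_ID = "https://idp.example-university.example/idp"
SP_ID = "https://login.example-cluster.example/sp"
SP_ACS = "https://login.example-cluster.example/sp/ecp"
idp = HomeOrganization(IDP_ID, {"alice": "correct horse"}, {SP_ID: SP_ACS})
sp = ServiceProvider(SP_ID, SP_ACS, IDP_ID)


def demo_login(username="alice", password="correct horse"):
    """Returns the persistent NameID the SSH login node receives for this user."""
    return EcpClient().login(sp, idp, username, password)
```

`demo_login()` returns the same persistent NameID on every call, which is what the login node maps to the local account provisioned at registration; a wrong home password is rejected by the IdP, and an SP whose advertised responseConsumerURL differs from the URL registered in the IdP's metadata never receives the Response at all.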

  9. Evaluation
     • Service Provider requirements:
       – Integration effort: integration of the Pluggable Authentication Module with the service access point
       – Maintainability: based on existing frameworks
       – Performance (SSH login): 1.01 s vs. 0.30 s (regular login)
       – Integration into existing federations: SAML-based federations
       – Provisioning/Deprovisioning
       – Legal aspects: user consent to policies can be requested
     • Home Organization requirements:
       – Legal aspects: user consent to policies can be requested
       – No software adaptions

  10. Conclusion
     • bwIDM…
       – …is a project to establish a federation of 9 universities and services of the state of Baden-Württemberg.
       – …has the goal to federate access to non web-based services such as grid resources.
     • FACIUS…
       – …enables non web-based services to join SAML federations.
       – …aims to be easily deployable for existing service providers.
       – …makes active use of the SAML ECP and AssertionQuery profiles.
       – …offers users high usability in trustworthy federations.
       – …has been successfully applied to federate SSH services.
     • We are planning to…
       – …federate an operational cluster by the end of the year.
       – …federate additional services based on FACIUS.

  11. How does FACIUS fit into the EGI federated identity management platform?
     (diagram: SSH-Server (SP), FACIUS)
