Keystone and SAML in multi-tenant environments – Two concepts get together
Alex Stellwag, Open Telekom Cloud Architect, T-Systems
Yuefeng Pan, Senior Cloud Solutions Architect, Huawei
Open Telekom Cloud, 26.06.2017
Agenda
• SAML and Keystone – Generals and limitations
• Open Telekom Cloud (OTC) – Use Cases and Challenges
• Identity and Access Management Service on OTC
SAML V2 – the refresher
• SAML V2 – Security Assertion Markup Language 2.0
• is a standard to exchange authentication/authorisation data between security domains
• provides web based support for Single Sign On (SSO) scenarios
• reduces administrative overhead for maintaining different identity providers
• allows a service provider to accept an identity that was authenticated by an external IdP
Flow diagram between User, (Cloud) Service Provider and external Identity Provider; the steps legible on the slide:
1. Login request (user to service provider)
3. User login at IdP
4. IdP authenticates according to mapping rules
5. IdP returns SAML assertion
7. Service provider grants access
Keystone… and its limitations
• native keystone
  • is able to be configured as a service provider (SP)
  • as an SP keystone is able to support the SAML protocol
  • supports one IdP per OpenStack domain only
  • needs to be configured by the OpenStack service administrator to support an external SAML based IdP on domain level
  • does not support APIs for federated token management, nor for querying and importing metadata per tenant
Keystone needs to be extended to support the requirements of federated identities in multi-tenant environments
Open Telekom Cloud (OTC) – Use Cases and challenges
• Open Telekom Cloud (OTC)
  • an OpenStack based (currently Mitaka) public cloud
  • specifically designed for business customers
Use Case 1: Multiple business customers (ACME1, ACME2, …) with their own IdPs
Requirements:
• support of more than one IdP per OpenStack system
• IdP support on domain level
• IdP management rights on domain level
• API support for metadata and token management
Use Case 2: Single business customer (ACME1) with multiple IdPs
Requirements:
• support of more than one IdP per domain
• IdP support on domain level
• IdP management rights on domain level
• API support for metadata and token management
The Key to the limitations and challenges
Challenge: Identity federation configured by the OpenStack service administrator manually
  Solution: Identity federation configured by tenants through console or API
Challenge: Several regions, only one keystone service: bottleneck
  Solution: Cached proxy
Challenge: Keystone only supports one IdP per OpenStack domain
  Solution: Keystone patch to support more than one IdP per domain
Federated keystone and IAM – Identity Federation
Component diagram, as shown on the slide:
• OTC frontend (Horizon)
• IAM frontend
• Apache Server with Shibboleth / Mellon / … (SAML)
• IAM cached proxy
• IAM Core Service (Keystone / Keystone-extension)
Architecture of IAM Service
• IAM Frontend: IAM Console, Auth UI
• IAM Cached Proxy: TCache
• IAM Core Service: Keystone with Keystone Patch; Keystone V3 Native Interface and Keystone V3 Extend Interface; KS-DB (MySQL) and KSX-DB
IAM core service – keystone extensions: more than one IdP for each tenant
• IAM Core Service: Keystone + Keystone Patch
• KS-DB (MySQL), active/standby, with the native tables: identityprovider, protocol, mapping, user, project, …
• KSX-DB (extension database) with the table ext-idp, which is what allows more than one IdP per tenant
IAM core service – keystone extensions: create a new identity provider for a tenant
1. Check the format of the metadata file
2. Register an IdP: PUT /v3/OS-FEDERATION/identity_providers/{id}
3. Register a Protocol: PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
4. Create a Mapping: PUT /v3/OS-FEDERATION/mappings/{id}
5. Import a Metadata: POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
Result: a new IdP for a tenant, reachable through the login URL
https://auth.otc.t-systems.com/authui/federation/websso?idp={idp-name}&protocol={protocol}&service={otc-console-url}
Default mapping rules:
{ "remote": [ { "type": "__NAMEID__" } ], "local": [ { "user": { "name": "FederationUser" } } ] }
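The first step above, checking the format of the uploaded metadata file, as an added example that is not OTC's or Keystone's code: structural checks a tenant-uploaded SAML 2.0 IdP metadata document should pass before it is imported through the /v3-ext metadata API. The sample documents, the size limit and the exact list of checks are constructed assumptions. The parser is Python's standard xml.etree, so DTD and entity declarations are rejected by a string check before parsing rather than handed to the parser.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"


def check_idp_metadata(xml_text, max_bytes=256 * 1024):
    """Return a list of problems found in an uploaded IdP metadata document.
    An empty list means the document passes the structural checks.
    The size limit is a constructed assumption, not an OTC value."""
    if len(xml_text.encode("utf-8")) > max_bytes:
        return ["metadata exceeds size limit"]
    # Tenant uploads are untrusted input and xml.etree expands internal
    # entities, so refuse any DTD before the parser sees it.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD / entity declarations are not accepted"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    problems = []
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        return ["root element must be md:EntityDescriptor"]
    if not root.get("entityID"):
        problems.append("missing entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A file with only an SPSSODescriptor is valid metadata, but for an SP.
        return problems + ["no IDPSSODescriptor (file may describe an SP, not an IdP)"]
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IdP does not declare SAML 2.0 protocol support")

    sso = [e.get("Location", "") for e in idp.findall("md:SingleSignOnService", NS)]
    if not sso:
        problems.append("no SingleSignOnService endpoint")
    problems += [f"SSO endpoint is not https: {loc}" for loc in sso
                 if not loc.startswith("https://")]

    # Without a certificate the SP could never verify assertion signatures.
    certs = idp.findall(
        "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if not any((c.text or "").strip() for c in certs):
        problems.append("no X509 certificate in KeyDescriptor")
    return problems


# Constructed sample documents (not real IdP metadata; the certificate is a placeholder).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.acme1.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-PLACEHOLDER</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.acme1.example/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.acme1.example/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("good:", check_idp_metadata(GOOD_METADATA))
    print("sp-only:", check_idp_metadata(SP_METADATA))
```

These checks only establish that the upload is shaped like IdP metadata; trust in the entityID and certificate still comes from the tenant's own out-of-band verification of where the file came from.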
IAM core service – keystone extensions: the process of federation authentication
Sequence diagram between User, OTC IAM (SP) and Identity Provider:
1. User attempts to access a protected resource
2. SP performs IdP discovery and redirects to the IdP HTTP redirect endpoint
3. User accesses the IdP HTTP redirect endpoint
4. IdP validates the SAML request and presents a login form to the user
5. User authenticates to the Identity Provider
6. IdP validates the credentials, generates the SAML response and instructs the browser to post it
7. User posts the SAML response to the SP
8. SP verifies the SAML assertion and maps it to local groups and users
9. SP returns the protected resource to the user
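The last SP-side step, mapping the verified assertion to local users and groups, as an added example that is neither Keystone's mapping engine nor OTC code: a simplified reimplementation of Keystone's OS-FEDERATION mapping semantics (remote conditions with any_one_of / not_any_of / regex, {n} substitution in local entries, merged output of all matching rules), applied to the default rule shown on the previous slide and to a constructed tenant rule. The tenant rule, the roles attribute, the group and domain names and the sample assertions are assumptions.

```python
import re

# The default rule from the slide: every asserted NameID becomes the single
# local user "FederationUser".
DEFAULT_RULES = [
    {"remote": [{"type": "__NAMEID__"}],
     "local": [{"user": {"name": "FederationUser"}}]},
]

# Constructed tenant rules: keep the IdP user name as the local name and add
# an admins group only when the IdP asserts a whitelisted role.
TENANT_RULES = [
    {"remote": [{"type": "__NAMEID__"},
                {"type": "roles", "any_one_of": ["cloud-admin", "ops"]}],
     "local": [{"user": {"name": "{0}"}},
               {"group": {"name": "admins", "domain": {"name": "acme1"}}}]},
    {"remote": [{"type": "__NAMEID__"}],
     "local": [{"user": {"name": "{0}"}}]},
]


def _match(cond, assertion):
    """Evaluate one remote condition. Returns the attribute values captured
    for {n} substitution, or None when the condition does not hold."""
    values = assertion.get(cond["type"])
    if not values:                      # attribute absent: rule does not apply
        return None
    regex = cond.get("regex", False)

    def hit(value, options):
        if regex:
            return any(re.search(o, value) for o in options)
        return value in options

    if "any_one_of" in cond and not any(hit(v, cond["any_one_of"]) for v in values):
        return None
    if "not_any_of" in cond and any(hit(v, cond["not_any_of"]) for v in values):
        return None
    return values


def _subst(obj, captured):
    """Replace {n} in local entries with the n-th remote condition's value
    (multi-valued attributes joined with ';', as Shibboleth delivers them)."""
    if isinstance(obj, str):
        return obj.format(*(";".join(v) for v in captured))
    if isinstance(obj, dict):
        return {k: _subst(v, captured) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_subst(v, captured) for v in obj]
    return obj


def apply_mapping(rules, assertion):
    """Map an assertion (attribute name -> list of values) to
    {'user': {...} or None, 'groups': [...]}. Every rule whose remote
    conditions all hold contributes: the first user wins, groups accumulate.
    A None user means the SP must reject the login."""
    result = {"user": None, "groups": []}
    for rule in rules:
        captured = []
        for cond in rule["remote"]:
            got = _match(cond, assertion)
            if got is None:
                break
            captured.append(got)
        else:
            for local in _subst(rule["local"], captured):
                if "user" in local and result["user"] is None:
                    result["user"] = local["user"]
                if "group" in local and local["group"] not in result["groups"]:
                    result["groups"].append(local["group"])
    return result


if __name__ == "__main__":
    # Constructed assertions as the SP would see them after signature verification.
    alice = {"__NAMEID__": ["alice@acme1.example"], "roles": ["ops"]}
    print(apply_mapping(DEFAULT_RULES, alice))
    print(apply_mapping(TENANT_RULES, alice))
```

The default rule maps every federated identity to the same local name, so per-user audit trails need a tenant rule that carries the NameID through with {0}, as the constructed second rule set does; an assertion without the required attribute yields no user and must be rejected rather than defaulted.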
IAM core service – keystone extensions: delete an identity provider for a tenant
1. Delete a Mapping: DELETE /v3/OS-FEDERATION/mappings/{id}
2. Delete a Protocol: DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
3. Delete a Metadata: DELETE /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
4. Delete an IdP: DELETE /v3/OS-FEDERATION/identity_providers/{id}
Result: one IdP deleted for a tenant
IAM core service – keystone extensions: Identity Federation through API
API / URI – Function
• POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata – Import a metadata file of a tenant
• GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata – Query the content of the metadata file imported by an IdP to the IAM system
• GET /v3-ext/auth/OS-FEDERATION/SSO/metadata – Get metadata content of IAM federation
IAM cached proxy – Acceleration of Keystone core services
Region1: IAM Cached Proxy1 (IAM Cached Proxy with TCache)
Considerations:
• Secure cached credential
• Limit scope
• Expiration
IAM cached proxy – Acceleration of Keystone core services
Multi-region diagram: ecs.region1.com → Region1 API Gateway → IAM Cached Proxy1 (TCache); ecs.region2.com → Region2 API Gateway → IAM Cached Proxy2 (TCache); both proxies → IAM Core Service (Keystone)
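The three considerations on the cached proxy slide (secure cached credential, limit scope, expiration), as an added example and not OTC's TCache implementation: a sketch of a regional token-validation cache sitting between an API gateway and the central Keystone. It assumes a validate callable that asks central Keystone for token details and returns a dict with user_id, project_id, domain_id, roles and expires_at (or None for an unknown token); the fake Keystone backend, the fake clock and the 300 s local TTL are constructed.

```python
import hashlib
import time


class TokenCache:
    """Regional cache of token-validation results in front of central Keystone."""

    def __init__(self, validate, local_ttl=300, clock=time.time):
        self._validate = validate   # callable(token) -> token info dict or None
        self._ttl = local_ttl       # upper bound on how long a region trusts a result
        self._clock = clock
        self._entries = {}          # sha256(token) -> (expires_at, scope)
        self.backend_calls = 0      # round trips to central Keystone (for the demo)

    @staticmethod
    def _key(token):
        # Secure cached credential: only a digest of the token is stored, so a
        # dump of the proxy's cache cannot be replayed against Keystone.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def lookup(self, token):
        """Return the cached scope for a token, refreshing from Keystone when
        the entry is missing or expired; None if the token is invalid."""
        now = self._clock()
        key = self._key(token)
        hit = self._entries.get(key)
        if hit is not None and hit[0] > now:
            return hit[1]
        self._entries.pop(key, None)
        self.backend_calls += 1
        info = self._validate(token)
        if info is None or info["expires_at"] <= now:
            return None
        # Limit scope: keep only what the regional gateway needs for
        # authorization decisions, nothing that could mint new credentials.
        scope = {"user_id": info["user_id"], "project_id": info["project_id"],
                 "domain_id": info["domain_id"], "roles": list(info["roles"])}
        # Expiration: never outlive the token itself, and re-check centrally at
        # least every local_ttl seconds so revocations reach every region.
        self._entries[key] = (min(info["expires_at"], now + self._ttl), scope)
        return scope

    def revoke(self, token):
        """Drop a cached entry early (e.g. on a revocation event)."""
        self._entries.pop(self._key(token), None)


# Constructed stand-ins for central Keystone and for wall-clock time.
class FakeClock:
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now


FAKE_KEYSTONE = {
    "tok-alice": {"user_id": "u-alice", "project_id": "p-acme1", "domain_id": "d-acme1",
                  "roles": ["member"], "expires_at": 1000.0 + 3600},
}


def simulate():
    """Drive the cache through a miss, a hit, a local-TTL refresh and token expiry."""
    clock = FakeClock(1000.0)
    cache = TokenCache(FAKE_KEYSTONE.get, local_ttl=300, clock=clock)
    first = cache.lookup("tok-alice")          # miss: one call to Keystone
    cache.lookup("tok-alice")                  # hit: no further call
    calls_after_hit = cache.backend_calls
    clock.now += 301                           # local TTL elapsed: re-validated
    cache.lookup("tok-alice")
    calls_after_ttl = cache.backend_calls
    clock.now = 1000.0 + 3601                  # token itself expired: None
    expired = cache.lookup("tok-alice")
    unknown = cache.lookup("tok-mallory")      # never issued: None
    return {"first": first, "calls_after_hit": calls_after_hit,
            "calls_after_ttl": calls_after_ttl, "expired": expired,
            "unknown": unknown,
            "raw_token_cached": "tok-alice" in repr(cache._entries)}


if __name__ == "__main__":
    print(simulate())
```

The local TTL is the knob that trades latency against how long a revoked token can still be honoured in a region; a proxy that never re-validates within the token lifetime turns every revocation into a no-op until the token expires.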
IAM frontend – console: Identity Federation functions
• Identity Provider: Create, Delete, Edit, Query
• Metadata File: Upload, Download
• Mapping Rules: Create, Delete, Edit, Query
IAM frontend – console: Identity Federation through console
10 identity providers for each tenant
IAM frontend – console: Identity Federation through console
• Login link for IdP
• Upload metadata file of IdP
• Mapping of IdP access rules to OTC access rules
IAM frontend – console: Identity Federation through console (console screenshot)