Identity Services beyond Web SSO - TERENA TF-EMC2
Identity Services beyond Web SSO, Josh...
SAML-SASL
• draft-ietf-kitten-sasl-saml
• Aims to avoid changes to deployed infrastructure
• Invokes a browser: not quite “beyond Web SSO” :)
• Binding of <AuthnRequest> to SASL
• http://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-05
SAML-EC
• draft-ietf-kitten-sasl-saml-ec
• Conceptually similar to the SAML ECP profile
– Client issues <AuthnRequest> over SOAP to the IdP, authenticates and obtains an assertion
– Client sends the assertion to the RP over SASL
• http://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec-00
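The three-step exchange on the SAML-EC slide, as an added illustration that is not part of the talk or of the draft: a Python model in which the client builds the <AuthnRequest>, an IdP stand-in returns a bearer assertion, and the RP applies the checks a relying party needs before trusting an assertion that arrives over SASL (known issuer, validity window, audience, InResponseTo). The SOAP envelope, the SASL framing and the IdP's XML signature are not modelled, and the entity identifiers are constructed.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
RP_ID, IDP_ID = "https://imap.example.org/sasl", "https://idp.example.org"  # constructed identifiers

def iso(t=None):  # fixed-width UTC timestamp, so plain string comparison orders correctly
    return (t or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")

def client_authn_request():
    """Step 1: client builds the <AuthnRequest> that SAML-EC carries to the IdP over SOAP."""
    rid = "_" + secrets.token_hex(8)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=rid, Version="2.0", IssueInstant=iso())
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = RP_ID  # the RP the client wants to reach
    return rid, ET.tostring(req)

def idp_issue_assertion(request_xml, user, lifetime=timedelta(minutes=5)):
    """Step 2: IdP stand-in; after authenticating the user it returns a bearer assertion bound to the request ID and to the requesting RP."""
    req = ET.fromstring(request_xml)
    rp = req.findtext(f"{{{SAML}}}Issuer")
    now = datetime.now(timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion", ID="_" + secrets.token_hex(8), Version="2.0", IssueInstant=iso(now))
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = IDP_ID
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = user
    conf = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation", Method=BEARER)
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData", InResponseTo=req.get("ID"), Recipient=rp)
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions", NotBefore=iso(now), NotOnOrAfter=iso(now + lifetime))
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"), f"{{{SAML}}}Audience").text = rp
    return ET.tostring(a)

def rp_accept(assertion_xml, expected_request_id):
    """Step 3: checks the RP applies to the assertion received over SASL; verifying the IdP's XML signature must precede these and is not modelled."""
    a = ET.fromstring(assertion_xml)
    cond, t = a.find(f"{{{SAML}}}Conditions"), iso()
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ID or cond is None:
        return None  # not from an IdP we trust, or no conditions to evaluate
    if not (cond.get("NotBefore") <= t < cond.get("NotOnOrAfter")):
        return None  # outside the validity window
    if RP_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        return None  # issued for a different relying party
    data = a.find(f".//{{{SAML}}}SubjectConfirmationData")
    if data is None or data.get("InResponseTo") != expected_request_id:
        return None  # not the answer to our request: unsolicited or replayed
    return a.findtext(f".//{{{SAML}}}NameID")

def run_flow(user="alice@example.org"):
    """Whole exchange: client -> IdP over SOAP, then client -> RP over SASL."""
    rid, request_xml = client_authn_request()
    return rp_accept(idp_issue_assertion(request_xml, user), rid)
```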
Moonshot
• Moonshot builds on the eduroam technologies
– EAP (RFC 3748): strong mutual authentication
– RADIUS (RFC 2865): federation between domains
• To this, Moonshot adds
– SAML, for rich authorisation semantics
– Application integration, using operating system security APIs
• SSPI: Windows
• GSS-API (RFC 2078): other operating systems
• SASL (RFC 4422): Windows and other operating systems
– This architecture is being standardised within the IETF ABFAB working group (http://tools.ietf.org/wg/abfab)
Progress to date
• Moonshot plug-in available for Windows, Mac & Linux
• Many applications successfully tested
• Domestication of applications requires little or no effort
• Packaging for Debian and RHEL6; Suse and RHEL5 in progress
• Live DVD (Debian)
• Experimental port to JUNOS
• Native Windows support
• IETF standardisation making good progress
• Ongoing discussions with operating system vendors
Application integration
• Most modern applications use at least one of the security APIs supported by Moonshot
• Correctly written applications will ‘just work’ without modification or recompilation
• Less correctly written applications may require minor source modifications
Examples of other tested scenarios
• OpenSSH client → OpenSSH server (GSS)
• OpenLDAP client → OpenLDAP server (GSS)
• OpenLDAP client → Windows Active Directory (SSPI)
• Firefox → Apache (GSS)
• MyProxy client → MyProxy server (SASL)
• Adium → Jabberd (SASL)
• Console authentication using PAM (GSS)
On-going work
• Identity Selector
– Client-side application to manage multiple identities
– Experimental version available for Windows & Linux
– Porting to Mac & improving the UI and UX
– Production-ready Q1 2012
• Native Windows support (client and server)
– Advanced proof-of-concept working
– Additional work needed to support kernel-layer methods
– Production-ready Q1 2012
• RADIUS → Identity Provider integration
– Home RADIUS server able to obtain a SAML assertion using the ECP profile
– Talking to OSC about an implementation in Radiator
JANET Moonshot Technology Pilot
• JANET Moonshot Technology Pilot started 11 October
• Focusing initially on e-Research use-cases; primarily Grid and High Performance Computing
• Piloting activities include
– Feasibility of replacing user-facing X.509 certificates for access to computing resources
– Moonshot-based login authentication at consoles within a national scientific facility
– Integration into JANET’s upcoming Cloud services portfolio