
Identity Services beyond Web SSO

Josh Howlett, JANET

19th TF-EMC2, 7 November 2011

Contents

•  SAML-SASL
•  SAML-EC
•  Moonshot / Abfab

2

SAML-SASL

•  draft-ietf-kitten-sasl-saml
•  Aims to avoid changes to deployed infrastructure
•  Invokes browser: not quite “beyond Web SSO” :-)
•  Binding of <AuthNRequest> to SASL
•  http://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-05

3

SAML-EC

•  draft-ietf-kitten-sasl-saml-ec
•  Conceptually similar to SAML ECP profile
   –  Client issues <AuthNRequest> over SOAP to IdP, authenticates and obtains an assertion
   –  Client sends assertion to RP over SASL
•  http://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec-00

4
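The SAML-EC flow on this slide, as an added Python model that is not part of the talk or of any Moonshot or kitten implementation: messages are dicts rather than SAML XML, an HMAC under a constructed IdP key stands in for the XML signature, and the point is the checks the RP must make on the assertion it receives over SASL.

```python
"""Constructed model of the SAML-EC exchange: the client asks the IdP for an
assertion (AuthnRequest over SOAP), then presents it to the RP inside the
SASL exchange. Dict messages and an HMAC stand in for SAML XML and XMLDSig."""
import hashlib
import hmac
import json
import secrets

IDP_KEY = b"constructed-idp-signing-key"  # stand-in for the IdP's signing key
LIFETIME = 300                              # assertion validity in seconds


def _digest(body: dict) -> str:
    canonical = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_KEY, canonical, hashlib.sha256).hexdigest()


def client_build_authn_request(rp_entity_id: str) -> dict:
    """Step 1 (client -> IdP over SOAP): ask for an assertion for this RP."""
    return {"type": "AuthnRequest", "target": rp_entity_id, "id": secrets.token_hex(8)}


def idp_issue_assertion(req: dict, user: str, authenticated: bool, now: float) -> dict:
    """Step 2 (IdP): authenticate the user, then issue a signed assertion
    scoped to the RP named in the request and to a short validity window."""
    if not authenticated:
        raise PermissionError("IdP refused: user authentication failed")
    body = {"type": "Assertion", "subject": user, "audience": req["target"],
            "in_response_to": req["id"], "not_before": now,
            "not_on_or_after": now + LIFETIME}
    return {"body": body, "sig": _digest(body)}


def rp_verify_assertion(assertion: dict, rp_entity_id: str, now: float) -> str:
    """Step 3 (client -> RP over SASL): the RP must check signature, audience
    and validity window before treating the subject as authenticated."""
    body = assertion["body"]
    if not hmac.compare_digest(_digest(body), assertion["sig"]):
        raise ValueError("assertion rejected: signature does not verify")
    if body["audience"] != rp_entity_id:
        raise ValueError("assertion rejected: issued for a different RP")
    if not body["not_before"] <= now < body["not_on_or_after"]:
        raise ValueError("assertion rejected: outside validity window")
    return body["subject"]


def run_exchange(user: str, rp_entity_id: str, now: float, authenticated: bool = True) -> str:
    """Drive all three steps and return the subject the RP accepted."""
    req = client_build_authn_request(rp_entity_id)
    assertion = idp_issue_assertion(req, user, authenticated, now)
    return rp_verify_assertion(assertion, rp_entity_id, now)
```

An assertion issued for one RP is rejected by another, which is the property that lets a single IdP serve many SASL-protected services.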

Moonshot

•  Moonshot builds on the eduroam technologies
   –  EAP (RFC 3748): strong mutual authentication
   –  RADIUS (RFC 2865): federation between domains
•  To this, Moonshot adds
   –  SAML, for rich authorisation semantics
   –  Application integration, using operating system security APIs
      •  SSPI: Windows
      •  GSS-API (RFC 2078): other operating systems
      •  SASL (RFC 4422): Windows and other operating systems
   –  This architecture is being standardised within the IETF Abfab working group (http://tools.ietf.org/wg/abfab)

5

Progress to date

•  Moonshot plug-in available for Windows, Mac & Linux
•  Many applications successfully tested
•  Domestication of applications requires little or no effort
•  Packaging for Debian and RHEL6; Suse and RHEL5 in progress
•  Live DVD (Debian)
•  Experimental port to JUNOS
•  Native Windows support
•  IETF standardisation making good progress
•  Ongoing discussions with operating system vendors

6

Application integration

•  Most modern applications use at least one of the security APIs supported by Moonshot

•  Correctly written applications will ‘just work’ without modification or recompilation

•  Less correctly written applications may require minor source modifications

7

PuTTY → OpenSSH

8

IE7 → Apache

9

Outlook 2010 → Exchange 2010

10

Outlook 2010 → Exchange 2010

11

Examples of other tested scenarios

•  OpenSSH client → OpenSSH server (GSS)
•  OpenLDAP client → OpenLDAP server (GSS)
•  OpenLDAP client → Windows Active Directory (SSPI)
•  Firefox → Apache (GSS)
•  MyProxy client → MyProxy server (SASL)
•  Adium → Jabberd (SASL)
•  Console authentication using PAM (GSS)

12

On-going work

•  Identity Selector
   –  Client-side application to manage multiple identities
   –  Experimental version available for Windows & Linux
   –  Porting to Mac & improving the UI and UX
   –  Production-ready Q1 2012
•  Native Windows support (client and server)
   –  Advanced proof-of-concept working
   –  Additional work needed to support kernel-layer methods
   –  Production-ready Q1 2012
•  RADIUS → Identity Provider integration
   –  Home RADIUS server able to obtain SAML assertion using ECP profile
   –  Talking to OSC about an implementation in Radiator

13

JANET Moonshot Technology Pilot

•  JANET Moonshot Technology Pilot started 11 October
•  Focusing initially on e-Research use-cases; primarily Grid and High Performance Computing
•  Piloting activities include
   –  Feasibility of replacing user-facing X.509 certificates for access to computing resources
   –  Moonshot-based login authentication at consoles within a national scientific facility
   –  Integration into JANET’s upcoming Cloud services portfolio

14