[PPT] - =C=Fermilab Managed by Fermi Research Alliance, LLC for the U.S. PowerPoint Presentation

SLIDE 1

Federation At Fermilab

Al Lilianstrom National Laboratories Information Technology Summit May 2015

FERMILAB-SLIDES-18-102-CD This manuscript has been authored by Fermi Research Alliance, LLC under Contract No. DE-AC02-07CH11359 with the U.S. Department of Energy, Office of Science, Office of High Energy Physics.

=C=Fermilab

Managed by Fermi Research Alliance, LLC for the U.S. Department of Energy Office of Science

SLIDE 2

About Fermilab

Since 1967, Fermilab has worked to answer fundamental

questions and enhance our understanding of everything we see around us. As the United States' premier particle physics laboratory, we work on the world's most advanced particle accelerators and dig down to the smallest building blocks of matter.

Fermilab collaborates with more than 20 countries on physics

experiments based in the United States and elsewhere.

Fermilab's 6,800-acre site is located in Batavia, Illinois, and is

managed by the Fermi Research Alliance LLC for the U.S. Department of Energy Office of Science. FRA is a partnership

f the University of Chicago and Universities Research

Association Inc., a consortium of 86 research universities.

4/17/2015 Al Lilianstrom | Federation At Fermilab 2------------------------0

Fermilab

SLIDE 3

Bison

4/17/2015 Al Lilianstrom | Federation At Fermilab 3------------------------0

Fermilab

SLIDE 4

Terms

ADFS – Active Directory Federation Services

– https://technet.microsoft.com/en-us/windowsserver/dd448613.aspx

COTS - Commercial Off The Shelf
IdP – Identity Provider
InCommon

– https://www.incommon.org/

LDAP – Lightweight Directory Access Protocol

– http://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol

SP – Service Provider
SAML – Security Assertion Markup Language

– http://saml.xml.org/about-saml

Shibboleth

– https://shibboleth.net/

SSL – Security Sockets Layer

– http://en.wikipedia.org/wiki/Transport_Layer_Security

SSO – Single Sign On

4/17/2015 Al Lilianstrom | Federation At Fermilab 4

SLIDE 5

Abstract

Fermilab is working to provide a seamless web for science

and business applications by using federated identities from internal identity providers such as Active Directory Federation Services and Shibboleth and external identity providers such as InCommon Federation members and social identities such as Google.

This talk will focus on the complexities of internal and

external identities, open source and COTS identity providers, and open source and COTS applications and how we are working to make the user experience for authentication as simple and secure as possible.

4/17/2015 Al Lilianstrom | Federation At Fermilab 5------------------------0

Fermilab

SLIDE 6

History

2008

– Centrally managed LDAP service for web application authentication was brought online – Computer Security initiated push for web application owners to move from .htaccess files to LDAP over SSL – Not federation – just a single password

A big step in the right direction
2010

– Fermilab hosted Shibboleth Installfest – 20+ attendees from Fermilab and several other institutions – Significant interest from all attendees

*Shibboleth 1.0 - 2003

4/17/2015 Al Lilianstrom | Federation At Fermilab 6------------------------0

Fermilab

SLIDE 7

Crickets

4/17/2015 Al Lilianstrom | Federation At Fermilab 7------------------------0

Fermilab

SLIDE 8

History

2013

– ADFS IdP in Production

2014

– ADFS SP

SharePoint 2013
Office 365

– Shibboleth IdP in Production

On premise
Managed Service

– Joined InCommon Federation

2015

– CiLogon SP

Shibboleth Service

4/17/2015 Al Lilianstrom | Federation At Fermilab 8------------------------0

Fermilab

SLIDE 9

Why Federate?

Passwords

– Same password as LDAP Service

Single Logon
External identities

– Social Media

Identity Proofing

– Authoritative source

Control of Information
Platform Independent

– OS/Application/etc

Security Boundaries

4/17/2015 Al Lilianstrom | Federation At Fermilab 9------------------------0

Fermilab

SLIDE 10

Why Federate?

Identities

– External identities

Business Partners
Social Media

– Identity Proofing

How do you know who RadGenius@gmail.com really is?
Federation Members
Authoritative source

– Termination

– Authorization

Application Compatibility

– Username – Email Address

4/17/2015 Al Lilianstrom | Federation At Fermilab 10

SLIDE 11

Why Federate?

Control of Information

– Links not E-Mail – Authentication Source

Platform Independent

– Operating System – Application

SAML Support

– SP – IdP

– Client

Web Browser

4/17/2015 Al Lilianstrom | Federation At Fermilab 11

-----------------------0

Fermilab

SLIDE 12

Security Boundaries

Two types of logons at Fermilab

– Interactive and Web – Password strength requirements are the same

Interactive

– Logon to Linux or Windows – Remote Desktop – SSH

Web

– SharePoint – Email

Interactive logons are not used to access web services
Web logons are not used for interactive access to computers

– There is no direct connection between the services in the Interactive and Web environments

4/17/2015 Al Lilianstrom | Federation At Fermilab 12

-----------------------0

Fermilab

SLIDE 13

Security Boundaries

4/17/2015 Al Lilianstrom | Federation At Fermilab 13

CAF

7
1/

RSA ~curlD

C

Ql

Windows

Web

1

SharePoint

2013

CMS

VPN

~rviceNow

()

() Radius

~hibbolet/

~

\~

c£

..

1

SLIDE 14

Security Boundaries

Why?

– Goal was to prevent compromised web credentials from gaining access to interactive systems

As more services move to the web is this a valid concern?
Some applications are designed around logon accounts

being used to gain access to web services

– Exchange – SharePoint

Can Federation provide a true SSO environment?

4/17/2015 Al Lilianstrom | Federation At Fermilab 14

-----------------------0

Fermilab

SLIDE 15

Security Boundaries

ADFS

– Windows Integrated Authentication – ADFS in Windows Logon Domain

IdP as a RP to primary ADFS IdP

– Logon credentials used to access web applications

Logon credentials are never presented to the web application
No passwords on the wire

– Ever

– Non-Windows clients can kinit against the Windows Domain and use the applications in the same manner*

4/17/2015 Al Lilianstrom | Federation At Fermilab 15

-----------------------0

Fermilab

SLIDE 16

Security Boundary

ADFS to ADFS

4/17/2015 Al Lilianstrom | Federation At Fermilab 16

(Active Directory)

ADFS Server in our primary Windows domain. Windows Integrated Authentication is used t get ADFS token in

browser to access web apps without password

' .

' .

ADFS ADFS

FADFS.FNAL.GOV

SSO. FNAL.GOV No trust exists between FERMI and SERVICES Active Directory Domains ADFS in SERVICES accepts ADFS

tokens from FERMI and issues claims

based on contents

On Premise Share Point SP On Premise Exchan2e SP

C=Fermilab

SLIDE 17

Federation Service Today

4/17/2015 Al Lilianstrom | Federation At Fermilab 17

On Prem~ Apache Web Server,; SP

Shibboleth

IDP.FNALGOV

Sh bboleth man ed service ADFS to Shibboleth

trust in Test

ADFS SSO.FNAL.GOV

7 .

ADFS w'I be used for the Microsoft

product line Both Shibboleth and

ADFS use the same AD domain for authentication and attribute source

7 .

On Premise Share Point SP

Testing ADFS to ADFS ADFS Server in our Windows domain. Use WIA to get ADFS token to access web apps thout password

SERVICES (Active Directory)

ADFS

Windows Domain

C=Fermilab

SLIDE 18

Federation Service Today

Hybrid Solution

– ADFS

Microsoft stack

– SharePoint – Office 365

– Shibboleth

Everything else 

– InCommon – CiLogon – Central Web Services – Service Now – Apache Based Applications – Social Connections

4/17/2015 Al Lilianstrom | Federation At Fermilab 18

-----------------------0

Fermilab

SLIDE 19

Hybrid Solution

Issues

– Usability

Two IdPs

– IdP to IdP Trust

– Support

Managed Service Issues

– Compatibility

Claims

– Formats

4/17/2015 Al Lilianstrom | Federation At Fermilab 19

-----------------------0

Fermilab

SLIDE 20

Hybrid Solution

Why not just use one?
ADFS

– Microsoft Documentation – Microsoft Applications – Open Source Applications

Evil Empire 

– PowerShell – Internal Support

System Configuration

– Hardware – Software

– Quirks – ADFS is an excellent choice for a Windows shop

4/17/2015 Al Lilianstrom | Federation At Fermilab 20

-----------------------0

Fermilab

SLIDE 21

Hybrid Solution

Shibboleth

– Microsoft Applications

Supported but …

– Open Source Applications – Documentation – Product Support

Paid

– https://shibboleth.net/community/consultants.html

Free

– Not always friendly

– Internal Support

System Configuration

– Hardware – Software

4/17/2015 Al Lilianstrom | Federation At Fermilab 21

SLIDE 22

Changing the Solution

Federation is starting to gain acceptance at Fermilab

– Multiple SPs testing

Central web services
Content Management
Cloud SaaS
Issues with current solution

– Support – Reliability

Need a robust supported solution

– Internal Support – Vendor – Third-party

4/17/2015 Al Lilianstrom | Federation At Fermilab 22

-----------------------0

Fermilab

SLIDE 23

Federation Phase Three

Shibboleth out, Ping Federate in

– Standards Compliant – Industry leader – Excellent support – In use in the DOE complex – Mobile device integration – Not without issues

Configuration
Metadata

– Import – Export

IdP Trust

4/17/2015 Al Lilianstrom | Federation At Fermilab 23

-----------------------0

Fermilab

SLIDE 24

Federation Service – Planned

4/17/2015 Al Lilianstrom | Federation At Fermilab 24

On Pn,m~ Apache Web Servers

SP

7 .

Ping Federate

IDP.FNAL.GOV

Goal is to use P .,]

l

as a SAML2 provider to replace Shibboleth

DFS and Ping need to

trust" each other so that

nly one authentication is

necessary to access any SP managed by either Ping or ADFS

ADFS

On Premise Share Point

SP

SSO.FNAL.GOV

ADFS will be used for the Microsoft product line Both Ping and ADFS use

the same AD domain for authentication and attribute source

On Prem~ Exchange

SP

1----ir..==::-III ADFS Server in our

7 .

Windows domain. Use WIA to get ADFS to ·en to access web a Jps without

ADFS

password

SERVICES (Active Directory)

Windows Domain

C=Fermilab

SLIDE 25

Federation Phase Four

Simplify ADFS

– As part of “upgrade” to ADFS v3 – Move from SQL Server to Windows Integrated Database

More redundancy

– Data Centers

Ping Federate
ADFS
Domain Controllers
Cloud

4/17/2015 Al Lilianstrom | Federation At Fermilab 25

-----------------------0

Fermilab

SLIDE 26

Federation Service – Goals

True SSO for Windows Users

– Domain Members

True SSO for Linux and OSX Users

– Kerberos Login Required

Forms Based SSO

– All other

Mobile Device Support

– Improve ease of use

4/17/2015 Al Lilianstrom | Federation At Fermilab 26

-----------------------0

Fermilab

SLIDE 27

Lessons Learned

COTS

– Features – Support

Open Source

– Support Issues

Managed Service

– Vendor Response

Standards

– Support

4/17/2015 Al Lilianstrom | Federation At Fermilab 27

-----------------------0

Fermilab

SLIDE 28

Lessons Learned

Evaluate the market

– Products are constantly evolving

Don’t be afraid to change

– Results can be worth the pain

4/17/2015 Al Lilianstrom | Federation At Fermilab 28

-----------------------0

Fermilab

SLIDE 29

Questions?
Contact Information

–Al Lilianstrom –lilstrom@fnal.gov

-----------------------0

Fermilab