Federated User Credential Deployment Portal (FEUDAL) Lukas Burgey | - - PowerPoint PPT Presentation



SLIDE 1

STEINBUCH CENTRE FOR COMPUTING

Federated User Credential Deployment Portal (FEUDAL)

Lukas Burgey | August 29, 2018

KIT – University of the State of Baden-Wuerttemberg and National Research Centre of the Helmholtz Association

www.kit.edu

SLIDE 2

Context

Helmholtz Data Federation (HDF)

  • Sites: KIT, FZJ, DKFZ, AKI, GSI, and DESY
  • Federated Identities using SP-IdP-Proxy (AARC BPA)
  • User Authentication by the IdPs at the sites
  • Extends user information from IdPs

Lukas Burgey – FEUDAL – August 29, 2018 2/1

SLIDE 3

Deployment

User deployment
  • Account provisioning
  • Deployment of user credentials (SSH public key, password, etc.)


SLIDE 4

Requirements (1/2)

Web Portal Deployment
  • Federated user authentication
  • Credentials: SSH public keys
  • Fault tolerant
  • Response time: close to network latency

Services
  • Services can be hosted at multiple sites
  • Sites can host multiple services


SLIDE 5

Requirements (2/2)

At the sites:
  • Interface with all possible User Management Systems
  • Customisable by the local Administrator
  • Attractive to host services
  • No incoming connections
  • Secure


SLIDE 6

FEUDAL Workflow

1. User: SSH public key upload
2. User: VO / service selection
3. Portal: Account provisioning at the services
4. Portal: Key deployment to the account
5. Portal: Display login information to the user
6. User: Can access the services with the public key


SLIDE 7

Architecture (1/2)

Distributed:
  • FEUDAL clients
    • Every site hosts one or more clients
    • The clients execute the deployments

Central elements:
  • Web portal: user interface
  • FEUDAL backend + database
    • Sends messages to the clients
    • Stores user information and credentials


SLIDE 8

Figure: Architecture overview. Backend: REST-API, Webpage, RabbitMQ, Database. Site: Client (script call). Other participants: User, SP-IdP-Proxy (Unity), IdPs. Legend: own implementation vs. preexisting. Arrows: authentication, initialize, user info / groups, requests, publish, fetch / acknowledge, send.

SLIDE 9

Architecture (1/2)

Technology
  • SP-IdP-Proxy: OpenID Connect
  • Backend: Django/Python
    • Inbuilt administration frontend
    • Simplifies usage of the database
    • Django REST Framework
  • Clients: Go
    • Static linking
  • Webpage: Angular/TypeScript
    • Asynchronous requests


SLIDE 10

Messaging (1/4)

Messages (JSON):

Backend → Client:
  • identifier
  • action ∈ {“deploy”, “remove”}
  • service
  • SSH public key
  • user info (from OpenID Connect)
  • group memberships (from Unity)

Backend ← Client: Acknowledgement
  • identifier
  • login information

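As an added illustration (not FEUDAL's own client code) of the message exchange on this slide: a client-side handler in Go that parses a backend → client message, refuses anything for a service this client does not host or with an unexpected action or malformed key, and builds the acknowledgement. The JSON field names, the `preferred_username` claim and the `hosted` service → login-host map are this example's assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Message is one backend → client message; the JSON field names are assumed here.
type Message struct {
	Identifier string            `json:"identifier"`
	Action     string            `json:"action"` // "deploy" or "remove"
	Service    string            `json:"service"`
	SSHKey     string            `json:"ssh_key"`
	UserInfo   map[string]string `json:"user_info"` // OpenID Connect claims
	Groups     []string          `json:"groups"`    // memberships from Unity
}

// Ack is the client → backend acknowledgement: identifier + login information.
type Ack struct {
	Identifier string `json:"identifier"`
	LoginInfo  string `json:"login_info"`
}

// validKey rejects multi-line input: a newline would smuggle a second authorized_keys entry.
func validKey(k string) bool {
	return !strings.ContainsAny(k, "\r\n") && len(strings.Fields(k)) >= 2 &&
		(strings.HasPrefix(k, "ssh-") || strings.HasPrefix(k, "ecdsa-"))
}

// HandleMessage parses a message, checks it against the services this client hosts
// (service -> login host, from its configuration) and returns the acknowledgement.
func HandleMessage(raw []byte, hosted map[string]string) (Ack, error) {
	var m Message
	if err := json.Unmarshal(raw, &m); err != nil {
		return Ack{}, err
	}
	host, ok := hosted[m.Service]
	user := m.UserInfo["preferred_username"]
	switch {
	case !ok:
		return Ack{}, fmt.Errorf("service %q is not hosted by this client", m.Service)
	case m.Action != "deploy" && m.Action != "remove":
		return Ack{}, fmt.Errorf("unknown action %q", m.Action)
	case m.Action == "deploy" && !validKey(m.SSHKey):
		return Ack{}, fmt.Errorf("malformed SSH public key in %q", m.Identifier)
	case user == "":
		return Ack{}, fmt.Errorf("message %q carries no preferred_username", m.Identifier)
	}
	return Ack{Identifier: m.Identifier, LoginInfo: fmt.Sprintf("ssh %s@%s", user, host)}, nil
}
```

The site-specific deployment script call is deliberately absent, since the deck leaves that integration to the site admin.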

SLIDE 11

Messaging (2/4)

Publish / Subscribe
  • Quick transmission (close to network latency)
  • Only outgoing connections at the clients
  • Dedicated message broker: RabbitMQ
    • Delegated authentication of clients
    • Inbuilt message routing


SLIDE 12

Messaging (3/4)

Message routing

Figure: Backend (publisher) → exchange → per-service queues (service0, service1) → clients (client0, client1), all within RabbitMQ. Clients receive only messages for the services of their site.


SLIDE 13

Messaging (4/4)

Clients manually fetch messages
  • On startup: missed deployments
  • Per interval (e.g. 30 minutes)

Result: Unacknowledged deployments are retried


SLIDE 14

Security Considerations (1/2)

Confidentiality & Integrity
  • TLS for all transmissions

Authentication
  • User: OpenID Connect
  • FEUDAL Client: password


SLIDE 15

Security Considerations (2/2)

Authorisation
  • User: groups from Unity; service ↔ groups mapping
  • FEUDAL Client: configuration

Trust
  • Service providers need to trust the SP-IdP-Proxy and the Backend
  • → Future work: Confirm data from the backend

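As an added example (not FEUDAL's backend code) covering both the retry of unacknowledged deployments from slide 13 and the service ↔ groups authorisation from this slide: a minimal backend that refuses to publish a deployment unless one of the user's Unity groups is mapped to the service, keeps every published deployment pending until the client acknowledges it, and hands a polling client exactly the pending deployments for the services it hosts. The type and field names are this example's own assumptions.

```go
package main

import "errors"

// Deployment is the backend's record of one message to a client; field names are assumed.
type Deployment struct {
	Identifier string
	Service    string
	User       string
	Groups     []string // the user's Unity groups
}

// Backend keeps the service ↔ groups mapping and every deployment not yet acknowledged.
type Backend struct {
	ServiceGroups map[string]map[string]bool // service -> groups allowed on it
	Pending       map[string]Deployment      // identifier -> unacknowledged deployment
}

// Authorised reports whether one of the user's groups is mapped to the service.
func (b *Backend) Authorised(service string, groups []string) bool {
	for _, g := range groups {
		if b.ServiceGroups[service][g] {
			return true
		}
	}
	return false
}

// Publish records a deployment as pending; an unauthorised user is refused up front.
func (b *Backend) Publish(d Deployment) error {
	if !b.Authorised(d.Service, d.Groups) {
		return errors.New("user " + d.User + " is not authorised for " + d.Service)
	}
	b.Pending[d.Identifier] = d
	return nil
}

// Fetch is the client's startup / interval poll: all unacknowledged deployments for its services.
func (b *Backend) Fetch(hosted map[string]bool) []Deployment {
	var out []Deployment
	for _, d := range b.Pending {
		if hosted[d.Service] {
			out = append(out, d)
		}
	}
	return out
}

// Acknowledge drops a deployment from the retry set once the client reported success.
func (b *Backend) Acknowledge(identifier string) { delete(b.Pending, identifier) }
```

A site that was down simply keeps seeing the same identifiers on each poll until it acknowledges them, which is why the client-side deployment should be idempotent per identifier.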

SLIDE 16

Demo Time

SLIDE 17

Key Features
  • Asynchronous deployment: if a site is down for a while, all deployments are retransmitted once the site is back up.
  • Future deployments: new machines can receive all users in the supported VO.
  • Realtime deployments: HTTP sockets to push information.
  • Integration into local user management is left to the site admin.

SLIDE 18

Questions?

SLIDE 19

Backup Slides

SLIDE 20

SLIDE 21

WaTTS

Token Translation Service (AARC BPA)
  • Uses plugins to translate tokens
  • Plugins can be used to do deployment
  • Not optimal

SLIDE 22

Figure: Authentication flow (backup slide). Participants: Site, Backend, SP-IdP-Proxy, IdP. Numbered steps on the diagram: 1: redirect, 2: Authentication Request, 3: redirect, 4: IdP selection, 5: redirect, 6: authentication, 7: redirect, 8: redirect, 9: redirect.