Integrating non web-based services with identity federations (PowerPoint PPT presentation)

SLIDE 1

bwIDM

Integrating non web-based services with identity federations

Jens Köhler, Michael Simon, Sebastian Labitzke, Tobias Dussa, Martin Nußbaumer

SLIDE 2

The bwIDM project

17.09.2012 Integrating non web-based services with identity federations 2

Participating sites: KIT, Uni Mannheim, Uni Ulm, Uni Konstanz, Uni Freiburg, Uni Stuttgart

  • Services of the state of Baden-Württemberg placed at different locations
  • Should be usable by the affiliates of universities
  • Affiliates should be able to access them with their familiar accounts of their home organization

bwIDM: Federated Identity Management for Baden-Württemberg

SLIDE 3

The bwIDM project


Participating sites: KIT, Uni Mannheim, Uni Ulm, Uni Konstanz, Uni Freiburg, Uni Stuttgart

  • SAML identity providers are already present at each university
  • Integrating web-based services into this infrastructure is straightforward
  • Integrating non web-based services is a challenge

FACIUS: An easy-to-deploy concept to federate non web-based services based on the SAML standard.


SLIDE 4

Non web-based services vs. SAML

  • Non web-based services: Authentication via the Service Provider
  • Main characteristic of SAML: Authentication via the Home Organization
  • SAML-ECP profile can be used to „SAMLfy“ arbitrary applications

→ Technical foundation to enable non web-based services to use SAML exists

Figure: Web-based Service vs. SSH Service, each with the login flow 1. Login via credentials, 2. Access


SLIDE 5

Requirements

Requirement groups: Service Provider requirements, Home Organization requirements, User requirements

Requirements named on the slide: Legal aspects (for Service Provider and for Home Organization), Necessary software adaptions, Alternative authentication methods, Transparency, Use of home credentials, Maintainability, (De-)Provisioning, Security, Performance, Integration effort, Deployability


SLIDE 6

A user's perspective: Getting access to the service

Registration
  • Via a Registration-Webapplication (Browser)
  • Authentication based on the account at the Home Organization

Provisioning of a local context
  • In the SSH case: establishment of a UID, a home directory, …

Accessing the service
  • Via native service client
  • Authorization based on assertions of the Home Organization

Just has to be performed once.


SLIDE 7

FACIUS - Overview

Figure: FACIUS architecture
  • Actors: User, Service Provider, Home Organization
  • User side: Browser, SSH-Client
  • Service Provider side: Registration-Webapplication, SAML-SP, Login-Node with SSH-Server and PAM-Module
  • Flows: Login & Registration, Provisioning, Login
  • Legend: Existing components, Generic components, Partially service-specific components

Further Information:

  • J. Köhler, S. Labitzke, M. Simon, M. Nussbaumer, H. Hartenstein: FACIUS: An Easy-to-Deploy SAML-based Approach to Federate Non Web-Based Services, Proc. of TrustCom 2012

SLIDE 8

User requirements: Login alternatives

Comparison table (marks in the cells were lost in extraction)
  • Criteria: Unmodified client usable; Login with credentials of the Home Organization; No harm by malicious Service Providers
  • Alternatives: Enhanced Client, Enhanced Proxy, Local Authentication

Figure: three diagrams, each with the actors User, Service Provider and Home Organization
  • Enhanced Proxy: labels "Credentials" (twice) and "ECP"; operable in parallel to other login alternatives
  • Enhanced Client: labels "Credentials" and "ECP"
  • Local Authentication: labels "Credentials" and "Assertion Query"

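An added illustration (not code from the bwIDM/FACIUS project) of the Enhanced Proxy alternative above combined with the one-time registration step from slide 6: the PAM module acts as ECP client, forwards the user's home credentials to the Home Organization IdP, and the service provider only admits an assertion that is signed by the trusted IdP, addressed to it, bound to a request it issued, and mapped to a provisioned local account. The keyed-hash signature standing in for XML-DSig, the entity id and the user data are constructed placeholders.

```python
import hashlib, hmac, secrets

# Constructed sample data (not from the project): IdP signing key the SP trusts via
# federation metadata, the IdP user store, and the SP's locally provisioned context.
IDP_KEY = b"constructed-idp-signing-key"
IDP_USERS = {"alice": ("alice-pw", "alice@uni.example")}  # login -> (password, eppn)
SP_ENTITY_ID = "https://ssh.sp.example"                    # placeholder entity id
PROVISIONED = {}      # eppn -> local uid, filled once by the registration web app
_outstanding = set()  # AuthnRequest ids the SP issued and has not yet consumed

def register(eppn, uid):
    """Registration step: provision the local context (uid, home dir) once."""
    PROVISIONED[eppn] = uid

def sp_issue_authn_request():
    """SP side of ECP: hand the ECP client an AuthnRequest to carry to the IdP."""
    req_id = "_" + secrets.token_hex(8)
    _outstanding.add(req_id)
    return {"id": req_id, "issuer": SP_ENTITY_ID}

def idp_authenticate(authn_request, login, password):
    """IdP side: verify home credentials, return a MAC-protected assertion or None."""
    entry = IDP_USERS.get(login)
    if entry is None or not hmac.compare_digest(entry[0], password):
        return None
    body = f"{entry[1]}|{authn_request['issuer']}|{authn_request['id']}"
    sig = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"subject": entry[1], "audience": authn_request["issuer"],
            "in_response_to": authn_request["id"], "sig": sig}

def sp_consume(assertion):
    """SP side: check signature, audience and request binding, then map to a uid."""
    body = f"{assertion['subject']}|{assertion['audience']}|{assertion['in_response_to']}"
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return None                        # not issued by the trusted IdP
    if assertion["audience"] != SP_ENTITY_ID:
        return None                        # meant for another service provider
    if assertion["in_response_to"] not in _outstanding:
        return None                        # unsolicited or replayed assertion
    _outstanding.discard(assertion["in_response_to"])
    return PROVISIONED.get(assertion["subject"])  # None if never registered

def pam_login(login, password):
    """Enhanced Proxy flow: the PAM module acts as ECP client on the user's behalf."""
    req = sp_issue_authn_request()
    assertion = idp_authenticate(req, login, password)
    return sp_consume(assertion) if assertion else None
```

A valid home login is still refused until the registration web application has provisioned the local context, which is the "just has to be performed once" step of slide 6.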

SLIDE 9

Evaluation

  • Service Provider requirements:
    – Integration effort: Integration of the Pluggable Authentication Module with the Service Access Point
    – Maintainability: Based on existing frameworks
    – Performance (SSH-Login): 1.01 s vs. 0.30 s (regular login)
    – Integration into existing Federations: SAML-based federations
    – Provisioning/Deprovisioning: ?
    – Legal aspects: User consent to policies can be requested
  • Home Organization requirements:
    – Legal aspects: User consent to policies can be requested
    – No software adaptions:


SLIDE 10

Conclusion

  • bwIDM…
    – …is a project to establish a federation of 9 universities and services of the state of Baden-Württemberg.
    – …has the goal to federate access to non web-based services such as grid resources.
  • FACIUS…
    – …enables non web-based services to join SAML-federations.
    – …aims to be easily deployable for existing service providers.
    – …makes active use of the SAML-ECP and AssertionQuery profile.
    – …offers users a high usability in trustworthy federations.
    – …has been successfully applied to federate SSH services.
  • We are planning to…
    – …federate an operational cluster by the end of the year.
    – …federate additional services based on FACIUS.


SLIDE 11

How does FACIUS fit into the EGI federated identity management platform?

Figure: FACIUS with an SSH-Server (SP) positioned within the EGI federated identity management platform
