irods and federated identity authentication
play

IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND - PowerPoint PPT Presentation

Dec 29, 2023 •317 likes •669 views

IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio Cacciari, claudio.cacciari@surfsara.nl SURF UGM 2020, June 10 th 2020 IRODS and SURF SURF is the collaborative organisation for ICT in Dutch education

  1. IRODS AND FEDERATED IDENTITY AUTHENTICATION CURRENT LIMITATIONS AND PERSPECTIVE Claudio Cacciari, claudio.cacciari@surfsara.nl SURF UGM 2020, June 10 th 2020

  2. IRODS and SURF SURF is the collaborative organisation for ICT in Dutch education and research. multiple organizations multiple services

  3. Federated Identity Management and Single Sign On Each organization would like that their users can log in with their organization's original credentials. Some of them consider this a mandatory requirement. SSO Identity Providers iRODS Federated Identity and Access Management c

  4. Research Data Management services SURF offers RDM services based on iRODS:  Each iRODS instance is dedicated for a specific organization  Sometimes the iRODS instance is hosted by the university and SURF hosts one or more resource servers University A University B resource resource resource University C

  5. Use case 1/5  George, Marc and Stefanie belong to the same research team.  Marc wants to access the data in George’s lab iRODS space through the Web interface

  6. Use case 2/5  Marc is redirected to his own institutional portal and logs in.

  7. Use case 3/5  Marc gets access to the George‘s archive folder, which is actually an iRODS folder. iRODS’s folder visible through the web UI

  8. Use case 4/5  Stefanie wants to access the data in George’s lab iRODS space through the command line interface, using the identity of her institution like Marc did

  9. Use case 5/5  Stefanie gets access via icommands and she can see the same data that Marc visualize through the Web UI

  10. iRODS behind a Web application (Marc): current solutions In this case the user logs in the Web App and the Web App gets access to iRODS on behalf of the user. How does the authentication work?  it is possible to create an iRODS user for the Web App with administrator privileges  or implementing sudo-like microservices.  Both would be transparent for the user, like a SSO

  11. iRODS behind a Web application: limitations  A Web App with administrator privileges would expose the whole iRODS server if it is compromised.  Sudo-like microservices are fjne to authorize specifjc users for specifjc actions, but not for general solutions or you end up with the same issue of administrator privileges.  None of them support FIAM  Problematic to keep a consistent audit track

  12. iRODS behind a Web application: token based protocols It is possible to use OpenID Connect authentication or SAML:  passing the token (OAuth2 access token or SAML assertion) as password in the PAM authentication plugin.  Validating the token with a PAM OAuth2 module and mapping the “global” identity of the user to the local one.  SAML and OIDC support FIAM and allow SSO.  Consistent audit track. Then solution found?! Not yet ...

  13. iRODS behind a Web application: token based protocol limitations  Tokens can expire.  IRODS is not aware of the token expiration.  Even if it were, only the Web App that has requested it, can refresh it.  iRODS scrambled password stored at client side would outlive the token creating a security breach.

  14. iRODS command line interface (Stefanie): iRODS can be used as front-end via icommands:  OIDC and SAML were not designed for command line clients.  However with the OpenId plugin it is possible to log in via OIDC. Problems:  This solution does not support the approach based on access token from a Web App  This solution requires to fjx the OIDC protocol client side, limiting the fmexibility of shared clients (for example Davrods)

  15. The problem of multiple authentication protocols  In our environment, not all the organizations are able to provides user identities via FIM protocols. Some have just LDAP, Active Directories, Kerberos, etc. Solution:  PAM: pluggable authentication modules  highly confjgurable: workfmows defjned by stack of modules  PAM allows to defjne a stack of modules, each one supporting a difgerent authentication mechanism, and the user authentication request falls through them until it is successful or reach the end of the stack.

  16. SURF proposed solution: OIDC with PAM  Stefanie authenticates via iinit, but using the OIDC protocol Copy the following URL in a web browser: https://my.OpenIdProvider.org/oauth2/authorize? Please enter the callback URL: https://localhost:8080/?code=&state=

  17. SURF proposed solution: OIDC with PAM

  18. SURF proposed solution mapped to a canonical OIDC fmow

  19. SURF proposed solution: namespace consistency

  20. A solution with a problem: current iRODS PAM support  Stefanie authenticates via iinit, but using the OIDC protocol Copy the following URL in a web browser: https://my.OpenIdProvider.org/oauth2/authorize? Please enter the callback URL: https://localhost:8080/?code=&state=

  21. A solution with a problem: current iRODS PAM support

  22. A solution with a problem: current iRODS PAM support  The current PAM authentication plugin does not support a full PAM conversation, which is an exchange of an arbitrary number of messages between the client and server.  The current iRODS client assumes that a scrambled password is stored locally and it is available for the other icommands, because there is no concept of a “session”.  What should we store in case of tokens? Or other PAM modules with multiple responses?

  23. SURF proposed solution: PAM enhanced

  24. SURF proposed solution: PAM enhanced  It is a Proof of Concept  It has been necessary to modify the core iRODS server and client code  Good to start testing with our users However  We have no intention to maintain a patched version of iRODS  We aim to converge towards a general solution with the iRODS consortium

  25. A general solution: iRODS Auth WG new API endpoint  The iRODS Working Group: https://github.com/irods-contrib/irods_working_group_authentication   proposed a new approach: defjning a new iRODS API endpoint, which has the fmexibility to support an arbitrary exchange of messages.

  26. A general solution: iRODS Auth WG new API endpoint  The messages are json documents  A Proof of Concept has been developed by Jason Coposky  It supports the native authentication, so to test PAM, OIDC, etc. further development is needed from the community  How storing the responses handled by plugin still to be defjned  Since the plugin is client driven, then each client will have to be explicitly enabled: each protocol needs to be implemented in each required client library (icommands, python API, Java API, etc.)

  27. Next steps

  28. Thanks to  Stefan Wolfsheimer  Hylke Koers  Gerben Venekamp  Arthur Newton  Matthew Saum  Tasneem Rahaman-Khan

  30. Questions for you Do you need to connect multjple organizatjons to your services, using FIM?   Yes, no

  31. Questions for you Which authentjcatjon protocols do you use with iRODS?   OIDC, LDAP, Kerberos, Natjve, others

  32. Questions for you Do you need to support multjple authentjcatjon protocols in each iRODS instance?   Yes, no

  33. Optional slides

  34. Optional slides

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and

Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and

Computing Services and Systems Development Federated Identity, SSO and Multifactor Authentication June 23 rd , 2017 Computing Services and Systems Development F EDERATED I DENTITY , SSO AND MFA @ THE U NIVERSITY OF P ITTSBURGH Tony Carra

542 views • 12 slides
#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui

#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui

#7 Thinking in possibilities for federated log out. Marcel den Reijer & Fouad Makioui February 7, 2017 Supervised by Thijs Kinkhorst & Joost van Dijk Introduction Authentication & Authorization Federated identity SAML 2.0 and

288 views • 24 slides
iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht,

iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht,

An authentication solution for iRODS based on the OpenID Connect protocol iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht, The Netherlands Acronyms PAM Pluggable Authentication Module . Provides

486 views • 13 slides
Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email

Lets get a federated identity Do you have access to your email? Youll need a valid email address Intro to Federated Identity Do you have an account from Protect Network or Twitter You can skip ahead! EuroCAMP Training for

104 views • 7 slides
External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal

External Identity and Authentication Providers For Apache HTTP Server Jan Pazdziora Principal Software Engineer Identity Management Engineering, Red Hat 17 th November 2014 Basic Authentication The only authentication option in 1996 when

393 views • 21 slides
2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current

2nd Meeting of ICAC Federated Identity Status & Plans Mine Altunay October 15, 2019 Current Status Adoption of Federated Identity and Access Control is one of the top priorities for the lab Crucial for our success with DUNE,

403 views • 13 slides
UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity

UCSB Identity and LDAP The central campus directory and authentication system UCSB Identity System UCSBnetID authentication UCSB-wide student and employee info http://www.identity.ucsb.edu/ LDAP Overview Lightweight Directory Access Protocol

604 views • 24 slides
Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S.

Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S.

Using Digital Certificates to Establish Federated Trust chris.brown@enspier.com U.S. E-Authentication Interoperability Lab Engineer Agenda U.S. Federal E-Authentication Background Current State of PKI in E-Authentication Future of

675 views • 52 slides
Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto,

Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto,

Authoritative Quality From Campus Identity Management to a Federated Solution EuroCAMP, Porto, 2005-11-07 Ingrid Melve, FEIDE manager From campus identity management to a federated solution Case: FEIDE Campus Identity Management 2

655 views • 30 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C

Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C

Mobile Provided Identity Authentication on the Web tle pt by Jonas Hgberg, Ericsson for W3C s WS on Identity in the Browser tle pt 24-5th May 11 Mountain View, CA, USA Mobile Provided Identity Authentication itle on the Web pt

298 views • 13 slides
EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and

EUDAT: Towards a pan-European Collaborative Data Infrastructure Federated Identity Management and Access Control Mark van de Sanden SARA, The Netherlands Terena VAMP workshop Utrecht, 6-7 September 2012 Outline Project Core Services

435 views • 16 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities

Strong Authentication without Tamper-Resistant Hardware and Application to Federated Identities Zhenfeng Zhang , Yuchen Wang , Kang Yang Institute of Software, Chinese Academy of Sciences; The Joint Academy of Blockchain

869 views • 25 slides
OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing

OpenID Connect Authentication in iRODS Kyle Ferriter kferriter@renci.org Renaissance Computing Institute (RENCI) UNC - Chapel Hill Context and Use Case NIH Data Commons Web application - CommonsShare.org Compute Platform and

318 views • 11 slides
User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York

User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York

User Authentication for Emerging Interfaces Nasir Memon Tandon School of Engineering New York University Identity Identity and Authentication What is identity? A computers representation of an unique entity (principal). What is

675 views • 56 slides
SBIRT IN VARIOUS SETTINGS: DIFFERENCES & COMMON THREADS Tracy McPherson, PhD Senior Research

SBIRT IN VARIOUS SETTINGS: DIFFERENCES & COMMON THREADS Tracy McPherson, PhD Senior Research

5/4/17 Webinar Moderator SBIRT IN VARIOUS SETTINGS: DIFFERENCES & COMMON THREADS Tracy McPherson, PhD Senior Research Scientist Public Health Department PRESENTED BY: NORC at the University of Chicago Pam Pietruszewski, Integrated

202 views • 8 slides
Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted

Unified Authentication, Authorization, and User Administration An Open Source Approach Ted C. Cheng, Howard Chu, Matthew Hardin Symas Corporation Outline Evolution of Related Technologies Unified AAA Architecture Provisioning AAA

396 views • 27 slides
Network measurement using Akamai's infrastructure Mike P. Wittie 1 Overview Akamai has lots of

Network measurement using Akamai's infrastructure Mike P. Wittie 1 Overview Akamai has lots of

Network measurement using Akamai's infrastructure Mike P. Wittie 1 Overview Akamai has lots of servers close to users and lots of users close to servers Lets put their hands together (Of course were not the first) Clever

454 views • 22 slides
The Impact of Delivering Personalised Care Dr Karen Eastman, Clinical Director Horsham and Mid

The Impact of Delivering Personalised Care Dr Karen Eastman, Clinical Director Horsham and Mid

The Impact of Delivering Personalised Care Dr Karen Eastman, Clinical Director Horsham and Mid Sussex CCG What we know 60-70% of premature deaths are caused by behaviors that can be changed 35-50% of the population have the lowest

407 views • 23 slides
Kerberos and PAM Russ Allbery May 1, 2007 Russ Allbery (rra@stanford.edu) Stanford University

Kerberos and PAM Russ Allbery May 1, 2007 Russ Allbery (rra@stanford.edu) Stanford University

Stanford University July 26, 2014 1 Kerberos and PAM Russ Allbery May 1, 2007 Russ Allbery (rra@stanford.edu) Stanford University July 26, 2014 2 Contents What is PAM? The PAM Groups PAM for Login PAM for Screen Savers

476 views • 11 slides
Decoupling Address Generation from Loads and Stores to Improve Data Access Energy Efficiency

Decoupling Address Generation from Loads and Stores to Improve Data Access Energy Efficiency

Motivation Background Decoupled Mem Access Pipeline Mods Evaluation Results Decoupling Address Generation from Loads and Stores to Improve Data Access Energy Efficiency Michael Stokes, Ryan Baird, Zhaoxiang Jin , David Whalley, Soner

684 views • 24 slides
Evidence, Governance, Performance 2 nd Conference of International Society for EBHC November, 2013

Evidence, Governance, Performance 2 nd Conference of International Society for EBHC November, 2013

Assessing Patient Activation A Proximal Measure of Service Provision Evidence, Governance, Performance 2 nd Conference of International Society for EBHC November, 2013 Taormina, Italy Patrick McGowan, PhD University of Victoria - Increased

419 views • 11 slides
At an Energy Hackathon in Brooklyn Pam Roach, CEO, and Larry Glover, Partner, Breakthrough

At an Energy Hackathon in Brooklyn Pam Roach, CEO, and Larry Glover, Partner, Breakthrough

At an Energy Hackathon in Brooklyn Pam Roach, CEO, and Larry Glover, Partner, Breakthrough Marketing Technology, with PUFs Steve Mitnick at the AABE Hackathon, at National Grid and NYU Tandon School of Engineering 30 P UBLIC U TILITIES F

760 views • 6 slides

More recommend