SLIDE 1

Open Telekom Cloud 26.06.2017 1

Keystone and SAML in multi-tenant environments – Two concepts get together

Alex Stellwag, Open Telekom Cloud Architect, T-Systems
Yuefeng Pan, Senior Cloud Solutions Architect, Huawei

SLIDE 2

Agenda

  • SAML and Keystone – Generals and limitations
  • Open Telekom Cloud (OTC) – Use Cases and Challenges
  • Identity and Access Management Service on OTC
SLIDE 3

Agenda

  • SAML and Keystone – Generals and limitations
  • Open Telekom Cloud (OTC) – Use Cases and Challenges
  • Identity and Access Management Service on OTC
SLIDE 4

SAML V2 – the refresher

  • SAML V2 - Security Assertion Markup Language 2.0
  • is a standard to exchange authentication/authorisation data between security domains
  • provides web based support for Single Sign On (SSO) scenarios
  • reduces administrative overhead for maintaining different identity providers
  • allows a service provider to accept an identity that was authenticated by an external IdP

Diagram: User, (Cloud) Service Provider and external Identity Provider (IdP)

  • 1. Login request
  • 3. User login at IdP
  • 4. IdP authenticates user
  • 5. IdP returns SAML assertion
  • 7. Service provider grants access according to mapping rules

SLIDE 5

Keystone… and its limitations

  • native Keystone
  • can be configured as a service provider (SP)
  • as an SP, Keystone supports the SAML protocol
  • supports only one IdP per OpenStack domain
  • needs to be configured by the OpenStack service administrator to support an external SAML-based IdP on domain level
  • does not support APIs for federated token management or for querying and importing metadata for each tenant

Consequently, Keystone needs to be extended to support the requirements of federated identities in multi-tenant environments.

SLIDE 6

Agenda

  • SAML and Keystone – Generals and limitations
  • Open Telekom Cloud (OTC) – Use Cases and Challenges
  • Identity and Access Management Service on OTC
SLIDE 7

Open Telekom Cloud (OTC) – Use Cases and challenges

  • Open Telekom Cloud (OTC)
  • an OpenStack based (currently Mitaka) public cloud
  • specifically designed for business customers

Use Case 1: Multiple business customers with own IdPs (diagram: ACME1 with its IdP, ACME2 with its IdP). Requirements:

  • support of more than one IdP per OpenStack system
  • IdP support on domain level
  • IdP management rights on domain level
  • API support for metadata and token management

Use Case 2: Single business customer with multiple IdPs (diagram: ACME1 with several IdPs). Requirements:

  • support of more than one IdP per domain
  • IdP support on domain level
  • IdP management rights on domain level
  • API support for metadata and token management
SLIDE 8

The Key to the limitations and challenges

Challenges and solutions:

  • Challenge: identity federation is configured manually by the OpenStack service administrator. Solution: identity federation configured by tenants through console or API.
  • Challenge: several regions but only one Keystone service (bottleneck). Solution: cached proxy.
  • Challenge: Keystone only supports one IdP per OpenStack domain. Solution: Keystone patch to support more than one IdP per domain.

SLIDE 9

Agenda

  • SAML and Keystone – Generals and limitations
  • Open Telekom Cloud (OTC) – Use Cases and Challenges
  • Identity and Access Management Service on OTC
SLIDE 10

Federated Keystone and IAM Identity Federation

Components (diagram): Horizon, Apache server with Shibboleth/Mellon/... (SAML), Keystone; OTC frontend, IAM frontend, IAM cached proxy (SAML), IAM Core Service (Keystone/Keystone-extension)
SLIDE 11

Architecture of IAM Service

Layers (diagram):
  • IAM Console (Auth UI)
  • IAM Frontend
  • IAM Cached Proxy (with TCache) in front of Keystone
  • IAM Core Service: Keystone with Keystone Patch, KS-DB (MySQL) and KSX-DB
  • Interfaces: Keystone V3 Native Interface and Keystone V3 Extend Interface

SLIDE 12

IAM core service – Keystone extensions: more than one IdP for each tenant

Diagram: the IAM Core Service consists of Keystone plus the Keystone Patch, backed by two databases:
  • KS-DB (MySQL, active/standby): identityprovider, protocol, mapping, user, project, …
  • KSX-DB: ext-idp, …

SLIDE 13

IAM core service – Keystone extensions: create a new identity provider for a tenant

  • Register an IdP: PUT /v3/OS-FEDERATION/identity_providers/{id}
  • Register a Protocol: PUT /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
  • Create a Mapping: PUT /v3/OS-FEDERATION/mappings/{id}
  • Import a Metadata: POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata (check the format of the metadata file)

Result: a new IdP for a tenant.

Default mapping rules:
  {
    "remote": [ { "type": "__NAMEID__" } ],
    "local": [ { "user": { "name": "FederationUser" } } ]
  }

URL: https://auth.otc.t-systems.com/authui/federation/websso?idp={idp-name}&protocol={protocol}&service={otc-console-url}
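The four calls above as one scripted procedure, written here as an added example (not OTC or Huawei code): it checks the format of the IdP metadata file before the import, and orders the mapping before the protocol because the protocol body references the mapping id. The sample metadata, the tenant and IdP names, and the body of the v3-ext metadata import are assumptions.

```python
# Added example (not OTC/Huawei code): plan the slide-13 calls that give a
# tenant a new IdP, and check the metadata file before importing it.
import xml.etree.ElementTree as ET  # for untrusted files prefer defusedxml
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Default mapping rule from the slide, wrapped in the Keystone mapping body.
DEFAULT_MAPPING = {"mapping": {"rules": [{
    "remote": [{"type": "__NAMEID__"}],
    "local": [{"user": {"name": "FederationUser"}}],
}]}}

# Constructed sample IdP metadata; entityID and certificate are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.acme1.example/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      MIIB...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.acme1.example/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def validate_metadata(xml_text):
    """Check the format of the metadata file: one md:EntityDescriptor with an
    entityID, an IDPSSODescriptor, a signing key and an SSO endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != MD + "EntityDescriptor" or not root.get("entityID"):
        raise ValueError("not an EntityDescriptor with an entityID")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity-provider metadata")
    if not any(k.get("use", "signing") == "signing"
               for k in idp.findall(MD + "KeyDescriptor")):
        raise ValueError("no signing certificate; assertions cannot be verified")
    sso = [s.get("Binding") for s in idp.findall(MD + "SingleSignOnService")]
    if not sso:
        raise ValueError("no SingleSignOnService endpoint")
    return {"entity_id": root.get("entityID"), "bindings": sso}

def plan_idp_creation(idp_id, protocol_id, mapping_id, metadata_xml):
    """Ordered (method, path, body) calls; the mapping is created before the
    protocol that references it. The v3-ext body shape is assumed."""
    validate_metadata(metadata_xml)
    idp = f"/v3/OS-FEDERATION/identity_providers/{idp_id}"
    return [
        ("PUT", idp, {"identity_provider": {"enabled": True}}),
        ("PUT", f"/v3/OS-FEDERATION/mappings/{mapping_id}", DEFAULT_MAPPING),
        ("PUT", f"{idp}/protocols/{protocol_id}", {"protocol": {"mapping_id": mapping_id}}),
        ("POST", f"/v3-ext{idp[3:]}/protocols/{protocol_id}/metadata", {"metadata": metadata_xml}),
    ]
```

Each tuple is sent with a tenant-scoped token; the metadata check rejects SP metadata or a file without a signing certificate before anything is registered.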

SLIDE 14

IAM core service – Keystone extensions: the process of federation authentication

Sequence diagram with three lanes (User, OTC IAM (SP), Identity Provider), reconstructed in SP-initiated order:
  1. User: attempts to access a protected resource
  2. SP: IdP Discovery
  3. SP: Redirect to the IdP HTTP redirect endpoint
  4. User: Access the IdP HTTP redirect endpoint
  5. IdP: Validate SAML request
  6. IdP: Present a login form to the user
  7. User: Authenticate to the Identity Provider
  8. IdP: Validate credentials
  9. IdP: Generate SAML response
  10. IdP: Instruct browser to post the SAML response
  11. User: Post the SAML response to SP
  12. SP: Verify the SAML assertion
  13. SP: Mapping to local groups and users
  14. SP: Return the protected resource to the user
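The "Mapping to local groups and users" step, as an added example that is not OTC or Huawei code: a simplified evaluator for Keystone mapping rules, run over the attributes of an already verified assertion. It uses the default rule from slide 13 plus a constructed group rule; the tenant name, group names and attribute values are assumptions.

```python
# Added example (not OTC/Huawei code): simplified evaluator for Keystone
# mapping rules over attributes taken from an already verified assertion.
# Supports the "type" presence check, any_one_of and {N} substitution;
# not_any_of, regex and blacklist/whitelist matching are omitted.
# Default rule from slide 13 plus a constructed group rule for tenant acme1.
RULES = [
    {"remote": [{"type": "__NAMEID__"}],
     "local": [{"user": {"name": "FederationUser"}}]},
    {"remote": [{"type": "__NAMEID__"},
                {"type": "groups", "any_one_of": ["cloud-admins"]}],
     "local": [{"user": {"name": "{0}"}},
               {"group": {"name": "otc-admins", "domain": {"name": "acme1"}}}]},
]

def _matches(cond, values):
    if not values:                      # attribute absent: condition fails
        return False
    if "any_one_of" in cond:
        return any(v in cond["any_one_of"] for v in values)
    return True                         # bare {"type": X}: presence is enough

def _fill(obj, captured):   # substitute {0}, {1}, ... with captured values
    if isinstance(obj, str):
        return obj.format(*captured)
    if isinstance(obj, dict):
        return {k: _fill(v, captured) for k, v in obj.items()}
    return obj

def map_assertion(attributes, rules=RULES):
    """Return the local user name and groups granted by all matching rules.
    attributes maps assertion attribute name -> list of values."""
    user, groups = None, []
    for rule in rules:
        captured = []
        for cond in rule["remote"]:
            values = attributes.get(cond["type"])
            if not _matches(cond, values):
                break
            if "any_one_of" not in cond:
                captured.append(values[0])   # bare conditions feed {N}
        else:                                # every condition matched
            for item in rule["local"]:
                item = _fill(item, captured)
                if "user" in item:
                    user = item["user"]["name"]
                if "group" in item:
                    groups.append(item["group"])
    if user is None:
        raise PermissionError("no mapping rule matched; federated login denied")
    return {"user": user, "groups": groups}
```

A login whose assertion carries no NameID matches no rule and is denied rather than falling through to a default identity.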

SLIDE 15

IAM core service – Keystone extensions: delete an identity provider for a tenant

  • Delete a Mapping: DELETE /v3/OS-FEDERATION/mappings/{id}
  • Delete a Protocol: DELETE /v3/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}
  • Delete an IdP: DELETE /v3/OS-FEDERATION/identity_providers/{id}
  • Delete a Metadata: DELETE /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata

Result: one IdP deleted for a tenant.

SLIDE 16

IAM core service – Keystone extensions: Identity Federation through API

  • API: POST /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
    Function: Import a metadata file of a tenant
  • API: GET /v3-ext/OS-FEDERATION/identity_providers/{idp_id}/protocols/{protocol_id}/metadata
    Function: Query the content of the metadata file imported by an IdP to the IAM system
  • API: GET /v3-ext/auth/OS-FEDERATION/SSO/metadata
    Function: Get metadata content of IAM federation

SLIDE 17

IAM cached proxy – Acceleration of Keystone core services

Diagram: IAM Cached Proxy1 with TCache in Region1.

Considerations:
  • Secure cached credential
  • Limit scope
  • Expiration
SLIDE 18

IAM cached proxy – Acceleration of Keystone core services

Diagram: two regions, each with an API Gateway and an IAM Cached Proxy backed by TCache (IAM Cached Proxy1 in Region1 with the regional endpoint ecs.region1.com, IAM Cached Proxy2 in Region2 with ecs.region2.com); both proxies front the single IAM Core Service (Keystone).

SLIDE 19

IAM frontend – console

Identity Federation functions:
  • Identity Provider: Create, Delete, Edit, Query
  • Metadata File: Upload, Download
  • Mapping Rules: Create, Delete, Edit, Query

SLIDE 20

IAM frontend – console: Identity Federation through console

Screenshot caption: 10 identity providers of each tenant

SLIDE 21

IAM frontend – console: Identity Federation through console

Screenshot callouts:
  • Login link for IdP
  • Upload metadata file of IdP
  • Mapping of IdP access rules to OTC access rules

SLIDE 22

IAM frontend – console: Identity Federation through console (screenshot)

SLIDE 23

IAM Service – Identity Federation security

Enterprise-level security management:
  • Cloud Trace
  • Prevention
  • Forensics
  • SAML Assertion Hardening


SLIDE 26

Questions and discussion

SLIDE 27

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential

Questions

  • 1. Can we also benefit from two-factor authentication for federated IdP-managed users, i.e. the customer comes pre-authenticated via SAML and then OTC asks for the second factor?
    Answer: No. Federated IdP-managed users never exist in OTC. Two-factor authentication should be processed in the IdP login.

  • 2. Can federated users call the OpenStack APIs?
    Answer: Yes. The token API enables federated users to use the OpenStack APIs. As an alternative to using a web browser, you can use Enhanced Client or Proxy (ECP).

  • 3. Will this patch be contributed to the OpenStack community?
    Answer: Yes, of course. But we still have a lot of work to do to enhance it. When it is fit for the community, it will be contributed.

SLIDE 28

Thank you