keystone and saml in multi tenant
play

Keystone and SAML in multi-tenant environments Two concepts get - PowerPoint PPT Presentation

Oct 19, 2022 •14 likes •294 views

Keystone and SAML in multi-tenant environments Two concepts get together Alex Alex Stel ellwag, Open Telekom Cloud Architect ,T-Systems Yue uefen eng Pan an, Senior Cloud Solutions Architect, Huawei Open Telekom Cloud 26.06.2017 1

  1. Keystone and SAML in multi-tenant environments – Two concepts get together Alex Alex Stel ellwag, Open Telekom Cloud Architect ,T-Systems Yue uefen eng Pan an, Senior Cloud Solutions Architect, Huawei Open Telekom Cloud 26.06.2017 1

  2. Agenda • SAML and Keystone – Generals and limitations • Open Telekom Cloud (OTC) – Use Cases and Challenges • Identity and Access Management Service on OTC Open Telekom Cloud 26.06.2017 2

  3. Agenda • SAML and Keystone – Generals and limitations • Open Telekom Cloud (OTC) – Use Cases and Challenges • Identity and Access Management Service on OTC Open Telekom Cloud 26.06.2017 3

  4. SAML V2 – the refresher • SAML V2 - Security Assertion Markup Language 2.0 • is a standard to exchange authentication/authorisation data between security domains • provides web based support for Single Sign On (SSO) scenarios • reduces administrative overhead for maintaining different identity providers • allows a services provider to accept an identity that was authenticated by an external IdP 1. Login request User Use (Cloud) Service Provider 3. User login at IdP SAML assertion 5. IdP returns 7. Service provider grants access ext extern rnal 4. IdP authenticates according to mapping rules IdP Id user Identity Provider Open Telekom Cloud 26.06.2017 4

  5. Keystone… and its limitations • native keystone • is able to be configured as a service provider (SP) • as an SP keystone is able to support the SAML protocol • supports one IdP per OpenStack domain only • needs to be configured by the OpenStack service administrator to support an external SAML based IdP on domain level • does not support APIs for federated token management and querying and importing of metadata for each tenant, respectively Keystone needs to be extended to support the requirements of federated identities in multitenant environments Open Telekom Cloud 26.06.2017 5

  6. Agenda • SAML and Keystone – Generals and limitations • Open Telekom Cloud (OTC) – Use Cases and Challenges • Identity and Access Management Service on OTC Open Telekom Cloud 26.06.2017 6

  7. Open Telekom Cloud (OTC) – Use Cases and challenges • Open Telekom Cloud (OTC) • an Openstack based (currently Mitaka) public cloud • specifically designed for business customers ACME1 IdP IdP IdP ACM CME1 IdP IdP IdP ACME2 IdP Use Case 1: Multiple business customers with own IdPs Use Case 2: Single business customer with multiple IdPs Requirements: Requirements: • support of more than one IdP per Openstack system • support of more than one IdP per domain • IdP support on domain level • IdP support on domain level • IdP management rights on domain level • IdP management rights on domain level • API support for metadata and token management • API support for metadata and token management Open Telekom Cloud 26.06.2017 7

  8. The Key to the limitations and challenges Ch Chal allenges Solu So lutions Identity federation configured by the Identity Federation configured by tenants OpenStack service administrator manually through console or API Several regions only one keystone service, Cached proxy bottleneck Keystone only supports one IDP per Keystone patch to support of more than one OpenStack domain IDPs per domain Open Telekom Cloud 26.06.2017 8

  9. Agenda • SAML and Keystone – Generals and limitations • Open Telekom Cloud (OTC) – Use Cases and Challenges • Identity and Access Management Service on OTC Open Telekom Cloud 26.06.2017 9

  10. Fe Federate derated d key keystone stone and IAM and IAM Identity Identity Fe Federation deration OTC C fr frontend Ho Horizon IAM fr frontend Apache Se Server IAM cac ached pr proxy Sh Shib ibboleth/Mell llon/ ... .. (SAML) (SAML) IAM Co Core re Ser Servic ice (Keystone/K /Keyston one-extension) Key eystone Open Telekom Cloud 26.06.2017 10

  11. Architectur Architecture e of IAM of IAM Service Service IAM Frontend IAM Console Auth UI IAM Cached Proxy IAM Cached Proxy TCache IAM Core Service Keystone Keystone Patch Keystone V3 Native Interface KS-DB(MySQL) KSX-DB Keystone V3 Extend Interface Open Telekom Cloud 26.06.2017 11

  12. IAM IAM core core service service – key keystone stone ex extensions tensions More More th than one an one I IDPs DPs for for each t ach tenant nant IAM Core Service Keystone Keystone Patch KS-DB(MySQL) KSX-DB Acti ctive/ e/Standby KS-DB KS DB KSX-DB DB identityprovider ext-idp Mor ore tha han on one e IDPs for or eac each ten tenant protocol … mapping user project … Open Telekom Cloud 26.06.2017 12

  13. IAM IAM core core service service – key keystone stone ex extensions tensions create create a n a new identit w identity y provid provider r for for a a te tenant nant Check the for Ch format of of metadata fi file Register Re er an an IdP Register Re er a a Prot Protocal Create a Cr a Ma Mapping Import a Imp a Me Metadata A New A New IdP fo for r a a Tena Tenant URL : PUT /v3/OS- POST /v3-ext/OS- PUT /v3/OS- PUT /v3/OS- https://auth.otc.t- FEDERATION/identity_pr FEDERATION/identity_provide FEDERATION/identity_pr FEDERATION/mappi systems.com/authui/federatio oviders/{idp_id}/protocols rs/{idp_id}/protocols/{protocol oviders/{id} ngs/{id} n/websso?idp={idp- /{protocol_id} _id}/metadata name}&protocol={protocol}&se Default Mapping rules: rvice={otc-console-url} { "remote": [ { "type": "__NAMEID __“ } ], "local": [ {"user": {"name": "FederationUser" }}] } Open Telekom Cloud 26.06.2017 13

  14. IAM IAM core core service service – key keystone stone ex extensions tensions th the p proc rocess ss of of fe federat deration ion aut authe hentication ntication User OTC IAM(SP) Identity Provider User attempts to access a protected resource IdP Discovery Redirect to the IdP HTTP redirect endpoint Access the IdP HTTP redirect endpoint Validate SAML request Present a login form to the user Authenticate to the Identity Provider Validate credentials Generate SAML response Instruct browser to post the SAML response Post the SAML response to SP Verify the SAML assertion Return the protected resource to the user Mapping to local groups and users Open Telekom Cloud 26.06.2017 14

  15. IAM IAM core core service service – key keystone stone ex extensions tensions delete del te a a ident identity prov ity provider ider for for a a te tenant nant De Delete a a Ma Mappin ing Delet De ete e a a Pr Protoca cal De Delete a a Me Meta tadata One On e IDP de delet eted ed fo for r a Te Tena nant nt Delete an De an IDP DELETE /v3/OS- DELETE /v3-ext/OS- DELETE /v3/OS- DELETE /v3/OS- FEDERATION/identity_pr FEDERATION/identity_provide FEDERATION/mappings FEDERATION/identit oviders/{idp_id}/protocols rs/{idp_id}/protocols/{protocol /{id} y_providers/{id} /{protocol_id} _id}/metadata Open Telekom Cloud 26.06.2017 15

  16. IAM IAM core core service service – key keystone stone ex extensions tensions Identity Fe Ident ity Federat deration ion th through rough API API AP API UR URI Func unction POST /v3-ext/OS- Import a metadata file of a tenant FEDERATION/identity_providers/{idp_id}/protocols/{protoco l_id}/metadata GET /v3-ext/OS- Query the content of the metadata file imported by FEDERATION/identity_providers/{idp_id}/protocols/{protoco an IDP to the IAM system l_id}/metadata GET /v3-ext/auth/OS-FEDERATION/SSO/metadata Get metadata content of IAM federation. Open Telekom Cloud 26.06.2017 16

  17. IAM IAM cached cached proxy proxy - Acceleratio Acceleration n of Key of Keystone stone core core servic services es Reg Region1 Considerations: • Secure cached credential • Limit scope IAM Cached Proxy1 • Expiration IAM Cached Proxy TCache Open Telekom Cloud 26.06.2017 17

  18. IAM IAM cached cached proxy proxy - Acceleratio Acceleration n of Key of Keystone stone core core servic services es ecs.region1.com ecs.region2.com Region2 Reg Region1 Reg API Gateway API Gateway IAM Cached Proxy1 IAM Cached Proxy2 IAM Cached Proxy IAM Cached Proxy TCache TCache IAM Core Service (Keystone) Open Telekom Cloud 26.06.2017 18

  19. IAM IAM frontend frontend – cons console ole Ident Identity ity Fe Federat deration ion functions functions Create Delete Edit Query Identity Provider Metadata File ile Upload Download Create Delete Edit Query Map apping Rul ules Open Telekom Cloud 26.06.2017 19

  20. IAM frontend IAM frontend – cons console ole Identity Ident ity Fe Federat deration ion th through rough co conso nsole le 10 10 ide identity ty pr provide ders rs of f eac each te tenants Open Telekom Cloud 26.06.2017 20

  21. IAM IAM frontend frontend – cons console ole Ident Identity ity Fe Federat deration ion th through rough co conso nsole le Logi ogin li link nk for or IDP IDP Uplo pload d metad etadata a fi file le of of IDP IDP Map apping of of IDP ac acce cess ss rul ules es to o OTC ac acce cess s rul ules es Open Telekom Cloud 26.06.2017 21

  22. IAM IAM frontend frontend – cons console ole Identity Ident ity Fe Federat deration ion th through rough co conso nsole le Open Telekom Cloud 26.06.2017 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Operating Multi-Tenant Kafka Services for Developers Data Council SF 2019 Ali Hamidi - Heroku

Operating Multi-Tenant Kafka Services for Developers Data Council SF 2019 Ali Hamidi - Heroku

Operating Multi-Tenant Kafka Services for Developers Data Council SF 2019 Ali Hamidi - Heroku Data Agenda Intro Motivation Single Tenant Dedicated Multi-tenancy Configuration & Tuning Testing Automation

1.09k views • 90 slides
Google<-SAML->Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Google<-SAML->Zscaler Integration Agenda n What is SAML? n AAA, Testing,

Summer Webinar Series Google<-SAML->Zscaler Integration Dianne Dunlap (ddunlap@mcnc.org, 919-248-8439) Client Network Engineering Webinar Links: www.mcnc.org/cne-webinars Google<-SAML->Zscaler Integration Agenda n What is

899 views • 63 slides
Greening multi-tenant data center demand response with

Greening multi-tenant data center demand response with

Greening multi-tenant data center demand response with parameterized supply function bidding Niangjun Chen Xiaoqi Ren, Shaolei Ren, and Adam Wierman 9/26/16 1 2 stories

508 views • 23 slides
MTOB ae senior thesis april 26, 2013 multi-tenant advisor: dr. boothby office building

MTOB ae senior thesis april 26, 2013 multi-tenant advisor: dr. boothby office building

MTOB ae senior thesis april 26, 2013 multi-tenant advisor: dr. boothby office building victoria interval [struc] pennsylvania MTOB ae senior thesis introduction proposal april 26, 2013 multi-tenant redesign mechanical advisor: dr.

732 views • 49 slides
Feasibility of ILA as Network Virtualisation Overlay in multi-domain, multi-tenant Cloud Tako

Feasibility of ILA as Network Virtualisation Overlay in multi-domain, multi-tenant Cloud Tako

Feasibility of ILA as Network Virtualisation Overlay in multi-domain, multi-tenant Cloud Tako Marks Bsc. 04-07-2017 System and Network Engineering University of Amsterdam 1 Introduction A Network Virtualisation Overlay (NVO) is a collection

614 views • 29 slides
Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard

Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard

Distributed multi-tenant cloud/fog and heterogeneous SDN/NFV orchestration for 5G services Ricard Vilalta, A. Mayoral, Raul Muoz, Ramon Casellas, Ricardo Martnez The need for generic control functions and a Transport API The NBI of the

679 views • 15 slides
DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect

DEVELOPING A MULTI-TENANT SAAS USING CLOJURE Ari-Pekka Viitanen ME Programmer Architect VINCIT Working for ari-pekka.viitanen@vincit.com @apviitanen CASE BXX STACK DATA PERSISTENCE AND MULTI-TENANCY SINGLE TENANCY MULTI-TENANCY -

522 views • 28 slides
WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest /

WebRTC Identity in SAML Federations Mihly Mszros May 19, 2015 NIIF Institute Budapest / Hungary Agenda Education & Research Identity Federations SAML Terminology Overview of SAML auth call flow WebRTC Identity model

1.09k views • 52 slides
HyperLoop: NIC Offloaded Primitives to Accelerate Replicated Transactions in Multi-tenant Storage

HyperLoop: NIC Offloaded Primitives to Accelerate Replicated Transactions in Multi-tenant Storage

HyperLoop: NIC Offloaded Primitives to Accelerate Replicated Transactions in Multi-tenant Storage Systems Daehyeok Kim Amirsaman Memaripour, Anirudh Badam, Yibo Zhu, Hongqiang Harry Liu Jitendra Padhye, Shachar Raindel, Steven Swanson, Vyas

463 views • 20 slides
Gatekeeper: Supporting Bandwidth Guarantees for Multi-tenant Datacenter Networks Henrique

Gatekeeper: Supporting Bandwidth Guarantees for Multi-tenant Datacenter Networks Henrique

Gatekeeper: Supporting Bandwidth Guarantees for Multi-tenant Datacenter Networks Henrique Rodrigues , Yoshio Turner , Jose Renato Santos , Paolo Victor , Dorgival Guedes HP Labs WIOV 2011, Portland, OR The Problem: Network Performance

846 views • 37 slides
Highly resilient, multi-region Keystone deployments Michael Richardson // 22 May 2018 1 2.1 3

Highly resilient, multi-region Keystone deployments Michael Richardson // 22 May 2018 1 2.1 3

Highly resilient, multi-region Keystone deployments Michael Richardson // 22 May 2018 1 2.1 3 Purpose Caveats SQL-backed deployment All regions are considered equal "Standard" regions, not singular Edge nodes 4 Compute Storage

528 views • 52 slides
SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline

SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline

Fondation RESTENA euroCAMP 04 April 2006 SAML 1.1 and its uses in eduGAIN Stefan Winter <stefan.winter@restena.lu> 1 Outline SAML 1.1 overview Abstract operations vs. SAML profile Abstract operations: changes since

165 views • 14 slides
Reducing Latency in Multi-Tenant Data Centers via Cautious Congestion Watch The 49th

Reducing Latency in Multi-Tenant Data Centers via Cautious Congestion Watch The 49th

Reducing Latency in Multi-Tenant Data Centers via Cautious Congestion Watch The 49th International Conference on Parallel Processing (ICPP) 2020 Ahmed M. Abdelmoniem, Hengky Susanto, and Brahim Bensaou Outline Introduction and background

498 views • 31 slides
Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation

Institute for Cyber Security Multi-Tenant Access Control for Cloud Services PhD Dissertation Defense Bo Tang Committee Members: Dr. Ravi Sandhu, Chair Dr. Kay Robbins Dr. Gregory White Dr. Weining Zhang Dr. Jaehong Park 07/31/2014

539 views • 51 slides
Categorizing container escape methodologies in multi-tenant environments Rik Janssen

Categorizing container escape methodologies in multi-tenant environments Rik Janssen

Categorizing container escape methodologies in multi-tenant environments Rik Janssen rik.janssen@os3.nl Research Project 1 MSc Security and Network Engineering (SNE/OS3) University of Amsterdam Supervisor: Max Hovens KPMG Cyber Security

774 views • 17 slides
Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side

Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side

Why Some Like It Loud: Timing Power Attacks in Multi-tenant Data Centers Using an Acoustic Side Channel Mohammad A. Islam, Luting Yang, Kiran Ranganath, and Shaolei Ren Acknowledgement: This work was supported in part by NSF under grants

445 views • 31 slides
VENUE: VGO Conference room DATE: May 21, 2013 TIME: 9:30 am Agenda: A 1. EC/TS Population

VENUE: VGO Conference room DATE: May 21, 2013 TIME: 9:30 am Agenda: A 1. EC/TS Population

VENUE: VGO Conference room DATE: May 21, 2013 TIME: 9:30 am Agenda: A 1. EC/TS Population Updates G 2. EC/TS Issues and Concern E 3. IDP Training / Capacity building N D A S ummary of IDP Population in EC/ TS No. of Sites Fams. Ind.

438 views • 12 slides
Professional Development Requirement Student Orientation (Part 1) Deanna Davis, PhD Professional

Professional Development Requirement Student Orientation (Part 1) Deanna Davis, PhD Professional

Professional Development Requirement Student Orientation (Part 1) Deanna Davis, PhD Professional Development Instructional Design Specialist Graduate Teaching and Learning Level 3 Principal Instructor 1 Deanna Davis, PhD Professional

803 views • 51 slides
Integrated Distribution Planning (IDP) Curt Volkmann President, New Energy Advisors, LLC

Integrated Distribution Planning (IDP) Curt Volkmann President, New Energy Advisors, LLC

Integrated Distribution Planning (IDP) Curt Volkmann President, New Energy Advisors, LLC curt@newenergy-advisors.com www.newenergy-advisors.com November 27, 2018 1 DER Growth and its Implications Significant growth in distributed generation,

624 views • 17 slides
INCLUSIONARY DEVELOPMENT POLICY December 8, 2015 AGENDA 1. What is the Inclusionary Development

INCLUSIONARY DEVELOPMENT POLICY December 8, 2015 AGENDA 1. What is the Inclusionary Development

INCLUSIONARY DEVELOPMENT POLICY December 8, 2015 AGENDA 1. What is the Inclusionary Development Policy? 2. History 3. 2015 Inclusionary Development Policy Process 4. 2015 Inclusionary Development Policy 5. Implementation 6. Next steps

453 views • 30 slides
Forward-Looking Statements Forward-Looking Statements This information and other statements by

Forward-Looking Statements Forward-Looking Statements This information and other statements by

1 Forward-Looking Statements Forward-Looking Statements This information and other statements by the company may contain forward-looking statements within the meaning of the Private Securities Litigation Reform Act with respect to, among other

486 views • 10 slides
Employee Climate Survey Presented to the Mecklenburg Board of County Commissioners by the County

Employee Climate Survey Presented to the Mecklenburg Board of County Commissioners by the County

Employee Climate Survey Presented to the Mecklenburg Board of County Commissioners by the County Managers Strategic Planning & Evaluation Team October 23, 2018 Theme: Employee Insights: Moving the County from Vision to Action Background

237 views • 20 slides
GTRI GTRI Presentation Presentation to to IDESG TFTM IDESG TFTM Ma Matt tt Mo Moyer er

GTRI GTRI Presentation Presentation to to IDESG TFTM IDESG TFTM Ma Matt tt Mo Moyer er

GTRI GTRI Presentation Presentation to to IDESG TFTM IDESG TFTM Ma Matt tt Mo Moyer er 11 11 Jun un 2014 2014 Agenda Componentization of FICAM TFS into Trustmarks Sample FICAM Trustmark Definition Overview of Trustmark

170 views • 12 slides
Br Brea eakaway kaway se sess ssion: ion: St Strategi rategic c Pil illar lar 2 2 - A

Br Brea eakaway kaway se sess ssion: ion: St Strategi rategic c Pil illar lar 2 2 - A

Stakehold eholder er Summit it on the e ID IDP/Bu /Budg dget et for r 2018/ 18/19 19 Br Brea eakaway kaway se sess ssion: ion: St Strategi rategic c Pil illar lar 2 2 - A Ci City y tha hat t Ca Care res s for or Res

593 views • 31 slides

More recommend