1
Earth System Grid Center for Enabling Technologies
ESG-CET Security
April 21, 2023
Frank Siebenlist
Rachana Ananthakrishnan
Neill Miller
ESG-CET All-Hands Meeting
Boulder, Colorado
2
Single Sign On (SSO) Solutions
3
Earth System Grid Center for Enabling Technologies: (ESG-CET)
Single Sign On Solutions
PKI SSO
• Single Sign On for non-browser applications
• MyProxy Online CA
• Auto-provisioning of trust configuration
Web SSO
• Single sign on for http/https applications
• OpenID
4-8
MyProxy Login with Provisioning (diagram; the steps are built up over slides 4 to 8)
Components: Application Client + PKI Client, App Svc, Online-CA / AuthN Svc, Authentication DB, Provisioning Database, Attribute Service
0. Trusted CA/CRLs
1. Login with username/password
2. Authentication and attributes retrieval
3. Short-term X509 credentials with attributes, CAs, CRLs
4. Access using X509 credentials
5. Update trust roots
9-14
Web SSO using OpenID (diagram; the steps are built up over slides 9 to 14)
Components: Browser, Application Server / Service Provider (SP/RP), Identity Provider (IdP), Authentication DB, Site Attribute Service
1. Client accesses application server
2. Redirected to Identity Provider
3. User authenticates with IdP
4. AuthN completed, user identity returned; authenticated call to the application server
15
Integrated WebSSO & PKI-SSO (diagram)
Components: AuthN DB (username/password), PKI Client, MyProxy Online-CA / AuthN Svc, OpenID IdP, Browser Client, Web Svc, PKI App Svc
Flows: u/p => X509 creds (PKI Client to MyProxy Online-CA); u/p => cookie (Browser Client to OpenID IdP); http-redirect + cookie (Browser Client to Web Svc); X509 PK-authN (PKI Client to PKI App Svc)
Trust: PKI App Svc trusts CA; Web Svc trusts IdP
16
SSO Integration
17
Gateway Integration: PKI SSO
PKI SSO
• Tested MyProxy Online CA with ESG user database
Next steps:
• Install MyProxy on Gateway
• Plan integration/shipping with Gateway software
• Bootstrap of MyProxy CA certificate
  - Download from ESG portal
  - Part of ESG client download
  - Investigate pre-configured web start application
18
Gateway Integration: OpenID SP
OpenID Service Provider (SP)
• Provides SSO for gateway portal
• Prototyped Acegi filter (Gateway team)
Next steps:
• Session management in the portal?
• Configuration of trusted IdPs
  - Add support to OpenID4Java
19
Gateway Integration: OpenID IdP
OpenID Identity Provider (IdP)
• IdP front-end to username/password database
• Must comply with the following requirements:
  - SSL should be used for communication
  - Identifiers should be Yadis IDs
Next steps:
• Design and develop IdP service to host on gateway
  - IdP service shell (Gateway team)
  - OpenID specifics (Argonne team)
• Integrate with ESG user database
20
Gateway Integration: Open Issues
Approved list of IdPs
• Propagate and update white list of IdPs
  - Enforced at ESG-VO’s SPs
• Support for external IdPs?
  - Maybe commercial IdP with right “signing-policy”
  - Register with ESG?
Attribute handling
• Integrate with IdP
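The Web SSO flow of slides 9 to 14 together with the IdP white-list of slides 18 and 20, as an added stand-alone example (not ESG-CET or OpenID4Java code). It simulates an OpenID 2.0 style exchange in which the SP/RP only redirects to approved https IdPs, the IdP returns an HMAC-signed positive assertion after checking the AuthN DB, and the RP verifies signature, return_to and nonce. All endpoint names, users and the white-list are constructed.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import urlparse
APPROVED_IDPS = {"https://idp.gateway-a.example.org/openid"}  # constructed white-list; hypothetical name

def idp_allowed(op_endpoint):
    """SP/RP-side check: the IdP must be on the approved list and be spoken to over SSL."""
    return urlparse(op_endpoint).scheme == "https" and op_endpoint in APPROVED_IDPS

def sign(key, fields):
    """OpenID 2.0 style signature: HMAC-SHA256 over the key:value form of the signed fields."""
    kv = "".join(f"{n}:{fields['openid.' + n]}\n" for n in fields["openid.signed"].split(","))
    return base64.b64encode(hmac.new(key, kv.encode(), hashlib.sha256).digest()).decode()

class IdP:
    def __init__(self, endpoint, users):
        self.endpoint, self.users, self.assocs = endpoint, users, {}
    def associate(self):  # RP <-> IdP association: a shared HMAC key filed under a handle
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self.assocs[handle] = key
        return handle, key
    def checkid(self, handle, username, password, return_to):
        if self.users.get(username) != password:  # step 3: user authenticates against the AuthN DB
            return None
        f = {"openid.mode": "id_res", "openid.claimed_id": f"{self.endpoint}/{username}",
             "openid.op_endpoint": self.endpoint, "openid.return_to": return_to,
             "openid.response_nonce": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_hex(4),
             "openid.assoc_handle": handle}
        f["openid.signed"] = ",".join(k[len("openid."):] for k in f)
        f["openid.sig"] = sign(self.assocs[handle], f)  # step 4: signed positive assertion
        return f

class RP:
    def __init__(self, return_to):
        self.return_to, self.assocs, self.seen_nonces = return_to, {}, set()
    def begin(self, idp):  # step 2: enforce the IdP white-list before redirecting the browser
        if not idp_allowed(idp.endpoint):
            raise PermissionError("IdP not on approved list")
        handle, key = idp.associate()
        self.assocs[handle] = key
        return handle
    def complete(self, resp):  # verify the assertion the browser carried back to the SP
        key = None if resp is None else self.assocs.get(resp["openid.assoc_handle"])
        if key is None or not idp_allowed(resp["openid.op_endpoint"]):
            return None
        if resp["openid.return_to"] != self.return_to or resp["openid.response_nonce"] in self.seen_nonces:
            return None  # wrong destination or replayed assertion
        if not hmac.compare_digest(sign(key, resp), resp["openid.sig"]):
            return None
        self.seen_nonces.add(resp["openid.response_nonce"])
        return resp["openid.claimed_id"]
```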
21
Data Publishing Integration: OpenID SP
Desktop application to publish data
Two phase publishing
• Desktop application is unaware of OpenID
Integrated desktop application
• Handle OpenID redirect to IdP
• OpenID Python libraries
• Issue with IdP login page
  - Could be added to IdP profile
Would PKI based authentication be easier?
• PKI client authentication can be built in
• Investigate dual-client authN option on SPs?
22
Data node Integration: PKI SSO
OPeNDAP server
• Integrate with PKI SSO solution and GridFTP
• Prototype integration completed (Jose/Stephan)
Next steps:
• MyProxy client/library added to ESG distribution
• Trusted CA installation
  - MyProxy to provision
Is OpenID integration required?
• Issue with delegation of rights for GridFTP?
SRM:
• User access to data servers that don’t trust ESG CA?
23
Product server Integration: OpenID SP
Components: LAS and F-TDS
Use case: access via portal
• Token-authentication solutions can be adopted (Gateway team)
Use case: direct client access?
• OpenID SP tomcat filter
Integration with backend applications
• Identity push from LAS to OPeNDAP?
24
Attribute-based Authorization
25
Question
Current status:
• If a gateway is down, the user cannot access ESG infrastructure
Requirement
• It is acceptable for 24-48 hours down time
What does the single sign on solution buy?
26
Attributes and Authorization
Two types of attributes:
• VO and Site attributes
• Maybe distinguish VO-Gateway attributes?
• Is the distinction needed for ESG?
  - VO attributes important with non-ESG IdP
Attribute service options
• Centralized, Gateway, VO level?
Attribute retrieval options:
• Push site attributes with authentication
• Pull VO attributes post-authentication
• Pull VO attributes during authorization
27
Attributes and Domains (diagram)
Client’s Domain: Client; Site IdP with IdP Attr (openID, password, affiliation)
Gateway’s Domain: Gateway with Gateway Attr (group, role)
VO’s Domain: ESG-VO Svcs with VO Attr (group, role)
28
Attributes
October Test-bed target:
• Only site attributes
• Attribute store with IdP
• Push site attributes with authentication
  - OpenID and MyProxy allow for that
Post-test bed
• Define transition path to include external IdPs and VO attributes
29
Attributes and Authorization
SAML Attribute format
• Signed SAML Assertions with Attribute Statements
• Can be independently sent on wire
• OpenSAML, open source library for SAML processing
Configuration of attribute release policy
30
Attributes and Authorization
Push attributes as a part of authentication
• OpenID protocol allows push of attributes
• MyProxy Online CA can embed attributes in issued certificates
SAML Attribute format
• Signed SAML Assertions with Attribute Statements
• Can be independently sent on wire
• OpenSAML, open source library for SAML processing
31
Gateway Integration: SSO & Attributes
Attribute Provider
• Remote interface to pull down attributes
• SAML Attribute Query Interface?
PKI SSO
• Integrate to pull attributes from site attribute provider
• Embed in certificate
• SAML attribute assertion or X509 attribute cert?
Web SSO
• Pull from site attribute provider
• Interface in OpenID4Java to callout to attribute provider
  - SAML?
32
Gateway Integration: SSO & Attributes
PKI SSO
• Integrate to pull attributes from site attribute provider
• Embed in certificate
• SAML attribute assertion or X509 attribute cert?
Web SSO
• Pull from site attribute provider
• Interface in OpenID4Java to callout to attribute provider
  - SAML?
33
Gateway Integration: Open Issues
VO attributes
• Either if external IdPs are used or used in addition to site attributes
• Attribute service hosted by gateways
• Central ESG-VO attributes and attribute service?
• SPs pull down attributes from Attribute Service
Configuration of attribute release policy?
• Not required if IdP is set up for ESG use only
  - VO membership of SPs is implicit white-list
34
Service Providers and Attributes
Product services SP:
• Only relevant in direct access use case
• Might have to push attributes through to back end applications
Other SPs:
• Relevant for authorization filters only
35
Attributes and Authorization
Authorization policy
• Centralized policy (or)
• Per gateway with only policy on resources owned by gateway’s site (or)
• Combination of both?
Centralized policy
• Replicate to gateway
Partitioned policy
• Gateway stores policy only about the resources it owns
• Does this improve reliability?
36
Attributes and Authorization
Authorization policy
• How is it implemented today?
37
Attributes and Authorization
Authorization service interface for remote access
• Web services?
• Protocol needed?
Configuration for trusted authorization service(s) in application callbacks
• Endpoint of service
• Identity of service
• Trusted certificate
38
Service Providers and Authorization
Gateway Integration
• Acegi filter to callback to authorization service (embedded?)
Data node Integration
• Callback to authorization service
• Do we need to push attributes?
• GridFTP authorization callout can be used
Product services Integration
• Access through portal
  - Token based authorization
• Direct user access
  - Not relevant for now
  - Define transition path for post-test bed
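The authorization callback of slide 38 evaluating the attribute-based policy options of slide 35, as an added stand-alone example (not ESG code). It shows the partitioned model, where a gateway holds policy only for resources it owns and forwards other requests to the owning gateway, failing closed when that gateway is down (the slide 25 concern), and the centralized model, where the policy is replicated to the gateway instead. Subject attributes, policies, gateway names and the `<gateway>:<path>` resource naming are all constructed.

```python
# Constructed sample subject: site attributes pushed with authentication, VO group/role pulled later.
ALICE = {"site.affiliation": "LLNL", "vo.group": {"CMIP3", "IPCC"}, "vo.role": "user"}
# Constructed policies; resources are named '<owning gateway>:<path>' (a convention assumed here).
POLICY_A = {"gwA:/cmip3/tas": [("read", {"vo.group": "CMIP3"}),
                               ("write", {"vo.group": "CMIP3", "vo.role": "data-manager"})]}
POLICY_B = {"gwB:/obs/sst": [("read", {"site.affiliation": "LLNL"})]}

def resource_owner(resource):
    return resource.split(":", 1)[0]

def matches(subject_attrs, required):
    """Every required attribute value must be present; multi-valued attributes are sets."""
    for name, value in required.items():
        have = subject_attrs.get(name, set())
        if value not in (have if isinstance(have, set) else {have}):
            return False
    return True

class AuthzService:
    """Hypothetical authorization callback a gateway, data node or Acegi filter would invoke."""
    def __init__(self, gateway, policy, peers=None):
        self.gateway, self.policy, self.peers = gateway, dict(policy), peers or {}
    def replicate_from(self, central_policy):  # centralized option: policy replicated to the gateway
        self.policy.update(central_policy)
    def decide(self, subject_attrs, resource, action):
        owner = resource_owner(resource)
        if resource not in self.policy and owner != self.gateway:
            peer = self.peers.get(owner)  # partitioned option: the owning gateway holds the policy
            if peer is None:
                return ("deny", "owning gateway unavailable")  # fail closed rather than guess
            return peer.decide(subject_attrs, resource, action)
        for act, required in self.policy.get(resource, []):
            if act == action and matches(subject_attrs, required):
                return ("permit", "matched " + str(required))
        return ("deny", "no matching rule")

def demo():
    """Partitioned: gwA forwards gwB's resources; an isolated gwA denies them until policy is replicated."""
    gw_b = AuthzService("gwB", POLICY_B)
    gw_a = AuthzService("gwA", POLICY_A, peers={"gwB": gw_b})
    isolated = AuthzService("gwA", POLICY_A)
    before = isolated.decide(ALICE, "gwB:/obs/sst", "read")[0]
    isolated.replicate_from(POLICY_B)
    return (gw_a.decide(ALICE, "gwA:/cmip3/tas", "read")[0],
            gw_a.decide(ALICE, "gwA:/cmip3/tas", "write")[0],
            gw_a.decide(ALICE, "gwB:/obs/sst", "read")[0],
            before, isolated.decide(ALICE, "gwB:/obs/sst", "read")[0])
```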
39
Security Configuration for Deployment
OpenID Identity Providers:
• Attribute service endpoint
• White-list of SPs
OpenID Service Providers:
• White-list of IdPs
• Authorization (and Attribute) service endpoints
MyProxy server
• CA and CRLs
• Attribute service endpoint
PKI Service Providers:
• MyProxy server endpoint
• CA and CRLs
• Authorization service endpoints
PKI Clients:
• MyProxy Server endpoint and bootstrap trust-root
• VO’s CAs and CRLs
40
Attribute and Metadata Replication Breakout Session
41
Attribute and meta data replication
Meta data replication service
• Search meta data replication
  - If gateway serves multiple VOs
• No replication
  - Remote query
  - Performance issues
  - Partial search results
• Database based replication
  - No gateway dependency
• Replication Service (ISI)
42
Attribute and meta data replication
Security meta data
- Replicate user membership and resource authz policies
- Metrics reporting issues
- Exchange all information except user credentials
- Explore JMS as solution
- Event driven system
- Transaction based system
- Eliminates gateway dependency