1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands

1

Earth System Grid Center for Enabling Technologies

ESG-CET Security

April 21, 2023

Frank Siebenlist

Rachana Ananthakrishnan

Neill MillerESG-CET All-Hands Meeting

Boulder, Colorado

2

Single Sign On (SSO) Solutions

3

Earth System Grid Center for Enabling Technologies: (ESG-CET)

Single Sign On Solutions

PKI SSO• Single Sign On for non-browser applications• MyProxy Online CA• Auto-provisioning of trust configuration

Web SSO• Single sign on for http/https applications• OpenID

4

Online-CAAuthN Svc

Application Client + PKIClient

App Svc

MyProxyLogin with Provisioning

1.LoginUsername/Password

0. Trusted CA/CRLs

AuthenticationDB

ProvisioningDatabase

Attribute Service

5

Online-CAAuthN Svc


App Svc


2. Authentication and Attributes retrieval

0. Trusted CA/CRLs

AuthenticationDB


Attribute Service

6

Online-CAAuthN Svc


App Svc


3. Short term X509 credentials with

attributes, CAs, CRLs

0. Trusted CA/CRLs

AuthenticationDB


Attribute Service

7

Online-CAAuthN Svc


App Svc


0. Trusted CA/CRLs

Authentication DB


Attribute Service

4. Access using X509 Credentials

8

Online-CAAuthN Svc


App Svc


0. Trusted CA/CRLs

Authentication DB


Attribute Service

5. Update trust roots

9

Browser

Web SSO using OpenID

Application

ServerService

Provider (SP)

IdentityProvider

(IdP)Authentication

DB

Site Attribute Service

10

Browser


Application

ServerService

Provider (SP/RP)

1. Client access application

server

IdentityProvider

(IdP)Authentication

DB


11

Browser


Application

ServerService

Provider (SP)

2. Redirected to Identity Provider

IdentityProvider

(IdP)Authentication

DB


12

Browser


Application

ServerService

Provider (SP)

3. User authenticates

with IdP

IdentityProvider

(IdP)Authentication

DB


13

Browser


Application

ServerService

Provider (SP)

4. AuthN completed,

user identity.

IdentityProvider

(IdP)Authentication

DB


14

Browser

Web SSO usign OpenID

4. Authenticated Call.

IdentityProvider

(IdP)Authentication

DB


Application

ServerService

Provider (SP)

15


AuthNDB

unamepasswor

d

PKIClient

MyProxyOnline-CAAuthN Svc

OpenIDIdP

BrowserClient

Web SvcPKI App Svc

u/p => X509 creds u/p => cookie

http-redirect+ cookie

X509 PK-authN

trusts CA => <= trusts IdP

Integrated WebSSO & PKI-SSO

16

SSO Integration

17


Gateway Integration: PKI SSO

PKI SSO• Tested MyProxy Online CA with ESG user database

Next steps:• Install MyProxy on Gateway• Plan integration/shipping with Gateway software• Bootstrap of MyProxy CA certificate

Download from ESG portal Part of ESG client download Investigate pre-configured web start application

18


Gateway Integration: OpenID SP

OpenID Service Provider (SP)• Provides SSO for gateway portal• Prototyped Acegi filter (Gateway team)

Next steps:• Session management in the portal?• Configuration of trusted IdPs

Add support to OpenID4Java

19


Gateway Integration: OpenID IdP

OpenID Identity Provider (IdP)• IdP front-end to username/password database• Must comply with following requirements:

SSL should be used for communication Identifiers should be Yadis IDs

Next steps:• Design and develop IdP service to host on gateway

IdP service shell (Gateway team) OpenID specifics (Argonne team)

• Integrate with ESG user database

20

Gateway Integration: Open Issues

Approved list of IdPs• Propagate and update white list of IdPs

Enforced at ESG-VO’s SPs• Support for external IdPs?

Maybe commercial IdP with right “signing-policy” Register with ESG?

Attribute handling• Integrate with IdP

21


Data Publishing Integration: OpenID SP

Desktop application to publish data Two phase publishing• Desktop application is unaware of OpenID

Integrated desktop application• Handle OpenID redirect to IdP• OpenID Python libraries • Issue with IdP login page

Could be added to IdP profile Would PKI based authentication be easier?• PKI client authentication can be built in• Investigate dual-client authN option on SPs?

22


Data node Integration: PKI SSO

OPeNDAP server• Integrate with PKI SSO solution and GridFTP• Prototype integration completed (Jose/Stephan)

Next steps:• MyProxy client/library added to ESG distribution• Trusted CA installation

MyProxy to provision Is OpenID integration required?• Issue with delegation of rights for GridFTP?

SRM: • user access to data servers that don’t trust ESG

CA?

23


Product server Integration: OpenID SP

Components: LAS and F-TDS Use case: access via portal• Token-authentication solutions can be adopted

(Gateway team) Use case: direct client access?• OpenID SP tomcat filter

Integration with backend applications• Identity push from LAS to OPeNDAP?

24

Attribute-based Authorization

25

Question

Current status:• If a gateway is down, the user cannot access ESG

infrastructure Requirement• It is acceptable for 24-48 hours down time

What does the single sign on solution buy?

26


Attributes and Authorization

Two types of attributes:• VO and Site attributes• Maybe distinguish VO-Gateway attributes?• Is the distinction needed for ESG?

VO attributes important with non-ESG IdP Attribute service options• Centralized, Gateway, VO level?

Attribute retrieval options:• Push site attributes with authentication• Pull VO attributes post-authentication• Pull VO attributes during authorization

2727

VOAttr

grouprole

Client

GatewayESG-VO

Svcs

Site IdP

IdPAttr

openIDpasswordaffiliation

Gateway

Attrgrouprole

Client’s Domain

Gateway’sDomain

VO’sDomain

Attributes and Domains

28

Attributes

October Test-bed target:• Only site attributes• Attribute store with IdP• Push site attributes with authentication

OpenID and MyProxy allow for that Post-test bed• Define transition path to include external IdPs and

VO attributes

29



SAML Attribute format• Signed SAML Assertions with Attribute Statements• Can be independently sent on wire• OpenSAML, open source library for SAML

processing Configuration of attribute release policy

30



Push attributes as a part of authentication• OpenID protocol allows push of attributes• MyProxy Online CA can embed attributes in issued

certificates SAML Attribute format• Signed SAML Assertions with Attribute Statements• Can be independently sent on wire• OpenSAML, open source library for SAML

processing

31

Gateway Integration: SSO & Attributes

Attribute Provider• Remote interface to pull down attributes• SAML Attribute Query Interface?

PKI SSO• Integrate to pull attributes from site attribute provider• Embed in certificate• SAML attribute assertion or X509 attribute cert?

Web SSO• Pull from site attribute provider• Interface in OpenID4Java to callout to attribute provider

SAML?

32

Gateway Integration: SSO & Attributes

PKI SSO• Integrate to pull attributes from site attribute provider• Embed in certificate• SAML attribute assertion or X509 attribute cert?

Web SSO• Pull from site attribute provider• Interface in OpenID4Java to callout to attribute

provider SAML?

33

Gateway Integration: Open Issues

VO attributes• Either if external IdPs are used or used in addition to

site attributes• Attribute service hosted by gateways• Central ESG-VO attributes and attribute service?• SPs pull down attributes from Attribute Service

Configuration of attribute release policy?• Not required if IdP is set up for ESG use only

VO membership of SPs is implicit white-list

34

Service Providers and Attributes

Product services SP:• Only relevant in direct access use case• Might have to push attributes through to back end

applications Other SPs:• Relevant for authorization filters only

35



Authorization policy• Centralized policy (or)• Per gateway with only policy on resources owned by

gateway’s site (or)• Combination of both?

Centralized policy• Replicate to gateway

Partitioned policy• Gateway stores policy only about the resources it

owns• Does this improve reliability?

36



Authorization policy• How is it implemented today?

37


Authorization service interface for remote access• Web services? • Protocol needed?

Configuration for trusted authorization service(s) in application callbacks• Endpoint of service• Identity of service• Trusted certificate

38

Service Providers and Authorization

Gateway Integration• Acegi filter to callback to authorization service (embedded?)

Data node Integration• Callback to authorization service• Do we need to push attributes?• GridFTP authorization callout can be used

Product services Integration• Access through portal

Token based authorization• Direct user access

Not relevant for now Define transition path for post-test bed

39

Security Configuration for Deployment

OpenID Identity Providers:• Attribute service endpoint• White-list of SPs

OpenID Service Providers:• White-list of IdPs• Authorization (and Attribute) service endpoints

MyProxy server• CA and CRLs• Attribute service endpoint

PKI Service Providers:• MyProxy server endpoint • CA and CRLs • Authorization service endpoints

PKI Clients:• MyProxy Server endpoint and bootstrap trust-root • VO’s CAs and CRLS

40

Attribute an Metadata Replication Breakout Session

41

Attribute and meta data replication

Meta data replication service• Search meta data replication • If gateway serves multiple VOs• No replication

Remote query Performance issues Partial search results.

• Database based replication No gateway dependency

• Replication Service (ISI)

42

Attribute and meta data replication

Security meta data- Replicate user membership and resource authz

policies- Metrics reporting issues- Exchange all information except user credentials

- Explore JMS as solution- Event driven system- Transaction based system

- Eliminates gateway dependency

Documents

1 Earth System Grid Center for Enabling Technologies ESG-CET Security January 7, 2016 Frank Siebenlist Rachana Ananthakrishnan Neill Miller ESG-CET All-Hands