Federated Identity Management for NRENs and access to e-Infrastructures
Cletus Okolie, NOC Manager, Eko-Konnect Research and Education Initiative
[email protected], 08023824246
09/11/2013, ngNOG VIII - University of Benin

Presentation on Federated identity and Access Management


DESCRIPTION

Presentation on Federated Identity and Access Management for NRENs and deployment of a Catch-All Identity Provider for the Nigerian Research and Education Network (NgREN) given at the NgNOG Meeting in the University of Benin

Page 1

Title slide

Page 2

Outline

• Participation in WACREN project: eI4Africa
• What are e-Infrastructures?
• Public Key Infrastructure – Certification Authorities
• Federated Identity Services – Terms and Principles
• What is a Science Gateway?
• NgREN Catch-All Identity Provider Deployment
• Demo

Page 3

WACREN AGM - Abuja 2013

eI4Africa

• An EU/FP7 project funded by the EC (DG CONNECT) under the ‘Capacities Programme’
• Spanning 24 months (Nov. 2012 - Oct. 2014)
• With the aim of:
  – Boosting the Research, Technological Development and Innovation (RTDI) potential of African e-Infrastructures
  – Supporting policy dialogues
  – Enhancing Africa-EU cooperation
• In the framework of the joint Africa-EU Strategic Partnership on
  – Trade, regional integration and infrastructures (JAES Partnership 3)
  – Science, information society and space (JAES Partnership 8)

03/07/2013

Page 4

Objectives

• Outreach
  – Build cooperation between Euro-African NRENs, RENs and user communities
  – Raise awareness at policy level on the benefits and value of RENs
  – Promote/strengthen Euro-African collaborative research on e-Infrastructures and their applications
• Produce a state-of-the-art study of e-Infrastructure application uptake in Africa
• Flagship demonstrations from other continents, illustrating their relevance to the African context in order to stimulate policy dialogue on e-Infrastructures
• Stimulate targeted policy and regulatory discussions

Page 5

Virtuous Circle of eI4Africa Activities

Page 6

e-Infrastructures

• ICT elements that support e-Science
• e-Science - novel, large-scale, inter-disciplinary global collaborations between scientists and researchers across many different areas
• ICT elements:
  – high-speed research communication networks
  – powerful computational resources (dedicated high performance computers, clusters, large numbers of commodity PCs)
  – grid and cloud technologies, data infrastructures (data sources, scientific literature)
  – sensors, web-based portals, science gateways and mobile devices
• When integrated together = e-Infrastructures

Page 7

A potential user of an e-infrastructure needs ….

• A more powerful computer to run an application
• A great number of these computers to deliver results faster
• Access to specialized High Performance Computing facilities
• Access to large data sources
• Access to software not available locally
• To collaborate with other scientists across the world
• Access to scientific literature resources
• To connect to specialized instrumentation for analysis
• To connect to sensors for data collection
• Access to these facilities via a web-based portal or mobile device

Page 8

Vision for African e-Infrastructure

The eI4Africa vision is a standards-based, fully interoperable ICT platform that will enable scientists to do better research with collaborators across Africa and in other regions. New training and education programmes will be available to form the new generation of African e-researchers able to tackle problems affecting the region.

Page 9

Technical Services Teams

• African organizations in the eI4Africa technical services teams
  – Eko-Konnect (Nigeria)
  – JKUAT and Kenya (Kenya)
  – MERAKA (South Africa)
  – TERNET (Tanzania)
  – MAREN (Malawi)
  – More welcome!

Page 10

Outputs

• Certification Authorities
  – Nigeria, Kenya, Tanzania, South Africa, Malawi
  – Deployed and issuing X.509 certificates, tested on the GILDA t-Infrastructure
• Catch-All Identity Providers
  – Nigeria, Kenya, South Africa, Tanzania
• Africa Grid Science Gateway
• Capacity building for resource sharing across geographic and organisational boundaries with an established PKI

Page 11

Federated Identity Services, Certification Authorities & Science Gateways

Principles and Terminology

Page 12

Public Key Infrastructure

A public-key infrastructure (PKI) is the set of hardware, software, people, policies and procedures needed to create, manage, distribute, use, store and revoke digital certificates. The PKI issues digital certificates that bind public keys to entities, publishes them in a repository and revokes them when needed.

Page 13

PKI Concepts

• Certification Authority – CA
  – issues the digital certificates, signing each one with its own private key, and publishes their revocation status
• Registration Authority – RA
  – verifies the identity of entities requesting certificates from the CA. There can be one or more
• Validation Authority – VA
  – provides information on whether a given certificate is currently valid (e.g. via a CRL or OCSP). There can be one or more
• End Entity
  – the certificate holder or user, such as an e-mail client, a web server, a web browser or a VPN gateway

Page 14

PKI Access Flow

• A user applies for a certificate at a Registration Authority (RA), submitting a certificate request that contains his public key and is signed with his private key (proof that he holds the key)
• The RA confirms the user's identity and the CA issues the certificate, signing it with the CA's private key
• The user installs the certificate and uses the matching private key to sign and authenticate
• The Validation Authority (VA) answers whether an issued certificate is still valid (not expired, not revoked)
• Implemented in software:
  CA = https://ngca.eko-konnect.net.ng/CA
  VA = https://ngca.eko-konnect.net.ng/CA/mgt/scert.php
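The flow on this slide carried through in code, as an added example that is not part of the presentation and is not the software behind ngca.eko-konnect.net.ng: a CA, the RA's proof-of-possession check on the request, issuance signed by the CA, a CRL, and the VA-side checks (issuer, signature, validity window, revocation). It uses the Python `cryptography` library, which is assumed to be installed; the CA name, user and e-mail address are made up.

```python
"""Added example, not from the slides: the PKI access flow end to end with the
Python `cryptography` library (assumed installed). All names are made up."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

ONE_DAY = datetime.timedelta(days=1)
UTC = datetime.timezone.utc

def _validity(cert):
    """(not_before, not_after) as aware UTC datetimes, across library versions."""
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before.replace(tzinfo=UTC), cert.not_valid_after.replace(tzinfo=UTC)

def gen_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)

def make_ca(common_name="Demo Catch-All CA"):
    """Self-signed CA certificate; basicConstraints marks it as a CA."""
    key = gen_key()
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(UTC)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + 365 * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_csr(user_key, common_name, email):
    """Step 1: the applicant signs the request with the private key that matches
    the public key inside it, which is what the RA checks as proof of possession."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name),
                         x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)])
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(user_key, hashes.SHA256())

def issue_certificate(ca_key, ca_cert, csr, days=30):
    """Step 2: once the RA has confirmed identity, the CA (not the user) signs the certificate."""
    if not csr.is_signature_valid:
        raise ValueError("CSR self-signature does not verify: applicant lacks the private key")
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject).public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - ONE_DAY).not_valid_after(now + days * ONE_DAY)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def make_crl(ca_key, ca_cert, revoked_serials):
    """The CA's signed list of revoked serial numbers, which the VA consults."""
    now = datetime.datetime.now(UTC)
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(now).next_update(now + ONE_DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now).build())
    return builder.sign(ca_key, hashes.SHA256())

def validate(cert, ca_cert, crl):
    """The VA's answer: trusted issuer, CA signature, validity window, revocation."""
    if cert.issuer != ca_cert.subject:
        return "unknown issuer"
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except Exception:
        return "bad signature"
    not_before, not_after = _validity(cert)
    if not not_before <= datetime.datetime.now(UTC) <= not_after:
        return "outside validity period"
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "untrusted CRL"  # an unsigned or foreign CRL could hide a revocation
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "valid"

def demo():
    ca_key, ca_cert = make_ca()
    csr = make_csr(gen_key(), "Demo User", "user@example.ng")  # constructed identity
    cert = issue_certificate(ca_key, ca_cert, csr)
    clean_crl = make_crl(ca_key, ca_cert, [])
    rogue_key, rogue_cert = make_ca("Rogue CA")  # a CA the VA does not trust
    return {
        "fresh": validate(cert, ca_cert, clean_crl),
        "revoked": validate(cert, ca_cert, make_crl(ca_key, ca_cert, [cert.serial_number])),
        "rogue": validate(issue_certificate(rogue_key, rogue_cert, csr), ca_cert, clean_crl),
    }
```

The point the slide leaves implicit is in `issue_certificate`: the user signs only the request, and it is the CA's signature on the certificate that every relying party checks. `validate` also refuses a CRL that the CA did not sign; otherwise anyone could hand the VA an empty revocation list.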

Page 15

PKI Access Flow

Page 16

Page 17

Identity Federations

An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources, so that users can be given access on the basis of authentication by their home organisation.

Page 18

Service Provider (SP)

• Describes anyone who has a service, resource or set of content that they want to make available to users via a login
• The login may be there to limit access to subscribers or specialist groups, or for personalisation
• The SP does not hold information about users. It relies on Identity Providers, i.e. the institution or organisation that a user belongs to, for user information

Page 19

Identity Provider (IdP)

An Identity Provider or 'IdP' is any institution or organisation that manages information about its users and wants to provide access to resources for these users.

Page 20

Access Control

After successful authentication the identity provider releases a certain set of attributes to the service provider.

Access control is performed by matching these attributes supplied by the IdP against rules defined by the SP.

Page 21

Authentication vs Authorization

• Authentication establishes the user's identity and is done by the identity provider
  – To be authenticated by an IdP, people have to be enrolled and registered, upon proper identification, in the registry (e.g. the LDAP directory) connected to the IdP
• Authorization defines the user's permissions within the application and is done at the service provider
  – Being who you claim to be (i.e. being authenticated by an IdP) does not imply, under the portal's policy, that you are automatically authorised to access and use the SP, e.g. the Africa Grid Science Gateway. To be authorised, users have to submit an authorisation request.

Page 22

SAML

• Security Assertion Markup Language – an XML standard for exchanging authentication and attribute information
• Used for web browser Single Sign-On (SSO)
• Three roles: the principal (typically a user), the identity provider (IdP) and the service provider (SP)
• Does not specify the method of authentication at the identity provider: the authentication source can be chosen, e.g. LDAP, Active Directory, SQL or custom
• Shibboleth (Java) and SimpleSAMLphp (PHP) are popular SAML implementations, used with OpenLDAP and EduERP in Eko-Konnect

Page 23

SAML – Web SSO Example


Sourced from Wikipedia

Page 24

NgREN Federation

• There is normally one CA and one identity federation (IdF) per country, except in a few countries such as the US
• Currently a “Catch-All” IdP for NgREN is maintained by Eko-Konnect as part of eI4Africa at https://ngidp.eko-konnect.net.ng
• Used by UNN and LionGRID users in their workshops
• With a database of users, any institution can set up its own IdP and participate in the evolution of policies and framework for the NgREN federation

Page 25

What are Science Gateways?

• A Science Gateway is a community-developed set of tools, applications and data that are integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community
• Gateways allow science teams to access data, perform shared computations and generally work on resources together
• Gateways provide access to a variety of capabilities including
  – Workflows
  – General or domain-specific analytic and visualization software
  – Collaborative interfaces
  – Resource discovery
  – Job submission tools
  – Job execution services
  – Education modules
• Different SGWs exist, e.g. the Africa Grid Science Gateway

Page 26

Africa Grid Science Gateway

• The Africa Grid Science Gateway is a standards-based, web 2.0 demonstration platform to showcase the lighthouse applications identified by the eI4Africa project and execute them on a worldwide e-infrastructure.

Page 27

Problems accessing the Science Gateways?

• Some applications in a Science Gateway are freely accessible, but others are not and require user authentication
• Grids and their diverse middleware have been difficult for scientists to grasp
• Access to the Africa Grid Science Gateway requires federated credentials issued by an Identity Provider

Page 28

Problems with Access contd.

• PKI and personal certificates have been a barrier to access to e-infrastructures
• This is what identity federation (IdF) seeks to solve: the user authenticates with the username and password of the home institution, and the gateway handles the grid credentials on the user's behalf

Page 29

SG Access Workflow

• A user wants to sign in or requests a service that requires authentication and authorisation
• The portal redirects the user to an IdP, where the user's details are checked against an LDAP server
• The portal contacts a service called the eToken Service, where a proxy certificate is created from a robot certificate held on a special USB-shaped smart card
• The action is carried out on the grid
• The output is retrieved back to the portal machine
• The user is notified that the output is ready and can download it

Page 30

Deploying the NgREN Catch-All Identity Provider

Shibboleth and OpenLDAP

Page 31

Overview

• Installation and configuration of a Shibboleth-based IdP with an LDAP backend
• Shibboleth is an open-source project that provides Single Sign-On (SSO) capabilities and allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner

Page 32

How does Shibboleth work?

• It works the same way as other web-based single sign-on systems
• The major differences are its adherence to standards (SAML) and its ability to provide SSO to services outside of a user's organisation while still protecting the user's privacy

Page 33

Web-based SSO system

• The main elements are:
  – Web browser - represents the user within the SSO process
  – Resource - contains the restricted-access content that the user wants
  – Identity Provider (IdP) - authenticates the user
  – Service Provider (SP) - performs the SSO process for the resource

Page 34

Single Sign-On steps

• Step 1 - User accesses the resource
• Step 2 - Service provider issues an authentication request
• Step 3 - User is authenticated at the identity provider
• Step 4 - Identity provider issues an authentication response
• Step 5 - Service provider checks the authentication response
• Step 6 - Resource returns content
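Steps 1 to 6, plus the attribute rules from the Access Control and Authentication vs Authorization slides, modelled as an added example that is not part of the presentation and is not Shibboleth code. A real SAML response is XML signed with the IdP's RSA key published in federation metadata; here an HMAC under a shared secret stands in for that signature so the block needs only the Python standard library. Entity IDs, users, passwords and attribute values are all constructed.

```python
"""Added example, not from the slides or from Shibboleth: the six SSO steps and
the SP-side attribute rules with a toy IdP and SP. An HMAC under a shared secret
stands in for the IdP's XML signature. Every identifier below is made up."""
import hashlib, hmac, json, secrets, time

IDP_SIGNING_SECRET = b"demo-idp-signing-secret"  # stand-in for the IdP's private key
ASSERTION_LIFETIME = 300  # seconds until NotOnOrAfter

def _sign(assertion):
    data = json.dumps(assertion, sort_keys=True).encode()
    return hmac.new(IDP_SIGNING_SECRET, data, hashlib.sha256).hexdigest()

def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    """Step 3 (authenticate the user) and step 4 (issue a signed response)."""
    def __init__(self, entity_id, registry):
        self.entity_id = entity_id
        self.registry = {}  # username -> (salt, password hash, attributes)
        for user, (password, attrs) in registry.items():
            salt = secrets.token_bytes(16)
            self.registry[user] = (salt, _pbkdf2(password, salt), attrs)

    def authenticate(self, user, password):
        if user not in self.registry:
            return False
        salt, digest, _ = self.registry[user]
        return hmac.compare_digest(digest, _pbkdf2(password, salt))

    def issue_response(self, authn_request, user, password, released):
        """`released` plays the part of the IdP's attribute-filter policy."""
        if not self.authenticate(user, password):
            return None
        attrs = self.registry[user][2]
        assertion = {
            "ID": "_" + secrets.token_hex(8),
            "Issuer": self.entity_id,
            "InResponseTo": authn_request["ID"],
            "Audience": authn_request["Issuer"],
            "NotOnOrAfter": int(time.time()) + ASSERTION_LIFETIME,
            "Attributes": {k: v for k, v in attrs.items() if k in released},
        }
        return {"Assertion": assertion, "Signature": _sign(assertion)}

class ServiceProvider:
    """Step 2 (authentication request), step 5 (check the response), then the SP's rules."""
    def __init__(self, entity_id, trusted_idp, rules):
        self.entity_id, self.trusted_idp, self.rules = entity_id, trusted_idp, rules
        self.pending = set()  # outstanding AuthnRequest IDs
        self.seen = set()  # consumed assertion IDs, for replay detection

    def authn_request(self):
        request_id = "_" + secrets.token_hex(8)
        self.pending.add(request_id)
        return {"ID": request_id, "Issuer": self.entity_id}

    def consume(self, response, now=None):
        now = time.time() if now is None else now
        a = response["Assertion"]
        if not hmac.compare_digest(response["Signature"], _sign(a)):
            return "rejected: bad signature"
        if a["Issuer"] != self.trusted_idp:
            return "rejected: untrusted issuer"
        if a["Audience"] != self.entity_id:
            return "rejected: wrong audience"
        if a["ID"] in self.seen:
            return "rejected: replayed assertion"
        if a["InResponseTo"] not in self.pending:
            return "rejected: unsolicited response"
        if now >= a["NotOnOrAfter"]:
            return "rejected: assertion expired"
        self.pending.discard(a["InResponseTo"])
        self.seen.add(a["ID"])
        return self.authorize(a["Attributes"])

    def authorize(self, attrs):
        """Authenticated is not authorised: every rule needs a matching attribute value."""
        for attribute, allowed in self.rules.items():
            if not set(attrs.get(attribute, [])) & allowed:
                return "authenticated, not authorised: " + attribute
        return "granted"

def demo():
    idp = IdentityProvider("https://idp.example.ng/idp/shibboleth", {
        "ada": ("correct horse", {"eduPersonAffiliation": ["student"], "mail": ["ada@example.ng"],
                                  "eduPersonEntitlement": ["urn:mace:example:sgw"]}),
        "bob": ("hunter2", {"eduPersonAffiliation": ["student"], "mail": ["bob@example.ng"]}),
    })
    sp = ServiceProvider("https://sgw.example.org/shibboleth", idp.entity_id, rules={
        "eduPersonAffiliation": {"faculty", "staff", "student"},
        "eduPersonEntitlement": {"urn:mace:example:sgw"},  # granted by the admin after the authorisation request
    })
    released = {"eduPersonAffiliation", "eduPersonEntitlement"}  # mail is never released
    ada = idp.issue_response(sp.authn_request(), "ada", "correct horse", released)
    results = {"ada": sp.consume(ada), "replay": sp.consume(ada)}
    results["bob"] = sp.consume(idp.issue_response(sp.authn_request(), "bob", "hunter2", released))
    forged = idp.issue_response(sp.authn_request(), "bob", "hunter2", released)
    forged["Assertion"]["Attributes"]["eduPersonEntitlement"] = ["urn:mace:example:sgw"]
    results["forged"] = sp.consume(forged)
    stale = idp.issue_response(sp.authn_request(), "ada", "correct horse", released)
    results["stale"] = sp.consume(stale, now=time.time() + ASSERTION_LIFETIME + 1)
    return results
```

The checks in `consume` are the ones a SAML SP has to make on an authentication response before it believes anything in it: signature, trusted issuer, audience, the `InResponseTo` tie to a request it actually sent, expiry, and replay detection on the assertion ID. Only then does `authorize` apply the SP's rules to the released attributes, so bob, whom the IdP has authenticated, still gets "not authorised" until the entitlement is granted.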

Page 35

How does Shibboleth work?

• Identity provider discovery, user attributes and metadata
• Identity Provider Discovery: what an SP working with multiple IdPs uses to find out where to send the user for authentication
• User attributes: give the SP the ability to receive data about the user from the IdP, e.g. email address or phone number
• Metadata: gives the IdP and SP the ability to know which URLs to use when communicating with each other. It contains:
  – A unique identifier known as the entity ID
  – A human-readable name and description
  – A list of URLs to which messages should be delivered, and information about when each should be used
  – Cryptographic information (certificates) used when signing and verifying messages
• A common function of the federation is to publish a file that contains the metadata of all IdPs and SPs that have agreed to work together
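An added example, not from the presentation and not Shibboleth code, of what an SP does with the federation's published metadata file: parse the aggregate, refuse it once `validUntil` has passed, take each IdP's entity ID, endpoints per binding and signing certificate, and drop any entity that advertises a cleartext endpoint. The aggregate, entity IDs, hosts and certificate text are constructed for the demo.

```python
"""Added example, not from the slides or from Shibboleth: parse a federation
metadata aggregate and look up what an SP needs before trusting an IdP (entity
ID, endpoints per binding, signing certificate, validUntil). The aggregate,
hosts and certificate text below are constructed."""
import datetime
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
UTC = datetime.timezone.utc

SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    Name="urn:mace:example:ngren-federation" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.ng/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-constructed-placeholder-not-a-real-certificate</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.ng/idp/profile/SAML2/Redirect/SSO"/>
      <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.ng/idp/profile/SAML2/POST/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sgw.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="{HTTP_POST}" index="1" Location="https://sgw.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://legacy.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="{HTTP_POST}" index="1" Location="http://legacy.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def _endpoints(role, tag):
    """Binding -> Location for one endpoint type; a cleartext endpoint disqualifies the entity."""
    table = {}
    for endpoint in role.findall(f"{{{MD}}}{tag}"):
        location = endpoint.get("Location", "")
        if not location.startswith("https://"):
            raise ValueError("cleartext endpoint " + location)
        table[endpoint.get("Binding")] = location
    return table

def parse_federation(xml_text, now=None):
    """Return ({entityID: roles}, [rejected entityIDs]); raise if the aggregate has expired."""
    now = now or datetime.datetime.now(UTC)
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until and now >= datetime.datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC):
        raise ValueError("metadata aggregate expired on " + valid_until)
    entities, rejected = {}, []
    for descriptor in root.iter(f"{{{MD}}}EntityDescriptor"):
        entity_id, roles = descriptor.get("entityID"), {}
        try:
            idp = descriptor.find(f"{{{MD}}}IDPSSODescriptor")
            if idp is not None:  # a KeyDescriptor without 'use' serves both signing and encryption
                certs = [c.text.strip() for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
                         if kd.get("use") in (None, "signing") for c in kd.iter(f"{{{DS}}}X509Certificate")]
                if not certs:
                    raise ValueError("IdP without a signing certificate")
                roles["idp"] = {"sso": _endpoints(idp, "SingleSignOnService"), "signing_certs": certs}
            sp = descriptor.find(f"{{{MD}}}SPSSODescriptor")
            if sp is not None:
                roles["sp"] = {"acs": _endpoints(sp, "AssertionConsumerService")}
            entities[entity_id] = roles
        except ValueError:
            rejected.append(entity_id)
    return entities, rejected

def sso_location(entities, idp_entity_id, binding):
    """Where the SP sends its AuthnRequest; None for an IdP outside the federation."""
    return entities.get(idp_entity_id, {}).get("idp", {}).get("sso", {}).get(binding)

def demo():
    entities, rejected = parse_federation(SAMPLE_METADATA, datetime.datetime(2025, 1, 1, tzinfo=UTC))
    try:
        parse_federation(SAMPLE_METADATA, datetime.datetime(2031, 1, 1, tzinfo=UTC))
        stale_refused = False
    except ValueError:
        stale_refused = True
    idp_id = "https://idp.example.ng/idp/shibboleth"
    return {
        "idp_redirect": sso_location(entities, idp_id, HTTP_REDIRECT),
        "unknown_idp": sso_location(entities, "https://evil.example.com/idp", HTTP_REDIRECT),
        "signing_certs": len(entities[idp_id]["idp"]["signing_certs"]),
        "sgw_acs": entities["https://sgw.example.org/shibboleth"]["sp"]["acs"][HTTP_POST],
        "rejected": rejected,
        "stale_refused": stale_refused,
    }
```

An IdP that is not in the aggregate gets no endpoint back, which is the whole point of the federation file: the SP never sends a user to, or accepts an assertion from, an entity it has not been told to trust. In production the aggregate itself is signed by the federation operator and that signature is verified before parsing; that step is outside this stdlib-only example.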

Page 36

Reference and Prerequisite

• Linux operating system (CentOS)
• OpenLDAP: http://www.openldap.org
• Shibboleth: http://www.shibboleth.net
• Host certificates
  – For both machines, if installing on separate machines
  – Certificates signed by a CA

Page 37

Installation of Shibboleth

• Shibboleth consists of several individual components, which include
  – Identity Provider (IdP)
  – Service Provider (SP)
  – Discovery Service
• Installation requires a Java-based web server (Tomcat)
• Follow the installation process for your preferred platform

Page 38

Installation and configuration of ldap

• LDAP configuration
  – Add modules (schemas) to the LDAP server
  – Configure the root of the tree and the superuser
  – Add the organisation
• Add and configure users, groups and services
• Secure the host
  – Enable secure communication (TLS) to the LDAP server
  – Add the host certificate
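The LDAP steps above as an added, illustrative LDIF for an OpenLDAP server that uses cn=config; it is not the configuration of the NgREN deployment. The suffix, the `{2}hdb` database DN, the certificate paths, the IdP bind account and the user are assumptions, and the `{SSHA}` values are placeholders for `slappasswd` output.

```ldif
# Added example, not from the slides: LDIF for the page-38 steps on an OpenLDAP
# server configured through cn=config. Database DN, suffix, paths and the user
# are assumptions. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f 01-tls.ldif
#   ldapadd -x -ZZ -H ldap://ldap.example.ng -D cn=admin,dc=example,dc=ng -W -f 02-tree.ldif

# --- 01-tls.ldif: host certificate signed by a CA, then require TLS ---
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca-chain.pem
-
replace: olcTLSCertificateFile
olcTLSCertificateFile: /etc/openldap/certs/ldap.example.ng.crt
-
replace: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/openldap/certs/ldap.example.ng.key

# Root of the tree and the superuser (hash from slappasswd, never cleartext);
# refuse simple binds that are not protected by TLS; passwords readable by nobody.
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=ng
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=ng
-
replace: olcRootPW
olcRootPW: {SSHA}<output of slappasswd>
-
replace: olcSecurity
olcSecurity: tls=128 simple_bind=128
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self read by dn.exact="cn=idp,ou=Services,dc=example,dc=ng" read by * none

# --- 02-tree.ldif: organisation, containers, the IdP's bind account, one user ---
dn: dc=example,dc=ng
objectClass: dcObject
objectClass: organization
dc: example
o: Example University

dn: ou=People,dc=example,dc=ng
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=ng
objectClass: organizationalUnit
ou: Groups

dn: ou=Services,dc=example,dc=ng
objectClass: organizationalUnit
ou: Services

# The account the Shibboleth IdP binds with: read-only, granted above in olcAccess.
dn: cn=idp,ou=Services,dc=example,dc=ng
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: idp
userPassword: {SSHA}<output of slappasswd>

# eduPerson attributes need the eduperson schema loaded first (the "add modules" step).
dn: uid=ada,ou=People,dc=example,dc=ng
objectClass: inetOrgPerson
objectClass: eduPerson
uid: ada
cn: Ada Example
sn: Example
mail: ada@example.ng
eduPersonPrincipalName: ada@example.ng
eduPersonAffiliation: student
userPassword: {SSHA}<output of slappasswd>
```

The two settings that matter for a catch-all IdP serving many institutions are `olcSecurity`, which stops the IdP (or anyone else) from sending a password over a cleartext bind, and the `olcAccess` rule that leaves `userPassword` unreadable even to the IdP's own account: the IdP proves a password by binding as the user, not by reading the hash.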

Page 39

IdP Configuration

• The IdP is a Shibboleth service running in a Java servlet container; here the container is Tomcat 6
• The IdP configuration covers
  – Configuration of the firewall on the Tomcat server
  – Configuration of the Shibboleth components
• The components are configured through a series of XML files in the conf directory

Page 40

Shibboleth xml files

• attribute-filter.xml - which attributes will be released, and to which relying parties
• attribute-resolver.xml - how the IdP will resolve these attributes (e.g. from the LDAP server)
• handler.xml - what kinds of authentication schemes are allowed
• logging.xml - level and location of logging
• relying-party.xml - the parties (SPs and federations) that will be able to use the IdP
• Configuration of the host security and logging
• Configuration of the authentication/login screen
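An added illustration, not the NgREN IdP's actual file, of the attribute-filter.xml release policy for a Shibboleth IdP 2.x: it releases to one SP only the attributes that SP's access rules consume. The SP entityID and the entitlement value are assumptions.

```xml
<!-- Added example, not the deployment's own attribute-filter.xml. Shibboleth IdP 2.x
     syntax; the SP entityID and the entitlement value are assumptions. -->
<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:afp classpath:/schema/shibboleth-2.0-afp.xsd
                        urn:mace:shibboleth:2.0:afp:mf:basic classpath:/schema/shibboleth-2.0-afp-mf-basic.xsd">

    <!-- Release to the science gateway only what its access rules need. Any attribute
         no policy permits is never released (the filter is default deny). -->
    <AttributeFilterPolicy id="releaseToScienceGateway">
        <PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://sgw.example.org/shibboleth" />

        <AttributeRule attributeID="eduPersonPrincipalName">
            <PermitValueRule xsi:type="basic:ANY" />
        </AttributeRule>

        <!-- The affiliation vocabulary is fixed, so permit exact values rather than ANY. -->
        <AttributeRule attributeID="eduPersonAffiliation">
            <PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff" />
                <basic:Rule xsi:type="basic:AttributeValueString" value="student" />
            </PermitValueRule>
        </AttributeRule>

        <!-- Only the entitlement this SP consumes; other entitlement values stay home. -->
        <AttributeRule attributeID="eduPersonEntitlement">
            <PermitValueRule xsi:type="basic:AttributeValueString"
                             value="urn:mace:example:sgw" />
        </AttributeRule>
    </AttributeFilterPolicy>

    <!-- Deliberately no policy releasing mail, telephoneNumber or uid to every SP:
         a catch-all IdP serving several institutions should not leak them by default. -->
</AttributeFilterPolicyGroup>
```

The `PolicyRequirementRule` scopes the whole policy to one requester, so adding a second SP means a second policy, not widening this one; that is what keeps the IdP "privacy-preserving" in the sense the Overview slide uses.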

Page 41

NgREN Catch-All Identity Provider

Demonstration: http://ngidp.eko-konnect.net.ng

Page 42

Page 43

Page 44

• ngca.eko-konnect.net.ng
• ngidp.eko-konnect.net.ng
• African Grid Science Gateway

Page 45

Steps

• Step 1: Register
• Step 2: Accept the email confirmation
• Step 3: Mail notification sent to the admin
• Step 4: Admin authorises the account and notifies the user by email
• Step 5: User gets the mail
• You can now access all the service providers that accept authentication from the NgREN catch-all IdP

Page 46

What can we do?

• An NgNOG task force to complement efforts at NUC level to evolve an identity federation - http://ngren.edu.ng/news/ngren-hands-on-training-for-dicts-and-staff
• Evolve projects to collate user information in the community in a central database. This can start as spreadsheets per unit, then be aggregated
• Join Eko-Konnect to increase demand and resources on the Africa Grid Science Gateway
• Use lessons learned from these functional demonstrations to do the same in NgREN

Page 47

Thank you for listening

Questions?
