Federated Authentication with Web Services Clients
Federated Authentication with Web Services Clients in the context of SAML based AAI federations
Thomas Lenggenhager [email protected]
Mannheim, 8 March 2011
© 2011 SWITCH
Overview
• SAML n-tier Delegation with ECP Profile
• Argus – A scalable Authorization Service
Enhanced Client or Proxy (ECP) Profile
http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
http://saml.xml.org/saml-specifications
2 Federated AuthN with Web Services Clients
SAML n-tier Delegation with ECP Profile
• Allow a Web Portal to make use of delegation to access one or more Web Service Providers (WSP)
• The Web Portal and each WSP is itself a SAML SP
• Configuration changes required at IdP:
  1) Download and install delegation plug-in
  2) Add a profile handler for LibertyIDWSFSSOS Profile
  3) Change profile config to restrict delegation by Portal to its WSPs
  4) Add a new security policy for Liberty SSOS (a static explicit key signature trust engine)
  5) Add a new SingleSignOnService endpoint for the Liberty SSOS in the metadata
…it is not as easy as you would like it to be!
SAML n-tier Delegation with ECP Profile (2)
https://spaces.internet2.edu/display/ShibuPortal/Configuring+Shibboleth+Delegation+for+a+Portal
A single SAML entity
Where is AuthN required, where AuthZ?
• Authentication could be moved to the edges
• If inner components trust the outer components, no further authentication may be required
• Outer components with WebSSO support could act as gateways to inner components
• Outer components pass user attributes to inner components for authorization decisions close to the data access
• The Authorization Service Argus could play a role in such a scenario
Argus – A scalable Authorization Service
• Argus is an authorization service developed by EGEE / EMI
• Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way
• Argus 1.2 was released in Nov 2010
• Argus 1.3 to be released for EMI-1 in April 2011
EMI: European Middleware Initiative
Argus – Integration & Interoperability
Argus – Integration & Interoperability (2)
• Integration with lightweight PEP client API
• Interoperability with direct XACML authorization request (SOAP)
• Common XACML Authorization Profile
Argus Deployment
PAP: Policy Administration Point
• Manages the XACML policies
• Tools for administrators to manage policies
• Simple Policy Language (SPL) hides XACML complexity
• Hierarchical deployment of PAP servers
• e.g. for global banning
PDP: Policy Decision Point
• XACML engine
• Retrieves policies from PAP
• Receives authorization request from PEP daemon
• Evaluates authorization requests against the policies
PEP daemon: Policy Enforcement Point
• Client/Server architecture
• Processes the client requests
• Applies PIP to incoming requests
• Extracts data from end-entity certificate
• Processes the client responses
• Applies obligation handler to outgoing responses
• Determines user and group mapping
PEP client libraries
• Lightweight client libraries to communicate with the PEP daemon
• ANSI C and Java client libraries
• Hides the complexity of XACML
Argus – A Grid Example
• Argus answers the question "Is user X allowed to perform action Y on resource Z?" in the most general way
• A Grid example: Is 'CN=Peter Pan, DC=example,DC=org' allowed to submit a job to Computing Element ce.example.com?
Argus – A Grid Example (2)
• Authorization rules (policies) are expressed in XACML
• For most use cases XACML is too abstract
• Argus CLI supports a "simplified policy language", e.g.: allow user Peter to perform any action on resource my_resource
• Parameterize policies with attributes, e.g. DN, subject, CA, …
• Manage policies locally or import from remote repositories
• Combination possible: e.g. local policy & global black list
resource "my_resource" {
    action ".*" {
        rule permit { subject="/DC=org/DC=example/CN=Peter Pan" }
    }
}
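The SPL snippet above and the "Is user X allowed to perform action Y on resource Z?" question, worked through as an added example that is not Argus code: a small Python parser for policies written in the shape of that snippet, plus an evaluator that puts a global black list in front of a local policy. The two policy texts are constructed, and the matching semantics (resource and action patterns as regexes, rule attributes by exact equality, first applicable rule wins) are assumptions of this toy, not a statement about the Argus PDP.

```python
import re

# Constructed policies in the shape of the SPL snippet on the slide: the local site
# permits two users, the "global black list" bans one of them.
LOCAL_POLICY = '''
resource "my_resource" {
    action ".*" {
        rule permit { subject="/DC=org/DC=example/CN=Peter Pan" }
        rule permit { subject="/DC=org/DC=example/CN=Captain Hook" }
    }
}'''
GLOBAL_BANLIST = '''
resource ".*" {
    action ".*" {
        rule deny { subject="/DC=org/DC=example/CN=Captain Hook" }
    }
}'''
TOKEN = re.compile(r'"[^"]*"|\{|\}|[^\s{}"]+')   # quoted string, brace, or bare word

def parse_spl(text):
    """Flatten nested resource/action/rule blocks into an ordered list of
    (resource_regex, action_regex, effect, {attr: value}) tuples."""
    toks, rules, stack, i = TOKEN.findall(text), [], [], 0
    while i < len(toks):
        t = toks[i]
        if t in ("resource", "action"):             # keyword "value" {
            stack.append((t, toks[i + 1].strip('"'))); i += 3
        elif t == "rule":                           # rule effect { name="value" ... }
            effect, attrs, i = toks[i + 1], {}, i + 3
            while toks[i] != "}":
                attrs[toks[i].rstrip("=")] = toks[i + 1].strip('"'); i += 2
            ctx = dict(stack)
            rules.append((ctx["resource"], ctx["action"], effect, attrs)); i += 1
        elif t == "}":                              # end of a resource or action block
            stack.pop(); i += 1
        else:
            raise ValueError(f"unexpected token {t!r}")
    return rules

def authorize(subject_dn, action, resource, policies=(GLOBAL_BANLIST, LOCAL_POLICY)):
    """Is user X allowed to perform action Y on resource Z?  Resource/action
    patterns match as regexes, rule attributes by equality, first applicable rule
    decides (assumptions).  The black list goes first so a local permit can never
    override a ban; no match gives 'not-applicable', which a PEP treats as deny."""
    request = {"subject": subject_dn}
    for res_re, act_re, effect, attrs in (r for p in policies for r in parse_spl(p)):
        if (re.fullmatch(res_re, resource) and re.fullmatch(act_re, action)
                and all(request.get(k) == v for k, v in attrs.items())):
            return effect
    return "not-applicable"
```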
Argus Summary
+ Service management on the command line
+ Pluggable architecture, written in Java
+ Easy to add new features and deploy
+ Client has simple API in C & Java with virtually no dependencies
+ Easy to integrate into new clients
+ All Argus components can be deployed on one single host or on distributed hosts
• Argus Documentation <[email protected]>
  https://twiki.cern.ch/twiki/bin/view/EGEE/AuthorizationFramework
  https://twiki.cern.ch/twiki/bin/view/EGEE/SimplifiedPolicyLanguage
  https://twiki.cern.ch/twiki/bin/view/EGEE/AuthZPAPCLI
What's missing?
• A System Security Architect should be tasked to draft a Middleware Architecture for CLARIN