ARCHER’s Security Requirements within the AAF
2
Research Repository Requirements (relevant to AAF)
• Identity Management provided by the Federation
  Single sign-on for Federation services
• Federation members can access services
  For accessing and managing datasets in a Research Repository
  Accessible from either desktop or web applications
• Federation members can define groups of Federation members which can access their datasets
  Group membership defined autonomously by the group
• Research Repository accessible by other Federation services
  Including Grid services
• Privileges for content owners and groups managed by the Research Repository
• Consistent Identity and Group Management across Shibboleth- and PKI-protected services
3
Consistent Identity & Group Management
[Diagram: Identity Management and Group Management shown alongside Shibboleth-protected Services and PKI-protected Services]
4
Status of Repository Requirements
• Identity Management provided by the Federation
  Single sign-on for Federation services
• Federation members can access services
  For accessing and managing datasets in a Research Repository
  Accessible from either desktop or web applications
• Federation members can define groups of Federation members which can access their datasets
  Group membership defined autonomously by the group
• Research Repository accessible by other Federation services
  Including Grid services
• Privileges for content owners and groups managed by the Research Repository
• Consistent Identity and Group Management across Shibboleth- and PKI-protected services
Legend: • Available • Under Development • Not available
5
Objective: Access a Federation service (e.g. a research repository) using Shibboleth from either a web or desktop application
[Diagram: Research Repository]
Problem: Shibboleth was never designed to be used from desktop applications
6
Solution: Accessing a Federation Service from the Desktop using the Federation’s Identity Management
[Diagram: components are the Desktop App and Credential Manager (both on the Desktop), the Certificate Provider, the IdP and the Fed Service (PKI-protected). Numbered message flow:]
1. Request Cert.
2. Authenticate
3. Shib. Token
4. Shib Token
5. Shib Token
6. Attributes
7. Short-lived Cert.
8. Short-lived Cert.
9. Short-lived Cert.
10. Success/Fail
7
Credential Manager Requirements
• Must be able to authenticate with an Identity Provider
• Must be able to be trusted by the user, as they will be authenticating with their institution through it
• Must be able to cache the user’s credentials
• Must query the user for confirmation if an application requests a credential
• Must be available for Win, Mac, and Linux boxes
8
Certificate Provider Requirements
• Must generate certificates which:
  Are short-term
  Maintain a consistent identity for the user
  Are approved by IGTF
  Are signed by the Federation
  Transport only those Shibboleth attributes that are essential for accessing PKI-protected services
• Service must be managed by the Federation
• Desirable to have an interface which allows Grid Certificates to be refreshed
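The Certificate Provider requirements above (short-term, consistent identity, signed by the Federation, only essential Shibboleth attributes transported), together with the desktop flow on the earlier slide, as an added Go example that is not code from the ARCHER prototypes or SLCS: a stand-in Federation CA turns a released attribute set into a short-lived client certificate, and a PKI-protected service verifies it. The attribute names eduPersonPrincipalName and o, the P-256 keys, the lifetimes and the CA itself are assumptions; IGTF approval is a policy property the code does not model.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// NewKey generates a P-256 key pair; used here for both the stand-in Federation CA and the user.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// sign builds a certificate from tmpl, signed by parent with priv, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// NewFederationCA makes a self-signed CA standing in for the Federation-managed CA (assumption).
func NewFederationCA() (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := NewKey()
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{CommonName: "Example Federation CA"}, KeyUsage: x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour)}
	cert, err := sign(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// IssueShortLived is the Certificate Provider step: only eduPersonPrincipalName and o are carried into
// the short-lived cert, and the subject is the stable principal name so the identity stays consistent.
func IssueShortLived(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, attrs map[string]string, pub *ecdsa.PublicKey, lifetime time.Duration) (*x509.Certificate, error) {
	eppn := attrs["eduPersonPrincipalName"]
	if eppn == "" { return nil, errors.New("IdP released no eduPersonPrincipalName; refusing to issue") }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), // demo serial only
		Subject:   pkix.Name{CommonName: eppn, Organization: []string{attrs["o"]}},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(lifetime),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return sign(tmpl, caCert, pub, caKey)
}

// VerifyShortLived is the check a PKI-protected service makes: chain to the Federation CA as of
// time at, so an expired short-lived certificate is rejected.
func VerifyShortLived(cert, root *x509.Certificate, at time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}
```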
9
Useful Security Components
• SWITCH’s SLCS, for the Certificate Provider
  Shibboleth-protected web application
  Generates IGTF-approved certificates from Shibboleth attributes
• Bandit Project’s DigitalMe, for the Credential Manager
  Similar to Microsoft’s InfoCard/CardSpace solution
  Written in Java
• Red Hat’s CA
  To be used by the AAF
10
Cert. Provision with Cert. available from MyProxy
[Diagram: components are the Certificate User, the IdP, the Certificate Provider (Service Provider) with its Certificate Generator, and MyProxy; an external interface is available to MyProxy to refresh certificates. Numbered message flow:]
1. Shib Token
2. Shib Token
3. Attributes
4. Attributes
5. Short-lived Cert
6. Short-lived Cert.
11
Cert. Provider with Cert. not available from MyProxy
[Diagram: components are the Certificate User, the IdP, the Certificate Provider (SLCS) with its Certificate Generator, and MyProxy; an external interface is available to MyProxy to refresh certificates. Numbered message flow:]
1. Shib Token
2. Shib Token
3. Attributes
4. Attributes
5. Fail
6. Attributes
7. Attributes and Medium-lived Cert.
8. Success
9. Success
10. Attributes
11. Short-lived Cert.
12. Short-lived Cert.
12
[Diagram: components are the Web Portal, the IdP, the Certificate Provider, Red Hat CA, MyProxy (external interface available to MyProxy to refresh certificates), SLCS, and the Desktop App with DigitalMe and a Shib Module; labelled flows are Post Back, Request Short-term Cert. and Post back Cert.]
13
Prototypes: Shib Desktop Access & Shib Cert Provider
SVN: https://dev.archer.edu.au/projects/archer-data-activities/svn/security/current
In this folder, there are three separate projects:
ArcherCertProvider: The front-end webapps to manage certificates.
CardSpace: The desktop module for local certificate management.
Desktop Shibboleth: The desktop module for Shibboleth authentication.
Installation instructions for each module are provided in the README files available in each project.
To run the demonstration:
1. Deploy the ArcherCertProvider to a J2EE application server (tested with Tomcat 5.14+ and 6.*); an existing war file can be found at https://dev.archer.edu.au/downloads/ArcherCertProvider.war
2. Start the CardSpace: ant LocalCertManager
3. Run a HelloWorld example of a GSI application: ant GSIApp