Federated Identity Management for
NRENs and access to eInfrastructures
Cletus Okolie
NOC Manager
Eko-Konnect Research and Education Initiative
okoliec@eko-konnect.net.ng
08023824246
09/11/2013

ngNOG VIII - University of Benin
Outline
• Participation in WACREN project: eI4Africa
• What are e-Infrastructures?
• Public Key Infrastructure – Certification
Authorities
• Federated Identity Services – Terms and
Principles
• What is a Science Gateway?
• NgREN Catch-All Identity Provider Deployment
• Demo
eI4Africa
• An EU/FP7 project funded by the EC (DG CONNECT) under
the ‘Capacities Programme’
• Spanning 24 months (Nov. 2012 - Oct. 2014)
• With the aim of:
– Boosting the Research, Technological Development and
Innovation (RTDI) potential of African e-Infrastructures
– Supporting policy dialogues
– Enhancing Africa-EU cooperation

• In the framework of the joint Africa-EU Strategic
Partnership on
– Trade, regional integration and infrastructures (JAES Partnership
3)
– Science, information society and space (JAES Partnership 8)
03/07/2013

WACREN AGM - Abuja 2013
Objectives
• Outreach
– Build cooperation between Euro-African NRENs, RENs & user
communities
– Raise awareness at policy level on the benefits & value of REN
– Promote/strengthen Euro-African collaborative research on e-Infrastructures & their applications

• Produce a state-of-the-art study of e-Infrastructure application
uptake in Africa
• Flagship demonstrations from other continents & illustrate their
relevance to the African context in order to stimulate policy
dialogue on e-Infrastructures

• Stimulate targeted policy and regulatory discussions

Virtuous Circle of eI4Africa Activities

e-Infrastructures
• ICT elements that support e-Science

• e-Science - novel, large-scale inter-disciplinary global collaborations
between scientists and researchers across many different areas.
• ICT Elements
– high-speed research communication networks
– powerful computational resources (dedicated high performance
computers, clusters, large numbers of commodity PCs)
– grid and cloud technologies, data infrastructures (data
sources, scientific literature),
– sensors, web-based portals, scientific gateways and mobile devices.

• When integrated together = e-Infrastructures

A potential user of an e-infrastructure needs …
• A more powerful computer to run an application
• A great number of these computers to deliver results faster
• Access to specialized High Performance Computing facilities
• Access to large data sources
• Access to software not available
• To collaborate with other scientists across the world
• Access to scientific literature resources
• To connect to specialized instrumentation for analysis
• To connect to sensors for data collection
• Access to these facilities via a web-based portal or mobile device

Vision for African e-Infrastructure

The eI4Africa vision is a standard-based, fully interoperable ICT platform that will enable
scientists to do better research with collaborators across Africa and in other regions.
New training and education programs will be available to form the new generation of African
e-researchers able to tackle problems affecting the region.
Technical Services Teams
• African organizations in the eI4Africa technical
services teams
– Eko-Konnect (Nigeria)
– JKUAT and Kenya (Kenya)
– MERAKA (South Africa)
– TERNET (Tanzania)
– MAREN (Malawi)
– More welcome!!
Outputs
• Certification Authorities
– Nigeria, Kenya, Tanzania, South Africa, Malawi
– Deployed and issuing X.509 certificates tested on
GILDA t-Infrastructure

• Catch-All Identity Providers
– Nigeria, Kenya, South Africa, Tanzania

• Africa Grid Science Gateway
• Capacity building for resource sharing across
geographic and organisation boundaries with
established PKI Infrastructure
Federated Identity
Services, Certification Authorities &
Science Gateways
Principles and Terminology

Public Key Infrastructure
A public-key infrastructure (PKI) is a set of
hardware, software, people, policies, and
procedures needed to create, manage,
distribute, use, store, and revoke digital
certificates. The PKI creates digital
certificates which map public keys to
entities, securely stores these certificates
in a central repository and revokes them
if needed
PKI Concepts
• Certification Authority – CA
- issues and verifies the digital certificates
• Registration Authority – RA
- verifies the identity of users requesting
information from the CA. Can be one or more
• Validation Authority – VA
- responsible for providing information on whether
certificates are valid or not. Can be one or more
• End Entity
- user, such as an e-mail client, a web server, a web
browser or a VPN-gateway.
PKI Access Flow
• A user applies for a certificate with his public key
at a Registration Authority (RA)
• User identity is confirmed and certificate is issued
• The user digitally signs the new certificate
• The Validation authority checks the identity of
the issued certificate
• Implemented in software
CA = https://ngca.ekokonnect.net.ng/CA
VA = https://ngca.ekokonnect.net.ng/CA/mgt/scert.php

PKI Access Flow

Identity Federations
An identity federation is a group of
institutions and organisations that
sign up to an agreed set of policies
for exchanging information about
users and resources to enable
access via authentication
Service Provider (SP)
• Used to describe anyone who has a service,
resource or set of content that they want to
make available to users via a login.
• Login may be to limit access to subscribers or
specialist groups, or for personalisation
• The SP does not hold information about users.
It relies on Identity Providers, i.e. the
institution or organisation that a user belongs
to, to get user information
Identity Provider (IdP)
An Identity Provider or 'IdP' is a
term used to describe any
institution or organisation that
manages information about its
users and wants to provide access
to resources for these users.
Access Control
After the successful authentication the
identity provider will release a certain
amount of attributes to the service
provider
Access control is performed by matching
these attributes supplied by IdPs against
rules defined by SPs.
Authentication vs Authorization
• Authentication establishes the user’s
identity, done by identity provider
– To get authenticated by an IdP people have to be
enrolled on it and registered, upon proper
identification, on the registry connected to the IdP

• Authorization defines the user’s permission
within the application, done at service provider
– The fact that you are who you claim to be (i.e., you
are authenticated by an IdP) does not imply, by portal
policy, that you are automatically authorised to access
and use the SP, e.g. the Africa Grid Science Gateway. To do
so, people have to fill in the authorisation request.
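An added example (not from the original slides) of the SP-side check described under "Access Control" and "Authentication vs Authorization": released attributes are matched against SP rules, with deny by default. The entity IDs, scopes, rule format and permission names are assumptions made for illustration; the attribute names come from the eduPerson schema. It goes one step beyond the slide by discarding scoped values that the issuing IdP is not registered to assert.

```python
from dataclasses import dataclass

# Scopes each IdP is registered to assert; a real SP would read these from
# federation metadata. Entity IDs and scopes here are constructed.
IDP_SCOPES = {"https://idp.example.edu.ng/idp/shibboleth": {"example.edu.ng"}}

# Attributes whose values carry a scope after the "@".
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation", "eduPersonPrincipalName"}


@dataclass
class Rule:
    """Grant `permission` when every required attribute has an accepted value."""
    permission: str
    require: dict  # attribute name -> set of accepted values


# Hypothetical SP policy: any authenticated member may file the authorisation
# request, but using the gateway also needs the entitlement granted afterwards.
MEMBERS = {"member@example.edu.ng", "staff@example.edu.ng"}
SP_RULES = [
    Rule("request_authorisation", {"eduPersonScopedAffiliation": MEMBERS}),
    Rule("use_gateway", {
        "eduPersonScopedAffiliation": MEMBERS,
        "eduPersonEntitlement": {"urn:example:gateway:authorised-user"},
    }),
]


def normalise(idp_entity_id, released):
    """Turn released attributes into sets and drop values with a foreign scope."""
    allowed_scopes = IDP_SCOPES.get(idp_entity_id, set())
    cleaned = {}
    for name, value in released.items():
        values = {value} if isinstance(value, str) else set(value)
        if name in SCOPED_ATTRIBUTES:
            # An IdP may only vouch for users inside its own registered scope.
            values = {v for v in values if v.rpartition("@")[2] in allowed_scopes}
        cleaned[name] = values
    return cleaned


def authorize(idp_entity_id, released, rules=SP_RULES):
    """Return the set of permissions the SP grants for these attributes."""
    attrs = normalise(idp_entity_id, released)
    granted = set()
    for rule in rules:
        if not rule.require:
            continue  # a rule with no conditions would match everyone: fail closed
        if all(attrs.get(name, set()) & accepted
               for name, accepted in rule.require.items()):
            granted.add(rule.permission)
    return granted


if __name__ == "__main__":
    idp = "https://idp.example.edu.ng/idp/shibboleth"
    print(authorize(idp, {"eduPersonScopedAffiliation": ["staff@example.edu.ng"]}))
```
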
SAML
• Security Assertion Markup Language – XML standard
for exchanging the information
• Used for Web browser Single Sign-On (SSO)
• Three roles: the principal (typically a user), the identity
provider (IdP), and the service provider (SP)
• Does not specify the method of authentication at the
identity provider. You can choose the authentication
source: LDAP, Active Directory, SQL, custom
• Shibboleth (Java) and SimpleSAMLphp (PHP) - popular
SAML implementations, used with OpenLDAP and
EduERP in Eko-Konnect.
SAML – Web SSO Example

Sourced from
Wikipedia
NgREN Federation
• There is only one CA and IdF per country except
in some countries like US
• Currently a “Catch-All” IdP for NgREN is
maintained by Eko-Konnect as part of eI4Africa
at https://ngidp.eko-konnect.net.ng
• Used by UNN and LionGRID users in their
workshops
• With a database of users, any institution can
set up an IdP and participate in the evolution of
policies and framework for the NgREN federation.
What are Science gateways?
• A Science Gateway is a community-developed set of
tools, applications, and data that are integrated via a portal or a suite of
applications, usually in a graphical user interface, that is further
customized to meet the needs of a specific community.
• Gateways allow science teams to access data, perform shared
computations and generally work on resources together.
• Gateways provide access to a variety of capabilities including
– Workflows
– General or domain-specific analytic and software visualization
– Collaborative interfaces
– Resource discovery
– Job submission tools
– Job execution services
– Education modules

• Different SGWs exist, e.g. African Grid Science Gateway

Africa Grid Science Gateway
• The Africa Grid Science Gateway is a standard-based
web 2.0 demonstrative platform to
show the lighthouse applications identified by
the eI4Africa project and execute them on a
worldwide e-infrastructure.

Problems accessing the Science
Gateways?
• Some applications in a Science Gateway are
freely accessible but others are not and
require user authentication
• Grids and the diverse middleware have been
difficult for scientists to grasp
• Access to the Africa Science Gateway requires
federated credentials issued by an Identity
Provider.
Problems with Access contd.
• PKI and personal certificates have been a barrier to
access to e-infrastructure
• This is what IdF seeks to solve.

SG Access Workflow
• A user wants to sign in or requests a service that
requires authentication and authorisation
• The portal redirects the user to an IdP and the user's details
are checked in an LDAP server
• The portal contacts a service called eToken Service
where a proxy is created from a robot certificate
installed on a special USB-shaped smartcard
• The action is done on the grid
• The output is retrieved back to the portal machine
• The user is notified that the output is ready and she
can download it
Deploying the NgREN Catch-All
Identity Provider
Shibboleth and OpenLDAP

Overview
• Installation and configuration of Shibboleth
based IdP with LDAP backend
• Shibboleth is an open-source project that
provides Single Sign-On (SSO) capabilities and
allows sites to make informed authorization
decisions for individual access of protected
online resources in a privacy-preserving
manner.
How Shibboleth works?
• It works the same way as other web-based
single sign-on systems
• The major difference is its adherence to
standards and its ability to provide SSO support
to services outside of a user's organization
while still protecting their privacy

Web-based SSO system
• The main elements are
• Web Browser - represents the user within the
SSO process
• Resource - contains restricted access content
that the user wants
• Identity Provider (IdP) - authenticates the
user
• Service Provider (SP) - performs the SSO
process for the resource
Single Sign-On steps
• Step 1- User accesses the resources
• Step 2- Service provider issues Authentication
request
• Step 3- User authenticated at identity provider
• Step 4- Identity provider issues Authentication
response
• Step 5- Service provider checks authentication
response
• Step 6- Resource returns content
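An added example (not from the original slides) of what Step 5 involves on the SP side once the response's signature has been verified by the SAML software: destination, request correlation, status, issuer, validity window and audience. The sample response, entity IDs, URLs and the `check_response` helper are constructed for illustration; signature verification is assumed to have happened already and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample response; every entity ID, URL and ID value is made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" InResponseTo="_req42" Version="2.0" IssueInstant="2013-11-09T10:00:00Z"
    Destination="https://sp.example.org/Shibboleth.sso/SAML2/POST">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2013-11-09T10:00:00Z">
    <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
    <saml:Conditions NotBefore="2013-11-09T09:59:00Z" NotOnOrAfter="2013-11-09T10:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.org/shibboleth</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2013-11-09T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, *, sp_entity_id, acs_url, idp_entity_id,
                   pending_request_ids, now, skew=timedelta(minutes=3)):
    """Return a list of problems; an empty list means the response is acceptable.

    Assumes the XML signature was already verified against the IdP's key.
    """
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        problems.append("destination")        # sent to some other endpoint
    request_id = root.get("InResponseTo")
    if request_id not in pending_request_ids:
        problems.append("unsolicited")        # no matching request, or replayed
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + ["assertion-count"]
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append("issuer")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["conditions-missing"]
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now + skew < _ts(not_before):
        problems.append("not-yet-valid")
    if not not_on_or_after or now - skew >= _ts(not_on_or_after):
        problems.append("expired")
    audiences = [a.text.strip() for a in
                 conditions.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("audience")           # assertion was meant for another SP
    if not problems:
        pending_request_ids.discard(request_id)  # one response per request
    return problems


if __name__ == "__main__":
    print(check_response(
        SAMPLE_RESPONSE,
        sp_entity_id="https://sp.example.org/shibboleth",
        acs_url="https://sp.example.org/Shibboleth.sso/SAML2/POST",
        idp_entity_id="https://idp.example.org/idp/shibboleth",
        pending_request_ids={"_req42"},
        now=datetime(2013, 11, 9, 10, 1, tzinfo=timezone.utc)))
```
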
How Shibboleth works?
• Identity Provider Discovery, user attributes and metadata
• Identity Provider Discovery: this is what an SP working with multiple IdPs
uses to prompt the user for authentication.
• User attributes: this gives the system the ability to receive data about the
user from the IdP, e.g. email or phone number.
• Metadata: this gives the IdP and SP the ability to know which URL to use
when communicating with each other.
– A unique identifier known as the entity ID
– A human-readable name and description
– A list of URLs to which messages should be delivered and some information
about when each should be used
– Cryptographic information used when creating and verifying information

• A common function of the Federation is to publish a file that contains all
the Metadata for IdP and SP that have agreed to work together
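An added example (not from the original slides) that reads a federation metadata file and pulls out the four items listed above for each entity, flagging entries a federation operator would want to fix before publishing. The sample file, entity IDs, URLs and certificate placeholder are constructed, and the `load_entities` helper is hypothetical; verifying the federation's signature on the file is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Role descriptor element -> (short role name, endpoint element for that role)
ROLES = {"IDPSSODescriptor": ("idp", "SingleSignOnService"),
         "SPSSODescriptor": ("sp", "AssertionConsumerService")}

# Constructed, trimmed federation file: one IdP and one SP. The certificate
# body is a placeholder, not a real certificate.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:federation">
  <md:EntityDescriptor entityID="https://idp.example.edu.ng/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>Q09OU1RSVUNURUQ=</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu.ng/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationDisplayName xml:lang="en">Example University IdP</md:OrganizationDisplayName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://sp.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def load_entities(xml_text):
    """Return {entityID: summary} for every EntityDescriptor in the file."""
    entities = {}
    root = ET.fromstring(xml_text)
    # iter() also matches the root, so a single-entity file works too.
    for entity in root.iter("{%s}EntityDescriptor" % NS["md"]):
        name = entity.findtext("md:Organization/md:OrganizationDisplayName",
                               default="", namespaces=NS).strip()
        summary = {"name": name, "roles": {}, "findings": []}
        for tag, (role, endpoint_tag) in ROLES.items():
            descriptor = entity.find("md:" + tag, NS)
            if descriptor is None:
                continue
            # (binding short name, URL) for each place messages are delivered
            endpoints = [(e.get("Binding", "").rsplit(":", 1)[-1], e.get("Location", ""))
                         for e in descriptor.findall("md:" + endpoint_tag, NS)]
            # A KeyDescriptor without "use" serves for signing and encryption.
            signing_keys = [
                k for k in descriptor.findall("md:KeyDescriptor", NS)
                if k.get("use") in (None, "signing")
                and k.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None
            ]
            summary["roles"][role] = {"endpoints": endpoints,
                                      "signing_keys": len(signing_keys)}
            if not signing_keys:
                summary["findings"].append(role + ": no signing key")
            for _, location in endpoints:
                if urlsplit(location).scheme != "https":
                    summary["findings"].append(role + ": non-HTTPS endpoint " + location)
        entities[entity.get("entityID")] = summary
    return entities


if __name__ == "__main__":
    for entity_id, summary in load_entities(SAMPLE_METADATA).items():
        print(entity_id, summary["findings"] or "ok")
```
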

Reference and Prerequisite
• Linux Operating System (CentOS)
• OpenLDAP: http://www.openldap.org
• Shibboleth: http://www.shibboleth.net
• Host Certificates
– For both machines if installing on separate
machines
– Certificate signed by a CA

Installation of Shibboleth
• Shibboleth consists of several individual
components, which include
– Identity Provider (IdP)
– Service Provider (SP)
– Discovery Service

• Installation requires a Java-based web server - Tomcat
• Follow the installation process on your
preferred platform
Installation and configuration of LDAP
• LDAP configuration
– Add modules to LDAP server
– Configure the root of the tree and superuser
– Add organisation

• Add and configure users, groups and services
• Secure the host
– Enable secure communication to the LDAP server
– Add the host certificate
IdP Configuration
• The IdP is a Shibboleth service running in a
Java container. This container is based on
Tomcat 6
• The IdP configuration refers to the
– Configuration of the firewall on the Tomcat server
– Configuration of the Shibboleth components.

• The components include a series of XML files
in the conf directory
Shibboleth XML files
• attribute-filter.xml - the attributes that will be filtered
from the LDAP server
• attribute-resolver.xml - how the IdP will resolve these
attributes
• handler.xml - what kind of authentication schemes are
allowed
• logging.xml - level and location of logging
• relying-party.xml - parties that will be able to use the
IdP
• Configuration of the host security and logging
• Configuration of the authentication/login screen
NgREN Catch-All Identity
Provider
Demonstration
http://ngidp.eko-konnect.net.ng

• Ngca.eko-konnect.net.ng
• Ngidp.eko-konnect.net.ng
• African Grid Science Gateway

Steps
• Step #1: Register
• Step #2: Accept email confirmation
• Step #3: Mail notification sent to Admin
• Step #4: Admin authorises account and notifies
the user by email
• Step #5: User gets mail
• You can now access all the service providers that
can be authenticated with the NgREN catch-all
What can we do?
• NgNOG task force to complement efforts at NUC
level to evolve an IdF: http://ngren.edu.ng/news/ngren-hands-ontraining-for-dicts-and-staff
• Evolve projects to collate user information in the
community in a central database. Can be
spreadsheets per unit and aggregated.
• Join Eko-Konnect to increase demand and
resources on the Africa Grid Science Gateway.
• Use lessons learned from these functional
demonstrations to do similar in NgREN
Thank you for listening
Questions?

FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptxFINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
FINALS_OF_LEFT_ON_C'N_EL_DORADO_2024.pptx
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 

Presentation on Federated identity and Access Management

  • 1. Federated Identity Management for NRENs and access to eInfrastructures Cletus Okolie NOC Manager Eko-Konnect Research and Education Initiative okoliec@eko-konnect.net.ng 08023824246 09/11/2013 ngNOG VIII - University of Benin
  • 2. Outline
      • Participation in WACREN project: eI4Africa
      • What are e-Infrastructures?
      • Public Key Infrastructure – Certification Authorities
      • Federated Identity Services – Terms and Principles
      • What is a Science Gateway?
      • NgREN Catch-All Identity Provider Deployment
      • Demo
  • 3. eI4Africa
      • An EU/FP7 project funded by the EC (DG CONNECT) under the ‘Capacities Programme’
      • Spanning 24 months (Nov. 2012 - Oct. 2014)
      • With the aim of:
          – Boosting the Research, Technological Development and Innovation (RTDI) potential of African e-Infrastructures
          – Supporting policy dialogues
          – Enhancing Africa-EU cooperation
      • In the framework of the joint Africa-EU Strategic Partnership on
          – Trade, regional integration and infrastructures (JAES Partnership 3)
          – Science, information society and space (JAES Partnership 8)
      03/07/2013 WACREN AGM - Abuja 2013
  • 4. Objectives
      • Outreach
          – Build cooperation between Euro-African NRENs, RENs & user communities
          – Raise awareness at policy level on the benefits & value of REN
          – Promote/strengthen Euro-African collaborative research on eInfrastructures & their applications
      • Produce a state-of-the-art study of e-Infrastructure application uptake in Africa
      • Flagship demonstrations from other continents & illustrate their relevance to the African context in order to stimulate policy dialogue on e-Infrastructures
      • Stimulate targeted policy and regulatory discussions
  • 5. Virtuous Circle of eI4Africa Activities
  • 6. e-Infrastructures
      • ICT elements that support e-Science
      • e-Science - novel, large-scale inter-disciplinary global collaborations between scientists and researchers across many different areas.
      • ICT Elements
          – high-speed research communication networks
          – powerful computational resources (dedicated high performance computers, clusters, large numbers of commodity PCs)
          – grid and cloud technologies, data infrastructures (data sources, scientific literature),
          – sensors, web-based portals, scientific gateways and mobile devices.
      • When integrated together = e-Infrastructures
  • 7. A potential user of an e-infrastructure needs …
      • A more powerful computer to run an application
      • A great number of these computers to deliver results faster
      • Access to specialized High Performance Computing facilities
      • Access to large data sources
      • Access to software not available
      • To collaborate with other scientists across the world
      • Access to scientific literature resources
      • To connect to specialized instrumentation for analysis
      • To connect to sensors for data collection
      • Access to these facilities via a web-based portal or mobile device
  • 8. Vision for African e-Infrastructure
      The eI4Africa vision is a standard-based, fully interoperable ICT platform that will enable scientists to do better research with collaborators across Africa and in other regions. New training and education programs will be available to form the new generation of African e-researchers able to tackle problems affecting the region.
  • 9. Technical Services Teams
      • African organizations in the eI4Africa technical services teams
          – Eko-Konnect (Nigeria)
          – JKUAT and Kenya (Kenya)
          – MERAKA (South Africa)
          – TERNET (Tanzania)
          – MAREN (Malawi)
          – More welcome!!
  • 10. Outputs
      • Certification Authorities
          – Nigeria, Kenya, Tanzania, South Africa, Malawi
          – Deployed and issuing X.509 certificates tested on GILDA t-Infrastructure
      • Catch-All Identity Providers
          – Nigeria, Kenya, South Africa, Tanzania
      • Africa Grid Science Gateway
      • Capacity building for resource sharing across geographic and organisation boundaries with established PKI Infrastructure
  • 11. Federated Identity Services, Certification Authorities & Science Gateways: Principles and Terminology
  • 12. Public Key Infrastructure
      A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.
  • 13. PKI Concepts
      • Certification Authority – CA - issues and verifies the digital certificates
      • Registration Authority – RA - verifies the identity of users requesting information from the CA. Can be one or more
      • Validation Authority – VA - responsible for providing information on whether certificates are valid or not. Can be one or more
      • End Entity - user, such as an e-mail client, a web server, a web browser or a VPN-gateway.
  • 14. PKI Access Flow
      • A user applies for a certificate with his public key at a Registration Authority (RA)
      • User identity is confirmed and certificate is issued
      • The user digitally signs the new certificate
      • The Validation Authority checks the identity of the issued certificate
      • Implemented in software
      CA = https://ngca.ekokonnect.net.ng/CA
      VA = https://ngca.ekokonnect.net.ng/CA/mgt/scert.php
  • 15. PKI Access Flow
  • 17. Identity Federations
      An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access via authentication.
  • 18. Service Provider (SP)
      • Used to describe anyone who has a service, resource or set of content that they want to make available to users via a login.
      • Login may be to limit access to subscribers or specialist groups, or for personalisation
      • SPs do not hold information about users. They rely on Identity Providers, i.e. the institution or organisation that a user belongs to, to get user information
  • 19. Identity Provider (IdP)
      An Identity Provider or 'IdP' is a term used to describe any institution or organisation that manages information about its users and wants to provide access to resources for these users.
  • 20. Access Control
      After successful authentication, the identity provider releases a certain set of attributes to the service provider. Access control is performed by matching these attributes supplied by IdPs against rules defined by SPs.
  • 21. Authentication vs Authorization
      • Authentication establishes the user’s identity, done by the identity provider
          – To get authenticated by an IdP, people have to be enrolled on it and registered, upon proper identification, on the registry connected to the IdP
      • Authorization defines the user’s permission within the application, done at the service provider
          – The fact that you are the one you claim to be (i.e., you are authenticated by an IdP) does not imply, by portal policy, that you are automatically authorised to access and use the SP, e.g. the Africa Grid Science Gateway. To do so, people have to fill in the authorisation request.
  • 22. SAML
      • Security Assertion Markup Language – XML standard for exchanging the information
      • Used for Web browser Single Sign-On (SSO)
      • Three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP)
      • Does not specify the method of authentication at the identity provider. You can choose the authentication source: LDAP, Active Directory, SQL, custom
      • Shibboleth (Java) and SimpleSAMLphp (PHP) - popular SAML implementations used with OpenLDAP and EduERP in Eko-Konnect.
  • 23. SAML – Web SSO Example (sourced from Wikipedia)
  • 24. NgREN Federation
      • There is only one CA and IdF per country, except in some countries like the US
      • Currently a “Catch-All” IdP for NgREN is maintained by Eko-Konnect as part of eI4Africa at https://ngidp.eko-konnect.net.ng
      • Used by UNN and LionGRID users in their workshops
      • With a database of users, any institution can set up an IdP and participate in the evolution of policies and framework for the NgREN federation.
  • 25. What are Science gateways?
      • A Science Gateway is a community-developed set of tools, applications, and data that are integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community.
      • Gateways allow science teams to access data, perform shared computations and generally work on resources together.
      • Gateways provide access to a variety of capabilities including
          – Workflows
          – General or domain-specific analytic and software visualization
          – Collaborative interfaces
          – Resource discovery
          – Job submission tools
          – Job execution services
          – Education modules
      • Different SGWs exist, e.g. the African Grid Science Gateway
  • 26. Africa Grid Science Gateway
      • The Africa Grid Science Gateway is a standard-based web 2.0 demonstrative platform to show the lighthouse applications identified by the eI4Africa project and execute them on a worldwide e-infrastructure.
  • 27. Problems accessing the Science Gateways?
      • Some applications in a Science Gateway are freely accessible but others are not and require user authentication
      • Grids and the diverse middleware have been difficult for scientists to grasp
      • Access to the Africa Science Gateway requires federated credentials issued by an Identity Provider.
  • 28. Problems with Access contd.
      • PKI and personal certificates have been a barrier to access to e-infrastructure
      • This is what IdF seeks to solve.
  • 29. SG Access Workflow
      • A user wants to sign in or requires a service that requires authentication and authorisation
      • The portal redirects the user to an IdP and user details are checked in an LDAP server
      • The portal contacts a service called eToken Service where a proxy is created from a robot certificate installed on a special USB-shaped smartcard
      • The action is done on the grid
      • The output is retrieved back to the portal machine
      • The user is notified that the output is ready and she can download it
  • 30. Deploying the NgREN Catch-All Identity Provider: Shibboleth and OpenLDAP
  • 31. Overview
      • Installation and configuration of Shibboleth based IdP with LDAP backend
      • Shibboleth is an open-source project that provides Single Sign-On (SSO) capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
  • 32. How does Shibboleth work?
      • It works the same way as other web-based single sign-on systems
      • The major difference is its adherence to standards and its ability to provide SSO support to services outside of a user's organization while still protecting their privacy
  • 33. Web-based SSO system
      • The main elements are
      • Web Browser - represents the user within the SSO process
      • Resource - contains restricted access content that the user wants
      • Identity Provider (IdP) - authenticates the user
      • Service Provider (SP) - performs the SSO process for the resource
  • 34. Single Sign-On steps
      • Step 1 - User accesses the resources
      • Step 2 - Service provider issues Authentication request
      • Step 3 - User authenticated at identity provider
      • Step 4 - Identity provider issues Authentication response
      • Step 5 - Service provider checks authentication response
      • Step 6 - Resource returns content
  • 35. How does Shibboleth work?
      • Identity Provider Discovery, User attributes and Metadata
      • Identity Provider Discovery: this is what an SP working with multiple IdPs uses to prompt the user for authentication.
      • User attributes: this gives the system the ability to receive data about the user from the IdP, e.g. email or phone number.
      • Metadata: this gives the IdP and SP the ability to know which URL to use when communicating with each other.
          – A unique identifier known as entity id
          – A human readable name and description
          – A list of URLs to which messages should be delivered and some information about when each should be used
          – Cryptographic information used when creating and verifying information
      • A common function of the Federation is to publish a file that contains all the Metadata for IdPs and SPs that have agreed to work together
  • 36. Reference and Prerequisite
      • Linux Operating System (CentOS)
      • OpenLDAP: http://www.openldap.org
      • Shibboleth: http://www.shibboleth.net
      • Host Certificates
          – For both machines if installing on separate machines
          – Certificate signed by a CA
  • 37. Installation of Shibboleth
      • Shibboleth consists of several individual components which include
          – Identity Provider (IdP)
          – Service Provider (SP)
          – Discovery Service
      • Installation requires a Java-based web server (Tomcat)
      • Follow the installation process on your preferred platform
  • 38. Installation and configuration of LDAP
      • LDAP configuration
          – Add modules to LDAP server
          – Configure the root of the tree and superuser
          – Add organisation
      • Add and configure users, groups and services
      • Secure the host
          – Enable secure communication to the LDAP server
          – Add the host certificate
  • 39. IdP Configuration
      • The IdP is a Shibboleth service running in a Java container. This container is based on tomcat6
      • The IdP configuration refers to the
          – Configuration of the firewall on the Tomcat server
          – Configuration of the Shibboleth components.
      • The components include a series of XML files in the conf directory
  • 40. Shibboleth XML files
      • attribute-filter.xml - the attributes that will be filtered from the LDAP server
      • attribute-resolver.xml - how the IdP will resolve these attributes
      • handler.xml - what kind of authentication schemes are allowed
      • logging.xml - level and location of logging
      • relying-party.xml - parties that will be able to use the IdP
      • Configuration of the host security and logging
      • Configuration and authentication/login screen
  • 44.
      • Ngca.eko-konnect.net.ng
      • Ngidp.eko-konnect.net.ng
      • African Grid Science Gateway
  • 45. Steps
      • Register
      • Step #2: Accept email confirmation
      • Step #3: mail notification sent to Admin
      • Step #4: Admin authorises account and notifies the user by email
      • Step #5: User gets mail
      • You can now access all the service providers that can be authenticated with the NgREN catch-all
  • 46. What can we do?
      • NgNOG task force to complement efforts at NUC level to evolve an IdF http://ngren.edu.ng/news/ngren-hands-ontraining-for-dicts-and-staff
      • Evolve projects to collate user information in the community in a central database. Can be spreadsheets per unit and aggregated.
      • Join Eko-Konnect to increase demand and resources on the Africa Grid Science Gateway.
      • Use lessons learned from these functional demonstrations to do similar in NgREN
  • 47. Thank you for listening. Questions?
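
Slide 35 lists what federation metadata carries for each IdP and SP: entity ID, display name, endpoint URLs and cryptographic information. The following added example (not from the presentation or from Shibboleth) reads a small constructed metadata aggregate and reports entries an operator should fix before trusting them; the entity IDs, hostnames, certificate placeholder and the function names `load_entities` and `audit` are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed, trimmed aggregate: one IdP and one SP. A real federation file is
# signed, and that signature must be verified before any of this is trusted.
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.org/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-IDP-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:OrganizationDisplayName xml:lang="en">Example Catch-All IdP</md:OrganizationDisplayName>
    </md:Organization>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://gateway.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="1"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://gateway.example.org/Shibboleth.sso/SAML2/POST"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def load_entities(xml_text):
    """Map entityID -> role, display name, endpoints and signing certificates."""
    entities = {}
    for ent in ET.fromstring(xml_text).iter("{%s}EntityDescriptor" % NS["md"]):
        idp = ent.find("md:IDPSSODescriptor", NS)
        role = idp if idp is not None else ent.find("md:SPSSODescriptor", NS)
        if role is None:
            continue
        tag = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
        entities[ent.get("entityID")] = {
            "role": "IdP" if idp is not None else "SP",
            "name": ent.findtext("md:Organization/md:OrganizationDisplayName", "", NS),
            # Keep only the short binding name, e.g. HTTP-Redirect
            "endpoints": [(e.get("Binding").rsplit(":", 1)[-1], e.get("Location"))
                          for e in role.findall(tag, NS)],
            # A KeyDescriptor without a "use" attribute serves signing and encryption
            "signing_certs": [(c.text or "").strip()
                              for kd in role.findall("md:KeyDescriptor", NS)
                              if kd.get("use") in (None, "signing")
                              for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)],
        }
    return entities

def audit(entities):
    """Return (entityID, problem) pairs for entries that weaken the trust model."""
    problems = []
    for entity_id, info in entities.items():
        if info["role"] == "IdP" and not info["signing_certs"]:
            problems.append((entity_id, "IdP publishes no signing key"))
        for binding, location in info["endpoints"]:
            if not location.startswith("https://"):
                problems.append((entity_id, "non-TLS endpoint for " + binding))
    return problems
```
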

Editor's Notes

  1.  
  2. See https://refeds.org/resources/resources_info.html for talking notes
  3. EduERP already set up with faculty and groupings useful in attribute mapping but can be created in OpenLDAP or other directory.
  4. One identity provider for every campus to be plugged into the catch-all
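
Slides 20 and 21 describe access control as matching IdP-released attributes against rules defined by the SP, with authentication alone not implying authorisation. The following added example (not from the presentation) sketches that SP-side decision and goes one step further by discarding scoped values an IdP is not registered to assert; all entity IDs, scopes, entitlement values and rule names are constructed assumptions.

```python
# Scopes each trusted IdP may assert (constructed; a federation would publish
# this alongside the IdP's metadata).
TRUSTED_IDPS = {
    "https://idp.campus-a.example/idp/shibboleth": {"campus-a.example"},
    "https://catchall.example/idp/shibboleth": {"catchall.example"},
}

# SP rules, first match wins: every listed attribute must carry at least one
# accepted value. Rule and entitlement names are hypothetical.
RULES = [
    ("gateway-admin", {"eduPersonEntitlement": {"urn:example:gateway:admin"}}),
    ("gateway-user", {"eduPersonEntitlement": {"urn:example:gateway:user"},
                      "eduPersonScopedAffiliation": {"staff", "student", "member"}}),
]

def drop_foreign_scopes(issuer, attributes):
    """Keep value@scope affiliations only when the issuer may assert that scope."""
    allowed = TRUSTED_IDPS.get(issuer, set())
    cleaned = {}
    for name, values in attributes.items():
        if name == "eduPersonScopedAffiliation":
            kept = []
            for value in values:
                affiliation, _, scope = value.partition("@")
                if scope in allowed:
                    kept.append(affiliation)
            cleaned[name] = kept
        else:
            cleaned[name] = list(values)
    return cleaned

def authorise(issuer, attributes):
    """Return the name of the first matching rule, or None (default deny).

    Assumes the SAML response was already validated (signature, audience,
    validity window), so `issuer` and `attributes` are authentic.
    """
    if issuer not in TRUSTED_IDPS:
        return None
    attrs = drop_foreign_scopes(issuer, attributes)
    for rule_name, required in RULES:
        if all(set(attrs.get(attr, [])) & accepted
               for attr, accepted in required.items()):
            return rule_name
    return None
```

A `None` result for an authenticated user corresponds to the case on slide 21 where the user still has to file an authorisation request with the gateway.
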