This document discusses federated identity management for research and education networks (NRENs) and access to e-infrastructures in Africa. It covers the following key points:
- Participation in the eI4Africa project, which aims to boost African e-infrastructure research potential through cooperation between African and European NRENs.
- What e-infrastructures are and how they support e-science through high-speed networks, computing resources, data infrastructures, and more.
- How public key infrastructure (PKI) and federated identity services using standards like SAML and Shibboleth can provide single sign-on access to resources through a catch-all identity provider deployed for the Ng
Presentation on Federated identity and Access Management
1. Federated Identity Management for NRENs and access to eInfrastructures
Cletus Okolie
NOC Manager
Eko-Konnect Research and Education Initiative
okoliec@eko-konnect.net.ng
08023824246
09/11/2013
ngNOG VIII - University of Benin
2. Outline
• Participation in WACREN project: eI4Africa
• What are e-Infrastructures?
• Public Key Infrastructure – Certification Authorities
• Federated Identity Services – Terms and Principles
• What is a Science Gateway?
• NgREN Catch-All Identity Provider Deployment
• Demo
3. eI4Africa
• An EU/FP7 project funded by the EC (DG CONNECT) under the ‘Capacities Programme’
• Spanning 24 months (Nov. 2012 - Oct. 2014)
• With the aim of:
– Boosting the Research, Technological Development and Innovation (RTDI) potential of African e-Infrastructures
– Supporting policy dialogues
– Enhancing Africa-EU cooperation
• In the framework of the joint Africa-EU Strategic Partnership on
– Trade, regional integration and infrastructures (JAES Partnership 3)
– Science, information society and space (JAES Partnership 8)
03/07/2013
WACREN AGM - Abuja 2013
4. Objectives
• Outreach
– Build cooperation between Euro-African NRENs, RENs & user communities
– Raise awareness at policy level on the benefits & value of REN
– Promote/strengthen Euro-African collaborative research on eInfrastructures & their applications
• Produce a state-of-the-art study of e-Infrastructure application uptake in Africa
• Flagship demonstrations from other continents & illustrate their relevance to the African context in order to stimulate policy dialogue on e-Infrastructures
• Stimulate targeted policy and regulatory discussions
5. Virtuous Circle of eI4Africa Activities
6. e-Infrastructures
• ICT elements that support e-Science
• e-Science - novel, large-scale inter-disciplinary global collaborations between scientists and researchers across many different areas.
• ICT Elements
– high-speed research communication networks
– powerful computational resources (dedicated high performance computers, clusters, large numbers of commodity PCs)
– grid and cloud technologies, data infrastructures (data sources, scientific literature),
– sensors, web-based portals, scientific gateways and mobile devices.
• When integrated together = e-Infrastructures
7. A potential user of an e-infrastructure needs ….
• A more powerful computer to run an application
• A great number of these computers to deliver results faster
• Access to specialized High Performance Computing facilities
• Access to large data sources
• Access to software not available
• To collaborate with other scientists across the world
• Access to scientific literature resources
• To connect to specialized instrumentation for analysis
• To connect to sensors for data collection
• Access to these facilities via a web-based portal or mobile device
8. Vision for African e-Infrastructure
The eI4Africa vision is a standards-based, fully interoperable ICT platform that will enable scientists to do better research with collaborators across Africa and in other regions. New training and education programs will be available to form the new generation of African e-researchers able to tackle problems affecting the region.
9. Technical Services Teams
• African organizations in the eI4Africa technical services teams
– Eko-Konnect (Nigeria)
– JKUAT and Kenya (Kenya)
– MERAKA (South Africa)
– TERNET (Tanzania)
– MAREN (Malawi)
– More welcome!!
10. Outputs
• Certification Authorities
– Nigeria, Kenya, Tanzania, South Africa, Malawi
– Deployed and issuing X.509 certificates tested on the GILDA t-Infrastructure
• Catch-All Identity Providers
– Nigeria, Kenya, South Africa, Tanzania
• Africa Grid Science Gateway
• Capacity building for resource sharing across geographic and organisational boundaries with established PKI infrastructure
12. Public Key Infrastructure
A public-key infrastructure (PKI) is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. The PKI creates digital certificates which map public keys to entities, securely stores these certificates in a central repository and revokes them if needed.
13. PKI Concepts
• Certification Authority – CA
– issues and verifies the digital certificates
• Registration Authority – RA
– verifies the identity of users requesting information from the CA. There can be one or more.
• Validation Authority – VA
– responsible for providing information on whether certificates are valid or not. There can be one or more.
• End Entity
– a user, such as an e-mail client, a web server, a web browser or a VPN gateway.
14. PKI Access Flow
• A user applies for a certificate with his public key at a Registration Authority (RA)
• User identity is confirmed and the certificate is issued
• The user digitally signs with the new certificate
• The Validation Authority (VA) checks the validity of the issued certificate
• Implemented in software:
– CA = https://ngca.ekokonnect.net.ng/CA
– VA = https://ngca.ekokonnect.net.ng/CA/mgt/scert.php
17. Identity Federations
An identity federation is a group of institutions and organisations that sign up to an agreed set of policies for exchanging information about users and resources to enable access via authentication.
18. Service Provider (SP)
• Used to describe anyone who has a service, resource or set of content that they want to make available to users via a login.
• Login may be to limit access to subscribers or specialist groups, or for personalisation.
• The SP does not hold information about users. It relies on Identity Providers, i.e. the institution or organisation that a user belongs to, for user information.
19. Identity Provider (IdP)
An Identity Provider or 'IdP' is a term used to describe any institution or organisation that manages information about its users and wants to provide access to resources for these users.
20. Access Control
After successful authentication the identity provider releases a certain set of attributes to the service provider. Access control is performed by matching these attributes supplied by IdPs against rules defined by SPs.
21. Authentication vs Authorization
• Authentication establishes the user’s identity; done by the identity provider
– To be authenticated by an IdP, people have to be enrolled on it and registered, upon proper identification, in the registry connected to the IdP
• Authorization defines the user’s permissions within the application; done at the service provider
– The fact that you are who you claim to be (i.e., you are authenticated by an IdP) does not imply, by portal policy, that you are automatically authorised to access and use the SP, e.g. the Africa Grid Science Gateway. To do so, people have to fill in the authorisation request.
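The attribute matching described in slides 20 and 21, as an added example that is not part of the presentation: a small Python evaluator for SP rules written in the style of the Shibboleth SP's AccessControl syntax (Rule, RuleRegex, AND, OR, NOT). The policy, the attribute values and the example.edu.ng scope are constructed; an attribute the IdP did not release never matches, so an authenticated user with no usable attributes is still denied.

```python
"""Attribute-based access control at a Service Provider (added example)."""
import re
import xml.etree.ElementTree as ET

# Constructed SP policy in the style of the Shibboleth SP AccessControl syntax:
# faculty or staff of the example.edu.ng scope, or members of a gateway group,
# except anyone carrying a (constructed) 'blocked' entitlement.
SP_POLICY = """
<AccessControl>
  <AND>
    <OR>
      <Rule require="eduPersonScopedAffiliation">faculty@example.edu.ng staff@example.edu.ng</Rule>
      <RuleRegex require="isMemberOf">^cn=sgw-users,ou=groups,dc=.*$</RuleRegex>
    </OR>
    <NOT>
      <Rule require="eduPersonEntitlement">urn:example:blocked</Rule>
    </NOT>
  </AND>
</AccessControl>
"""

def evaluate(node, attrs):
    """Recursively decide whether attrs (name -> list of values) satisfies node."""
    if node.tag in ("AccessControl", "AND"):
        return all(evaluate(child, attrs) for child in node)
    if node.tag == "OR":
        return any(evaluate(child, attrs) for child in node)
    if node.tag == "NOT":
        return not evaluate(node[0], attrs)
    # Leaf rules: an attribute the IdP did not release has no values and never matches.
    values = attrs.get(node.get("require"), [])
    if node.tag == "Rule":
        wanted = set(node.text.split())  # whitespace-separated list; any value may match
        return any(v in wanted for v in values)
    if node.tag == "RuleRegex":
        pattern = re.compile(node.text.strip())
        return any(pattern.match(v) for v in values)
    raise ValueError(f"unsupported element {node.tag}")

def is_authorised(attrs, policy_xml=SP_POLICY):
    """Authorization decision for one authenticated user, given the released attributes."""
    return evaluate(ET.fromstring(policy_xml), attrs)
```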
22. SAML
• Security Assertion Markup Language – XML standard for exchanging the information
• Used for Web browser Single Sign-On (SSO)
• Three roles: the principal (typically a user), the identity provider (IdP), and the service provider (SP)
• Does not specify the method of authentication at the identity provider; you can choose the authentication source: LDAP, Active Directory, SQL, custom
• Shibboleth (Java) and SimpleSAMLphp (PHP) - popular SAML implementations, used with OpenLDAP and EduERP in Eko-Konnect.
23. SAML – Web SSO Example
(Diagram sourced from Wikipedia)
24. NgREN Federation
• There is only one CA and IdF per country, except in some countries like the US
• Currently a “Catch-All” IdP for NgREN is maintained by Eko-Konnect as part of eI4Africa, at https://ngidp.eko-konnect.net.ng
• Used by UNN and LionGRID users in their workshops
• With a database of users, any institution can set up an IdP and participate in the evolution of policies and framework for the NgREN federation.
25. What are Science gateways?
• A Science Gateway is a community-developed set of tools, applications, and data that are integrated via a portal or a suite of applications, usually in a graphical user interface, that is further customized to meet the needs of a specific community.
• Gateways allow science teams to access data, perform shared computations and generally work on resources together.
• Gateways provide access to a variety of capabilities including
– Workflows
– General or domain-specific analytic and software visualization
– Collaborative interfaces
– Resource discovery
– Job submission tools
– Job execution services
– Education modules
• Different SGWs exist, e.g. the Africa Grid Science Gateway
26. Africa Grid Science Gateway
• The Africa Grid Science Gateway is a standards-based web 2.0 demonstrative platform to show the lighthouse applications identified by the eI4Africa project and execute them on a worldwide e-infrastructure.
27. Problems accessing the Science Gateways?
• Some applications in a Science Gateway are freely accessible, but others are not and require user authentication
• Grids and their diverse middleware have been difficult for scientists to grasp
• Access to the Africa Science Gateway requires federated credentials issued by an Identity Provider.
28. Problems with Access contd.
• PKI and personal certificates have been a barrier to access to e-infrastructure
• This is what the IdF seeks to solve.
29. SG Access Workflow
• A user wants to sign in or requires a service that requires authentication and authorisation
• The portal redirects the user to an IdP and the user's details are checked in an LDAP server
• The portal contacts a service called the eToken Service, where a proxy is created from a robot certificate installed on a special USB-shaped smartcard
• The action is done on the grid
• The output is retrieved back to the portal machine
• The user is notified that the output is ready and she can download it
30. Deploying the NgREN Catch-All Identity Provider
Shibboleth and OpenLDAP
31. Overview
• Installation and configuration of a Shibboleth-based IdP with LDAP backend
• Shibboleth is an open-source project that provides Single Sign-On (SSO) capabilities and allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.
32. How Shibboleth works?
• It works the same way as other web-based single sign-on systems
• The major difference is its adherence to standards and its ability to provide SSO support to services outside of a user's organization while still protecting their privacy
33. Web-based SSO system
• The main elements are:
– Web Browser - represents the user within the SSO process
– Resource - contains restricted access content that the user wants
– Identity Provider (IdP) - authenticates the user
– Service Provider (SP) - performs the SSO process for the resource
34. Single Sign-On steps
• Step 1 - User accesses the resource
• Step 2 - Service provider issues Authentication request
• Step 3 - User authenticated at identity provider
• Step 4 - Identity provider issues Authentication response
• Step 5 - Service provider checks authentication response
• Step 6 - Resource returns content
35. How Shibboleth works?
• Identity provider Discovery, User attributes and Metadata
• Identity Provider Discovery: this is what an SP working with multiple IdPs uses to prompt the user to choose where to authenticate.
• User attributes: this gives the system the ability to receive data about the user from the IdP, e.g. email or phone number.
• Metadata: this gives the IdP and SP the ability to know which URL to use when communicating with each other. It contains:
– A unique identifier known as the entity ID
– A human-readable name and description
– A list of URLs to which messages should be delivered and some information about when each should be used
– Cryptographic information used when creating and verifying information
• A common function of the Federation is to publish a file that contains all the Metadata for IdPs and SPs that have agreed to work together
36. Reference and Prerequisite
• Linux Operating System (CentOS)
• OpenLDAP: http://www.openldap.org
• Shibboleth: http://www.shibboleth.net
• Host Certificates
– For both machines, if installing on separate machines
– Certificate signed by a CA
37. Installation of Shibboleth
• Shibboleth consists of several individual components, which include
– Identity Provider (IdP)
– Service Provider (SP)
– Discovery Service
• Installation requires a Java-based web server (Tomcat)
• Follow the installation process on your preferred platform
38. Installation and configuration of ldap
• LDAP configuration
– Add modules to LDAP server
– Configure the root of the tree and superuser
– Add organisation
• Add and configure users, groups and services
• Secure the host
– Enable secure communication to the ldap server
– Add the host certificate
39. IdP Configuration
• The IdP is a Shibboleth service running in a Java container. This container is based on Tomcat 6
• The IdP configuration refers to the
– Configuration of the firewall on the Tomcat server
– Configuration of the Shibboleth components.
• The components include a series of XML files in the conf directory
40. Shibboleth xml files
• attribute-filter.xml - which of the attributes obtained from the LDAP server are released
• attribute-resolver.xml - how the IdP will resolve these attributes
• handler.xml - what kind of authentication schemes are allowed
• logging.xml - level and location of logging
• relying-party.xml - parties that will be able to use the IdP
• Configuration of the host security and logging
• Configuration and authentication/login screen
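The attribute-filter logic listed above, as an added example that is not part of the presentation: a minimal Python evaluator for a constructed policy written in a subset of the Shibboleth IdP v2 filter syntax (basic:ANY, basic:AttributeRequesterString, basic:AttributeValueString). The SP entityID and the user record are placeholders; what it shows is that only values a policy explicitly permits for the requesting SP leave the IdP, which is how the privacy-preserving release described in slide 31 is enforced.

```python
"""Attribute release at the IdP, in the style of Shibboleth's attribute-filter.xml.
Added example, not the presentation's code; policy and user record are constructed."""
import xml.etree.ElementTree as ET

NS = {"afp": "urn:mace:shibboleth:2.0:afp"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed policy: every SP gets the scoped affiliation; only the placeholder
# science-gateway entityID also gets the 'member' value of eduPersonAffiliation.
# Anything not explicitly permitted (here, mail) is never released.
FILTER_POLICY = """
<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <afp:AttributeFilterPolicy id="releaseToAnySP">
    <afp:PolicyRequirementRule xsi:type="basic:ANY"/>
    <afp:AttributeRule attributeID="eduPersonScopedAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
  <afp:AttributeFilterPolicy id="releaseToScienceGateway">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sgw.example.org/shibboleth"/>
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:AttributeValueString" value="member"/>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
"""

def matches(rule, target):
    """basic:ANY matches everything; the *String matchers compare 'value' with target."""
    kind = rule.get(XSI_TYPE)
    if kind == "basic:ANY":
        return True
    if kind in ("basic:AttributeRequesterString", "basic:AttributeValueString"):
        return rule.get("value") == target
    raise ValueError(f"unsupported matcher {kind}")

def release(attrs, requester, policy_xml=FILTER_POLICY):
    """Return only the attribute values the policy permits for the requesting SP.
    attrs: user record (name -> list of values); requester: the SP's entityID."""
    released = {}
    for policy in ET.fromstring(policy_xml).findall("afp:AttributeFilterPolicy", NS):
        if not matches(policy.find("afp:PolicyRequirementRule", NS), requester):
            continue  # this policy does not apply to the requesting SP
        for arule in policy.findall("afp:AttributeRule", NS):
            name, permit = arule.get("attributeID"), arule.find("afp:PermitValueRule", NS)
            keep = [v for v in attrs.get(name, []) if matches(permit, v)]
            if keep:
                released.setdefault(name, []).extend(keep)
    return released
```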
45. Steps
• Step #1: Register
• Step #2: Accept email confirmation
• Step #3: Mail notification sent to Admin
• Step #4: Admin authorises account and notifies the user by email
• Step #5: User gets mail
• You can now access all the service providers that can be authenticated with the NgREN catch-all
46. What can we do?
• NgNOG task force to complement efforts at NUC level to evolve an IdF
http://ngren.edu.ng/news/ngren-hands-ontraining-for-dicts-and-staff
• Evolve projects to collate user information in the community in a central database. Can be spreadsheets per unit and aggregated.
• Join Eko-Konnect to increase demand and resources on the Africa Grid Science Gateway.
• Use lessons learned from these functional demonstrations to do similar work in NgREN
47. Thank you for listening
Questions?
Editor's Notes
See https://refeds.org/resources/resources_info.html for talking notes
EduERP is already set up with faculty and groupings useful in attribute mapping, but these can be created in OpenLDAP or another directory.
One identity provider for every campus to be plugged into the catch-all