Transcript Document
AARNet Copyright 2013
OpenConext Workshop
Down-Under
Session 1: Overview
Network
Enabling Operations
Federated Team Management,
Group-Aware SPs,
and SP Shop-Fronts
Neil Witheridge, AARNet
Authentication & Authorisation Services Technical Manager
25th October 2013
Session 1: Overview - Topics
Overview
Session Topics:
• Federated Authentication & Authorisation Background
• OpenConext Features (SP Shopfront, Group/Team mgnt & Group info retrieval)
• Architecture & Components (Demo clean installed OpenConext)
• SAML Proxy: IdP and SP Integration (Demo integrated IdP and SP)
• Group/Team Management (Demo Team Creation & Management)
• Group Proxy: Group Provider Integration (Demo API Playground)
Session Topics cont’d
• Virtual Organisations & VO-based Authorisation (Demo VOs & AuthZ)
• OpenSocial Container, Portal & Gadget Integration
(Demo Shindig OpenSocial Container, Rave Portal & Etherpad gadget)
• Security, Sustainability & Usability
• OpenConext Roadmap
• Session Wrap-up
Non-third-party-sourced content is under the Creative Commons “Attribution 3.0 Unported” license.
This means that you are permitted to freely copy, distribute, display, present, or perform material on the wiki,
and create derivative works from it, for either commercial or non-commercial purposes.
Federated Authentication & Authorisation Background
Federated Authentication
• SAML Federated Identity & Access ‘state of the art’
– Service Providers trust Identity Providers & vice versa (via SAML metadata)
– SPs request user attributes from the user’s IdP (info stored in institution’s identity store)
– IdP delivers according to Attribute Release Policy (ARP), with optional user consent
• E.g. AAF
– Metadata
– Policy
– Info
– WAYF
Authorisation Post Federated AuthN
• Importance of group-based access for HE&R services
– Research Team access to federated services
– VOs for Grid Services
– Service licensing, restricted access to commercially sensitive info
• User information used by service for authorisation decision
– IdP user attributes
• IdP authoritative & owned, directory schema -> namespace
– Team-attributes (Research Teams, Virtual Organisations)
• Team authoritative & owned namespace (URN), bilateral agreement with services
– urn:collab:group:biolabs:au:genome-team
– Authorisation Rights (e.g. populated in eduPersonEntitlement)
• Service authoritative & owned namespace (URN), delegates authority to issue
– urn:service-x:entitlement:foo
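An added example (not from the slides or from OpenConext's own code) of how an SP can keep the three namespaces apart when it makes the authorisation decision. The URN prefixes are the ones on the slide; SERVICE_ID, the TRUSTED_TEAMS set (standing in for the bilateral agreement) and the sample users are constructed for illustration.

```python
from dataclasses import dataclass, field

# Namespace prefixes taken from the slide; SERVICE_ID is a hypothetical service name.
TEAM_PREFIX = "urn:collab:group:"
SERVICE_ID = "service-x"
ENTITLEMENT_PREFIX = "urn:" + SERVICE_ID + ":entitlement:"

# Team URNs this service has agreed, bilaterally, to honour (constructed).
TRUSTED_TEAMS = {"urn:collab:group:biolabs:au:genome-team"}


@dataclass
class User:
    attributes: dict = field(default_factory=dict)  # IdP attributes, each multi-valued
    teams: tuple = ()                                # team URNs from a group provider


def own_entitlements(user):
    """Entitlement values inside this service's own namespace.

    Only the service is authoritative for urn:service-x:entitlement:*, so a
    value such as urn:service-y:entitlement:foo is ignored even if an IdP
    asserts it: the IdP is authoritative for its directory attributes, not
    for another service's rights.
    """
    values = user.attributes.get("eduPersonEntitlement", [])
    return {v[len(ENTITLEMENT_PREFIX):] for v in values if v.startswith(ENTITLEMENT_PREFIX)}


def trusted_teams(user):
    """Team URNs that are well-formed and covered by a bilateral agreement."""
    return {t for t in user.teams if t.startswith(TEAM_PREFIX) and t in TRUSTED_TEAMS}


def authorise(user, required_entitlement="foo"):
    """Return (allowed, reason): a service-issued entitlement wins, then team membership."""
    if required_entitlement in own_entitlements(user):
        return True, "entitlement:" + required_entitlement
    teams = trusted_teams(user)
    if teams:
        return True, "team:" + min(teams)
    return False, "no service entitlement and no trusted team"


if __name__ == "__main__":
    jane = User({"eduPersonEntitlement": ["urn:service-x:entitlement:foo"]})
    print(authorise(jane))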
Group-management Systems
Source: http://www.its.hku.hk/services/research/grid/egee/userguide
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
Source: http://www.switch.ch/aai/support/presentations/installfest-2008/D2-P3-GMT.pdf
Source: http://www.eresearch.edu.au/docs/280607/James_Dalziel_Alan_Lin_Neil_Witheridge.pdf
Source: SURFnet
http://www.youtube.com/watch?v=kUpn568NSl0&feature=player_embedded
OpenConext Features
SAMLFed, IdP, SP Integration
• Federated authentication of users
SAML Proxy Benefits
• OpenConext Engine as an IdP/SP Proxy
– Hub&Spoke -> centralised admin
– Potential for attribute aggregation
– Enables Services Shopfront
Group Information Retrieval
• Authenticated user group information from “Group Providers”
• Internal Group Provider “Grouper” + External Group Providers
– Registration of Group Providers = shared credentials
Group/Team Management
• Types of Group Providers supported by OpenConext:
– Grouper
– OpenSocial
• Group Management via “Teams” (interface to “Grouper”)
– Need trust in both Group management side (cf. IdP & institutional idm)
and mechanism for group information retrieval (cf. attribute resolver)
– Internet2’s Grouper is comprehensive group management solution
• Hierarchical groups, stems
• Advanced delegation of authority to administer
– “stem”: string that forms the leading part of a Group's name
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
OpenConext Architecture and Components
OpenConext Architecture
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
OpenConext Components
• Application components making up OpenConext
(component diagram labels: Grouper, JANUS, Mock Group Provider, API Playground, Java)
OpenConext Installation
• OpenConext Repository https://github.com/OpenConext
• Downloading OpenConext from Github
git clone https://github.com/OpenConext/OpenConext-vm.git
or
curl https://codeload.github.com/OpenConext/OpenConext-vm/tar.gz/master
• Easy OpenConext installation by running installation scripts
– Installation and setup will be covered in next session
• Mujina IdP
– Installed and pre-configured as IdP in OpenConext
– Convenient ‘test’ and ‘bootstrap’ IdP
– Provides default “admin” user
– REST interface provided to create users e.g. “addjane”
Installed Components
• ServiceRegistry
– OpenConext admin user management
– SAML Proxy configuration
– Adding connections (IdP and SP)
• Manage
– OpenConext usage, access to Engine metadata
– Adding Group Providers (also to configure test External Group Provider)
– Creating VOs (VO-based authZ described later)
• Other tools
– Teams (creation and management of Teams) (and Grouper native UI)
– API Playground (experiment with Group Info retrieval via “API” component)
– Profile (basic identity management)
SAML Proxy: IdP and SP Integration
SAML-Proxy functionality
• Engine proxies trusted SPs to trusted IdPs & vice versa
– Trusted IdPs metadata provisioned in Engine SP
– Engine IdP metadata provisioned in Trusted SPs
Integration with SAML Fed
• OpenConext in the national federation
– Registered as single SP (Engine)
• Federation IdPs release attributes to OpenConext Engine
• Proxy functionality -> “SP shopfront” or “Super SP”
Attribute Release Policy (ARP)
• OpenConext Engine deployed as SP in the National SAML Fed
– Engine SP SAML metadata provisioned in Nat Fed IdPs (& vice versa)
– OpenConext SPs provisioned with Engine IdP SAML metadata (& vice versa)
– Attribute requirements for Engine determine Nat Fed IdPs’ ARP
– Attribute req’s for OpenConext SPs determine OpenConext IdP ARP
– Only att’s received by Engine SP are available for release by Engine IdP
– OpenConext SP requirements configured in Service Registry
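An added example (not from the slides or from OpenConext) of the two attribute-release hops described above: the Nat Fed IdP filters by Engine's ARP, and Engine IdP can then release to an OpenConext SP only what that SP requires and Engine actually received. The attribute names, the Engine ARP, the SP entity IDs and their Service Registry requirements, and the sample IdP attributes are all constructed.

```python
# Engine ARP: the attributes Engine SP requires from Nat Fed IdPs (constructed).
ENGINE_ARP = {"uid", "mail", "displayName", "eduPersonAffiliation"}

# Per-SP requirements as they would be configured in Service Registry (constructed;
# entity IDs are placeholders). sp2 asks for an attribute Engine never receives,
# which is the case the slide's "only att's received by Engine SP" rule covers.
SP_REQUIREMENTS = {
    "https://sp1.example.org/saml": {"uid", "mail"},
    "https://sp2.example.org/saml": {"uid", "eduPersonEntitlement"},
}

# Everything a Nat Fed IdP holds for one user (constructed sample input).
IDP_ATTRIBUTES = {
    "uid": ["jane"],
    "mail": ["jane@example.edu"],
    "displayName": ["Jane Doe"],
    "sn": ["Doe"],
    "eduPersonAffiliation": ["staff"],
    "eduPersonEntitlement": ["urn:service-x:entitlement:foo"],
}


def natfed_idp_release(idp_attributes, engine_arp=ENGINE_ARP):
    """Hop 1: a Nat Fed IdP releases to Engine SP only what Engine's ARP asks for."""
    return {name: values for name, values in idp_attributes.items() if name in engine_arp}


def engine_idp_release(received, sp_entity_id, sp_requirements=SP_REQUIREMENTS):
    """Hop 2: Engine IdP releases the intersection of what the SP requires and
    what Engine received. Returns (released, missing) so a deployer can see an
    SP requirement that can never be satisfied through the proxy."""
    if sp_entity_id not in sp_requirements:
        raise KeyError("SP not registered in Service Registry: " + sp_entity_id)
    required = sp_requirements[sp_entity_id]
    released = {name: received[name] for name in required if name in received}
    missing = required - set(released)
    return released, missing


def proxy(idp_attributes, sp_entity_id):
    """Both hops end to end, from IdP directory to OpenConext SP."""
    return engine_idp_release(natfed_idp_release(idp_attributes), sp_entity_id)


if __name__ == "__main__":
    for sp in SP_REQUIREMENTS:
        print(sp, proxy(IDP_ATTRIBUTES, sp))
```

The point to take from the `missing` set is that an SP requirement must be reflected in Engine's own ARP before the Nat Fed IdPs will ever release it; fixing the SP side alone changes nothing.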
SAML Proxy Technology
• OpenConext Engine (Corto) & Service Registry (JANUS)
– Reuse of mature technology for SAML proxying, metadata admin
– SURFnet responsible for JANUS development
• Corto https://sites.google.com/site/cortopages/
• JANUS http://code.google.com/p/janus-ssp/
Source: https://code.google.com/p/janus-ssp/
Source: https://sites.google.com/site/cortopages/
SAML Proxy: Power & Flexibility
“IdP A” a member of Nat SAML Fed but
not trusting/trusted by OpenConext
(i.e. users can’t access “SP 1”, “SP-2”, “SP 3”)
“IdP 1”& “IdP 2” not members of Nat Fed
but trusted by OpenConext
(i.e. users can’t access “SP A” or “SP B”)
Group/Team Management
• Groups/Teams
– Groups=Teams in OpenConext
– Team types: private, public
• Group Providers
– Source of user group information (cf IdP for SAML federation)
– Built-in Group Provider: Internet2’s “Grouper”
• OpenConext groups/teams are flat
– External Group Providers can be integrated
• Types of Group Provider: Grouper, OpenSocial
• OpenConext “Teams” service, a GUI for Grouper
– Provision of GUI for External Group Providers ?
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
Team creation and admin
• “Teams” provides for secure team creation and administration
– Delegation of responsibilities for team administration
• User role requirements for team creation
• Email workflow
– User added to team at manager’s invitation
– User added to team at user’s request
• Adding Groups to Teams
– tbd
• Using the Grouper GUI directly
– Significance of ‘stem’
Group Proxy: Group Provider Integration (for Group Information Retrieval)
Group Proxy Functionality
• “API” component acts as Proxy to Group Providers for SPs
VOOT Protocol
• From SP perspective, requests are issued via VOOT protocol
• Retrieval of group and person information
– Standardised REST API based on OpenSocial Social API
• Subset of OpenSocial + {voot_membership_role} attributes
• Supported Requests:
– Information about authenticated user /people/@me
– List of groups the user is a member of /groups/@me
– List of people that are members of the user’s group /people/@me/<groupId>
– OAuth 2.0 and OAuth 1.0a (for legacy SPs) authentication supported
VOOT Request/Response e.g.
GET /groups/@me?sortBy=title HTTP/1.1
HTTP/1.1 200 OK
Content-Type: application/json
{
"entry": [
{
"description": "Group containing employees.",
"id": "employees",
"title": "Employees",
"voot_membership_role": "admin"
},
{
"description": "Group containing everyone at this institute.",
"id": "members",
"title": "Members",
"voot_membership_role": "member"
}
],
"itemsPerPage": 2, "startIndex": "0", "totalResults": 2
}
Source: http://www.internet2.edu/products-services/trust-identity-middleware/grouper/
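An added example (not from the slides or from OpenConext) of the SP side of the exchange above: parsing a /groups/@me page as an OAuth-protected SP would, validating the fields it relies on, and working out whether another page must be fetched. The sample body is the response from the slide, embedded as constructed input; the set of accepted voot_membership_role values is an assumption of this client, not something the slide states.

```python
import json

# The response body from the slide, embedded here as sample input.
SAMPLE_BODY = """{
  "entry": [
    {"description": "Group containing employees.", "id": "employees",
     "title": "Employees", "voot_membership_role": "admin"},
    {"description": "Group containing everyone at this institute.", "id": "members",
     "title": "Members", "voot_membership_role": "member"}
  ],
  "itemsPerPage": 2, "startIndex": "0", "totalResults": 2
}"""

# Roles this client is prepared to act on (assumption); anything else is rejected
# rather than silently treated as "member", so a provider change cannot widen access.
KNOWN_ROLES = {"admin", "manager", "member"}


def parse_groups_page(body):
    """Parse one /groups/@me page into (groups, next_start_index).

    Numeric paging fields are coerced with int() because, as the sample shows,
    startIndex may arrive as a string; next_start_index is None on the last page.
    """
    doc = json.loads(body)
    entries = doc.get("entry")
    if not isinstance(entries, list):
        raise ValueError("VOOT response has no 'entry' list")
    groups = []
    for e in entries:
        gid = e.get("id")
        if not isinstance(gid, str) or not gid:
            raise ValueError("group entry without a usable id")
        role = e.get("voot_membership_role", "member")
        if role not in KNOWN_ROLES:
            raise ValueError("unknown voot_membership_role: %r" % (role,))
        groups.append({"id": gid, "title": e.get("title", gid), "role": role})
    start = int(doc.get("startIndex", 0))
    per_page = int(doc.get("itemsPerPage", len(groups)))
    total = int(doc.get("totalResults", start + len(groups)))
    # per_page > 0 guards against a malformed page that would otherwise loop forever.
    next_start = start + per_page if per_page > 0 and start + per_page < total else None
    return groups, next_start


def groups_with_role(groups, role):
    """Group ids where the authenticated user holds the given role."""
    return [g["id"] for g in groups if g["role"] == role]


def page_is_valid(body):
    """True if the body parses under the checks above."""
    try:
        parse_groups_page(body)
        return True
    except (ValueError, TypeError):
        return False


if __name__ == "__main__":
    groups, nxt = parse_groups_page(SAMPLE_BODY)
    print(groups_with_role(groups, "admin"), nxt)
```

A real client would loop: request `/groups/@me?startIndex=<next_start_index>` while `next_start_index` is not None, passing the same bearer token each time.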
OAuth Authentication
• OAuth v2.0, Authorisation Code Grant
Source (reproduced in): http://www.bubblecode.net/en/2013/03/10/understanding-oauth2/
API Playground
• OpenConext provides an ‘API playground’ for testing OAuth/VOOT calls
• OAuth actors
– Resource, Resource Owner, Resource Server, Client, Authorisation Server
• OAuth security
– Client Registration with Authorisation Server (consumer key, secret)
– Reliance on TLS (i.e. use of https) in requests to service end-points
• API Playground OAuth protocols supported
– Version 1.0a 3-legged, 2-legged
– Version 2.0 Authorization Code Grant, Implicit Grant
• API Playground workflow
– OAuth Settings
– Authorisation Request
– API Request (changing the API Request to explore different VOOT requests)
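An added example (not from the slides, the API Playground, or OpenConext's code) that walks the Authorisation Code Grant the playground exercises, with all three OAuth actors in one process: client registration with a consumer key and secret, the authorisation request, the back-channel code exchange, and a bearer-token call to the API. The client id, secret, redirect URI, user name and group data are constructed; TLS is assumed to be present on every hop and is not modelled.

```python
import hmac
import secrets


class AuthorisationServer:
    """Stand-in for the OpenConext authorisation server (constructed, in-memory)."""

    def __init__(self):
        self.clients = {}  # consumer key -> (consumer secret, registered redirect_uri)
        self.codes = {}    # authorisation code -> (client_id, user, redirect_uri)
        self.tokens = {}   # access token -> resource owner

    def register_client(self, client_id, client_secret, redirect_uri):
        """Client Registration step: key, secret and the only redirect_uri we will honour."""
        self.clients[client_id] = (client_secret, redirect_uri)

    def authorise(self, client_id, redirect_uri, state, user):
        """Authorisation Request: the resource owner has logged in (via SAML) and consented."""
        if client_id not in self.clients or self.clients[client_id][1] != redirect_uri:
            raise PermissionError("unknown client or redirect_uri mismatch")
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user, redirect_uri)
        return {"code": code, "state": state}  # what the browser carries back to the client

    def token(self, client_id, client_secret, code, redirect_uri):
        """Back-channel code exchange, authenticated with the consumer secret."""
        registered = self.clients.get(client_id)
        if registered is None or not hmac.compare_digest(registered[0], client_secret):
            raise PermissionError("bad client credentials")
        entry = self.codes.pop(code, None)  # pop: a code is single-use
        if entry is None or entry[0] != client_id or entry[2] != redirect_uri:
            raise PermissionError("invalid, replayed or foreign code")
        access_token = secrets.token_urlsafe(24)
        self.tokens[access_token] = entry[1]
        return {"access_token": access_token, "token_type": "bearer"}


class ResourceServer:
    """The 'API' component: validates the bearer token, answers /groups/@me."""

    def __init__(self, auth_server, groups_by_user):
        self.auth_server, self.groups_by_user = auth_server, groups_by_user

    def get(self, path, authorization):
        scheme, _, token = authorization.partition(" ")
        user = self.auth_server.tokens.get(token) if scheme.lower() == "bearer" else None
        if user is None:
            return 401, {"error": "invalid_token"}
        if path != "/groups/@me":
            return 404, {"error": "not_found"}
        entries = self.groups_by_user.get(user, [])
        return 200, {"entry": entries, "totalResults": len(entries)}


class Client:
    """The SP acting as OAuth client."""

    def __init__(self, client_id, client_secret, redirect_uri, auth_server):
        self.client_id, self.client_secret = client_id, client_secret
        self.redirect_uri, self.auth_server = redirect_uri, auth_server
        self.state = self.access_token = None

    def start(self):
        self.state = secrets.token_urlsafe(8)  # bound to the user's browser session
        return {"client_id": self.client_id, "redirect_uri": self.redirect_uri,
                "response_type": "code", "state": self.state}

    def callback(self, params):
        if self.state is None or not hmac.compare_digest(params.get("state", ""), self.state):
            raise PermissionError("state mismatch: code not from a flow we started")
        self.state = None
        tok = self.auth_server.token(self.client_id, self.client_secret,
                                     params["code"], self.redirect_uri)
        self.access_token = tok["access_token"]

    def my_groups(self, api):
        return api.get("/groups/@me", "Bearer " + str(self.access_token))


def run_flow(client_secret_used=None, tamper_state=False):
    """Complete flow; the parameters let a caller reproduce the failure cases."""
    auth = AuthorisationServer()
    auth.register_client("sp1-key", "sp1-secret", "https://sp1.example.org/cb")
    api = ResourceServer(auth, {"jane": [{"id": "employees", "voot_membership_role": "admin"}]})
    client = Client("sp1-key", client_secret_used or "sp1-secret", "https://sp1.example.org/cb", auth)
    req = client.start()
    params = auth.authorise(req["client_id"], req["redirect_uri"], req["state"], user="jane")
    if tamper_state:
        params["state"] = "forged"
    client.callback(params)
    status, body = client.my_groups(api)
    return status, body, auth, params


def flow_succeeds(**kwargs):
    try:
        return run_flow(**kwargs)[0] == 200
    except PermissionError:
        return False


def code_replay_accepted(auth, params):
    """True only if the server wrongly accepts a second exchange of the same code."""
    try:
        auth.token("sp1-key", "sp1-secret", params["code"], "https://sp1.example.org/cb")
        return True
    except PermissionError:
        return False
```

The three checks worth reproducing in the playground are the ones the functions exercise: a code can be exchanged once, the exchange needs the consumer secret, and the client rejects a callback whose `state` it did not issue.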
Putting it together: SAML + Group Proxy
Virtual Organisations and VO-based Authorisation
VO’s and VO-based AuthZ
• In OpenConext, a Virtual Organisation is a group aggregator
– Defined in terms of groups, IdPs and stems
• Creating a VO
– “Manage” component provides for VO creation
– Types of VO: group(s), IdP(s), group(s)+IdP(s), stem
• Access to resources based on VO membership
– Authorisation built into OpenConext engine
– VO-based authorisation by virtue of Engine SAML IdP metadata
• Generate Engine IdP SAML metadata with VO suffix vo:<voName>
• Provision protected SP with Engine IdP metadata
• Only members of the VO (Groups, IdPs, stem) can access the service
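An added example (not from the slides or from OpenConext) of the VO membership decision the Engine makes for an SP that was provisioned with VO-suffixed IdP metadata. The vo:<voName> suffix is the slide's convention; the entity ID format around it, the VO definitions, the IdP entity IDs and the group ids are constructed, and treating a VO as "any listed group, IdP or stem matches" is this example's reading of the slide's "group aggregator".

```python
from dataclasses import dataclass

# Suffix marker from the slide: Engine IdP metadata for a VO ends in vo:<voName>.
VO_MARKER = "vo:"


@dataclass(frozen=True)
class VirtualOrganisation:
    name: str
    groups: frozenset = frozenset()  # group ids (Teams / Group Provider groups)
    idps: frozenset = frozenset()    # IdP entity IDs whose users are all members
    stems: tuple = ()                # stem prefixes; any group under a stem counts


# Constructed VO definitions, one per type listed on the slide (group, IdP, stem).
VOS = {
    "genomics": VirtualOrganisation("genomics",
                                    groups=frozenset({"urn:collab:group:biolabs:au:genome-team"})),
    "uni-staff": VirtualOrganisation("uni-staff",
                                     idps=frozenset({"https://idp.uni.example.edu/idp"})),
    "biolabs": VirtualOrganisation("biolabs", stems=("urn:collab:group:biolabs:",)),
}

# Placeholder Engine IdP entity ID; the VO-specific variant appends /vo:<voName>.
ENGINE_IDP = "https://engine.example.org/authentication/idp/metadata"


def vo_name_from_entity_id(engine_idp_entity_id):
    """Extract <voName> from a VO-scoped Engine IdP entity ID; None if not VO-scoped."""
    _, marker, vo_name = engine_idp_entity_id.rpartition(VO_MARKER)
    if not marker or not vo_name:
        return None
    return vo_name


def is_member(vo, idp_entity_id, user_groups):
    """Aggregator semantics (assumption): a user is in the VO if ANY criterion matches."""
    if idp_entity_id in vo.idps:
        return True
    if any(g in vo.groups for g in user_groups):
        return True
    return any(g.startswith(stem) for stem in vo.stems for g in user_groups)


def authorise_login(engine_idp_entity_id, vos, idp_entity_id, user_groups):
    """Decision for a login arriving at the SP's configured Engine IdP entity ID.

    Returns (allowed, reason). An SP provisioned with the plain (non-VO)
    metadata gets no VO restriction; an unknown VO name fails closed.
    """
    vo_name = vo_name_from_entity_id(engine_idp_entity_id)
    if vo_name is None:
        return True, "no VO restriction on this SP"
    vo = vos.get(vo_name)
    if vo is None:
        return False, "unknown VO: " + vo_name
    if is_member(vo, idp_entity_id, user_groups):
        return True, "member of VO " + vo_name
    return False, "not a member of VO " + vo_name


if __name__ == "__main__":
    print(authorise_login(ENGINE_IDP + "/vo:genomics", VOS,
                          "https://idp.other.example.edu/idp",
                          ["urn:collab:group:biolabs:au:genome-team"]))
```

The group list passed in is what the Group Proxy returns for the authenticated user, so the VO check sits on top of the same group information retrieval the earlier slides describe.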
VO-Based Authorisation
OpenSocial Container, Portal and Gadget integration
JISC Conext / Jacson
• Uptake of OpenConext by JISC
– Development of JISC Conext / Jacson (initially for JISCmail)
• Integration of OpenSocial Container & Portal in OpenConext
– Initially intended to be an integral part of OpenConext
• OpenSocial Container – Apache Shindig
• OpenSocial Portal – Apache Rave
– OpenSocial Gadgets – e.g. Etherpad
• Federated Authentication and Group Information retrieval
• Uptake of OpenSocial technology.
– Key value of OpenSocial Portal infrastructure such as “Jacson”
• Potential for Australian HE&R Service Providers?
Security, Sustainability and Ease of Use
OpenConext Security
• OpenConext Security Mechanisms
– SAML Proxy related, Group Proxy related (OpenSocial API)
• OpenConext Security
– Analysis undertaken of SURFconext components by 3rd party
• Australian HE&R focus on Group Information Retrieval
– VOOT/OAuth security
• reliance on TLS
– Considerable work on OAuth Security undertaken
• http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01
• Security Analysis of Double redirection protocols
http://pomcor.com/techreports/DoubleRedirection.pdf
OpenConext Sustainability
• Continuing use for the Netherlands’ National SAML Federation
• Global uptake & collaboration (e.g. in deploying, documenting)
JISC
Internet2
Source: http://conext.jiscconext.org.uk/cgi-bin/greeting?instanceID=1
Source: https://spaces.internet2.edu/download/attachments/10732/2012-COmanage-info-rev.pdf
Ease of Use
• Deployment
– Open Source, supported, growing development & user community, maillists
– Focus on documentation, ease of installation
• Development
– OpenSocial / OAuth Client libraries available for most languages
• Java (e.g. Scribe)
• PHP (e.g. zend_oauth)
• Python (e.g. rauth)
• Workshops & conferences
– Active topic at technical conferences
– Workshops being created & delivered
OpenConext Roadmap
• Niels van Dijk to describe current priorities and future plan for
OpenConext development
• Also (depending on time) report on
– Global Uptake
– Documentation effort
– Commitment of SURFnet to support for global uptake
– Keeping informed and contributing to development
Wrapping Up, Questions?
[email protected]
[email protected]
Preparation for Session 2
• Session 2 to go into technical detail, building on Session 1
– SP development work will be undertaken during afternoon sessions
• Preparation for Session 2:
– Preparation section
• Confirm connectivity
• Virtual Machines
– Assigned to participants – add initials on VM list to reserve
– Note IP address, domain name
– Username and password on whiteboard
– Access via SSH