AARNet Copyright 2013
Network Operations
OpenConext Workshop Down-Under
Enabling Federated Team Management, Group-Aware SPs, and SP Shop-Fronts
Neil Witheridge, AARNet Authentication & Authorisation Services Technical Manager
Non-third-party-sourced content is under the Creative Commons “Attribution 3.0 Unported” license. This means that you are permitted to freely copy, distribute, display, present, or perform material on the wiki, and create derivative works from it, for either commercial or non-commercial purposes.
Group Information Retrieval
• Authenticated user group information from “Group Providers”
• Internal Group Provider “Grouper” + External Group Providers
  – Registration of Group Providers = shared credentials
Overview
Group/Team Management
• Types of Group Providers supported by OpenConext:
  – Grouper
  – OpenSocial
• Group Management via “Teams” (interface to “Grouper”)
  – Need trust in both the group management side (cf. IdP & institutional IdM) and the mechanism for group information retrieval (cf. attribute resolver)
  – Internet2’s Grouper is a comprehensive group management solution
    • Hierarchical groups, stems
    • Advanced delegation of authority to administer
  – “stem”: string that forms the leading part of a Group’s name
• Downloading OpenConext from GitHub
  git clone https://github.com/OpenConext/OpenConext-vm.git
  or
  curl https://codeload.github.com/OpenConext/OpenConext-vm/tar.gz/master
• Easy OpenConext installation by running installation scripts
  – Installation and setup will be covered in the next session
• Mujina IdP
  – Installed and pre-configured as IdP in OpenConext
  – Convenient ‘test’ and ‘bootstrap’ IdP
  – Provides default “admin” user
  – REST interface provided to create users, e.g. “addjane”
  – OpenConext admin user management
  – SAML Proxy configuration
  – Adding connections (IdP and SP)
• Manage
  – OpenConext usage, access to Engine metadata
  – Adding Group Providers (also to configure a test External Group Provider)
  – Creating VOs (VO-based authZ described later)
• Other tools
  – Teams (creation and management of Teams) (and Grouper native UI)
  – API Playground (experiment with Group Info retrieval via the “API” component)
  – Profile (basic identity management)
  – Attribute requirements for Engine determine the National Federation IdPs’ ARP (attribute release policy)
  – Attribute requirements for OpenConext SPs determine the OpenConext IdP ARP
  – Only attributes received by the Engine SP are available for release by the Engine IdP
  – OpenConext SP requirements configured in Service Registry
SAML Proxy Technology
• OpenConext Engine (Corto) & Service Registry (JANUS)
  – Reuse of mature technology for SAML proxying and metadata administration
  – SURFnet responsible for JANUS development
• Corto: https://sites.google.com/site/cortopages/
• JANUS: http://code.google.com/p/janus-ssp/
Source: https://sites.google.com/site/cortopages/
Source: https://code.google.com/p/janus-ssp/
SAML Proxy: Power & Flexibility
• “IdP A” is a member of the National SAML Federation but does not trust, and is not trusted by, OpenConext (i.e. its users can’t access “SP 1”, “SP 2” or “SP 3”)
• “IdP 1” & “IdP 2” are not members of the National Federation but are trusted by OpenConext (i.e. their users can’t access “SP A” or “SP B”)
Group/Team Management
Group/Team Management
• Groups/Teams
  – Groups = Teams in OpenConext
  – Team types: private, public
• Group Providers
  – Source of user group information (cf. IdP for SAML federation)
  – Built-in Group Provider: Internet2’s “Grouper”
• OpenConext groups/teams are flat
  – External Group Providers can be integrated
• Types of Group Provider: Grouper, OpenSocial
• OpenConext “Teams” service, a GUI for Grouper
Team creation and admin
• “Teams” provides for secure team creation and administration
  – Delegation of responsibilities for team administration
    • User role requirements for team creation
    • Email workflow
  – User added to team at manager’s invitation
  – User added to team at user’s request
• Adding Groups to Teams
  – tbd
• Using the Grouper GUI directly
  – Significance of ‘stem’
Group Proxy: Group Provider Integration (for Group Information Retrieval)
Group Proxy Functionality
• “API” component acts as Proxy to Group Providers for SPs
VOOT Protocol
• From the SP perspective, requests are issued via the VOOT protocol
• Retrieval of group and person information
  – Standardised REST API based on the OpenSocial Social API
    • Subset of OpenSocial + the {voot_membership_role} attribute
• Supported requests:
  – Information about the authenticated user: /people/@me
  – List of groups the user is a member of: /groups/@me
  – List of people that are members of the user’s group: /people/@me/<groupId>
  – OAuth 2.0 and OAuth 1.0a (for legacy SPs) supported
  – Client registration with the Authorisation Server (consumer key, secret)
  – Reliance on TLS (i.e. use of https) in requests to service end-points: an OAuth 2.0 bearer token is protected only by the channel, so the SP must refuse non-https end-points and verify the server certificate
• API Playground OAuth protocols supported
  – Version 1.0a: 3-legged, 2-legged
  – Version 2.0: Authorization Code Grant, Implicit Grant
• API Playground workflow
  – OAuth settings
  – Authorisation request
  – API request (changing the API request to explore different VOOT requests)
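The SP side of the VOOT exchange above, as an added example that is not OpenConext’s own code: it builds the /groups/@me request with an OAuth 2.0 bearer token, refuses any non-https end-point, parses the OpenSocial-style envelope with the voot_membership_role attribute, and makes a group-aware authorisation decision. The base URL, token value, group identifiers and the sample response are constructed for illustration and are not taken from a real deployment.

```python
"""Group-aware SP: fetch the authenticated user's groups over VOOT and decide
access on the result.  Added example, not OpenConext code.  Endpoint base URL,
access token, group ids and the sample response below are all assumed."""
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# VOOT 1.0 membership roles carried in voot_membership_role.
VALID_ROLES = {"admin", "manager", "member"}

# Constructed sample of a /groups/@me response (OpenSocial envelope around
# an "entry" list); the group ids and titles are invented.
SAMPLE_GROUPS_RESPONSE = json.dumps({
    "startIndex": 0,
    "totalResults": 2,
    "itemsPerPage": 2,
    "entry": [
        {"id": "urn:collab:group:example.org:nl:example:teams:wiki-editors",
         "title": "wiki-editors", "voot_membership_role": "admin"},
        {"id": "urn:collab:group:example.org:nl:example:teams:readers",
         "title": "readers", "voot_membership_role": "member"},
    ],
})


def voot_url(base, path):
    """Join the API base and a VOOT path, failing closed on anything that is
    not https: a bearer token is protected only by the TLS channel, so a
    plain-http end-point would hand it to anyone on the path."""
    parts = urlsplit(base)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("VOOT endpoint must be an https URL: %r" % base)
    return base.rstrip("/") + "/" + path.lstrip("/")


def build_request(base, path, access_token):
    """GET request carrying the OAuth 2.0 token in the Authorization header
    rather than the query string (query strings end up in access logs)."""
    req = urllib.request.Request(voot_url(base, path))
    req.add_header("Authorization", "Bearer " + access_token)
    req.add_header("Accept", "application/json")
    return req


def fetch(base, path, access_token):
    """Perform the request with chain and hostname verification enabled
    (the default SSL context does both).  Needs network; not used offline."""
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(build_request(base, path, access_token),
                                context=ctx, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_groups(body):
    """Turn a /groups/@me response body into {group_id: role}.

    The envelope and every role value are validated so a malformed or
    unexpected response raises instead of silently yielding memberships."""
    doc = json.loads(body)
    entries = doc.get("entry")
    if not isinstance(entries, list):
        raise ValueError("missing 'entry' list in VOOT response")
    groups = {}
    for e in entries:
        if not isinstance(e, dict):
            raise ValueError("malformed group entry: %r" % (e,))
        gid = e.get("id")
        role = e.get("voot_membership_role")
        if not isinstance(gid, str) or role not in VALID_ROLES:
            raise ValueError("malformed group entry: %r" % (e,))
        groups[gid] = role
    return groups


def is_authorised(groups, required_group, required_roles=VALID_ROLES):
    """Authorisation decision: the user must hold one of required_roles in
    the exact group id.  Compare full ids, not titles, since titles are not
    unique across group providers."""
    return groups.get(required_group) in required_roles


if __name__ == "__main__":
    # Offline walk-through on the constructed sample (base path is assumed).
    req = build_request("https://api.example.org/v1/social/rest",
                        "/groups/@me", "example-access-token")
    print(req.full_url, req.get_header("Authorization"))
    groups = parse_groups(SAMPLE_GROUPS_RESPONSE)
    wiki = "urn:collab:group:example.org:nl:example:teams:wiki-editors"
    print("wiki admin:", is_authorised(groups, wiki, {"admin"}))
```

In a real SP the token would come from the Authorization Code grant completed earlier in the API Playground workflow, and fetch() would replace the sample body; the parsing and decision logic stay the same.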
Putting it together: SAML + Group Proxy
Virtual Organisations and VO-based Authorisation
VOs and VO-based AuthZ
• In OpenConext, a Virtual Organisation is a group aggregator
  – Defined in terms of groups, IdPs and stems
• Creating a VO
  – “Manage” component provides for VO creation
  – Types of VO: group(s), IdP(s), group(s)+IdP(s), stem
• Access to resources based on VO membership
  – Authorisation built into the OpenConext Engine
  – VO-based authorisation by virtue of Engine SAML IdP metadata
    • Generate Engine IdP SAML metadata with the VO suffix vo:<voName>
    • Provision the protected SP with that Engine IdP metadata
    • Only members of the VO (Groups, IdPs, stem) can access the service
VO-Based Authorisation Overview
OpenSocial Container, Portal and Gadget integration
JISC Conext / Jacson
• Uptake of OpenConext by JISC
  – Development of JISC Conext / Jacson (initially for JISCmail)
• Integration of OpenSocial Container & Portal in OpenConext
  – Initially intended to be an integral part of OpenConext
    • OpenSocial Container – Apache Shindig
    • OpenSocial Portal – Apache Rave
  – OpenSocial Gadgets – e.g. Etherpad
• Federated Authentication and Group Information retrieval
• Uptake of OpenSocial technology
  – Key value of OpenSocial Portal infrastructure such as “Jacson”
• Potential for Australian HE&R Service Providers?
  – SAML Proxy related, Group Proxy related (OpenSocial API)
• OpenConext Security
  – Analysis undertaken of SURFconext components by a 3rd party
• Australian HE&R focus on Group Information Retrieval
  – VOOT/OAuth security
    • Reliance on TLS
  – Considerable work on OAuth security undertaken
    • http://tools.ietf.org/html/draft-ietf-oauth-v2-threatmodel-01
    • Security Analysis of Double redirection protocols http://
OpenConext Sustainability
• Continuing use for The Netherlands’ National SAML Federation
• Global uptake & collaboration (e.g. in deploying, documenting)