Experimental OpenID Service for DOEGrids Summer Student Program 2008 Jan Durand ESnet 08/06/08

Dec 18, 2015

Transcript
Page 1

Experimental OpenID Service for DOEGrids
Summer Student Program 2008
Jan Durand
ESnet, 08/06/08

Page 2

ESnet

ESnet is a high-speed network which is hosted at and managed by Berkeley Lab and is funded by the DOE Office of Science to provide network and collaboration services to thousands of Department of Energy scientists and collaborators worldwide.

ESnet's ATF group supports identity and other secure collaboration services and runs the DOEGrids CA, as well as supports several Grid CA federations, including TAGPMA and IGTF.

ESnet is interested in emerging federation technologies such as OpenID and Shibboleth.

My work is focused on the OpenID authentication protocol.

Page 3

OpenID Overview

OpenID is an authentication service for exchanging identity information between endpoints using a digital identifier, typically an OpenID URL.

Developed in May 2005 by Brad Fitzpatrick at Six Apart and dubbed OpenID 1.0.

Eliminates need for multiple usernames across different websites.
Decentralized - anyone can use/provide OpenIDs.
Single Sign-On - one sign-on per browser session.
Relying Parties include LiveJournal, WikiSpaces; OpenID Providers include AOL, Yahoo!, Verisign.
OpenID 2.0 specification released December 2007 with new features (Yadis discovery, proper extension support).

Page 4

OpenID Overview (protocol flow diagram between the RP (Web App.), the User Agent (Browser), the OpenID URL and the OP (Authentication Service))

1. OpenID URL
2. Discovery (Yadis/HTML)
3. Association (optional)
4. Redirect user to OP with Authentication request
5. Authentication request + End user credentials
6. Redirect user to RP with Auth. response
7. Authentication response
8. Verification (optional)
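The association established in step 3 is what lets the RP check the authentication response of step 7 without the extra round trip of step 8. The following is an added example (not code from the presentation, and written in Python rather than the OpenID4Java API the project used) of that check: it builds the OpenID 2.0 key-value form of the signed fields, recomputes the HMAC with the association's MAC key, and rejects a response whose required fields are unsigned or whose signed content was altered. The OP/RP URLs, the MAC key and the response are constructed for the example.

```python
import base64
import hashlib
import hmac

# Fields OpenID 2.0 requires every positive assertion to sign (spec section 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")

def kv_form(signed_fields, params):
    """Key-Value Form Encoding (spec section 6.1): one 'name:value' line per signed field."""
    return "".join("%s:%s\n" % (name, params.get("openid." + name, "")) for name in signed_fields)

def sign_response(params, mac_key, assoc_type="HMAC-SHA256"):
    """Base64 HMAC over the signed fields, keyed with the association MAC key (step 3)."""
    digest = hashlib.sha256 if assoc_type == "HMAC-SHA256" else hashlib.sha1
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, kv_form(signed, params).encode("utf-8"), digest).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_response(params, mac_key, assoc_type="HMAC-SHA256"):
    """RP-side check of the indirect response (step 7) when the RP holds an association."""
    signed = params.get("openid.signed", "").split(",")
    if not all(f in signed for f in REQUIRED_SIGNED):
        return False                  # a required field left unsigned could be swapped freely
    for name in ("claimed_id", "identity"):
        if "openid." + name in params and name not in signed:
            return False              # identity fields, when present, must be signed too
    expected = sign_response(params, mac_key, assoc_type)
    return hmac.compare_digest(expected, params.get("openid.sig", ""))

def demo():
    """Constructed OP response: the genuine copy verifies, a copy with a swapped identity fails."""
    mac_key = b"constructed-shared-secret-from-association"  # real MAC keys come from step 3
    response = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.org/server",   # hypothetical OP
        "openid.claimed_id": "https://op.example.org/user/alice",
        "openid.identity": "https://op.example.org/user/alice",
        "openid.return_to": "https://rp.example.org/finish",     # hypothetical RP
        "openid.response_nonce": "2008-08-06T12:00:00Zabc123",
        "openid.assoc_handle": "constructed-handle-1",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    response["openid.sig"] = sign_response(response, mac_key)
    tampered = dict(response, **{"openid.identity": "https://op.example.org/user/mallory"})
    return verify_response(response, mac_key), verify_response(tampered, mac_key)
```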

Page 5

Objectives

Experiment with OpenID protocol and available APIs to assess feasibility of implementation.

OpenID 1.0 vs. OpenID 2.0 - ESnet wants 2.0 but needs to understand interoperability issues with 1.0.

Create OpenID Relying Party and Provider tailored for DOEGrids/ESnet customer base.

Investigate user authentication using an LDAP server as the source of truth.

Investigate certificate-based user authentication (DOEGrids CA).

Page 6

Tools

We used the SXIP OpenID4Java API: supports the OpenID 2.0 specification, open source, online documentation, Java language.

Apache HTTP Server – open source, popular, documentation

Apache Tomcat backend to Apache HTTP Server to serve Java Servlets and JavaServer Pages.

Page 7

Progress

Created basic Relying Party to display OpenID Provider responses (parameters, attributes). Used responses from commercial providers to model our Provider's behavior and set the standard for its functionality.

Created OpenID Provider – authenticates against an LDAP server, complies with OpenID 2.0 specification (i.e. supports Attribute Exchange extension, Yadis protocol discovery)

Page 8

OpenID Overview (protocol flow diagram with an LDAP-backed OP: RP (Web App.), User Agent (Browser), OpenID URL, OP (Authentication Service), LDAP Server)

1. OpenID URL
2. Discovery (Yadis/HTML)
3. Association (optional)
4. Redirect user to OP with Authentication request
5. Authentication request + Username + Password
   5. a) Username + Password (OP to LDAP Server)
   5. b) Auth. result (LDAP Server to OP)
6. Redirect user to RP with Auth. response
7. Authentication response
8. Verification (optional)

Page 9: figure; only the label "1" survived.

Page 10: figure; only the label "4" survived.

Page 11: figure; only the label "5" survived.

Page 12: figure; only the label "7" survived.

Page 13: figure; only the label "7" survived.

Page 14

OpenID Overview (protocol flow diagram with certificate-based authentication: RP (Web App.), User Agent (Browser), OpenID URL, OP (Authentication Service), LDAP Server)

1. OpenID URL
2. Discovery (Yadis/HTML)
3. Association (optional)
4. Redirect user to OP with Authentication request
5. Authentication request + User certificate
   5. a) User certificate (OP to LDAP Server)
   5. b) Auth. result (LDAP Server to OP)
6. Redirect user to RP with Auth. response
7. Authentication response
8. Verification (optional)

Page 15: figure; only the label "1" survived.

Page 16: figure; only the label "4" survived.

Page 17: figure; only the label "5" survived.

Page 18: figure; only the label "5" survived.

Page 19: figure; only the label "5" survived.

Page 20: figure; only the label "5" survived.

Page 21: figure; only the label "7" survived.

Page 22

Relying Party Issues Encountered

Compiler errors and server crashes due to missing libraries. Copied over sample app. libraries.

Understanding the details of the OpenID specification was helpful in debugging, even with sample code. E.g. nonce verification: hosts should synchronize with a NIST time server.
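The nonce problem above comes from the RP-side check that OpenID 2.0 requires on openid.response_nonce: the nonce carries the OP's UTC timestamp, and an RP whose clock drifts from the OP's rejects perfectly valid responses as too old or too new. The following is an added example (not from the presentation, and in Python rather than OpenID4Java) of that check, including the one-time-use test that makes the nonce a replay defence; the OP URL, the nonces and the RP clock are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 response_nonce: a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" followed by any
# printable ASCII (spec section 10.1); the pair (op_endpoint, nonce) must never repeat.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)([\x21-\x7e]*)$")

class NonceChecker:
    """RP-side replay protection; 'seen' stands in for a persistent store with expiry."""
    def __init__(self, max_skew=timedelta(minutes=5)):
        self.max_skew = max_skew
        self.seen = set()

    def check(self, op_endpoint, nonce, now):
        m = NONCE_RE.match(nonce)
        if not m:
            return "malformed"
        issued = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if abs(now - issued) > self.max_skew:
            return "stale"       # also exactly what an unsynchronised RP or OP clock looks like
        if (op_endpoint, nonce) in self.seen:
            return "replay"
        self.seen.add((op_endpoint, nonce))
        return "ok"

def demo():
    """Constructed nonces checked against a fixed RP clock."""
    op = "https://op.example.org/server"      # hypothetical OP
    rp_clock = datetime(2008, 8, 6, 12, 0, 30, tzinfo=timezone.utc)
    checker = NonceChecker()
    nonce = "2008-08-06T12:00:00Zabc123"      # issued 30 s before the RP clock reads
    return [
        checker.check(op, nonce, rp_clock),                          # ok: fresh, first use
        checker.check(op, nonce, rp_clock),                          # replay: same nonce again
        checker.check(op, nonce, rp_clock + timedelta(minutes=10)),  # stale: 10 min of skew
        checker.check(op, "not-a-nonce", rp_clock),                  # malformed
    ]
```

Note that the skew check runs before the replay check, so a genuine, never-seen nonce is still refused once the clocks disagree by more than max_skew.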

Page 23

OpenID Provider Issues Encountered

Yadis Discovery initially did not work.
Despite API documentation some details had to be learned through experience.
The API methods or sample code did not perform direct communication.
Initial SSL configuration on Apache HTTP Server interfered with OpenID protocol.

Page 24

Why certificate-based authentication?

ESnet has over 2500 DOEGrids CA customers with X509 certificates.
Integration with OpenID service.
Automatic enrollment.
Service can be extended to international grid community and customers of commercial CAs e.g. Thawte, VeriSign.

OpenID allows for attribute exchange and may be easier to use than certificate-based authentication.

Page 25

Interests/Future Considerations

Extension support/Attribute Exchange extension

Directed Identity – sign in with OP URL

Security concerns e.g. Phishing

Delegation – You choose your OpenID

Roadmap/Recommendations to ESnet ATF

Page 26

Attribute Exchange

OpenID 2.0 feature, allows for exchange of attributes as UTF-8 strings with no newlines.

Each attribute must have an associated attribute type URI which MAY be dereferenced to an attribute description.

No central authority on attribute schema definitions. SXIP hosts community project www.axschema.org.

For Yadis discovery, the attribute exchange namespace "http://openid.net/srv/ax/1.0" SHOULD be listed as a <Type> child element of the <Service> element in the XRDS discovery document.
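As an added example (not the project's code; Python rather than OpenID4Java), the following parses an XRDS discovery document, picks the OpenID 2.0 OP endpoint service and reports whether that service lists the AX namespace as a <Type>, then builds the openid.ax.* parameters of an AX fetch_request using attribute type URIs from axschema.org. The XRDS document and the OP URL are constructed for the example.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"                       # XRD 2.0 namespace used in XRDS documents
OPENID2_SERVER = "http://specs.openid.net/auth/2.0/server"
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed XRDS document for a hypothetical OP that advertises Attribute Exchange.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>http://openid.net/srv/ax/1.0</Type>
      <URI>https://op.example.org/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

def parse_services(xrds_text):
    """Return the <Service> elements as dicts, highest priority (lowest number) first."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        services.append({
            "priority": int(svc.get("priority", "2147483647")),   # no attribute = lowest priority
            "types": [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS)],
            "uris": [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS)],
        })
    return sorted(services, key=lambda s: s["priority"])

def op_endpoint_and_ax(xrds_text):
    """Pick the OpenID 2.0 OP endpoint and report whether it lists the AX namespace."""
    for s in parse_services(xrds_text):
        if OPENID2_SERVER in s["types"] and s["uris"]:
            return s["uris"][0], AX_NS in s["types"]
    return None, False

def ax_fetch_request(required, optional=()):
    """Build the openid.ax.* parameters of an AX fetch_request from (alias, type URI) pairs."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, type_uri in list(required) + list(optional):
        params["openid.ax.type." + alias] = type_uri
    if required:
        params["openid.ax.required"] = ",".join(a for a, _ in required)
    if optional:
        params["openid.ax.if_available"] = ",".join(a for a, _ in optional)
    return params
```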

Page 27

Directed Identity

OpenID 2.0 feature, user can enter an OP Identifier at the Relying Party instead of their OpenID URL.

The Relying Party does discovery on the OP Identifier and redirects the end user to the OP with a claimed ID of http://specs.openid.net/auth/2.0/identifier_select.

At the OP, the user selects their actual OpenID URL to return to the Relying Party.

The Relying Party is then required to perform discovery on this URL to ensure that the provider is entitled to authenticate it.

Page 28

Security Concerns

Phishing is a major concern in the OpenID community.

Association prevents tampering of signed fields.

The SSL certificate-based authentication approach eliminates this threat.

However, on a general scope, Man-in-the-Middle attacks and other security threats can still be investigated.

Page 29

Delegation

Allows an end user to use a URL to authenticate at any OpenID provider. End user can maintain a consistent OpenID URL while switching between OpenID providers. E.g. to use www.jan.com as OpenID URL, add:

<link rel="openid2.server" href="http://myopenid.com/server" />
<link rel="openid2.local_id" href="http://jandurand.myopenid.com" />

in the <head> tags of the html page. Specifying an "X-XRDS-Location" to an XRDS document via:

<meta http-equiv="X-XRDS-Location" content="location">

allows for specification of multiple OpenIDs and Providers, catering for load balancing, fallback and prioritization.

The end user will be authenticated as the Claimed Identifier specified at the Relying Party.
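Both delegation (this slide) and Directed Identity (page 27) end with the same RP-side step: re-discover the asserted claimed identifier and confirm that the OP which signed the response is the one that identifier delegates to, with the identity matching its openid2.local_id. The following is an added example (not the project's code; Python rather than OpenID4Java) of HTML-based discovery and that entitlement check, using a constructed copy of the www.jan.com page with the two <link> tags from the slide plus an X-XRDS-Location pointer; the XRDS location and the second OP URL are hypothetical.

```python
from html.parser import HTMLParser

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

class DiscoveryParser(HTMLParser):
    """Collects the OpenID 2.0 <link> tags and an X-XRDS-Location <meta> from a user's page."""
    def __init__(self):
        super().__init__()
        self.server = self.local_id = self.xrds_location = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            rels = (a.get("rel") or "").lower().split()
            if "openid2.server" in rels:
                self.server = a.get("href")
            if "openid2.local_id" in rels:
                self.local_id = a.get("href")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")

def html_discover(claimed_id, html):
    """HTML discovery; without openid2.local_id the OP-local identifier is the claimed id itself."""
    p = DiscoveryParser()
    p.feed(html or "")
    return {"op_endpoint": p.server, "op_local_id": p.local_id or claimed_id,
            "xrds_location": p.xrds_location}

def assertion_matches_discovery(response, fetch_html):
    """Re-discover the asserted claimed_id and check that this OP is entitled to assert it."""
    claimed = response.get("openid.claimed_id", "")
    if not claimed or claimed == IDENTIFIER_SELECT:
        return False                  # the OP must replace the placeholder with a real identifier
    info = html_discover(claimed, fetch_html(claimed))
    return (info["op_endpoint"] is not None
            and info["op_endpoint"] == response.get("openid.op_endpoint")
            and info["op_local_id"] == response.get("openid.identity"))

# Constructed copy of the delegation page from the slide, keyed by URL (stands in for an HTTP fetch).
PAGES = {"http://www.jan.com/": """<html><head>
<link rel="openid2.server" href="http://myopenid.com/server" />
<link rel="openid2.local_id" href="http://jandurand.myopenid.com" />
<meta http-equiv="X-XRDS-Location" content="http://www.jan.com/yadis.xml">
</head><body></body></html>"""}

def demo():
    good = {"openid.claimed_id": "http://www.jan.com/", "openid.identity": "http://jandurand.myopenid.com",
            "openid.op_endpoint": "http://myopenid.com/server"}
    other_op = dict(good, **{"openid.op_endpoint": "https://op.example.org/server"})   # hypothetical OP
    wrong_id = dict(good, **{"openid.identity": "http://someoneelse.myopenid.com"})
    return tuple(assertion_matches_discovery(r, PAGES.get) for r in (good, other_op, wrong_id))
```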

Page 30

Recommendations to ESnet ATF

Ensure all OpenID communication is on SSL including discovery, association, and direct verification.

OpenID 1.x compatibility for the RP removes a lot of functionality. OpenID 1.x compatibility not costly to implement for OP.

Recommend delegation to prevent identity 'correlation' as opposed to issuing multiple OpenIDs per user account.

Long unsightly OpenID URLs can be mitigated with Directed Identity. E.g. titanium.es.net/provider

Page 31

Information

For more information on OpenID visit: http://openid.net http://wiki.openid.net/FAQ http://www.doegrids.org/OpenID

Page 32

Contact

Dhiva Muruganantham <[email protected]> Jan Durand <[email protected]> Mike Helm <[email protected]>