SPP Authentication and Authorisation Issues - PowerPoint PPT Presentation

Provided by: JulieS46
Slides: 21

Transcript and Presenter's Notes

1
SPP Authentication and Authorisation Issues
  • Francisco Queiros Pinto, Humbul
  • Jan Grant, ILRT

2
Overview
  • SPP Portal Framework
    • Based on JetSpeed and its own Security System
  • Authentication/Authorisation (A/A) Issues
    • Multiple Mechanisms
    • Multiple Scenarios
  • SPP Solution
    • Account Management (UML Diagram Demos)
    • Local Authentication System (LAS)
    • National Authentication System (NAS)
    • SPP A/A Plugin
  • Athens SSO Issues
    • Integration Problems
    • Proposed Fix

3
Portal Framework
  • JetSpeed
    • Supplies much of the support code
    • Has an A/A mechanism
    • Based on Turbine/JDBC
  • SPP A/A Plug-In
    • Takes care of JetSpeed specifics
    • We provide framework-neutral plug-ins for A/A

4
Portal Framework
5
Portal Framework
6
Portal Framework
7
Multiple A/A Mechanisms
(Diagram slide; the labels that survive in the transcript are: Authentication, Traditional, SSO, Passwords, Tickets, X.509 Certificates, Future, Now, Groups/Roles, Realms, ACLs, Authorisation.)
  • A/A Issues
    • Technologies evolve (e.g. for security reasons)
    • Portal as a Virtual DSP Resource User
    • A user may have different authorisation over time

8
Multiple A/A Scenarios
(Diagram slide; the labels that survive in the transcript are: [unreadable] (e.g. Shibboleth), "International" (e.g. Athens, Others), JISC, National, RDN (e.g. RDN A/A Shared Services), Local, Hubs (e.g. MyHumbul).)
  • A/A Issues
    • Different Mechanism, Scope, User Overlap
    • Limited Life

9
SPP Account Management
  • A/A Mechanisms
    • Independence, Interoperability and Flexibility
    • Pluggable Login Modules based on Standards
    • Loaded On-the-fly
    • Able to deal with any kind of Credentials
  • A/A Scenarios
    • Transparency for Local, National and "International"
    • Easy via Traditional A/A Mechanisms
    • Difficult via SSO

10
Local A/A System
  • LDAP Implementation
    • Bind Authentication based on MD5 digested
      credentials (e.g. passwords, certificates)
    • Built-in Hierarchical ACL Authorisation
  • SSL Access
    • Server Identity Guaranteed
    • Encrypted Connection
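A framework-neutral sketch of the pluggable login modules on slide 9 and the LDAP bind authentication against digested credentials on slide 10, added here as an illustration; it is not code from the presentation or from the SPP/JetSpeed project. The module registry, the credential kinds, the in-memory directory standing in for LDAP, the ticket table and all user names and passwords are constructed. The `{MD5}` userPassword scheme is the unsalted digest the slide names; the `{SSHA}` branch shows the salted scheme a deployment should prefer, because an unsalted MD5 digest can be matched against precomputed tables.

```python
"""Added example (not from the SPP/JetSpeed presentation): a framework-neutral
registry of pluggable login modules, each handling one kind of credential,
plus a verifier for LDAP-style hashed userPassword values ({MD5} and {SSHA}).
Module names, the in-memory directory, tickets and users are all constructed."""
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# --- LDAP-style password storage -------------------------------------------
# OpenLDAP stores userPassword as "{SCHEME}base64(digest)". {MD5} is the
# unsalted scheme the slides describe; {SSHA} adds a salt and is preferable.

def encode_ldap_md5(password: str) -> str:
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()

def encode_ldap_ssha(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def verify_ldap_password(stored: str, password: str) -> bool:
    """Check a candidate password against a {MD5} or {SSHA} userPassword value."""
    if stored.startswith("{MD5}"):
        expected = base64.b64decode(stored[5:])
        return hmac.compare_digest(hashlib.md5(password.encode()).digest(), expected)
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[6:])
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, salt follows
        return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)
    return False   # unknown scheme: refuse rather than guess

# --- pluggable login modules ------------------------------------------------
@dataclass
class Principal:
    user: str
    mechanism: str

LoginModule = Callable[[dict], Optional[Principal]]
_MODULES: Dict[str, LoginModule] = {}

def register(kind: str):
    """Decorator: register a login module for one credential kind (loaded on the fly)."""
    def wrap(fn: LoginModule) -> LoginModule:
        _MODULES[kind] = fn
        return fn
    return wrap

# Constructed in-memory stand-in for an LDAP directory (uid -> userPassword)
DIRECTORY = {
    "alice": encode_ldap_md5("correct horse"),
    "bob": encode_ldap_ssha("battery staple", salt=b"\x01\x02\x03\x04\x05\x06\x07\x08"),
}

@register("password")
def password_module(cred: dict) -> Optional[Principal]:
    stored = DIRECTORY.get(cred.get("user", ""))
    if stored and verify_ldap_password(stored, cred.get("password", "")):
        return Principal(cred["user"], "local-ldap")
    return None

# Constructed stand-in for a national SSO ticket store (ticket -> user)
TICKETS = {"tkt-123": "carol"}

@register("ticket")
def ticket_module(cred: dict) -> Optional[Principal]:
    user = TICKETS.get(cred.get("ticket", ""))
    return Principal(user, "national-sso") if user else None

def authenticate(cred: dict) -> Optional[Principal]:
    """Dispatch on the credential's declared kind; unknown kinds are rejected."""
    module = _MODULES.get(cred.get("kind", ""))
    return module(cred) if module else None

if __name__ == "__main__":
    print(authenticate({"kind": "password", "user": "alice", "password": "correct horse"}))
    print(authenticate({"kind": "ticket", "ticket": "tkt-123"}))
    print(authenticate({"kind": "certificate", "subject": "CN=dave"}))  # no module -> None
```

Unknown credential kinds and unknown password schemes both fail closed, which is the behaviour a module loaded on the fly needs: a module that is absent must never be mistaken for one that approved the request.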

11
Local A/A System
  • Demo
    • Authentication glued to the Portal Framework
    • LAS Servlet
  • Integration
    • Easy
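A hierarchical ACL evaluator of the kind slide 10 lists for the Local A/A System, added here as an illustration (not code from the presentation or from the project). Resource paths, group names and the entries are constructed. The rules it applies are that the nearest node with an applicable entry decides, and that at that node an explicit deny beats an allow, so an allow inherited from a parent never overrides a deny placed on a child.

```python
"""Added example (not from the SPP/JetSpeed presentation): a hierarchical ACL
evaluator. Resources form a path tree; an entry on a node applies to everything
beneath it unless a more specific node carries its own applicable entry, and a
deny at the deciding node beats an allow. All paths, groups and entries are
constructed for this illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass(frozen=True)
class Ace:
    principal: str      # user name or "group:<name>"
    permission: str     # e.g. "read", "write"
    allow: bool

@dataclass
class Acl:
    entries: Dict[str, List[Ace]] = field(default_factory=dict)  # resource path -> ACEs

    def add(self, path: str, ace: Ace) -> None:
        self.entries.setdefault(path, []).append(ace)

    def check(self, user: str, groups: Set[str], resource: str, permission: str) -> bool:
        """Walk from the resource up to the root; the nearest node with a
        matching entry decides, and at that node any deny wins over allow."""
        principals = {user} | {f"group:{g}" for g in groups}
        node = resource
        while True:
            matches = [a for a in self.entries.get(node, [])
                       if a.principal in principals and a.permission == permission]
            if matches:
                return all(a.allow for a in matches)  # explicit deny at this level wins
            if node in ("", "/"):
                return False                           # nothing granted anywhere: default deny
            node = node.rsplit("/", 1)[0] or "/"       # move to the parent path

# Constructed ACL: staff may read everything, except a private area, in which
# one user is re-granted access to a single sub-folder.
ACL = Acl()
ACL.add("/", Ace("group:staff", "read", True))
ACL.add("/hubs/humbul", Ace("group:humbul-editors", "write", True))
ACL.add("/hubs/humbul/private", Ace("group:staff", "read", False))
ACL.add("/hubs/humbul/private/reports", Ace("alice", "read", True))

def can(user: str, groups, resource: str, permission: str) -> bool:
    return ACL.check(user, set(groups), resource, permission)

if __name__ == "__main__":
    print(can("bob", ["staff"], "/hubs/humbul", "read"))              # inherited allow
    print(can("bob", ["staff"], "/hubs/humbul/private", "read"))      # explicit deny
    print(can("alice", ["staff"], "/hubs/humbul/private/reports", "read"))  # re-granted
```

The default-deny fall-through at the root is the part worth checking in any implementation: a missing entry must read as "no", not as "not denied".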

12
National A/A System
  • Athens Access Management System
    • Past
      • Client API with Passwords (deprecated)
    • Present
      • SSO with Passwords/Tickets (Cookies)
    • Future
      • X.509 Certificates
      • SSO with Authentication Autonomy via DA

13
National A/A System
  • Demo
    • Authentication glued to the Portal Framework
    • Client API
      • NAS Servlet
    • SSO
      • Direct SSO
  • Integration
    • Easy with Client API (but vulnerable)
    • Difficult with Athens SSO (also via DA)

14
Supporting SSO
  • Current plug-in framework supports traditional
    mechanisms only
  • Framework extension to early interception of
    requests
    • Cookie-based "remember my details"
    • X.509 Certificates
    • Trapping SSO-backed requests
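The early interception this slide calls for, added as an illustration rather than code from the presentation or from the project: a filter that runs before the portal's own login form and handles an SSO ticket cookie, a signed "remember my details" cookie, or neither. Cookie names, the server key, the ticket table and the user names are constructed, and the SSO validation is a stand-in dictionary lookup where a real deployment would consult the national service.

```python
"""Added example (not from the SPP/JetSpeed presentation): an early request
interceptor that runs before the portal's login form. It accepts a request
carried by an SSO ticket cookie, then a "remember my details" cookie signed
with HMAC so it cannot be forged or extended by the client, and otherwise
falls through to the traditional login path. Names, key and tickets are
constructed for this illustration."""
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import Optional, Tuple

SERVER_KEY = b"constructed-server-secret"   # in practice loaded from configuration
REMEMBER_COOKIE = "spp_remember"
SSO_COOKIE = "sso_ticket"
REMEMBER_TTL = 14 * 24 * 3600               # "remember me" lifetime in seconds

def _now(now: Optional[int]) -> int:
    return int(time.time()) if now is None else now

def issue_remember_cookie(user: str, now: Optional[int] = None) -> str:
    """Cookie value is user|expiry|mac; the HMAC binds user and expiry to the
    server key, so changing either on the client side invalidates the MAC."""
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    expiry = _now(now) + REMEMBER_TTL
    payload = f"{user}|{expiry}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"

def check_remember_cookie(value: str, now: Optional[int] = None) -> Optional[str]:
    """Return the remembered user if the cookie is intact and unexpired, else None."""
    try:
        user, expiry, mac = value.split("|")
        expiry_ts = int(expiry)
    except ValueError:                      # wrong field count or non-numeric expiry
        return None
    expected = hmac.new(SERVER_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                         # forged or tampered
    if expiry_ts < _now(now):
        return None                         # expired
    return user

# Constructed stand-in for validating a ticket with the national SSO service
SSO_TICKETS = {"nas-ticket-42": "carol"}

def validate_sso_ticket(ticket: str) -> Optional[str]:
    return SSO_TICKETS.get(ticket)

def intercept(cookie_header: str, now: Optional[int] = None) -> Tuple[str, Optional[str]]:
    """Decide, before any login form is rendered, how this request is authenticated.
    Returns (source, user) with source one of 'sso', 'remembered', 'login-form'."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if SSO_COOKIE in jar:                   # SSO-backed request: trap it first
        user = validate_sso_ticket(jar[SSO_COOKIE].value)
        if user:
            return "sso", user
    if REMEMBER_COOKIE in jar:              # cookie-based "remember my details"
        user = check_remember_cookie(jar[REMEMBER_COOKIE].value, now)
        if user:
            return "remembered", user
    return "login-form", None               # traditional mechanisms take over

if __name__ == "__main__":
    cookie = issue_remember_cookie("alice")
    print(intercept(f"{REMEMBER_COOKIE}={cookie}"))
    print(intercept(f"{SSO_COOKIE}=nas-ticket-42"))
    print(intercept(""))
```

Because the expiry is inside the signed payload, a client cannot turn a two-week cookie into a permanent one, and a rejected cookie simply drops the request onto the ordinary login path rather than producing an error.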

15
Supporting SSO
16
Problems with Athens SSO
  • All or nothing
  • No way to tell if someone's already authenticated
    without losing control
  • No way to jump into the authentication process
  • Gives rise to confusing user experience

17
Athens SSO Proposed Fix
  • Two simple extensions to Athens considered
  • They address the problems raised
  • Costs and benefits highlighted

18
Athens SSO
  • Programmatic check of logged-in status
  • Guarantee immediate return to the DSP (SPP
    portal)
  • Pro
    • UI remains under SPP control
    • No security impact
  • Con
    • Small addition to Athens required

19
Athens SSO
  • Programmatic submission of credentials gathered
    elsewhere
  • Pro
    • UI remains under SPP control
    • Single login form can be multiplexed
    • Consistent user experience
  • Con
    • Credential leak to DSP

20
Future Work
  • Parallel Threads
    • Integrate the current version of the Servlet
      Prototype in JetSpeed
    • Implement Remaining Account Management
      Functionality
    • Towards the Hubs' Expectations for Integration,
      Additional Functionality, Wider Community
    • Be in line with the RDN Shared Services
    • Be prepared for the Future JISC Security
      Architecture (e.g. PKI)
    • Propose Protocol Extensions to Athens
    • Be involved in JetSpeed Security Provider Work