Integrating Liberty IDFF and GSI SSO

About This Presentation

Title:

Description:

Number of Views:24

Avg rating:3.0/5.0

Slides: 14

Provided by: henrimi

Category:

more less

Transcript and Presenter's Notes

Title: Integrating Liberty IDFF and GSI SSO

1
Integrating Liberty ID-FF and GSI SSO

2
Agenda

3
Liberty Alliance Project

An alliance of more than 150 companies, nonprofit
and government organizations from around the
world.
Their mission is to serve as the premier open
standards organization for federated identity
management and services (http//www.projectliberty
.org/).
Three sets of specifications are defined
Identity Federation Framework (ID-FF)
Identity Web Services Framework (ID-WSF)
Identity Services Interface Specifications
(ID-SIS)
All the specifications are publicly available.

4
Liberty ID-FF (1/3)

Enables SSO to WWW services via identity
federation
Federation is a link between the user account at
the Identity Provider (IDP) and a Service
Provider (SP)

5
Liberty ID-FF (2/3)

The SSO process in practise (after identity
federation)
The SP redirects the user to the IDP for
authentication
ltAuthnRequestgt -message is included in the HTTP
header
The IDP authenticates the user (if he hasnt
already authenticated)
The authentication request may include
requirements for certain authentication methods
The user is redirected back to the SP together
with an ltAuthnResponsegt
The response message contains SAML 1.1 assertion
about the authentication
The SP validates the assertion and the user is
logged in
The IDPs and SPs trusting each other form Liberty
Circles of Trust (CoT).

6
Liberty ID-FF (3/3)

7
Grid Security Infrastructure (GSI)

Enables SSO to Grid Services via Grid Proxies
Proxies are implemented with proxy certificates
(RFC 3820)
User proxy proxy certificate plaintext
privatekey signer cert chain
Proxy Delegation
The delegatee generates a keypair
The delegatee attaches the public key to a
certificate request and sends it to the delegator
The delegator signs the certificate request and
thus generates a proxy certificate
The delegator sends the proxy certificate to the
delegatee

8
Motivation for the Integration

GSI requires a certificate from the users
Obtaining a certificate requires relatively
complex user intervention
Secure private key management is demanding
Grid portals offer an easy-to-use GUI, but the
portal should somehow get the user proxy
Proxy Delegation process is not supported by WWW
browsers
Initialization of the user proxy requires
additional software installations
Conclusion a start of using Grid services is
currently far too demanding for an average
Internet user

9
Integration Scenario
10
Liberty ID-FF Proxy Extension

Enables Grid proxy delegation from the Identity
Broker (IDB) to the GridSP
IDB IDP with proxy extensions delegator
functionality
GridSP SP with proxy extensions delegatee
functionality
The IDB manages its users long-term credentials
The private keys never leave the server
The protocol extension definitions and the
prototype implementation were done in the NetGate
project
A paper will be published at the ICNS06 in July
2006.

11
Future Work

SAML 2.0 provides Liberty ID-FF functionality by
default
The mechanisms for enabling the proxy delegation
functionality with SAML 2.0 should be
investigated
The GridShib project is working on the
integration of Shibboleth and Globus Toolkit
Like Liberty, Shibboleth is based on SAML
Instead of identity federations, SAML assertions
are used for distributing user attributes
The IDB service could add thse attributes to the
delegated proxy certs
Also other attributes like VOMS could be supported

12
References