
ARCHER’s Security Requirements within the AAF


Presentation Transcript


  1. ARCHER’s Security Requirements within the AAF

  2. Research Repository Requirements (relevant to AAF)
  • Identity Management provided by the Federation
  • Single-sign-on for Federation services
  • Federation members can access services
    • For accessing and managing datasets in a Research Repository
    • Accessible from either desktop or web applications
  • Federation members can define groups of Federation members which can access their datasets
    • Group membership defined autonomously by the group
  • Research Repository accessible by other Federation services
    • Including Grid services
  • Privileges for content owners and groups managed by the Research Repository
  • Consistent Identity and Group Management across Shibboleth and PKI protected services

  3. Consistent Identity & Group Management
  (Diagram; components shown: Identity Management, Group Management, Shibboleth-protected Services, PKI-protected Services)

  4. Status of Repository Requirements
  Legend: • Available • Under Development • Not available
  • Identity Management provided by the Federation
  • Single-sign-on for Federation services
  • Federation members can access services
    • For accessing and managing datasets in a Research Repository
    • Accessible from either desktop or web applications
  • Federation members can define groups of Federation members which can access their datasets
    • Group membership defined autonomously by the group
  • Research Repository accessible by other Federation services
    • Including Grid services
  • Privileges for content owners and groups managed by the Research Repository
  • Consistent Identity and Group Management across Shibboleth and PKI protected services

  5. Objective
  • Access a Federation service (e.g. a research repository) using Shibboleth
    • from either a web or desktop application
  • Problem
    • Shibboleth was never designed to be used from desktop applications

  6. Solution: Accessing a Federation Service from the Desktop using the Federation’s Identity Management
  (Diagram; participants shown: Desktop, IdP, Credential Manager, Desktop App, Certificate Provider, Fed Service (PKI-protected))
  Message sequence as numbered on the slide:
  1. Request Cert.
  2. Authenticate
  3. Shib. Token
  4. Shib Token
  5. Shib Token
  6. Attributes
  7. Short-lived Cert.
  8. Short-lived Cert.
  9. Short-lived Cert.
  10. Success/Fail

  7. Credential Manager Requirements
  • Must be able to authenticate with an Identity Provider
  • Must be able to be trusted by the user, as they will be authenticating with their institution through it
  • Must be able to cache the user’s credentials
  • Must query the user for confirmation, if an application requests a credential
  • Must be available for Win, Mac, and Linux boxes

  8. Certificate Provider Requirements
  • Must generate certificates which:
    • Are short-term
    • Maintain a consistent identity for the user
    • Are approved by IGTF
    • Are signed by the Federation
    • Transport only those Shibboleth attributes that are essential for accessing PKI protected services
  • Service must be managed by the Federation
  • Desirable to have an interface which allows Grid Certificates to be refreshed

  9. Useful Security Components
  • SWITCH’s SLCS, for the Certificate Provider
    • Shibboleth protected web application
    • Generates IGTF approved certificates from Shibboleth attributes
  • Bandit-Project’s DigitalMe, for the Credential Manager
    • Similar to Microsoft’s InfoCard/Cardspace solution
    • Written in Java
  • Red Hat’s CA
    • To be used by the AAF

  10. User Cert. Provision with Cert. available from MyProxy
  (Diagram; participants shown: Certificate User, IdP, Certificate Provider (Service Provider), Certificate Generator, MyProxy; an external interface is available to MyProxy to refresh certificates)
  Message sequence as numbered on the slide:
  1. Shib Token
  2. Shib Token
  3. Attributes
  4. Attributes
  5. Short-lived Cert
  6. Short-lived Cert.

  11. User Cert. Provision with Cert. not available from MyProxy
  (Diagram; participants shown: Certificate User, IdP, Certificate Provider (SLCS), Certificate Generator, MyProxy; an external interface is available to MyProxy to refresh certificates)
  Message sequence as numbered on the slide:
  1. Shib Token
  2. Shib Token
  3. Attributes
  4. Attributes
  5. Fail
  6. Attributes
  7. Attributes and Medium-lived Cert.
  8. Success
  9. Success
  10. Attributes
  11. Short-lived Cert.
  12. Short-lived Cert.
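As an added illustration (not code from the ARCHER project or the slides), the Python sketch below models the certificate-provider decisions of slides 8, 10 and 11: only the essential Shibboleth attributes are carried into the certificate, the subject is derived consistently from the principal name, a still-valid certificate held in MyProxy is reused, and otherwise a new short-lived certificate is generated and signed. The federation key, the 12-hour lifetime, the DN layout and the HMAC stand-in for an X.509 CA signature are assumptions.

```python
import hashlib
import hmac
import json

# Assumed values (not from the slides): a stand-in federation signing key
# and a 12-hour lifetime; a real SLCS issues X.509 signed by the federation CA.
FEDERATION_KEY = b"federation-ca-signing-key-placeholder"
CERT_LIFETIME_SECONDS = 12 * 3600
ESSENTIAL_ATTRIBUTES = ("eduPersonPrincipalName", "displayName")


def consistent_subject(attributes):
    """Derive a stable subject from the principal name only, so the same
    user receives the same identity on every issuance (slide 8). DN layout assumed."""
    user, _, idp = attributes["eduPersonPrincipalName"].partition("@")
    return f"/DC=au/O=AAF/OU={idp}/CN={user}"


def filter_attributes(attributes):
    """Transport only the Shibboleth attributes the PKI-protected service needs."""
    return {k: v for k, v in attributes.items() if k in ESSENTIAL_ATTRIBUTES}


def sign(payload):
    # HMAC over the canonical payload stands in for the federation CA signature.
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(FEDERATION_KEY, body, hashlib.sha256).hexdigest()


def generate_cert(attributes, now):
    payload = {
        "subject": consistent_subject(attributes),
        "attributes": filter_attributes(attributes),
        "not_before": now,
        "not_after": now + CERT_LIFETIME_SECONDS,
    }
    return {"payload": payload, "signature": sign(payload)}


def verify(cert, now):
    """What the PKI-protected service checks: federation signature and validity window."""
    if not hmac.compare_digest(sign(cert["payload"]), cert["signature"]):
        return False
    p = cert["payload"]
    return p["not_before"] <= now < p["not_after"]


def provision(attributes, myproxy_store, now):
    """Slide 10: reuse a valid cert from MyProxy; slide 11: otherwise generate one."""
    subject = consistent_subject(attributes)
    cached = myproxy_store.get(subject)
    if cached and verify(cached, now):
        return cached, "myproxy"
    cert = generate_cert(attributes, now)
    myproxy_store[subject] = cert
    return cert, "generated"
```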

  12. (Diagram; participants shown: Web Portal, IdP, DigitalMe, Desktop App, Shib Module, Certificate Provider (SLCS, MyProxy, Red Hat CA); an external interface is available to MyProxy to refresh certificates)
  Labelled messages: Post Back; Request Short-term Cert; Post back Cert.

  13. Prototypes: Shib Desktop Access & Shib Cert Provider
  • SVN: https://dev.archer.edu.au/projects/archer-data-activities/svn/security/current
  In this folder, there are three separate projects as follows:
  • ArcherCertProvider: the front-end webapps to manage certificates.
  • CardSpace: the desktop module for local certificate management.
  • Desktop Shibboleth: the desktop module for Shibboleth authentication.
  Installation instructions for each module are provided in README files available in each project.
  To run the demonstration:
  1. Deploy the ArcherCertProvider to a J2EE application server (tested with Tomcat 5.14+ and 6.*); an existing war file can be found at https://dev.archer.edu.au/downloads/ArcherCertProvider.war
  2. Start the CardSpace: ant LocalCertManager
  3. Run a HelloWorld example of a GSI application: ant GSIApp
