A presentation at the October 2015 Internet2 Technology Exchange.
Enabling researchers to provision and manage their own collaborations in a straightforward manner is the goal of the FEDUSHARE project. To provide investigator self-managed collaboration, we undertake the design of a middleware architectural framework that turns current models upside down by modeling collaboration from the user’s perspective rather than from the organizational/administrative perspective. We leverage existing federated campus Identity and Access Management (IAM) infrastructure and expertise to accomplish the desired transparent access. We call this framework “FeduShare”. During our presentation, we will demonstrate an in-production ssh console logon across campuses using Shibboleth ECP and updated GSS-ECP client/server components. We will also describe an open source ECP based mobile authentication solution that occurred as a side effect of our work. This work is funded by NSF Grant No. ACI-1440609 and includes participants from Clemson, U Utah, NCSA/XSEDE, and BBN (GeNi office).
FeduShare TechEx15
1. FeduShare
A User-Managed Collaboration Framework
This material is based upon work supported by the National Science Foundation
under Grant No. ACI-1440609. Any opinions, findings, and conclusions or
recommendations expressed in this material are those of the author(s) and do not
necessarily reflect the views of the National Science Foundation.
2. Panelists:
• Jill Gemmill, CTO Middleware (PI)
• Billy Cook, Director Software Dev. & IAM
• Nick Watts, Software Developer
• Tyler Thompson, Mobile App Developer
• Subhasish Mitra, Director IAM Strategy & Co-PI
• Jim Basney, Senior Research Scientist, NCSA & Co-PI
3. Outline
•FeduShare: What and Why ? (Jill, Clemson)
•Non-web logon using Shibboleth: Options (Jim, NCSA@Illinois)
•Demo
•Technical Details (Nick, Clemson)
•Accounts and Provisioning (Billy, Clemson)
•Campus Partnerships Required (Subhasish, UUtah)
•Happy Side Effects: Open Source Mobile Logon (Tyler, Clemson)
•Q&A
4. Collaborators want an environment where managing members & access to resources is FAST and EASY
This! Not This!
5. The FeduShare Framework
We have been modeling and designing campus infrastructure as a closed system with identities and resources we own.
What if we modeled and designed for open, multi-directional collaboration instead?
6. What National Research Infrastructure Provides for Collaboration
•XSEDE, OSG, GENi, Science Gateways have been built by a handful of highly skilled experts
● Challenges:
(1) How to share campus resources
(2) How to integrate campus with national resources
(3) Are there enough experts to get the work done?
•These models are certificate based, which does not match most campus infrastructures (SAML)
7. Fluid, Transparent, Federated and Secure access to Distributed Resources is HARD
University Campus IT has highly talented Identity and Access Management (IAM) and systems integration staff (diagram label: IDENTITIES)
BUT……
1. They may not have been asked to solve the problem “Build Infrastructure to support Collaboration everywhere”
2. They may still be designing from a perspective that is inside the campus silo -- “add another guest user”
8. Actors
1. Researcher: a faculty member, student, employee, or other person involved in the collaboration.
2. Principal Investigator role:
a. designates VO membership
b. conducts out-of-band arrangements to obtain approved use of the remote resource(s)
c. is responsible for the behavior of the VO members regarding their use of these resources.
3. VO Manager: manages VO membership and access to shared resources under the PI's direction.
4. Resource Manager: operates the remote resource and provides access according to local policy.
9. Assumptions
•Actors and resource providers are InCommon members.
•All support the InCommon Research and Scholarship (R&S) Profile*
•All run Shibboleth 2.4+ and can provide the required SAML assertions.
•There exists a Virtual Organization Management service (or services).
•Access is controlled at the resource
• where multiple resources are being shared by a single VO, there may be a single resource manager component between the user and each federated resource.
*IdP releases EPPN, name, email address
10. Event Flow
1. Create the Virtual Organization.
2. List the collaborators*.
3. If and when the VO requires use of resources, a PI must be designated**.
4. The PI makes a request to one or more Resource Managers, is apprised of their responsibilities as PI, and is accepted by the Resource Manager as a trusted PI.
5. VO Members can begin to access resources through a Resource Request Protocol, with authorization based on their local campus authentication (EPPN) and VO Membership info.
* Ideally, via an invitation approved by each member.
**Note -- in OSG and Science Gateways, this is Step 1. Access is authorized based on VO membership only, communicated in these cases via a VOMS-issued X.509 attribute certificate OR by membership in a science gateway portal; in this case all VO members may run as a single userid.
12. The Project: Two Use Cases + a Catalog
Use Case 1: Federated access to a campus HPC cluster via console logon -- in PRODUCTION SYSTEMS (Year 1)
Use Case 2: Federated access to multiple clouds/SDN testbeds (e.g. GeNi and CloudLab) (Year 2)
Catalog: Open Source Software candidates to use for FeduShare framework components (Years 1 & 2)
https://sites.google.com/site/fedushare/
13. Outcomes so far
• In production use of Shibboleth ECP at Clemson and Utah
• SAML Enhanced Client SASL and GSS-API Mechanisms
https://tools.ietf.org/html/draft-ietf-kitten-sasl-saml-ec-13
• Enhanced collaboration intra-IT organizations
• Documentation: https://sites.google.com/site/fedushare/
• Software:
• mech_saml_ec library https://github.com/fedushare/mech_saml_ec
• Apple Native Mobile AuthN: https://github.com/OpenClemson/SwiftECP
• Work force development
32. CUVault
Architecture diagram of the CUVault identity vault; labels recovered from the slide:
• Authoritative sources: Banner, PeopleSoft, Blackboard, Photo, other authoritative sources
• Vetted Unique Identities; VisitorIDs
• Unique Directory; CUID Directory
• Credentials (user accounts); Self Service & Administration
• External interface to vault
• Provisioning: Clemson login, other authentication, applications
33. Challenge Summary
How do we mix identities with a lower level of assurance with campus identities that have a high level of assurance?
- researchers
- campus guests
- alumni
- summer campers
34. Outline
•FeduShare: What and Why? (Jill, Clemson)
•Non-web logon using Shibboleth: Options (Jim, UIUC)
•Demo
•Technical Details (Nick, Clemson)
•Accounts and Provisioning (Billy, Clemson)
•Integration with Campus Partnerships & Strategy (Subhasish, UUtah)
•Happy Side Effects: Open Source Mobile Logon (Tyler, Clemson)
•Q&A
35. University Of Utah - CHPC and IAM Partnership
The Team at Utah
• Robert Roll, IAM Sys Consultant - IAM - FeduShare Shib SME
• Steve Harper, Sr Sys Admin - CHPC - FeduShare ECP/SSH SME
• Subhasish Mitra, Assoc Dir - IAM/Info Sec - FeduShare Co-PI
At our Campus
• Enabled ECP in the Shib 2.4 IdP (Robert, IAM)
• Compiled ECP SSH - openMoonShot (Steve, CHPC)
36. University Of Utah - CHPC and IAM Partnership
Current Story
• CHPC is solely responsible for managing on-boarding and off-boarding of users to their HPC clusters; however, they leverage Campus central identities for their processes & accounts
Goal
• FeduShare enables IAM and CHPC to gain/allow access to local HPC resources using external entity credentials
37. Outline
•FeduShare: What and Why? (Jill, Clemson)
•Non-web logon using Shibboleth: Options (Jim, UIUC)
•Demo
•Technical Details (Nick, Clemson)
•Campus Partnerships Required (Subhasish, UUtah)
•Accounts and Provisioning (Billy, Clemson)
•Happy Side Effects: Open Source Mobile Logon (Tyler, Clemson)
•Q&A
38. my.Clemson Native Login
• We’re in the process of converting our hybrid mobile web app into a native iOS app
• We wanted to build a native login screen that adds the option to save credentials in the iOS keychain (login-once paradigm)
• We needed to integrate native login with Shibboleth since the web portion of our app (as well as other campus services) uses it
• We wanted to provide instant progress, success, and error messages without redirects or going out to the browser
39. Shibboleth ECP
• ECP allows us to authenticate through Shibboleth with HTTP requests instead of browser redirects
• The previous FeduShare work at Clemson ensured that our IdP supported ECP and was configured properly
• Only our SPs needed extra configuration (a simple ECP="true" attribute)
• Client support remained the major blocker
• Clients available for Python, Java, and Perl but not for Objective-C or Swift
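The three-message ECP exchange described above (client to SP, client to IdP, client back to SP), as an added example that is not part of the original deck, SwiftECP or mech_saml_ec. The SOAP envelopes are constructed samples with a hypothetical SP at sp.example.edu; the point shown is the client-side check that the IdP's AssertionConsumerServiceURL matches the SP's responseConsumerURL before the assertion is relayed, which is what stops a response being delivered to a different SP than the one the user contacted.

```python
import xml.etree.ElementTree as ET

# Namespaces from the SAML V2.0 ECP profile and the Liberty PAOS binding.
S, PAOS = "http://schemas.xmlsoap.org/soap/envelope/", "urn:liberty:paos:2003-08"
ECP, ACTOR = "urn:oasis:names:tc:SAML:2.0:profiles:SSO:ecp", "http://schemas.xmlsoap.org/soap/actor/next"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample: the SP's PAOS response to a client that sent Accept: application/vnd.paos+xml.
SP_PAOS_RESPONSE = f"""<S:Envelope xmlns:S="{S}"><S:Header>
<paos:Request xmlns:paos="{PAOS}" S:mustUnderstand="1" S:actor="{ACTOR}" service="{ECP}"
 responseConsumerURL="https://sp.example.edu/Shibboleth.sso/SAML2/ECP"/>
<ecp:Request xmlns:ecp="{ECP}" S:mustUnderstand="1" S:actor="{ACTOR}" ProviderName="sp.example.edu"/>
</S:Header><S:Body><samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_c1"/></S:Body></S:Envelope>"""

# Constructed sample: the IdP's SOAP reply once the user has authenticated.
IDP_RESPONSE = f"""<S:Envelope xmlns:S="{S}"><S:Header>
<ecp:Response xmlns:ecp="{ECP}" S:mustUnderstand="1" S:actor="{ACTOR}"
 AssertionConsumerServiceURL="https://sp.example.edu/Shibboleth.sso/SAML2/ECP"/>
</S:Header><S:Body><samlp:Response xmlns:samlp="{SAMLP}" ID="_r1"/></S:Body></S:Envelope>"""

def strip_header(env):
    """Remove the SOAP Header in place: the client forwards only the Body."""
    header = env.find(f"{{{S}}}Header")
    if header is not None:
        env.remove(header)
    return env

def idp_request_from_sp(sp_paos_xml):
    """Step 1 -> 2: record the SP's responseConsumerURL and build the envelope
    the client POSTs to the IdP's ECP endpoint (AuthnRequest only, no PAOS header)."""
    env = ET.fromstring(sp_paos_xml)
    consumer_url = env.find(f"{{{S}}}Header/{{{PAOS}}}Request").get("responseConsumerURL")
    return consumer_url, ET.tostring(strip_header(env), encoding="unicode")

def sp_response_from_idp(idp_xml, consumer_url):
    """Step 2 -> 3: before relaying the assertion, the client MUST check that the
    IdP's AssertionConsumerServiceURL equals the SP's responseConsumerURL; on a
    mismatch it sends the SP a SOAP fault and aborts the login."""
    env = ET.fromstring(idp_xml)
    ecp_resp = env.find(f"{{{S}}}Header/{{{ECP}}}Response")
    acs_url = None if ecp_resp is None else ecp_resp.get("AssertionConsumerServiceURL")
    if acs_url != consumer_url:
        raise ValueError(f"ACS URL {acs_url!r} != responseConsumerURL {consumer_url!r}: abort login")
    strip_header(env)
    # Replace the IdP header with the paos:Response header the SP expects.
    header = ET.Element(f"{{{S}}}Header")
    ET.SubElement(header, f"{{{PAOS}}}Response", {f"{{{S}}}actor": ACTOR, f"{{{S}}}mustUnderstand": "1"})
    env.insert(0, header)
    return ET.tostring(env, encoding="unicode")
```

The HTTP transport (Basic auth to the IdP, the final POST to responseConsumerURL with Content-Type application/vnd.paos+xml) is omitted; a real client also honours a SOAP fault from either party as a failed login.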
40. SwiftECP
• Open-source ECP client for iOS
• https://github.com/OpenClemson/SwiftECP
• Abstracts ECP details away from the library user
• Supports the simplest use case (no delegation, channel bindings, or holder-of-key support)
• Production-tested
• Updating to Swift 2.0 in the near future
• Adding attribute extraction soon
• Pull requests/bug reports/audits welcome and encouraged
42. Pitfalls
• If any of the three ECP requests fails, the entire login fails with it. This can be a problem on high-latency cellular networks
• Major systems we integrate with, such as Blackboard, use homegrown Clemson token cookies
• The usefulness of an ECP client is directly proportional to how many university systems adopt Shibboleth over legacy auth