Kershaw_Contrail - MPIP FIM Workshop 20120621

Contrail and Federated Identity Management
Philip Kershaw, RAL Space, STFC
Jens Jensen, e-Science, STFC
(and others: XLab, CNR, INRIA …)
contrail is co-funded by the EC
7th Framework Programme
Outline
• Contrail overview and goals
• Architecture
• Single sign-on
• Delegation requirements
• Delegation solutions
• OAuth flow
• Conclusions
• Collaborations
contrail-project.eu
Contrail Overview and Goals
• EC FP7 Project, led by INRIA, 36 months, completes Sept 2013
• Federation of cloud providers
• Federation with external IdPs
• “Elastic” CAs for dynamically created services
• Autonomous SLA management from SLA@SOI project
• IaaS and PaaS integration
• Reuse of existing open standards: OVF, OCCI, CDMI; WS-Security; SLA@SOI models
Contrail Overview and Goals (continued)
Callout on “Federation with external IdPs”: federated access to resources, building on existing identity federations.
Architecture
(Diagram) Layers shown: clients (Federation CLI and Browser: browser and rich client access); Federation Web Portal; REST API; Federation core (Online CA, Federation Identity Provider); Federation of Cloud Providers.
Architecture – Single Sign-on
(Diagram) The architecture diagram with "Single Sign-on" marked at three points: between the clients (Federation CLI, Browser) and the Federation Web Portal; between the portal and the Federation core via credentials mapping and the REST API (Online CA, Federation Identity Provider); and between the Federation core and the Cloud Providers.
Architecture – Delegation
(Diagram) The same architecture (Federation CLI, Browser, Federation Web Portal, REST API, Online CA, Federation core, Federation Identity Provider, Cloud Providers) annotated "Multiple delegation hops" from the clients through the portal to the core and on to the Cloud Providers.
Delegation … but how?
• A delegator delegates authority to another party, the delegatee
• The rights that the delegatee inherits can vary, e.g.:
  • Identity-based: inherits all the rights of the user
  • Inherits the right to access a single resource
• Some technology options:
  • GSI Proxy certificates
  • OAuth 1.0 (CILogon), OAuth 2.0?
  • Others…
Delegation: technology options
• GSI Proxy certificates
  • Delegatee inherits all the rights of the user
  • Custom SSL extensions needed to support verification
• OAuth 1.0
  • Gained traction in the commercial environment: Twitter etc.
  • Digital signature over HTTP header artifacts: canonicalisation can be problematic
• OAuth 2.0
  • Simplified flow
  • Uses SSL: no digital signature implementation necessary
• CILogon
  • Uses OAuth to protect a short-lived credential service (SLCS), but based on OAuth 1.0
  • Delegatees obtain a standard End Entity Certificate
• SLCS + OAuth 2.0 ✔
OAuth Flow (steps 1 to 9)
Objective: get a delegated credential for the portal to make onward requests to the federation core.
Components in the diagram: Browser; Federation Web Portal [OAuth Client]; Online CA [OAuth Resource Server]; OAuth Authorisation Server; Federation Identity Provider; Federation core; Cloud Providers.
1. User request from the browser to the Federation Web Portal
2. Portal requests authorisation for delegation from the user
3. User is redirected to the authorisation server
4. User authenticates and approves the delegation request
5. Authorisation grant returned to the portal via a redirect (… redirect back to portal)
6. Portal requests a certificate (the OAuth access token), passing the authorisation grant as proof of user approval
7. Online CA authenticates the portal and returns the certificate
8. Portal uses the certificate to authenticate with core services
9. Further delegation needed from the Federation core to the Cloud Providers: ‘2-legged’ OAuth
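The flow above, modelled end to end as an added example (not Contrail's or CILogon's code): the Federation Web Portal acts as OAuth client, the Online CA as resource server, and the credential is an HMAC-signed record standing in for the X.509 EEC a real SLCS would issue. The class and scope names, the client secret and the 60-second grant lifetime are assumptions; the checks shown (single-use grant bound to the client that requested it, client authentication before issuance, signature and lifetime verification at the core) are the ones the flow depends on.

```python
import hashlib, hmac, secrets, time

CA_KEY = b"constructed-online-ca-signing-key"  # stand-in for the CA's private key (assumption)

class AuthorisationServer:
    """OAuth Authorisation Server: authenticates the user, issues single-use grants (steps 3-5)."""
    def __init__(self):
        self.grants = {}  # code -> (user, client_id, scope, expiry)

    def approve(self, user, client_id, scope):
        code = secrets.token_urlsafe(16)  # the authorisation grant sent back via redirect
        self.grants[code] = (user, client_id, scope, time.time() + 60)
        return code

    def redeem(self, code, client_id):
        # Grant must be unused (pop), unexpired, and bound to the client that requested it
        grant = self.grants.pop(code, None)
        if grant is None or grant[1] != client_id or time.time() > grant[3]:
            raise PermissionError("invalid, expired or replayed authorisation grant")
        return grant[0], grant[2]

class OnlineCA:
    """OAuth Resource Server: authenticates the portal, then issues the credential (step 7)."""
    def __init__(self, auth_server, client_secrets, lifetime=3600):
        self.auth_server, self.client_secrets, self.lifetime = auth_server, client_secrets, lifetime

    def issue(self, client_id, client_secret, code):
        if not hmac.compare_digest(self.client_secrets.get(client_id, ""), client_secret):
            raise PermissionError("client authentication failed")  # portal must prove itself
        user, scope = self.auth_server.redeem(code, client_id)   # step 6: grant as proof of approval
        # HMAC-signed record stands in for the X.509 EEC a real SLCS would issue
        body = f"{user}|{client_id}|{scope}|{int(time.time()) + self.lifetime}"
        return body + "|" + hmac.new(CA_KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_credential(cred, needed_scope):
    """Federation core (step 8): check signature, lifetime and the delegated rights."""
    body, _, sig = cred.rpartition("|")
    expected = hmac.new(CA_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    _user, _client, scope, expiry = body.split("|")
    return time.time() < int(expiry) and needed_scope in scope.split(",")

def run_flow(user="alice", scope="core:read"):
    """Steps 1-7 end to end; returns the credential the portal uses in step 8."""
    auth = AuthorisationServer()
    ca = OnlineCA(auth, {"portal": "constructed-portal-secret"})
    code = auth.approve(user, "portal", scope)
    return ca.issue("portal", "constructed-portal-secret", code)
```

Limiting the scope in the grant is what lets the delegatee inherit less than the user's full rights, the distinction the earlier slide draws against GSI proxy certificates.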
Development Status
• Web portal and federation SSO demonstrated with support for:
  • SAML
  • OpenID
• Command-line SSO with a shell script client to the Short-Lived Credential Service (X.509 EECs)
• Delegation with a 2-legged OAuth-like interface; full OAuth to be integrated
Technology used
Federation Web Portal
• User interface: Python 2.7+ / Django 1.4 / buildout / Apache2
• SAML2: Djangosaml2 v0.5
• OpenID: Django-authopenid
Federation IdP
• IdP: SimpleSAMLphp 1.9 rc2
• User DB: Java 6 / JPA subclipse / Tomcat
Conclusion
• Single sign-on support with:
  • Browser: SAML2 and OpenID
  • Other clients: X.509 short-lived end entity certificates
• Delegation with an OAuth 2.0 protected Short-Lived Credential Service
• Can we offer Federation-in-a-box or federation-as-a-service?
=> Federated access to resources, building on existing identity federations.
Contrail collaborations
• Contrail evaluation with:
  • EUDAT, CLARIN, ENES
  • EGI federated cloud task force
  • Climate science and Earth Observation communities: OAuth solution for workflows
• OGF groups:
  • FEDSEC-CG: federated identity for grids and clouds
  • IDEL-WG: working group on identity delegation
  • Cloud security activities
• ... Moonshot
contrail is co-funded by the
EC 7th Framework Programme
Funded under: FP7 (Seventh Framework Programme)
Area: Internet of Services, Software & virtualization (ICT2009.1.2)
Project reference: 257438
Total cost: 11,29 million euro
EU contribution: 8,3 million euro
Execution: From 2010-10-01 till 2013-09-30
Duration: 36 months
Contract type: Collaborative project (generic)