Difference between revisions of "VT AAI"
Revision as of 11:48, 5 February 2015
Coordinator: Peter Solagna/EGI.eu
Meetings page:
Mailing list:
Overview
This wiki page contains information about a proof of concept to enable SAML credentials on EGI services. This task is a joint activity between SURFnet and EGI.
Motivation
The goal of this activity is to use federated identity credentials, specifically SAML ones, directly in the services, without using any X509 credential to bridge to EGI services. The main objective is to demonstrate that user communities can independently manage user membership and user authorization on the services in a coordinated way, with a workflow similar to the one used today with the VOMS services. The goal of this activity is not to deploy production services, but to test the technical feasibility of integrating SAML technology into the EGI services while maintaining the features that users need to manage their communities in a distributed infrastructure.
Mandate
The working group will test the technical services from October to December 2013. At the end of this period a short report with the outcomes and the technical suggestions will be prepared and potentially attached to the EGI-InSPIRE deliverables.
Objectives
- Connect cloud services to the SURFnet OpenConext service to retrieve SAML assertions containing user identities and attributes that describe the user capabilities.
- Cloud stacks to be integrated:
- OpenNebula
- OpenStack
- Synnefo
- Connect attribute providers to OpenConext
- Test the feasibility of solutions not including the aggregator (OpenConext)
Milestones/Timeline
Members
Currently the following sites are participating in the proof of concept:
- INFN-Bari
- LIP
- CESNET
- NGI_SI
- Okeanos/GRNET
Please note that, as an IdP proxy, OpenConext itself also acts as an SP towards the connected IdPs.
Identity providers:
- SURFnet IdP
- GRNET AAI, Delos
- OpenConext Proxy IdP (connecting to all SPs)
Attribute providers:
- OpenConext
- Perun (CESNET)
How to Join
Contact: peter.solagna@egi.eu
Technical Information
Summary of the technical information gathered by the working group.
Attributes needed by cloud stack
TODO: List of attributes required by the cloud stacks in order to make the authorization decision.
Attribute friendly name | SAML2 formal name | Attribute syntax | Example of value |
---|---|---|---|
eduPersonTargetedID | urn:oid:1.3.6.1.4.1.5923.1.1.1.10 | xsd:anyURI | urn:mace:uchicago.edu:classes:autumn2004:phys12100.003 |
displayName | urn:oid:2.16.840.1.113730.3.1.241 | xsd:string | |
mail | urn:oid:0.9.2342.19200300.100.1.3 | xsd:string | |
eduPersonPrincipalName | urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | | |
virtual-organization | http://dci-sec.org/saml/attribute/virtual-organization | xsd:string | <AttributeValue xsi:type="xsd:string">example.vo.org</AttributeValue> |
group | http://dci-sec.org/saml/attribute/group | xsd:string | <AttributeValue xsi:type="xsd:string">/atlas/it</AttributeValue> |
Note: VO attributes have been taken from a SAML profile defined within EMI: CERN twiki.
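As an added example (not code from the EGI wiki or from any participating site), the following Python extracts the attributes listed in the table above from a SAML AttributeStatement and makes the VO/group authorization decision a cloud stack would need. The assertion fragment, user, VO name and group paths are constructed, and the policy (a stable identifier required, a VO allow-list, an optional group prefix) is an assumption, not one the page states.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SAML attribute names from the table above (eduPerson OIDs, EMI VO/group names).
ATTR_EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
ATTR_TARGETED_ID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
ATTR_VO = "http://dci-sec.org/saml/attribute/virtual-organization"
ATTR_GROUP = "http://dci-sec.org/saml/attribute/group"

# Constructed sample assertion fragment; not captured from any real IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue xsi:type="xsd:string">alice@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://dci-sec.org/saml/attribute/virtual-organization">
      <saml:AttributeValue xsi:type="xsd:string">example.vo.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://dci-sec.org/saml/attribute/group">
      <saml:AttributeValue xsi:type="xsd:string">/atlas/it</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xsd:string">/atlas/production</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} collected from every AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def authorize(attrs, allowed_vos, required_group_prefix=None):
    """Assumed policy: a stable identifier is mandatory, the VO must be one this
    site serves, and optionally a group under required_group_prefix is needed."""
    identity = attrs.get(ATTR_EPPN) or attrs.get(ATTR_TARGETED_ID)
    if not identity:
        return False, "no eduPersonPrincipalName or eduPersonTargetedID"
    vos = set(attrs.get(ATTR_VO, [])) & set(allowed_vos)
    if not vos:
        return False, "user is not a member of any VO served by this site"
    if required_group_prefix is not None:
        if not any(g.startswith(required_group_prefix) for g in attrs.get(ATTR_GROUP, [])):
            return False, "no group under " + required_group_prefix
    return True, "user %s authorized via VO %s" % (identity[0], sorted(vos)[0])
```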
Metadata of service providers and identity providers
Service providers
Service provider | Cloud stack | Link to metadata | Endpoint to the cloud service GUI |
---|---|---|---|
INFN-Bari | OpenStack Icehouse | https://prisma-test.ba.infn.it:5000/egi-acs/Shibboleth.sso/Metadata | https://prisma-test.ba.infn.it:5000/v3/OS-FEDERATION/identity_providers/egi-acs/protocols/saml2/auth |
CESNET | OpenNebula 4.x | https://crebain2.ics.muni.cz/Shibboleth.sso/Metadata | |
LIP | OpenStack Icehouse | | |
Okeanos/GRNET | Synnefo v0.15.2 | http://aai.grnet.gr/metadata.xml | https://accounts.okeanos-global.grnet.gr/ui/login |
NGI_SI | | | |
OpenConext SP Proxy | SAML 2.0 SAML2INT profile | https://wiki.surfnet.nl/download/attachments/47449729/OpenConextEGIPilot.xml | |
RENAM | OpenNebula 4.x | | |
Identity providers
IdP | Protocol | Link to metadata |
---|---|---|
OpenConext | SAML 2.0 SAML2INT profile | Public SAML metadata (entity descriptor) of the IdP Proxy: https://engine.egipilot.lab.surf.net/authentication/idp/metadata ; public SAML metadata (entities descriptor) for all the IdPs: https://engine.egipilot.lab.surf.net/authentication/proxy/idps-metadata |
EGI SSO | Shibboleth IdP 2.3.8 | https://www.egi.eu/idp/shibboleth |
HEXXA | | https://metadata.eduid.hu/hexaa-for-egi.xml |
EduGAIN | | |
GRNET Delos | Shibboleth IdP 2.4.x | http://aai.grnet.gr/metadata.xml |
Attribute providers
AA | Software | Link to metadata | Query attribute | Provided attributes about existing EGI FedCloud users |
---|---|---|---|---|
Perun | Shibboleth IdP 2.4.0 | https://aa.cesnet.cz/metadata/aa-metadata.xml | eduPersonPrincipalName | sn, cn, givenName, displayName, mail |
Cloud stack configuration tips
OpenStack
References:
Configuring Keystone for Federation
OpenStack Identity API v3 OS-FEDERATION Extension
OpenNebula
See SSP for OpenNebula at MTA SZTAKI
Additional info at opennebula
Plugin for 4.10.1: link