The wiki is deprecated and due to be decommissioned by the end of September 2022.
The content is being migrated to other platforms; new updates will be ignored and lost.
If needed you can get in touch with the EGI SDIS team using operations @ egi.eu.

Difference between revisions of "VT AAI"

 
(30 intermediate revisions by 9 users not shown)
Line 1: Line 1:
<!-- {{Template:Under_construction}} -->
{{EGI_Activity_groups_menubar}}
{{Menubar_VT}}
{{TOC_right}}
[[Category:Virtual_Teams]]


{{Template:Op menubar}} {{TOC_right}}


'''Coordinator''': Peter Solagna/EGI.eu<br>  
'''Coordinator''': Peter Solagna/EGI.eu<br>  
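Review bot: the header swap from {{Template:Op menubar}} {{TOC_right}} to {{EGI_Activity_groups_menubar}}, {{Menubar_VT}} and {{TOC_right}} also changes categorisation: [[Category:Virtual_Teams]] now sits at the top of the page while [[Category:Task_forces]] still appears at the end of the References section in the last hunk, so check that only the intended category survives, otherwise the page is listed under both. The commented-out <!-- {{Template:Under_construction}} --> is dead markup and can be dropped once the page is no longer a draft.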
Line 21: Line 23:


== Mandate  ==
== Mandate  ==
The working group will test the technical services from October to December 2013. At the end of this period a short report with the outcomes and the technical suggestions will be prepared and potentially attached to the EGI-InSPIRE deliverables.
The working group will test the technical services from October to December 2015. At the end of this period a short report with the outcomes and the technical suggestions will be prepared and potentially attached to EGI-Engage project deliverables.


== Objectives  ==
== Objectives  ==
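Review bot: the Mandate now gives a test period of October to December 2015 and names EGI-Engage project deliverables as the target, but the Milestones/Timeline section further down is still empty; put at least the start and end dates of the test period there so the two sections agree, and say which deliverable the report is meant to be attached to rather than "potentially attached".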
Line 41: Line 43:
* NGI_SI
* NGI_SI
* Okeanos/GRNET
* Okeanos/GRNET
Please note that as a IdP proxy, OpenConext itslef also acts as an SP towards connected IdPs


Identity providers:
Identity providers:
* SURFnet,
* SURFnet IdP
* GRNET AAI, Delos
* GRNET AAI, Delos
* OpenConext Proxy IdP (connecting to all SPs)


attribute providers:
Attribute providers:
OpenConext
* OpenConext
* Perun (CESNET)


== How to Join  ==
== How to Join  ==
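Review bot: the added note "Please note that as a IdP proxy, OpenConext itslef also acts as an SP towards connected IdPs" has two typos ("as an IdP proxy", "itself") and is placed under the list of participating sites instead of next to the "OpenConext Proxy IdP (connecting to all SPs)" entry it explains; move it under the Identity providers list. Since the last hunk adds an "OpenConext SP Proxy" row with its own metadata URL, it would help to say here that connected IdPs must load that SP metadata, not the metadata of the individual cloud SPs.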
Line 54: Line 60:
= Technical Information  =
= Technical Information  =


Summary of the technical information gathered by the working group.
Summary of the technical information gathered by the working group.  


== Metadata of service providers and identity providers ==
== Attributes needed by cloud stack  ==


=== Service providers ===
TODO: List of attributes required by the cloud stacks in order to do the authorization decision.


{| class="wikitable"
{| class="wikitable"
!Service provider
!Cloud stack
!Link to metadata
!Endpoint to the cloud service GUI
|-
|-
|INFN-Bari
! Attribute friendly name
|Openstack Icehouse
! SAML2 formal name
! Attribute syntax
! Example of value
|-
|eduPersonTargetedID
|urn:oid:1.3.6.1.4.1.5923.1.1.1.10
|xsd:anyURI
|urn:mace:uchicago.edu:classes:autumn2004:phys12100.003<
|-
|displayName
|urn:oid:2.16.840.1.113730.3.1.241
|xsd:string
|
|
|-
|mail
|urn:oid:0.9.2342.19200300.100.1.3
|xsd:string
|
|
|-
|-
|CESNET
|eduPersonPrincipalName
|OpenNebula 4.x
|urn:oid:1.3.6.1.4.1.5923.1.1.1.6
|
|
|
|
|-
|-
|LIP
|eduPersonEntitlement
|Openstack Icehouse
|URN:OID:1.3.6.1.4.1.5923.1.1.1.7
|
|
|
|urn:mace:egi.eu:EGIpilotCloud
|-
|virtual-organization
|http://dci-sec.org/saml/attribute/virtual-organization
|xsd:string
|<AttributeValue xsi:type="xsd:string">example.vo.org</AttributeValue>
|-
|group
|http://dci-sec.org/saml/attribute/group
|xsd:string
|<AttributeValue xsi:type="xsd:string">/atlas/it</AttributeValue>
|}
'''Note:''' VO attributes have been taken from a SAML profile defined within EMI: [https://twiki.cern.ch/twiki/bin/view/EMI/CommonSAMLProfileV102 CERN twiki].
== Metadata of service providers and identity providers  ==
=== Service providers  ===
{| class="wikitable"
|-
! Service provider
! Cloud stack
! Link to metadata
! Endpoint to the cloud service GUI
|-
| INFN-Bari
| Openstack Icehouse
| https://prisma-test.ba.infn.it:5000/egi-acs/Shibboleth.sso/Metadata
| https://prisma-test.ba.infn.it:5000/v3/OS-FEDERATION/identity_providers/egi-acs/protocols/saml2/auth
|-
| CESNET
| OpenNebula 4.x
| https://crebain2.ics.muni.cz/Shibboleth.sso/Metadata
| https://crebain2.ics.muni.cz
|-
| LIP
| Openstack Juno
| https://nimbus.ncg.ingrid.pt:5000/Shibboleth.sso/Metadata
|
|-
| Okeanos/GRNET
| Synnefo v0.15.2
| http://aai.grnet.gr/metadata.xml
| https://accounts.okeanos-global.grnet.gr/ui/login
|-
|-
|Okeanos/GRNET
| NGI_SI
|Synnefo v0.15.2
| OpenStack (Juno)
|http://aai.grnet.gr/metadata.xml
|  
|https://accounts.okeanos-global.grnet.gr/ui/login
|  
|-
|-
|NGI_SI
| OpenConext SP Proxy 
|
| SAML 2.0 SAML2INT profile
|
| https://wiki.surfnet.nl/download/attachments/47449729/OpenConextEGIPilot.xml
|
|
|-
|-
|RENAM
| RENAM  
|
| OpenNebula 4.x
|
|  
|
|  
|}
|}


=== Identity providers ===
=== Identity providers ===


{| class="wikitable"
{| class="wikitable"
!IdP
!Protocol
!Link to metadata
|-
|-
|OpenConext
! IdP
|
! Protocol
|
! Link to metadata
|-
| OpenConext  
| SAML 2.0 SAML2INT profile
|The Public SAML metadata (the entity descriptor) of the IdP Proxy
 
        https://engine.egipilot.lab.surf.net/authentication/idp/metadata
 
The Public SAML metadata (the entities descriptor) for all the IdPs
 
        https://engine.egipilot.lab.surf.net/authentication/proxy/idps-metadata
 
 
|-
| EGI SSO
| Shibboleth IdP 2.3.8
| https://www.egi.eu/idp/shibboleth
|-
| HEXXA
|  
| https://metadata.eduid.hu/hexaa-for-egi.xml
|-
|-
|EGI SSO
| EduGAIN
|Shibboleth IdP 2.3.8
|  
|https://www.egi.eu/idp/shibboleth
|  
|-
|-
|HEXXA
| GRNET Delos
|
| Shibboleth IdP 2.4.χ
|
| http://aai.grnet.gr/metadata.xml
|}
 
=== Attribute providers  ===
 
{| class="wikitable"
|-
|-
|EduGAIN
! AA
|
! Software
|
! Link to metadata
! Query attribute
! Provided attributes about existing EGI FedCloud users
|-
|-
|GRNET Delos
| Perun
|Shibboleth IdP 2.4.χ
| Shibboleth IdP 2.4.0
|http://aai.grnet.gr/metadata.xml
| https://aa.cesnet.cz/metadata/aa-metadata.xml  
| eduPersonPrincipalName
| sn, cn, givenName, displayName, mail
|}
|}


== Cloud stack configuration tips ==
== Cloud stack configuration tips ==
=== OpenStack ===
References:


[http://docs.openstack.org/developer/keystone/configure_federation.html Configuring Keystone for Federation]
=== OpenStack  ===
 
References:
 
[http://docs.openstack.org/developer/keystone/configure_federation.html Configuring Keystone for Federation]  


[https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md OpenStack Identity API v3 OS-FEDERATION Extension]
[https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md OpenStack Identity API v3 OS-FEDERATION Extension]


=== OpenNebula ===
[http://openstack-in-production.blogspot.it/2014/10/kerberos-and-single-sign-on-with.html CERN setup using Icehouse]
 
=== OpenNebula ===
 
See [http://ssp-for-opennebula.sztaki.hu/ SSP for OpenNebula at MTA SZTAKI]
See [http://ssp-for-opennebula.sztaki.hu/ SSP for OpenNebula at MTA SZTAKI]
Additional info at [http://dev.opennebula.org/issues/1731 opennebula]
Plugin for 4.10.1: [https://github.com/burgosz/opennebula-sunstone-shib link]
=== Synnefo  ===
See [https://www.synnefo.org/docs/synnefo/latest/admin-guide.html#admin-guide  Synnefo Admin Guide]


= References  =
= References  =
[[Category:Task_forces]]
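Review bot: in the new "Attributes needed by cloud stack" table the eduPersonEntitlement row spells the formal name URN:OID:1.3.6.1.4.1.5923.1.1.1.7 while every other row uses lowercase urn:oid:; an SP matches the SAML Name attribute as an exact string (for example in a Shibboleth attribute-map), so write it as urn:oid:1.3.6.1.4.1.5923.1.1.1.7 to avoid a silent non-match. In the same table the eduPersonTargetedID example ends in a stray "<", the eduPersonPrincipalName row has no syntax or example, and the virtual-organization and group examples embed <AttributeValue> markup while the other rows give bare values; give all rows bare values. In the service provider table the OpenConext SP Proxy row puts "SAML 2.0 SAML2INT profile" in the Cloud stack column, and in the identity provider table the HEXXA and EduGAIN rows leave the Protocol column empty and the GRNET Delos version is written "2.4.χ" with a Greek chi where "2.4.x" is meant.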

Latest revision as of 10:09, 22 June 2015



Coordinator: Peter Solagna/EGI.eu

Meetings page

Mailing list:


Overview

This wiki page contains the information about a proof of concept to enable SAML credentials on EGI services. This task is a joint activity between SURFnet and EGI.

Motivation

The goal of this activity is to use federated identity credentials, specifically SAML ones, directly in the services, without using any X509 credential as a bridge to EGI services. The main objective is to demonstrate that user communities can independently manage user membership and user authorization on the services in a coordinated way, with a workflow similar to the one used today with the VOMS services. The goal is not to deploy production services but to test the technical feasibility of integrating SAML technology into the EGI services while keeping the features that users need to manage their communities in a distributed infrastructure.


Mandate

The working group will test the technical services from October to December 2015. At the end of this period a short report with the outcomes and the technical suggestions will be prepared and potentially attached to EGI-Engage project deliverables.

Objectives

  • Connect cloud services to the SURFnet OpenConext service to retrieve SAML assertions containing user identities and attributes that describe the user capabilities.
  • Cloud stacks to be integrated:
    • OpenNebula
    • OpenStack
    • Synnefo
  • Connect attribute providers to OpenConext
  • Test the feasibility of solutions not including the aggregator (OpenConext)

Milestones/Timeline

Members

Currently the following sites are participating in the proof of concept:

  • INFN-Bari
  • LIP
  • CESNET
  • NGI_SI
  • Okeanos/GRNET

Please note that, as an IdP proxy, OpenConext itself also acts as an SP towards the connected IdPs.

Identity providers:

  • SURFnet IdP
  • GRNET AAI, Delos
  • OpenConext Proxy IdP (connecting to all SPs)

Attribute providers:

  • OpenConext
  • Perun (CESNET)

How to Join

Contact: peter.solagna@egi.eu

Technical Information

Summary of the technical information gathered by the working group.

Attributes needed by cloud stack

TODO: List of attributes required by the cloud stacks in order to do the authorization decision.

Columns: Attribute friendly name, SAML2 formal name, Attribute syntax, Example of value.

  • eduPersonTargetedID
    SAML2 formal name: urn:oid:1.3.6.1.4.1.5923.1.1.1.10
    Attribute syntax: xsd:anyURI
    Example of value: urn:mace:uchicago.edu:classes:autumn2004:phys12100.003
  • displayName
    SAML2 formal name: urn:oid:2.16.840.1.113730.3.1.241
    Attribute syntax: xsd:string
  • mail
    SAML2 formal name: urn:oid:0.9.2342.19200300.100.1.3
    Attribute syntax: xsd:string
  • eduPersonPrincipalName
    SAML2 formal name: urn:oid:1.3.6.1.4.1.5923.1.1.1.6
  • eduPersonEntitlement
    SAML2 formal name: URN:OID:1.3.6.1.4.1.5923.1.1.1.7
    Example of value: urn:mace:egi.eu:EGIpilotCloud
  • virtual-organization
    SAML2 formal name: http://dci-sec.org/saml/attribute/virtual-organization
    Attribute syntax: xsd:string
    Example of value: <AttributeValue xsi:type="xsd:string">example.vo.org</AttributeValue>
  • group
    SAML2 formal name: http://dci-sec.org/saml/attribute/group
    Attribute syntax: xsd:string
    Example of value: <AttributeValue xsi:type="xsd:string">/atlas/it</AttributeValue>


Note: VO attributes have been taken from a SAML profile defined within EMI: CERN twiki, https://twiki.cern.ch/twiki/bin/view/EMI/CommonSAMLProfileV102.
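The following is an added example, not code from this wiki page nor from EGI, SURFnet, CESNET or OpenStack. It shows what a cloud SP has to do with the attributes listed above before it can take an authorization decision: pull the values out of an assertion by their formal SAML2 name (folding the urn:oid: prefix so the URN:OID: spelling in the table still matches), then evaluate a mapping rule written in the shape of a Keystone OS-FEDERATION mapping, which here requires eduPersonPrincipalName plus the entitlement urn:mace:egi.eu:EGIpilotCloud before assigning a local user and group. The assertion fragment, the user alice@example.org, the group id egi-pilot-cloud-group and the rule evaluator are constructed for illustration; the evaluator is a simplification of Keystone's own engine and supports only plain matchers and any_one_of.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Formal SAML2 names from the attribute table above, keyed by friendly name.
ATTRIBUTE_NAMES = {
    "eduPersonTargetedID": "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonEntitlement": "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    "virtual-organization": "http://dci-sec.org/saml/attribute/virtual-organization",
    "group": "http://dci-sec.org/saml/attribute/group",
}
FRIENDLY_BY_NAME = {formal: friendly for friendly, formal in ATTRIBUTE_NAMES.items()}

# Constructed sample assertion fragment (not captured from any real IdP).
# Signature and audience checks are assumed to have passed before this point.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
      <saml:AttributeValue xsi:type="xsd:string">alice@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="URN:OID:1.3.6.1.4.1.5923.1.1.1.7" FriendlyName="eduPersonEntitlement">
      <saml:AttributeValue xsi:type="xsd:string">urn:mace:egi.eu:EGIpilotCloud</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xsd:string">urn:mace:example.org:unrelated</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://dci-sec.org/saml/attribute/virtual-organization">
      <saml:AttributeValue xsi:type="xsd:string">example.vo.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://dci-sec.org/saml/attribute/group">
      <saml:AttributeValue xsi:type="xsd:string">/atlas/it</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def normalize_name(name):
    """Fold the urn:oid: prefix to lowercase (the table spells one row URN:OID:);
    every other name is compared exactly as sent."""
    if name[:8].lower() == "urn:oid:":
        return "urn:oid:" + name[8:]
    return name

def extract_attributes(assertion_xml):
    """Return {friendly_name: [values]}, keyed on the formal Name only.
    FriendlyName is never used for matching: it is informational and an IdP
    could attach any FriendlyName to any OID."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        formal = normalize_name(attr.get("Name", ""))
        key = FRIENDLY_BY_NAME.get(formal, formal)  # unknown attributes keep the formal name
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(key, []).extend(v for v in values if v)
    return attrs

# Rule in the shape of a Keystone OS-FEDERATION mapping (assumption: simplified;
# only plain "type" matchers and "any_one_of" are evaluated). The group id is a
# hypothetical local group that grants access to the pilot cloud.
MAPPING_RULES = [
    {
        "local": [
            {"user": {"name": "{0}"}},
            {"group": {"id": "egi-pilot-cloud-group"}},
        ],
        "remote": [
            {"type": "eduPersonPrincipalName"},
            {"type": "eduPersonEntitlement", "any_one_of": ["urn:mace:egi.eu:EGIpilotCloud"]},
        ],
    }
]

def evaluate_mapping(attrs, rules):
    """Return the local identity built by the first rule whose remote matchers
    all succeed, or None (deny) when no rule matches."""
    for rule in rules:
        captured = []  # values of plain matchers, substituted into {0}, {1}, ...
        for matcher in rule["remote"]:
            values = attrs.get(matcher["type"], [])
            if not values:
                break  # required attribute absent: rule fails
            if "any_one_of" in matcher:
                if not set(values) & set(matcher["any_one_of"]):
                    break  # none of the accepted values present: rule fails
            else:
                captured.append(values[0])
        else:  # every matcher passed
            return {
                key: {k: v.format(*captured) for k, v in spec.items()}
                for item in rule["local"]
                for key, spec in item.items()
            }
    return None

def authorize(assertion_xml, rules=MAPPING_RULES):
    """None means deny; otherwise the local user and group the SP should act as."""
    return evaluate_mapping(extract_attributes(assertion_xml), rules)
```

The any_one_of matcher deliberately contributes nothing to the {0} substitution, so the entitlement can only gate access and never ends up in a local user name; the plain eduPersonPrincipalName matcher is what names the user. Dropping the entitlement value, or the eduPersonPrincipalName attribute, makes authorize() return None.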

Metadata of service providers and identity providers

Service providers

Columns: Service provider, Cloud stack, Link to metadata, Endpoint to the cloud service GUI.

  • INFN-Bari
    Cloud stack: Openstack Icehouse
    Link to metadata: https://prisma-test.ba.infn.it:5000/egi-acs/Shibboleth.sso/Metadata
    Endpoint to the cloud service GUI: https://prisma-test.ba.infn.it:5000/v3/OS-FEDERATION/identity_providers/egi-acs/protocols/saml2/auth
  • CESNET
    Cloud stack: OpenNebula 4.x
    Link to metadata: https://crebain2.ics.muni.cz/Shibboleth.sso/Metadata
    Endpoint to the cloud service GUI: https://crebain2.ics.muni.cz
  • LIP
    Cloud stack: Openstack Juno
    Link to metadata: https://nimbus.ncg.ingrid.pt:5000/Shibboleth.sso/Metadata
  • Okeanos/GRNET
    Cloud stack: Synnefo v0.15.2
    Link to metadata: http://aai.grnet.gr/metadata.xml
    Endpoint to the cloud service GUI: https://accounts.okeanos-global.grnet.gr/ui/login
  • NGI_SI
    Cloud stack: OpenStack (Juno)
  • OpenConext SP Proxy
    Cloud stack: SAML 2.0 SAML2INT profile
    Link to metadata: https://wiki.surfnet.nl/download/attachments/47449729/OpenConextEGIPilot.xml
  • RENAM
    Cloud stack: OpenNebula 4.x

Identity providers

Columns: IdP, Protocol, Link to metadata.

  • OpenConext
    Protocol: SAML 2.0 SAML2INT profile
    Link to metadata: the public SAML metadata (the entity descriptor) of the IdP Proxy is at
      https://engine.egipilot.lab.surf.net/authentication/idp/metadata
    and the public SAML metadata (the entities descriptor) for all the IdPs is at
      https://engine.egipilot.lab.surf.net/authentication/proxy/idps-metadata
  • EGI SSO
    Protocol: Shibboleth IdP 2.3.8
    Link to metadata: https://www.egi.eu/idp/shibboleth
  • HEXXA
    Link to metadata: https://metadata.eduid.hu/hexaa-for-egi.xml
  • EduGAIN
  • GRNET Delos
    Protocol: Shibboleth IdP 2.4.x
    Link to metadata: http://aai.grnet.gr/metadata.xml

Attribute providers

Columns: AA, Software, Link to metadata, Query attribute, Provided attributes about existing EGI FedCloud users.

  • Perun
    Software: Shibboleth IdP 2.4.0
    Link to metadata: https://aa.cesnet.cz/metadata/aa-metadata.xml
    Query attribute: eduPersonPrincipalName
    Provided attributes about existing EGI FedCloud users: sn, cn, givenName, displayName, mail
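The tables above are lists of metadata URLs to exchange between the SPs, the IdPs and the attribute authority. As an added example (not code from this page or from any of the sites listed), the following parses a fetched metadata document, either a single entity descriptor or the entities descriptor that a proxy such as OpenConext publishes for all its IdPs, lists the endpoints that will receive assertions (SP) or authentication requests (IdP), and flags what an operator checks before loading the entity into a trust store: an endpoint not served over https, no published key, or an SP that does not ask for signed assertions. Both metadata documents embedded below are constructed; the entityIDs and hostnames are placeholders and the certificate values are dummy strings.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Which endpoint element matters per role: the SP's ACS receives assertions,
# the IdP's SSO endpoint receives authentication requests.
ROLE_ENDPOINTS = {
    "SPSSODescriptor": "AssertionConsumerService",
    "IDPSSODescriptor": "SingleSignOnService",
}

# Constructed SP entity descriptor (placeholder entityID, hostname and certificate).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://cloud.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
      WantAssertionsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>DUMMY-CERT-SP</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://cloud.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://cloud.example.org/Shibboleth.sso/SAML2/POST" index="2"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed entities descriptor wrapping two IdPs, as a proxy publishes for all its IdPs.
SAMPLE_IDPS_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="urn:example:pilot-idps">
  <md:EntityDescriptor entityID="https://idp-a.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>DUMMY-CERT-A</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-a.example.org/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.org/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp-b.example.org/idp/SSO"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def check_metadata(xml_text):
    """Parse one EntityDescriptor or an EntitiesDescriptor and return, per entity,
    its roles, its endpoints and the findings to review before trusting it."""
    root = ET.fromstring(xml_text)
    md = "{%s}" % NS["md"]
    if root.tag == md + "EntityDescriptor":
        entities = [root]
    else:
        entities = root.findall(".//md:EntityDescriptor", NS)
    report = []
    for ent in entities:
        entry = {"entityID": ent.get("entityID"), "roles": [], "endpoints": [], "findings": []}
        for role_tag, ep_tag in ROLE_ENDPOINTS.items():
            for role in ent.findall("md:" + role_tag, NS):
                entry["roles"].append(role_tag)
                # Element objects with no children are falsy, so test against None.
                if role.find("md:KeyDescriptor", NS) is None:
                    entry["findings"].append(role_tag + ": no KeyDescriptor published")
                if role_tag == "SPSSODescriptor" and role.get("WantAssertionsSigned", "").lower() != "true":
                    entry["findings"].append("SPSSODescriptor: WantAssertionsSigned is not true")
                for ep in role.findall("md:" + ep_tag, NS):
                    loc = ep.get("Location", "")
                    entry["endpoints"].append((ep_tag, ep.get("Binding", ""), loc))
                    if not loc.startswith("https://"):
                        entry["findings"].append(ep_tag + " not served over https: " + loc)
        if not entry["roles"]:
            entry["findings"].append("no SP or IdP role descriptor")
        report.append(entry)
    return report
```

Run check_metadata() over the text fetched from one of the metadata URLs in the tables; an empty findings list for every entity is the expected result before the entity is added to an SP's or IdP's metadata provider configuration.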

Cloud stack configuration tips

OpenStack

References:

Configuring Keystone for Federation: http://docs.openstack.org/developer/keystone/configure_federation.html

OpenStack Identity API v3 OS-FEDERATION Extension: https://github.com/openstack/identity-api/blob/master/v3/src/markdown/identity-api-v3-os-federation-ext.md

CERN setup using Icehouse: http://openstack-in-production.blogspot.it/2014/10/kerberos-and-single-sign-on-with.html

OpenNebula

See SSP for OpenNebula at MTA SZTAKI: http://ssp-for-opennebula.sztaki.hu/

Additional info at the OpenNebula issue tracker: http://dev.opennebula.org/issues/1731

Plugin for 4.10.1: https://github.com/burgosz/opennebula-sunstone-shib

Synnefo

See the Synnefo Admin Guide: https://www.synnefo.org/docs/synnefo/latest/admin-guide.html#admin-guide

References