Introduction

Background information is available at:

  • https://indico.cern.ch/getFile.py/access?contribId=7&resId=0&materialId=slides&confId=190743 (general presentation in the MB)
  • https://indico.cern.ch/getFile.py/access?contribId=18&resId=0&materialId=slides&confId=155069 (more specific presentation about the pilot service in the GDB)

It is expected that the working group will work on different aspects:

  • Proof of concept
  • Architecture design and integration in WLCG
  • Pilot service

A more detailed work plan will be provided once the working group is formed.

As far as communication is concerned:

  • The working group will coordinate via a mailing list
  • Remote and possibly face-to-face meetings (e.g. pre-GDB) will also be organised
  • Regular status reports will be provided via the GDB

EMI STS ECP Use case

The following sequence diagram describes an EMI STS use case: converting federation credentials into a Grid proxy. The sequence contains user interaction, but that can be avoided by passing the required data to the UI, for instance as command-line parameters.

(Figure: STS-Sequence.png, sequence diagram of the EMI STS ECP use case)

The sequence can be divided into three phases, which are explained in the following subsections. The use case has the following requirements:

  • The STS and the home IdP trust each other
  • The IdP supports ECP profile
  • The user is registered in VOMS with the subject DN matching the certificate issued in the sequence

User authentication phase

The sequence is the following, as defined in the SAML 2.0 ECP specification:

  • UI initiates the SAML ECP profile by accessing the STS's ECP endpoint
  • STS generates a SAML authentication request, containing a list of its trusted IdPs
  • STS returns the SAML authentication request to the UI
  • UI asks the user to choose his home IdP from the list
  • The user chooses his home IdP
  • UI sends the SAML authentication request to the user's home IdP
  • IdP validates the SAML authentication request
  • IdP asks for user authentication (e.g. HTTP Basic authentication)
  • UI asks for the user credentials
  • User gives his home IdP credentials
  • Credentials are communicated to the home IdP
  • IdP validates the credentials and issues a SAML assertion (targeted to STS) if the authentication was successful
  • IdP returns the SAML assertion to the UI

Grid identity issuance phase

The goal of this phase is to transform the SAML assertion obtained from the previous phase into a Grid proxy.

The sequence is the following:

  • UI generates a keypair (call it keypair 1) and builds the RST (WS-Trust RequestSecurityToken) message containing the public key of keypair 1.
  • UI sends the RST message, which carries the SAML assertion and requests a Grid proxy, to the STS. If the user wants VO attributes inside the proxy, the desired VO-related information (as given to the voms-proxy-init tool) must be included in the request message.
  • STS processes the RST and validates the SAML assertion. It generates a new keypair (call it keypair 2) and a certificate signing request containing the public key of keypair 2. Attributes from the SAML assertion are used to derive the subject DN and any extensions of the CSR.
  • STS sends the CSR to an online CA; currently the CMP protocol is supported for this communication. For instance, the open source CA implementation EJBCA supports the CMP protocol.
  • CA validates the CSR and issues an X.509 end-entity certificate.
  • CA returns the X.509 certificate to the STS, as defined in the CMP protocol.
  • If a VOMS proxy was requested, STS requests the VOMS attribute certificates from the VOMS server. The X.509 certificate that was just issued and its corresponding private key from keypair 2 are used for this.
  • VOMS server validates the request and issues the attribute certificates.
  • VOMS server returns the attribute certificates to the STS.
  • STS generates the proxy certificate, optionally containing the VOMS attribute certificates. The X.509 certificate issued earlier in the sequence, together with its corresponding private key from keypair 2, is used for this. STS can delete keypair 2 after this. STS also generates the RSTR (WS-Trust RequestSecurityTokenResponse) message.
  • STS answers the initial RST by sending the RSTR message back in the response.
  • UI processes the RSTR message and extracts the proxy certificate chain: it contains the end-entity certificate issued in the sequence and the proxy certificate issued after it. The private key of keypair 1 corresponds to the proxy certificate.
  • UI informs the user that the Grid proxy is ready to be used.
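The last STS step and the check a relying Grid service should apply to its result, as an added Go example (not EMI STS code): IssueProxy stands in for the STS certifying the UI's keypair 1 public key with keypair 2, and VerifyProxy is the relying party's RFC 3820 validation of the resulting proxy. It assumes the CA-issued end-entity certificate and keypair 2 are already at hand, and leaves out the CMP and VOMS exchanges; the function names are this example's own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"slices"
	"time"
)
// RFC 3820 identifiers: id-pe-proxyCertInfo, the id-ppl-inheritAll policy language, id-at-commonName.
var (
	oidProxyCertInfo = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 14}
	oidInheritAll    = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 21, 1}
	oidCN            = asn1.ObjectIdentifier{2, 5, 4, 3}
)
type proxyCertInfo struct{ Policy struct{ Language asn1.ObjectIdentifier } } // pCPathLenConstraint omitted
func rdns(raw []byte) (s pkix.RDNSequence) { asn1.Unmarshal(raw, &s); return } // name of a parsed cert, cannot fail

// IssueProxy plays the STS: it certifies the UI's public key (keypair 1) with the end-entity private key
// (keypair 2). RFC 3820: issuer = EE subject, subject = EE subject plus one CN, critical ProxyCertInfo.
func IssueProxy(ee *x509.Certificate, eeKey *rsa.PrivateKey, uiPub *rsa.PublicKey, ttl time.Duration) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	subj, _ := asn1.Marshal(append(rdns(ee.RawSubject), pkix.RelativeDistinguishedNameSET{{Type: oidCN, Value: serial.String()}}))
	pci, _ := asn1.Marshal(proxyCertInfo{struct{ Language asn1.ObjectIdentifier }{oidInheritAll}})
	der, err := x509.CreateCertificate(rand.Reader, &x509.Certificate{
		SerialNumber: serial, RawSubject: subj, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl),
		ExtraExtensions: []pkix.Extension{{Id: oidProxyCertInfo, Critical: true, Value: pci}},
	}, ee, uiPub, eeKey)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

// VerifyProxy is what a Grid service must check before trusting the delegated chain; x509.Verify cannot,
// because it rejects both the critical ProxyCertInfo extension and a non-CA issuer.
func VerifyProxy(proxy, ee *x509.Certificate, now time.Time) error {
	ps, n := rdns(proxy.RawSubject), len(rdns(ee.RawSubject))
	if string(proxy.RawIssuer) != string(ee.RawSubject) || len(ps) != n+1 || len(ps[n]) != 1 ||
		!ps[n][0].Type.Equal(oidCN) || !slices.ContainsFunc(proxy.UnhandledCriticalExtensions, oidProxyCertInfo.Equal) {
		return errors.New("not an RFC 3820 proxy of this EE: issuer, subject CN rule or critical ProxyCertInfo wrong")
	}
	if now.Before(proxy.NotBefore) || now.After(proxy.NotAfter) || proxy.NotAfter.After(ee.NotAfter) {
		return errors.New("proxy validity lies outside the end-entity certificate lifetime")
	}
	return ee.CheckSignature(proxy.SignatureAlgorithm, proxy.RawTBSCertificate, proxy.Signature) // keypair 2 signed it
}
```

Keypair 1's private key never leaves the UI: only its public key enters IssueProxy, and a proxy that outlives the end-entity certificate or lacks the critical ProxyCertInfo extension is rejected by VerifyProxy.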

Grid access phase

As the user's proxy is stored in the filesystem, it can be used by the existing Grid UI tools for accessing Grid services.

EMI STS ADFS Use Case

The use case described above requires ECP profile support from the Identity Provider. ADFS 2.0, among others, does not support the ECP profile at the moment, but it is still capable of issuing the required SAML assertion using the WS-* protocol stack. The following sequence diagram describes a use case similar to the one above, except that ADFS 2.0 is used as the IdP:

(Figure: STS-Sequence-ADFS.png, sequence diagram of the EMI STS ADFS use case)

The use case has the following requirements:

  • The STS and the ADFS trust each other (SAML metadata is shared)
  • The usernamemixed endpoint is enabled in ADFS (it is by default)
  • The user is registered in VOMS with the subject DN matching the certificate issued in the sequence

The only difference is in the User authentication phase, which in this case is the following:

  • UI asks for the user credentials
  • User gives his ADFS credentials
  • UI generates a Username/Password token and attaches it to an RST message requesting a SAML assertion
  • UI sends the RST message to ADFS
  • ADFS validates the credentials and issues a SAML assertion (targeted to STS) if the authentication was successful
  • ADFS returns the SAML assertion to the UI in an RSTR message

CILogon ECP

The following sequence diagram illustrates the current CILogon ECP functionality. SAML ECP is used just like in the EMI STS case above. However, after SAML ECP completes, the client simply POSTs a certificate request to CILogon, and CILogon returns a signed certificate. CILogon does not use WS-Trust and does not call out to VOMS.

(Figure: cilogon-ecp.png, sequence diagram of the CILogon ECP flow)

Using CILogon ECP

To use CILogon ECP it is necessary to have an account at an ECP-enabled InCommon IdP supported by CILogon. Anyone can register for a ProtectNetwork UserID for this purpose. Once you have a ProtectNetwork UserID, the following example illustrates how to download and run the ecp.pl client:

$ curl -sSO https://cilogon.org/ecp.pl
$ perl ecp.pl --get cert -c create -k userkey.pem -o usercert.pem -t 12
Select an Identity Provider (IdP):
  1> LTER Network
  2> ProtectNetwork
  3> University of Chicago
  4> University of Washington
  5> Specify the URL of another IdP

Choose [2]: 2
Enter a username for the Identity Provider: jbasney
Enter a password for the Identity Provider: ********
$ openssl x509 -subject -noout < usercert.pem
subject= /DC=org/DC=cilogon/C=US/O=ProtectNetwork/CN=Jim Basney A685

Additional details about required Perl modules etc. are provided on the CILogon ECP page.

CILogon Browser Interfaces

CILogon also supports multiple interfaces that use SAML Browser Single Sign On (useful for comparison with SAML ECP):

Contact

wlcg-security-fedid-pilot-wg@cern.ch

Meetings

https://indico.cern.ch/categoryDisplay.py?categId=4393


-- RomainWartel - 04-Oct-2012
