Bruno Bompastor: CERN Cloud Report 1
EduGain Federation – Web SSO
EduGain / CERN SSO
Horizon’s View of EduGain
• Presents Web SSO to user
• Login successful with attributes
  • e.g. [email protected]
• Map attributes to groups
  • e.g. grouplist=indigo-dataclouds-admin
• Map groups to roles
  • e.g. project member of “EU Indigo DataClouds”
Federation using SAML
• Works with CLI access using SAML/ECP
Keystone to Keystone Federation
• Needs Kilo+ for Keystone to become an IdP
• Administrator
  • Establishes trust between CERN cloud and INFN cloud
  • Defined mappings
• INFN User
  • Authenticates against INFN cloud Keystone
  • CERN cloud Keystone accepts his token for defined roles in a project
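
The attribute-to-group-to-role chain from the Horizon slide, which the "defined mappings" of Keystone to Keystone federation also rely on, as an added example that is not code from the slides or from Keystone. The rule layout ("remote" conditions, "local" results) follows Keystone's mapping format; the evaluator is a simplified stand-in, and the local group name, the ';' separator for multi-valued attributes and the sample users are assumptions.

```python
# Added example: simplified evaluator for Keystone-style federation mapping rules.
# Not Keystone's code; sample values are constructed.

MAPPING = {"rules": [{
    "remote": [
        {"type": "REMOTE_USER"},
        {"type": "grouplist", "any_one_of": ["indigo-dataclouds-admin"]},
    ],
    "local": [{"user": {"name": "{0}"}},
              {"group": {"name": "indigo-admins"}}],  # hypothetical local group
}]}

# Local group -> (role, project), as assigned by the cloud administrator.
GROUP_ROLES = {"indigo-admins": ("member", "EU Indigo DataClouds")}

def _values(assertion, attr):
    """Split a multi-valued attribute (assumed ';'-separated) into a list."""
    return [v for v in assertion.get(attr, "").split(";") if v]

def _match(cond, assertion):
    """Return the values satisfying one remote condition, or None."""
    vals = _values(assertion, cond["type"])
    if not vals:
        return None  # attribute absent: the condition fails
    if "any_one_of" in cond:
        hits = [v for v in vals if v in cond["any_one_of"]]  # exact match only
        return hits or None
    if "not_any_of" in cond:
        return None if any(v in cond["not_any_of"] for v in vals) else vals
    return vals

def map_assertion(assertion, mapping=MAPPING):
    """Return (user, roles); roles stays empty when no rule matches."""
    user, roles = None, set()
    for rule in mapping["rules"]:
        matched = [_match(c, assertion) for c in rule["remote"]]
        if any(m is None for m in matched):
            continue  # every remote condition must hold
        for local in rule["local"]:
            if "user" in local:
                user = local["user"]["name"].format(*[m[0] for m in matched])
            if "group" in local:
                role = GROUP_ROLES.get(local["group"]["name"])
                if role:
                    roles.add(role)
    return user, roles
```

A federated login whose grouplist only resembles the expected value, or lacks the attribute entirely, ends up with no user and no roles, which is the default a mapping should be checked for.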
Public cloud support
• 30 public cloud vendors and distributions announced support by EOY 2015
  • Rackspace
  • IBM
  • HP
  • …
Multiple authentication protocols
X.509, Kerberos and VOMS
• OS_AUTH_TYPE end user variable in unified CLI
  • v3Kerberos
  • v3x509
• CERN cloud supports X.509 and Kerberos using REMOTE_USER
  • Environment variable set to give authentication method
  • Apache authenticates for the URL and passes user id etc to the Keystone service
• Potential to support VOMS via same mechanism
  • Alvaro Garcia (CSIC) will update EGI FC support in Keystone during the summer