EduGain Federation – Web SSO
Bruno Bompastor: CERN Cloud Report

Slide 1: EduGain Federation – Web SSO
[Diagram: EduGain ↔ CERN SSO]

Slide 2: Horizon’s View of EduGain
• Presents Web SSO to user
• Login successful with attributes
  • e.g. [email protected]
• Map attributes to groups
  • e.g. grouplist=indigo-dataclouds-admin
• Map groups to roles
  • e.g. project member of “EU Indigo DataClouds”

Slide 3: Federation using SAML
• Works with CLI access using SAML/ECP

Slide 4: Keystone to Keystone Federation
• Needs Kilo+ for Keystone to become an IdP
• Administrator
  • Establishes trust between the CERN cloud and the INFN cloud
  • Defines mappings
• INFN user
  • Authenticates against the INFN cloud Keystone
  • CERN cloud Keystone accepts the user's token for defined roles in a project
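Slides 2 and 4 both rest on the same mechanism: the attributes asserted by the remote side (EduGain's SAML IdP, or the INFN Keystone acting as IdP) are mapped to local groups, and groups are mapped to project roles. The following is an added example, not code from the presentation or from Keystone: a small, simplified re-implementation of that three-stage evaluation. The rule syntax mirrors the shape of Keystone's JSON mapping rules (remote conditions with any_one_of / not_any_of, local user and group entries with {i} placeholders), but only those constructs are supported and the engine semantics are an assumption of this example. The group name, project name, domain name and the sample assertions are constructed.

```python
"""Simplified evaluation of Keystone-style federation mapping rules.

Added example (not Keystone's mapping engine): assertion attributes -> local
user and groups -> project roles, with the deny case when nothing matches.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed mapping in the shape of a Keystone mapping rule set.
MAPPING = {
    "rules": [
        {
            # Users whose grouplist attribute contains the admin group
            "remote": [
                {"type": "eppn"},
                {"type": "grouplist", "any_one_of": ["indigo-dataclouds-admin"]},
            ],
            "local": [
                {"user": {"name": "{0}"}},
                {"group": {"name": "indigo-dataclouds-admin",
                           "domain": {"name": "Default"}}},
            ],
        },
        {
            # Catch-all: any federated user with an eppn gets a local identity, no groups
            "remote": [{"type": "eppn"}],
            "local": [{"user": {"name": "{0}"}}],
        },
    ]
}

# Constructed "map groups to roles" stage: group -> [(project, role), ...]
GROUP_ROLES = {
    "indigo-dataclouds-admin": [("EU Indigo DataClouds", "member")],
}

# Constructed sample assertions as they would arrive after a successful login
ADMIN_ASSERTION = {"eppn": "alice@example.org",
                   "grouplist": ["indigo-dataclouds-admin", "other-group"]}
PLAIN_ASSERTION = {"eppn": "bob@example.org", "grouplist": ["unrelated"]}
NO_EPPN_ASSERTION = {"grouplist": ["indigo-dataclouds-admin"]}


@dataclass
class MappedIdentity:
    user: Optional[str] = None
    groups: List[str] = field(default_factory=list)
    roles: List[Tuple[str, str]] = field(default_factory=list)


def _condition_matches(cond: Dict, assertion: Dict) -> bool:
    """One remote condition: attribute must be present; optional value filters."""
    raw = assertion.get(cond["type"])
    if raw is None:
        return False                      # attribute absent: rule cannot apply
    values = set(raw if isinstance(raw, list) else [raw])
    if "any_one_of" in cond:
        return bool(values & set(cond["any_one_of"]))
    if "not_any_of" in cond:
        return not (values & set(cond["not_any_of"]))
    return True                           # presence-only condition


def evaluate_mapping(mapping: Dict, assertion: Dict) -> MappedIdentity:
    """Apply every rule whose remote conditions all hold; union the local results."""
    identity = MappedIdentity()
    for rule in mapping["rules"]:
        if not all(_condition_matches(c, assertion) for c in rule["remote"]):
            continue
        # "{i}" in a local entry refers to the i-th remote attribute (first value)
        positional = []
        for c in rule["remote"]:
            v = assertion[c["type"]]
            positional.append(v[0] if isinstance(v, list) else v)
        for local in rule["local"]:
            if "user" in local:
                identity.user = local["user"]["name"].format(*positional)
            if "group" in local:
                group = local["group"]["name"].format(*positional)
                if group not in identity.groups:
                    identity.groups.append(group)
    return identity


def assign_roles(identity: MappedIdentity, group_roles: Dict) -> MappedIdentity:
    """Second stage: project roles are derived only from mapped groups."""
    for group in identity.groups:
        for project_role in group_roles.get(group, []):
            if project_role not in identity.roles:
                identity.roles.append(project_role)
    return identity


def authorize(assertion: Dict, mapping=MAPPING, group_roles=GROUP_ROLES) -> MappedIdentity:
    """Full pipeline; an assertion matching no rule yields no local user and is denied."""
    identity = assign_roles(evaluate_mapping(mapping, assertion), group_roles)
    if identity.user is None:
        raise PermissionError("no mapping rule matched the assertion")
    return identity


if __name__ == "__main__":
    for name, a in [("admin", ADMIN_ASSERTION), ("plain", PLAIN_ASSERTION)]:
        print(name, authorize(a))
    try:
        authorize(NO_EPPN_ASSERTION)
    except PermissionError as exc:
        print("no-eppn:", exc)
```

The point worth checking in a real deployment is the same one the example encodes: roles are only ever reached through a group that a rule explicitly produced, and an assertion carrying the admin group name but lacking the identifying attribute the rules require is rejected rather than silently mapped.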

Slide 5: Public cloud support
• 30 public cloud vendors and distributions announced support by EOY 2015
  • Rackspace
  • IBM
  • HP
  • …

Slide 6: Multiple authentication protocols

Slide 7: X.509, Kerberos and VOMS
• OS_AUTH_TYPE end-user variable in the unified CLI
  • v3Kerberos
  • v3x509
• CERN cloud supports X.509 and Kerberos using REMOTE_USER
  • Environment variable set to give the authentication method
  • Apache authenticates for the URL and passes the user id etc. to the Keystone service
• Potential to support VOMS via the same mechanism
  • Alvaro Garcia (CSIC) will update EGI FC support in Keystone during the summer
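The REMOTE_USER approach on slide 7 moves authentication into Apache: the web server does the X.509 or Kerberos handshake and hands the result to Keystone through the request environment. The service's only job is to consume that environment correctly. The following is an added example, not Keystone's external-auth plugin and not CERN's configuration: a minimal WSGI handler that shows the trust boundary. REMOTE_USER and AUTH_TYPE are the standard CGI/WSGI variable names that Apache populates; the table mapping AUTH_TYPE values to method names, the "Negotiate" value for Kerberos, the placeholder value for X.509 and the sample environs are constructed for the example.

```python
"""Consuming web-server authentication results safely (added example).

Apache authenticates the request and sets REMOTE_USER / AUTH_TYPE in the
environment. Client request headers also land in the WSGI environ, but as
HTTP_* keys, so a client-supplied "Remote-User:" header appears as
HTTP_REMOTE_USER and must never be consulted.
"""
from typing import Dict, Tuple

# Constructed: which server-set AUTH_TYPE values this service accepts and what
# authentication method each represents. "Negotiate" is what Kerberos/SPNEGO
# modules commonly set; the X.509 value is a placeholder, since which variable
# Apache sets for client-certificate authentication depends on the module used.
TRUSTED_AUTH_TYPES = {
    "Negotiate": "kerberos",
    "X509-CLIENT-CERT-PLACEHOLDER": "x509",
}

# Constructed sample environs
KERBEROS_ENVIRON = {"REMOTE_USER": "alice@EXAMPLE.ORG", "AUTH_TYPE": "Negotiate"}
HEADER_ONLY_ENVIRON = {"HTTP_REMOTE_USER": "alice@EXAMPLE.ORG"}       # header, not server
NO_AUTH_TYPE_ENVIRON = {"REMOTE_USER": "alice@EXAMPLE.ORG"}           # method unknown


class ExternalAuthError(Exception):
    """Raised when the request did not carry a server-established identity."""


def identity_from_environ(environ: Dict[str, str],
                          trusted_auth_types=TRUSTED_AUTH_TYPES) -> Tuple[str, str]:
    """Return (user_id, method) derived only from server-set variables."""
    user = environ.get("REMOTE_USER")          # set by Apache, never by the client
    auth_type = environ.get("AUTH_TYPE")       # set by the authenticating module
    if not user:
        raise ExternalAuthError("request was not authenticated by the web server")
    if auth_type not in trusted_auth_types:
        raise ExternalAuthError(f"unsupported or missing AUTH_TYPE: {auth_type!r}")
    return user, trusted_auth_types[auth_type]


def keystone_like_app(environ, start_response):
    """Minimal WSGI application standing in for the service behind Apache."""
    try:
        user, method = identity_from_environ(environ)
    except ExternalAuthError as exc:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"authenticated {user} via {method}".encode()]


def call_app(environ: Dict[str, str]) -> Tuple[str, str]:
    """Invoke the app in-process and return (status, body); constructed harness."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(keystone_like_app(dict(environ), start_response))
    return captured["status"], body.decode()


if __name__ == "__main__":
    for label, env in [("kerberos", KERBEROS_ENVIRON),
                       ("header-only", HEADER_ONLY_ENVIRON),
                       ("no-auth-type", NO_AUTH_TYPE_ENVIRON)]:
        print(label, call_app(env))
```

Two deployment checks follow from this: the service port must be reachable only through the Apache instance that performs the authentication, since REMOTE_USER is only meaningful when that server set it, and the service should fail closed when the authentication method is absent rather than assuming one.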