Experimental OpenID Service for DOEGrids - DOEGrids Certificate ...

Nov 17, 2013

Experimental OpenID Service for DOEGrids

Summer Student Program 2008

Jan Durand, ESnet

08/06/08

ESnet OpenID Presentation

2

ESnet

- ESnet is a high-speed network which is hosted at and managed by Berkeley Lab and is funded by the DOE Office of Science to provide network and collaboration services to thousands of Department of Energy scientists and collaborators worldwide.
- ESnet's ATF group supports identity and other secure collaboration services, runs the DOEGrids CA, and supports several Grid CA federations, including TAGPMA and IGTF.
- ESnet is interested in emerging federation technologies such as OpenID and Shibboleth.
- My work is focused on the OpenID authentication protocol.


OpenID Overview

- OpenID is an authentication service for exchanging identity information between endpoints using a digital identifier, typically an OpenID URL.
- Developed in May 2005 by Brad Fitzpatrick at Six Apart and dubbed OpenID 1.0.
- Eliminates the need for multiple usernames across different websites.
- Decentralized: anyone can use/provide OpenIDs.
- Single Sign-On: one sign-on per browser session.
- Relying Parties include LiveJournal, WikiSpaces.
- OpenID Providers include AOL, Yahoo!, Verisign.
- OpenID 2.0 specification released December 2007 with new features (Yadis discovery, proper extension support).



OpenID Overview (protocol flow)

Participants: RP (Web App.), User Agent (Browser), OP (Authentication Service)

1. User Agent -> RP: OpenID URL
2. RP: Discovery on the OpenID URL (Yadis/HTML)
3. RP <-> OP: Association (optional)
4. RP -> User Agent: Redirect user to OP with Authentication request
5. User Agent -> OP: Authentication request + End user credentials
6. OP -> User Agent: Redirect user to RP with Auth. response
7. User Agent -> RP: Authentication response
8. RP <-> OP: Verification (optional)


Objectives

- Experiment with the OpenID protocol and available APIs to assess feasibility of implementation.
- OpenID 1.0 vs. OpenID 2.0: ESnet wants 2.0 but needs to understand interoperability issues with 1.0.
- Create an OpenID Relying Party and Provider tailored for the DOEGrids/ESnet customer base.
- Investigate user authentication using an LDAP server as the source of truth.
- Investigate certificate-based user authentication (DOEGrids CA).


Tools

- SXIP OpenID4Java API: supports the OpenID 2.0 specification, open source, online documentation, Java language.
- Apache HTTP Server: open source, popular, documentation.
- Apache Tomcat as backend to Apache HTTP Server to serve Java Servlets and JavaServer Pages.


Progress

- Created a basic Relying Party to display OpenID Provider responses (parameters, attributes).
- Used responses from commercial providers to model our Provider's behavior and set the standard for its functionality.
- Created an OpenID Provider: authenticates against an LDAP server, complies with the OpenID 2.0 specification (i.e. supports the Attribute Exchange extension and Yadis protocol discovery).


OpenID Overview (username/password authentication against LDAP)

Participants: RP (Web App.), User Agent (Browser), OP (Authentication Service), LDAP Server

1. User Agent -> RP: OpenID URL
2. RP: Discovery on the OpenID URL (Yadis/HTML)
3. RP <-> OP: Association (optional)
4. RP -> User Agent: Redirect user to OP with Authentication request
5. User Agent -> OP: Authentication request + Username + Password
   5. a) OP -> LDAP Server: Username + Password
   5. b) LDAP Server -> OP: Auth. result
6. OP -> User Agent: Redirect user to RP with Auth. response
7. User Agent -> RP: Authentication response
8. RP <-> OP: Verification (optional)

(Screenshot slides for steps 1, 4, 5 and 7 of the username/password flow; the images are not included in this text.)


OpenID Overview (certificate-based authentication)

Participants: RP (Web App.), User Agent (Browser), OP (Authentication Service), LDAP Server

1. User Agent -> RP: OpenID URL
2. RP: Discovery on the OpenID URL (Yadis/HTML)
3. RP <-> OP: Association (optional)
4. RP -> User Agent: Redirect user to OP with Authentication request
5. User Agent -> OP: Authentication request + User certificate
   5. a) OP -> LDAP Server: User certificate
   5. b) LDAP Server -> OP: Auth. result
6. OP -> User Agent: Redirect user to RP with Auth. response
7. User Agent -> RP: Authentication response
8. RP <-> OP: Verification (optional)

(Screenshot slides for steps 1, 4, 5 and 7 of the certificate-based flow; the images are not included in this text.)


Relying Party Issues Encountered

- Compiler errors and server crashes due to missing libraries; copied over the sample application's libraries.
- Understanding the details of the OpenID specification was helpful in debugging, even with sample code, e.g. nonce verification: hosts should synchronize with a NIST time server.
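Added example (not the presentation's code): the check an RP performs on openid.response_nonce, which is where clock synchronization shows up in practice. In OpenID 2.0 the nonce starts with an RFC 3339 UTC timestamp (literal Z, no fractional seconds) and may continue with ASCII characters 33 to 126, up to 255 characters in total; the RP rejects nonces outside a skew window (a stale nonce is also what an unsynchronized clock produces) and never accepts the same nonce twice from the same OP endpoint. The clock value is passed in rather than read from the system so the run is deterministic, and the five-minute max_skew is an assumption.

```python
"""Nonce verification as an RP performs it on openid.response_nonce. Added
example, not code from the ESnet relying party or OpenID4Java. Clock values
and nonces are constructed; `now` is passed in so the run is deterministic,
a real RP uses datetime.now(timezone.utc)."""
import re
from datetime import datetime, timedelta, timezone

# OpenID 2.0 nonce: RFC 3339 UTC timestamp (no fractional seconds, literal Z)
# followed by optional ASCII characters 33 to 126.
NONCE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z([\x21-\x7e]*)$")


def utc(*args):
    """Helper to build a UTC datetime, e.g. utc(2008, 8, 6, 12, 0, 0)."""
    return datetime(*args, tzinfo=timezone.utc)


class NonceChecker:
    """Rejects malformed, stale and replayed response nonces. Nonces are
    scoped per OP endpoint, as the specification requires."""

    def __init__(self, max_skew=timedelta(minutes=5)):  # window is an assumption
        self.max_skew = max_skew
        self.seen = {}  # (op_endpoint, nonce) -> nonce timestamp

    def check(self, op_endpoint, nonce, now):
        """Return "ok", "malformed", "stale" or "replay" for one nonce."""
        if len(nonce) > 255:
            return "malformed"
        m = NONCE_RE.match(nonce)
        if not m:
            return "malformed"
        try:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        except ValueError:  # e.g. month 13: matches the regex but is not a date
            return "malformed"
        if abs(now - ts) > self.max_skew:
            return "stale"  # also what clock skew between OP and RP looks like
        key = (op_endpoint, nonce)
        if key in self.seen:
            return "replay"
        self.seen[key] = ts
        self.expire(now)
        return "ok"

    def expire(self, now):
        """Drop nonces that fell out of the window; the staleness check would
        reject a repeat of them before the replay set is consulted."""
        cutoff = now - self.max_skew
        for key in [k for k, t in self.seen.items() if t < cutoff]:
            del self.seen[key]
```

Because the replay set only needs to hold nonces inside the skew window, a tighter window bounds the RP's memory; a host whose clock drifts past the window will see every legitimate login fail with "stale", which is the symptom the slide refers to.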


OpenID Provider Issues Encountered

- Yadis discovery initially did not work.
- Despite the API documentation, some details had to be learned through experience.
- The API methods and sample code did not perform direct communication.
- The initial SSL configuration on the Apache HTTP Server interfered with the OpenID protocol.



Why certificate-based authentication?

- ESnet has over 2500 DOEGrids CA customers with X.509 certificates.
- Integration with the OpenID service.
- Automatic enrollment.
- The service can be extended to the international grid community and to customers of commercial CAs, e.g. Thawte, VeriSign.
- OpenID allows for attribute exchange and may be easier to use than certificate-based authentication.



Interests/Future Considerations

- Extension support/Attribute Exchange extension
- Directed Identity: sign in with OP URL
- Security concerns, e.g. phishing
- Delegation: you choose your OpenID
- Roadmap/Recommendations to ESnet ATF


Attribute Exchange

- OpenID 2.0 feature, allows for exchange of attributes as UTF-8 strings with no newlines.
- Each attribute must have an associated attribute type URI which MAY be dereferenced to an attribute description.
- No central authority on attribute schema definitions. SXIP hosts the community project www.axschema.org.
- For Yadis discovery, the attribute exchange namespace "http://openid.net/srv/ax/1.0" SHOULD be listed as a <Type> child element of the <Service> element in the XRDS discovery document.
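Added example (not the ESnet provider's code and not OpenID4Java): building and parsing Attribute Exchange fetch messages, enforcing the UTF-8/no-newline rule on the OP side, accepting only AX fields covered by openid.signed on the RP side, and emitting an XRDS document with the AX namespace listed as a <Type> of the <Service>. The attribute type URIs are the axschema.org ones; the endpoint and attribute values are constructed.

```python
"""Attribute Exchange (AX) request/response handling and an XRDS document
advertising AX support. Added example, not code from the ESnet provider or
OpenID4Java. Endpoint and values are constructed; the attribute type URIs are
the axschema.org ones."""
import xml.etree.ElementTree as ET

AX_NS = "http://openid.net/srv/ax/1.0"
AX_TYPES = {"email": "http://axschema.org/contact/email",
            "fullname": "http://axschema.org/namePerson"}
PREFIX = "openid.ax."


def build_fetch_request(required, optional=()):
    """RP side: AX parameters appended to the checkid_setup request."""
    params = {"openid.ns.ax": AX_NS, PREFIX + "mode": "fetch_request"}
    for alias in (*required, *optional):
        params[f"{PREFIX}type.{alias}"] = AX_TYPES[alias]
    if required:
        params[PREFIX + "required"] = ",".join(required)
    if optional:
        params[PREFIX + "if_available"] = ",".join(optional)
    return params


def build_fetch_response(attributes):
    """OP side: attribute values carried in the positive assertion. Each value
    must be a UTF-8 string with no newline, because the signature base is
    newline-delimited KV form; offending values are refused rather than sent."""
    params = {"openid.ns.ax": AX_NS, PREFIX + "mode": "fetch_response"}
    for alias, (type_uri, value) in attributes.items():
        if not isinstance(value, str) or "\n" in value or "\r" in value:
            raise ValueError(f"attribute {alias!r} is not a newline-free string")
        value.encode("utf-8")  # raises on strings that are not valid UTF-8 (lone surrogates)
        params[f"{PREFIX}type.{alias}"] = type_uri
        params[f"{PREFIX}value.{alias}"] = value
    return params


def parse_fetch_response(resp):
    """RP side: map attribute type URI to value, using only fields covered by
    openid.signed. Unsigned AX fields could have been appended by the user
    agent and are ignored."""
    signed = set(resp.get("openid.signed", "").split(","))
    if resp.get("openid.ns.ax") != AX_NS or "ns.ax" not in signed:
        return {}
    if resp.get(PREFIX + "mode") != "fetch_response" or "ax.mode" not in signed:
        return {}
    out = {}
    for key, type_uri in resp.items():
        if not key.startswith(PREFIX + "type."):
            continue
        alias = key[len(PREFIX + "type."):]
        value_key = f"{PREFIX}value.{alias}"
        if value_key in resp and {f"ax.type.{alias}", f"ax.value.{alias}"} <= signed:
            out[type_uri] = resp[value_key]
    return out


def signed_list(params):
    """Field names (without the openid. prefix) an OP would put in openid.signed."""
    return ",".join(k[len("openid."):] for k in params)


def xrds_document(op_endpoint):
    """XRDS document an OP Identifier page serves for Yadis discovery. The AX
    namespace is listed as a second <Type> of the OpenID <Service>."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/server</Type>
      <Type>{AX_NS}</Type>
      <URI>{op_endpoint}</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""


def xrds_supports_ax(xml_text):
    """RP side: true if any <Service> in the XRDS lists the AX type."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "Service":
            types = {t.text for t in el if t.tag.rsplit("}", 1)[-1] == "Type"}
            if AX_NS in types:
                return True
    return False
```

The signed-field check in parse_fetch_response matters because the AX values travel in the same redirect as the assertion: an RP that reads openid.ax.value.* without confirming they are inside openid.signed is trusting whatever the browser delivered.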




Directed Identity

- OpenID 2.0 feature: the user can enter an OP Identifier at the Relying Party instead of their OpenID URL.
- The Relying Party does discovery on the OP Identifier and redirects the end user to the OP with a claimed ID of http://specs.openid.net/auth/2.0/identifier_select.
- At the OP, the user selects their actual OpenID URL to return to the Relying Party.
- The Relying Party is then required to perform discovery on this URL to ensure that the provider is entitled to authenticate it.



Security Concerns

- Phishing is a major concern in the OpenID community.
- Association prevents tampering with signed fields.
- The SSL certificate-based authentication approach eliminates this threat.
- However, on a general scope, Man-in-the-Middle attacks and other security threats can still be investigated.



Delegation

- Allows an end user to use a URL to authenticate at any OpenID provider.
- End user can maintain a consistent OpenID URL while switching between OpenID providers.
- E.g. to use www.jan.com as OpenID URL, add:

    <link rel="openid2.provider" href="http://myopenid.com/server" />
    <link rel="openid2.local_id" href="http://jandurand.myopenid.com" />

  in the <head> tags of the html page.
- Specifying an "X-XRDS-Location" to an XRDS document via:

    <meta http-equiv="X-XRDS-Location" content="location">

  allows for specification of multiple OpenIDs and Providers, catering for load balancing, fallback and prioritization.
- The end user will be authenticated as the Claimed Identifier specified at the Relying Party.
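Added example covering this slide and the Directed Identity slide (not code from the ESnet project or OpenID4Java): HTML-based discovery that reads the delegation <link> tags (OpenID 2.0 uses rel="openid2.provider" and rel="openid2.local_id"; the 1.x equivalents are openid.server and openid.delegate) and the X-XRDS-Location meta tag, plus the re-discovery an RP must perform when the OP, not the user, supplied the claimed identifier. The identifier page, the hostnames and the fetch_page stand-in for an HTTPS GET are constructed.

```python
"""HTML-based discovery (delegation links and X-XRDS-Location) and the
re-discovery check an RP must do after a Directed Identity response. Added
example, not code from the ESnet project or OpenID4Java. The identifier page,
hostnames and response are constructed; fetch_page stands in for HTTP GET."""
from html.parser import HTMLParser
from urllib.parse import urldefrag, urlsplit

IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"


class DiscoveryParser(HTMLParser):
    """Collects the first openid2.provider and openid2.local_id <link> and the
    X-XRDS-Location <meta> from the <head> of an identifier page."""

    def __init__(self):
        super().__init__()
        self.provider = self.local_id = self.xrds_location = None
        self.in_head = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "head":
            self.in_head = True
        elif not self.in_head:
            return  # only tags inside <head> count for discovery
        elif tag == "link":
            rels = (a.get("rel") or "").lower().split()
            if "openid2.provider" in rels and self.provider is None:
                self.provider = a.get("href")
            if "openid2.local_id" in rels and self.local_id is None:
                self.local_id = a.get("href")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "x-xrds-location":
            self.xrds_location = a.get("content")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(html):
    """Return provider endpoint, OP-local identifier and XRDS location, if present."""
    p = DiscoveryParser()
    p.feed(html)
    p.close()
    return {"provider": p.provider, "local_id": p.local_id,
            "xrds_location": p.xrds_location}


def verify_directed_identity(resp, fetch_page):
    """RP side. After an identifier_select request the OP chose the claimed_id,
    so the RP discovers that identifier itself and confirms the asserting OP
    endpoint is the one the identifier delegates to. Returns (ok, reason)."""
    claimed = urldefrag(resp.get("openid.claimed_id", ""))[0]
    op_endpoint = resp.get("openid.op_endpoint")
    if not claimed or claimed == IDENTIFIER_SELECT:
        return False, "response carries no concrete claimed identifier"
    if urlsplit(op_endpoint or "").scheme != "https":
        return False, "OP endpoint is not served over SSL"
    info = discover(fetch_page(claimed))
    if info["provider"] is None:
        return False, "discovery on the claimed identifier found no provider"
    if info["provider"] != op_endpoint:
        return False, "asserting OP is not the provider the identifier delegates to"
    if resp.get("openid.identity") != (info["local_id"] or claimed):
        return False, "OP-local identifier does not match discovery"
    return True, "ok"


# Constructed identifier page using the delegation tags from the slide above;
# the <link> in the body must be ignored.
JAN_PAGE = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/openid" />
<link rel="openid2.local_id" href="https://jan.op.example.net/" />
<meta http-equiv="X-XRDS-Location" content="https://www.jan.example.org/yadis.xml">
</head><body>
<link rel="openid2.provider" href="https://rogue.example.net/openid" />
</body></html>"""
PAGES = {"https://www.jan.example.org/": JAN_PAGE}


def fetch_page(url):
    """Stand-in for an HTTPS GET of the identifier page (constructed data)."""
    return PAGES.get(url, "<html><head></head></html>")
```

When the page carries an X-XRDS-Location, a full Yadis implementation fetches that XRDS document first and falls back to the <link> tags only if it is absent; the HTTPS check on the OP endpoint reflects the recommendation, later in the deck, that all OpenID communication run over SSL.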



Recommendations to ESnet ATF

- Ensure all OpenID communication is on SSL, including discovery, association, and direct verification.
- OpenID 1.x compatibility for the RP removes a lot of functionality. OpenID 1.x compatibility is not costly to implement for the OP.
- Recommend delegation to prevent identity 'correlation', as opposed to issuing multiple OpenIDs per user account.
- Long unsightly OpenID URLs can be mitigated with Directed Identity, e.g. titanium.es.net/provider



Information

For more information on OpenID visit:

- http://openid.net
- http://wiki.openid.net/FAQ
- http://www.doegrids.org/OpenID




Contact

- Dhiva Muruganantham <dhiva@es.net>
- Jan Durand <durand@es.net>
- Mike Helm <helm@fionn.es.net>