Integrating an AAA-based federation mechanism for OpenStack—The CLASSe view

Identity federations enable users, service providers, and identity providers from different organizations to exchange authentication and authorization information securely. In this paper, we present a novel identity federation architecture for cloud services based on the integration of a cloud identity management service with an authentication, authorization, and accounting (AAA) infrastructure. Specifically, we analyse how this type of AAA-based federation can be smoothly integrated into OpenStack, the leading open source cloud software solution, using the Internet Engineering Task Force (IETF) Application Bridging for Federated Access Beyond web (ABFAB) specification for authentication and authorization. We provide details of the implementation undertaken in GÉANT's CLASSe project and show its validation in a real testbed.
