Implementing Red Hat Identity Management (IPA) for Improved Identity Management and Access Control
Discover how BNL addressed challenges with individual Kerberos realms by migrating to Red Hat Identity Management (IPA) for streamlined SSO and federated access. Learn about the benefits of IPA architecture, user migration from OpenLDAP, and the successful implementation of IPA in a production environment with over 5200 Linux clients.
Presentation Transcript
BNL activities on federated access and SSO. Tejas Rao, Spring HEPiX, San Diego, CA, March 26th, 2019. In collaboration with Jamal Irving and Mizuki Karasawa.
Motivation
- Individual experiments (RHIC, ATLAS, SDCC) each had their own Kerberos realm, and managing the individual realms was getting difficult.
- Some users had multiple accounts and passwords.
- Shibboleth configuration and management is complex.
- There was a desire for SSO and federated access for applications such as Invenio, Indico, Jupyter, BNLbox and various other web services.
Needs:
- Single source of identities (duplication = confusion).
- Single point of management (comprehensive view).
- Single sign-on / single password.
- No single point of failure.
- Automated synchronization and integration.
- Integrated management interfaces.
- Easy distribution of data and credentials.
We decided to migrate to the Red Hat Identity Management solution (IPA) and completed the migration in late 2018. For SSO, we will likely switch from Shibboleth to Keycloak.
Red Hat Identity Management (IPA)
- Integrated into Red Hat Enterprise Linux 6.2 and later.
- Easy installation and setup: the ipa-server-install, ipa-replica-install and ipa-client-install commands.
- Redundancy: multi-master replication, read-only replicas.
- Manages users/user groups, hosts/host groups and services in a central location.
- Defines policies and HBAC (host-based access control) rules.
- Rich CLI and Web UI for ease of identity management.
- MFA (multi-factor authentication) support.
- Uses SSSD as the client-side component: identity operations, rule enforcement, caching, offline support, and federation including cross-realm trust with Active Directory (AD).
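The HBAC rules mentioned above only restrict anything once IPA's default allow_all rule is disabled; until then every user can reach every service on every enrolled host. The following added example (not from the BNL slides) creates a rule restricting sshd on a host group to one user group, proves the decision with ipa hbactest, and disables allow_all as the last step. The names farm_ssh, linux-farm and rhic-users are hypothetical; the ipa subcommands are the standard IPA CLI.

```sh
#!/bin/sh
# Added example (not from the slides): lock down SSH on a host group with an
# IPA HBAC rule, prove it with ipa hbactest, then disable the default allow_all.
# Names farm_ssh, linux-farm and rhic-users are hypothetical placeholders.
set -eu

RULE="${RULE:-farm_ssh}"
HOSTGROUP="${HOSTGROUP:-linux-farm}"
USERGROUP="${USERGROUP:-rhic-users}"

# Members of $USERGROUP may use sshd on members of $HOSTGROUP, nothing else.
create_farm_rule() {
  ipa hbacrule-add "$RULE" --desc="SSH to $HOSTGROUP for $USERGROUP"
  ipa hbacrule-add-user "$RULE" --groups="$USERGROUP"
  ipa hbacrule-add-host "$RULE" --hostgroups="$HOSTGROUP"
  ipa hbacrule-add-service "$RULE" --hbacsvcs=sshd
}

# Simulate the decision for one user on one host, evaluating only $RULE so the
# still-enabled allow_all rule cannot mask a mistake. Returns 0 if granted.
farm_ssh_allowed() {  # user host
  ipa hbactest --user="$1" --host="$2" --service=sshd --rules="$RULE" --nodetail \
    | grep -q 'Access granted: True'
}

# IPA ships with allow_all enabled; until it is disabled $RULE changes nothing.
# Do this last, after positive and negative hbactest checks pass.
disable_allow_all() {
  ipa hbacrule-disable allow_all
}

case "${1:-}" in
  create)   create_farm_rule ;;
  check)    farm_ssh_allowed "$2" "$3" && echo granted || echo denied ;;
  lockdown) disable_allow_all ;;
esac
```

Run the check both for a member of the group and for a user outside it (the second must print denied) before the lockdown step. HBAC is enforced on the clients by SSSD's pam_sss, which caches rules, so a changed rule can take a refresh interval to reach a node.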
IPA architecture (diagram): the IPA server bundles KDC, PKI, HTTP, LDAP, DNS and NTP; admins reach it through the CLI and Web UI (JSON over HTTP); clients run SSSD; a Kerberos cross-realm trust links the IPA realm to Active Directory.
User migration from OpenLDAP to IPA
- Converted user and group accounts from OpenLDAP into IPA under the new domain tree dc=sdcc,dc=bnl,dc=gov.
- Modified user creation programs and user auditing programs to be IPA compliant.
- Reconfigured the LDAP client (nslcd and nscd) at the machine level (e.g. Linux Farm nodes).
- Reconfigured the existing Shibboleth web authentication to be IPA compliant.
- Created migration websites for users to change their Kerberos password, and enabled the same functions on the SSH gateways. (Kerberos keys cannot be derived from the OpenLDAP password hashes, so each migrated user has to set a password once after migration before Kerberos works for them.)
- Ensured HPSS data archival and retrieval continued to work.
- Merged multiple Kerberos realms (e.g. RHIC, ATLAS) into one single realm: SDCC.BNL.GOV.
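The server side of the OpenLDAP import, as an added example that is not the BNL migration tooling: it uses ipa migrate-ds and IPA's migration mode, which exists precisely because imported entries carry an LDAP password hash but no Kerberos keys until the user logs in once through the /ipa/migration/ page. The old server URL, its base DN and the bind DN are hypothetical; the target tree dc=sdcc,dc=bnl,dc=gov is from the slide.

```sh
#!/bin/sh
# Added example (not from the slides): OpenLDAP-to-IPA import with ipa migrate-ds.
# OLD_LDAP, OLD_BASE and BIND_DN are hypothetical placeholders.
set -eu

OLD_LDAP="${OLD_LDAP:-ldap://ldap-old.example.bnl.gov}"
OLD_BASE="${OLD_BASE:-dc=bnl,dc=gov}"
BIND_DN="${BIND_DN:-cn=Manager,dc=bnl,dc=gov}"
IPA_USERS="cn=users,cn=accounts,dc=sdcc,dc=bnl,dc=gov"

# Migration mode lets migrated users (LDAP hash present, no Kerberos keys yet)
# log in once via https://<server>/ipa/migration/ so IPA can generate their keys.
# It also weakens normal password handling, so keep the window short.
open_migration()  { ipa config-mod --enable-migration=TRUE; }
close_migration() { ipa config-mod --enable-migration=FALSE; }

# Pull users and groups from the old directory (prompts for the bind password).
# --continue keeps going past entries that fail; they are listed at the end.
migrate_from_openldap() {
  ipa migrate-ds "$OLD_LDAP" \
    --bind-dn="$BIND_DN" \
    --base-dn="$OLD_BASE" \
    --user-container='ou=People' \
    --group-container='ou=Groups' \
    --schema=RFC2307 \
    --continue
}

# Count uid lines in LDIF on stdin (0 matches is not an error here).
count_uids() { grep -c '^uid: ' || true; }

# How many migrated accounts still lack Kerberos keys, i.e. have not yet gone
# through the migration page. Run as Directory Manager; krbPrincipalKey is not
# readable by ordinary users.
users_without_keys() {
  ldapsearch -LLL -H ldap://localhost -D 'cn=Directory Manager' -W \
    -b "$IPA_USERS" '(&(objectClass=posixAccount)(!(krbPrincipalKey=*)))' uid \
    | count_uids
}

case "${1:-}" in
  start)   open_migration; migrate_from_openldap ;;
  pending) users_without_keys ;;
  finish)  close_migration ;;
esac
```

Keep the migration window open until the pending count is down to accounts you are willing to reset by hand, then run finish; closing migration mode is a separate step, not something to chain after migrate-ds.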
IPA in production
- Currently we have 12 IdM servers supporting about 5200 Linux clients.
- IPA master, replicas and clients are fully puppetized (Puppet Forge).
- Tuning of the directory server file descriptor limits:
  /etc/dirsrv/slapd-SDCC-BNL-GOV/dse.ldif: nsslapd-maxdescriptors: 32768
  /etc/sysconfig/dirsrv.systemd: LimitNOFILE=32768
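The two limits above belong together: nsslapd-maxdescriptors is what ns-slapd asks for, LimitNOFILE is what the kernel lets the process have, and the server cannot use more than the process limit. The added example below (not from the BNL deployment) sets both for the SDCC-BNL-GOV instance and verifies the result. It assumes 389-ds under systemd with openldap-clients installed, applies the LDAP setting over LDAP instead of editing dse.ldif, and uses a systemd drop-in in place of the /etc/sysconfig include the slide edits; both set the same LimitNOFILE.

```sh
#!/bin/sh
# Added example (not from the slides): apply and verify the fd limits for one
# 389-ds instance. Assumes systemd and openldap-clients; ldap://localhost and
# the drop-in file name are assumptions.
set -eu

INSTANCE="${INSTANCE:-SDCC-BNL-GOV}"
LIMIT="${LIMIT:-32768}"

# LDIF for the server-side limit. Applying it over LDAP avoids editing dse.ldif
# by hand, which is only safe with the instance stopped: ns-slapd rewrites the
# file on shutdown and would overwrite a live edit.
maxdescriptors_ldif() {  # limit
  printf 'dn: cn=config\nchangetype: modify\nreplace: nsslapd-maxdescriptors\nnsslapd-maxdescriptors: %s\n' "$1"
}

apply_maxdescriptors() {
  maxdescriptors_ldif "$LIMIT" | ldapmodify -H ldap://localhost -D 'cn=Directory Manager' -W
}

# Process limit via a systemd drop-in; the restart also makes the new
# nsslapd-maxdescriptors value effective.
set_process_limit() {
  d=/etc/systemd/system/dirsrv@.service.d
  mkdir -p "$d"
  printf '[Service]\nLimitNOFILE=%s\n' "$LIMIT" > "$d/nofile.conf"
  systemctl daemon-reload
  systemctl restart "dirsrv@${INSTANCE}"
}

# Soft "Max open files" from a /proc/<pid>/limits file (path passed in so it
# can be checked against a saved copy).
nofile_soft_limit() {  # limits-file
  awk '/^Max open files/ {print $4}' "$1"
}

# Returns 0 when the running ns-slapd actually got at least $LIMIT descriptors.
verify_process_limit() {
  pid=$(systemctl show -p MainPID "dirsrv@${INSTANCE}" | cut -d= -f2)
  soft=$(nofile_soft_limit "/proc/${pid}/limits")
  [ "$soft" -ge "$LIMIT" ]
}

# What the server believes its limit is; compare with the process limit above.
show_maxdescriptors() {
  ldapsearch -LLL -H ldap://localhost -D 'cn=Directory Manager' -W \
    -b cn=config -s base nsslapd-maxdescriptors
}

case "${1:-}" in
  apply)  apply_maxdescriptors; set_process_limit ;;
  verify) verify_process_limit && echo "process limit ok"; show_maxdescriptors ;;
esac
```

Run apply on every replica, then verify on each: a replica whose ns-slapd still shows a soft limit of 1024 or 4096 in /proc/<pid>/limits did not pick up the drop-in, and setting nsslapd-maxdescriptors alone does nothing for it.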
Keycloak
- Keycloak deals with authentication.
- Two-factor authentication is very simple to set up.
- Single sign-on.
- Protocols: OpenID Connect, SAML 2.0.
- Keycloak aims to be an out-of-the-box service.
- Clustering, scalability, high availability.
- Theming of the authentication page.
- Identity brokering.
Keycloak (diagram): applications talk to Keycloak over Kerberos, OpenID Connect or SAML 2.0; Keycloak brokers identities from social, OpenID Connect and SAML 2.0 providers, federates users from Active Directory, OpenLDAP or an RDBMS, and issues tokens to APIs and services.
Shibboleth vs Keycloak
- Shibboleth is SAML based; Keycloak supports both SAML 2.0 and OpenID Connect for authentication.
- Keycloak provides social network logins and acts as an identity broker, authenticating against existing identity providers via SAML or OIDC.
- Simple and agile application configuration management with Keycloak.
- Keycloak provides authorization services of its own, in addition to the authorization done in Apache.
- Keycloak still needs an identity store behind it (here IPA, via user federation); it does not replace identity management.
Enabling MFA, option A: using IPA OTP (diagram: passwords checked by IPA, OTP tokens enrolled via QR codes).
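Option A in commands, as an added example rather than BNL's own procedure: enrol a TOTP token in IPA (this is what prints the QR code), then make password+OTP mandatory for the account. The ipa subcommands are the standard IPA CLI; the token description is a placeholder.

```sh
#!/bin/sh
# Added example (not from the slides): IPA-native OTP enrolment for one user.
# The "<user> phone" token description is a hypothetical placeholder.
set -eu

# Enrol a TOTP token. ipa otptoken-add prints the QR code and an otpauth:// URI
# that carries the shared secret: show it to the user over a trusted channel
# and keep it out of logs and shell history.
enroll_totp() {  # user
  ipa otptoken-add --type=totp --owner="$1" --desc="$1 phone"
}

# Make password+OTP mandatory for this user. Without this (or the global
# 'ipa config-mod --user-auth-type=otp') a password alone keeps working and
# the token is merely optional.
require_otp() {  # user
  ipa user-mod "$1" --user-auth-type=otp
}

# Returns 0 if the account now requires OTP.
otp_required() {  # user
  ipa user-show "$1" --all --raw | grep -q 'ipauserauthtype: otp'
}

# Order matters: enrol first, enforce second. Enforcing before a token exists
# locks the user out until an admin adds one.
enable_mfa() {  # user
  enroll_totp "$1"
  require_otp "$1"
}

case "${1:-}" in
  enable) enable_mfa "$2" ;;
  check)  otp_required "$2" && echo "OTP required for $2" || echo "OTP not required for $2" ;;
esac
```

After this the user types the password immediately followed by the six-digit code in the single password prompt; SSSD on enrolled clients does the Kerberos FAST armoring that OTP pre-authentication requires, so services using SSSD/PAM need no change.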
Enabling MFA, option B: using Keycloak OTP (diagram: passwords verified against LDAP + Kerberos, OTP tokens enrolled via QR codes in Keycloak).
Keycloak workflow (diagram): users, a mobile app and a web app authenticate to Keycloak, which issues tokens for Service A, Service B and Service C.
Status
- The Invenio test prototype now has federated access set up with CILogon and Keycloak.
- The SDCC GPFS Globus endpoint has federated access set up with CILogon.
- The Jupyter test instance has MFA enabled using Keycloak QR codes.
To be implemented soon:
- Production instance of the Keycloak server.
- BNLbox needs SSO and federated access enabled.
- Indico needs federated access enabled.
Contact: Mizuki Karasawa, mizuki@bnl.gov
Thank You