Abstract
OpenStack is an open source cloud computing project that is enjoying wide adoption. While many cloud deployments may be stand-alone, it is clear that secure federated community clouds, i.e., inter-clouds, are needed. Hence, there must be methods for federated identity management (FIM) that enable authentication and authorisation to be flexibly enforced across federated environments. Since there are many different FIM protocols either in use or in development today, this paper addresses the goal of adding protocol independent federated identity management to the OpenStack services. After giving a motivating example for secure cloud federation, and describing the conceptual design for protocol independent federated access, a detailed federated identity protocol sequence is presented. The paper then describes the implementation of the protocol independent system components, along with the incorporation of two different FIM protocols, namely SAML and Keystone proprietary. Finally, performance measurements of the protocol independent components, and of the two different protocol dependent components, are presented, before the paper concludes with the current limitations.
Open Access This article is distributed under the terms of the Creative Commons Attribution License which permits any use, distribution, and reproduction in any medium, provided the original author(s) and the source are credited.
Cite this article
Chadwick, D.W., Siu, K., Lee, C. et al. Adding Federated Identity Management to OpenStack. J Grid Computing 12, 3–27 (2014). https://doi.org/10.1007/s10723-013-9283-2