Dorian is an open source federated identity management solution that enables single sign-on for users and services in a Web/Grid services environment. A Web/Grid services environment generally spans organizational boundaries and can be made up of hundreds of thousands of users and tens of thousands of services. Identity vetting, authentication, and provisioning of user and service credentials in such large distributed environments is extremely complex and challenging. Dorian alleviates these complexities and addresses these challenges by allowing organizations to integrate their existing identity management systems into the Web/Grid services environment. This enables users of these organizations to use their existing credentials to authenticate to Web/Grid Services. In addition, Dorian provides a secure mechanism for issuing and provisioning credentials to Web/Grid services. This makes Dorian a complete identity management solution for the Web/Grid services environment. This guide provides a technical overview of many aspects of Dorian.
The Grid leverages the Public Key Infrastructure (PKI) for authentication. PKI is a set of hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital credentials. Under PKI, a user's credentials consist of a public X.509 certificate and a private key. These credentials are generally contained in two encoded files, one for the certificate and one for the private key. It is the responsibility of the party owning the credential to keep their private key a secret.
Dorian abstracts the complexities of PKI from users, allowing users that have accounts with an Identity Provider trusted by Dorian to use their existing credentials to obtain PKI credentials. For example, if Dorian trusts The Ohio State University as an Identity Provider, a user from The Ohio State University can use their username and password to obtain a user certificate and private key, which they can then use to authenticate with Web/Grid Services. In this manner, Dorian is a federated identity management solution: it federates existing identities into a Web/Grid services architecture.
The Security Assertion Markup Language (SAML) is an XML standard for exchanging authentication and authorization data between security domains. Dorian leverages SAML to allow a user from a trusted identity provider to use any existing authentication method to obtain PKI credentials from Dorian so they can authenticate in the Web/Grid services environment. SAML enables Dorian to federate any existing identity management solution into the Web/Grid services environment.
The figure to the right illustrates an example usage scenario for Dorian. To obtain PKI credentials, users authenticate with their organization using the organization's conventional mechanism. Upon successfully authenticating the user, the local organization issues a digitally signed SAML assertion, vouching that the user has authenticated. The user then sends this SAML assertion to Dorian in exchange for PKI credentials. Dorian will only issue grid credentials to users that supply a SAML assertion from a Trusted Identity Provider. In the figure, a Georgetown user wishes to invoke a grid service that requires PKI credentials. To accomplish this, they first supply the application with their Georgetown username and password, as they would normally do. The application client authenticates the user with the Georgetown Authentication Service, which issues and returns a signed SAML assertion; the application then passes this assertion to Dorian in exchange for PKI credentials. These credentials can then be used to invoke the Web/Grid services.
To facilitate smaller groups or organizations without an existing identity provider, Dorian also has its own internal identity provider. The Dorian Identity Provider allows users to authenticate to Dorian directly, thereby enabling them to obtain PKI credentials to authenticate to Web/Grid Services. The figure to the right illustrates a scenario of a client using the Dorian Identity Provider to authenticate to the Grid. In this scenario, an unaffiliated user wishes to invoke a Web/Grid service. Given that this user has registered and been approved for an account with the Dorian Identity Provider, she is able to authenticate with the Dorian Identity Provider by supplying her username and password. Upon successfully authenticating the user, the Dorian Identity Provider issues a SAML Assertion, similar to other organizational identity providers. The SAML Assertion issued by the Dorian Identity Provider can be presented to Dorian to obtain PKI credentials, which can be used for authenticating with Web/Grid Services.
Dorian federates users with existing accounts into a Web/Grid services environment. This allows users to leverage the credentials that they use every day for things such as email and web applications to authenticate to Web/Grid Services. In order for Dorian to allow a user to use their existing credentials, the organization issuing the credentials must be registered with Dorian and trusted by Dorian. Organizations registered with and trusted by Dorian are referred to as Trusted Identity Providers (Trusted IdPs). By default, Dorian trusts its built-in identity provider, the Dorian Identity Provider. Before registering an identity provider with Dorian, each organization must implement and operate an Authentication Service for that identity provider. The Authentication Service provides a standard Web/Grid service interface for authenticating with organizational identity providers in a Web/Grid service environment. This standard interface is very important when it comes to building applications, since it allows applications to authenticate users with any identity provider without needing to know the specifics of how to interact with each type of identity provider. The Authentication Service accepts an authentication credential from Dorian, validates the credential, and issues a SAML Assertion, which is later given to Dorian in exchange for PKI user credentials that can be used for authenticating to Web/Grid Services.
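The exchange described in the two preceding sections (an organizational Authentication Service vouches for a local login with a signed assertion; Dorian issues credentials only when the issuer is a registered Trusted IdP and the assertion verifies) as an added, constructed model; this is not Dorian's code, and an HMAC over a JSON body stands in for the XML signature of a real SAML assertion (Dorian would verify against the IdP's certificate instead). All class names, keys and accounts below are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Hypothetical model of the Dorian exchange (not Dorian's own code).
# HMAC stands in for the XML signature on a real SAML assertion.

class AuthenticationService:
    """Issues a signed assertion after the organization's own login check."""
    def __init__(self, idp_name, signing_key, accounts):
        self.idp_name, self.key, self.accounts = idp_name, signing_key, accounts

    def authenticate(self, user_id, password, ttl=300):
        if self.accounts.get(user_id) != password:
            return None                       # local login failed: no assertion
        body = {"issuer": self.idp_name, "subject": user_id,
                "not_after": time.time() + ttl}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        return {"payload": payload, "signature": sig}

class Dorian:
    """Exchanges a valid assertion from a Trusted IdP for PKI credentials."""
    def __init__(self):
        self.trusted_idps = {}                # idp name -> verification key

    def register_trusted_idp(self, name, key):
        self.trusted_idps[name] = key

    def request_user_credentials(self, assertion):
        body = json.loads(assertion["payload"])
        key = self.trusted_idps.get(body["issuer"])
        if key is None:                       # unknown issuer: never trusted
            raise PermissionError("issuer is not a Trusted IdP")
        expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            raise PermissionError("assertion signature does not verify")
        if time.time() > body["not_after"]:
            raise PermissionError("assertion has expired")
        # Simulated user certificate: subject derived from issuer and user id.
        subject = f"/O=Dorian/OU={body['issuer']}/CN={body['subject']}"
        return {"certificate_subject": subject, "private_key": "<constructed key>"}
```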
In order to establish a secure communication mechanism between clients and services, and so that a service can authenticate with other services, Web/Grid services are required to have PKI credentials, or host credentials. A host credential consists of an X.509 certificate and private key. Dorian provides the ability to issue host certificates to users, so they may operate Grid services. Dorian will only issue host certificates to users that have accounts with Dorian. Users that have accounts with Dorian may request a host certificate for their services. Depending on Dorian's configuration, Dorian may immediately issue the host certificate or may require administrative approval, in which case the user will need to wait until an administrator approves their request. Host certificates issued by Dorian are bound to a specific user account. The user that the host certificate is bound to is referred to as the owner of the host certificate. The account status of a host certificate's owner affects the status of the host certificate. If the owner's account is suspended, the host certificate will be suspended. If the owner's account is removed, the host certificate will be revoked. The owner of a host certificate can be reassigned by a Dorian administrator.
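The host certificate rules above (account required to request, optional administrative approval, suspension and revocation following the owner's account, administrator reassignment) as an added, constructed model; this is not Dorian's code, and the class and attribute names (`HostCert`, `DorianRegistry`, `auto_approve`) are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of Dorian's host certificate lifecycle (not Dorian's code).

@dataclass
class HostCert:
    host: str
    owner: str                    # the Dorian account the certificate is bound to
    status: str = "pending"       # pending -> active -> suspended | revoked

@dataclass
class DorianRegistry:
    auto_approve: bool = False    # configuration: issue at once or await an admin
    accounts: dict = field(default_factory=dict)    # user id -> active|suspended
    host_certs: dict = field(default_factory=dict)  # host name -> HostCert

    def request_host_cert(self, user, host):
        if self.accounts.get(user) != "active":
            raise PermissionError("only users with an active Dorian account may request")
        cert = HostCert(host, user, "active" if self.auto_approve else "pending")
        self.host_certs[host] = cert
        return cert

    def approve_host_cert(self, host):              # administrator action
        cert = self.host_certs[host]
        if cert.status == "pending":
            cert.status = "active"
        return cert

    def _owned_by(self, user):
        return [c for c in self.host_certs.values() if c.owner == user]

    def suspend_account(self, user):
        self.accounts[user] = "suspended"
        for cert in self._owned_by(user):           # suspension follows the owner
            if cert.status != "revoked":
                cert.status = "suspended"

    def remove_account(self, user):
        del self.accounts[user]
        for cert in self._owned_by(user):           # revocation is final
            cert.status = "revoked"

    def reassign_owner(self, host, new_owner):      # administrator action
        if self.accounts.get(new_owner) != "active":
            raise PermissionError("new owner must have an active Dorian account")
        self.host_certs[host].owner = new_owner
        return self.host_certs[host]
```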
In large production Web/Grid service deployments, it is anticipated that most users will leverage their existing user accounts for obtaining PKI credentials from Dorian. To support other scenarios, Dorian has its own built-in identity provider that allows users to register for and be granted local accounts with Dorian, so they may use Dorian in the same manner as users with existing accounts from registered identity providers. These scenarios include: (1) smaller deployments; (2) deployments where there are no existing identity providers; (3) deployments where some users don't have an identity provider; (4) users that are not affiliated with any Identity Provider; and (5) development and testing purposes.
The Dorian IdP provides a method for prospective users to register for an account. When users register, they create a user id and password which they can subsequently use to authenticate with the Dorian IdP. When a user authenticates, the Dorian IdP provides the user with a SAML assertion, which can then be used to authenticate with Dorian to obtain a PKI credential. By default, the Dorian Identity Provider is registered as a trusted identity provider with Dorian.
For security purposes and to give administrators insight into all aspects of the system, Dorian maintains fine-grained auditing information on just about every transaction within the system. This information can be accessed by Dorian administrators. Complete details on the information being audited can be found in the Dorian administrators guide.