[inaudible] It makes it easier for users. They have fewer credentials to manage and remember because if they've got one lot of credentials they can single sign on to lots of different services, it makes it easier for them. It makes it easier for system developers because you don't need to develop the secure authentication mechanisms in your application because you can trust an already established secure identity provider to do it for you. So it makes system developers' job easier, provides more flexibility because the identity provider can have lots of different authentication mechanisms. It's out of scope of the federated domain, how it works, so it can be two-factor, three-factor, it can be biometrics, whatever and all we require of the federation domain is some assurance of the level that's been authenticated and we can then build that into our subsequent authorization mechanism.
And it can actually be more secure than doing it yourself because the users now can have one set of strong credentials rather than lots of passwords that they replicate or use simple passwords so they can remember them all and you are no longer a honeypot for credential attacks yourself because you're not storing any so they're not going to be attacking you to try and get all these credentials out and you only need to look on the internet and find how many service providers have had their credentials stolen and credit cards stolen, passwords and everything like that. And it makes it a lot easier for operations staff because you no longer have to manage users, you don't have to register users, you don't have to replace their forgotten passwords or forgotten credentials when they're stolen, you don't have to remove old users because that's done by the identity provider for you. But there are some limitations because you still need a way to finally differentiate users for authorization purposes. So if you've got a federated domain and there are 1,000 users, let's say you're federated with the University of Kent, well you've instantly got 20,000 potential users coming into your system and you say well actually I don't want 20,000, I only actually want three academics that I'm working with so you still have to have some mechanism to differentiate between the three people from Kent that you do want and the 20,000 that actually can authenticate to you successfully. So you still need to have the fine grained authorization, you still need to be able to ban abusive users as well and if the identity provider is actually authenticating them you've either got to then change your authorization system to ban them or ask him to ban them. You probably need to use a web browser, this is one of the limitations at the moment because most of the current existing identity providers, the authentication step is all via browsers.
So we've had to build in the browser in our implementation because yeah. Pass, okay, I mean we looked at can we do command line and should we actually modify command line test but it becomes too complicated actually. The reason being because identity providers they all present different screens to the user so if you're going to actually parse the HTTP message and find out where in this post, [inaudible] people that your everyday users will use these command line interfaces. The browser may very well become the first class citizen in the future. I show the ones where you do use a browser, if you read the specs, they don't require a browser. It's just that the current implementations... So, that's the reality. [inaudible] The fact that if you as a user go get tricked into going to the wrong service provider through spam, or spear-phishing or whatever, and that service provider says, hey, I've got free gifts for you. All you need to do is authenticate and choose your identity provider and you say, well, University of Kent and it redirects you to a page that looks just like the University of Kent's page [inaudible]
[inaudible] The reality is they are vulnerable to those. If you have a zero-knowledge proof authentication mechanism by the IDP then it doesn't matter if you get tricked into going to a false IDP that looks like yours because, when I give them the authentication you give them the zero-knowledge so it doesn't matter? The IDP is using PKI for authenticating its user, doesn't really matter because you're not going to tell them anything or you're not going to send them your private key and you're going to send them something signed, So, zero-knowledge proof will solve that, or you can have an intelligent client that doesn't require redirection, and it knows itself where to go to, so the work we've been doing in our lab is to build intelligence into the client, so when the service provider says you need to authenticate, you and your intelligent client say I'm going to go here and he doesn't redirect you, the service provider does not redirect you, and that's another way to solve it. Okay, so all the components that we've got in our system, the green ones are really what today is Keystone, but I've not called it Keystone even though it is Keystone, it's really Keystone broken down into its fundamental components, into its functional components, and I've called it the OpenStack gateway, okay, just so that you think well that's Keystone, well it is, but it isn't, so think of it as an OpenStack gateway, what do all these acronyms stand for?
Well at the bottom we've got the token issuing service and the token validation service, so that's the one that issues the token, either a scoped token or unscoped token, and the validation service is the one that validates the scoped token or the unscoped token, and by making those separate components it means you can actually plug and play and put in a different token issuing service, so the token can be in a different format. I mean we've already got who we're talking today about having two different token formats, one based on S/MIME and PKI and another one based on simple UUIDs, well having this as clearly defined with interfaces separate tokens you can actually plug and play and put in different services there. AM is the attribute mapping service, why do we need an attribute mapping service? Well down at the bottom we have all our cloud services, and those cloud services are role based and they have roles that give permissions to perform particular actions. Now those cloud services will have a limited set of roles, they might have an admin role, they might have, we were talking today about a teacher role and a student role and very short of that, but it will be a limited set of roles that they have. Now in the big outside federated world there's literally hundreds of thousands of identity providers and maybe thousands or millions of attributes and it would be unreasonable to expect service providers to understand all the identity providers and all their attributes and to build their policies according to the outside world. So they build their policies according to their own local set of roles and the attribute mapping service is capable of mapping between what the outside world provides in terms of identity attributes and what the local cloud service requires and it can do the mapping. We'll see how it works when we go through the swim lane diagrams.
So that functionality really takes some attributes from the outside world and maps them into the attributes that are required for the inside world. Yeah, exactly. So in today's Keystone, Keystone is the identity provider and Keystone issues the attributes for the user and so the attributes it issues for the user are already the ones that the cloud provider wants. So what we have to have now is a mapping step that when we introduce federation, we get in a whole different bunch of attributes and we map them into the ones that you're issuing today and we still issue them today because in this model, as you'll see, the cloud service provider sends the user to the OpenStack gateway and it tells the OpenStack gateway what it wants in terms of attributes, which are the ones it wants today and that could be hard coded in or it could be dynamically sending protocol. That's a choice. Yeah. Yeah, absolutely. Federated authorizing. Well, the thing is, ask the question, what is identity management? Then you ask the simple, more simple question, what is identity? And identity is a set of attributes, basically. Your identity is a set of attributes. Okay. No, no, no. In the generic sense, identity is a set of attributes. So if I want to identify you, I'll say, well, it's the guy who used to work for Microsoft. He developed Passport. He's now got his own company. He's aged about 40 and he's a vision of and he wears glasses. Right? No, no, no, no. But the point is that identifies you within the audience. Yeah? But the identity might be an employee of Rackspace. I might have a system which says any employee of Rackspace gets access. So in terms of identity management, all I need is to know you're an employee of Rackspace and that can be sufficient. Okay. So in general, an identity is a set of attributes. Now, attributes have to come from somewhere. I mean, we're going into a different lecture now. We're going into a lecture on identity management, which I didn't want to go into.
But attributes have to come from somewhere. You do not generally trust a user to assert his own attributes. Because if you did, and I know that Rackspace has got some really nice, juicy service there, and all you need to do is say you're a member of an employee of Rackspace to get access, then I'll go and say, oh, I'm an employee of Rackspace. I'll say, oh, welcome, come on in and have access to our nice, juicy service. So clearly you can't allow the user to assert his own identity attributes. You have to have attribute authorities. And so up here we've got attribute authorities, and attribute authorities assert attributes. And also we've got authentication services, which can authenticate users but don't assert attributes. They will just assert some random identifier. And an identity provider is actually a combination of an authentication service and an attribute authority. So functionally, an identity provider is both an authentication service and an attribute authority. So it's capable of authenticating the user and returning a set of identity attributes about the user. Now, where most identity management models are flawed today and why a lot of them have failed is they assume that the user has one identity provider and all these attributes are asserted by that one identity provider. And in the general case, that is fallacious. So if I want to go and purchase something from Amazon, I have to provide a credit card. Now, who's going to assert that I've got a credit card, the bank? I also may want to assert a name. Who's going to assert my name? Well, the bank might, but I might assert my own name. If I'm buying from Amazon, I might want to assert a postal address where it's to be delivered to, so they would probably allow me to assert that. They may give a discount to academics. Who are they going to trust the same academic, the University of Kent? Okay, they're not going to trust the bank. They're not going to trust me. 
So you see, in a generic infrastructure, we need ultimately to get assertions from multiple authorities. And so what we're building in, in the more sophisticated swim lanes, which I'm not going to cover today because we don't have time, will be the amalgamation of attributes from different authorities. No. No, but the trainline.com does. So if you go to the trainline.com and buy train tickets, you can say you're a student and you'll get a discount on your ticket. And you can actually say you're over 60 years old and you get a discount on your ticket as well. Well, interesting what happens there because you have to physically turn up and travel on the train. The internet will sell you the reduced price ticket and then the ticket inspector, when you're travelling, will say, can I see your student ID card now, please? Or can I see your old age pensioner card, please? And if you haven't got it, then you're stuck because you've cheated the system and then you'll get fined. So it will sell it to you without the assertion. But that's because online they have no way today of actually getting that assertion other than you telling them. OK, but we envisage a world where they will be able to get genuine assertion and they wouldn't sell you the ticket without the assertion. That's an aside. So back to these components. We've been through those components. The next one is the request issuing service. So if we're going to be doing identity management and federated management, we have to have a protocol conversation between the client and the identity provider. It has to authenticate and it has to send an assertion back here to say that this user has been authenticated. Now there are many different protocols for identity management and so what we want to build into OpenStack is a generic infrastructure that will support OpenID, that will support SAML, that will support OAuth, et cetera.
And therefore we say let's have a separate module which is a request issuing service and you will configure into that what protocol you're going to talk between the OpenStack gateway and identity provider and then the request issuing service will produce the request in the right protocol. So if that module is pluggable and switchable you can actually then plug your system into different identity federations. Issuing service. No, it's asking for the identity attributes of the user. So it wants the user to be authenticated and get the attributes of the user. Sorry. No, no, no. That is something you don't have in Keystone today. The client manufactures. In other words there's an implicit knowledge of what the protocol is between the client and Keystone and the client manufactures the HTTP message using the implicit knowledge of what Keystone requires, and it sends it to Keystone. What you do have today is the credential validation service which is the component in the pipeline which takes that request and validates it and says whether it's right or not. Well, yeah, but today the request issuing service is done by the client that creates and sends it to Keystone and then Keystone passes it in the pipeline to the credential validation service and says validate this. Is it okay or not? Yeah, yeah, yeah, it could. It could. So that component could actually be a standalone or it could be a library. It could be a library that you plug into Keystone and you plug into clients and you, yeah, okay. But I've drawn it out because I see it as being a separate module or piece of functionality that is specific to the identity management protocol you're using and therefore we want it to be plugged and replaced as you move from SAML to OAuth or whatever. Yeah, because yeah, because if you've got a dumb client, if you've got a dumb client, the client cannot manufacture that message.
So talking about the client, we've got the client which is a dumb client and doesn't do anything. It just gets messages in, passes them back and gets answers and passes them back. So the dumb client is given the message by the request issuing service which it passes on to the IDP. It then authenticates the user and then it gets a response from the IDP. It's got no idea what that response is. It's just some binary blob which it gives over to the gateway and the gateway gives it to the credential validation service and that says, okay, is this the blob that I'm expecting? So you replace those two components as a pair because they have to match up with each other. Now, ATAG, I think something has gone wrong here. ATAG is an intelligent component that builds into the client which performs several important pieces of functionality. One is it allows the client not to be phished. It will actually determine itself where the identity provider is by contacting the directory service. Well, attribute aggregation, attribute aggregation because it also is capable of going to multiple attribute authorities and getting assertions from multiple places and aggregating them together and giving them to Keystone. So that's the answer. And it also, sorry, could you use the microphone? I didn't quite get that. Sometimes you don't need all the attributes, right? You might just want to know your credit card information that you don't need your age or your nationality. Correct, correct, correct. So there's like a lazy model collecting attribute on a new boot? Correct, correct. So what I've got built into the model is policy which you'll come when we see the swim lanes. So each of these has a policy for what it wants. And so that policy is given to the OpenStack Gateway and said, that's my policy for what I want. The OpenStack Gateway uses the attribute mapper to convert the policy from the local terms such as the admin and whatever into the terms that are required by the remote IDP.
And then to do the reverse mapping. So the client and the IDP or ATAG are only told what's wanted by the particular service provider. So you don't go collecting every single attribute you've got and giving your entire identity out. You just give the three or four attributes that are required by the service. So that's built into the design. Well, it's not the lazy fashion actually. No, the lazy fashion was described as being just grab everything you can, just send everything you can. Oh, wasn't it? That was the what? Eager. Ah, okay. Ah, right. Well, this supports the lazy. I mean, I think that's the wrong term lazy. I would have said, I would have said, privacy preserving fashion if you like, where you only actually release the attributes that are required to access the service. I don't give them superfluous information. Okay. And then, oops. Sorry. Provider one decides. Provider one has a policy. Provider, the policy is here. Okay. The policy is here. It's been externalised, but it could be internal. It doesn't matter. The point is the cloud service provider has some interface which we're talking about earlier on today. An interface to call the policies in point to say, here's a user. Does he get access or not? Now it knows what its policy is and it knows what it requires from the user. So we call the policy gives an attributes requirements policy. No, no, no. Now listen. Correct. Now, so, yeah. Correct. No, no, but, but correct. No, let me tell you how I see it. The service provider requires attributes for you to get access to the service. Okay. It says in its requirements policy, which gets passed through to the user client. This is what I want. Okay. The user can be given access to that. And the user can say, well, I'm not going to give you that, so I won't have the service. Or the user will decide, yeah, I'm happy to give those attributes. I want the service. And then he goes and asks the IDP. Now, in my opinion, an IDP should always give me my attributes. 
An IDP should not say, no, I'm not giving you them because I have in my pocket a whole bunch of attributes from a whole bunch of different places. And I can give them to the who the hell I like. And if the bank says, well, you can't give your credit card to him there, well, how the bank can't stop me. So really, I should be in charge of who gets my attributes. The IDP shouldn't be saying I'm not giving them out. I say, I want them to my attributes. And I want them to go there for the service. So that seems a perfectly reasonable model in my mind. Yeah. Yeah, yeah, yeah, exactly. Exactly. Exactly. Yeah. That's right. Yeah. I mean, that's the right way. That's the right way it should be. The user should decide whether he wants his attributes to go or not. Well, okay. I mean, we're talking user interface issues. But at the protocol level, there should be the full visibility. If the interface just wants to make it a tick, are you happy or not, to continue, that's the interface. But if in the protocol it actually says the policy is that I require these attributes, then the interface can say we're going to, you know, we are going to release these attributes so you have to release all of these attributes. Correct. Yeah. And so in that case, what will happen is that you won't have enough attributes for authorization. So it will have to go back to the client, it will have to go and collect them. Now, because you've done a single sign on, you shouldn't need to enter your credentials again. You should just click yes, I'm happy to release them, and the system should just go and pick them up and send them. Yeah. And then finally, this is a component that doesn't exist today. Although talking to you, I think it was you in the, it does sort of exist in Keystone. Yeah. Yeah. I think you call it the catalogue. Is that right? Yeah. 
So what I envisage there is some sort of federation directory service where when OpenStack has found out from the user which IDP is chosen, it goes to the federation directory service, get me all the metadata and all the information I need in order to be able to make a connection to that IDP. Now, in today's federation world, certainly in the Shibboleth one, all of this metadata is sent in some massive gigabyte XML file which is distributed every couple of, I mean, it's a completely brain dead system, right? But they ship out these gigabytes of metadata every day and you change one line in it and the whole two gigs is shipped, you know, it's a completely naff system. What you really need is some directory service where people can update their metadata as and when and you can just go and add it. And it turns out, I didn't know this, but you've actually got this catalogue in Keystone which records the equivalent of the metadata. It has information about the access points and how you connect to access points. So that's the sort of system we need. We need that built in so that you can make a query of it and say, I now want to make a connection to this point. I now need to create a message. And then after it's contacted the directory service, it can then go to the request issuing service. Here's all the metadata I've got for this component from the directory service. Now you can create the message in the right protocol, et cetera. So, the guiding principle in the design is keep it simple. What's happening here now? Going the wrong way. Yeah, it was for identity providers, yes. But I mean, it's the same concept. It's exactly the same concept. Yeah, yeah, yeah, exactly. Yeah, yeah, yeah. Exactly. Yeah, exactly. So it's really good to know you've actually got that component already in there. Okay, so keep it simple for the cloud service providers. They need something excellent for them that does the bulk of the security work.
And so that's going to be this gateway and the identity providers and all the things. It's all going to be done outside. So the people who are writing cloud services don't need to worry about it. They've got good software written by skilled security professionals that have covered all the bugs, fixed all the problems, and it just works nicely for them. So that's the first thing. Okay. And each cloud service provider keeps its existing tenants and accounts because it knows what they are and it knows it needs an admin role and it knows it needs a professor role or whatever. And it trusts the gateway to get these from external sources and do the mapping. So it's because there are thousands of these things, it's going to trust that the gateway will map correctly between external identity providers and the roles that it needs. So that's a conflict. So the mapping function is a configurable function that will have to be dynamically configurable. It will have to, as you set up federations, you will have to configure the attribute mapping function to map between the identity providers. The providers that you're going to trust and the roles that your cloud service providers work because we don't want to be changing the cloud service providers. They've got this system set up, they work with a set of roles. All they're doing now is switching to external identity providers. But from their perspective, they just trust the gateway. They just trust Keystone or whatever to do it all for them. No, in what way? What do you see as the alternative? Exactly. That's why I don't think the standard approach works. The alternative is all of these customers have to go and change their systems to give that. Exactly. So this is the only way I see that you can do it. So it's proxying through. Exactly. We have proxy built into the current implementation. Now this is a change to what the way it works at the moment. 
The user knows which cloud service he wishes to use so that's his first port of call. Now in the current clients, the first port of call is Keystone. You type in the address of Keystone, don't you? But I think, I mean this can be discussed, but it seems that normally you go to where you want the service, say I want some service, and then it all starts from there. And that gives more flexibility because the service can say, well, I'm going to use that Keystone or that Keystone. I'm not going to use Keystone or whatever. And it can tell the user where it wants to go to. So that is a change from the existing scheme. Exactly. It's not a big issue of that, but it allows also, by going to the service provider first, it allows the service provider to dynamically change its requirements in terms of attributes as well. That's right. Now we've talked about the phishing and the intelligent client will solve that. So let's look at the swim lane for the, I could do with a, sure. The intelligent client performs several functions. One function it performs is it will not allow the client to be redirected to the IDP by the service provider or by Keystone. Because that is, when you use a username and password, it's a way that phishing attacks work in all of the current identity provider system. Okay. So the user goes to a service provider, and the service provider happens to be an evil one, but the user doesn't know that because it's been tricked into it. And the service provider says, authenticate, go to your open ID or go to Google or go to University of Kent or wherever. And the user sees the screen and the user doesn't notice that the URL ends in .cn or .ru or something because it's gone off the end of the screen or whatever. He just thinks he's talking to his normal identifier and he types in his username and password and he's phished. Okay. 
So the intelligent one, when the service provider says, I want you to authenticate with Google or wherever, he says, well, I know where Google is or I know where the University of Kent is. I'm not going to rely on you to send me there. I will go to the directory service myself and I'll get the information I'll create and I'll sort it out myself. That's the first thing it does. The second thing it does, no, I'm saying that it knows where the identity provider is, and it's not going to be told, go there. That's the first thing. The second thing it does is when you've got multiple attributes for your identity for multiple providers, it will actually go and aggregate. The third thing it will do, the current identity systems work in what's called bare credentials. So the identity provider creates an assertion which says I've authenticated this user and he's got the following attributes and this is a digitally signed assertion which you say good digitally signed assertion, but it doesn't actually say who the user is. It goes to the browser and the browser then sends it off to the service provider. Now that token is capturable and replayable because it's a bare credential. Anybody who's got it can use it. There's a function called holder of key where you can actually create a key pair and again another function of the intelligent client is to create the key pair and to sign things so it can prove that it's my public key in there and I'm capable of signing it so you know that that token was made for me because I've got the private key and I can prove it. So that's a third function that it does. Okay so I don't know if this is a, it is. I don't know where it is. So the first thing is the user types in the command. So I've got an example of that from the live demo. So the first thing you type in is this is an example of using Swift and you'll see there there's a minus F. 
So those of you familiar with what the Swift command looks like, which is probably most of you, you'll know that there isn't normally a minus F and you normally put a username and password in, but here we're saying we want federated login. So I'm not, I'm not telling the Swift client what my username and password is because I'm going to tell that to the identity provider. I'm just saying I want federated login. Client then sends that command to the cloud service provider and the cloud service provider sends back its policy of attributes. So it says these are the attributes I want in order for you to access me and you have to get them from the gateway. So it's telling about its local attributes in terms of the gateway that's going to issue them because the gateway is its trusted issuer. So the user is redirected to the gateway, but that's perfectly secure because the user is not going to do anything there. And if the cloud service provider is an evil one and redirects it to an evil gateway, it still won't, it still won't break anything at this point in time. Okay, so when it gets to the gateway, right, the gateway then goes to the attribute mapper and says this cloud service is asking for these attributes, but we're configured up to trust external identity providers. Okay, and there might be three or four or five or six. And can you tell me who they are? And it says, yeah, you can get the attributes from these, you can get it from Google or Facebook or University of Kent or wherever. And it then sends that to the user, back to the client, and the client displays to the user where he can go. So we call these realms in the documentation. But what comes back is you have access to the following realms. Now, these are identity providers. You can do your wording or user interface however you want. But that's basically saying to the user, you can log in via big bank, who's an IDP. You can either log in via your bank or you can log in via the Kent proxy identity service. 
You choose which of your identity providers do you want to use, okay? So the user chooses one. So after the user's chosen one, that goes back to OG. And OG now knows which identity provider has been chosen. So it goes to the directory service, which is the catalogue, says, give me all the metadata information so that I can actually create a request to call this identity provider. So the directory service returns all the metadata information or your catalogue that you've got now returns the information. And then it goes to the request issuing service and says, here's all the metadata information. I don't know what protocol it talks to or anything about it, but here's all the packaged stuff. Give me back a message. Give me back a request message that will request these attributes that I require in the right format of OOR for OpenID or whatever language it is. Don't care. Just give me a blob. And it gets back a blob. And it gives the blob to the client. The client is a dumb client. Doesn't need to look at the blob. It just says, here's a blob. Pass it off. And it just passes the blob to the identity provider. The identity provider gets this blob in the language it knows and understands. It decodes. It checks the signature. And it says, all right. I need to authenticate you. Now this bit of the protocol here, number 12, is not standardised. That's out of scope because that's the way the identity provider authenticates the user. This can be two factor, three factor, biometrics, PKI, Kerberos, you name it, you can have it. We don't care. Time. Okay. We'll give it another 10 minutes. That will be fine. And so looking at what that looks like. Sorry. Right. So we're okay then. We'll continue. So that's, I chose big. Yeah. Eight o'clock. We got eight o'clock. Yeah. Okay. I've got a deadline flag. So I've got a cycle an hour before it gets dark. So that's the login screen from big bank because I decided I was going to log in via big bank. So I go to big bank. 
And what's happened here now is the client has called up the browser and the browser has displayed its login screen and the user knows where to put his username and where to put his password. And so that's the authentication bit. Something went wrong in my return. I obviously didn't quite get my screen right. Okay. So that goes back to the IDP. And what the IDP then does is it sends an assertion in the protocol language, could be, well, could be OpenID. Whatever, it sends this assertion back to say, yep. Okay. We've authenticated this guy now. And here's his attributes. And the client passes that to the gateway. And the gateway passes it to the credential validation service, which is the pair of the request issuing service. It knows how to parse it. It knows how to validate it. And it says, okay, this is a good message. Here are all the attributes and it can give the attributes back to the gateway. And the gateway can then go to the mapper and say, okay, I got all these attributes from this external IDP. How do they map into the local ones that the service provider wants? And of course it knows because it did the reverse mapping on the way going out. So it gives them the attributes. And then it goes to the token issuing service to issue an unscoped token. Because at this point in time in this particular flow, we don't know which tenant because the user didn't say which tenant he wanted. So it gets an unscoped token. And the unscoped token goes to the client. And this is what happens next. It says, you have access to the following tenants. And because I chose big bank, I've got access to the Visa user cloud services. So I've only got one particular tenant in this particular case, but there could have been six or whatever. And I choose which I want. So I choose my tenant. And then you know what's going to happen next? The unscoped token is going to get converted into the scoped token. So that goes back there to OG. It sends it to the validation service. 
It validates the unscoped token and then it sends it to the issuing service, which issues a scoped token. And then the scoped token goes back to the user. The client passes it to the service. The service has now got the scoped token, which it passes back to the gateway and sends it for validation. And then the client gets back all its attributes and everything. And then it calls the PDP with the attributes and says, does the guy get access with these attributes? And of course the tenant comes back granted. And then he gets the information that he wants. And next step. Okay. Do you want a live demo? If you want, we can live dangerously. Yeah? Okay. Let's do a live demo then. So. I'll tell you what then. Let's do the other bits first and we'll do the live demo at the end for those who want it. Yeah? Yeah. Oh, yeah, I know. I know. Yeah. Yeah. Yeah. Yeah, but that's a PKI company, for goodness sake. OpenStack and Keystone will be a PKI if they want to get it right. And that is the right way to do it. No, it isn't because PKI gives you nothing except it tells you that the guy's been authenticated. It doesn't tell you anything about his privileges and permissions. Well, X.509 is extensible. You can put what you can. Well, yeah, if you use attribute certificates, yeah. Their age, their mother's maiden name, you can put whatever. Yeah, but you don't. You do not load PKI certificates up with all these attributes. You use attribute certificates with that. Exactly right there. All identity tokens, SAML. Yeah, yeah. They're all based on X.509 attribute certificates, I know. Well, they are because the people who wrote SAML said, told me that it was based on X.509 attributes. SAML, yes. Passport cookies, no. NT tokens and Kerberos tokens, no. So there are a bunch of tokens which are authentication tokens which give some base identity information and potentially a couple of base attributes which are sufficient for certain kinds of authorization but not others. 
Well, certainly for access control is an ID sufficient. But the point I'm really making is, and this might not be even the forum and I just want to know if you've thought about it. Identity has failed in large part. I know because I was there. Yeah, yeah. It failed because the banks were unwilling to make assertions about their customers to any third party for liability reasons. Banks have this interesting property that when they undertake any risk, they have to set money aside. It's called capitalization and they hate it. They don't like setting money aside. It's unproductive money. They want to lend it out and get interest on it, right? So same thing happened in Passport. You seem to have a history. Okay, so what are you in now then? What should we avoid? Keystone. I mean businesses do things if they think they're going to make money. Correct, correct. So the travel industry is a federation. Hertz is willing to federate with Marriott or Delta Airlines because it's a customer referral system. I know, I understand. Yeah, I understand. Exactly right. Yeah. Nobody signs up and says, hey, come on, come on. If you want to know somebody's age, I'll tell you. They don't do that. No, no, I understand that. I understand that. My only question was, have you thought about who will be the IDPs who will provide rich attributes that are typically used in businesses like purchasing limits? Like whether or not you're allowed to edit grades for students, things like that. Ah, yes. So thank you. I'm very good with the plan that, hey, we're implementing a solution of which the technology layer has been thought through and the business layer is up to the business people. Maybe it'll work. I personally hesitate to get into it. Yeah. A lot of the issues that you're bringing up is that a lot of service providers, they collect a lot of personal information about us already. And I have no idea who they're sharing my business information, my age. Yeah, right. 
So there's a lot of policy issues there about how this stuff is going to be managed that just isn't there yet. So I actually wanted to take this discussion in a slightly different direction in that what David has proposed is a completely general solution to the sort of federated identity management and into the federated resource management discussion. Now, in terms of use cases that would drive what is really needed here, I would think that there are many different situations and use cases where you could get by with something that is somewhat de-scoped. It doesn't have everything in here that is described because this is the completely general solution. For the 60% or 70% or 80% solution that would address a lot of markets, where could we make this simpler and maybe prioritize which ones that we bite off and work through some of these policy issues about how you actually manage the distribution of your attributes and so forth. I mean, I have my own reasons for being here, but I wanted to get a notion from the rest of the room what's important about federated clouds. One of the last points is that in the NIST federal cloud strategy documents, they have the volume one that has the 10 recommendations for cloud adoption; number five is cloud federation. Okay, so there is distinct interest to address it. A couple of months ago, I wrote a blueprint called Federation and next time I checked on it, there were a couple paragraphs at the bottom by this gentleman from the University of Kent. Of course, it was the first thing I did there. The Google one said, okay, this guy kind of knows something about security. This is not out of the blue. We started battling back and forth. One of the first things that I realized was that what I was calling Federation was a subset that came to what we're calling delegation now. 
One of the use cases there is that HPE has a cloud offering and they don't want to have to manage each individual user, each individual group from the people who are purchasing space in their cloud. So it's going to be a very deliberate setup between two organizations, a cloud provider, a public cloud provider today, and an organization to use space there and for them to be able to do that. So I can see, for instance, the role of the mapper being done by the current LDAP mechanisms. Assuming that we get them, so that they actually work in a better case, you run your own Keystone service in your company instead of a token on hold. So in that case, you have taken this abstraction done there and done it completely within the realm of Keystone, where Keystone is now playing the job of a mapper. Take your LDAP schema and get it into what I call roles in the service catalog and let me send that on to the centralized, let's say centralized one on the HPE. So we know that the idea of being able to push down to the end organizations the ability to manage their own users is something that's in demand. And it may be that it's within a, even within a single cloud. Take the DoD case, it may be that the DoD runs a single cloud, but Army, Navy, Air Force, Marines, each have their own individual system that they manage themselves, but they have to be able to access each other's resources. So this is a great, I think this is probably the most important thing, as I say, is what I would call pattern language. We have a way that we can discuss it. We know how the general concepts here map to Keystone, you know, and that's why Joe and I have asked these things, you know, how do these things map to what we really have here? Because we do need to apply to a real problem domain, right? And it's not going to be your Facebook, but we do know that there are identity management systems out there. 
And probably the LDAP pattern directory is the number one; if we solve it for that, we probably drive it down. I mean, what I would like to push for is clearly defined interfaces within Keystone. So you've got the functionality, but it may be spaghetti-like, you know, linked in. Make a clean interface, use your existing code then that exists. It may have reduced functionality, but it doesn't matter, because once you've got a clean interface, guys can innovate and they can rip out and put in sophisticated and much more general purpose ones. But if we don't have the interfaces and we don't have the concepts and the functionality, you've just got a big blob of spaghetti that you can't do anything with. So that's what I'd be asking for. Make it simple. Make the first implementation simple. You know, you might not have a directory. In fact, we've implemented a directory service, but only via the interface. What it actually does is it gets the UK Access Management Federation, two gigabits of, you know, plumbing metadata and just stores it in a file and then just skims through it and scans through and picks up the information and returns it. It's a completely naff implementation, but it's got the functionality that's needed. I mean, what we'd like to do is have it as a sophisticated LDAP directory service and store all the skimmers in there, you know, in the future. But at least the interface is there and it provides the functionality you need. The functional decomposition, as described here, has actually already started. We're already starting to do the setup. Token issuing service is one of the things with the PKI token. We're talking about being able to push down the ability to sign a token to some other service. One of the primary use cases driving this is Horizon needs to be able to take these secure authentication mechanisms such as Kerberos and PKI and it can't pass that on through to Keystone, right? 
You can't say, okay, here's the private key that this guy is using is a valve. You don't do that in PKI. If you do client certificate authentication, it has to be done between the web server that you're calling and the client's browser. So we're going to say, well, if you're doing that validation, you sign a token and then you can send that token over to Keystone that might, again, go from an unscoped to a scoped token. We also say, okay, well, why don't we say every, say we have three Horizon servers, give them separate certificates so we can invalidate them separately. At that point it says, yeah, let me, that way I only have to invalidate the tokens for the one that gets violated when those attacks happen. So we're already starting that functional decomposition there. The credential validation policy, that's off the middle way. That's why the conversation is really centered around the ones that will let clear what they meant and get what RIS said. Request issuing service. That's the one that creates the request of the identity provider. And that's the one that frightens me. That's the one that, yes, I know if it's Horizon or if it's the Python Keystone client that we can do correctly. Well, that's all you need to do. End of there, as long as you've got a clean interface, just do it and leave it at that. And some other guys like us will come along and say, well, here's the SAML one. Right, exactly. So getting that such that other people get it right, we should be able to do the whole thing such that they can't get it wrong. They can just get it so that it doesn't work. They can't get it so that they violated. They can just get it so that it doesn't work. It doesn't work. I mean, yeah, exactly. And you just deny access, so that's secure. Yeah, so the push towards federation was already happening from a purely extend the OpenStack mechanisms, the Keystone mechanisms, to make it work. 
And when I found out about this effort, which had obviously been under way for a little bit of time since I think it was presented on this a year ago, you could look at this one. So we're on to how do we incorporate this into. At the moment, what I've got is Word documents and PowerPoint slides, and we've got a complete disconnect between the way you work and the way I'm used to working. And so my stuff is not getting distributed to you because I don't even know how to do it. I mean, I've got a learning curve to learn how to even make my documents available. Yeah, yeah. So there are some basic simple things that I need to do in the next month or so to get this stuff to you to get feedback and comment. Adam kindly took my initial design document and turned that into the right format as a blueprint. But I need to, you know, get myself genned up to do this. And I've got these PowerPoint pictures and swim lanes. How do I get those swim lanes so that people can see them and comment on them? So there's stuff like that. And we've actually got the code. So the code exists. How do I get the code to you so that you can actually start to use it and play with it and test it. And, you know, create a new branch and quality, sure, et cetera. So there are a number of practical steps we'd like to do in the next few hours, days, weeks. You know, so it's possible, really. Yeah. Yeah. Yeah. Okay. Yeah. I mean, we're using SVN and CVS at the moment. Yeah. Right. Yeah. Okay. Okay. So I'll get my researcher to start on that next week. Yeah. If it can do, yeah. Yeah. So that's good. And also we'd like to get some feedback testing, you know, people try it out and testing and tell us. We know there are some problems; we've got one problem which we haven't solved with some of the identity providers with the, when we actually call up the browser, the browser sends the request, then the user authenticates and then it sends the response back. 
Now we tell the identity provider to send it to localhost and then the client software picks up the response from localhost and then sends it to Keystone. There are a couple of identity providers that will not send the response to localhost. We don't know why at the moment. We don't know what's actually causing the problem. Google's okay. That works. OpenID works. But Facebook doesn't work. It will not send. I mean, that might not be interesting in Facebook anyway, but it won't actually send the response. Even though they know it's us and we've registered with them, we're trusted and we're a trusted service provider to them. That's right. It comes into localhost, but the thing is that certainly in the Shibboleth and the academic world where, in that federation, they require the address they've published in the metadata. So you have to actually, the identity provider, sorry, the service provider has to publish the address that it wants it to come back to. So it has to be fixed in metadata. So we've published, fixed it as localhost. So that's one of the restrictions, that you can't dynamically change it either. Well, it's just going to send it to Keystone, that's all, but we've got to somehow get it from the browser to the client to send it to Keystone. Yeah, yeah, yeah, yeah, yeah. Oh, okay. Well, we'll have to talk about this offline and see. Yeah, okay. Okay. Okay, that might be the solution then. I know that's a bug with, that's a current bug in the current implementation with some of the identity providers, they don't like localhost. Oh, okay, okay. No.