• RegApp - Federated Login Services (FeLS)

  • The Federated Login Services, FeLS for short, provide a secure, central access point (single sign-on) for services that are also used by members of other research institutions. Using the federated open-source identity management system RegApp, registered users from the different institutions are enabled to securely log on to various services. The persons can use the account provided by their home institution.

RegApp - Community AAI

sprungmarken_marker_19173

RegApp Logo

RegApp - Community Authentication and Authorization Infrastructure (CAAI)

RegApp is a federated open-source identity management system that is being developed primarily at the Scientific Computing Center ( SCC ) at KIT. The currently deployed solution enables more than 38,000 registered users from various research institutions, including the Helmholtz Association and universities, to log in to various services, secured by two-factor authentication (2FA). Users can use the account provided by their home institution.

Identity proxy for single sign-on environments

  • Provisioning and deprovisioning of user identities
  • Transparent integration of SAML federations
  • SSO protocol proxy: OIDC ↔ SAML
  • Infrastructure proxy for LDAP services

The core functionality of RegApp is to connect services to an authentication and authorization infrastructure (AAI) in a variety of ways. Various integration technologies are available for this purpose: A typical use case, for example, would be when a service is unable to communicate directly with SAML-federated identity providers. In this scenario, a so-called IdP-SP proxy can hide both the federated authentication protocol and the complexity of the federation itself, by providing the service with a suitable SSO access point and, as the service provider in the SAML federation, redirecting users to their home IdPs for authentication. To expand the options for connecting services, RegApp offers both SAML and OpenID Connect endpoints. As a protocol translation service, the system maps SAML assertions to OpenID Connect claims. LDAP-based access is also supported to accommodate local accounts with username-password authentication. This addresses all typical SSO scenarios for web-based applications.

Additional Features

  • End-user portal for service registration
  • Storing/administration/provisioning SSH keys
  • Multifactor authentication for web and non-web services

Another use case is accessing non-web HPC systems with command-line interfaces under enhanced security requirements. To support this, the RegApp system offers a portal where authenticated users (e.g., from DFN-AAI-federated organizations) can view a list of all available services and register for them. Depending on the service, a service password must be set, and SSH keys with different usage profiles (login vs. remote command execution) can be uploaded. An integrated MFA service (based on LinOTP) is used to verify two-factor TANs and to allow users to register TOTP-based smartphone authenticators via the portal. To enable web-based and command-line authentication, several specialized HTTP-REST endpoints are available in addition to the SAML, OIDC, and LDAP protocols. The SAML and OIDC endpoints are used for web-based logins. The LDAP endpoint is used to verify service passwords, while the REST endpoints are used to verify the second-factor code and to download the user’s SSH keys.

With these building blocks, virtually any service can be securely connected to the DFN-AAI user federation, including step-up authentication with a second factor, even if the user’s home IdP does not support it.

Architektur der RegApp

RegApp architecture in the context of Identity Providers (IdP), Service Providers (SP), Authentication and Authorization Infrastructures (AAI), and, in the future, communities and project groups

Community Management

  • Authorization functions based on project groups
  • Integration of external research communities

RegApp provides a self-service solution for the administration of communities or project groups and their composition. A project group should be viewed here as a virtual network of user identities or accounts—a so-called research community. The focus is on implementing the associated processes, such as the (de)provisioning of project groups, and the design and implementation of a meaningful rights/roles concept for the administration of the groups and their members. Since membership in a project group forms the basis for authorization decisions, these memberships should be passed on to the corresponding service or community. Since not every connected service is capable of performing user authorization—particularly with regard to communities—user authorization will ultimately also be available on the proxy side based on account properties or group memberships.

Modern Community AAI 

RegApp is being further developed in line with the AARC Blueprint Architecture to facilitate the integration of research communities. Following this approach, the implementation of token translation services will enable expanded service integration through modern authentication methods and protocols such as OpenID Connect, an increasingly established standard. This ensures the system’s openness and the future-proof integration of additional data services. The establishment of appropriate account linking procedures within RegApp enables the assignment of unique identities to HPC clusters and any other connected service in a consistent and uniform manner, regardless of the access method used. Finally, RegApp lays the groundwork for cross-institutional integration of services and establishes group/role management for supraregional and national communities with delegation mechanisms. The software is already being used and further developed as part of the Helmholtz project HIFIS and the current bwIDM project of the State of Baden-Württemberg.

Source Code and Availability

The RegApp source code is available via Git. It is possible to launch a demo instance as a Docker container. The documentation is linked in the respective Git projects.

Documentation: https://gitlab.kit.edu/groups/kit/reg-app/-/wikis/home
GitLab:
https://gitlab.kit.edu/kit/reg-app/regapp-parent Mailing list: regapp-users∂lists.kit.edu

References - RegApp in Use

Referenzen der RegApp-Installationen

Further Information

bwIDM : https://login.bwidm.de
Helmholtz-AAI : https://fels.scc.kit.edu
NFDI : https://regapp.nfdi-aai.de
NHR : https://www.nhr.kit.edu/297.php


SCC News Article bwIDM2 – Security & Communities
SCC News Article RegApp Community Management Controls Access to HPC Resources

 

Login Helmholtz-AAI
bwIDM registration portal
Adminoberfläche der RegApp
Statistical data from the RegApp administration interface