Run the TRESOR ecosystem as docker containers
0. Install docker and docker-compose.
# clone the tresor-ecosystem and its submodules
git clone --recursive https://github.com/TU-Berlin-SNET/tresor-ecosystem.git
# change into the directory
cd tresor-ecosystem
# build and deploy with docker-compose
docker-compose up
The TRESOR Ecosystem uses Claims-based Identities for consistent and secure federated authentication. The current implementation follows the Guide to Claims-Based Identity and Access Control and uses Microsoft Active Directory Federation Services. It is comparable to the Federated Identity with Multiple Partners scenario.
For authorization, the TRESOR Ecosystem uses the TRESOR XACML Policy Decision Point, which is based on the WSO2 Balana Engine.
This chapter details the authentication and authorization flow in the TRESOR ecosystem.
At first, the service consumer uses their browser to access a TRESOR service by entering a service URL, whose hostname maps to the IP address of the proxy. In the testbed, these hostnames match *.service.cloud-tresor.com.
The proxy receives the service request and redirects the unauthenticated user to the Federation Provider. This redirection can be seen in the RedirectToSSOFrontendHandler class in the TRESOR Proxy source.
Based on a special "home realm URL" sent by the proxy, the Federation Provider redirects the user to one of the supported authentication providers: a mock Identity Provider (used in the demonstrator), SkIDentity (secure Smart Card authentication), or a regular Active Directory.
The user authenticates themselves with the respective Identity Provider using username/password, a smartcard, or any other supported authentication method. After authentication, the Identity Provider issues a SAML token and redirects the user back to the Federation Provider.
Through the Identity Provider redirection, the Federation Provider gets the SAML token. As different Identity Providers provide different tokens and attributes, the Federation Provider maps them to a consistent set of SAML attributes and issues a new SAML token. After issuing this SAML token, the user is redirected back to the proxy.
After the user was authenticated, the XACML Policy Enforcement Point (PEP) contained in the proxy requests an XACML authorization decision from the Policy Decision Point (PDP). The XACMLv3 authorization request template can be found in the proxy sources.
The following information are contained in the authorization request:
The Policy Decision Point uses all of these information to retrieve the respective service access rule for the specified organization and to decide, if the request is to be allowed or denied.
After successful authentication and permitted authorization, the request/response is proxied to the upstream server, including information about the authenticated user. See here for all relayed information.
There are some scientific publications about the TRESOR authentication and authorization system:
docker exec -i -t tresorecosystem_broker_1 /bin/bash -c "source /usr/local/rvm/scripts/rvm && RAILS_ENV=production rake tresor:setup_environment"