
Federated Identity within Single Sign-On Systems, Authentication & Authorization for LEXIS Project

Alessandro Colucci


Supervisor: Antonio Lioy. Politecnico di Torino, Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica), 2020

PDF (Tesi_di_laurea), thesis, 1 MB
License: Creative Commons Attribution Non-commercial No Derivatives.
Abstract:

The Large-scale EXecution for Industry and Society (LEXIS) Project aims at building an advanced, geographically distributed HPC infrastructure for Big Data analytics that will support the execution of large-scale test-beds in various industrial sectors. This work contains my contribution to the creation of the AAI system securing the whole LEXIS infrastructure. After comparing several Single Sign-On solutions against a set of analysis criteria, the Keycloak system was chosen as the best fit for the project, thanks to its security features. The server was deployed through the implementation of an Ansible Playbook, in charge of installing all the system requirements and configuring the basic setup on the specified server or cluster nodes. Further studies were done on the Authentication and Authorization mechanisms supported by Keycloak, in particular on the configuration of Keycloak Clients and the usage of JWT Tokens. A hybrid approach was adopted to handle Authorization in Keycloak for LEXIS: an RBAC Matrix was designed to provide the right set of permissions for users and groups in the system, merged with an ABAC approach to build a finer-grained Access Control scheme. Finally, some research was done towards the assessment of possible vulnerabilities in the management of Identity and Access Tokens through Token Forgery, which ultimately did not identify any flaw.

Supervisors: Antonio Lioy
Academic year: 2019/20
Publication type: Electronic
Number of pages: 65
Degree programme: Master's degree programme in Computer Engineering (Corso di laurea magistrale in Ingegneria Informatica)
Degree class: New system > Master's degree > LM-32 - Computer Engineering (INGEGNERIA INFORMATICA)
Co-supervising institution: TELECOM ParisTech - EURECOM (France)
Partner companies: OUTPOST24 France
URI: http://webthesis.biblio.polito.it/id/eprint/14363