Federated Identity within Single Sign-On Systems, Authentication & Authorization for LEXIS Project

Alessandro Colucci

Rel. Antonio Lioy. Politecnico di Torino, Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering), 2020

License: Creative Commons Attribution Non-commercial No Derivatives.

The Large-scale EXecution for Industry and Society (LEXIS) Project aims at building an advanced, geographically distributed HPC infrastructure for Big Data analytics that will support the execution of large-scale test-beds in various industrial sectors. This work contains my contribution to the creation of the AAI (Authentication and Authorization Infrastructure) system securing the whole LEXIS infrastructure. After comparing several Single Sign-On solutions against a set of analysis criteria, the Keycloak system was chosen as the best fit for the project, thanks to its security features. The server was deployed through an Ansible Playbook, in charge of installing all the system requirements and configuring the basic setup on the specified server or cluster nodes. Further studies were done on the Authentication and Authorization mechanisms supported by Keycloak, in particular on the configuration of Keycloak Clients and the usage of JWT tokens. A hybrid approach was adopted to handle Authorization in Keycloak for LEXIS: an RBAC matrix was designed to provide the right set of permissions for users and groups in the system, merged with an ABAC approach to build a finer-grained Access Control scheme. Finally, some research was done towards the assessment of possible vulnerabilities in Identity and Access Token management through token forgery, eventually not identifying any flaw.

Supervisor: Antonio Lioy
Academic year: 2019/20
Publication type: Electronic
Number of Pages: 65
Degree programme: Corso di laurea magistrale in Ingegneria Informatica (Computer Engineering)
Degree class: New organization > Master science > LM-32 - COMPUTER SYSTEMS ENGINEERING
Co-supervising institution: TELECOM ParisTech - EURECOM (FRANCE)
Collaborating companies: OUTPOST24 France
URI: http://webthesis.biblio.polito.it/id/eprint/14363