Using externals idps on OpenStack: A security analysis of openid connect, facebook connect, and openstack authentication

Abstract

The installation and configuration of cloud environments has increasingly become automated and therefore simple. For instance, solutions such as RedHat RDO and Mirantis Fuel facilitate the deployment of popular computational clouds like OpenStack. Despite the advances in usability, effort is still required to create and manage multiple users. This is of particular relevance when dealing with sensitive information, a somewhat common case for private clouds. To alleviate this burden, many clouds have adopted federated Single Sign-On (SSO) mechanisms for authenticating their users in a more transparent manner. In this work we analyze the practical security of an OpenStack IaaS cloud when combined with either OpenID Connect (using Google as IdP) or Facebook Connect (using Facebook as IdP). The criteria used in the analysis comprise the ability to provide data encryption, the risks involved in the use of an external IdP, and improper access control. We identify potential issues regarding these solutions and we propose approaches to fix them.