R. Malta (1), J. Faísca (1), J. Quintino Rogado (2)

(1) ECATI - Computer Engineering, Universidade Lusófona (PORTUGAL)
(2) ECATI - Computer Engineering, Universidade Lusófona and CICANT Research Center (PORTUGAL)
This document describes a task of the Virtlab[1] project taking place at the “Universidade Lusófona de Humanidades e Tecnologia” (ULHT), which aims at providing a framework for federated access to modular and configurable virtual network laboratories, based solely on open source technologies.

The paper reports on the first implementation of an essential Virtlab concept, the Secure Authentication Broker, which enforces secure authentication and authorization to the virtual resources. This module allows students to access remotely, by means of a seamless e-Learning web interface, various virtual environments (Virtual Machines, Networks and Storage) which are configured according to their academic enrollment profiles.

The first goal achieved with this work was to implement a module acting as a mediator (or broker) between the Web interface and the virtualization environment. This module intercepts the authentication flow established between the virtual desktop and the virtual environment, which is generally carried over protocol-specific mechanisms, and replaces it with an alternative scheme based on the HTTP protocol. This introduces a more flexible and extensible mechanism, which allows the adoption of various authentication models. In a first phase, a basic authentication scheme was introduced, which validated credentials against a local repository, while the final plan (currently under development) is to provide an authentication scheme based on the Shibboleth federated environment.

The second goal achieved with the work described in the paper was to provide full control of the virtual environment through the same web interface, so that access becomes seamless and the security of the authentication scheme is not compromised. This has been achieved by embedding the remote machine console Java applet and the virtual machine administration controls in an HTML page, which communicates with the virtual environment by means of a Web Service interface that the Broker also provides.

To summarize, the Secure Authentication Broker implements the following functionality:

· Intercepting the communication between users and virtual environments;
· Interpreting and validating the user credentials;
· Retrieving the user profile and validating their access to the resources requested;
· Creating and managing the user authentication session;
· Providing web access to the virtual environments requested, via the libvirt[2] API;
· Managing heterogeneous virtual environments.
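As an added illustration of the sequence listed above (validate credentials, retrieve the enrollment profile, create a session, authorize the requested resource, then hand off to libvirt), here is a minimal broker core in Python. This is not code from the VirtLab project: the credential repository, enrollment profiles and lab domain names are constructed, and the libvirt connection object is an assumed parameter.

```python
import hashlib
import hmac
import secrets
import time

def _hash(password, salt):
    """Derive a PBKDF2-SHA256 hash of the password with the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed local credential repository: username -> (salt, password hash).
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, _hash("alice-pw", _SALT))}
# Constructed enrollment profiles: user -> courses; course -> libvirt domain names.
ENROLLMENT = {"alice": {"networks-101"}}
COURSE_LABS = {"networks-101": {"lab-router-1", "lab-host-1"},
               "security-201": {"lab-ids-1"}}

SESSION_TTL = 600          # seconds a broker session stays valid
_sessions = {}             # token -> (username, expiry timestamp)

def authenticate(user, password):
    """Validate credentials against the local repository; return a session token or None."""
    entry = USERS.get(user)
    # Hash against a dummy record for unknown users so timing does not reveal usernames.
    salt, stored = entry if entry else (_SALT, bytes(32))
    if entry is None or not hmac.compare_digest(_hash(password, salt), stored):
        return None
    token = secrets.token_urlsafe(32)
    _sessions[token] = (user, time.time() + SESSION_TTL)
    return token

def authorize(token, domain):
    """Return the username if the session is live and the enrollment profile grants `domain`."""
    sess = _sessions.get(token)
    if sess is None or sess[1] < time.time():
        _sessions.pop(token, None)      # drop expired sessions on the way out
        return None
    user = sess[0]
    courses = ENROLLMENT.get(user, set())
    allowed = set().union(*(COURSE_LABS.get(c, set()) for c in courses))
    return user if domain in allowed else None

def open_console(token, domain, conn):
    """Assumed libvirt hand-off: look the domain up only after authorization succeeds."""
    if authorize(token, domain) is None:
        raise PermissionError("session not authorized for %s" % domain)
    return conn.lookupByName(domain)    # libvirt.virConnect.lookupByName
```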

The paper will provide a detailed description of the current Authentication Broker architecture and implementation choices, and will explain how the mediation mechanism introduced with this module can be further used to enable the adoption of more sophisticated authentication schemes.

[1] Quintino Rogado, J., 2009, “VirtLab: Virtual Laboratories in Federated Environments”, V International Conference on Multimedia, Information and Communication Technologies in Education, Lisboa, Portugal, April 2009.

[2] libvirt: The virtualization API.