6/12/2016 AEB/Yleisesittely WLAN roaming experiences using Shibboleth TNC 2004, Rhodes 7th of June, 2004 Mikael Linden, Viljo Viitanen,


Background: AA issues in TERENA
- TERENA TF-Mobility work on roaming access at the network level. Deliverable G (preliminary selection for inter-NREN roaming) considers:
  – 802.1X & RADIUS hierarchy
  – VPN & complete list of VPN gateways
  – web redirection & RADIUS hierarchy
  – ROAMNODE & RADIUS hierarchy
- TERENA TF-AACE work on inter-institutional, application-level access: a multitude of AAI technologies are being deployed
  – Shibboleth, PAPI, FEIDE, A-Select, …
- In GN2, the network-level and application-level AA issues are to be bridged in JRA5

Background: University of Helsinki (UoH)
- Largest university in Finland: students (total in Finland)
- Campus in downtown Helsinki
- UoH is still deliberating whether to join WLAN roaming
  – it would probably not be fair for UoH: considerably more visitors are likely to come in than go out, so the costs would accumulate at UoH
- UoH could allow roaming access to some smaller subgroup (e.g. staff of other universities)
  – authentication alone is not enough; role-based authorisation is needed
  – the role attributes need to be passed from the home institution, which is exactly what AAI technologies are made for

How it works
Components in the diagram: the Helsinki University public access network (HUPnet); the access control device (ACD), which acts as the Shibboleth target; the WAYF; the Shibboleth origin of the University of Tampere (UTa); and Bob, a lecturer at UTa, visiting Helsinki. Before authentication the ACD has SSL (port 443) open only towards the WAYF and the origins (WAYF, UTa, …).
1. The ACD redirects the user to the WAYF.
2. The user selects his home institution from the web form in the WAYF.
3. The UTa Shibboleth origin authenticates the user.
4. The Shibboleth attribute exchange passes the user's role to the ACD.
5. Based on the role, the ACD grants or denies access to the Internet.
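The five steps above as a small simulation of the ACD's decisions. This is an added example, not the HUPnet code: the host names, the WAYF URL, the ACD endpoint and the role policy are all hypothetical. It shows the two things the ACD actually has to enforce: before authentication only TCP 443 towards the WAYF and the federation's origins is let through (port 80 is redirected to the WAYF, everything else dropped), and after the attribute exchange the grant/deny decision is made from the scoped affiliation alone, with the scope checked against the origin that asserted it so that one origin cannot claim to be staff of another institution.

```python
"""Simulated Shibboleth-protected access control device (ACD) for a public WLAN.

Added example (not the HUPnet implementation). Hypothetical hosts and policy.
"""
from urllib.parse import urlencode

WAYF_URL = "https://wayf.example.fi/WAYF"          # hypothetical WAYF
ACD_SHIRE = "https://acd.hupnet.example/SHIRE"     # hypothetical ACD endpoint (Shibboleth 1.x SHIRE)

# Origins the ACD trusts, and the scope (home institution domain) each one may
# legitimately assert. Without this check an origin could claim "staff@helsinki.fi".
ORIGIN_SCOPES = {
    "shib.uta.example": "uta.fi",
    "shib.helsinki.example": "helsinki.fi",
}
# Role policy of the visiting institution: affiliations that get Internet access.
ALLOWED_AFFILIATIONS = {"staff", "faculty"}


class AccessControlDevice:
    def __init__(self, wayf_host, origin_scopes, allowed_affiliations):
        self.wayf_host = wayf_host
        self.origin_scopes = dict(origin_scopes)
        self.allowed = set(allowed_affiliations)
        self.sessions = {}   # client IP -> scoped affiliation that was granted

    def filter_packet(self, client_ip, dst_host, dst_port):
        """Pre-auth packet filter: 'ALLOW', 'REDIRECT' (to the WAYF) or 'DROP'."""
        if client_ip in self.sessions:
            return "ALLOW"
        if dst_port == 443 and (dst_host == self.wayf_host or dst_host in self.origin_scopes):
            return "ALLOW"      # the only holes before authentication (step 2-3 traffic)
        if dst_port == 80:
            return "REDIRECT"   # step 1: the browser is sent to the WAYF
        return "DROP"

    def wayf_redirect(self, target="/"):
        """Step 1: the redirect URL, naming the ACD as the Shibboleth target."""
        return WAYF_URL + "?" + urlencode({"shire": ACD_SHIRE, "target": target})

    def authorize(self, client_ip, origin_host, attributes):
        """Steps 4-5: decide from the attributes delivered by origin_host.

        Returns (decision, reason). Only eduPersonScopedAffiliation is consulted;
        a uid attribute, if present, is ignored because the ACD does not need it.
        """
        expected_scope = self.origin_scopes.get(origin_host)
        if expected_scope is None:
            return "DENY", "attributes from an origin outside the federation"
        for value in attributes.get("eduPersonScopedAffiliation", []):
            affiliation, sep, scope = value.partition("@")
            if not sep:
                continue
            if scope != expected_scope:
                return "DENY", f"scope {scope} not owned by origin {origin_host}"
            if affiliation in self.allowed:
                self.sessions[client_ip] = value   # open the Internet for this client
                return "GRANT", f"{affiliation} from {scope}"
        return "DENY", "no affiliation in policy"


def demo():
    """Bob (staff at UTa) gets through; a student and a spoofed scope do not."""
    acd = AccessControlDevice("wayf.example.fi", ORIGIN_SCOPES, ALLOWED_AFFILIATIONS)
    before = acd.filter_packet("10.0.0.5", "www.example.com", 80)          # REDIRECT
    bob = acd.authorize("10.0.0.5", "shib.uta.example",
                        {"eduPersonScopedAffiliation": ["staff@uta.fi"], "uid": ["bob"]})
    after = acd.filter_packet("10.0.0.5", "www.example.com", 80)           # ALLOW
    student = acd.authorize("10.0.0.6", "shib.uta.example",
                            {"eduPersonScopedAffiliation": ["student@uta.fi"]})
    spoof = acd.authorize("10.0.0.7", "shib.uta.example",
                          {"eduPersonScopedAffiliation": ["staff@helsinki.fi"]})
    return before, bob, after, student, spoof


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The scope check is the caveat the slide's privacy argument relies on: the ACD learns only a role and a home institution, so it must be sure the home institution is the one that actually authenticated the user, otherwise any federation member could mint "staff" of any other member.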

Benefits
- makes role-based authorisation easy
  – the visiting institution makes the access control decision based on the user's role, as provided by her home institution
- preserves privacy
  – the user's identity need not be revealed to the visiting institution; only her role and home institution are revealed
- better security than the plain "web redirection & RADIUS" model
  – the user's uid and password travel in an SSL tunnel between her browser and her home institution's Shibboleth origin
  – the visiting institution never sees the user's password
- brings together the network-level and application-level access architectures
  – no need for overlapping architectures

Disadvantages
- In Europe, cross-organisational and cross-national AAI infrastructure is not yet as mature as the RADIUS-based hierarchy
  – Shibboleth is in use in Switzerland and Finland; the UK is starting to pilot it
- To let the user enter her uid & password at her own Shibboleth origin site, the access controller needs to maintain an exhaustive list of the Shibboleth origin sites in the federation
  – the list has to be updated regularly as sites join
  – however, the WAYF has to maintain the same list in any case
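Since the WAYF already consumes the federation's site list, the ACD's allowlist can be derived from the same metadata instead of being maintained by hand. The following is an added example, not part of the HUPnet implementation or the talk. The sample document is constructed in the shape of Shibboleth 1.x site metadata (OriginSite elements with a HandleService Location); the code also picks up SAML 2 SingleSignOnService locations so the same script survives a federation upgrade. All host names are hypothetical, and the iptables rule layout is an assumption about how a Linux ACD would enforce the list.

```python
"""Build the ACD's pre-authentication allowlist from federation metadata.

Added example, not from the HUPnet code. Sample metadata is constructed;
host names are hypothetical.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample in the shape of Shibboleth 1.x sites.xml (hypothetical sites).
SAMPLE_METADATA = """<SiteGroup Name="urn:mace:example:haka" xmlns="urn:mace:shibboleth:1.0">
  <OriginSite Name="urn:mace:example:uta.fi">
    <Alias>University of Tampere</Alias>
    <HandleService Location="https://shib.uta.example/shibboleth/HS" Name="shib.uta.example"/>
    <AttributeAuthority Location="https://shib.uta.example/shibboleth/AA" Name="shib.uta.example"/>
    <Domain>uta.fi</Domain>
  </OriginSite>
  <OriginSite Name="urn:mace:example:helsinki.fi">
    <HandleService Location="https://login.helsinki.example:8443/shibboleth/HS" Name="login.helsinki.example"/>
    <Domain>helsinki.fi</Domain>
  </OriginSite>
  <DestinationSite Name="urn:mace:example:acd">
    <AssertionConsumerServiceURL Location="https://acd.hupnet.example/SHIRE"/>
  </DestinationSite>
</SiteGroup>"""

# Element names whose Location is the place the user's browser must reach to log in.
ORIGIN_ELEMENTS = ("HandleService", "SingleSignOnService")


def origin_endpoints(metadata_xml):
    """Return sorted (host, port) pairs for every origin login endpoint in the metadata.

    Only https locations are opened: the whole point of the model is that the
    password travels in an SSL tunnel to the home origin.
    """
    root = ET.fromstring(metadata_xml)
    endpoints = set()
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]     # strip the XML namespace
        location = el.get("Location")
        if local in ORIGIN_ELEMENTS and location:
            u = urlsplit(location)
            if u.scheme != "https" or not u.hostname:
                continue
            endpoints.add((u.hostname, u.port or 443))
    return sorted(endpoints)


def iptables_rules(metadata_xml, wayf_host, acd_portal_port=80):
    """Render the pre-auth allowlist as iptables commands for a Linux ACD.

    Rules for already-authenticated clients (matched by source address) are
    assumed to be inserted above these by the ACD when it grants access.
    Host names are resolved by iptables when the rules are loaded, so the
    rules must be regenerated whenever the metadata changes.
    """
    rules = [f"iptables -A FORWARD -p tcp -d {wayf_host} --dport 443 -j ACCEPT"]
    for host, port in origin_endpoints(metadata_xml):
        rules.append(f"iptables -A FORWARD -p tcp -d {host} --dport {port} -j ACCEPT")
    # Step 1 of the flow: plain-HTTP requests land on the ACD's own portal,
    # which issues the redirect to the WAYF.
    rules.append(f"iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports {acd_portal_port}")
    rules.append("iptables -A FORWARD -j DROP")
    return rules


if __name__ == "__main__":
    for rule in iptables_rules(SAMPLE_METADATA, "wayf.example.fi"):
        print(rule)
```

Two caveats a deployer would check: the metadata only names the origin's Shibboleth endpoints, so if an institution's actual login page lives on another host (a separate web login server the origin redirects to) that host must be added by hand; and the destination-site entries (the ACD itself, in the sample) are deliberately not opened, since only origin login endpoints need to be reachable before authentication.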

Practical experiences: HUPnet
- HUPnet (Helsinki University Public network) has been available to UoH staff and students since 2001
  – for WLAN and wired (Ethernet) public access on UoH premises
  – the ACD is a Linux box with a web-based end-user UI
- UoH has demonstrated a Shibbolised access control device (ACD)
  – previously: AA was based on RADIUS
  – now: Shibboleth
- Piloting between the University of Helsinki and the other Finnish Shibboleth universities is planned to start before autumn; the implementation is to be made publicly available

Conclusions
- WLAN roaming based on Shibboleth provides
  – role-based access control to the public access network
  – increased privacy
- WLAN roaming based on Shibboleth requires
  – an operational Shibboleth federation
  – maintaining the list of home institutions in each access controller
- WLAN roaming based on Shibboleth could be a way to unify network-level and application-level remote access