RadSec and DAMe
University of Stuttgart / University of Murcia
Vienna, 18.02.2010, Sascha Neinert
Overview
- DAMe Project
- RadSec and DAMe: Dynamic Server Discovery
- DAMe Testbed
- Next Steps
DAMe Project
- DAMe stands for: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
- Subproject of GÉANT2
- Partners: DFN, RedIRIS, University of Murcia, University of Stuttgart
- Goals:
  - Adding attribute-based authorization to eduroam
  - Unified Single Sign On, using the eduToken in SAML format
Attribute-based Authorization in eduroam
Note: NO DIAMETER!
Unified Single Sign On
DAMe-2 Project
Additional goals:
- Support for Level of Assurance (LoA):
  - Including the LoA in the eduToken, in the AuthNContext
  - Protocol extended for re-authentication with a higher LoA
- Integration of RadSec:
  - Adding RadSec proxy servers in front of both the remote (SP) and the home (IdP) institution
  - eduToken transport over RadSec
- Inclusion of attribute conversion in DAMe
RadSec and DAMe: Dynamic Server Discovery
- RadSec: RADIUS over TCP and TLS
- Implementations: radsecproxy and Radiator
- eduroam with RadSec:
  - mutual authentication with valid server certificates from a trusted CA (eduGAIN CA / SCA, others)
  - subjectAltName (URI) specifying the role of a server (e.g. urn:geant:eduroam:component:sp:ABC may act as a RadSec client, urn:geant:eduroam:component:idp:XYZ may act as a server)
- RadSec enables dynamic server discovery:
  - lookup for a RadSec server serving a specific home domain
  - mutual authentication using server certificates
  - TLS connection is established
RadSec and DAMe: Dynamic Server Discovery
Dynamic discovery can be done...
- Using DNS:
  - radsecproxy can query for _radsec._tcp.<domain-name>
  - Radiator can also use this mechanism
- Using MDS:
  - radsecproxy calls the radsec2mds tool
  - SAML metadata is retrieved from the eduGAIN MDS
  - MDS is already part of DAMe / eduGAIN
  - MDS is flexible + secure (efficient? reliable?)
RadSec and DAMe: Dynamic Server Discovery (MDS)
RadSec and DAMe: Dynamic Server Discovery (MDS)
Metadata snippet:

  <md:EntityDescriptor ID="..." entityID="...">
    <md:IDPSSODescriptor ID="USTUTT-RADSEC">
      <md:SingleSignOnService Location="radsec (*) ://ksat124.rus.uni-stuttgart.de:2083"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:Extensions>
        <egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:exact"
                        egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
      </md:Extensions>
    </md:Organization>
  </md:EntityDescriptor>
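As an added example (not code from the DAMe project or from these slides), here is a small Python resolver for the MDS-based lookup the previous two slides describe: it parses metadata shaped like the snippet above, matches a realm against an exact HomeDomain HLPattern, returns the RadSec endpoint, and checks the eduroam component URN from a peer certificate's subjectAltName for the idp/sp role. The egmd namespace URI and the sample metadata are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Namespaces: SAML 2.0 metadata, plus the egmd extension used in the
# slide's snippet (the egmd namespace URI is an assumed placeholder).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "egmd": "urn:geant:edugain:metadata"}
EXACT = "urn:geant:edugain:metadata:homelocator:matching-algo:exact"

# Constructed sample metadata modelled on the USTUTT snippet above.
SAMPLE_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}"
    xmlns:egmd="{NS['egmd']}">
  <md:EntityDescriptor entityID="https://ksat124.rus.uni-stuttgart.de/radsec">
    <md:IDPSSODescriptor ID="USTUTT-RADSEC">
      <md:SingleSignOnService Location="radsec://ksat124.rus.uni-stuttgart.de:2083"/>
    </md:IDPSSODescriptor>
    <md:Organization><md:Extensions>
      <egmd:HLPattern egmd:MatchingAlgo="{EXACT}"
          egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
    </md:Extensions></md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def find_radsec_server(metadata_xml, home_domain):
    """Return (host, port) of the RadSec server whose HomeDomain HLPattern
    matches home_domain exactly, or None if no entity claims that realm."""
    md, eg = NS["md"], NS["egmd"]
    root = ET.fromstring(metadata_xml)
    for ent in root.iter(f"{{{md}}}EntityDescriptor"):
        for pat in ent.iter(f"{{{eg}}}HLPattern"):
            # Only exact HomeDomain patterns are honoured; others are skipped.
            if pat.get(f"{{{eg}}}Type") != "HomeDomain":
                continue
            if pat.get(f"{{{eg}}}MatchingAlgo") != EXACT:
                continue
            if (pat.text or "").strip().lower() != home_domain.lower():
                continue
            for sso in ent.iter(f"{{{md}}}SingleSignOnService"):
                url = urlparse(sso.get("Location", ""))
                if url.scheme == "radsec" and url.hostname:
                    return url.hostname, url.port or 2083  # 2083 = RadSec default
    return None


def peer_may_act_as(san_uris, role):
    """Check the eduroam component URN from a peer certificate's
    subjectAltName: 'idp' entries may act as RadSec server, 'sp' as client."""
    prefix = f"urn:geant:eduroam:component:{role}:"
    return any(u.startswith(prefix) for u in san_uris)
```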
DAMe Testbed – Overall View
[Diagram: Client, AP, RADIUS, RadSec Proxy (UMU, "remote"), RadSec Proxy (USTUTT, "home"), RADIUS, Shib IdP, DAMe-BE, XACML PDP; DNS and eduGAIN MDS used for discovery]
- Most test cases can be done in both directions: UMU -> USTUTT and USTUTT -> UMU
DAMe Testbed – UMU
- Client: wpa_supplicant
- Network SP:
  - FreeRADIUS 1.1.3 with dame-dictionary
  - radsecproxy 1.3.1
  - eduGAIN SCA certificate including the eduroam URN (urn:geant:eduroam:component: ...)
- The testbed has been moved from FreeRADIUS 1 to FreeRADIUS 2
DAMe Testbed – USTUTT
- Network IdP:
  - FreeRADIUS 2.0.2 with dame-enabled peap-module and dame-dictionary
  - radsecproxy 1.3.1, can be discovered by querying DNS for _radsec._tcp.dame.uni-stuttgart.de
  - eduGAIN SCA certificate including the eduroam URN (urn:geant:eduroam:component: ...)
- SAML IdP:
  - Shibboleth IdP 1.3.2 + DAMe-BE
  - Issuing eduTokens
Next Steps
- USTUTT: separate network SP and network IdP
- Finish deployment of DAMe including the dynamic discovery components
- Publish metadata to mds.edugain.org
- Run federated tests between UMU and USTUTT
- Optimize the radsec2mds tool
- Measure performance of DNS-based and MDS-based discovery
- Compare both methods
Any questions or comments?
DAMe website: http://dame.inf.um.es/