The DAMe’s First Steps: eduroam and NAS-SAML

Diego R. Lopez - RedIRIS

Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)

DAMe is a project that builds upon:
- eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
- Shibboleth and eduGAIN
- NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards

Notes:
- Usually, those proposals don't explain how certificates are issued by the authorities (it is usually application-dependent)
- In complex environments, a structured and distributed system must be provided (and application-independent)

First Goal: extNA (Extension of eduroam using NAS-SAML)

[Figure: eduroam with NAS-SAML. Components shown: Supplicant (guest user piet@university_b.nl), Authenticator (AP or switch), RADIUS servers at University A and University B, eduroam Central RADIUS Proxy server, User DB, Source Attribute Authority, XACML Policy Decision Point; signaling data carried in SAML.]

User mobility controlled by assertions and policies expressed in SAML and XACML
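The figure above only names the boxes. The following is an added example, not code from the DAMe project or the NAS-SAML implementation, that models the flow end to end in a toy form: the visited NAS splits the NAI, the eduroam proxy routes on the realm, the home Attribute Authority answers with a SAML attribute statement, and the visited-side PDP evaluates an XACML-style first-applicable policy against it. Assumptions made here: the SAML 1.1 assertion namespace (the slides do not pin a SAML version), a constructed realm table and user DB, a policy written as a Python list instead of XACML XML, an unsigned assertion (a real deployment would sign it and verify the signature before trusting the Issuer), and a fixed clock `NOW` so the validity check is deterministic.

```python
"""Toy eduroam + NAS-SAML flow: realm routing, home attribute assertion, visited PDP decision."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumption: SAML 1.1 assertion namespace; the slides do not state the version used.
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML}

# Fixed clock for the example (constructed, not from the page).
NOW = datetime(2007, 5, 20, 10, 0, tzinfo=timezone.utc)

# Constructed eduroam-style realm table: realm -> home RADIUS server / Attribute Authority.
REALMS = {
    "university_a.es": "radius.university_a.es",
    "university_b.nl": "radius.university_b.nl",
}
# Constructed stand-in for each home institution's User DB (NAI -> affiliations).
USER_DB = {
    "piet@university_b.nl": ["student"],
    "ana@university_a.es": ["staff"],
    "eve@university_b.nl": ["alum"],
}
# Constructed XACML-like policy for the visited PDP, evaluated first-applicable.
POLICY = [
    {"affiliation": {"staff", "faculty"}, "effect": "Permit", "vlan": 10},
    {"affiliation": {"student"}, "effect": "Permit", "vlan": 20},
]
TRUSTED_ISSUERS = set(REALMS.values())


def split_nai(nai):
    """Split a Network Access Identifier into (user, realm); eduroam routes on the realm."""
    if "@" not in nai:
        raise ValueError("eduroam requires a realm in the NAI to route the request")
    user, realm = nai.rsplit("@", 1)
    return user, realm.lower()


def route(nai):
    """Home AAA server the central proxy forwards to, or None for an unknown realm."""
    return REALMS.get(split_nai(nai)[1])


def home_assertion(nai, affiliations, issuer, not_after_iso):
    """Home Attribute Authority's reply: an (unsigned, toy) SAML 1.1 attribute statement."""
    root = ET.Element(f"{{{SAML}}}Assertion", Issuer=issuer, MajorVersion="1", MinorVersion="1")
    ET.SubElement(root, f"{{{SAML}}}Conditions", NotOnOrAfter=not_after_iso)
    stmt = ET.SubElement(root, f"{{{SAML}}}AttributeStatement")
    subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = nai
    attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", AttributeName="eduPersonAffiliation")
    for value in affiliations:
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(root, encoding="unicode")


def parse_assertion(xml_text):
    """Extract issuer, NotOnOrAfter and attribute values from the assertion XML."""
    root = ET.fromstring(xml_text)
    issuer = root.get("Issuer")
    not_after = root.find("saml:Conditions", NS).get("NotOnOrAfter")
    attrs = {}
    for a in root.findall(".//saml:Attribute", NS):
        attrs[a.get("AttributeName")] = [v.text for v in a.findall("saml:AttributeValue", NS)]
    return issuer, not_after, attrs


def decide(xml_text, now=NOW):
    """Visited-side PDP: trust and validity checks, then first-applicable rule on affiliation."""
    issuer, not_after, attrs = parse_assertion(xml_text)
    if issuer not in TRUSTED_ISSUERS:
        return ("Deny", "untrusted issuer")
    if now >= datetime.fromisoformat(not_after):
        return ("Deny", "assertion expired")
    affiliations = set(attrs.get("eduPersonAffiliation", []))
    for rule in POLICY:
        if affiliations & rule["affiliation"]:
            return (rule["effect"], rule["vlan"])
    return ("Deny", "no applicable rule")


def network_access(nai, now=NOW):
    """Whole flow as seen by the visited NAS: route, fetch home assertion, ask the PDP."""
    home = route(nai)
    if home is None:
        return ("Deny", "unknown realm")
    affiliations = USER_DB.get(nai)
    if affiliations is None:
        return ("Deny", "unknown user")
    not_after = (now + timedelta(minutes=5)).isoformat()
    return decide(home_assertion(nai, affiliations, home, not_after), now)


if __name__ == "__main__":
    print(network_access("piet@university_b.nl"))  # ("Permit", 20)
```

The two Deny branches before the policy loop are the part worth copying: the PDP must bind the assertion to a trusted home authority and a validity window before it reads a single attribute, otherwise any RADIUS peer in the hierarchy could mint "staff" for an arbitrary NAI.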

Second Goal: eduGAIN as AuthN and AuthR Backend

Link between the AAA servers (now acting as Service Providers) and eduGAIN

Third Goal: Universal Single Sign On

- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware

4th goal: integrating applications, focusing on grids.

eduroam + NAS-SAML: Independent AuthR [diagram slide]

eduroam + NAS-SAML: Merged AuthR [diagram slide]

eduroam + NAS-SAML in Context

- The proposal is functionally equivalent to the one discussed in SALSA-FWNA for RADIUS-SAML integration
- Compatibility and convergence are the natural way forward
- NAS-SAML is:
  - From the inter-realm view, a Diameter binding for SAML
  - Already available, thus allowing for fast evaluation of ideas
- Agree on the basics:
  - Data (NameIdentifier?) exchanged in RADIUS space
  - Relevant attributes