Mechanisms for Distributed Global Authentication David R Newman
The Problem
- Users need to authenticate to use a service
- But the service provider does not want to manage user credentials
- And / Or the user already has credentials they want to use
The Solutions
Versions of OpenID
Mechanisms for OpenID and OpenID Connect are somewhat similar.
OpenID
- Does not require any configuration for the service provider on the identity provider.
- Service provider decides which identity providers to trust.
- Most identity providers have either been discontinued (e.g. MyOpenID) or deprecated in preference to OpenID Connect (e.g. Google).
OpenID Connect
- Uses OAuth 2.0 to register the service as an application on the identity provider.
OpenID
OpenID Providers
OpenID Connect
Shibboleth
- Commonly used by higher education institutions.
- Requires greater co-operation between service provider and identity provider stakeholders to set up.
- Provides a shim on top of existing user and authentication services.
- Explicitly designed to support third party discovery services.
- Access to user attributes is controlled by the identity provider rather than the user.
Setting up a Shibboleth Service Provider (diagram: Shibboleth Service Provider (SP) and Shibboleth Identity Provider (IdP))
1. Download IdP metadata including certificate
2. Edit SP configuration to reference IdP metadata
3. Generate key and certificate for SP and reference in configuration
4. Get IdP to download SP metadata including certificate
5. Edit IdP configuration to reference SP metadata
Shibboleth Authentication (diagram: User, Service, Shibboleth Service Provider (SP), Shibboleth Identity Provider (IdP))
1. User requests restricted resource
2. Service detects login required
3. SP tells user to authenticate on the IdP
4. User requests IdP login service
5. IdP provides login page
6. User provides login credentials
7. IdP provides authentication results and user attributes to SP (via User)
8. SP tells Service whether user can access resource
9. Service returns resource or forbidden
Sharing User Attributes with Shibboleth (diagram: LDAP Server, Shibboleth Identity Provider (IdP), Shibboleth Service Provider (SP), Service)
1. LDAP attributes mapped to SAML
2. IdP checks which attributes SP can be given
3. SP maps the attributes of interest and passes them on to the service
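The three steps above as a small model, added here as an illustration (this is not Shibboleth code and not the IdP/SP configuration of any real deployment). The entity IDs, release policy, IdP scope and the sample LDAP entry are constructed; the urn:oid attribute names are the standard eduPerson/inetOrgPerson ones. The point it shows is that the IdP's release policy, not the user, decides what reaches the SP, and that the SP only keeps attributes it has a mapping for and only accepts scoped values the IdP is entitled to assert.

```python
# Step 1 (IdP): LDAP attribute name -> SAML attribute name (urn:oid form).
LDAP_TO_SAML = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
}

# Step 2 (IdP): release policy keyed by SP entityID (constructed values).
# Attributes not listed for an SP are withheld; an unlisted SP gets nothing.
RELEASE_POLICY = {
    "https://sp.example.org/shibboleth": {
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
    },
}

# Step 3 (SP): SAML attribute name -> local id the service sees
# (the role attribute-map.xml plays in a real Shibboleth SP; constructed here).
SP_ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
}

# Scopes the SP trusts this IdP to assert (taken from IdP metadata in a real
# deployment; constructed here).
IDP_SCOPES = {"example.ac.uk"}


def idp_resolve(ldap_entry):
    """Step 1: rename LDAP attributes to SAML names, keeping values as lists.
    Anything without a mapping (e.g. userPassword) never leaves the directory."""
    resolved = {}
    for ldap_name, saml_name in LDAP_TO_SAML.items():
        if ldap_name in ldap_entry:
            value = ldap_entry[ldap_name]
            resolved[saml_name] = list(value) if isinstance(value, (list, tuple)) else [value]
    return resolved


def idp_release(resolved, sp_entity_id):
    """Step 2: apply the release policy for this SP (default deny)."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {name: values for name, values in resolved.items() if name in allowed}


def sp_map(released):
    """Step 3: keep only attributes the SP has an id for; drop scoped values
    (user@scope) whose scope is not one the IdP may assert."""
    mapped = {}
    for saml_name, values in released.items():
        local_id = SP_ATTRIBUTE_MAP.get(saml_name)
        if local_id is None:
            continue
        if local_id == "eppn":
            values = [v for v in values if "@" in v and v.rsplit("@", 1)[1] in IDP_SCOPES]
        if values:
            mapped[local_id] = values
    return mapped


def attribute_flow(ldap_entry, sp_entity_id):
    """Whole path: LDAP -> IdP resolution -> IdP release -> SP mapping."""
    return sp_map(idp_release(idp_resolve(ldap_entry), sp_entity_id))


# Constructed sample directory entry.
SAMPLE_LDAP_ENTRY = {
    "eduPersonPrincipalName": "drn@example.ac.uk",
    "eduPersonAffiliation": ["member", "staff"],
    "mail": "drn@example.ac.uk",
    "displayName": "David Newman",
    "userPassword": "{SSHA}placeholder",
}

if __name__ == "__main__":
    print(attribute_flow(SAMPLE_LDAP_ENTRY, "https://sp.example.org/shibboleth"))
    print(attribute_flow(SAMPLE_LDAP_ENTRY, "https://other.example.net/shibboleth"))
```

Running it shows the trusted SP receives only eppn and affiliation (mail is resolved but not released, displayName is not even mapped at the SP), and an SP absent from the policy receives an empty set of attributes.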
Shibboleth with Discovery
Eduroam
- International Wi-Fi roaming service
- Predominantly available at higher education institutions
- Users can log in using their institutional username and password
- Easily configurable on Windows, Linux, MacOS, Android and iOS
- Uses RADIUS to enable 802.1X authentication
How RADIUS Works
RADIUS Peering
- Allows authentications beyond your domain.
- Peer directly with another RADIUS server using a “shared secret”
- This RADIUS server can then peer with others
- Rules in RADIUS configuration determine whether to attempt local authentication or to which server to relay.
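Two of the points above in code, as an added illustration (not SOWN's configuration and not FreeRADIUS or any other RADIUS server's code): the realm rules that decide between local authentication and relaying to a peer, and the shared-secret check a relay applies to a peer's reply. The realm names, peer names and secret are constructed; suffix matching of realms is a simplification of a proxy realm table. The Response Authenticator is the RFC 2865 one: MD5 over Code, Identifier, Length, the Request Authenticator, the attributes and the shared secret.

```python
import hashlib
import hmac
import struct

# Constructed realm table, loosely mirroring the chain in the slides.
LOCAL_REALMS = {"sown.org.uk"}
PEERS = {
    "ecs.soton.ac.uk": "radius-ecs",
    "soton.ac.uk": "radius-soton",
}
DEFAULT_PEER = "radius-upstream"  # anything unknown goes to the national federation


def route(user_name):
    """Return ("local", None) or ("proxy", peer) for a User-Name.
    No realm means a local user; the longest matching realm suffix wins, so a
    sub-realm is relayed to the nearer peer rather than straight upstream."""
    if "@" not in user_name:
        return ("local", None)
    realm = user_name.rsplit("@", 1)[1].lower()
    if realm in LOCAL_REALMS:
        return ("local", None)
    for suffix in sorted(PEERS, key=len, reverse=True):
        if realm == suffix or realm.endswith("." + suffix):
            return ("proxy", PEERS[suffix])
    return ("proxy", DEFAULT_PEER)


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    return hashlib.md5(header + request_authenticator + attributes + secret).digest()


def build_response(code, identifier, request_authenticator, attributes, secret):
    """What the peer sends back; only a holder of the shared secret can produce it."""
    auth = response_authenticator(code, identifier, request_authenticator, attributes, secret)
    return struct.pack("!BBH", code, identifier, 20 + len(attributes)) + auth + attributes


def verify_response(packet, request_authenticator, secret):
    """The relay's check before trusting an Access-Accept/Reject from a peer:
    the packet must be well-formed and its authenticator must match the one
    computed with our copy of the shared secret and the request we sent."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, request_authenticator, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    for name in ("alice", "bob@ecs.soton.ac.uk", "dave@uni-muenster.de"):
        print(name, "->", route(name))
    req_auth = bytes(range(16))          # constructed Request Authenticator
    reply_message = b"\x12\x04ok"        # Reply-Message attribute (type 18), constructed
    pkt = build_response(2, 7, req_auth, reply_message, b"s3cret")  # 2 = Access-Accept
    print("genuine reply verifies:", verify_response(pkt, req_auth, b"s3cret"))
    print("wrong secret verifies:", verify_response(pkt, req_auth, b"wrong"))
```

The check binds the reply to the specific request (via the Request Authenticator) and to the secret, so a reply that was forged, replayed against a different request, or altered in transit fails verification at the relay rather than being passed on as a successful authentication.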
How Eduroam Works
SOWN’s RADIUS Peering (diagram: ECS, SOWN, Soton, Jisc (Janet), GEANT, DFN, Münster)
SOWN’s RadMatrix
Further Reading
OpenID
- http://openid.net/connect/
- http://openid.net/developers/specs/
- https://developers.google.com/identity/protocols/OpenIDConnect
Shibboleth
- https://wiki.shibboleth.net/confluence/display/SHIB2/Software+Concepts
- https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
- https://wiki.shibboleth.net/confluence/display/IDP30/Home
Eduroam/RADIUS
- https://www.eduroam.us/node/10
- http://www.sown.org.uk/radmatrix
- https://monitor.eduroam.org/mon_direct.php
- https://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf
Next SOWN Talk
Administering the SOWN Network – David Newman and Chris Malton
Probably 2nd March
Questions?