TAC - Poznan, 6 June 2005 Building trust with a European style Diego R. Lopez RedIRIS.

The European way
- (Too) many states, languages, national priorities/laws/prides/…
- Different systems and/or profiles of existing systems, in different degrees of maturity and deployment
- Look for agreements, even when not fully satisfactory
- Several initiatives to fill the gaps:
  - eduroam: already and successfully running!
  - GN2-JRA5: defining the architecture of an inter-federation AAI
  - TF-EMC2: refining AA-RR and initiating its schema effort, SCHAC
  - TACAR and SCS: new ways of approaching PKIs
  - The Cotswolds Group
- Importing whatever is interesting from overseas: basic standards such as Shibboleth and eduPerson
- And always with a sense of style and history (your humble speaker and many colleagues)

eduroam
- The international roaming network access service
- Based on a hierarchy of RADIUS servers:
  - Institutional servers connect to root NREN servers
  - NREN servers are aggregated at the eduroam central server
[Diagram: Institution A (authenticator: AP or switch; RADIUS server; guest, student and employee VLANs) and Institution B (RADIUS server with user DB), joined over the Internet through the central RADIUS proxy server; the guest's supplicant authenticates at Institution A and the request is relayed through the hierarchy to the home institution's RADIUS server.]
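The routing decision behind that hierarchy, as an added example (not code from the slides or from the eduroam project): each proxy looks only at the realm part of the outer identity, forwards to the longest-matching downstream server it knows, and otherwise hands the request to its parent, so a request from Institution A climbs to the NREN server and, for a foreign country, to the central proxy before descending to the home institution. All server names, realms (under `example.nl` / `example.es`), users and passwords are constructed; no RADIUS packets are sent, and the password comparison stands in for the EAP exchange that in reality is carried end to end to the home institution. The three checks a proxy operator wants are included: identities with no routable realm, an inner identity that does not belong to the realm that was routed on, and forwarding loops between misconfigured proxies.

```python
"""Realm-based routing in an eduroam-style RADIUS proxy hierarchy (constructed model)."""
from dataclasses import dataclass, field
from typing import Optional

ACCEPT = "Access-Accept"
REJECT = "Access-Reject"


@dataclass
class RadiusServer:
    name: str
    # realms this server authenticates itself (institutional servers only)
    local_realms: frozenset = frozenset()
    # realm suffix -> downstream server: NREN servers key on full institutional
    # realms, the central proxy keys on country top-level domains
    routes: dict = field(default_factory=dict)
    parent: Optional["RadiusServer"] = None
    # local user DB: user -> (password, vlan); constructed test data
    users: dict = field(default_factory=dict)

    def route(self, realm: str):
        """Next hop for a foreign realm: longest matching suffix, else the parent."""
        best = None
        for suffix, server in self.routes.items():
            if (realm == suffix or realm.endswith("." + suffix)) and (
                    best is None or len(suffix) > len(best[0])):
                best = (suffix, server)
        return best[1] if best else self.parent

    def access_request(self, outer_identity, inner_identity, password, path=()):
        path = list(path)
        if self.name in path:  # a proxy seeing its own name again is a loop
            return {"result": REJECT, "reason": "proxy loop", "path": path + [self.name]}
        path.append(self.name)
        _, sep, realm = outer_identity.rpartition("@")
        realm = realm.lower()
        if not sep or not realm:  # nothing to route on
            return {"result": REJECT, "reason": "no routable realm", "path": path}
        if realm in self.local_realms:
            return self._authenticate(inner_identity, password, path)
        nxt = self.route(realm)
        if nxt is None:  # top of the hierarchy and still nobody owns the realm
            return {"result": REJECT, "reason": "unknown realm", "path": path}
        return nxt.access_request(outer_identity, inner_identity, password, path)

    def _authenticate(self, inner_identity, password, path):
        """Home institution: the inner identity must belong to a realm we own."""
        user, sep, inner_realm = inner_identity.rpartition("@")
        if not sep:
            user = inner_identity
        elif inner_realm.lower() not in self.local_realms:
            return {"result": REJECT, "reason": "inner/outer realm mismatch", "path": path}
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return {"result": REJECT, "reason": "bad credentials", "path": path}
        return {"result": ACCEPT, "vlan": entry[1], "path": path}


def visited_decision(visited, outer_identity, inner_identity, password):
    """What the authenticator at the visited site does with the answer: its own
    users get the VLAN from their record; accepted guests always land in the
    guest VLAN, since the visited site does not take network policy from a
    remote home server."""
    reply = visited.access_request(outer_identity, inner_identity, password)
    if reply["result"] == ACCEPT and reply["path"][-1] != visited.name:
        reply["vlan"] = "guest"
    return reply


def build_hierarchy():
    """Constructed three-tier hierarchy: three institutions, two NRENs, one central proxy."""
    central = RadiusServer("central-proxy")
    nren_nl = RadiusServer("nren-nl", parent=central)
    nren_es = RadiusServer("nren-es", parent=central)
    central.routes = {"nl": nren_nl, "es": nren_es}
    uni_a = RadiusServer("uni-a", frozenset({"uni-a.example.nl"}), parent=nren_nl,
                         users={"alice": ("pw-a", "student")})
    uni_b = RadiusServer("uni-b", frozenset({"uni-b.example.nl"}), parent=nren_nl,
                         users={"bob": ("pw-b", "employee")})
    uni_c = RadiusServer("uni-c", frozenset({"uni-c.example.es"}), parent=nren_es,
                         users={"carla": ("pw-c", "employee")})
    nren_nl.routes = {"uni-a.example.nl": uni_a, "uni-b.example.nl": uni_b}
    nren_es.routes = {"uni-c.example.es": uni_c}
    return {s.name: s for s in (central, nren_nl, nren_es, uni_a, uni_b, uni_c)}


if __name__ == "__main__":
    h = build_hierarchy()
    # Spanish user visiting Institution A: climbs to the central proxy and back down
    print(visited_decision(h["uni-a"], "@uni-c.example.es", "carla@uni-c.example.es", "pw-c"))
    # same-country guest: the NREN server answers without involving the central proxy
    print(visited_decision(h["uni-a"], "@uni-b.example.nl", "bob@uni-b.example.nl", "pw-b"))
```

The anonymous outer identity (`@uni-c.example.es`) is what the proxies route on; only the home server sees the inner user name. A realm that reaches the central proxy without matching any country entry is rejected there rather than being bounced back down, which is the main defence against request storms between proxies.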

eduroam: Reaching further
[Map slide; no text extracted.]

GÉANT2 AAI
- Intended to be one of the basic services of the coming pan-European academic network
- Common to all services provided by and based on the network: from network access, bandwidth management, etc. to application access (including Grids)
- Not a substitute for existing infrastructures (nation- or community-based), but a superstructure connecting them
- Based on (con-)federating the federations
  - But able to build new federations where they do not exist
  - And directly providing access to AuthN/AuthZ services through specific interfaces

GÉANT2 AAI components
- A local AAI instance at each federation/domain/realm, providing the interfaces to the federations or services in it
- Common services: the Home Location Service; others possible: certificate verification, common diagnostics, …
- Connectors: one common to a federation (the Local Federation Connector); Local Connectors for resources allowed to interact directly
- Service Access Points: in charge of adapting the AAI interfaces to the (isolated) services
- AA queries/responses: interfaces and operations, WS and SAML based

GÉANT2 AAI general diagram
[Diagram slide; no text extracted.]

TF-EMC2 and AA-RR
- Able to impersonate general AAI components: attribute sources, attribute requesters, authorization engines
- Driven by profiles: entity and protocol aspects; attributes and values
- Protocol agnostic: a rule engine (defined in the profile) connects to protocol adaptors
- Applications: GÉANT2 AAI connectors; diagnostic tool; interoperability assessment

TF-EMC2 and SCHAC
- An extension to the eduPerson schema, taking into account European idiosyncrasies
- Based on a collection of national extensions so far: Croatia (hrEdu), Finland (funetEdu), France (supAnn), Norway/Sweden (norEdu), Poland (plEdu), Spain (iris), Switzerland (swissEdu)
- Common requirements have been quickly identified:
  - Personal (unique) identifiers
  - Other personal attributes (citizenship, languages, …)
  - Privacy definition and entitlements

SCHAC current status
- Initial proposal being discussed
- Release Candidate 1 for the individual attributes was presented at the TF-EMC2 meeting on Sunday
- Protocol neutral: LDAP, XML
- One of its main drivers is ECTS, the European Credit Transfer (and Accumulation) System, which enables students to complete their curricula across Europe and has made schema harmonization key for IT practitioners in European universities
- Close cooperation between TERENA/TF-EMC2 and EUNIS

TACAR
- The TERENA Academic CA Repository
- A PKI-based web of trust among the European academic and research community (and beyond!)
- Built and maintained by out-of-band methods, without the technical and administrative burdens of a common root CA or a bridge
- Adopted as trust repository by the EUGridPMA; endorsed by the eIRG
- Based on two basic principles: keep it simple; let it happen
- 22 certificates from NRENs and Grid communities
- Exploring further applications: from on-line verification to simpler direct trust links among PKIs

TACAR: What does it offer
- A single authoritative source for certificates and policies, able to simplify maintenance procedures
- Mechanisms to extend (and strengthen) trust links: the Grid communities; other geographical areas
- A model to experiment with, lighter than a common root and simpler than a bridge:
  - Distribution of certificate packages
  - Peer-review based models (à la EUGridPMA)
  - Qualified or not
  - PKI operation servers
  - Simplified trust exchange: the brand new 1SCP proposal
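What "built and maintained by out-of-band methods" means for a relying party, as an added example covering the two TACAR slides (not TACAR's own tooling): the certificate package arrives over the network, the fingerprints arrive by a separate channel (exchanged at a meeting, checked against a printed policy document), and a certificate goes into the local trust store only when the two agree. All CA names, DER payloads and the resulting fingerprints are constructed for the illustration; the "certificates" are placeholder byte strings rather than real X.509 objects, because the check is a hash over the DER bytes and does not need to parse them.

```python
"""Checking a downloaded CA package against fingerprints obtained out of band (constructed example)."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the value a relying party pins."""
    return hashlib.sha256(der).hexdigest()


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM CERTIFICATE block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def build_bundle(ders) -> str:
    """Concatenate several certificates into one PEM package."""
    return "".join(make_pem(d) for d in ders)


def parse_bundle(text: str):
    """DER bytes of every certificate block; tolerant of CRLF and indentation."""
    return [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(text)]


def check_bundle(bundle_text: str, manifest: dict) -> dict:
    """Compare a downloaded package with the out-of-band manifest
    (sha256 fingerprint -> CA name).

    accepted:   CA names whose certificate matched a pinned fingerprint
    missing:    pinned CAs absent from the download (stale or partial copy)
    unexpected: fingerprints in the download that nobody vouched for
    """
    accepted, unexpected = [], []
    for der in parse_bundle(bundle_text):
        fp = fingerprint(der)
        if fp in manifest:
            accepted.append(manifest[fp])
        else:
            unexpected.append(fp)
    missing = sorted(set(manifest.values()) - set(accepted))
    return {"accepted": accepted, "missing": missing, "unexpected": unexpected}


def install_ok(report: dict) -> bool:
    """A package carrying any unvouched certificate is refused outright; a
    missing entry only means the local copy stays partial until the next fetch."""
    return not report["unexpected"]


# Constructed sample data: these are NOT real certificates, only stand-ins for DER bytes.
CA_DERS = {
    "NREN-CA-1": b"placeholder DER bytes, constructed, not X.509 (1)",
    "GRID-CA-2": b"placeholder DER bytes, constructed, not X.509 (2)",
    "NREN-CA-3": b"placeholder DER bytes, constructed, not X.509 (3)",
}
# What the relying party obtained through the out-of-band channel, keyed by hash.
MANIFEST = {fingerprint(der): name for name, der in CA_DERS.items()}


if __name__ == "__main__":
    good = build_bundle(CA_DERS.values())
    print(check_bundle(good, MANIFEST))
    # a package where one certificate was swapped in transit
    tampered = build_bundle([CA_DERS["NREN-CA-1"], b"substituted by an attacker"])
    report = check_bundle(tampered, MANIFEST)
    print(report, "install:", install_ok(report))
```

The asymmetry in `install_ok` is deliberate: an absent CA degrades gracefully (its certificates simply do not validate), whereas one extra, unvouched CA would let an attacker issue certificates the whole community accepts, so that case fails closed.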

SCS: A novel certificate service
- Enable the use of server certificates:
  - Allow the use of encrypted channels whenever necessary
  - Avoid the pop-up problem, and the cost associated with avoiding it
- The proposal:
  - A service outsourced to a commercial provider that takes care of the root installation procedures in major browsers
  - Provided to NRENs in adequate technical conditions and on reasonable economic terms (as flat as possible)
  - Coordinated through TERENA
- Current status:
  - Agreement signed by most participant NRENs
  - (Promising) conversations with several providers

The Cotswolds Group initiative
- Hosted by JISC (UK)
- Representatives invited from countries which have committed funding to a comprehensive national programme
- Attended by representatives from Australia, Finland, Netherlands, Spain, Switzerland, UK, US and CERN
- Aims: to establish a framework for further international collaboration of AA systems, leading to interoperable user mechanisms, and to help other countries develop similar large-scale systems

The Cotswolds Group conclusions
- Global inter-working of local/national schemes is possible
- The network peering model is relevant to extending coverage
- A set of criteria is needed to judge whether to accept a candidate federation
- Production of a cookbook to describe the criteria and the selection process
- A facilitator (Secretary) of the activities of the group
- Dissemination of the results on a broad front