5/25/2015 AEB/Yleisesittely Roaming network access using Shibboleth in University of Helsinki Fall 2004 Internet2 Member Meeting 29th of September, 2004.


Roaming network access using Shibboleth in University of Helsinki
Fall 2004 Internet2 Member Meeting, 29th of September, 2004
Mikael Linden, CSC, the Finnish IT Center for Science, Finland

Isn't it a little bit exotic…
…to use application layer technology for access control in the network layer?
- Application layer: Shibboleth
- Transport layer: TCP
- Network layer: IP
- Link layer: WLAN (802.11)

CSC, the Finnish IT center for Science
- Non-profit company owned by the ministry of education in Finland to provide national IT infrastructure for research and education
  - expertise in scientific computing
  - supercomputing
  - Funet (Finnish university and research network)
- Federated identity: a new way for CSC to support higher education
  - national HAKA federation on Shibboleth
  - currently in pilot phase (3 IdPs, 4 SPs)
  - to be in production in 2004

Background: AA issues in European higher education
- Roaming network access technologies:
  1. X & RADIUS proxy hierarchy
  2. VPN & complete list of VPN gateways
  3. web redirection & RADIUS proxy hierarchy
  4. ROAMNODE & RADIUS proxy hierarchy
  - more information: TERENA TF-Mobility, deliverable G
- Application level access technologies: several federating software products in use, some of them national
  - Shibboleth, PAPI, FEIDE, A-select…

Background: University of Helsinki (UH)
- The largest university in Finland
- A campus in downtown Helsinki
- University of Helsinki is deliberating whether to join WLAN roaming
  - would not be fair for UH: probably considerably more visitors coming in than going out? => costs would accumulate for UH
- UH could allow roaming access for some smaller subgroup (e.g. staff & faculty in other universities) => authentication is not enough, role based authorisation is needed
  - role attributes need to be passed from the home institution
  - that's what Shibboleth is made for

How it works
[Diagram: Bob, a researcher at University of Tampere (UTa), in the docking network (HUPnet) at University of Helsinki; access control device (ACD, a Shibboleth target) between the docking network and the Internet; WAYF; Shibboleth origin at UTa. SSL port 443 open to: WAYF, UTa, …]
1. The user activates his WLAN card and web browser. ACD (a shib target) captures the initial HTTP request
2. The browser is redirected to WAYF
3. The user selects his IdP. Shib origin authenticates him
4. IdP provides user attributes to ACD
5. ACD decides if the user may access (the rest of) the Internet

Benefits
- Makes role based authorisation easy
  - visited institution makes the access control decision based on the user's role provided by her home institution
- Preserves privacy
  - user's identity need not be revealed to the visited institution (only her role and home institution are revealed)
- Single sign-on
  - to shibbolized network and application level services
- Brings together network and application level access architecture
  - no need for overlapping architecture

Downsides
- In Europe, cross-organisational and cross-national AAI infrastructure is not as mature as the RADIUS based hierarchy
  - Shibboleth used in Switzerland, Finland, UK…
- To allow the user to enter her uid & pwd at her Shibboleth origin site, the access controller needs to maintain an extensive list of Shibboleth origin sites in the federation
  - the list has to be updated regularly
  - however, the list has to be maintained by the federation anyway
  - CASG (see Terena TF-Mobility deliverable E) can make the maintenance easier
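The two jobs of the ACD described on the "How it works" and "Downsides" slides (letting unauthenticated clients reach only port 443 of the WAYF and the origin sites, then deciding access from role attributes alone) can be sketched as follows. This is an added example, not code from the presentation or from HUPnet; the hostnames, the `role@scope` attribute format (as in eduPersonScopedAffiliation) and the policy sets are assumptions.

```python
# Added example: ACD-side policy for a Shibboleth-protected docking network.
# All hostnames, scopes and role sets below are constructed assumptions.

# Pre-authentication allowlist: the only hosts an unauthenticated client may
# reach, and only on SSL port 443 (the WAYF plus the federation's origins).
# This is the list the "Downsides" slide says must be kept up to date.
PREAUTH_HOSTS = {"wayf.federation.example", "idp.uta.example", "idp.uh.example"}

FEDERATION_SCOPES = {"uh.example", "uta.example"}   # known home institutions
LOCAL_SCOPE = "uh.example"                          # the visited institution
LOCAL_ROLES = {"staff", "faculty", "student"}       # own users
VISITOR_ROLES = {"staff", "faculty"}                # smaller roaming subgroup


def preauth_allowed(dst_host, dst_port):
    """Before login, pass only HTTPS to the WAYF and known origin sites."""
    return dst_port == 443 and dst_host.lower() in PREAUTH_HOSTS


def parse_scoped(value):
    """Split 'role@scope'; return None for malformed values."""
    role, sep, scope = value.strip().lower().partition("@")
    if not sep or not role or not scope or "@" in scope:
        return None
    return role, scope


def access_decision(asserting_scope, affiliations):
    """Decide from role and home institution only; no user identity needed."""
    for value in affiliations:
        parsed = parse_scoped(value)
        if parsed is None:
            continue
        role, scope = parsed
        # Check added in this example: an origin may only assert roles in
        # its own scope, and that scope must belong to the federation.
        if scope != asserting_scope.lower() or scope not in FEDERATION_SCOPES:
            continue
        allowed = LOCAL_ROLES if scope == LOCAL_SCOPE else VISITOR_ROLES
        if role in allowed:
            return True
    return False
```
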

Practical experiment: HUPnet
- HUPnet (Helsinki University Public network) has been available for UH staff & students since 2001
  - for WLAN and wired (ethernet) public access in UH premises
  - ACD is a Linux box with web end-user UI
- UH has started piloting a shibbolized access control device (ACD)
  - previously: AA was based on RADIUS
  - now: Shibboleth implementation to be publicly available

More information
- Mikael Linden, Viljo Viitanen. "Roaming network access using Shibboleth", an article in Terena Networking Conference ow.php?pres_id=165