Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Presentation transcript:

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS

As Federations Grow

The risk of dying of success
– Do we really need to go on selling the federated idea?
Different communities, different needs
– Not even talking about international collaboration
– Different (but mostly alike) solutions
– Grids and libraries as current examples
– And many to come: Governments, professional associations, commercial operators, …
Don’t hold your breath waiting for the Real And Only Global Federation

Confederations Federate Federations

Same federating principles applied to federations themselves
– Own policies and technologies are locally applied
Independent management
– Identity and authentication-authorization must be properly handled by the participating federations
Commonly agreed policy
– Linking individual federation policies
– Coarser than them
Trust fabric entangling participants
– Without affecting each federation’s fabric
– E2E trust must be dynamically built

Applying Confederation Concepts in eduGAIN

An eduGAIN confederation is a loosely-coupled set of cooperating federations
– That handle identity management, authentication and authorization using their own policies
Trust between any two participants in different federations is dynamically established
– Members of a participant federation do not know in advance about members in the other federations
Syntax and semantics are adapted to a common language
– Through an abstract service definition

The eduGAIN Model

[Diagram: Id Repository(ies), Resource(s), MDS, R-FPP, R-BE, H-FPP, H-BE; labelled links: Metadata Publish (R-FPP, H-FPP), Metadata Query (R-BE), AA Interaction (shown three times)]

An Adaptable Model
From centralized structures...

[Diagram: MDS; FPP with BE; FPP with BE; SP, IdP, SP]

An Adaptable Model
...to fully E2E ones...

[Diagram: MDS and many SP and IdP components, each with its own BE]

An Adaptable Model
...including any mix of them

[Diagram: MDS; several SPs and IdPs with their own BE; an SP and an IdP behind an FPP with its BE]

A General Model for eduGAIN Interactions

[Diagram: Requester, Responder, Id Repository, Resource, TLS Channel(s), MDS (TLS Channel); component IDs urn:geant2:...:responder and urn:geant2:...:requester. Message fragments shown on the slide:]
MDS query: ?cid=someURN
Metadata: <EntityDescriptor ... entityID="urn:geant2:..:responder"> ... <SingleSignOnService ... Location=“ /> ...
Request: <samlp:Request ... RequestID="e70c3e9e6…" IssueInstant="…"> ...
Response: <samlp:Response ... ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> ...

A Layered Model for Implementation

[Diagram: implementation layers, as listed on the slide]
Component logic
eduGAINBase + eduGAINVal + eduGAINMeta
SAML toolkit (OpenSAML)
SOAP/TLS/XMLSig libraries
Also labelled: eduGAINBase Profile Access

The eduGAIN APIs: Trust Evaluation

[Diagram: eduGAINVal, with its Configuration, Key Store and Trust Store]
Is this trust material (cert/signature) valid? Does it correspond to component X? → Valid/not valid; Corresponds to component X
Sign this piece of XML → Signature
Which trust material to use for connecting → Trust material
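A worked illustration of the questions on this slide, added here as an example and not eduGAINVal's own code: a small Go component whose key store is its own signing key and whose trust store maps component IDs to the public keys they published. It uses Ed25519 over raw bytes in place of XML Signature over certificates, and every key and component ID is generated or constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// TrustStore maps a component ID to the public key it published (constructed structure).
type TrustStore map[string]ed25519.PublicKey

// Validator answers the trust-evaluation questions for one eduGAIN component.
type Validator struct {
	self       string             // this component's ID
	signingKey ed25519.PrivateKey // key store: our own trust material
	trusted    TrustStore         // trust store: keys we accept
}

// NewValidator generates a fresh key pair; a real deployment would load PKI material instead.
func NewValidator(self string) (*Validator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Validator{self: self, signingKey: priv, trusted: TrustStore{}}, nil
}

// PublicKey is the trust material this component publishes to others.
func (v *Validator) PublicKey() ed25519.PublicKey {
	return v.signingKey.Public().(ed25519.PublicKey)
}

// Trust records another component's published key in the trust store.
func (v *Validator) Trust(component string, pub ed25519.PublicKey) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("malformed public key")
	}
	v.trusted[component] = pub
	return nil
}

// Sign answers "sign this piece of XML" with a signature.
func (v *Validator) Sign(xmlDoc []byte) []byte {
	return ed25519.Sign(v.signingKey, xmlDoc)
}

// Validate answers both questions on the slide: is the signature valid under a trusted key
// (valid), and does that key belong to the component the message claims to come from (corresponds)?
func (v *Validator) Validate(xmlDoc, sig []byte, claimed string) (valid, corresponds bool) {
	for id, pub := range v.trusted {
		if ed25519.Verify(pub, xmlDoc, sig) {
			return true, id == claimed
		}
	}
	return false, false
}

// TrustMaterialFor answers "which trust material to use for connecting" to a component:
// the stored key to check the peer against when the channel to it is opened.
func (v *Validator) TrustMaterialFor(component string) (ed25519.PublicKey, error) {
	pub, ok := v.trusted[component]
	if !ok {
		return nil, fmt.Errorf("component %q is not in the trust store", component)
	}
	return pub, nil
}

func main() {
	requester, _ := NewValidator("urn:geant2:example:requester")
	responder, _ := NewValidator("urn:geant2:example:responder")
	_ = responder.Trust(requester.self, requester.PublicKey())
	doc := []byte(`<Request RequestID="constructed-id"/>`) // constructed sample
	valid, ok := responder.Validate(doc, requester.Sign(doc), requester.self)
	fmt.Printf("valid=%v corresponds=%v\n", valid, ok)
}
```

Validate reports the two answers separately on purpose: a signature that verifies under some trusted key but not under the key of the component the message claims is reported as valid but not corresponding, and a bridging element has to treat that combination as a failure before acting on the message.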

The eduGAIN APIs: Metadata Access

[Diagram: eduGAINMeta, with its Configuration, built on eduGAINVal]
Publish these metadata through MDS server (component metadata) → Publishing result
Give me metadata about this part of eduGAIN → Metadata
Which component(s) can be queried to retrieve data about someone with these Home Locators?

The eduGAIN APIs: Abstract Service

[Diagram: eduGAINBase, with its Configuration, built on eduGAINMeta and eduGAINVal]
Create/manipulate an abstract service object → Abstract service object or Protocol element
Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile) → Corresponding ASO response
Transform these abstract service objects to/from wire protocol → Abstract service object / Protocol element

The eduGAIN APIs: Profile Access

[Diagram: eduGAIN Profile API, with its Configuration, built on eduGAINBase, eduGAINMeta and eduGAINVal]
Is this AuthN/Attr material valid? → Valid/not valid
Provide data from the requester → Data
Create/modify a security token → Token
Is this request authorized? → Authorization response

eduGAIN Profiles

Oriented to
– Enable direct federation interaction
– Enable services in a confederated environment
Four profiles discussed so far
– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)
Others envisaged
– Extended Web SSO (allowing POST data to be sent)
– eduGAIN usage from roaming clients (DAMe)
Based on SAML 1.1
– Mapping to SAML 2.0 profiles along the transition period

The WebSSO Profile

[Diagram]

The AC Profile

[Diagram]

The UbC Profile

[Diagram]

The WE Profile

[Diagram]

The Paved Way

The first eduGAIN enabled resource is already available
– As a result of the implementation of the WebSSO profile
Prototypes for
– The MDS
– The component ID registry
– The PKI components
eduGAIN base APIs available at the GN2 SVN server
Cookbook and reference material

The Road Ahead

Implementing the rest of initial profiles
– Direct collaboration with initial user activities
– And initial liaisons with some others
Migration to SAML2
– Plans to align as much as possible with Shibboleth 2
Building stable support services
– Many component IDs foreseen
– Web-based and extensible PKI services
Keeping coolness
– CardSpace
– OpenID
And policy!