Do you like to puzzle? …build an AA Infrastructure! DELAMAN Access Group Workshop November, 30th, 2004 xxx
2 Presentation contents Drivers for an AAI; The pieces of the AAI-puzzle; –network and application access, login, authentication, authorisation, identity management; Federations; Shibboleth; E2E Middleware Diagnostics; Standards; Developments;
3 Authentication and Authorisation Infrastructure (AAI) The Authentication and Authorisation Services, components for Identity and Privilege Management and the entities responsible for these services - constitute an Authentication and Authorisation Infrastructure.
4 Why AAI? Personalised service provisioning
5 Why AAI? Educational mobility
6 Why AAI? Network mobility
7 Why AAI? Reduce the digital key ring X X X
8 Login (web)Application Administration AuthorisationNetwork Authentication Ingredients of an AAI
9 Network access: RADIUS proxy hierarchy Organisational RADIUS Server B Organisational RADIUS Server B Organisational RADIUS Server C Organisational RADIUS Server C National RADIUS Proxy Server National RADIUS Proxy Server National RADIUS Proxy Server National RADIUS Proxy Server European RADIUS Proxy Server European RADIUS Proxy Server European RADIUS Proxy Server European RADIUS Proxy Server Organisational RADIUS Server A Organisational RADIUS Server A network
10 Network access: User-controlled light path provisioning Application AAA Broker SURFnet6 Applications Broker NetherLight Application Broker OMNInet Applications Broker Starlight Services AAA UDDI/ WSIL A-Select token network
11 Application access: centralise intelligence applications
12 Application access: centralise intelligence applications
13 Login server: intermediary between application and AA: provide SSO login
14 Authentication: choose your own method (and strength) IP address Username / password –LDAP / Active Directory –RADIUS –SQL Passfaces PKI certificate OTP through SMS OTP through internet banking Tokens (SecurID, Vasco, …) Biometrics … authentication
15 Authentication: solutions for webenvironments Web Initial Sign-on (WebISO) –A-Select, SURFnetA-Select, SURFnet –CAS, YaleCAS, Yale –Cosign, MichiganCosign, Michigan –Distauth, UC DavisDistauth, UC Davis –eIdentity Web Authentication, Colorado StateeIdentity Web Authentication, Colorado State –PAPI, RedIRISPAPI, RedIRIS –PubcookiePubcookie –Web AuthN/AuthZ, Michigan TechWeb AuthN/AuthZ, Michigan Tech –WebAuth, StanfordWebAuth, Stanford –... Etcetera... authentication
16 Authorisation: Policy engines authorisation
17 Authorisation: Policy engines: f.e. use ‘roles’ authorisation
18 Authorisation: 3 scenario’s 1.Authentication = authorisation (‘simple’) 2.Identity plus a few attributes (‘commonly used’) 3.Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’) authorisation
19 Authorisation: privilege management authorisation
20 Administration: Identity Management How to record the identities (schema’s), credentials (attributes or roles), and privileges? Enterprise (or meta) directory to glue all sources of information together; Quality of registration is CRUCIAL for AuthN and AuthZ; It’s the underlying basis for an AAI; …and it’s a hype… administration
21 SAP/HR Local Admin LDAP ADS Admin. layer ExchangeW2K/XPRADIUSCAB Directory layer Application layer Portfolio Administration: Identity Management - layers example administration Network layer802.1x WLANDial-UP
22 Presentation contents Drivers for an AAI; The pieces of the AAI-puzzle; network and application access, login, authentication, authorisation, identity management; Federations; Shibboleth; E2E Middleware Diagnostics; Standards; Developments;
23 Federations: A Federation is a group of organisations, whose members have agreed to cooperate in an area such as operating an inter-organisational AAI - a Federated AAI or an AAI Federation. Group AGroup B
24 Cross-domain AA: Ingredients for a federation Policies (e.g. InCommon* from Internet2): –Federation Operating Practices and Procedures –Participant Agreement –Participant Operating Practices Technologies: –Protocols / language –Schema’s –Trust / PKI * Group AGroup B
25 Cross-domain AA: Federation organisational Group AGroup B
26 Birdseye view of Shibboleth Suite What is Shibboleth? –An Internet2/MACE project than provides a framework and technology for inter institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the users privacy. Trust relations are created within a federation; What does Shibboleth offer? –authorisation, attribute gathering and privacy safe transport of attributes; What doesn’t Shibboleth do? –Out of the box authentication, choose a WebISO (f.e. A-Select) Results at a protected resource after Shibboleth process: –user ID-x with the attributes X,Y wants access to resource Z
27 Shibboleth mapping of AAI components Group AGroup B
28 Shibboleth components terminology explained The user makes an initial request to the resource provider (also referred to as ‘Target’ in Shibboleth terms), which is protected by a Shibboleth Indexical Reference Establisher (SHIRE). The SHIRE redirects the user either directly to a Handle Service (HS), or to the Where Are You From (WAYF) service that locates the HS associated with the user. The SHIRE or WAYF requests a handle for the user from the HS. The HS invokes the Authentication System (AS), and returns a handle to the authenticated user. This handle refers to the user, but does not directly identify him/her. Only the HS knows which user is associated with a certain handle. The Shibboleth Attribute Requestor (SHAR) queries the AA for attributes using the handle it obtained in step 4. Attributes are exchanged using SAML (Security Assertion Markup Language). The SHAR receives the attributes it requested from the AA. The Resource Manager (RM) then decides whether or not to grant access to the user based on these attributes. Attribute Release Policies (ARP) are the rules that define which attributes are released to which resource providers (targets). The most basic ARP consists of a destination SHAR name and a list of attributes and values that should be released to the SHAR. Attribute Acceptance Policies (AAP) define which attributes and values are accepted by the SHAR. Only those attributes that are accepted are passed on to the RM, the rest are filtered out. Examples of attributes that might be rejected are attributes that are only trusted by specific AAs (origins), or attributes which value is expected to be from a small set of enumerated choices (if the value is not in this set, it is discarded).
29 E2E Middleware diagnostics: what if there’s an error? Security Related Events Middleware Related Events Network Related Events Collection and Normalization of Events Dissemination Network X Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets Group AGroup B
30 Archive and Network Forensics Archive Netflow Host 7 Network Devices Host 3 Host 1 Host 2 Combined Forensics and Reporting Host 5 Host 8 General Forensics And Reporting Host 6 User Diag App Host 9 Application, System or Security Events LDAP, DNS Web-App EnterpriseFederation Network Events E2E Middleware diagnostics: what if there’s an error? X Group AGroup B
31 What about… …standards? Currently many proprietary solutions (sockets, cookies, redirects, …) Webservices (SOAP, XML RPC, WSDL, WS-*) SAML For federations: –WS-Federation (Microsoft, IBM) –SAML (OASIS: 150 companies, Internet2) –Liberty Alliance (Sun, 170 companies) ? ? ? ? ??
32 What about… …developments (in the research world)? Australia: start with Shibboleth Europe: combination of Shibboleth and ‘home-grown’ USA: Shibboleth European Project Geant2: –GN2-JRA5: focus on European AAI, SSO for network and applications Need for: –Converging or dominant standard(s), means better interoperability between the pieces of the puzzle –Universal Single Sign-On across network and application domain –Attention to non-web-based applications ? ? ? ? ??
33 References Identity Management AAI Terminology EduRoam A-Select weblogin Privilege Management Intro on federations Internet2 Federation Swiss Federation End-to-end diagnostics
Questions ?
35 Advisory Committee Operations Committee Board of Founders Delaman Foundation Central AAI Services Foundation Members Service Provider Delaman Federation To conclude: a possible future: DELAMAN Federation based on Shibboleth? Institutes, Research, Universities, Libraries Home organi- sation resource Home organi- sation Foundation Partners resource Service subscription Resource registration