(From Radius Hierarchy to AAI) Miroslav Milinović University Computing Centre - Srce EuroCAMP Ljubljana, March 2006.

EuroCAMP, Ljubljana 2006: 2/23 Contents
- History
- hrEdu radius/LDAP hierarchy
- project
- hrEdu schemas
- AOSI (adding AAI flavour)
- today
- Future development

3/23 History
- Directories and directory services
  - Netfind, Whois++, X.500
  - LDAP
  - killer application needed
- Network access
  - AAA for dial-up access
  - introducing radius instead of tacacs+
- (highly) distributed user community
  - 200 member institutions (variable size of institution and amount of ICT resources)
  - expert knowledge is not equally distributed/available

4/23 We started with...
- (hrEdu) radius/LDAP hierarchy
  - limited function, primarily for dial-up access
- LDAP schema development started
- AAI foreseen as a long-term goal / dial-up as a killer application for LDAP deployment
- fully operational radius/LDAP hierarchy since Feb
- eduroam member since the very beginning

5/23 hrEdu radius/LDAP hierarchy
- ≈ 200 (170) Home orgs, ≈ users
- SW: FreeRadius & OpenLDAP
- Dial-up access (CMU)
- ID: user.realm (Lucent Navis)
- proxy radius server(s)
- central LDAP server for backup
[Diagram: a user at a network resource is authenticated through the central Radius proxy service, which forwards the request to the Radius server of the user's Home Org (X, Y or Z); each Home Org runs its own Radius server and LDAP server]

6/23 Misusing the radius attributes
- Use of radius in the AA(A) process:
  - AuthN
  - AuthZ = AuthN + "a few simple attributes"
- We use:
  - Connect-Info carries hrEduPersonExpireDate
  - Class carries hrEduPersonUniqueID (hrEduPersonUniqueNumber)
  - Configuration-Token carries hrEduPersonPrimaryAffiliation
- but actually... not good enough
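The two slides above describe a proxy that routes on the realm part of the identifier (user.realm for the Lucent Navis dial-up NAS, user@realm elsewhere) and a home-org server that turns the password check into "AuthN plus a few attributes". The following is an added example of that routing and attribute step, not Srce's code: the realm table, host names and LDAP entries are constructed, while the hrEduPerson attribute names and the RADIUS attributes Class, Connect-Info and Configuration-Token are the ones the slide lists.

```python
"""Realm routing and attribute-based authorisation in a RADIUS proxy hierarchy.

Added example, not Srce's code. Routing table, host names and LDAP content
are constructed for illustration.
"""
from datetime import date

# Constructed routing table: realm -> home-org RADIUS server (hypothetical hosts).
HOME_ORGS = {
    "srce.hr": "radius.srce.hr",
    "foi.hr": "radius.foi.hr",
}

# Constructed LDAP content, keyed by hrEduPersonUniqueID (user@realm).
LDAP = {
    "ana@srce.hr": {
        "hrEduPersonUniqueNumber": "1001",
        "hrEduPersonExpireDate": "20061231",
        "hrEduPersonPrimaryAffiliation": "djelatnik",  # staff
    },
    "ivo@foi.hr": {
        "hrEduPersonUniqueNumber": "2002",
        "hrEduPersonExpireDate": "20050930",  # already expired on the demo date
        "hrEduPersonPrimaryAffiliation": "student",
    },
}


def split_identifier(user_name, realms):
    """Return (user, realm) for 'user@realm' or, for the dial-up NAS, 'user.realm'.

    The dotted form is ambiguous when the user part itself contains dots, so the
    realm is taken as the longest registered realm that is a dotted suffix.
    Unknown or missing realms raise: a proxy must not fall back to some default
    home org, or a stranger's password gets checked against the wrong directory.
    """
    if "@" in user_name:
        user, realm = user_name.rsplit("@", 1)
        if user and realm.lower() in realms:
            return user, realm.lower()
        raise ValueError(f"unknown realm: {realm!r}")
    for realm in sorted(realms, key=len, reverse=True):
        suffix = "." + realm
        if user_name.lower().endswith(suffix) and len(user_name) > len(suffix):
            return user_name[: -len(suffix)], realm
    raise ValueError(f"no known realm in {user_name!r}")


def authorize(uid, entry, today):
    """The 'AuthZ = AuthN + a few simple attributes' step, run after the password check.

    hrEduPersonExpireDate is YYYYMMDD; an expired account is rejected even if its
    password still verifies against the directory.
    """
    s = entry["hrEduPersonExpireDate"]
    expires = date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    if today > expires:
        return {"code": "Access-Reject", "reason": f"account expired {s}"}
    return {
        "code": "Access-Accept",
        "reply": {
            "Class": uid,
            "Connect-Info": s,
            "Configuration-Token": entry["hrEduPersonPrimaryAffiliation"],
        },
    }


def handle_request(user_name, password_ok, today=date(2006, 3, 3)):
    """Proxy routing followed by the home org's AuthN + AuthZ for one Access-Request.

    password_ok stands in for the home org's LDAP bind/compare, which is not modelled.
    """
    try:
        user, realm = split_identifier(user_name, HOME_ORGS)
    except ValueError as err:
        return {"code": "Access-Reject", "reason": str(err)}
    home_org = HOME_ORGS[realm]
    uid = f"{user.lower()}@{realm}"
    entry = LDAP.get(uid)
    if entry is None or not password_ok:
        return {"code": "Access-Reject", "reason": "authentication failed", "home_org": home_org}
    result = authorize(uid, entry, today)
    result["home_org"] = home_org
    return result


if __name__ == "__main__":
    for name in ("ana@srce.hr", "ana.srce.hr", "ivo@foi.hr", "ana@example.org", "ana"):
        print(name, "->", handle_request(name, password_ok=True))
```

The longest-suffix rule for the dotted form and the hard reject for an unknown realm are the two details worth copying: a proxy that strips "the last label" or forwards unknown realms to a catch-all server will mis-route credentials, which in a 200-organisation hierarchy means leaking passwords to someone else's RADIUS server.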

7/23 Project
- rising demands (network access & applications)
- Radius/LDAP hierarchy is not good enough
- project started in May 2004
- main goals:
  - define hrEdu schema(s)
  - set up IdPs
  - set up the AAI for EduHr
- Shibboleth was found to be too complex
- idea: add AAI flavour to the existing radius/LDAP infrastructure

8/23 hrEdu hierarchy evolved
- ≈ 200 (170) Home orgs, ≈ users
- SW: FreeRadius & OpenLDAP
- Dial-up access (CMU)
- StuDOM (8149 "student beds" connected)
- Wireless/wired access (Srce, CARNet, ...)
- eduroam (
- UNIX/Linux PAM (ID: user.realm)
- ID: (Lucent Navis)
- proxy radius server(s)
- (central LDAP server for backup)
[Diagram: as on slide 5, a user at a network resource goes through the (radius) proxy service to the Radius server and LDAP server of their Home Org (X, Y or Z)]

9/23 hrEdu schemas
- hrEduPerson
- hrEduOrg
- registry:
- transition/migration from earlier versions
- all LDAPs at the same version since Feb
- more work to do: harmonisation (with SCHAC, ...)

10/23 AOSI – adding AAI flavour
- AOSI is:
  - an application for maintaining the content of the LDAP directory
  - an access tool for LDAP (e.g. local AAI component)
- AOSI has two parts:
  - web service (core AOSI)
  - client application ("only" a proof of concept; any other client can be used locally)
- FWS/HLS = central (AOSI) service
- AOSI as "ShibLite"

11/23 Home org AOSI System
[Diagram: inside a home org, the LDAP directory is fronted by AOSI-WS, which the AOSI Client uses for both user access and administrator access; the web service is driven by XML files for the schema, code lists ("Codes, ...") and data]

12/23 Home org AOSI System (2)
[Diagram: the same components as on slide 11 (LDAP dir., AOSI-WS, AOSI Client, XML schema/codes/data), with client implementations in PHP, .Net and Java]

13/23 [Diagram: an application in Organization A asks the Federation WS (FWS) for "routing" information and is directed to the AOSI directory in Organization B]

14/23 [Diagram: as on slide 13, with the HLS as the central service that holds the "routing" information from Organization A's application to the AOSI directory in Organization B]

15/23 AOSI WS and FWS
- Currently based on Perl; FWS to be implemented in Java
- Local AOSI WS:
  - Local service is described in
  - Generally runs at
  - Client platforms working with the service: Perl, PHP, .Net, Java
- FWS/HLS:
  - Based on AOSI
  - Documentation:

16/23 AAI Component today
[Diagram: the user's Home Org runs the AAI component (FreeRadius, AOSI WS) in front of its directory (OpenLDAP); 197 (166) Home orgs; a resource's entry point talks to the central services (proxy, FWS/HLS, ...), which route the request to the Home Org]

17/23 in real life
- in full operation since Feb
- basic monitoring (
- 197 Home organisations (IdPs)
- number of services:
  - Network access: dial-up, wireless & wired (eduroam, 802.1x)
  - (fully operational by the end of April)
  - Application access: Web-based applications, WebCT, Moodle, ...

18/23 PAP to EAP/TTLS Bridge
- Improving security
- multithreaded UDP server
- based on the TinyRadius Radius server API ( and eapol_test (
- works on Linux (we are still working on the Solaris version)

19/23 PAP → EAP/TTLS
[Diagram: the NAS sends Radius (PAP) to the Bridge; the Bridge converts PAP to EAP/TTLS and back, and sends Radius (EAP/TTLS) on to the Radius proxy]
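The reason the bridge "improves security" is not stated on the slides, so here is the underlying mechanism as an added example (not the bridge's own code, which the slide says is Java on TinyRadius). It implements the User-Password hiding of RFC 2865 section 5.2 and replays what each RADIUS hop between a PAP NAS and the home org has to do: recover the cleartext with its shared secret, then hide it again under the next hop's secret. Every proxy in the hierarchy therefore sees the password; with EAP-TTLS the inner authentication rides inside a TLS tunnel that the proxies only forward. All secrets, authenticators and passwords below are constructed.

```python
"""RFC 2865 User-Password hiding, and what a PAP request looks like at each proxy hop.

Added example, not Srce's bridge. Secrets, authenticators and passwords are constructed.
"""
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad with NULs to a multiple of 16 octets, then
    c1 = p1 XOR MD5(secret + RequestAuthenticator), ci = pi XOR MD5(secret + c(i-1))."""
    if not 0 < len(password) <= 128:
        raise ValueError("PAP passwords are 1..128 octets")
    if len(authenticator) != 16:
        raise ValueError("the Request Authenticator is 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password. Anyone holding this hop's shared secret and the
    packet (the proxy itself, or whoever captured the UDP datagram and guessed the
    secret offline) gets the cleartext: MD5 of the secret is the only protection."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password length must be a non-zero multiple of 16")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    # Trailing NULs are padding; a PAP password therefore cannot end in a NUL byte.
    return out.rstrip(b"\x00")


def trace_pap_hierarchy(password: bytes, hop_secrets, authenticators=None):
    """Forward one PAP Access-Request along a chain of RADIUS hops
    (NAS -> proxy -> ... -> home org). Returns, per hop, the bytes on the wire
    and the cleartext the receiving side recovers. Each proxy must recover the
    cleartext because it can only re-hide it under its own secret for the next hop;
    the home org is simply the last receiver."""
    if authenticators is None:
        authenticators = [os.urandom(16) for _ in hop_secrets]  # fresh per request, per hop
    hops = []
    for secret, auth in zip(hop_secrets, authenticators):
        wire = hide_password(password, secret, auth)       # sender on this hop
        recovered = reveal_password(wire, secret, auth)    # receiver on this hop
        hops.append((wire, recovered))
        password = recovered                               # ... which it forwards
    return hops


if __name__ == "__main__":
    chain = [b"nas-to-institution", b"institution-to-national-proxy", b"proxy-to-home-org"]
    for n, (wire, clear) in enumerate(trace_pap_hierarchy(b"correct horse", chain), 1):
        print(f"hop {n}: on the wire {wire.hex()}  receiver sees {clear!r}")
```

Two consequences follow for a hierarchy like the one on slides 5 and 8: the national proxy and every intermediate institution are trusted with cleartext passwords of users from all 200 home organisations, and a captured datagram can be attacked offline against the shared secret. Converting PAP to EAP-TTLS at the edge, as the bridge does, confines the cleartext to the TLS end point; the RADIUS hops then carry only the EAP-Message attributes.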

20/23 An example: CARNet mobile service
[Diagram: three domains: the mobile operator (XYZ client, XYZ APN, RADIUS server, Mobile AAA DB), CARNet AAA (Mobile CARNet radius server, CARNet radius proxy) and the Home org (LDAP dir.); the operator's RADIUS server forwards to the Mobile CARNet radius server, which reaches the Home org through the CARNet radius proxy]

21/23 An example: CARNet mobile service (2)
[Diagram: the web variant of slide 20: the mobile operator (HTTP client, RADIUS server, Mobile AAA DB), CARNet AAA (Mobile CARNet Web, Mobile CARNet radius server, CARNet radius proxy, FWS/HLS) and the Home org (LDAP dir.)]

22/23 Future work
- become a "real" federation (policies, policies, ...)
- central (vs. local) login page in production
- resource registry (based on the SWITCH solution)
- certificates for services from TERENA SCS (provided by CARNet)
- improved monitoring
- start "speaking" SAML
- add ARP functionality to AOSI
- "Shib gateway" in production
- interoperate with eduGAIN
- SSO (SX project)
