EuroPKI 2008
Levels of Assurance and Reauthentication in Federated Environments
Manuel Sánchez, Óscar Cánovas, Gabriel López, Antonio F. Gómez Skarmeta
University of Murcia

Agenda
- Introduction
- Level of Assurance
- eduGAIN
- Use Case
- Infrastructure for re-authentication
- Support for different Levels of Assurance
- Related work
- Conclusions

Introduction
- Issue 1: Organizations offer more and more on-line authenticated services
  - The level of security is based on the consequences derived from an authN error and from misuse of credentials (a newspaper vs. bank accounts)
  - Definition of the authentication strength required to assure that an entity is the claimed entity: Level of Assurance (LoA)
- Issue 2: Emergence of federated approaches to resource sharing
  - Organizations grant users of any of them access to resources with a single identity stated by the organization the user belongs to
  - Federations make use of SSO to avoid re-authentication
  - Service Providers (SP) and Identity Providers (IdP)
  - Examples: InCommon, HAKA and SWITCH (Shibboleth), eduroam

Introduction
But there are situations where the user needs to re-authenticate:
- Example 1: Alice is browsing the Web at home, using the IdP provided by her ISP. She wants to access a site restricted to users belonging to her work organization, so she needs to authenticate again against her organization.
- Example 2: Several authN mechanisms with different LoAs are available. For example: login/password to access the network, or reading a PKC to digitally sign electronic documents.

Introduction
- This work presents an infrastructure for the re-authN process in federations
  - SSO is used, and authN is initially required to access the network
  - It is necessary to manage multiple user identities and LoAs
- Important: this functionality should be added without modifying the existing IdMs, such as Shibboleth, PAPI, etc.
  - New services should be included at the confederation level, connecting different existing federations without modifying their internal protocols
- We make use of the eduGAIN middleware
- Work developed under the DAMe project; its goal is to define a unified authN and authZ system for federated services hosted in the eduroam network


Level of Assurance
- Strength of authentication required for a relying party to be assured that an entity is indeed the claimed entity
- Two factors:
  - Degree of trust that the credential being presented actually represents the entity named in it -> identity proofing
  - Degree of confidence that the represented entity actually is the entity engaging in the electronic transaction -> identity binding
- For an IdP -> discrete assurance indicators that quantify the degree of protection the organization provides in its identity management
- For an SP -> measures of the authN trustworthiness required to authorize access to resources
- Higher LoAs are required to mitigate higher levels of risk

Level of Assurance
- US federal government (continuation of a UK government framework) defines four levels:
  - minimal assurance of identity
  - moderate assurance of identity
  - substantial assurance of identity
  - high assurance of identity
- Each LoA is appropriate for a different kind of electronic transaction
- The National Institute of Standards and Technology (NIST) contributed supplementary guidelines with technical authentication requirements:
  - simple password challenge-response -> level 1
  - password through a secure authN protocol -> level 2
  - soft cryptographic tokens -> level 3
  - hard cryptographic tokens -> level 4


eduGAIN
- eduGAIN: GÉANT Authorisation INfrastructure for the research and education community
- Defined by the TERENA GN2 project
- Objective: to build an interoperable AuthN and AuthZ Infrastructure (AAI) to interconnect different existing federations
- eduGAIN is responsible for:
  - finding the federation a roaming user belongs to
  - translating messages between the federations' internal protocols and eduGAIN, and vice versa
  - establishing the trust fabric among the participating institutions

eduGAIN: Architecture overview


Use Case
1. Alice requests Service 1 (network, web, etc.) at a Remote Institution
2. Alice is redirected to and authenticated in her Home Institution
3. She obtains an authN token with LoA=1 (login/pwd); it contains data about the authN process (IdP, LoA, ...)
4. Then she tries to access Service 2, which requires LoA=2 (PKC), and presents her authN token
5. Alice does not have a valid token, so she is redirected to the appropriate authN service for LoA=2 to be re-authenticated
6. She obtains a new token
7. Alice is redirected and gains access to Service 2


Architecture
- Several organizations acting as IdP and SP
- IdPs are equipped with different authN methods, so Alice can try to access resources using different identities
- The SP must check that Alice makes use of the proper identity; an authZ process may be necessary
- The validation process proposed must be transparent to the SP: the SP only has to deal with authN and attribute queries to the appropriate BE

Architecture
- BEs are responsible for: recovering the token, validating it, and redirecting Alice to the appropriate authN service
- Decisions can be delegated to a PDP (policies required)
- A Confederation Metadata Service (MDS) is used to locate authN services
- Validation of the token and the re-authentication processes are carried out at the (con)federation level -> they depend on global agreements among all the organizations

Communication profile: Initial network authentication and token delivery (eduroam-based)
1. AuthN request
2. Forwarded to the home institution (AAA)
3. User is authenticated
4. AuthN token generated by the BE (transparent to the service)
5. Token (with LoA) is sent back to the user

Communication profile: Token
- SAML-based
- Extension defined for LoAs, included in the SAML 2.0 AuthnStatement

Communication profile: LoA message profile (Access and Validation)
1. User accesses a protected service (LoA=2)
2. Service (through the BE) requests the user's available authN token
3. Token is validated by the PDP (XACML)

Communication profile: LoA message profile (Redirection and Re-authentication)
1. SP looks for a valid user IdP for LoA=2
2. User is redirected to the IdP
3. User is authenticated by the IdP; a new token (LoA=2) is generated and sent back

Communication profile: LoA message profile (Validation and optional Local AuthZ)
1. User accesses the protected service with the new token (LoA=2)
2. Optional local authZ based on user attributes from the user's home institution


Metadata management
- Defined by eduGAIN (based on SAML 2.0)
- Each authN service (IdP) is described by means of an EntityDescriptor

LoA related policies
- Defined via XACML
- LoA hierarchical definition: LoA(x) inherits the permissions of LoA(x-1)
- Two kinds of policies:
  - LoA Definition Policy (global)
  - LoA Validation Policy (local)

LoA related policies: LoA Definition Policy example

LoA related policies: LoA Validation Policy example
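The use case, the LoA message profile and the hierarchical LoA policy above can be exercised together in a toy back-end (BE). This is an added example, not code from the paper or the DAMe project: the LoA extension element inside the AuthnStatement, the metadata dictionary standing in for the EntityDescriptors, and every entity ID are constructed assumptions.

```python
"""Toy BE: validate a SAML-style authN token against a service's required LoA
and, when the token is too weak, locate an IdP (from constructed metadata) that
can re-authenticate the user at the required level."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed namespace for the paper's LoA extension; the real one is not on the page.
LOA_NS = "urn:example:loa-extension"

# Constructed token: a SAML 2.0 AuthnStatement carrying a LoA=1 (login/pwd) extension.
TOKEN_XML = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:loa="{LOA_NS}">
  <saml:Issuer>https://idp.home.example</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2008-06-01T10:00:00Z">
    <loa:LevelOfAssurance>1</loa:LevelOfAssurance>
  </saml:AuthnStatement>
</saml:Assertion>"""

# Constructed confederation metadata: each IdP (one EntityDescriptor each) and
# the LoAs its authN methods can issue.
METADATA = {
    "https://idp.home.example": {1},        # login/password only
    "https://pki-idp.home.example": {2, 3},  # PKC-based authN
}

def parse_token(xml_text):
    """Return (issuer, loa) from the token; a missing LoA element counts as 0."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    loa_el = root.find(f"{{{SAML}}}AuthnStatement/{{{LOA_NS}}}LevelOfAssurance")
    return issuer, int(loa_el.text) if loa_el is not None else 0

def satisfies(token_loa, required_loa):
    """LoA Definition Policy: LoA(x) inherits the permissions of LoA(x-1),
    so any level at or above the required one is acceptable."""
    return token_loa >= required_loa

def locate_idp(required_loa, metadata=METADATA):
    """MDS lookup: first authN service whose metadata offers the required LoA."""
    for entity_id, levels in metadata.items():
        if any(satisfies(level, required_loa) for level in levels):
            return entity_id
    return None

def validate_access(token_xml, required_loa):
    """LoA Validation Policy as a BE decision: ('grant', None), ('redirect', idp)
    for re-authentication, or ('deny', None) when no IdP can issue that LoA."""
    _, loa = parse_token(token_xml)
    if satisfies(loa, required_loa):
        return ("grant", None)
    idp = locate_idp(required_loa)
    return ("redirect", idp) if idp else ("deny", None)
```

Running `validate_access(TOKEN_XML, 2)` reproduces the use case: the LoA=1 token is rejected and the user is redirected to the PKC-capable IdP.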


Related Work: FAME (Flexible Access Middleware Extension)
- Shibboleth extension -> provides multi-level user authN (LoAs), based on the cryptographic strength of the authN protocol
- The LoA value is added to the set of user attributes in the IdP and passed to the authZ decision engine together with the user's attributes
- Issue 1: it is oriented to web-based resources; it does not link the initial authN used to access the network with the authN in the Shibboleth IdP
- Issue 2: the SP obtains the LoA value after querying the IdP for attributes; if only authN and not authZ is required, there is no need for this additional exchange of messages
- Issue 3: how to locate IdPs based on LoAs

Related Work: CardSpace and Higgins
- When the user tries to access some service, the information card (IC) client recovers the SP policy to determine the service requirements (authN)
- The IC application displays to the user the ICs that satisfy those requirements
- The IC application contacts the IdP that issued the selected card -> gets a signed token
- Finally, the token is sent to the SP to get access to the service
- From the LoA point of view, the use of an SP policy provides the same functionality as the infrastructure described in this work
- But: they are user-centric solutions -> open user communities
  - This work is based on the existence of previously established organizations with their own users
  - The organization must control the process to guarantee the existence and value of certain attributes, and must keep control of the identification process


Conclusions
- There are different situations in an SSO federated environment where a user must re-authenticate because the LoA of the current credential is not secure enough to access the service
- Proposal for improving SSO by means of an infrastructure for validation and re-generation of SSO credentials
- Extends eduGAIN, a middleware for confederations, with the necessary services, protocols and policies for managing the validation of the user's identity and the redirection process
  - Based on the SAML and XACML standards
  - Covers from network services to application services
  - Different kinds of federations, such as Shibboleth and PAPI, can interact
- A specific profile to base identity validation on the LoA is described

Questions?
Levels of Assurance and Reauthentication in Federated Environments

Backup: eduroam

Backup: DAMe Network authZ profile

Backup: DAMe Token-Based Web AuthN profile