Connect. Communicate. Collaborate First steps in federation peering: eduGAIN and eduroam Diego R. Lopez - RedIRIS.

Slides:



Advertisements
Similar presentations
Lousy Introduction into SWITCHaai
Advertisements

Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,
Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
TAC - Poznan, 6 June 2005 Building trust with a European style Diego R. Lopez RedIRIS.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
Connect. Communicate. Collaborate Federation peering à la European The eduGAIN way Diego R. Lopez - RedIRIS.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Developments and challenges in authentication and authorisation Klaas Wierenga Berlin, 23 May 2006.
AARC Overview Licia Florio, David Groep 21 Jan 2015 presented by David Groep, Nikhef.
An XMPP (Extensible Message and Presence Protocol) based implementation for NHIN Direct 1.
TNC2004 Rhodes 1 Authentication and access control in Sympa mailing list manager Serge Aumont & Olivier Salaün May 2004.
High-quality Internet for higher education and research Paul Dekkers April 4th, Turkey.
Michal Procházka, Jan Oppolzer CESNET.
Identity Federation Policy Marina Vermezović, AMRES Federated Identity Technology Workshop Sofia, Bulgaria, 20. Jun 2014.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
High-quality Internet for higher education and research AAI from the NREN perspective Schiphol, October 17, 2005
Connect. Communicate. Collaborate eduGAIN in Real Life! Ajay Daryanani, RedIRIS TERENA Networking Conference Brugge, 20th May 2008.
An XML based Security Assertion Markup Language
Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.
Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
Shibboleth: An Introduction
State of e-Authentication in Higher Education August 20, 2004.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
PAPI: Simple and Ubiquitous Access to Internet Information Services JISC/CNI Conference - Edinburgh, 27 June 2002.
Connect. Communicate. Collaborate Federated peering the NREN way: eduGAIN and eduroam Diego R. Lopez (RedIRIS) Klaas Wierenga (SURFnet)
Connect. Communicate. Collaborate TERENA Networking Conference, 7 june 2005 Eduroam: past, present, and future.
Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.
Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware Infrastructure.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Authentication and Authorisation in eduroam Klaas Wierenga, AA Workshop TNC Lyngby, 20th May 2007.
Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.
Deploying Authorization Mechanisms for Federated Services in eduroam Klaas Wierenga, EuroCAMP Helsinki, 17&18th April 2007.
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
Programme ›TERENA ›Overview of the middleware initiatives in the European Higher Education ›What is eduroam: the technology and how to set up eduroam ›eduroam-in-a-box:
DICE: Authorizing Dynamic Networks for VOs Jeff W. Boote Senior Network Software Engineer, Internet2 Cándido Rodríguez Montes RedIRIS TNC2009 Malaga, Spain.
Creating a European entity Management Architecture for eGovernment Id GUIDE Keiron Salt
IETF 78 Maastricht 27 July 2010 Josh Howlett, JANET(UK)
Connect communicate collaborate Trust & Identity EC meets GÉANT 19 June 2014 Brussels Valter Nordh, NORDUnet Federation as a Service Task Leader Trust.
Federated Wireless Network Authentication Kevin Miller Duke University Internet2 Joint Techs Salt Lake City February, 2005.
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network.
1 Identities and Federation: The Next IT Wave (The Canadian Access Federation) Rick Bunt President The Canadian University Council of CIOs (CUCCIO)
Connect communicate collaborate An Infocard-based proposal for unified SSO to eduroam Enrique de la Hoz, Antonio García, Diego López, Samuel Muñoz University.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
AAI Interconnection with an European style Diego R. Lopez RedIRIS.
Connect. Communicate. Collaborate Applying eduGAIN to network operations The perfSONAR case Diego R. Lopez (RedIRIS) Maurizio Molina (DANTE)
Project Moonshot Daniel Kouřil EGI Technical Forum
Designing Identity Federation Policy, the right way Marina Vermezović, Academic Network of Serbia TNC2013 conference 4 May 2013.
Applying eduGAIN to network operations The perfSONAR case
University of Stuttgart University of Murcia
First steps in federation peering: eduGAIN and eduroam
Federation peering à la European The eduGAIN way
Federation peering à la European The eduGAIN way
TF-Mobility update TF-EMC2, Barcelona 9 September 2005.
The DAMe’s First Steps: eduroam and NAS-SAML
Multi-Domain User Applications Research (JRA3)
A(nother) view on federation issues
GN2 JRA5 Roaming and Authorisation Jürgen Rauschenbach, DFN-Verein
Presentation transcript:

Connect. Communicate. Collaborate First steps in federation peering: eduGAIN and eduroam Diego R. Lopez - RedIRIS

Connect. Communicate. Collaborate Contents The drivers for (con-)federations The eduroam case The eduGAIN case Universal single sign-on, a.k.a. DAMe

Connect. Communicate. Collaborate As Federations Grow The risk of dying of success –Do we really need to go on selling the federated idea? Different communities, different needs –Not even talking about international collaboration –Different (but mostly alike) solutions –Grids and libraries as current examples –And many to come: Governments, professional associations, commercial operators,… Don’t hold your breath waiting for the Real And Only Global Federation

Connect. Communicate. Collaborate Confederations Federate Federations Same federating principles applied to federations themselves –Own policies and technologies are locally applied Independent management –Identity and authentication-authorization must be properly handled by the participating federations Commonly agreed policy –Linking individual federation policies –Coarser than them Trust fabric entangling participants –Without affecting each federation’s fabric –E2E trust must be dynamically built

Connect. Communicate. Collaborate First Steps Simplifying user collaboration across whatever border is an excellent selling argument –Making the whole promise of the VO idea –eduroam fast worldwide success is a clear example Lingua franca –Syntax: SAML profiles Converging to 2.0 –Semantics: eduPerson, SCHAC Trust fabric –Public key technologies (if not infrastructures) –Component identifiers and registries –Metadata repositories

Connect. Communicate. Collaborate Policy and Legal Matters The PMA model has proven extremely useful –Consensual set of guidelines –Peer-reviewed accreditation Legal matters: Hic sunt leones –For techies like us –Privacy –Liability –More or less manageable in the case of (national) federations

Connect. Communicate. Collaborate eduroam Confederation avant-la-lettre A simple goal: “open your laptop and be online” The GN2 roaming mission: “To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources” Based on reciprocal (free) access For the academic and research community Authentication at home Authorization at visited institution

Connect. Communicate. Collaborate eduroam: Ubiquitous Network Access Connect. Communicate. Collaborate RADIUS server University B RADIUS server University A GÉANT2 Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant Gast Student VLAN Commercial VLAN Employee VLAN data signalling Trust based on RADIUS plus policy documents 802.1X (VLAN assignment)

Connect. Communicate. Collaborate eduroam Confederations Regions have their own stage of development and pace Regions have their own regional policies (with delegation to national federations) Policies will be aligned as much as possible

Connect. Communicate. Collaborate The European eduroam Policy Mutual access Home institutions are/remain responsible for their users abroad Members are European NRENs Members guarantee required security levels by their participants Members promote eduroam in their countries European eduroam may peer with other regions

Connect. Communicate. Collaborate National Policies Mutual access Members are connected institutions Home institution is/remains responsible for its users behavior. Home institution is responsible for proper user management Home and visited institution must keep sufficient log data Appropriate security levels

Connect. Communicate. Collaborate eduGAIN AAI peering à la European The GN2 AAI mission: “To build an interoperable authentication and authorisation infrastructure that will be used all over Europe enabling seamless sharing of e-science resources” We started from –Scattered AAI (pilot) implementations in the EU and abroad –The basic idea of federating them, preserving hard- won achievements

Connect. Communicate. Collaborate Applying Confederation Concepts An eduGAIN confederation is a loosely-coupled set of cooperating identity federations –That handle identity management, authentication and authorization using their own policies Trust between any two participants in different federations is dynamically established –Members of a participant federation do not know in advance about members in the other federations Syntax and semantics are adapted to a common language –Through an abstract service definition

Connect. Communicate. Collaborate The eduGAIN Model Connect. Communicate. Collaborate Id Repository(ies) Resource(s) MDS R-FPP Metadata Publish R-BE Metadata Query AA Interaction H-FPP Metadata Publish H-BE AA Interaction AA Interaction

Connect. Communicate. Collaborate The (X.509) Trust Fabric Validation procedures include – Normal certificate validation Trust path evaluation, signatures, revocation,… –Peer identification Certificates hold the component identifier It must match the appropriate metadata Applicable to –TLS connections between components Two-way validation is mandatory –Verification of signed XML assertions

Connect. Communicate. Collaborate A general model for eduGAIN interactions Connect. Communicate. Collaborate RequesterResponder Id Repository Resource TLS Channel(s) MDS TLS Channel ?cid=someURN <EntityDescriptor... entityID= ”urn:geant2:..:responder">... <SingleSignOnService... Location= “ />... <samlp:Request... RequestID=”e70c3e9e6…” IssueInstant=“ …”>... <samlp:Response... ResponseID=”092e50a08…” InResponseTo=“e70c3e9e…”>...  urn:geant2:...:responder urn:geant2:...:requester 

Connect. Communicate. Collaborate Metadata Service Based on REST interfaces transporting SAML 2.0 metadata –Usable by non-eduGAIN components Metadata are published through POST operations Metadata are retrieved through GET operations URLs are built as MDSBaseURL/FederationID/entityID?queryString –Using component names –The query string transports data intended to locate the appropriate home BE (Home Locators) Hints provided by the user Contents of certificate extensions ( SubjectInformationAccess )

Connect. Communicate. Collaborate eduGAIN Profiles Oriented to –Enable direct federation interaction –Enable services in a confederated environment Four profiles discussed so far –WebSSO (Shibboleth browser/POST) –AC (automated cilent: no human interaction) –UbC (user behind non-Web client: use of SASL-CA) –WE (WebSSO enhanced client: delegation) Others envisaged –Extended Web SSO (allowing the send of POST data) –eduGAIN usage from roaming clients (DAMe) Based on SAML 1.1 –Mapping to SAML 2.0 profiles along the transition period

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe) DAMe is a project that builds upon: –eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, –Shibboleth and eduGAIN –NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.

Connect. Communicate. Collaborate First Goal: extNA First Goal: Extension of eduroam using NAS-SAML Connect. Communicate. Collaborate Gast RADIUS server University B RADIUS server University A eduroam Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant data User mobility controlled by assertions and policies expressed in SAML and XACML XACML Policy Decision Point SAML Source Attribute Authority Signaling

Connect. Communicate. Collaborate First Goal: extNA Second Goal: eduGAIN as AuthN and AuthR Backend Connect. Communicate. Collaborate Link between the AAA servers (now acting as Service Providers) and eduGAIN

Connect. Communicate. Collaborate Third Goal: Universal Single Sign On Connect. Communicate. Collaborate Users will be authenticated once, during the network access control phase The eduGAIN authentication would be bootstrapped from the NAS-SAML New method for delivering authentication credentials and new security middleware 4th goal: integrating applications, focusing on grids.

Connect. Communicate. Collaborate Summary Educational federations are happening –And suffering their first growing pains Convergence to (small number of) standards –In the SAML orbit International confederations are emerging –eduroam –Géant2 AAI (eduGAIN) –The twain will ever meet –Using the same principles and standards

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.