Belnet Federation. Belnet – Loriau Nicolas, Brussels – 12th of June 2014.


Agenda
- Presentation of Belnet R&E federation: IdPs / SPs / DS
- Technical framework
- eduGAIN
- Belnet Federation services: Antispam Pro, Mconf, FileSender, Viabel.net, Personal Certificate

12/06/2014 Workshop Belnet R&E Federation

Belnet R&E Federation

What is a federation? Why a federation?
“Evolving to streamlined access for web services”

What is a federation?
“A federation is an association of organizations that use a common set of attributes, practices and policies to exchange information about their users and resources in order to enable collaboration and transactions” (Internet2, 2012)

What is Belnet R&E Federation?
[Diagram: Identity Providers from the Research & Education community and Service Providers from federated partners (commercial, non-profit, government agencies, other federations), linked through Identity & Access Management]

What is Belnet R&E Federation?
[Diagram: the same picture with the federation as trusted mediator between Identity Providers and Service Providers, taking care of the administrative, legal and technical questions]

Why use a federation?
- Philosophy
- Technical aspect
Let us briefly go back in time, when:
- users were still new to the network
- security & privacy concerns were minimal

Why: Belnet R&E Federation
[Diagram: a LAN in which every user holds a separate account and password for each service (john/abc123, jdoe1/def123, jd456/jkl123, …): a dozen credentials per person]

Why: Belnet R&E Federation
[Diagram: each service keeps its own copy of the user's credentials and personal data (birth date, home address, …), so the same data is duplicated across services]

Why: Belnet R&E Federation

Why: Belnet R&E Federation
[Diagram: Identity & Access Management with Role-Based Access Control; accounts are added, modified and deleted in one place: one account & password per user]

Why: Belnet R&E Federation
[Diagram: Software as a Service in the cloud, or 1991 all over again? Each cloud service again holds its own account and password per user (john/abc123, jdoe1/def123, jd456/jkl123, …)]

Why: Belnet R&E Federation
[Diagram: Identity Provider 1 and 2, Service Provider 1 and 2, each connected to the federation through a one-time setup, with one agreement and one language: SAML2. Result: one account & password per user.]
“Evolving to streamlined access for web services”

In short: without federation

In short: with federation

Actors of a federation

Identity Providers

Service Providers

Discovery service

Benefits
For an IdP:
- Access to a wider range of services than available locally
- No extra administrative burden if you already participate in a federation
- One user name and password
For an SP:
- Grow your audience
- Lower costs per user
- No local user database

Technical framework

Software Components
Identity Provider
- Hosted on the organisation's own systems
- Shibboleth IdP or simpleSAMLphp
- Verifies the user's credentials (username/password): the bridge between the federation and the user database
- Knows the user attributes and implements the attribute release policy

Software Components
Service Provider
- Shibboleth SP or simpleSAMLphp
- Integrates with IIS and/or Apache

Attributes
- All relevant information about the user:
  - Name, first name, date of birth, …
  - Role (student, staff, alumni, …)
  - E-mail address, anonymized ID, …
- Stored in LDAP or AD
- Attribute Release Policy
  - Only a few attributes are required to join the federation
  - The IdP decides how and to whom to release attributes
  - Respects the privacy of users
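The release policy is the part of the attribute slide that an IdP operator actually configures: which attributes each SP gets, and an anonymized identifier instead of the real user name wherever the SP does not need more. As an added example that is not from the Belnet slides or from Shibboleth/simpleSAMLphp, the Python below models an IdP-side per-SP release policy in the manner of a Shibboleth attribute filter and derives a pairwise pseudonymous identifier in the style of eduPersonTargetedID. The directory record, the SP entityIDs, the scope and the salt are all constructed.

```python
# Added example (not from the Belnet slides): IdP-side attribute release policy
# plus a per-SP pseudonymous identifier. Directory record, SP entityIDs, scope
# and salt are constructed for illustration.
import base64
import hashlib
import hmac

# What the IdP reads from LDAP/AD for one user (constructed record).
USER_DIRECTORY = {
    "jdoe": {
        "givenName": "John", "sn": "Doe", "mail": "john.doe@example.edu",
        "eduPersonAffiliation": ["student", "member"],
        "schacDateOfBirth": "19900101",
        "homePostalAddress": "Rue de la Loi 1, Brussels",
    },
}

# Release policy keyed by SP entityID (hypothetical SPs). "*" is the federation
# default: the minimum needed to join, no personal details.
RELEASE_POLICY = {
    "*": ["eduPersonTargetedID", "eduPersonScopedAffiliation"],
    "https://filesender.example.net/sp": ["eduPersonTargetedID", "eduPersonScopedAffiliation", "mail"],
    "https://library.example.org/sp": ["eduPersonTargetedID", "eduPersonAffiliation"],
}

IDP_SCOPE = "example.edu"                    # scope appended to affiliations
TARGETED_ID_SALT = b"constructed-idp-secret"  # per-IdP secret, never leaves the IdP


def targeted_id(uid, sp_entity_id):
    """Opaque identifier that is stable for one (user, SP) pair but differs between SPs,
    so two SPs cannot correlate the same user. HMAC keeps it unguessable from uid alone."""
    mac = hmac.new(TARGETED_ID_SALT, f"{uid}\0{sp_entity_id}".encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac[:20]).decode().rstrip("=")


def compute_attributes(uid):
    """Raw directory attributes plus the derived scoped affiliation (student@example.edu)."""
    record = USER_DIRECTORY[uid]
    attrs = dict(record)
    attrs["eduPersonScopedAffiliation"] = [f"{a}@{IDP_SCOPE}" for a in record["eduPersonAffiliation"]]
    return attrs


def release_attributes(uid, sp_entity_id):
    """Return only what the policy allows for this SP; everything else stays at the IdP."""
    allowed = RELEASE_POLICY.get(sp_entity_id, RELEASE_POLICY["*"])
    attrs = compute_attributes(uid)
    attrs["eduPersonTargetedID"] = targeted_id(uid, sp_entity_id)
    return {name: attrs[name] for name in allowed if name in attrs}
```

With this policy the FileSender-style SP receives a mail address because it needs one to send notifications, the library SP only learns that the user is a student, an SP the IdP has never heard of gets the federation default, and the date of birth and home address from the earlier slide never leave the IdP because no policy entry names them.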

Authentication process
[Diagram: the authentication flow between the User, the Service Provider and the Identity Provider]

Standardization: SAML2
SAML 2.0, standardized since 2005
- OASIS XML standard
- Uses XML digital signature and encryption
Implementations used in other R&E federations:
- Shibboleth (supports SAML 2.0 since version 2)
  - Shibboleth IdP (Java/Tomcat)
  - Shibboleth SP (C++, integrates well with Apache)
- simpleSAMLphp
  - One distribution for both IdP and SP
  - More than just SAML: Facebook, Twitter, OpenID, …
  - Supports 'user consent' out of the box

Standardization: SAML2
Other federation implementations:
- Microsoft ADFS 2.0 (with some limitations: see the Microsoft documentation)
- PingFederate
- IBM & Oracle products

Metadata
What's in the metadata (mandatory!):
- Who are the IdPs?
- Who are the SPs?
- What are their URLs and certificates?
- Organisation and technical contact

Metadata
Entity metadata vs. federation metadata:
- Entity metadata: for a single IdP or SP
- Federation metadata: aggregation of entity metadata, for all IdPs and SPs in the federation
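The authentication-process, SAML2 and metadata slides fit together: an SP trusts only the IdPs it finds in the federation metadata, and that metadata tells it which signing key and which endpoints to expect. As an added example that is not from the Belnet slides or from Shibboleth, the Python below parses a constructed federation metadata aggregate (one IdP, one SP), refuses it once its validUntil has passed, and then runs the checks an SP makes on an incoming SAML Response before using the assertion: issuer is a known IdP with a signing key, Destination is one of its own AssertionConsumerService URLs, InResponseTo matches the request it sent, the validity window and the audience restriction hold. Every entityID, URL, the certificate blob and both messages are constructed; verifying the XML signatures on the aggregate and on the Response (the XML-DSig the SAML2 slide mentions) is the step a real SP library adds and is not implemented here.

```python
# Added example, not from the Belnet slides: an SP takes its list of trusted IdPs
# from federation metadata and checks a SAML Response against it. Every entityID,
# URL, the certificate blob and both messages below are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
IDP_ID = "https://idp.example.edu/idp/shibboleth"             # hypothetical IdP entityID
SP_ID = "https://sp.example.org/shibboleth"                   # hypothetical SP entityID
SP_ACS = "https://sp.example.org/Shibboleth.sso/SAML2/POST"   # the SP's AssertionConsumerService
NOW = datetime(2014, 6, 12, 10, 1, tzinfo=timezone.utc)       # "current time" for this run

# Federation metadata: an aggregate of entity descriptors, as the federation (or eduGAIN)
# publishes it. The X509Certificate content is a base64 placeholder, not a real certificate.
FEDERATION_METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    Name="urn:example:federation" validUntil="2014-06-19T00:00:00Z">
  <md:EntityDescriptor entityID="{IDP_ID}">
    <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>Y29uc3RydWN0ZWQtY2VydGlmaWNhdGUtYnl0ZXM=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    </md:IDPSSODescriptor>
    <md:ContactPerson contactType="technical"><md:EmailAddress>mailto:aai@example.edu</md:EmailAddress></md:ContactPerson>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="{SP_ID}">
    <md:SPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="{SP_ACS}" index="1"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

# A Response as the browser would POST it to SP_ACS after login at the IdP (constructed;
# the ds:Signature elements are left out because checking them needs an XML-DSig library).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
    IssueInstant="2014-06-12T10:00:00Z" InResponseTo="_req42" Destination="{SP_ACS}">
  <saml:Issuer>{IDP_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-06-12T10:00:00Z">
    <saml:Issuer>{IDP_ID}</saml:Issuer>
    <saml:Conditions NotBefore="2014-06-12T09:59:00Z" NotOnOrAfter="2014-06-12T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" FriendlyName="eduPersonScopedAffiliation">
        <saml:AttributeValue>student@example.edu</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_federation_metadata(xml_text, now):
    """Map entityID -> role, endpoints, signing certs, contact. A stale aggregate is refused:
    an SP running on expired metadata keeps trusting keys the federation may have withdrawn."""
    root = ET.fromstring(xml_text)
    valid_until = root.get("validUntil")
    if valid_until is None or parse_utc(valid_until) <= now:
        raise ValueError("federation metadata is expired or carries no validUntil")
    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        idp, sp = ed.find("md:IDPSSODescriptor", NS), ed.find("md:SPSSODescriptor", NS)
        role, desc = ("IdP", idp) if idp is not None else ("SP", sp)
        endpoints = [e.get("Location") for e in desc.findall("md:SingleSignOnService", NS)
                     + desc.findall("md:AssertionConsumerService", NS)]
        if not all(loc.startswith("https://") for loc in endpoints):
            raise ValueError(f"{ed.get('entityID')}: endpoint without TLS")
        cert_path = "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
        entities[ed.get("entityID")] = {
            "role": role,
            "endpoints": endpoints,
            "signing_certs": [c.text.strip() for c in desc.findall(cert_path, NS)],
            "contact": ed.findtext("md:ContactPerson/md:EmailAddress", namespaces=NS),
        }
    return entities


def sp_accepts_response(entities, my_entity_id, response_xml, now, expected_request_id):
    """Trust decisions an SP (Shibboleth SP, simpleSAMLphp) derives from metadata before using
    an assertion. Returns (True, attributes) or (False, reason). Verifying the XML signature
    against the issuer's metadata key is the step a real SP library adds at this point."""
    resp = ET.fromstring(response_xml)
    issuer = entities.get(resp.findtext("saml:Issuer", namespaces=NS))
    if issuer is None or issuer["role"] != "IdP":
        return False, "issuer is not an IdP in the federation metadata"
    if not issuer["signing_certs"]:
        return False, "issuer publishes no signing key, so nothing could be verified"
    if resp.get("Destination") not in entities[my_entity_id]["endpoints"]:
        return False, "Destination is not one of our AssertionConsumerService URLs"
    if resp.get("InResponseTo") != expected_request_id:
        return False, "unsolicited or replayed response"
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not parse_utc(cond.get("NotBefore")) <= now < parse_utc(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != my_entity_id:
        return False, "assertion was issued for another SP"
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, attrs
```

Running `sp_accepts_response(load_federation_metadata(FEDERATION_METADATA, NOW), SP_ID, SAMPLE_RESPONSE, NOW, "_req42")` accepts the sample and returns the scoped affiliation; the same Response presented ten minutes later, with a different InResponseTo, or with the SP's own entityID as issuer is rejected, and the whole aggregate is rejected once validUntil has passed. This is why the metadata slide calls it mandatory: without it the SP has no way to tell a federation IdP from anyone else who can produce well-formed XML.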

eduGAIN


eduGAIN
Interconnecting federations
Metadata Service: aggregates and pushes metadata

eduGAIN
- Extends the portfolio of services
- Extends the audience
- To get access to eduGAIN, you need to request it

Belnet Federation services

Antispam Pro

Antispam Pro
Cloud-based
- Data and servers are at Belnet (trust)
Flexible
- Easy user management and delegation
- Customizable
Complete
- Inbound and outbound
- Antispam and antivirus
- Reporting

Mconf
Collaborative web interface with public and private spaces. Recently added to the Federation. Go ahead and use it.

Mconf
Give us your feedback via [contact address not preserved in the transcript]. Not a Belnet service: limited support.

FileSender
Sends e-mails with big files attached, from the members of the R&E Federation to any recipient.

Viabel.net

Personal Certificates

Q&A