High-quality Internet for higher education and research AAI from the NREN perspective Schiphol, October 17, 2005
Contents
NRENs and AAI
Federations for Network Access
–eduroam
Federations for Application (Web) Access
–AuthN
–AuthZ
–eduGAIN
Supporting Services
–SCHAC
–PKIs
–SCS
–TACAR
Questions
The AAI domain (diagram: authentication systems, administrative systems, authorisation systems and applications, linked by the login step)
NRENs and AAI
In the beginning there were:
–Network access solutions
–Web single sign-on solutions
–Identity management systems
–Authorisation engines
–PKIs
–Directories
Then: need for collaboration beyond institutional borders: Federations
Now: need for collaboration beyond national borders: Confederations
Federated network access: eduroam
Security
–IEEE 802.1X
Roaming
–RADIUS
Trust
–Policies
eduroam architecture (diagram)
Components: supplicant; authenticator (AP or switch); RADIUS server University A; RADIUS server University B; SURFnet central RADIUS proxy server; user DB; Guest, Student, Employee and Commercial VLANs
Paths shown for data and signalling; 802.1X (VLAN assignment)
Trust based on RADIUS plus policy documents
Tunneled authentication (PEAP/TTLS)
Uses a TLS/SSL tunnel to protect data
–The TLS tunnel is set up using the server certificate, thus authenticating the server and preventing man-in-the-middle attacks (provided the supplicant actually checks the certificate against the expected CA and server name)
–The user sends his credentials through the secure tunnel to the server, thus authenticating the user
Can use dynamic session keys for 'in the air' encryption
© Alfa&Ariss
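To make the two preceding slides (the eduroam architecture and the tunneled authentication) concrete, here is an added Python model of the exchange; it is an illustration written for this page, not eduroam, SURFnet or Alfa&Ariss code. It shows the outer identity carrying only the realm, the visited RADIUS server and the national proxy routing on that realm, the password travelling only inside the TLS tunnel to a home server whose certificate the supplicant has validated, and the visited site assigning a VLAN through the RFC 2868 tunnel attributes. All realms, host names, CA names, users, passwords and VLAN numbers are assumptions made for the example. The last scenario shows the failure mode behind "preventing man-in-the-middle attacks": a client that skips certificate validation hands its password to a look-alike server.

```python
"""Toy model of the eduroam exchange: RADIUS proxying by realm, a tunnelled EAP
method (PEAP/TTLS) that releases the password only to a validated home server,
and VLAN assignment by the visited site. Added illustration, not eduroam or
SURFnet code; every realm, host name, CA, user and password here is made up."""
from dataclasses import dataclass

VLAN_ATTRS = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802"}  # RFC 2868

@dataclass(frozen=True)
class ServerCert:
    subject: str  # server name in the certificate
    issuer: str   # CA that signed it
    holder: str   # who really controls the private key (model detail only)

@dataclass(frozen=True)
class TunnelPayload:
    """Inner identity and password: encrypted in the TLS tunnel, readable only by its endpoint."""
    inner_identity: str
    password: str
    readable_by: str

class HomeRadius:
    """Home institution's RADIUS server: TLS endpoint with the user database."""
    def __init__(self, realm, users):
        self.realm, self.users = realm, users
    def authenticate(self, payload):
        if payload.readable_by != self.realm:
            return {"code": "Access-Reject", "reason": "tunnel not terminated here"}
        expected, group = self.users.get(payload.inner_identity, (None, None))
        if expected is None or expected != payload.password:
            return {"code": "Access-Reject", "reason": "bad credentials"}
        return {"code": "Access-Accept", "group": group}

class NationalProxy:
    """Central proxy (SURFnet's role on the slide): routes on the realm alone."""
    def __init__(self, homes):
        self.homes = {h.realm: h for h in homes}
    def forward(self, realm, payload):
        home = self.homes.get(realm)
        if home is None:
            return {"code": "Access-Reject", "reason": "unknown realm " + realm}
        return home.authenticate(payload)

class VisitedRadius:
    """Server behind the authenticator where the user is: local users get their group VLAN, visitors the guest VLAN."""
    GROUP_VLAN = {"student": 10, "employee": 20}
    GUEST_VLAN = 30
    def __init__(self, home, proxy):
        self.home, self.proxy = home, proxy
    def handle(self, outer_identity, payload):
        realm = outer_identity.rpartition("@")[2]  # only the realm is visible here
        if realm == self.home.realm:
            resp = self.home.authenticate(payload)
            vlan = self.GROUP_VLAN.get(resp.get("group"))
        else:
            resp, vlan = self.proxy.forward(realm, payload), self.GUEST_VLAN
        if resp["code"] != "Access-Accept":
            return resp
        return {"code": "Access-Accept", **VLAN_ATTRS, "Tunnel-Private-Group-ID": str(vlan)}

class Supplicant:
    """802.1X client; verify_server=False models a badly configured one."""
    def __init__(self, identity, password, realm, trusted_ca, server_name, verify_server=True):
        self.identity, self.password, self.realm = identity, password, realm
        self.trusted_ca, self.server_name, self.verify_server = trusted_ca, server_name, verify_server
    def connect(self, network, presented_cert):
        # Phase 1: TLS tunnel set-up; no secret leaves the client unless the cert chains to the expected CA and names the expected server.
        if self.verify_server and (presented_cert.issuer != self.trusted_ca
                                   or presented_cert.subject != self.server_name):
            return {"code": "Abort", "reason": "server certificate not trusted; password withheld"}
        # Phase 2: the outer identity carries only the realm; the credentials go to whoever holds the certificate key.
        payload = TunnelPayload(self.identity, self.password, readable_by=presented_cert.holder)
        return network.handle("anonymous@" + self.realm, payload)

class RogueNetwork:
    """Evil-twin AP plus RADIUS server presenting a look-alike certificate."""
    def __init__(self):
        self.harvested = []
    def handle(self, outer_identity, payload):
        if payload.readable_by == "attacker":
            self.harvested.append((payload.inner_identity, payload.password))
        return {"code": "Access-Reject", "reason": "rogue server"}

def run_scenarios():
    uni_a = HomeRadius("uni-a.example", {"alice": ("s3cret", "student")})
    uni_b = HomeRadius("uni-b.example", {"bob": ("hunter2", "employee")})
    visited_b = VisitedRadius(uni_b, NationalProxy([uni_a, uni_b]))
    cert_a = ServerCert("radius.uni-a.example", "UniA-CA", holder="uni-a.example")
    cert_b = ServerCert("radius.uni-b.example", "UniB-CA", holder="uni-b.example")
    lookalike = ServerCert("radius.uni-a.example", "Evil-CA", holder="attacker")
    alice = Supplicant("alice", "s3cret", "uni-a.example", "UniA-CA", "radius.uni-a.example")
    bob = Supplicant("bob", "hunter2", "uni-b.example", "UniB-CA", "radius.uni-b.example")
    rogue = RogueNetwork()
    out = {"bob_at_home": bob.connect(visited_b, cert_b),       # employee VLAN 20
           "alice_roaming": alice.connect(visited_b, cert_a),   # via proxy to uni A, guest VLAN 30
           "alice_vs_rogue": alice.connect(rogue, lookalike)}   # aborts, password withheld
    alice.verify_server = False                                  # misconfigured client
    out["careless_vs_rogue"] = alice.connect(rogue, lookalike)  # password harvested
    out["harvested"] = rogue.harvested                           # [("alice", "s3cret")]
    return out
```

In a real supplicant the two checks in `connect` are the trusted CA certificate and the server name match (in a modern wpa_supplicant, `ca_cert` together with `subject_match` or `domain_suffix_match`); without them the TLS tunnel authenticates nobody, and the roaming user's home password ends up wherever the strongest beacon points.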
Status of eduroam
Over 400 institutions in Europe and Australia
USA, Taiwan will follow shortly
Federated application (Web) access
A number of web single sign-on solutions exist
–Shibboleth (Australia, Finland, Switzerland, UK etc.)
–PAPI (Spain, UK)
–A-Select (Netherlands, Australia)
–FEIDE/Moria (Norway)
Authorisation systems
–PERMIS
–SPOCP
Single-technology federations are or have been built
Now, through the Geant2 JRA5 project, these will be integrated
Web AuthN: A-Select
"Black box" that:
Accepts many authentication methods
Interfaces with many applications
Allows an institution to take authN out of the application
Web AuthZ: Shibboleth
Allows institutions that belong to the same federation to share resources
Lingua franca: SAML
© SWITCH
eduGAIN
Goal: to federate federations
Web-services and SAML based
As much as possible Shibboleth compatible
4 basic interactions:
–AuthnReq/Resp
–HLSReq/Resp
–AttrReq/Resp
–AuthZReq/Resp
Defining parameters, protocols and profiles
Supporting services: SCHAC
SChema HArmonisation Committee
Find agreement on a set of minimal attributes to facilitate inter-institutional and international data exchange
An initial list of attributes has been agreed
Let the schema evolve as time goes by and needs arise
Work is ongoing to define a formal LDAP schema
SCHAC would help the Bologna process
Supporting services: PKIs
PKIs are complex
"Pop-up problem" (browsers warn on certificates from a root they do not ship)
Path validation problems
Cross-certification tedious
NRENs never managed to distribute client certificates on a large scale
Server certificates cost money
But the GRID community seems to have pulled this thing off!
Supporting services: Server Certificate Service (SCS)
Flat fee
Pop-up free
Server certificates only!
Rooted in a commercial CA provider, so browsers already trust the chain
National RAs
Pilot funded by ACONET, CARNet, CESNET, CRU (RENATER), RedIRIS, SURFnet, SWITCH and UNI-C
Currently in procurement procedure
Supporting services: TACAR
Trusted repository of verified root-CA certificates for NRENs and not-for-profit research projects rooted in the academic community
Currently containing:
–AustrianGridCA, CERN CA, CESNET CA, DFN PCA, DOEGrids, DutchGrid, EGCA, EuroPKI, Grid Canada CA, Grid-Ireland CA, GridKa CA, GRNET, HellasGrid CA, IGC CRU, INFN CA, LIP CA, NIIF CA, RedIRIS, SURFnet, SWITCH, SwUPKI, UK e-Science CA, University of Thessaloniki
Root of trust for the International Grid Trust Federation (IGTF)
Notice all the GRID certificates; it seems that we have found each other here already!
Questions
Is there life beyond certificates in the GRID?
How do you do authorisation?
How do you overcome the Grid infrastructure scalability problems?
–Certificate deployment and life-cycle management
–Sources of authority "VO" (many VOs, and users belonging to many of them)
–Plug-and-play, plug-and-be-played
How may we help you?
How can you help us?
More information
eduroam –
TERENA TF-Mobility –
TERENA TF-EMC2 –
–
TACAR –
Géant2 Joint Research Activity 5 (authorisation and roaming) –