Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking.

Slides:



Advertisements
Similar presentations
Fujitsu Laboratories of Europe © 2004 What is a (Grid) Resource? Dr. David Snelling Fujitsu Laboratories of Europe W3C TAG - Edinburgh September 20, 2005.
Advertisements

EduGAIN – Are we there yet? Lukas Hämmerle (ghost writer, Brook Schofield) FIM4R, Helsinki – 2 October 2013.
Saml-v2_0-intro-dec051 Security Assertion Markup Language An Introduction to SAML 2.0 Tom Scavo NCSA.
Connect. Communicate. Collaborate Click to edit Master title style MODULE 1: perfSONAR TECHNICAL OVERVIEW.
Web Services and the Semantic Web: Open Discussion Session Diana Geangalau Ryan Layfield.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
Applied Cryptography Week 13 SAML Applied Cryptography SAML and XACML Mike McCarthy Week 13.
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Shibboleth-intro-dec051 Shibboleth A Technical Overview Tom Scavo NCSA.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SWITCHaai Team Introduction to Shibboleth.
T Network Application Frameworks and XML Web Services and WSDL Sasu Tarkoma Based on slides by Pekka Nikander.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Saml-intro-dec051 Security Assertion Markup Language A Brief Introduction to SAML Tom Scavo NCSA.
SAML Right Here, Right Now Hal Lockhart September 25, 2012.
Shib-Grid Integrated Authorization (Shintau) George Inman (University of Kent) TF-EMC2 Meeting Prague, 5 th September 2007.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
Introduction of PRO WG activities Group Name: TP Source: Shingo Fujimoto, FUJITSU, Meeting Date: Agenda Item:
SAML 2.1 Building on Success. Outline n Summary of SAML 2.0 n Work done since 2.0 n Objectives of SAML 2.1 n Proposed Task List n Undecided Issues n Invitation.
SAML support in VOMS Valerio Venturi EGEE JRA1 AH Meeting, Amsterdam 20/23 February 2008.
Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.
Connect. Communicate. Collaborate eduGAIN in Real Life! Ajay Daryanani, RedIRIS TERENA Networking Conference Brugge, 20th May 2008.
17 March 2008 © 2008 The University of Edinburgh, European Microsoft Innovation Center and University of Southampton IT Innovation Centre 1 NextGRID Security.
An XML based Security Assertion Markup Language
Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)
Shibboleth Akylbek Zhumabayev September Agenda Introduction Related Standards: SAML, WS-Trust, WS-Federation Overview: Shibboleth, GSI, GridShib.
Navigating the Standards Landscape Andrew Owen SEARCH.
SAML: An XML Framework for Exchanging Authentication and Authorization Information + SPML, XCBF Prateek Mishra August 2002.
Workshop Presentation [1] Investigating Liberty Alliance and Shibboleth Integration Nishen Naidoo, Supervisor: Dr. Steve Cassidy.
Shibboleth: An Introduction
Access Control and Markup Languages Pages 183 – 187 in the CISSP 1.
Technical Break-out group What are the biggest issues form past projects – need for education about standards and technologies to get everyone on the same.
Connect. Communicate. Collaborate The authN and authR infrastructure of perfSONAR MDM Ann Arbor, MI, September 2008.
OAI Overview DLESE OAI Workshop April 29-30, 2002 John Weatherley
Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN.
Connect. Communicate. Collaborate AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization Simon Muyal,
Fonkey Project Update: Target Applications TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.
Diego R. Lopez, RedIRIS JRES2005, Marseille On eduGAIN and the Coming GÉANT Middleware Infrastructure.
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
April, 2005 ebSOA Based on FERA Reference Model Vasco Drecun Collaborative Product Development Associates, LLC Goran Zugic ebXMLsoft Inc.
Networks ∙ Services ∙ People Nicole Harris UK federation meeting eduGAIN, REFEDS and the UK 23 June 2015 Project Development Officer GÉANT.
Shibboleth 1.2 Technical Overview “So you thought 1.1 was complicated…” Scott Cantor The Ohio State University and Internet2 Scott Cantor.
Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.
SOAP, Web Service, WSDL Week 14 Web site:
OGSA Attributes: Requirements, Definitions, and SAML Profile Abstract This document specifies elements and vocabulary for expressing attribute assertions.
Workshop on Security for Web Services. Amsterdam, April 2010 Applying SAML to Identity Data Exchange.
Connect. Communicate. Collaborate Applying eduGAIN to network operations The perfSONAR case Diego R. Lopez (RedIRIS) Maurizio Molina (DANTE)
Designing Identity Federation Policy, the right way Marina Vermezović, Academic Network of Serbia TNC2013 conference 4 May 2013.
Authentication and Authorisation for Research and Collaboration Taipei - Taiwan Mechanisms of Interfederation 13th March 2016 Alessandra.
Géant-TrustBroker Dynamic inter-federation identity management Daniela Pöhn TNC2014 Dublin, Ireland May 19 th, 2014.
Fondation RESTENA euroCAMP 04 April 2006
Access Policy - Federation March 23, 2016
HMA Identity Management Status
Applying eduGAIN to network operations The perfSONAR case
Cross-sector and user-centric AAI
Federation Systems, ADFS, & Shibboleth 2.0
SAML New Features and Standardization Status
University of Stuttgart University of Murcia
HMA Identity Management Status
Identity Federations - Overview
Scalability of trust and metadata exchange across federations
What’s changed in the Shibboleth 1.2 Origin
Community AAI with Check-In
Shibboleth 2.0 IdP Training: Introduction
Presentation transcript:

Connect. Communicate. Collaborate Place organisation and project logos in this area Usage of SAML in eduGAIN Stefan Winter, RESTENA Foundation TERENA Networking Conference Catania, May 16, 2006 Fondation RESTENA Luxembourg

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Outline eduGAIN overview and abstract operations SAML 1.1 overview Message flow –Requests and Responses –Finding the IdP Assertions –SAML assertions –shortcomings

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg eduGAIN overview Goal: Connect existing identity federations Superstructure to transmit messages between federations Solves the problem of –Finding the federation to deal with –Message conversion –Ensuring trust between independent federations (in most cases: transitive trust) –Hiding most of the inter-federation superstructure to the federations involved Accessible via Java library

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg eduGAIN abstract operations eduGAIN architecture document (DJ5.2.2) defines set of operations for four services –Authentication assertions –MetaData Service (p.k.a. Home Location Service) –Attribute release –Authorisation service Generic definition, can be mapped into multiple transport protocols SAML 1.1 is one of these protocols, SAML 2.0 will be another candidate later

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg SAML 1.1 overview OASIS standard for authentication & authorisation XML Schemas for –SAML Protocol (exchange of SAML messages) –SAML Assertions (information about entities) Rules to use Schemas semantically correct Several types of information foreseen (“Assertions”) –Authentication assertions (not authentication) –Attribute assertions –Authorisation decisions Value of SAML lies in profile maps and implementation

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Message flow Typical Client/Server protocol Client (Requester) Server (Responder) Client (Requester)

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Finding the IdP SAML 1.1 not prepared for federations: assumes that client knows the server No lookup service foreseen eduGAIN had two choices –Extend SAML schemas to include a MDS –Don’t use SAML at all, find other means for finding the IdP SAML schema for original HLS was defined in DJ5.2.2, but for the moment, SAML is not used (HTTP REST instead) SAML 2.0 has its own means of transporting metadata

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg SAML Assertions … … AttributeQuery AuthenticationQuery AuthZDecisionQuery Query SubjectQuery AuthenticationStatement Statement AttributeStatement AuthorizationStatement SubjectStatement (darker parts used in eduGAIN)

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Nuts and Bolts … 0xdeadbeef

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg Limitations AuthenticationQuery –eduGAIN has optional parameter for actually performing authentication –SAML explicitly forbids transport of credentials Finding IdP not supported at all Trust: very often only transitive trust possible, no end-to- end (exception: Shib-to-Shib) –eduGAIN can transport hints to the authorisation engine (e.g. for federations that do no attribute release and instead retrieve attributes during authorisation) –Not possible to convey in AuthZDecisionQuery

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg eduGAIN Limitations (2) Workaround: define, which can carry this piece of information (done by OGSA) Drawback: requires re-defining of SAML message parts up to Re-defining makes elements belong to a different namespace Possibly breaks XML signatures: Requester Home BEResponderRemote BE signed

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg The road ahead Why SAML 1.1? –When design decision was made, SAML 1.1 was largely deployed –SAML-based federations were using SAML 1.1 (esp. Shibboleth 1.3) –No decent publicly available implementation of SAML 2.0 available eduGAIN “v1” implementation based on SAML 1.1 underway Experiences gathered will be the base for later SAML 2.0 eduGAIN “v2”

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg The road ahead - SAML 2.0 SAML 2.0 supports metadata transport –Can be used for MDS –Parts already used in the non-SAML MDS transport Easier to extend than SAML 1.1 openSAML2 current status: still in beta phase Authorisation part will probably not use built-in SAML constructs any more –Not flexible enough –Move to XACML officially recommended by OASIS

Connect. Communicate. Collaborate Fondation RESTENA Luxembourg End Thanks for listening! Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.