Connect. Communicate. Collaborate The MetaData Service Distributing trust in AAI confederations Manuela Stanica, DFN.

Outline
– What is the MetaData Service (MDS)?
– Role of a MetaData Service in AAI confederations
– Use of the MDS in eduGAIN
– The MDS URLs
– Publishing and retrieving metadata
– Trust and security considerations
– Conclusions

What is the MetaData Service (MDS)?
– eduGAIN component developed in GN2-JRA5 (eduGAIN: the GÉANT2 AAI)
– Supports dynamic establishment of trust relations between members of an AAI confederation
– Information model conforms to the SAML v2.0 Metadata Specification (SAML: Security Assertion Markup Language, OASIS)

Section: Role of a MetaData Service in AAI confederations

AAI confederation hierarchy
AAI confederation → interconnecting AAI federations
AAI federation → participant institutions → users
– access to external resources & services
– unaware of participants in other federations
– require a procedure of trust establishment between them

AAI confederation hierarchy (2) (diagram slide; no text)

Role of metadata
Connecting to entities in other federated AAIs requires information on:
– where (in which federation)?
– how to reach it?
– what is supported (protocols and functionalities)?
→ metadata, distributed to all confederation members:
– static (pre-configured upon software installation)
– dynamic (on request)

Role of a MetaData Service in AAI confederations
AAI confederations:
– non-static environments!
– frequent updates
→ a means for dynamic collection & distribution of metadata: the MetaData Service (MDS)

Section: Use of the MDS in eduGAIN

Basic principles
– Centralised storage of metadata for eduGAIN components
– Dynamic retrieval & update
  – metadata exchange interface: eduGAINMeta
  – based on the REST architecture model
– Distributed publishing & querying
  – among local federations; no central admin
  – multiple metadata publishers and consumers

eduGAIN components (diagram slide; no text)

Bridging Elements
MDS used by Bridging Elements (BEs):
– gateways between eduGAIN and local federations
– communicate with peers (BEs) in other federations
– query the MDS for metadata about the Home BE
– MDS response: a SAML 2.0 Metadata document
– consumers/publishers of metadata

Section: The MDS URLs

URL structure
Syntax of the REST URL mapping:
MDS base URL[/federation ID][/entity ID][?query string]
Combinations of:
– MDS base URL:
– federation ID: dfn, feide, ...
– entity ID: be1
– query string, Home Locator(s): homeDomain=uio.no

Home Locators
– eduGAIN-specific attribute-value pairs
– For: locating a remote BE (Home BE)
– From: hints provided by the user; contents of certificate extensions
– Types: Home domain (homeDomain=switch.ch); URN (urn=urn:geant:edugain:component:be:switch:be1)
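The URL mapping and the two home-locator types above, as an added Python example (not code from the deck or from eduGAIN): it builds the MDS REST URL from the optional federation ID, entity ID and home locators, percent-encoding each path segment so that an identifier containing "/" or "?" cannot escape its segment, and parses a locator hint, accepting only the homeDomain and urn types named here. The base URL mds.example.org is a constructed placeholder, since the real base URL is not on the page; restricting hints to those two keys and requiring the "urn:" prefix are assumptions.

```python
"""Compose and parse eduGAIN-style MDS REST URLs.

Added example; not code from the original deck or from eduGAIN. The base URL
is a constructed placeholder, and accepting only the two home-locator types
named in the deck (homeDomain, urn) is an assumption.
"""
from urllib.parse import parse_qsl, quote, urlencode, urlsplit

MDS_BASE_URL = "https://mds.example.org/mds"   # constructed placeholder

# Home-locator types the deck names; parse_home_locator rejects anything else.
HOME_LOCATOR_KEYS = {"homeDomain", "urn"}


def build_mds_url(base_url, federation_id=None, entity_id=None, home_locators=None):
    """Map (federation ID, entity ID, home locators) onto
    base[/federation ID][/entity ID][?query string].

    Path segments are percent-encoded with no safe characters, so an
    identifier containing '/' or '?' stays inside its own segment."""
    url = base_url.rstrip("/")
    if federation_id:
        url += "/" + quote(federation_id, safe="")
    if entity_id:
        url += "/" + quote(entity_id, safe="")
    if home_locators:
        url += "?" + urlencode(home_locators)   # values are percent-encoded
    return url


def parse_home_locator(hint):
    """Turn a 'key=value' hint (from the user or a certificate extension) into
    a (key, value) pair, accepting only the two locator types in the deck."""
    key, sep, value = hint.partition("=")
    if not sep or key not in HOME_LOCATOR_KEYS or not value:
        raise ValueError(f"not a supported home locator: {hint!r}")
    if key == "urn" and not value.startswith("urn:"):
        raise ValueError(f"URN locator must start with 'urn:': {value!r}")
    return key, value


def home_locators_from_url(url):
    """Recover the home locators a BE placed in the query string of an MDS
    search URL (the inverse of build_mds_url for the query part)."""
    return dict(parse_qsl(urlsplit(url).query))


if __name__ == "__main__":
    print(build_mds_url(MDS_BASE_URL, "dfn", "be1"))
    print(build_mds_url(MDS_BASE_URL, home_locators={"homeDomain": "uio.no"}))
    print(parse_home_locator("urn=urn:geant:edugain:component:be:switch:be1"))
```

A lookup (federation and entity known) produces a path-only URL; a search (entity unknown) keeps the path at the base URL and carries the locators in the query string, which is the distinction the retrieval slide draws.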

Section: Publishing and retrieving metadata

Publishing/updating
Who: metadata publishers
– Federation Peering Point (FPP)
– authorized Bridging Elements (BEs)
What: SAML 2.0 Metadata documents
– EntityDescriptor root (one BE)
– EntitiesDescriptor root (several BEs)
How: HTTP POST/PUT

Publishing/updating (2)
For a whole federation:
– only by the FPP
– EntitiesDescriptor
– URL syntax:
For single entities:
– by the FPP / authorized BEs
– EntityDescriptor
– URL syntax:

Retrieving metadata
BE queries the MDS via HTTP GET
– Metadata lookup: entity/federation name is known
– Metadata search: entity name unknown; search by home locators

Section: Trust and security considerations

Trust establishment
Elements of trust establishment in eduGAIN:
– MDS
– eduGAIN PKI
– Component identifiers (CIDs)
MDS trust tightly bound to the eduGAIN PKI → minimal trust in the service itself
Transitive trust

Security checks
MDS validations:
– publisher's X.509 certificate
– publishing rights
Publishers' signatures are forwarded with the metadata → validation by consumers
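The publishing-rights check on this slide and the rules from the two publishing slides, as an added Python example (not eduGAIN's code): on the MDS side, a publisher identified by the subject of the X.509 certificate it authenticated with may publish an EntitiesDescriptor (whole federation) only if it is that federation's FPP, and an EntityDescriptor (single entity) if it is the FPP or the BE that owns that entityID; on the consumer side, a BE checks the root element, the presence of the forwarded publisher signature and the validUntil window before handing the document to an XML-DSig verifier. The publisher registry, certificate subjects and metadata documents are constructed; the validUntil check and delegating the cryptographic signature verification to a separate library are assumptions.

```python
"""MDS-side publishing-rights check and consumer-side pre-checks on SAML 2.0
metadata documents.

Added example; not eduGAIN's own code. The publisher registry, certificate
subjects and metadata documents are constructed. Cryptographic verification
of the ds:Signature is assumed to be done by an XML-DSig library afterwards;
this code checks only what must hold before that step.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ENTITIES_TAG = f"{{{MD_NS}}}EntitiesDescriptor"
ENTITY_TAG = f"{{{MD_NS}}}EntityDescriptor"
SIGNATURE_TAG = f"{{{DS_NS}}}Signature"

# Constructed registry: certificate subject -> role, federation and (for a BE)
# the one entityID it is allowed to publish.
PUBLISHERS = {
    "CN=fpp.dfn.example": {"role": "FPP", "federation": "dfn"},
    "CN=be1.dfn.example": {"role": "BE", "federation": "dfn",
                           "entity": "urn:geant:edugain:component:be:dfn:be1"},
}

# Constructed metadata documents; signature values are placeholders.
SAMPLE_ENTITY = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  entityID="urn:geant:edugain:component:be:dfn:be1" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
</md:EntityDescriptor>"""

SAMPLE_FEDERATION = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="dfn" validUntil="2030-01-01T00:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:EntityDescriptor entityID="urn:geant:edugain:component:be:dfn:be1"/>
  <md:EntityDescriptor entityID="urn:geant:edugain:component:be:dfn:be2"/>
</md:EntitiesDescriptor>"""

SAMPLE_EXPIRED = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="urn:geant:edugain:component:be:dfn:be2" validUntil="2000-01-01T00:00:00Z">
</md:EntityDescriptor>"""


def authorize_publish(cert_subject, federation_id, xml_text):
    """Decide whether this publisher may POST/PUT this document under this
    federation's MDS path. Returns (allowed, reason)."""
    pub = PUBLISHERS.get(cert_subject)
    if pub is None:
        return False, "certificate subject is not a registered publisher"
    if pub["federation"] != federation_id:
        return False, "publisher belongs to another federation"
    root = ET.fromstring(xml_text)
    if root.tag == ENTITIES_TAG:
        if pub["role"] != "FPP":
            return False, "whole-federation metadata may only be published by the FPP"
        return True, "FPP publishes federation metadata"
    if root.tag == ENTITY_TAG:
        if pub["role"] == "FPP":
            return True, "FPP publishes a single entity"
        if pub.get("entity") == root.get("entityID"):
            return True, "BE publishes its own entity"
        return False, "a BE may only publish the entity it owns"
    return False, "root must be EntityDescriptor or EntitiesDescriptor"


def consumer_precheck(xml_text, now=None):
    """Checks a consuming BE runs on an MDS response before passing the
    document to the XML-DSig verifier. Returns the list of problems found."""
    now = now or datetime.now(timezone.utc)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag not in (ENTITIES_TAG, ENTITY_TAG):
        problems.append("unexpected root element")
    if root.find(SIGNATURE_TAG) is None:
        problems.append("publisher signature missing")
    valid_until = root.get("validUntil")
    if valid_until is None:
        problems.append("no validUntil; cannot bound how long to trust this")
    else:
        expiry = datetime.strptime(valid_until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if expiry <= now:
            problems.append("metadata expired")
    return problems


if __name__ == "__main__":
    print(authorize_publish("CN=be1.dfn.example", "dfn", SAMPLE_FEDERATION))
    print(consumer_precheck(SAMPLE_EXPIRED))
```

The two halves reflect the slide's division of labour: the MDS validates the publisher's certificate and publishing rights at upload time, while the signature travels with the document so that a consumer can check it independently of how much it trusts the MDS itself.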

Section: Conclusions

Conclusions
– MDS: dynamic metadata distribution in AAI confederations
– Centralised storage, distributed trust
– Employs standard SAML 2.0 Metadata
– Possible use in any SAML-based infrastructure
– Deployment together with an eduGAIN-like PKI

Thank you for your attention! Questions?