A Client Middleware for Token-Based Unified Single Sign On to eduGAIN (Sascha Neinert, Universität Stuttgart)
Connect. Communicate. Collaborate
Universität Stuttgart
A Client Middleware for Token-Based Unified Single Sign On to eduGAIN
Sascha Neinert, University of Stuttgart
TNC 2008, Bruges

Overview
– Single Sign On
– unified Single Sign On
– eduToken
– Token-based uSSO Profile
– Conclusion

Single Sign On
– Single Sign On (SSO): authenticate once for access to multiple (web) resources
– SSO in a federated AAI: only one pair of credentials is needed (this is not automated password entry)
– SSO with eduGAIN: SSO becomes possible in a heterogeneous environment, by building a confederation

Single Sign On
Advantages:
– User friendly, saves time, especially with more secure authentication methods
– Higher security: password transmitted only once
– Higher security: one password can be remembered, dozens of them hardly
– Phishing protection: the Identity Provider is “known” (URL, certificate)
Disadvantages:
– Higher risk: one stolen password gives access to many resources

unified Single Sign On
– NEW: unified Single Sign On (uSSO): authenticate once for access to network and application resources
– (this) uSSO is built on:
  – eduroam: federated, secure access to network resources
  – eduGAIN: (con-)federated, secure access to web resources (and other applications, e.g. Grid)

unified Single Sign On (figure slide)

unified Single Sign On
Advantages of uSSO:
– SSO advantages, but extended to the network
– WAYF (Where Are You From) problem can be solved
– Usable for non-web resources and services (Grid)
– Usable with eduGAIN, and therefore with several web AAI middlewares (Shibboleth, PAPI – Spain, A-Select – Netherlands, …)
Disadvantages of uSSO:
– Additional (client) middleware needed
– Requires eduroam and some AAI

unified Single Sign On
Six steps:
1. Authentication at layer 2 with 802.1X, using eduroam
2. Transport a token over eduroam
3. Put it into the secure token store on the user’s device
4. Get network access (get IP address)
5. Authentication at the application layer, using eduGAIN
6. Use the token as proof of authentication

eduToken
– The uSSO token is called eduToken
– It must express:
  – who has been authenticated,
  – when,
  – by whom,
  – using which method,
  – how long the eduToken is valid

eduToken
SAML 1 Assertion:
– Issuer
– Issue Instant
– Condition: Not On Or After
– Authentication Statement
  – Authentication Instant + Method
  – Subject – Name Identifier
It is digitally signed, by a trusted entity
eduToken = SAML Assertion + Authentication Statement

Token-based uSSO Profile
User’s Device:
– Browser: with Java plugin
– uSSO Client: Token Manager, Java application
Service Domain:
– SP: Service Provider, e.g. Shibboleth, unmodified
– Token Fetcher Applet
– R-BE: remote eduGAIN Bridging Element, modified

Token-based uSSO Profile (figure slide)

Token-based uSSO Profile
eduGAIN Bridging Element (BE):
– Maps the local federation language to the eduGAIN language
– Central (per federation) or distributed (per institution)
– Part of the eduGAIN circle of trust
Remote BE (R-BE):
– Towards the SP: acts like an IdP of the local federation
– Towards eduGAIN: talks to the Home BE

Token-based uSSO Profile
Token-enabled R-BE:
– Towards the SP: as usual
– Towards eduGAIN: not necessary (except attribute pull)
– NEW: Towards the client: request the eduToken and receive it (validation as usual, since the eduToken is in native eduGAIN language)
  – Token Request = an active component able to reach “outside” the browser
  – Implemented here as a signed Java Applet
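To make the eduToken structure listed on the eduToken slide concrete, and the “validation as usual” a token-enabled R-BE performs on it, here is an added example (not code from the presentation or the DAMe project) that parses a constructed SAML 1 eduToken and applies the issuer, validity-window and authentication-statement checks. The issuer URL, user name and 802.1X method URI are placeholders, and verification of the XML-DSig signature is assumed to be done by an XML-security library before these checks.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1}

# Constructed sample eduToken: issuer, user and authentication-method URI are
# placeholders. A real eduToken also carries an XML-DSig <ds:Signature>, whose
# verification (assumed done by an XML-security library) is not shown here.
SAMPLE_EDUTOKEN = f"""<saml:Assertion xmlns:saml="{SAML1}" MajorVersion="1" MinorVersion="1"
    AssertionID="_constructed-1" Issuer="https://home-be.example.org/edugain"
    IssueInstant="2008-05-20T09:00:00Z">
  <saml:Conditions NotBefore="2008-05-20T09:00:00Z" NotOnOrAfter="2008-05-20T17:00:00Z"/>
  <saml:AuthenticationStatement AuthenticationMethod="urn:example:eduroam:802.1X"
      AuthenticationInstant="2008-05-20T08:59:58Z">
    <saml:Subject><saml:NameIdentifier>user@example.org</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""

# Issuers in the eduGAIN circle of trust that this R-BE accepts (constructed).
TRUSTED_ISSUERS = {"https://home-be.example.org/edugain"}


def parse_saml_time(value):
    """Parse a SAML UTC timestamp such as '2008-05-20T09:00:00Z' into an aware datetime."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_edutoken(xml_text, now, trusted_issuers=TRUSTED_ISSUERS):
    """R-BE checks on an eduToken: who, when, by whom, which method, how long valid.

    Returns (ok, reason, name_identifier, authentication_method)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAML1}}}Assertion":
        return False, "not a SAML 1 assertion", None, None
    if root.get("Issuer") not in trusted_issuers:          # by whom
        return False, "untrusted issuer", None, None
    cond = root.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:   # how long valid
        return False, "no validity window", None, None
    if now < parse_saml_time(cond.get("NotBefore", "1970-01-01T00:00:00Z")):
        return False, "not yet valid", None, None
    if now >= parse_saml_time(cond.get("NotOnOrAfter")):   # NotOnOrAfter is exclusive
        return False, "expired", None, None
    stmt = root.find("saml:AuthenticationStatement", NS)   # who, when, which method
    name = None if stmt is None else stmt.find("saml:Subject/saml:NameIdentifier", NS)
    if stmt is None or name is None or not (name.text or "").strip():
        return False, "no authentication statement with subject", None, None
    instant = stmt.get("AuthenticationInstant")
    if instant is None or parse_saml_time(instant) > now:  # must not lie in the future
        return False, "bad authentication instant", None, None
    return True, "ok", name.text.strip(), stmt.get("AuthenticationMethod")
```

The checks are ordered so that a rejected token reveals only the first failing condition, which keeps the R-BE’s error handling uniform across the validity window and the authentication statement.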

Token-based uSSO Profile
Token-enabled R-BE (continued):
Implementation, deployment:
– 1 Tomcat
– 1 Java Servlet
– 1 Java Keystore
– 1 Applet

Conclusion
The implementation provides:
– unified Single Sign On: “open your laptop and be signed on”
The concept also enables:
– Simplified Where Are You From (WAYF)
– No IdP interaction (→ privacy)
– SSO for non-web applications / for local applications

Questions?
Any questions or comments?
DAMe website:
DAMe mailing list:
GÉANT2-JRA5 website: