Deploying Authorization Mechanisms for Federated Services in eduroam Klaas Wierenga, EuroCAMP Helsinki, 17&18th April 2007.

Contents
- Intro
- eduroam
- The European eduroam confederation
- eduGAIN
- DAMe
- Summary

Federations in European education
- Enable the sharing of educational resources
- Applications
  - Shibboleth, PAPI, A-Select, Liberty
  - Federated with eduGAIN
- Network
  - eduroam
- Both require agreement on:
  - Responsibilities
  - Privacy
  - Liability
  - Technology
  - Language
  - Standards

eduroam

The goal of eduroam: "open your laptop and be online", or, more formally: to build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.

eduroam architecture (diagram; only its labels survive)
- Elements: Supplicant, Authenticator (AP or switch), RADIUS server University A, RADIUS server University B, SURFnet central RADIUS proxy server, User DB
- Separate data and signalling paths; after 802.1X authentication the authenticator places the user in a VLAN (Guest, Student VLAN, Commercial VLAN, Employee VLAN) through RADIUS VLAN assignment
- Trust based on RADIUS plus policy documents

eduroam interactions (diagram: Id Repository, Resource (AP), RADIUS over TLS channel(s), the eduroam hierarchy)

Radiator debug log shown on the slide; addresses, timestamps, identities and binary values were lost in extraction and are marked with "…":

Tue Oct 10 00:05:… DEBUG: Packet dump:
*** Received from … port …
Code: Access-Request
Identifier: 1
Authentic: …
Attributes:
  User-Name = …
  NAS-IP-Address = …
  Called-Station-Id = "001217d45bc7"
  Calling-Station-Id = "0012f0906ccb"
  NAS-Identifier = "001217d45bc7"
  NAS-Port = 55
  Framed-MTU = 1400
  NAS-Port-Type = Wireless-IEEE-802-11
  EAP-Message = …
  Message-Authenticator = …
Tue Oct 10 00:17:… DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:… DEBUG: Deleting session for …case.surfnet.nl, …, …
Tue Oct 10 00:17:… DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:… DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:… DEBUG: Radius::AuthFILE looks for match with Klaas.Wie…
Tue Oct 10 00:17:… DEBUG: Radius::AuthFILE ACCEPT: …
Tue Oct 10 00:17:… DEBUG: AuthBy FILE result: ACCEPT
Tue Oct 10 00:17:… DEBUG: Access accepted for …se.surfnet.nl
Tue Oct 10 00:17:… DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept

What the log shows: the Access-Request arrives from the AP (Called-Station-Id and NAS-Identifier are the AP's MAC address, Calling-Station-Id the client's) carrying only the outer EAP identity. The handler is selected once the request is inside the EAP-TTLS tunnel (TunnelledByTTLS=1) and the realm matches the regular expression /guest.showcase.surfnet.nl/i; the inner identity is then looked up in a local users file, accepted, and the Access-Accept is returned inside the tunnel. Note that the realm pattern on the slide is an unanchored regular expression with unescaped dots; in production it should be anchored and the dots escaped so that only the intended realm selects this handler.

The European eduroam confederation
- Single technology
  - RADIUS
  - 802.1X
  - EAP
- Authentication = authorisation (a successful authentication by the home institution is what grants network access at the visited site; there is no separate authorisation decision)
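The two eduroam slides above describe the mechanism as a picture and as one Radiator log. The model below is added here and is not code from the slides, from eduroam or from SURFnet: it walks an Access-Request through a constructed hierarchy (institution, NREN proxy, top-level proxy) and back. Server names, realms, credentials, VLAN numbers and the MAX_HOPS loop guard are assumptions, and the EAP-TTLS inner identity is modelled as a tunnel field that only the home server reads. It also makes the "authentication = authorisation" point concrete: the only authorisation the visited site performs is its own VLAN choice, and it deliberately discards any VLAN attributes the home server sends back.

```python
"""eduroam RADIUS hierarchy model: realm-based proxying plus the visited site's VLAN decision.
Added for this page; not code from the slides, eduroam or SURFnet. All names, realms,
credentials, VLAN numbers and MAX_HOPS are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 4   # assumed proxy depth tolerated before a request is treated as looping
VLAN_ATTRS = ("Tunnel-Type", "Tunnel-Medium-Type", "Tunnel-Private-Group-ID")


@dataclass
class Packet:
    code: str                                         # Access-Request / Access-Accept / Access-Reject
    attrs: dict = field(default_factory=dict)
    tunnel: Optional[tuple] = None                    # (inner identity, password) in the TTLS tunnel
    proxy_state: list = field(default_factory=list)   # one Proxy-State entry per proxy hop


def split_realm(user_name: str) -> Optional[str]:
    """Realm of an outer identity, or None if the name cannot be routed safely."""
    if user_name.count("@") != 1:
        return None
    realm = user_name.split("@")[1]
    if not realm or "." not in realm or realm.startswith("."):
        return None
    return realm.lower()


def vlan_attrs(vlan_id: int) -> dict:
    """RFC 3580 VLAN assignment: Tunnel-Type=VLAN (13), Tunnel-Medium-Type=IEEE-802 (6)."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": str(vlan_id)}


class RadiusServer:
    def __init__(self, name, realms=(), users=None, parent=None, home_vlan=None, guest_vlan=None):
        self.name = name
        self.realms = {r.lower() for r in realms}     # realms this server authenticates itself
        self.users = users or {}                      # inner identity -> password (home servers)
        self.parent = parent                          # next proxy up: institution -> NREN -> top
        self.children = []
        self.home_vlan, self.guest_vlan = home_vlan, guest_vlan
        if parent is not None:
            parent.children.append(self)

    def covers(self, realm: str) -> bool:             # is the realm served by us or below us?
        return realm in self.realms or any(c.covers(realm) for c in self.children)

    def authenticate(self, pkt: Packet) -> Packet:
        """Home-server step: only here is the tunnelled inner identity visible and checked."""
        if pkt.tunnel is None:
            return Packet("Access-Reject", {"Reply-Message": "no tunnelled authentication"})
        inner_user, password = pkt.tunnel
        if split_realm(inner_user) not in self.realms:
            return Packet("Access-Reject", {"Reply-Message": "inner identity not in home realm"})
        if self.users.get(inner_user) != password:
            return Packet("Access-Reject", {"Reply-Message": "bad credentials"})
        # a home server may suggest its own VLAN; the visited site will not use it
        return Packet("Access-Accept", vlan_attrs(self.home_vlan) if self.home_vlan else {})

    def handle(self, pkt: Packet) -> Packet:
        """Proxy step: answer for our own realms, otherwise route on the realm alone."""
        realm = split_realm(pkt.attrs.get("User-Name", ""))
        if realm is None:
            return Packet("Access-Reject", {"Reply-Message": "unroutable User-Name"})
        if realm in self.realms:
            return self.authenticate(pkt)
        if len(pkt.proxy_state) >= MAX_HOPS:
            return Packet("Access-Reject", {"Reply-Message": "too many proxy hops"})
        pkt.proxy_state.append(self.name)
        try:
            for child in self.children:               # downwards: a server below us owns it
                if child.covers(realm):
                    return child.handle(pkt)
            if self.parent is None:                   # top of the hierarchy and still unknown
                return Packet("Access-Reject", {"Reply-Message": "unknown realm " + realm})
            return self.parent.handle(pkt)            # upwards: the next level routes it
        finally:
            pkt.proxy_state.pop()                     # Proxy-State is removed on the way back

    def serve_nas(self, pkt: Packet) -> Packet:
        """Entry for our own APs/switches: the home site authenticates, we authorize (VLAN)."""
        realm = split_realm(pkt.attrs.get("User-Name", ""))
        resp = self.handle(pkt)
        if resp.code != "Access-Accept":
            return resp
        for name in VLAN_ATTRS:                       # never honour VLAN ids chosen remotely:
            resp.attrs.pop(name, None)                # they refer to the home network, not ours
        vlan = self.home_vlan if realm in self.realms else self.guest_vlan
        if vlan is not None:
            resp.attrs.update(vlan_attrs(vlan))
        return resp


def build_hierarchy() -> dict:
    """Constructed topology: a top-level proxy, two NREN proxies, three institutions."""
    top = RadiusServer("top-level-proxy")
    nl, de = RadiusServer("nl-proxy", parent=top), RadiusServer("de-proxy", parent=top)
    a = RadiusServer("univ-a", ["univ-a.example"], {"alice@univ-a.example": "pw-a"}, nl, 10, 200)
    b = RadiusServer("univ-b", ["univ-b.example"], {"bob@univ-b.example": "pw-b"}, nl, 20, 300)
    c = RadiusServer("univ-c", ["univ-c.example"], {"carol@univ-c.example": "pw-c"}, de, 30, 400)
    return {"univ-a": a, "univ-b": b, "univ-c": c}


def request(outer: str, inner: str, password: str) -> Packet:
    # Access-Request as the visited AP sends it: anonymous outer identity, real one tunnelled
    return Packet("Access-Request", {"User-Name": outer}, tunnel=(inner, password))
```

Calling build_hierarchy()["univ-a"].serve_nas(request("anonymous@univ-c.example", "carol@univ-c.example", "pw-c")) returns an Access-Accept carrying univ-a's guest VLAN even though univ-c answered with its own VLAN 30; the same user at univ-c's own APs gets VLAN 30. An outer identity without a realm, an unknown realm, an inner identity whose realm differs from the outer one, and a request that has already crossed MAX_HOPS proxies are all rejected before any credential is checked.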

eduGAIN

The eduGAIN model (diagram)
- Id Repository(ies) and Resource(s) sit in their own federations, each behind a Bridging Element (H-BE on the home side, R-BE on the remote side)
- Each federation's Federation Peering Point (H-FPP, R-FPP) publishes metadata to the MDS (MetaData Service); Bridging Elements query the MDS for the metadata of their peers
- AA interactions (authentication and attribute exchange) run between the Bridging Elements and between each Bridging Element and its local Id Repository or Resource
- Lingua franca: SAML

eduGAIN interactions (diagram)
- A Requester (in front of the Resource) and a Responder (in front of the Id Repository) exchange SAML over TLS channel(s); the MDS is queried over a TLS channel (?cid=someURN) and returns the peer's metadata as an EntityDescriptor:
  <EntityDescriptor ... entityID="urn:geant2:..:responder">
  ...
  <SingleSignOnService ... Location="..." />
  ...
- The requester then sends a SAML request and the responder answers with a response bound to it:
  <samlp:Request ... RequestID="e70c3e9e6…" IssueInstant="…">...
  <samlp:Response ... ResponseID="092e50a08…" InResponseTo="e70c3e9e…">...
- Entity identifiers shown: urn:geant2:...:responder, urn:geant2:...:requester
- InResponseTo is what lets the requester discard a response it never asked for; it must be matched against an outstanding RequestID rather than accepted on the strength of the TLS channel alone.

DAMe

DAMe: Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards
- Carried out by the Universities of Murcia and Stuttgart within Géant2 JRA5

1st: Extension of eduroam with authZ (diagram)
- The eduroam elements as before: Supplicant, Authenticator (AP or switch), RADIUS server University A, RADIUS server University B, eduroam central RADIUS proxy server, User DB, Guest (VLAN), data and signalling paths
- Added: an XACML Policy Decision Point and a SAML Source Attribute Authority
- User mobility controlled by assertions and policies expressed in SAML and XACML

2nd: eduGAIN AuthN+AuthZ backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN

3rd: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from NAS-SAML
- New method for delivering authentication credentials and new security middleware
4th goal: integrating applications, focusing on grids
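What the first of these steps adds at the visited site, as an added example written for this page (not DAMe, NAS-SAML or eduGAIN code): the Policy Decision Point receives a SAML attribute assertion about the roaming user from the home Attribute Authority, validates it, and evaluates a local policy to a Permit or Deny with a VLAN obligation for the authenticator. The assertion is constructed; the attribute names, organisation names, PDP identifier and VLAN numbers are assumptions; the policy is a Python list that mirrors an XACML rule set with the first-applicable combining algorithm rather than XACML XML; and verification of the assertion's XML signature is assumed to have been done before the code below runs.

```python
"""Visited-site authorization from a SAML attribute assertion, in the spirit of DAMe step 1.
Added example; the assertion is constructed and all names and values are assumptions."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
HOME_ORG = "urn:mace:terena.org:attribute-def:schacHomeOrganization"
PDP_ID = "https://pdp.univ-a.example"        # assumed audience: the visited institution's PDP

# Constructed sample of what the home Attribute Authority returns for a roaming user.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_a1" IssueInstant="2007-04-17T10:00:00Z">
  <saml:Issuer>https://aa.univ-b.example/saml</saml:Issuer>
  <saml:Subject><saml:NameID>roamer@univ-b.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2007-04-17T10:00:00Z" NotOnOrAfter="2007-04-17T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://pdp.univ-a.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:mace:terena.org:attribute-def:schacHomeOrganization">
      <saml:AttributeValue>univ-b.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed policy of the visited institution, evaluated like an XACML policy with the
# first-applicable rule-combining algorithm: the first rule whose target matches decides.
POLICY = [
    {"target": {HOME_ORG: {"blocked.example"}}, "effect": "Deny", "vlan": None},
    {"target": {AFFILIATION: {"faculty", "staff"}}, "effect": "Permit", "vlan": "210"},
    {"target": {AFFILIATION: {"student"}}, "effect": "Permit", "vlan": "200"},
]


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_and_extract(xml_text: str, audience: str, now: datetime) -> dict:
    """Return {attribute name: [values]} after the checks a PDP must make before trusting
    the assertion. XML-Signature verification is assumed to have happened already."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion without Conditions is not accepted")
    if now < parse_time(cond.get("NotBefore")) or now >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)}
    if audience not in audiences:
        raise ValueError("assertion not intended for this PDP")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def decide(attrs: dict) -> dict:
    """XACML-style decision: Permit/Deny plus a VLAN obligation for the authenticator."""
    for rule in POLICY:
        if all(set(attrs.get(name, [])) & values for name, values in rule["target"].items()):
            return {"decision": rule["effect"], "vlan": rule["vlan"]}
    return {"decision": "Deny", "vlan": None}     # NotApplicable is treated as Deny


def authorize(xml_text: str, audience: str, now_iso: str) -> dict:
    """PDP entry point: any validation failure is a Deny with a reason, never a fallback Permit."""
    try:
        attrs = validate_and_extract(xml_text, audience, parse_time(now_iso))
    except (ValueError, ET.ParseError) as exc:
        return {"decision": "Deny", "vlan": None, "reason": str(exc)}
    return decide(attrs)


if __name__ == "__main__":
    print(authorize(SAMPLE_ASSERTION, PDP_ID, "2007-04-17T10:02:00Z"))
```

authorize(SAMPLE_ASSERTION, PDP_ID, "2007-04-17T10:02:00Z") yields Permit with VLAN 200. The same assertion presented at or after NotOnOrAfter, or to a PDP that is not named in its AudienceRestriction, is denied with a reason instead of falling through to a Permit; that audience check is what stops an assertion captured at one site from being replayed at another.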

eduroam+NAS-SAML in context
- The proposal is functionally equivalent to the one discussed in I2 SALSA-FWNA for RADIUS-SAML integration
- Compatibility and convergence are the natural way forward
- NAS-SAML is
  - From the inter-realm view, a Diameter binding for SAML
  - Already available, thus allowing for fast evaluation of ideas
- Agree on the basics
  - Data exchanged in RADIUS space
  - Relevant attributes

Independent AuthZ

Summary

- Convergence to a (small number of) standards
  - 802.1X + RADIUS
  - The SAML orbit
- International confederations are emerging
  - eduroam
  - Géant2 AAI (eduGAIN)
- The twain will ever meet
  - Using the same principles and standards

Thank you! More info: