2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.

Slides:

Advertisements

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Advertisements

Lousy Introduction into SWITCHaai

Copyright © 2005 – Clickshare Service Corp. All rights reserved. Payment Aggregation & Affinity Management Clickshare for the Media Industry For more information.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Defining the Security Domain Marilu Goodyear John H. Louis University of Kansas.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Campus Based Authentication & The Project Presented By: Tim Cameron National Council of Higher Education Loan Programs.

Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

Technical Review Group (TRG)Agenda 27/04/06 TRG Remit Membership Operation ICT Strategy ICT Roadmap.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.

Active Directory: Final Solution to Enterprise System Integration

1 eAuthentication in Higher Education Tim Bornholtz Session #47.

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

June 30, 2004CAMP Shibboleth Implementation Workshop Shibboleth Mockup - ARP GUI Management by Steven Carmody Brown University proxy Walter Hoehn.

Requirements of a public and university Library for authentication and authorization infrastructures Wolfgang Lierz ETH-Bibliothek Head IT Services.

2003 © SWITCH Realization of a Vision: Authentication and Authorization Infrastructure for the Swiss Higher Education Community Copyright Martin Sutter,

SWITCHaai Team Federated Identity Management.

Digital Identity Management Strategy, Policies and Architecture Kent Percival A presentation to the Information Services Committee.

F. Guilleux, O. Salaün - CRU Middleware activities in French Higher Education.

Identity and Access Management PM COP Forum May 20, 2014Tuesday10100 AMLamont Library.

Australian Access Federation Robert Hazeltine Identity and Access Management Enterprise Systems Office.

Directory Services at UMass  Directory Services Overview  Some common definitions  What can a directory do or not do?  User Needs Assessment  What.

RECALL THE MAIN COMPONENTS OF KIM Functional User Interfaces We just looked at these Reference Implementation We will talk about these later Service Interface.

2004 © SWITCH 1 Shibboleth in Switzerland Internet2 Spring Meeting 2004 Thomas Lenggenhager Overview SWITCH & SWITCHaai Project.

AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.

2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.

Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

2006 © SWITCH Grid Activities at SWITCH Christoph Witzig EGEE - 06 Geneva Sep 28, 2006.

The UK Access Management Federation for education and research John Chapman, Project Adviser, Technical Policy & Standards.

2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

MAT U M A T U Middleware Assisted Take-Up Service For JISC Funded Early Adopters.

7 th FIM 4 R meeting April 2014 ESRIN Frascati.

1 Protection and Security: Shibboleth. 2 Outline What is the problem Shibboleth is trying to solve? What are the key concepts? How does the Shibboleth.

MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

Summary of AAAA Information David Kelsey Infrastructure Policy Group, Singapore, 15 Sep 2008.

Towards a Unified Authentication, Authorisation and Accounting Infrastructure Patrick Kirk Chief Technical Officer (YHGfL) Lifelong Learning Infrastructure.

Shibboleth Trust Model Shibboleth/SAML Communities (aka Federated Administrations) Club Shib Club Shib Application process Policy decision points at the.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

Shibboleth & Federated Identity A Change of Mindset University of Texas Health Science Center at Houston Barry Ribbeck

Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.

Attribute Delivery - Level of Assurance Jack Suess, VP of IT

Identity Management, Federating Identities, and Federations November 21, 2006 Kevin Morooney Jeff Kuhns Renee Shuey.

Administrative Information Systems Shibboleth Install Session Technical Information Session for Developers Datta Mahabalagiri.

Exploring Access to External Content Providers with Digital Certificates University of Chicago Team Charles Blair James Mouw.

Jakob Gadegaard Bendixen, Shibboleth protected proxy servers a case study from the Danish library sector.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

JSPG Update David Kelsey MWSG, Zurich 31 Mar 2009.

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

Bringing it All Together: Charting Your Roadmap CAMP: Charting Your Authentication Roadmap February 8, 2007 Paul Caskey Copyright Paul Caskey This.

b2access.eudat.eu B2ACCESS The simple and secure authorisation and authentication platform of EUDAT This work is licensed under the Creative.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.

1 Identities and Federation: The Next IT Wave (The Canadian Access Federation) Rick Bunt President The Canadian University Council of CIOs (CUCCIO)

Networks ∙ Services ∙ People Mandeep Saini TNC15, Porto, Portugal Virtual organisation Authorisation Management Practices in Research and.

Authentication and Authorisation for Research and Collaboration AARC/CORBEL Workshop for Life Sciences AAI AARC Draft Blueprint.

Community Sign-On and BEN. Table of Contents  What is community sign-on?  Benefits  How it works (Shibboleth)  Shibboleth components  CSO workflow.

eduTEAMS – Current status & Future Plans

Federated Identity Management for Researchers (FIM4R)

Current Campus Issues – From My Horizon

ESA Single Sign On (SSO) and Federated Identity Management

Authentication and Access:

Shibboleth in Switzerland

Protecting Privacy with Federated AA

Presentation transcript:

2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH

2003 © SWITCH 2 e-Academia / AAI: Pilot phase e-Academia / AAI Concept “… let’s develop e-Academia, let us build the foundations in the form of a uniform authentication and authorization infrastructure (AAI) for the higher education system in Switzerland…” “We want a virtual community across our institutions in which all persons associated with the Swiss Higher Education System are able to gain access to its electronic resources, independent of the accrediting organization and independent of the place where they happen to be working.” Vision of e-Academia AAI as the foundation of e-Academia Study Realization V1.0 Pilot Realization V2.0 Concept Roadmap 2000

2003 © SWITCH 3 e-Academia / AAI: Pilot phase University of Zurich Resource User Info about user Resource Owner 1 user - 1 resource - 1 organization: NO PROBLEM The AA Problem (1) + Swiss Passport ID, Credentials

2003 © SWITCH 4 e-Academia / AAI: Pilot phase Resource B University of Lausanne Resource C University Hospital of Geneva Info about user Resource A Info about user User ID, Credentials Many users - many resources - many organizations: A PROBLEM User ID, Credentials User ID, Credentials The AA Problem (2) Info about user University of Zurich ID, Credentials Info about user ID, Credentials Info about user

2003 © SWITCH 5 e-Academia / AAI: Pilot phase Resource Owner User‘s Home Org Access Control Manager Resource Info (name, address, ….) Registration Access Control Definition User data system Legend: Registra- tion Pre-processing User DB The AA Model (1) 1

2003 © SWITCH 6 e-Academia / AAI: Pilot phase Resource Owner User‘s Home Org AAI Access Control Manager Resource Authorization Information Authentication Access Control Definition Access Request of an authenticated user User Authorization Information Delivery data system AAI-interaction Legend: Authenti- cation User DB The AA Model (2)

2003 © SWITCH 7 e-Academia / AAI: Pilot phase Resource Owner User‘s Home Org AAI Access Control Manager Authenti- cation Log Other Applications (Accounting, Billing, Statistics) The AA Model (3) Input to Accounting or Billing systems: AAI provides Identity of User and/or Name of Home Organization Resource measures the interactions between a user and the resource

2003 © SWITCH 8 e-Academia / AAI: Pilot phase AAI simplifies the protection of information by applying standardized mechanisms. Resource owners can concentrate on the protection of their resources without having to implement an entire system including registration and authentication. Information protection AAI makes it possible to authorize users based on personal attributes of a user instead of IP addresses. User authorization thus becomes location-independent. Remote access After a single registration a user can access a number of resources. Only one authentication technology is applied. User friendliness Standardized AA systems and cooperation among IT organizations improve the efficiency in the implementation and operation of security solutions. IT efficiency Without AAI, a user has to register with various organizations. It is feared that the administrative overhead of individual organizations will increase dramatically. AAI counteracts this tendency. Administration overhead Complicated and inconsistent AA mechanisms, or isolation of resources and user groups, respectively, is no longer state of the art. Not having an AAI will damage the image in the long run. Image AAI is a requirement if students of different universities wish to use common resources, and it is the basis for initiatives such as the Swiss Virtual Campus. Virtual Mobility Advantages of an AAI

2003 © SWITCH 9 e-Academia / AAI: Pilot phase Unique Identifier (anonymous) Surname Given name Date of birth Gender Address(es) Phone number(s) Preferred language Name of Home Organization Type of Home Organization Affiliation (student, staff, faculty, …) Study branch Study level Staff category Organization Path Organization Unit Path Group membership User attributes for AAI are based on standards (LDAP: eduPerson, SHIS/SIUS) have to be available in real-time have to be handled as required by federal and cantonal data protection laws: attributes have to be accurate attributes have to be stored securely attributes should only be transferred to resources with a valid case to use it. will be revised in the future in a standardised change process, depending on the requirements of Resource Owners and Home Organizations Personal attributesGroup membership Authorisation Attributes

2003 © SWITCH 10 e-Academia / AAI: Pilot phase Simple Identity Management Classification MS Passport –Trust model: One external trust broker, trust monopoly –One central user database –One single Home Organisation for all users Shibboleth –Trust model: “Club” of organisations trusting each other (but not necessarily their users!) –Decentralised user database at “Club” member sites –“Club” members acting as Home Organisation –Users are registered with exactly one Home Organisation, maintaining their electronic identity (otherwise, they end up owning multiple electronic identities) Liberty Alliance –Same as Shibboleth except: –Users may register with multiple “Club” members –Each Club member is maintaining a part of their user’s electronic identity simple complex