1
RadSec and DAMe
University of Stuttgart / University of Murcia
Vienna, Sascha Neinert
2
Overview
  DAMe Project
  RadSec and DAMe: Dynamic Server Discovery
  DAMe Testbed
  Next Steps
3
DAMe Project
  DAMe stands for: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
  Subproject of GÉANT2
  Partners: DFN, RedIRIS, University of Murcia, University of Stuttgart
  Goals:
    Adding attribute-based authorization to eduroam
    Unified Single Sign On, using eduToken in SAML format
4
Attribute-based Authorization in eduroam
  Note: NO DIAMETER!
5
Unified Single Sign On
6
DAMe-2 Project
  Additional Goals:
    Support for Level of Assurance (LoA):
      Including LoA in the eduToken, in the AuthnContext
      Protocol extended for re-authentication with higher LoA
    Integration of RadSec:
      Adding RadSec proxy servers in front of both the remote (SP) and the home (IdP) institution
      eduToken transport over RadSec
    Inclusion of attribute conversion in DAMe
7
RadSec and DAMe: Dynamic Server Discovery
  RadSec: RADIUS over TCP and TLS
  Implementations: radsecproxy and Radiator
  eduroam with RadSec:
    Mutual authentication with valid server certificates from a trusted CA (eduGAIN CA / SCA, others)
    subjectAltName (URI) specifying the role of a server, e.g. urn:geant:eduroam:component:sp:ABC may act as a RadSec client, urn:geant:eduroam:component:idp:XYZ may act as a server
  RadSec enables dynamic server discovery:
    Lookup for a RadSec server serving a specific home domain
    Mutual authentication using server certificates
    TLS connection is established
8
RadSec and DAMe: Dynamic Server Discovery
  Dynamic discovery can be done...
    Using DNS:
      radsecproxy can query for _radsec._tcp.<domain-name>
      Radiator can also use this mechanism
    Using MDS:
      radsecproxy calls the radsec2mds tool
      SAML metadata is retrieved from the eduGAIN MDS
      MDS is part of DAMe / eduGAIN already
      MDS is flexible + secure (efficient? reliable?)
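The DNS variant above, as an added example that is not code from the DAMe project, radsecproxy or Radiator: it derives the SRV owner name _radsec._tcp.<realm> from the user's outer identity, looks it up against a constructed in-memory answer set (so it runs offline; the realm and host names are made up) and orders the candidates the way RFC 2782 requires, lowest priority first and a weighted random choice among equal priorities. How radsecproxy itself normalizes the realm or orders SRV answers is not stated on the slide and is an assumption here.

```python
"""Offline model of DNS-based RadSec server discovery.

Added example, not code from the DAMe project, radsecproxy or Radiator.
The answer set below is constructed; no network access is needed.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


# Constructed SRV answer set standing in for what a resolver would return.
FAKE_DNS = {
    "_radsec._tcp.example-home.edu": (
        SrvRecord(10, 60, 2083, "radsec1.example-home.edu."),
        SrvRecord(10, 40, 2083, "radsec2.example-home.edu."),
        SrvRecord(20, 0, 2083, "radsec-backup.example-home.edu."),
    ),
}


def srv_name_for_realm(outer_identity: str) -> str:
    """Build the SRV owner name from the realm part of the (outer) identity.

    The identity is attacker-controlled input, so it is normalized and
    rejected when it carries no usable realm.
    """
    if "@" not in outer_identity:
        raise ValueError("outer identity carries no realm")
    realm = outer_identity.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if not realm:
        raise ValueError("empty realm")
    return f"_radsec._tcp.{realm}"


def order_srv(records, rng):
    """Return the records in RFC 2782 selection order."""
    by_priority = {}
    for r in records:
        by_priority.setdefault(r.priority, []).append(r)
    ordered = []
    for prio in sorted(by_priority):          # lowest priority value first
        pool = list(by_priority[prio])
        while pool:
            # RFC 2782: zero-weight records go first; draw a number in
            # 0..total and take the first record whose running sum reaches it.
            pool.sort(key=lambda r: r.weight != 0)
            total = sum(r.weight for r in pool)
            n = rng.randint(0, total)
            acc = 0
            for i, r in enumerate(pool):
                acc += r.weight
                if acc >= n:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def discover(outer_identity, answers=FAKE_DNS, seed=None):
    """Candidate (host, port) list for the identity's realm, best first.

    An empty list means no RadSec server is published for that realm, so a
    proxy would fall back to its static routing configuration.
    """
    name = srv_name_for_realm(outer_identity)
    records = answers.get(name)
    if not records:
        return []
    rng = random.Random(seed)
    return [(r.target.rstrip("."), r.port) for r in order_srv(records, rng)]


if __name__ == "__main__":
    for host, port in discover("anonymous@example-home.edu", seed=1):
        print(f"{host}:{port}")
```

The DNS answer only tells the proxy where to connect; it is not authenticated unless DNSSEC is in use. What actually establishes trust in the discovered server is the step the earlier slide describes: mutual TLS with a certificate from a trusted CA whose subjectAltName URI carries the idp role for that home domain.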
9
RadSec and DAMe: Dynamic Server Discovery (MDS)
10
RadSec and DAMe: Dynamic Server Discovery (MDS)
  Metadata snippet:
    <md:EntityDescriptor ID="…" entityID="…">
      <md:IDPSSODescriptor ID="USTUTT-RADSEC">
        <md:SingleSignOnService Location="radsec(*)://ksat124.rus.uni-stuttgart.de:2083"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:Extensions>
          <egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:exact" egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
        </md:Extensions>
      </md:Organization>
    </md:EntityDescriptor>
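The MDS variant, as an added example that is not the DAMe project's radsec2mds tool: it parses metadata modelled on the snippet above, picks the EntityDescriptor whose HLPattern (Type HomeDomain, exact matching algorithm) equals the user's realm, reads the radsec:// Location of its SingleSignOnService, and then applies the role check from the earlier RadSec slide, i.e. the discovered server's certificate must present a subjectAltName URI of the form urn:geant:eduroam:component:idp:XYZ before it is accepted as a server. The entityID, the EntityDescriptor ID and the egmd namespace URI in the constructed metadata are assumptions, as is the SAN list handed to the role check.

```python
"""RadSec endpoint lookup from eduGAIN-style SAML metadata plus eduroam
role check on the server's subjectAltName URIs.

Added example, not the DAMe project's radsec2mds tool. The metadata is
constructed from the slide's snippet; entityID, EntityDescriptor ID and the
egmd namespace URI are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "egmd": "urn:geant:edugain:metadata",   # assumed namespace URI
}
EXACT = "urn:geant:edugain:metadata:homelocator:matching-algo:exact"
ROLE_PREFIX = "urn:geant:eduroam:component:"
RADSEC_DEFAULT_PORT = 2083

METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:egmd="{NS['egmd']}">
  <md:EntityDescriptor ID="USTUTT" entityID="urn:example:ustutt-radsec">
    <md:IDPSSODescriptor ID="USTUTT-RADSEC">
      <md:SingleSignOnService Location="radsec://ksat124.rus.uni-stuttgart.de:2083"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:Extensions>
        <egmd:HLPattern egmd:MatchingAlgo="{EXACT}"
                        egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
      </md:Extensions>
    </md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def find_radsec_server(metadata_xml, realm):
    """Return (host, port, EntityDescriptor ID) for the realm, or None."""
    root = ET.fromstring(metadata_xml)
    realm = realm.strip().lower()
    for ent in root.iter(f"{{{NS['md']}}}EntityDescriptor"):
        for pat in ent.iterfind(".//egmd:HLPattern", NS):
            if pat.get(f"{{{NS['egmd']}}}Type") != "HomeDomain":
                continue
            if pat.get(f"{{{NS['egmd']}}}MatchingAlgo") != EXACT:
                continue            # only the exact matcher is modelled here
            if (pat.text or "").strip().lower() != realm:
                continue
            sso = ent.find("md:IDPSSODescriptor/md:SingleSignOnService", NS)
            if sso is None:
                continue
            url = urlsplit(sso.get("Location", ""))
            if url.scheme != "radsec" or not url.hostname:
                continue            # skip endpoints that are not RadSec
            return url.hostname, url.port or RADSEC_DEFAULT_PORT, ent.get("ID")
    return None


def parse_eduroam_role(san_uri):
    """Split urn:geant:eduroam:component:<role>:<id> into (role, id)."""
    if not san_uri.startswith(ROLE_PREFIX):
        return None
    role, _, ident = san_uri[len(ROLE_PREFIX):].partition(":")
    if role not in ("sp", "idp") or not ident:
        return None
    return role, ident


def peer_may_act_as(san_uris, expected_role):
    """True if one subjectAltName URI of the peer grants expected_role."""
    for uri in san_uris:
        parsed = parse_eduroam_role(uri)
        if parsed and parsed[0] == expected_role:
            return True
    return False


if __name__ == "__main__":
    found = find_radsec_server(METADATA, "uni-stuttgart.de")
    print("discovered:", found)
    # Constructed SAN list standing in for the discovered server's certificate.
    sans = ["urn:geant:eduroam:component:idp:USTUTT"]
    print("may act as server:", peer_may_act_as(sans, "idp"))
```

The role check is what stops a certificate issued for an SP (urn:geant:eduroam:component:sp:...) from being accepted as a home server, even though it chains to the same trusted CA; a TLS client that only validates the chain would miss that distinction.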
11
DAMe Testbed – Overall View
  Diagram components: DNS, AP, Client, RADIUS, RadSec Proxy (UMU side), RadSec Proxy, RADIUS, Shib IdP, DAMe-BE, XACML PDP (USTUTT side), eduGAIN MDS; USTUTT ("home"), UMU ("remote")
  Most test cases can be done in both directions: UMU -> USTUTT and USTUTT -> UMU
12
DAMe Testbed – UMU
  Client: wpa_supplicant
  Network SP:
    FreeRADIUS with dame-dictionary
    radsecproxy 1.3.1
    eduGAIN SCA certificate including eduroam URN (urn:geant:eduroam:component: ...)
  Testbed has been moved from FreeRADIUS 1 to FreeRADIUS 2
13
DAMe Testbed – USTUTT
  Network IdP:
    FreeRADIUS with dame-enabled peap-module and dame-dictionary
    radsecproxy 1.3.1, can be discovered by querying DNS for _radsec._tcp.dame.uni-stuttgart.de
    eduGAIN SCA certificate including eduroam URN (urn:geant:eduroam:component: ...)
  SAML IdP:
    Shibboleth IdP
    DAMe-BE issuing eduTokens
14
Next Steps
  USTUTT: separate network SP and network IdP
  Finish deployment of DAMe including dynamic discovery components
  Publish metadata to mds.edugain.org
  Run federated tests UMU <-> USTUTT
  Optimize radsec2mds tool
  Measure performance of DNS-based and MDS-based discovery; compare both methods
15
Any questions or comments?
DAMe website: