1
First steps in federation peering: eduGAIN and eduroam
Diego R. Lopez - RedIRIS
2
Contents
- The drivers for (con-)federations
- The eduroam case
- The eduGAIN case
- Universal single sign-on, a.k.a. DAMe
3
As Federations Grow: The risk of dying of success
- Do we really need to go on selling the federated idea?
- Different communities, different needs
  - Not even talking about international collaboration
- Different (but mostly alike) solutions
  - Grids and libraries as current examples
  - And many to come: governments, professional associations, commercial operators, …
- Don’t hold your breath waiting for the Real And Only Global Federation
4
Confederations: Federate Federations
- Same federating principles applied to federations themselves
  - Own policies and technologies are locally applied
  - Independent management
  - Identity and authentication-authorization must be properly handled by the participating federations
- Commonly agreed policy
  - Linking individual federation policies
  - Coarser than them
- Trust fabric entangling participants
  - Without affecting each federation’s fabric
  - E2E trust must be dynamically built
5
First Steps
- Simplifying user collaboration across whatever border is an excellent selling argument
  - Making the whole promise of the VO idea
  - eduroam’s fast worldwide success is a clear example
- Lingua franca
  - Syntax: SAML profiles, converging to 2.0
  - Semantics: eduPerson, SCHAC
- Trust fabric
  - Public key technologies (if not infrastructures)
  - Component identifiers and registries
  - Metadata repositories
6
Policy and Legal Matters
- The PMA model has proven extremely useful
  - Consensual set of guidelines
  - Peer-reviewed accreditation
- Legal matters: Hic sunt leones
  - For techies like us
  - Privacy
  - Liability
  - More or less manageable in the case of (national) federations
7
eduroam: Confederation avant-la-lettre
- A simple goal: “open your laptop and be online”
- The GN2 roaming mission: “To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources”
- Based on reciprocal (free) access
  - For the academic and research community
- Authentication at home
- Authorization at visited institution
8
eduroam: Ubiquitous Network Access
Connect. Communicate. Collaborate
[Diagram: a supplicant at the visited institution (University A) connects through an authenticator (AP or switch) to University A’s RADIUS server; the request is proxied over GÉANT2 via the central RADIUS proxy server to the home institution’s (University B) RADIUS server and user DB. 802.1X signalling assigns the user to a VLAN (guest (Gast), student, employee, commercial). Trust is based on RADIUS plus policy documents.]
9
eduroam Confederations
- Regions have their own stage of development and pace
- Regions have their own regional policies (with delegation to national federations)
- Policies will be aligned as much as possible
10
The European eduroam Policy
- Mutual access
- Home institutions are/remain responsible for their users abroad
- Members are European NRENs
- Members guarantee required security levels by their participants
- Members promote eduroam in their countries
- European eduroam may peer with other regions
11
National Policies
- Mutual access
- Members are connected institutions
- Home institution is/remains responsible for its users’ behavior
- Home institution is responsible for proper user management
- Home and visited institution must keep sufficient log data
- Appropriate security levels
12
eduGAIN: AAI peering à la European
- The GN2 AAI mission: “To build an interoperable authentication and authorisation infrastructure that will be used all over Europe enabling seamless sharing of e-science resources”
- We started from
  - Scattered AAI (pilot) implementations in the EU and abroad
  - The basic idea of federating them, preserving hard-won achievements
13
Applying Confederation Concepts
- An eduGAIN confederation is a loosely-coupled set of cooperating identity federations
  - That handle identity management, authentication and authorization using their own policies
- Trust between any two participants in different federations is dynamically established
  - Members of a participant federation do not know in advance about members in the other federations
- Syntax and semantics are adapted to a common language
  - Through an abstract service definition
14
The eduGAIN Model
[Diagram: the home and remote Federation Peering Points (H-FPP, R-FPP) publish metadata to the MDS (Metadata Service). The remote Bridging Element (R-BE), in front of the resource(s), queries the MDS to locate the home Bridging Element (H-BE), in front of the Id repository(ies). The AA interaction then runs resource ↔ R-BE ↔ H-BE ↔ Id repository.]
15
The (X.509) Trust Fabric
Validation procedures include:
- Normal certificate validation
  - Trust path evaluation, signatures, revocation, …
- Peer identification
  - Certificates hold the component identifier
  - It must match the appropriate metadata
- Applicable to TLS connections between components
  - Two-way validation is mandatory
- Verification of signed XML assertions
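The first two validation steps above as a worked example in Go, added here (it is not code from the deck or from eduGAIN). It assumes the component identifier travels as a urn: URI in the certificate’s Subject Alternative Name, and it is what a VerifyPeerCertificate callback would do on each end of the two-way TLS connection; newCert only mints throwaway certificates so the check can be exercised offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)
// ValidatePeer runs the two checks the slide names: ordinary chain validation against the
// confederation trust anchors, then peer identification, i.e. the component identifier in
// the certificate (assumed here to be a urn: URI SAN) must equal the metadata entityID.
func ValidatePeer(leaf *x509.Certificate, roots *x509.CertPool, expectedID string) error {
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	for _, u := range leaf.URIs {
		if u.Scheme == "urn" && u.String() == expectedID {
			return nil
		}
	}
	return fmt.Errorf("peer identification: no SAN matches metadata entityID %q", expectedID)
}
// newCert mints a throwaway certificate for id: a self-signed CA when parent is nil,
// otherwise signed by parent. Test helper only, hence the ignored errors.
func newCert(id string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: id},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	if u, err := url.Parse(id); err == nil && u.Scheme == "urn" {
		tmpl.URIs = []*url.URL{u} // the component identifier rides in the SAN
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
```

Revocation checking, the third item under normal validation, is not shown: Go’s Verify does no CRL or OCSP lookup on its own.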
16
A general model for eduGAIN interactions
[Diagram: a requester (component identifier urn:geant2:...:requester), fronting the resource, and a responder (urn:geant2:...:responder), fronting the Id repository. Over a TLS channel the requester queries the MDS with ?cid=someURN and receives the responder’s <EntityDescriptor . . . entityID="urn:geant2:..:responder"> with its <SingleSignOnService . . . Location= … />. Over further TLS channel(s) it sends <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="…"> . . . </samlp:Request> and receives <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>.]
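The RequestID/InResponseTo pairing in the diagram, as an added Go example (not code from the deck or from eduGAIN) of what the requester should verify before trusting a Response: it must answer a Request this component issued, be consumed only once, and be fresh relative to the Request’s IssueInstant. The SAML 1.1 protocol namespace is the real one; the sample message, IDs and timestamp are constructed.

```go
package main

import (
	"encoding/xml"
	"errors"
	"time"
)

// Only the Response attributes the slide shows are modelled; SAML 1.1 carries more.
type samlResponse struct {
	XMLName      xml.Name `xml:"urn:oasis:names:tc:SAML:1.0:protocol Response"`
	ResponseID   string   `xml:"ResponseID,attr"`
	InResponseTo string   `xml:"InResponseTo,attr"`
	IssueInstant string   `xml:"IssueInstant,attr"`
}

// Requester remembers the RequestIDs it issued (with their IssueInstant) so that a
// Response is accepted once, and only when its InResponseTo names one of them.
type Requester struct{ pending map[string]time.Time }

func NewRequester() *Requester { return &Requester{pending: map[string]time.Time{}} }

// Issue records the RequestID and IssueInstant placed in an outgoing samlp:Request.
func (q *Requester) Issue(requestID string, issueInstant time.Time) {
	q.pending[requestID] = issueInstant
}

// Accept checks an incoming samlp:Response: it must answer an outstanding request,
// only once, and its IssueInstant must fall within maxAge after the request's.
func (q *Requester) Accept(raw []byte, maxAge time.Duration) error {
	var r samlResponse
	if err := xml.Unmarshal(raw, &r); err != nil {
		return err
	}
	issued, ok := q.pending[r.InResponseTo]
	if !ok {
		return errors.New("InResponseTo does not name an outstanding RequestID")
	}
	delete(q.pending, r.InResponseTo) // consumed: a replayed Response fails above
	t, err := time.Parse(time.RFC3339, r.IssueInstant)
	if err != nil || t.Before(issued) || t.Sub(issued) > maxAge {
		return errors.New("response IssueInstant missing, before the request, or too old")
	}
	return nil
}

// Constructed sample Response (not from the deck; IDs and timestamp are made up).
var SampleResponse = []byte(`<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol"` +
	` ResponseID="_rsp-0001" InResponseTo="_req-0001" IssueInstant="2007-05-01T10:00:02Z"/>`)
```

Signature verification of the enclosed assertions (the last item on the trust-fabric slide) is a separate step that runs before Accept is trusted; it is not part of this block.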
17
Metadata Service
- Based on REST interfaces transporting SAML 2.0 metadata
  - Usable by non-eduGAIN components
- Metadata are published through POST operations
- Metadata are retrieved through GET operations
- URLs are built as MDSBaseURL/FederationID/entityID?queryString
  - Using component names
  - The query string transports data intended to locate the appropriate home BE (Home Locators)
    - Hints provided by the user
    - Contents of certificate extensions (SubjectInformationAccess)
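The URL scheme above put to work, as an added Go example (not the eduGAIN MDS code): MetadataURL builds MDSBaseURL/FederationID/entityID?queryString with the home-locator hint in the query string, and FetchMetadata performs the GET and refuses metadata whose entityID differs from the one asked for, so the trust-fabric identifier check later has the right metadata to match against. The SAML 2.0 metadata namespace is real; the base URL, federation ID and sample metadata are constructed placeholders.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"strings"
)

// MetadataURL builds MDSBaseURL/FederationID/entityID?queryString as on the slide: the URN
// entityID is path-escaped and home-locator hints such as cid go in the query string.
func MetadataURL(base, federationID, entityID string, hints url.Values) string {
	u := strings.TrimRight(base, "/") + "/" + url.PathEscape(federationID) + "/" + url.PathEscape(entityID)
	if len(hints) > 0 {
		u += "?" + hints.Encode()
	}
	return u
}

// EntityDescriptor reads the one attribute of SAML 2.0 metadata this example needs.
type EntityDescriptor struct {
	XMLName  xml.Name `xml:"urn:oasis:names:tc:SAML:2.0:metadata EntityDescriptor"`
	EntityID string   `xml:"entityID,attr"`
}

// FetchMetadata retrieves metadata with GET and refuses an answer that describes a
// different entity than the one looked up, so a name cannot be bound to the wrong peer.
func FetchMetadata(c *http.Client, base, fed, entityID string, hints url.Values) (*EntityDescriptor, error) {
	resp, err := c.Get(MetadataURL(base, fed, entityID, hints))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("MDS returned %s", resp.Status)
	}
	var ed EntityDescriptor
	if err := xml.NewDecoder(io.LimitReader(resp.Body, 1<<20)).Decode(&ed); err != nil {
		return nil, err
	}
	if ed.EntityID != entityID {
		return nil, fmt.Errorf("metadata describes %q, asked for %q", ed.EntityID, entityID)
	}
	return &ed, nil
}

// Constructed sample metadata (not from the deck); the entityID is made up.
var SampleMetadata = []byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:geant2:example:responder"/>`)
```

In a deployment the http.Client carries the TLS configuration from the trust-fabric slide, so the MDS itself is authenticated the same way as any other component.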
18
eduGAIN Profiles
- Oriented to
  - Enable direct federation interaction
  - Enable services in a confederated environment
- Four profiles discussed so far
  - WebSSO (Shibboleth browser/POST)
  - AC (automated client: no human interaction)
  - UbC (user behind non-Web client: use of SASL-CA)
  - WE (WebSSO enhanced client: delegation)
- Others envisaged
  - Extended Web SSO (allowing POST data to be sent)
  - eduGAIN usage from roaming clients (DAMe)
- Based on SAML 1.1
  - Mapping to SAML 2.0 profiles along the transition period
19
Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)
DAMe is a project that builds upon:
- eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
- Shibboleth and eduGAIN
- NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards
  - Usually, those proposals don’t explain how certificates are issued by the authorities (it is usually application-dependent)
  - In complex environments, a structured and distributed system must be provided (and application independent)
20
First Goal: extNA (Extension of eduroam using NAS-SAML)
[Diagram: the eduroam picture (supplicant, authenticator (AP or switch), University A and University B RADIUS servers, eduroam central RADIUS proxy server, user DB) extended at the home institution with a Policy Decision Point and a Source Attribute Authority. User mobility is controlled by assertions and policies expressed in SAML and XACML, carried alongside the RADIUS signalling data.]
21
Second Goal: eduGAIN as AuthN and AuthR Backend
[Diagram, building on the extNA picture: a link between the AAA servers (now acting as Service Providers) and eduGAIN.]
22
Third Goal: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
- 4th goal: integrating applications, focusing on grids
23
Summary
- Educational federations are happening
  - And suffering their first growing pains
- Convergence to (small number of) standards
  - In the SAML orbit
- International confederations are emerging
  - eduroam
  - Géant2 AAI (eduGAIN)
- The twain will ever meet
  - Using the same principles and standards