
Mechanisms for Distributed Global Authentication David R Newman.


1 Mechanisms for Distributed Global Authentication David R Newman

2 The Problem
Users need to authenticate to use a service, but the service provider does not want to manage user credentials, and/or the user already has credentials they want to use.

3 The Solutions

4 Versions of OpenID
The mechanisms for OpenID and OpenID Connect are somewhat similar.
OpenID: does not require any configuration for the service provider on the identity provider. The service provider decides which identity providers to trust. Most identity providers have either been discontinued (e.g. MyOpenID) or deprecated in preference to OpenID Connect (e.g. Google).
OpenID Connect: uses OAuth 2.0 to register the service as an application on the identity provider.

5 OpenID

6 OpenID Providers

7 OpenID Connect

8 Shibboleth
Commonly used by higher education institutions.
Requires greater co-operation between service provider and identity provider stakeholders to set up.
Provides a shim on top of existing user and authentication services.
Explicitly designed to support third-party discovery services.
Access to user attributes is controlled by the identity provider rather than the user.

9 Setting up a Shibboleth Service Provider
(Diagram: Shibboleth Service Provider (SP) on one side, Shibboleth Identity Provider (IdP) on the other.)
1. Download IdP metadata, including its certificate
2. Edit SP configuration to reference the IdP metadata
3. Generate key and certificate for the SP and reference them in the configuration
4. Get the IdP to download SP metadata, including its certificate
5. Edit IdP configuration to reference the SP metadata

10 Shibboleth Authentication
(Diagram: User, Service, Shibboleth Service Provider (SP) and Shibboleth Identity Provider (IdP).)
1. User requests restricted resource
2. Service detects login required
3. SP tells user to authenticate on the IdP
4. User requests IdP login service
5. IdP provides login page
6. User provides login credentials
7. IdP provides authentication results and user attributes to SP (via User)
8. SP tells Service whether user can access resource
9. Service returns resource or forbidden

11 Sharing User Attributes with Shibboleth
(Diagram: LDAP Server, Shibboleth Identity Provider (IdP), Shibboleth Service Provider (SP) and Service.)
1. LDAP attributes mapped to SAML
2. IdP checks which attributes the SP can be given
3. SP maps the attributes of interest and passes them on to the service

12 Shibboleth with Discovery

13 Eduroam
International Wi-Fi roaming service
Predominantly available at higher education institutions
Users can log in using their institutional username and password
Easily configurable on Windows, Linux, MacOS, Android and iOS
Uses RADIUS to enable 802.1X authentication

14 How RADIUS Works

15 RADIUS Peering
Allows authentications beyond your domain.
Peer directly with another RADIUS server using a “shared secret”. This RADIUS server can then peer with others.
Rules in the RADIUS configuration determine whether to attempt local authentication or to which server to relay.
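The relay rules on this slide, worked as an added toy model that is not from the talk: each server authenticates its own realms, relays any other realm to the peer configured for it (or to a default upstream peer), and only accepts a relayed request whose shared-secret MAC checks out. The server names, realms, users and secrets are constructed, and the HMAC stands in for RADIUS's Message-Authenticator.

```python
import hashlib
import hmac

class RadiusServer:
    # Toy RADIUS server: authenticates its own realms, relays the rest to peers.
    def __init__(self, name, local_realms, users):
        self.name, self.local_realms = name, set(local_realms)
        self.users = users                 # username -> password (constructed sample data)
        # peers: name -> (server, shared secret); realm_routes: realm -> peer name;
        # default_peer: upstream for unlisted realms; route_log: decision per request
        self.peers, self.realm_routes, self.default_peer, self.route_log = {}, {}, None, []

    def peer_with(self, other, secret, realms=(), default=False):
        self.peers[other.name] = (other, secret)
        self.realm_routes.update({r: other.name for r in realms})
        self.default_peer = other.name if default else self.default_peer

    @staticmethod
    def _mac(secret, username, password):
        # Stand-in for Message-Authenticator: proves the sender holds the shared secret
        return hmac.new(secret.encode(), f"{username}\0{password}".encode(), hashlib.sha256).hexdigest()

    def receive(self, from_name, username, password, mac, hops):
        # Request arriving from a peer: drop it unless the sender knows our shared secret
        secret = self.peers.get(from_name, (None, ""))[1]    # unknown peer -> no secret -> reject
        if not hmac.compare_digest(mac, self._mac(secret, username, password)):
            return "Access-Reject (unknown peer or bad shared secret)"
        return self.authenticate(username, password, hops)

    def authenticate(self, username, password, hops=0):
        if hops > 4:                       # a peering loop must not relay forever
            return "Access-Reject (relay loop)"
        realm = username.partition("@")[2].lower()
        if not realm or realm in self.local_realms:
            self.route_log.append(f"{self.name}: local auth {username}")
            return "Access-Accept" if self.users.get(username) == password else "Access-Reject"
        peer_name = self.realm_routes.get(realm, self.default_peer)
        if peer_name is None:
            return "Access-Reject (unknown realm)"
        self.route_log.append(f"{self.name}: relay {username} -> {peer_name}")
        peer, secret = self.peers[peer_name]
        return peer.receive(self.name, username, password, self._mac(secret, username, password), hops + 1)

def build_demo():
    # Constructed chain: a visitor's home realm is only known one relay up from the visited site
    sown = RadiusServer("sown", ["sown.example"], {"bob@sown.example": "pw-bob"})
    soton = RadiusServer("soton", ["soton.example"], {})   # upstream relay for sown
    home = RadiusServer("home", ["home.example"], {"alice@home.example": "pw-alice"})
    sown.peer_with(soton, "s1", default=True); soton.peer_with(sown, "s1", ["sown.example"])
    soton.peer_with(home, "s2", ["home.example"]); home.peer_with(soton, "s2", default=True)
    return sown, soton, home
```

Running `build_demo()` and calling `authenticate` on the visited server shows in `route_log` whether the request was answered locally or relayed hop by hop to the user's home realm.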

16 How Eduroam Works

17 SOWN’s RADIUS Peering
(Diagram of the peering chain: ECS, SOWN, Soton, Jisc (Janet), GEANT, DFN, Münster.)

18 SOWN’s RadMatrix

19 Further Reading OpenID Shibboleth Eduroam/RADIUS
Shibboleth tall Eduroam/RADIUS nt_v1_0.pdf

20 Next SOWN Talk
Administering the SOWN Network – David Newman and Chris Malton. Probably 2nd March.

21 Questions?

