1
5/25/2015 AEB/Yleisesittely
Roaming network access using Shibboleth in University of Helsinki
Fall 2004 Internet2 Member Meeting, 29th of September, 2004
Mikael Linden, mikael.linden@csc.fi
CSC, the Finnish IT Center for Science, Finland
2
Isn't it a little bit exotic…
…to use application layer technology for access control in the network layer?

Application layer   Shibboleth
Transport layer     TCP
Network layer       IP
Link layer          WLAN (802.11)
3
CSC, the Finnish IT Center for Science
Non-profit company owned by the Ministry of Education in Finland to provide national IT infrastructure for research and education
– expertise in scientific computing
– supercomputing
– Funet (Finnish university and research network)
Federated identity is a new way for CSC to support higher education
– national HAKA federation, based on Shibboleth
– currently in pilot phase (3 IdPs, 4 SPs)
– to be in production in 2004
4
Background: AA (authentication and authorisation) issues in European higher education
Roaming network access technologies:
1. 802.1X & RADIUS proxy hierarchy
2. VPN & complete list of VPN gateways
3. web redirection & RADIUS proxy hierarchy
4. ROAMNODE & RADIUS proxy hierarchy
– more information: TERENA TF-Mobility, deliverable G
Application level access technologies: several federating software packages in use, some of them national
– Shibboleth, PAPI, FEIDE, A-select…
5
Background: University of Helsinki (UH)
The largest university in Finland, with a campus in downtown Helsinki
UH is deliberating whether to join WLAN roaming
– it would probably not be fair for UH: considerably more visitors coming in than going out, so the costs would accumulate for UH
– UH could instead allow roaming access for some smaller subgroup (e.g. staff & faculty of other universities)
– authentication alone is not enough; role-based authorisation is needed
– role attributes need to be passed from the home institution
– that is what Shibboleth is made for
6
How it works
Components (from the diagram): the Internet; the docking network (HUPnet) at the University of Helsinki; the access control device (ACD), which is a Shibboleth target; the WAYF (193.166.0.69); the Shibboleth origin of the University of Tampere (UTa) (153.1.6.41); Bob, a researcher at UTa.
Before authentication the docking network has only SSL (port 443) open, and only to the WAYF (193.166.0.69), the UTa origin (153.1.6.41), …
1. The user activates his WLAN card and web browser. The ACD (a Shibboleth target) captures the initial HTTP request.
2. The browser is redirected to the WAYF.
3. The user selects his IdP. The Shibboleth origin authenticates him.
4. The IdP provides user attributes to the ACD.
5. The ACD decides whether the user may access (the rest of) the Internet.
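A toy model of the two decisions the ACD makes in this flow, written as an added example for this page (it is not the HUPnet code of the University of Helsinki): the pre-authentication filter that lets an unauthenticated client in the docking network reach only TCP/443 at the WAYF and at the federation's Shibboleth origins, and the authorisation step that admits a visitor on the role asserted by the home institution without learning who the person is. The two IP addresses are the ones on the slide; the uta.fi scope, the eduPersonScopedAffiliation attribute, the admitted roles (staff and faculty, following the example on slide 5) and the sample attribute releases are assumptions made for illustration.

```python
"""Toy access control device (ACD) for a Shibboleth-gated docking network.

Added example, not the University of Helsinki HUPnet implementation.
Models two decisions:
  1. the pre-authentication "walled garden": an unauthenticated client may
     reach only TCP/443 at the WAYF and at the federation's Shibboleth
     origins, so that it can log in but do nothing else;
  2. authorisation once the home IdP has released attributes: admit the
     visitor on the role asserted by the home institution, without ever
     learning who the person is.
Addresses are taken from the slide; the uta.fi scope, the attribute name
and the admitted roles are assumptions.
"""
from dataclasses import dataclass, field

WAYF_IP = "193.166.0.69"                      # WAYF address on the slide
# origin IP -> the security domain (scope) that origin is allowed to speak for.
# 153.1.6.41 is the UTa origin on the slide; the uta.fi scope is an assumption.
ORIGINS = {"153.1.6.41": "uta.fi"}
# Visited-institution policy (assumption, following slide 5): only staff and
# faculty of other universities get roaming access, not every authenticated user.
ADMITTED_ROLES = {"staff", "faculty"}


@dataclass
class Session:
    client_ip: str
    authorized: bool = False
    granted_role: str = ""
    attributes: dict = field(default_factory=dict)


def preauth_filter(session, dst_ip, dst_port, proto="tcp"):
    """Firewall decision for a packet from a docking-network client.

    Until the ACD has authorised the client, the only thing it may do is
    talk HTTPS to the WAYF or to a known origin. Plain HTTP to anywhere is
    caught by the ACD itself (step 1 on the slide), so it is not listed here.
    """
    if session.authorized:
        return True
    if proto != "tcp" or dst_port != 443:
        return False
    return dst_ip == WAYF_IP or dst_ip in ORIGINS


def authorize(attributes, asserting_origin_ip):
    """Step 5 on the slide: decide from the released attributes only.

    `attributes` is what the origin released to the ACD. The decision needs
    nothing but eduPersonScopedAffiliation (e.g. "staff@uta.fi"); no uid,
    name or e-mail is required, which is the privacy point of slide 7.
    Returns (allowed, reason).
    """
    home_scope = ORIGINS.get(asserting_origin_ip)
    if home_scope is None:
        return False, "attributes did not come from an origin in the federation list"
    for value in attributes.get("eduPersonScopedAffiliation", []):
        role, sep, scope = value.partition("@")
        # An origin may only assert affiliations for its own scope; a UTa
        # origin claiming "staff@helsinki.fi" is ignored rather than trusted.
        if not sep or scope.lower() != home_scope:
            continue
        if role.lower() in ADMITTED_ROLES:
            return True, f"{role.lower()}@{scope.lower()}"
    return False, "home institution asserted no admitted role"


def complete_login(session, attributes, asserting_origin_ip):
    """Apply the authorisation result to the client's session; returns allowed."""
    allowed, reason = authorize(attributes, asserting_origin_ip)
    session.authorized = allowed
    # Only the granted role and scope are kept; the attribute set is not stored.
    session.granted_role = reason if allowed else ""
    return allowed


if __name__ == "__main__":
    bob = Session(client_ip="10.0.0.42")            # constructed client address
    # Before login Bob can reach the WAYF and his origin over HTTPS, nothing else.
    print("WAYF reachable:", preauth_filter(bob, WAYF_IP, 443))
    print("Random host reachable:", preauth_filter(bob, "198.51.100.7", 443))
    # Constructed attribute release from the UTa origin: role and scope only.
    released = {"eduPersonScopedAffiliation": ["member@uta.fi", "staff@uta.fi"]}
    print("Bob admitted:", complete_login(bob, released, "153.1.6.41"), bob.granted_role)
    print("Random host reachable now:", preauth_filter(bob, "198.51.100.7", 443))
    # A student from the same origin is authenticated but not authorised.
    alice = Session(client_ip="10.0.0.43")
    print("Student admitted:", complete_login(alice, {"eduPersonScopedAffiliation": ["student@uta.fi"]}, "153.1.6.41"))
```

The scope check in `authorize` is the part a practitioner should not skip: in a federation the visited institution trusts each origin only for its own security domain, so an affiliation whose scope does not match the asserting origin is dropped rather than honoured.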
7
Benefits
Makes role-based authorisation easy
– the visiting institution makes the access control decision based on the user's role, as provided by her home institution
Preserves privacy
– the user's identity need not be revealed to the visited institution (only her role and home institution are revealed)
Single sign-on
– to shibbolized network and application level services
Brings together network and application level access architecture
– no need for overlapping architectures
8
Downsides
In Europe, cross-organisational and cross-national AAI infrastructure is not as mature as the RADIUS-based hierarchy
– Shibboleth is used in Switzerland, Finland, the UK…
To let the user enter her uid & password at her Shibboleth origin site, the access controller needs to maintain an extensive list of the Shibboleth origin sites in the federation (they must be reachable before authentication)
– the list has to be updated regularly
– however, the federation has to maintain the list anyway
– CASG (see TERENA TF-Mobility deliverable E) can make the maintenance easier
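The maintenance burden described on this slide amounts to: extract from the federation's metadata every Shibboleth origin a visitor might need to reach before authentication, and feed that to the ACD's pre-authentication firewall. The added example below (not part of the presentation or the HUPnet code) does that over a small constructed SAML 2.0 metadata aggregate, which is the format today's Shibboleth federations publish; a 2004 Shibboleth 1.x deployment would have read its sites file instead. Entity IDs, hostnames and the chain name are made up, and the WAYF address from slide 6 would be added to the chain separately since a discovery service is not an IdP. Verification of the metadata signature, which a real ACD must do before trusting the file, is not shown.

```python
"""Derive the ACD's pre-authentication allowlist from federation metadata.

Added example (not from the presentation). Walks a SAML 2.0 metadata
aggregate, keeps the HTTPS SingleSignOnService endpoints of every IdP,
skips SPs, flags plaintext endpoints, and renders iptables rules for a
walled-garden chain. The sample metadata is constructed; entity IDs and
hostnames are made up. Signature verification of the metadata is omitted.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"

# Constructed aggregate: two IdPs (one with a plaintext endpoint) and one SP.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                    Name="urn:mace:example:roaming-federation">
  <EntityDescriptor entityID="https://idp.uta.example/idp/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="https://idp.uta.example/idp/profile/SAML2/Redirect/SSO"/>
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                           Location="https://idp.uta.example:8443/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.jyu.example/shibboleth">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                           Location="http://idp.jyu.example/sso"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.helsinki.example/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                Location="https://sp.helsinki.example/Shibboleth.sso/SAML2/POST" index="1"/>
    </SPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>
"""


def sso_endpoints(metadata_xml):
    """Return (allowlist, rejected) from a metadata aggregate.

    allowlist is a set of (host, port) for HTTPS IdP SSO endpoints; rejected
    lists (entityID, Location) pairs that were not HTTPS. A password typed
    into a plaintext login page is exactly what the walled garden must not
    make possible, so such endpoints are reported rather than opened.
    """
    root = ET.fromstring(metadata_xml)
    allow, rejected = set(), []
    for entity in root.iter(MD + "EntityDescriptor"):
        entity_id = entity.get("entityID", "")
        # SPs carry no IDPSSODescriptor and therefore contribute nothing.
        for idp in entity.findall(MD + "IDPSSODescriptor"):
            for sso in idp.findall(MD + "SingleSignOnService"):
                location = sso.get("Location", "")
                url = urlparse(location)
                if url.scheme != "https" or not url.hostname:
                    rejected.append((entity_id, location))
                    continue
                allow.add((url.hostname.lower(), url.port or 443))
    return allow, rejected


def iptables_rules(allow, chain="HUPNET_PREAUTH"):
    """Render the allowlist as iptables rules for an unauthenticated-client chain.

    iptables resolves hostnames when the rules are loaded, so the chain has to
    be regenerated whenever the metadata or DNS changes: the "updated regularly"
    point on the slide. The final rule drops everything else; the ACD's own
    HTTP capture is assumed to be matched before this chain is reached.
    """
    rules = [f"iptables -N {chain} 2>/dev/null || true", f"iptables -F {chain}"]
    for host, port in sorted(allow):
        rules.append(f"iptables -A {chain} -p tcp -d {host} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A {chain} -j DROP")
    return rules


if __name__ == "__main__":
    allow, rejected = sso_endpoints(SAMPLE_METADATA)
    for entity_id, location in rejected:
        print(f"WARNING: non-HTTPS SSO endpoint for {entity_id}: {location}")
    print("\n".join(iptables_rules(allow)))
```

Run periodically against the signed federation aggregate (after verifying its signature), this replaces the hand-maintained origin list the slide complains about; the rejected list is the place to watch, because a federation member publishing a plaintext endpoint is a problem for the federation, not something the ACD should paper over by opening port 80.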
9
Practical experiment: HUPnet
HUPnet (Helsinki University Public network) has been available for UH staff & students since 2001
– for WLAN and wired (Ethernet) public access in UH premises
– the ACD is a Linux box with a web end-user UI
UH has started piloting a shibbolized access control device (ACD)
– previously: AA was based on RADIUS
– now: Shibboleth; the implementation is to be made publicly available
http://www.helsinki.fi/atk/english/network/HUPnet.html
10
More information
Mikael Linden, Viljo Viitanen. "Roaming network access using Shibboleth", an article in the TERENA Networking Conference 2004
http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165