Do you like to puzzle? …build an AA Infrastructure! DELAMAN Access Group Workshop, November 30th, 2004

Presentation transcript:

1 Do you like to puzzle? …build an AA Infrastructure! DELAMAN Access Group Workshop, November 30th, 2004, Bart.Kerver@SURFnet.nl

2 Presentation contents: Drivers for an AAI; the pieces of the AAI puzzle (network and application access, login, authentication, authorisation, identity management); Federations; Shibboleth; E2E Middleware Diagnostics; Standards; Developments.

3 Authentication and Authorisation Infrastructure (AAI): the Authentication and Authorisation Services, the components for Identity and Privilege Management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.

4 Why AAI? Personalised service provisioning

5 Why AAI? Educational mobility

6 Why AAI? Network mobility

7 Why AAI? Reduce the digital key ring (diagram)

8 Ingredients of an AAI (diagram): network, login, (web) application, authentication, authorisation, administration.

9 Network access: RADIUS proxy hierarchy (diagram of the proxy chain: organisational RADIUS servers A, B and C, national RADIUS proxy servers, a European RADIUS proxy server, and the network).
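An added illustration of how an Access-Request for a roaming user travels through the proxy chain of slide 9 (this is constructed example code, not from the presentation or from any RADIUS implementation): the visited organisation's server forwards by realm to its national proxy, the national proxy forwards to the European proxy when the realm belongs to another country, and the request then descends to the home organisation. Server names and realms are constructed; a realm nobody is authoritative for is rejected rather than forwarded.

```python
class RadiusNode:
    """One RADIUS server or proxy in the hierarchy (constructed model)."""
    def __init__(self, name, realms=()):
        self.name, self.realms = name, set(realms)  # realms served locally
        self.parent, self.children = None, []
    def add(self, child):
        child.parent = self
        self.children.append(child)
        return child
    def ancestors(self):  # self, parent, ..., top-level proxy
        return [self] + (self.parent.ancestors() if self.parent else [])

def realm_of(user_name):
    """'user@realm' -> realm (lower-cased); no '@' means a local account."""
    return user_name.rsplit("@", 1)[1].lower() if "@" in user_name else None

def find_home(node, realm):
    """Depth-first search for the server authoritative for the realm."""
    if realm in node.realms:
        return node
    return next((h for c in node.children if (h := find_home(c, realm))), None)

def route(visited, user_name, top):
    """Names of the servers an Access-Request traverses from the visited
    organisation to the home organisation. None means no server is
    authoritative for the realm: reject locally rather than forward blindly."""
    realm = realm_of(user_name)
    if realm is None:
        return [visited.name]                     # local user, no proxying
    home = find_home(top, realm)
    if home is None:
        return None
    up, down = visited.ancestors(), home.ancestors()
    common = next(n for n in up if n in down)     # lowest common proxy
    path = up[:up.index(common) + 1] + down[:down.index(common)][::-1]
    return [n.name for n in path]

def demo_hierarchy():
    """Constructed hierarchy like the slide: organisational servers A, B, C,
    national proxies for NL and DE, one European proxy."""
    eu = RadiusNode("European proxy")
    nl = eu.add(RadiusNode("National proxy NL"))
    de = eu.add(RadiusNode("National proxy DE"))
    orgs = [nl.add(RadiusNode("Org A", ["uni-a.nl"])),
            nl.add(RadiusNode("Org B", ["uni-b.nl"])),
            de.add(RadiusNode("Org C", ["uni-c.de"]))]
    return eu, {n.name: n for n in [eu, nl, de] + orgs}
```

Every proxy on the path sees only the outer `user@realm`, which is why the visited network learns the home realm but not the user's credentials.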

10 Network access: user-controlled light path provisioning (diagram; components shown: applications, an application AAA broker, AAA brokers for SURFnet6, NetherLight, OMNInet and StarLight services, UDDI/WSIL service discovery, an A-Select token, and the network).

11 – 12 Application access: centralise intelligence (two diagram slides; label shown: applications).

13 Login server: intermediary between application and AA, providing SSO login.

14 Authentication: choose your own method (and strength):
– IP address
– Username / password (LDAP / Active Directory, RADIUS, SQL)
– Passfaces
– PKI certificate
– OTP through SMS
– OTP through internet banking
– Tokens (SecurID, Vasco, …)
– Biometrics
– …

15 Authentication: solutions for web environments, Web Initial Sign-on (WebISO):
– A-Select, SURFnet
– CAS, Yale
– Cosign, Michigan
– Distauth, UC Davis
– eIdentity Web Authentication, Colorado State
– PAPI, RedIRIS
– Pubcookie
– Web AuthN/AuthZ, Michigan Tech
– WebAuth, Stanford
– … etcetera

16 Authorisation: policy engines

17 Authorisation: policy engines, e.g. using ‘roles’

18 Authorisation: three scenarios: 1. Authentication = authorisation (‘simple’); 2. Identity plus a few attributes (‘commonly used’); 3. Privacy-preserving negotiation about the attributes to be exchanged (‘ideal and upcoming’).

19 Authorisation: privilege management

20 Administration: Identity Management. How to record the identities (schemas), credentials (attributes or roles), and privileges? An enterprise (or meta) directory glues all sources of information together; the quality of registration is CRUCIAL for AuthN and AuthZ; it is the underlying basis for an AAI; …and it is a hype…

21 Administration: Identity Management, layers example (diagram): administration layer (SAP/HR, local admin), directory layer (LDAP, ADS), application layer (Exchange, W2K/XP, RADIUS, CAB, Portfolio), network layer (802.1x, WLAN, dial-up).

22 Presentation contents (continued): Drivers for an AAI; the pieces of the AAI puzzle (network and application access, login, authentication, authorisation, identity management); Federations; Shibboleth; E2E Middleware Diagnostics; Standards; Developments.

23 Federations: a Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI, a Federated AAI or an AAI Federation (diagram: Group A, Group B).

24 Cross-domain AA: ingredients for a federation. Policies (e.g. InCommon from Internet2, http://www.incommonfederation.org/): Federation Operating Practices and Procedures; Participant Agreement; Participant Operating Practices. Technologies: protocols / language; schemas; trust / PKI.

25 Cross-domain AA: federation, organisational view (diagram: Group A, Group B).

26 Bird's-eye view of the Shibboleth suite. What is Shibboleth? An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user's privacy; trust relations are created within a federation. What does Shibboleth offer? Authorisation, attribute gathering and privacy-safe transport of attributes. What doesn't Shibboleth do? Out-of-the-box authentication: choose a WebISO (e.g. A-Select). Result at a protected resource after the Shibboleth process: user ID-x with the attributes X, Y wants access to resource Z.

27 Shibboleth mapping of AAI components (diagram: Group A, Group B).

28 Shibboleth components, terminology explained:
1. The user makes an initial request to the resource provider (also referred to as ‘Target’ in Shibboleth terms), which is protected by a Shibboleth Indexical Reference Establisher (SHIRE).
2. The SHIRE redirects the user either directly to a Handle Service (HS), or to the Where Are You From (WAYF) service that locates the HS associated with the user.
3. The SHIRE or WAYF requests a handle for the user from the HS.
4. The HS invokes the Authentication System (AS), and returns a handle to the authenticated user. This handle refers to the user, but does not directly identify him/her. Only the HS knows which user is associated with a certain handle.
5. The Shibboleth Attribute Requestor (SHAR) queries the AA for attributes using the handle it obtained in step 4. Attributes are exchanged using SAML (Security Assertion Markup Language).
6. The SHAR receives the attributes it requested from the AA.
7. The Resource Manager (RM) then decides whether or not to grant access to the user based on these attributes.
Attribute Release Policies (ARP) are the rules that define which attributes are released to which resource providers (targets). The most basic ARP consists of a destination SHAR name and a list of attributes and values that should be released to the SHAR.
Attribute Acceptance Policies (AAP) define which attributes and values are accepted by the SHAR. Only those attributes that are accepted are passed on to the RM; the rest are filtered out. Examples of attributes that might be rejected are attributes that are only trusted from specific AAs (origins), or attributes whose value is expected to come from a small set of enumerated choices (if the value is not in this set, it is discarded).
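The handle-based attribute exchange of slide 28, as an added example (constructed code, not Shibboleth's own): the HS issues an opaque handle, the AA applies the origin's ARP for the requesting SHAR, the SHAR applies its AAP (dropping unknown attributes and enumerated values outside the accepted set), and the RM decides on what is left. User data, attribute names, the SHAR name and all three policies are constructed.

```python
import secrets

# Constructed sample data (not from the slides): users at one origin, plus the
# policies of slide 28. ARP lives at the origin, AAP and the RM rule at the target.
USERS = {"alice": {"eduPersonAffiliation": "student", "displayName": "Alice"},
         "bob":   {"eduPersonAffiliation": "alumni",  "displayName": "Bob"}}
ARP = {"shar.library.example": {"eduPersonAffiliation"}}   # attrs per target SHAR
AAP = {"eduPersonAffiliation": {"student", "staff", "faculty"},  # enumerated values
       "eduPersonEntitlement": None}                           # None: any value
REQUIRED = {"eduPersonAffiliation": "student"}               # the RM's access rule

class HandleService:
    """Issues opaque handles; only the HS can map a handle back to a user."""
    def __init__(self):
        self._handles = {}
    def issue(self, user_id):
        handle = secrets.token_urlsafe(16)   # random, carries no identity
        self._handles[handle] = user_id
        return handle
    def resolve(self, handle):
        return self._handles.get(handle)

def attribute_authority(hs, handle, shar_name):
    """AA: resolve the handle and release only what the ARP allows this SHAR."""
    user = hs.resolve(handle)
    allowed = ARP.get(shar_name, set())
    return {k: v for k, v in USERS.get(user, {}).items() if k in allowed}

def apply_aap(attrs):
    """SHAR: keep accepted attributes; drop enumerated values outside the set."""
    accepted = {}
    for name, value in attrs.items():
        if name in AAP and (AAP[name] is None or value in AAP[name]):
            accepted[name] = value
    return accepted

def shibboleth_flow(user_id, shar_name):
    """One access attempt: returns (released, accepted, granted)."""
    hs = HandleService()
    handle = hs.issue(user_id)                             # steps 3-4
    released = attribute_authority(hs, handle, shar_name)  # steps 5-6 (SAML)
    accepted = apply_aap(released)                         # AAP at the SHAR
    granted = all(accepted.get(k) == v for k, v in REQUIRED.items())  # step 7, RM
    return released, accepted, granted
```

The displayName never leaves the origin because the ARP does not list it, and bob's out-of-set affiliation is discarded by the AAP before the RM ever sees it.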

29 E2E middleware diagnostics: what if there's an error? (diagram): security-related, middleware-related and network-related events are collected and normalised and then disseminated, so that diagnostic applications (middleware, network, security) can extract event data from multiple data sets (Group A, Group B).

30 E2E middleware diagnostics: what if there's an error? (diagram): hosts and network devices deliver application, system or security events (LDAP, DNS, web-app) and network events (Netflow) to an archive, which feeds network forensics, combined forensics and reporting, general forensics and reporting, and a user diagnostics application, across enterprise and federation (Group A, Group B).

31 What about… …standards? Currently many proprietary solutions (sockets, cookies, redirects, …); web services (SOAP, XML-RPC, WSDL, WS-*); SAML. For federations: WS-Federation (Microsoft, IBM); SAML (OASIS: 150 companies, Internet2); Liberty Alliance (Sun, 170 companies).

32 What about… …developments (in the research world)? Australia: start with Shibboleth. Europe: a combination of Shibboleth and ‘home-grown’ solutions. USA: Shibboleth. European project Geant2: GN2-JRA5, focused on a European AAI and SSO for network and applications. Need for: converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle; universal single sign-on across the network and application domains; attention to non-web-based applications.

33 References: Identity Management; AAI Terminology; EduRoam; A-Select weblogin; Privilege Management; Intro on federations; Internet2 Federation; Swiss Federation; End-to-end diagnostics.

34 Questions?

35 To conclude, a possible future: a DELAMAN Federation based on Shibboleth? (diagram): a Delaman Foundation with a Board of Founders, an Advisory Committee and an Operations Committee runs the central AAI services of the Delaman Federation; foundation members and foundation partners (institutes, research, universities, libraries) act as home organisations and service providers offering resources, with service subscription and resource registration.
