Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University.

Published byDamian Ferguson Modified over 9 years ago

Similar presentations

Presentation on theme: "Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University."— Presentation transcript:

1 Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University of Stuttgart TNC 2008, Bruges, 20.05.2008

2 Connect. Communicate. Collaborate Universität Stuttgart Overview Single Sign On unified Single Sign On eduToken Token-based uSSO Profile Conclusion

3 Connect. Communicate. Collaborate Universität Stuttgart Single Sign On Single Sign On (SSO): authenticate once for access to multiple (web) resources SSO in a federated AAI: only one pair of credentials is needed (this is no automated password-entering) SSO with eduGAIN: SSO becomes possible in a heterogeneous environment, by building a confederation

4 Connect. Communicate. Collaborate Universität Stuttgart Single Sign On Advantages: –User friendly, saves time Esp. with more secure authentication methods –Higher security: password transmitted only once –Higher security: one password can be remembered, dozens of them hardly –Phishing protection: the Identity Provider is “known” (URL, certificate) Disadvantages: –Higher risk: one stolen password gives access to many resources

5 Connect. Communicate. Collaborate Universität Stuttgart unified Single Sign On NEW unified Single Sign On (uSSO): authenticate once for access to network and application resources (this) uSSO is built on: –eduroam: federated, secure access to network resources –eduGAIN: (con-)federated, secure access to web resources (and other applications  “Grid”)

6 Connect. Communicate. Collaborate Universität Stuttgart unified Single Sign On Connect. Communicate. Collaborate

7 Universität Stuttgart unified Single Sign On Advantages of uSSO: –SSO advantages, but extended to the network –WAYF problem can be solved –Usable for non-web resources and services (Grid) –Usable with eduGAIN  several web AAI middlewares (Shibboleth, PAPI – Spain, A-Select – Netherlands, …) Disadvantages of uSSO: –Additional (client) middleware needed –Requires eduroam and some AAI

8 Connect. Communicate. Collaborate Universität Stuttgart unified Single Sign On Six steps: 1.Authentication at layer 2 with 802.1x, using eduroam 2.Transport a token over eduroam 3.Put into secure token store on user’s device 4.Get network access (get IP address) 5.Authentication at the application layer, using eduGAIN 6.Use the token as prove of authentication

9 Connect. Communicate. Collaborate Universität Stuttgart eduToken The uSSO token is called eduToken It must express: –Who has been authenticated, –When, –By whom, –Using which method –How long the eduToken is valid

10 Connect. Communicate. Collaborate Universität Stuttgart eduToken SAML 1 Assertion –Issuer –Issue Instant –Condition: Not On Or After –Authentication Statement Authentication Instant + Method Subject – Name Identifier It is digitally signed + by a trusted entity eduToken = SAML Assertion + Authentication Statement

11 Connect. Communicate. Collaborate Universität Stuttgart Token-based uSSO Profile User’s Device: Browser: with Java-Plugin uSSO Client: Token Manager, Java application Service Domain: SP: Service Provider, e.g. Shibboleth, unmodified Token Fetcher Applet R-BE: remote eduGAIN Bridging Element, modified

12 Connect. Communicate. Collaborate Universität Stuttgart Token-based uSSO Profile Connect. Communicate. Collaborate

13 Universität Stuttgart Token-based uSSO Profile eduGAIN Bridging Element (BE): Map local federation language to eduGAIN language Central - per federation, or distributed - per institution Part of the eduGAIN circle of trust Remote BE (R-BE): Towards the SP: act like an IdP of the local federation Towards eduGAIN: talk to the Home BE

14 Connect. Communicate. Collaborate Universität Stuttgart Token-based uSSO Profile Token-enabled R-BE: Towards the SP: as usual Towards eduGAIN: not necessary (except attribute-pull) NEW Towards the client: request the eduToken, receive it (validation as usual – eduToken is in native eduGAIN language) –Token Request = an active component able to reach “outside” the browser –Implemented here as a signed Java Applet

15 Connect. Communicate. Collaborate Universität Stuttgart Token-based uSSO Profile Token-enabled R-BE (continued): Implementation, Deployment: –1 Tomcat –1 Java Servlet –1 Java Keystore –1 Applet

16 Connect. Communicate. Collaborate Universität Stuttgart Conclusion The implementation provides: unified Single Sign On: “open your laptop and be signed on” The concept also enables: Simplified Where Are You From No IdP interaction (  privacy) SSO for non-web applications / for local applications

17 Connect. Communicate. Collaborate Universität Stuttgart Questions? Any questions or comments? DAMe website: http://dame.inf.um.es/ DAMe mailing list: gn2-dame@dante.org.uk GÉANT2-JRA5 website: http://www.geant2.net/jra5

Download ppt "Connect. Communicate. Collaborate Universität Stuttgart A Client Middleware for Token- Based Unified Single Sign On to eduGAIN Sascha Neinert, University."

Similar presentations

Secure Single Sign-On Across Security Domains

Secure Single Sign-On Across Security Domains
Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Federated Identity for Grid Architects Tom Scavo NCSA

Federated Identity for Grid Architects Tom Scavo NCSA
Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
1. Introducing Java Computing  What is Java Computing?  Why Java Computing?  Enterprise Java Computing  Java and Internet Web Server.

1. Introducing Java Computing  What is Java Computing?  Why Java Computing?  Enterprise Java Computing  Java and Internet Web Server.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.

Shibboleth 2.0 IdP Training: Basics and Installation January, 2009.
Connect. Communicate. Collaborate Federation peering à la European The eduGAIN way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate Federation peering à la European The eduGAIN way Diego R. Lopez - RedIRIS.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
SWITCHaai Team Introduction to Shibboleth.

SWITCHaai Team Introduction to Shibboleth.
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.
Identity Management Report By Jean Carreon and Marlon Gonzales.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Similar presentations

Ads by Google