
Federated identity on a pan-European scale



Presentation Transcript


  1. Federated identity on a pan-European scale Klaas Wierenga <kwiereng@cisco.com> eResearch Australasia Melbourne, 30 September 2008

  2. Agenda • Intro • eduroam • eduGAIN • DAMe • Conclusions and next steps

  3. WAYF • Cisco Consulting Engineering, office of the CTO • Before that >12 years at SURFnet • Activity leader of the roaming activity in Geant2 • Creator of eduroam • Co-creator of A-Select • Chair of TF-Mobility • Member of ECAM

  4. Vision • “Create an open European research area by establishing interoperable access to the networks that interconnect to form the research networking supply chain in Europe.” • The multiple networks must appear to be one seamless resource. • Create interoperable systems at the network and service level for: • roaming, • verifying users' identities and associated rights or privileges (authentication), • granting access to resources (authorisation)

  5. Activities • Building on work done in TERENA taskforces Mobility and EMC2 on eduroam and federated applications • Create a pan-European roaming infrastructure for network access for HigherEd (eduroam) • Create a pan-European authentication and authorisation infrastructure by connecting the existing federations in HigherEd (eduGAIN) • Create universal single sign on by integrating the former two (DAMe)

  6. The goal of eduroam • “open your laptop and be online” • To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources

  7. eduroam (figure: supplicant → authenticator (AP or switch) → RADIUS server of the visited University A → central RADIUS proxy server at SURFnet → RADIUS server of the home University B, each university with its own user DB; the guest piet@university_b.nl is authenticated by University B and placed into a VLAN at the visited site (student, employee or commercial VLAN); signalling and data paths are drawn separately; source: SURFnet) • Trust based on RADIUS plus policy documents • 802.1X (spin-off: SecureW2) • VLAN assignment signalled back to the visited site
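The routing step the figure shows, as an added example that is not part of the slides or of eduroam's own code: a national proxy receives an Access-Request from a known peer, checks the packet against that peer's shared secret (in plain RADIUS, trust is "this source address with this secret"), takes the realm from the outer identity and forwards either to the institution, or up to the top-level proxy, or rejects. The realm table, proxy name, secrets and the sample request are all constructed for illustration.

```python
# Added example, not from the slides: realm-based forwarding as an eduroam-style national
# RADIUS proxy does it, with the Message-Authenticator check (RFC 3579) on the relayed packet.
# Realm table, proxy names, peer addresses, shared secrets and sample packet are constructed.
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_MESSAGE_AUTHENTICATOR = 80   # HMAC-MD5 over the packet, keyed with the shared secret

# Constructed routing table: known domestic realms go to the institution's RADIUS server,
# foreign realms go up the hierarchy to the (hypothetical) top-level proxy.
NATIONAL_SUFFIX = ".nl"
INSTITUTIONS = {
    "university_a.nl": "radius.university_a.nl",
    "university_b.nl": "radius.university_b.nl",
}
TOP_LEVEL_PROXY = "tlr.eduroam.example"

# Plain RADIUS trust model: one shared secret per peer address (constructed values).
PEER_SECRETS = {
    "192.0.2.10": b"secret-university-a",
    "192.0.2.20": b"secret-university-b",
}


def _attr(type_: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute: type, total length, value."""
    return bytes([type_, 2 + len(value)]) + value


def build_access_request(user_name: str, secret: bytes, ident: int = 1) -> bytes:
    """Build an Access-Request carrying User-Name and a valid Message-Authenticator."""
    authenticator = os.urandom(16)                    # Request Authenticator: random per request
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    packet = struct.pack("!BBH16s", ACCESS_REQUEST, ident, 20 + len(attrs), authenticator) + attrs
    # The HMAC is computed with the Message-Authenticator value zeroed, then written in place.
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def parse_attributes(packet: bytes) -> list:
    """Return [(type, value_offset, value)] after checking header and attribute lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attr_len = packet[pos + 1]
        attrs.append((packet[pos], pos + 2, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if a Message-Authenticator is present and matches the shared secret."""
    for type_, off, value in parse_attributes(packet):
        if type_ == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:off] + bytes(16) + packet[off + 16:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False                                      # absent: refuse to proxy it


def realm_of(user_name: str) -> Optional[str]:
    """Realm of the outer identity: the part after the last '@', lower-cased; None if absent."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def next_hop(realm: Optional[str]) -> Optional[str]:
    """Where the national proxy forwards a request for this realm; None means reject here."""
    if realm is None:
        return None                                   # no realm: unroutable
    if realm in INSTITUTIONS:
        return INSTITUTIONS[realm]
    if realm.endswith(NATIONAL_SUFFIX):
        return None                                   # unknown domestic realm: do not bounce it upstream
    return TOP_LEVEL_PROXY                            # foreign realm: up the hierarchy


def route(packet: bytes, src_ip: str) -> Optional[str]:
    """Authenticate the peer and the packet, then pick the next hop for its User-Name."""
    secret = PEER_SECRETS.get(src_ip)
    if secret is None or not verify_message_authenticator(packet, secret):
        return None
    for type_, _off, value in parse_attributes(packet):
        if type_ == ATTR_USER_NAME:
            return next_hop(realm_of(value.decode("utf-8", "replace")))
    return None


if __name__ == "__main__":
    pkt = build_access_request("piet@university_b.nl", PEER_SECRETS["192.0.2.10"])
    print(route(pkt, "192.0.2.10"))                   # radius.university_b.nl
```

Two of the rejections are the ones worth copying: a request with no realm is dropped rather than sent upstream, and an unknown realm under the proxy's own national suffix is rejected locally, so a typo in a realm cannot be bounced around the hierarchy.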

  8. eduroam status (world map) • New trial with Internet2 • Isolated trials in Latin America • US experiment with I2 (failed) • Canada member since June 2008

  9. Spin-off: RadSec • eduroam problems: • dead peer discovery • fragmentation • managing shared-secret/IP-address-based trust • static hierarchy • DIAMETER not available • RADIUS with: • TLS • TCP • draft-ietf-radext-radsec-01.txt, draft-dekok-radext-tcp-transport-00.txt • implementations in Radiator, FreeRADIUS (in progress), RadSecProxy, and OpenWRT and Lancom APs
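What the move from UDP to TCP changes for the receiver, as an added example that is not from the slides or from any RadSec implementation: over UDP one datagram is one RADIUS packet, but over TCP (and so over TLS) packets arrive as a byte stream that the transport may split or coalesce, so the receiver has to cut the stream on the Length field of the RADIUS header instead of relying on datagram boundaries. The sample packets are constructed.

```python
# Added example, not from the slides: framing RADIUS packets on a TCP/TLS (RadSec) byte stream.
# The sample packets below are constructed; they carry a zero authenticator and are not real requests.
import struct

HEADER_LEN = 4             # code, identifier, length; the 16-byte authenticator follows
MIN_LEN, MAX_LEN = 20, 4096


class RadiusStreamReader:
    """Accumulates stream bytes and returns complete RADIUS packets as they become available."""

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> list:
        self._buf += data
        packets = []
        while len(self._buf) >= HEADER_LEN:
            length = struct.unpack("!H", self._buf[2:4])[0]
            if not MIN_LEN <= length <= MAX_LEN:
                # A bad Length means we have lost sync with the peer. On a stream the only safe
                # action is to drop the connection; guessing where the next packet starts is not.
                raise ValueError(f"invalid RADIUS length {length}, closing connection")
            if len(self._buf) < length:
                break                                  # wait for the rest of this packet
            packets.append(bytes(self._buf[:length]))
            del self._buf[:length]
        return packets

    def pending(self) -> int:
        """Bytes of an incomplete packet still waiting in the buffer."""
        return len(self._buf)


def make_packet(code: int, ident: int, attributes: bytes = b"") -> bytes:
    """Constructed test packet: header with the correct Length and a zero authenticator."""
    return struct.pack("!BBH16s", code, ident, MIN_LEN + len(attributes), bytes(16)) + attributes


def split_stream(chunks) -> list:
    """Feed a sequence of stream chunks through one reader; return every packet recovered."""
    reader = RadiusStreamReader()
    packets = []
    for chunk in chunks:
        packets.extend(reader.feed(chunk))
    return packets
```

The same connection state is what solves the other two items on the slide: a peer whose TCP connection is gone is known to be dead without timeouts on lost datagrams, and with TLS the peer is identified by its certificate rather than by a source address and a per-peer secret (the later RFC 6614 fixes the RADIUS shared secret to the literal string "radsec" for exactly that reason).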

  10. eduGAIN • Bridging existing federations in HigherEd • Existing federations based on: • Shibboleth 1.3 • A-Select • PAPI • Sun Access Manager • WS-Federation • SAML 2.0 (Shibboleth and Liberty Alliance) • Lingua franca for interconnect: SAML

  11. The eduGAIN model (figure: federations publish their metadata to the Metadata Service (MDS) and query it; the remote and home Federation Peering Points (R-FPP, H-FPP) and the remote and home Bridging Elements (R-BE, H-BE) carry the AA interactions between resource(s) and identity repository(ies); source: JRA5 team)
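The consumer side of the metadata exchange in the figure, as an added example that is not from the slides or from eduGAIN's software: a peer loads a SAML 2.0 metadata aggregate of the kind the MDS publishes, drops entries whose validUntil has passed, picks the SSO endpoint for a binding, and applies the scope check that stops one federation's IdP from asserting identities under another's domain. The aggregate, entity IDs, endpoints and dates are constructed; the element names are those of the SAML 2.0 metadata standard and the shibmd:Scope extension federations use.

```python
# Added example, not from the slides: consuming a SAML 2.0 metadata aggregate as an
# eduGAIN-style peer would. The aggregate and every value in it are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "shibmd": "urn:mace:shibboleth:metadata:1.0",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed aggregate: one IdP still valid in 2008, one whose metadata has expired.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" Name="federation-b.example">
  <md:EntityDescriptor entityID="https://idp.university_b.nl/saml" validUntil="2008-12-31T23:59:59Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:Extensions><shibmd:Scope regexp="false">university_b.nl</shibmd:Scope></md:Extensions>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.university_b.nl/saml/redirect"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.university_b.nl/saml/post"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.old.example/saml" validUntil="2007-06-30T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.old.example/saml/redirect"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_idps(xml_text: str, now_iso: str) -> dict:
    """Map entityID -> {'sso': {binding: location}, 'scopes': [...]} for IdPs valid at now_iso.
    Expired entries are dropped: their keys and endpoints may have been rotated or withdrawn."""
    now = _parse_time(now_iso)
    idps = {}
    for ent in ET.fromstring(xml_text).iterfind("md:EntityDescriptor", NS):
        valid_until = ent.get("validUntil")
        if valid_until is not None and _parse_time(valid_until) < now:
            continue
        role = ent.find("md:IDPSSODescriptor", NS)
        if role is None:
            continue
        idps[ent.get("entityID")] = {
            "sso": {s.get("Binding"): s.get("Location")
                    for s in role.iterfind("md:SingleSignOnService", NS)},
            "scopes": [s.text.strip().lower()
                       for s in role.iterfind("md:Extensions/shibmd:Scope", NS)
                       if s.get("regexp", "false") == "false"],
        }
    return idps


def sso_endpoint(idps: dict, entity_id: str, binding: str = HTTP_REDIRECT) -> Optional[str]:
    """Endpoint to send the AuthnRequest to, or None if the IdP or binding is unknown."""
    return idps.get(entity_id, {}).get("sso", {}).get(binding)


def may_assert_scope(idps: dict, entity_id: str, scoped_value: str) -> bool:
    """Scope check: accept user@scope from an IdP only if its metadata lists that scope."""
    if "@" not in scoped_value:
        return False
    scope = scoped_value.rsplit("@", 1)[1].lower()
    return scope in idps.get(entity_id, {}).get("scopes", [])
```

The scope check is the one most often skipped: without it, any IdP admitted to the interconnect can mint `someone@university_a.nl` and a resource that keys authorisation on the scoped value will believe it.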

  12. WebSSO in practice: current inter-federation usage (figure: a nine-step sequence in which user johnd authenticates with a password at the home side and attributes are handed to the resource; source: RedIRIS)

  13. Spin-off: SimpleSAMLphp • Started as bridging software for eduGAIN • Bridges between: SAML 1.1, SAML 2.0, A-Select, PAPI, Shibboleth 1.3, WS-Fed • Now IdP and SP for SAML 1.1 and 2.0 as well as an OpenID IdP • User consent module • http://rnd.feide.no/simplesamlphp • Attend the workshop on Friday!

  14. Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe) • DAMe is a project that builds upon: • eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, • Shibboleth and eduGAIN • NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.
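The decision DAMe moves into the federation, in miniature, as an added example that is not from the DAMe project: the visited site receives the user's SAML attributes, evaluates an attribute-based policy (here a small first-applicable rule list standing in for an XACML policy; it is not XACML and does not parse it), and turns a Permit into the RFC 3580 tunnel attributes that a RADIUS Access-Accept uses to put the 802.1X session into a VLAN, closing the loop back to the eduroam side. Policy, attribute names' values and VLAN numbers are constructed.

```python
# Added example, not from the DAMe project: attribute-based network authorisation
# (a simplified stand-in for NAS-SAML's XACML evaluation) producing the RFC 3580
# VLAN attributes for an Access-Accept. Policy, attribute values and VLANs are constructed.
from typing import Optional

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN, IEEE_802 = 13, 6                   # Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802

# Constructed policy, evaluated first-applicable: (conditions, effect, vlan).
# Conditions map attribute name -> value that must be among the (multi-valued) attribute's values.
# Order matters: the alum Deny is placed before the generic member Permit on purpose.
POLICY = [
    ({"eduPersonScopedAffiliation": "staff@university_b.nl"}, "Permit", 20),   # home staff
    ({"eduPersonAffiliation": "student", "schacHomeOrganization": "university_b.nl"}, "Permit", 30),
    ({"eduPersonAffiliation": "alum"}, "Deny", None),
    ({"eduPersonAffiliation": "member"}, "Permit", 40),                         # visiting member: guest VLAN
]


def decide(attributes: dict) -> tuple:
    """First-applicable combining with Deny as the default: returns (effect, vlan)."""
    for conditions, effect, vlan in POLICY:
        if all(value in attributes.get(name, ()) for name, value in conditions.items()):
            return effect, vlan
    return "Deny", None


def _tagged(attr_type: int, value: bytes, tag: int = 1) -> bytes:
    """Tunnel attributes carry a one-byte tag before the value (RFC 2868 encoding)."""
    return bytes([attr_type, 3 + len(value), tag]) + value


def vlan_attributes(vlan: int) -> bytes:
    """The three attributes a switch or AP needs to assign the session's VLAN."""
    return (_tagged(TUNNEL_TYPE, VLAN.to_bytes(3, "big"))
            + _tagged(TUNNEL_MEDIUM_TYPE, IEEE_802.to_bytes(3, "big"))
            + _tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))


def access_reply(attributes: dict) -> tuple:
    """('Access-Accept', attribute bytes) on Permit, otherwise ('Access-Reject', b'')."""
    effect, vlan = decide(attributes)
    if effect != "Permit" or vlan is None:
        return "Access-Reject", b""
    return "Access-Accept", vlan_attributes(vlan)
```

Deny by default and explicit rule order are the two properties to keep when this grows into a real policy engine: a user who is both member and alum falls into the Deny rule only because it is listed before the guest rule.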

  15. Unified Single Sign-on (figure; source: DAMe project)

  16. Summary • eduroam is happening • Federations are happening • The European federation of federations is happening • The grand unifier is SAML 2.0 • This will create an open European research area (open for collaboration with other research areas ;-)

  17. References • TERENA TF-Mobility • http://www.terena.org/activities/tf-mobility/ • TERENA TF-EMC2 • http://www.terena.org/activities/tf-emc2/ • ECAM • http://www.terena.org/activities/tf-emc2/ecam/ • European Federations: • http://wiki.rediris.es/tf-emc2/index.php/Federations • Geant2 JRA5 • http://www.geant2.net/server/show/nav.00d00a005 • DAMe • http://dame.inf.um.es/
