
SURFnet AAI – A-Select ideas for new features

TF-A ACE, 06-06-2004. Bart Kerver, SURFnet.





Presentation Transcript


  1. SURFnet AAI – A-Select ideas for new features. TF-A ACE, 06-06-2004. Bart Kerver, SURFnet

  2. AAI at SURFnet (“focus within innovation on AuthN/AuthZ middleware”)
     • Authentication and Authentication Infrastructure
     • 2 pillars:
       • (Guest) Network Access: EduRoam/802.1X
       • Application Access with SSO: A-Select
     • Now working on integration of the two:
       • the current A-Select implementation is lacking some features and has some limitations;
       • to differentiate it from the current implementation (and ongoing work!), the project name is ‘A-Select NA’.

  3. Brief: current A-Select features (“what you always wanted to know but never dared to ask…”)
     • Web login system
     • One interface to apps
     • Multiple authN methods (AuthSPs)
     • Single sign-on
     • Notion of authN strengths or levels
     • Components: server, agent, filter, user db
     • Highly portable & modular (Java)
     • Simple access control (id, authN-institute-id)
     • Simple cross-domain communication
     • License: free for the non-profit world, world-wide; soon open source
     • “Batteries included” (applications, docs, support)

  4. Experiences with AuthN in NL (“what we see in/with deployments”)
     • Shibboleth implementations are lagging behind; complaints: complex to set up, no cross-organization use (‘I’m all alone’), lack of packaging, no need (yet) for all the features.
     • A-Select and Shibboleth are complementary, so future-proof.
     • Authentication is great, but with just a few attributes it would be perfect!
     • Cross-organization authentication in A-Select is powerful and appreciated, but doesn’t fully scale (e.g. public libraries build a proxy to solve the peer-to-peer problem).
     • The main focus/implementation on HTTP needs enrichment.
     • There is a need for universal SSO (network + apps).

  5. A-Select future: main ingredients
     • Centralized around cross-domain use & federations;
     • Tight(er) integration with Shibboleth (SAML);
     • Link with modular AuthZ engines (Shibboleth, SPOCP, MS, …);
     • (Very) basic attribute acquisition and transport;
     • Modular, with connectors (protocols) for interoperability;
     • Not just focused on web applications: implementations for network, web service and HTTP.

  6. Rudimentary implementation ideas
     • Split up the ‘finding service’ and the ‘exchanging credentials service’;
     • Use the RADIUS infrastructure for ‘finding’ end points (A-Select Servers): a scalable way to find an A-Select Server anywhere in the world;
     • Exchange credentials over an end-to-end secured link (EAP-A-Select / SSL tunnel / other PKI);
     • The A-Select NA core could have 5 major components:
       • Modular AuthN [external]
       • Modular AuthZ [external]
       • Modular attribute gathering [external, and only rudimentary?]
       • Modular protocol connectors [internal]: e.g. SAML, XML-RPC, A-Select 1.x, RADIUS; the core should be able to translate between them
       • Server–server communications [internal]: trust, federation handling

  7. [Architecture diagram: the A-Select CORE in the middle, surrounded by its pluggable parts]
     • AuthN: Username/Passwd, Banking Cards, SMS, Passfaces, RSA (soft) certs, EAP-SIM?, …
     • AuthZ: Shibboleth, SPOCP, UVA-AAA, MS, …
     • Attributes: LDAP, Active Directory, SIP2, …
     • Protocols: A-Select 1.x, SAML, XML/RPC, SOAP, “EAP/A-Select”, RADIUS, LDAP
     • Communication paths: Server – Server, Server – Client, Server – Agents/Apps, Server – network, Finding/Federation Comm.

  8. [Diagram: hierarchical realm tree for ‘finding’ an A-Select Server, modelled on DNS domains]
     • .EU (European Toplevel)
       • .UK (United Kingdom Toplevel)
         • ac.uk
           • ox.ac.uk
           • man.ac.uk
         • .co.uk
       • .NL (Dutch Toplevel)
         • .UVA.NL
           • X.UVA.NL
           • Y.UVA.NL
         • .UU.NL
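The ‘finding service’ of slide 6 and the realm tree of slide 8 together describe a RADIUS-style lookup: walk from a user’s most specific realm upward until an endpoint that speaks for that realm (or a parent) is found. The following is an added illustration of that walk, not A-Select’s own code; the registry, the endpoint host names and the identity format `user@realm` are constructed assumptions.

```python
# Added illustration of realm-based endpoint finding over a slide-8 style
# hierarchy (eduroam/RADIUS-proxy model). Constructed data; not A-Select code.
import re

# Realm must look like a DNS name: labels of letters/digits/hyphens, no
# leading/trailing hyphen, no empty labels. Rejecting junk here keeps a bad
# identifier from being forwarded blindly up the tree.
REALM_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)

# Constructed registry: realm -> endpoint that speaks for it. An entry also
# proxies for everything below it unless a more specific entry exists.
ENDPOINTS = {
    "eu": "aselect-proxy.example.eu",
    "uk": "aselect-proxy.example.uk",
    "ac.uk": "aselect-proxy.example.ac.uk",
    "nl": "aselect-proxy.example.nl",
    "uva.nl": "aselect.uva.example.nl",
    "uu.nl": "aselect.uu.example.nl",
}


def split_realm(identity):
    """Return the normalised realm of 'user@realm', or None if malformed."""
    if identity.count("@") != 1:
        return None
    user, realm = identity.split("@")
    realm = realm.lower().rstrip(".")
    if not user or not REALM_RE.match(realm):
        return None
    return realm


def find_endpoint(identity, registry=ENDPOINTS):
    """Walk from the most specific realm to the top level.

    Returns (matched_realm, endpoint) for the closest registered realm, or
    None when the identity is malformed or no ancestor realm is known.
    """
    realm = split_realm(identity)
    if realm is None:
        return None
    labels = realm.split(".")
    for i in range(len(labels)):          # x.uva.nl -> uva.nl -> nl
        candidate = ".".join(labels[i:])
        if candidate in registry:
            return candidate, registry[candidate]
    return None                            # unknown tree: nothing to forward to
```

An unknown sub-realm such as `X.UVA.NL` is routed to the `uva.nl` server, while a realm outside the tree (or a malformed identifier) yields no endpoint rather than a default proxy.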
