eduGAIN profiles And how they are applied

1. eduGAIN profilesAnd how they are applied Diego R. Lopez - RedIRIS Jürgen Rauschenbach -DFN DICE meeting @ Bruges May 2008

2. eduGAIN in a Nutshell • Based on the national federations, operated by NRENs • And a community-operated one: EFDA-Fed • eduGAIN is a confederation infrastructure • Federates federations • SAML 1.1 (and soon SAML 2.0) is the lingua franca • Specific software developed • eduGAIN base libraries (Java) • simpleSAMLphp (PHP) • eduGAINFilter (javax.servlet.filter) • Direct use of Shibboleth 2.0 being investigated

3. Confederation Service Elements • Metadata Service - MDS • Repository of metadata of all connected IdPs and SPs • Upload by authorised components • Queried by user interfaces or autonomous services • PKI • Establishes component identity • Multi-rooted • Includes component identifiers • Verified at the registry • URN Registry • Unique, well-structured component identifiers • Delegation schema • Attribute Mapping or Credential Conversion service • Coding about to start

4. eduGAIN Profiles • WebSSO • Shib 1.3 for SAML 1.1 • SAML2 (except artifact-based) for SAML 2.0 • AC • Certificates plus optional attribute access • UbC • Convey user credentials introduced at the client • WE • Constrained delegation • DAMe

5. Connect. Communicate. Collaborate WebSSO Profile

6. Connect. Communicate. Collaborate Attr. johnd Pa$$wD Attr. Attr. 1 2 9 3 6 7 8 5 4 WebSSO in PracticeCurrent Inter-Federation Usage

7. Preparing for WebSSO • Select a suitable BE and put it at the appropriate place • Top of your federation • Co-located with your SP/IdP • As your only SP/IdP • Optionally, register your BE in your local federation • Get component identifier(s) • Obtain certificate containing component identifier(s) • Deploy the BE using the certificate • Register your metadata at the MDS

8. Connect. Communicate. Collaborate AC Profile

9. Connect. Communicate. Collaborate AC in PracticeThe perfSONAR Case • Unique and non-transferable ID for each client • URN obtained from eduGAIN registry service • Private and public key valid in the eduGAIN trust model • Subject Alternative Name of the cert contains the URN • Obtained from eduGAIN PKI • Security Token is based on the X.509 certificate

10. Preparing for AC • Incorporate software able to generate requests according to the profile • Currently, part of the perfSONAR codebase • Seems easy to generalize • Deploy and configure a Home BE (H-BE) if you do not have one • Including registration and certificate • Register an URN/branch for your client(s) • Optionally, assign individual identifiers • Obtain certificate(s) containing component identifier(s) • Incorporate data about the clients at your H-BE • Deploy the clients

11. Connect. Communicate. Collaborate UbC Profile

12. Connect. Communicate. Collaborate UbC in PracticeThe perfSONAR Case • A similar case to AC • An online CA for getting the certificate: SASL CA

13. Preparing for UbC • Incorporate software able to generate requests according to the profile • Currently, part of the perfSONAR codebase • Seems easy to generalize • Deploy and configure a Home BE (H-BE) if you do not have one • Including registration and certificate • Deploy and configure a SASL online CA • Including certificate • It must have direct access to user credentials • It must be able to provide a session to user attributes • Deploy the clients

14. Why Current UbC Does Not Fly... And How To Fix It • Deployment and configuration of the SASLCA • Certificate... Stretches CA policy to the limit • User credentials... Where to locate it • Session to user attributes... How to establish the link • Use an already existing credential exchange infrastructure • Aligned with CA policies • Pervasive • With a profile allowing attribute retrieval • Hey, we have the eduroam infrastructure! • DAMe extensions to convey attributes • And RadSec to enable H-BE location

15. Connect. Communicate. Collaborate UbC Profile Revisited

16. Preparing for New UbC • Incorporate software able to generate requests according to the profile • Can be based on the DAMe codebase • And the relayed-trust management library • Deploy and configure a Home BE (H-BE) if you do not have one • Including registration and certificate • Deploy and configure a RadSec server • Including certificate • Several choices: FreeRadius, radsecproxy,... • Enable the DAMe extensions • Deploy the clients

17. Connect. Communicate. Collaborate WE Profile

18. Connect. Communicate. Collaborate WE Profile in PracticeThe perfSONAR Case • Uses the eduGAIN webSSO profile • SAML assertions contain user’s credentials • Clients must have a pair of keys valid in the eduGAIN trust model • Security Token is based on SAML assertions

19. Connect. Communicate. Collaborate WE Profile in PracticeThe AutoBAHN Case • User authN is performed through eduGAINFilter • DM fetches user data and includes it in the WS message using SAML Parser • Each IDM may use the data to perform authorization locally

20. Preparing for WE • Deploy a H-BE according to WebSSO requirements • Deploy and configure eduGAINFilter as R-BE for the client • Similar solution for other environments being considered • Install and configure the relayed-trust software • In the perfSONAR codebase • Working in its generalization • Needs a specific identifier and certificate