1 / 20

eduGAIN profiles And how they are applied

eduGAIN profiles And how they are applied. Diego R. Lopez - RedIRIS Jürgen Rauschenbach -DFN DICE meeting @ Bruges May 2008. eduGAIN in a Nutshell. Based on the national federations, operated by NRENs And a community-operated one: EFDA-Fed eduGAIN is a confederation infrastructure

arnie
Download Presentation

eduGAIN profiles And how they are applied

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. eduGAIN profilesAnd how they are applied Diego R. Lopez - RedIRIS Jürgen Rauschenbach -DFN DICE meeting @ Bruges May 2008

  2. eduGAIN in a Nutshell • Based on the national federations, operated by NRENs • And a community-operated one: EFDA-Fed • eduGAIN is a confederation infrastructure • Federates federations • SAML 1.1 (and soon SAML 2.0) is the lingua franca • Specific software developed • eduGAIN base libraries (Java) • simpleSAMLphp (PHP) • eduGAINFilter (javax.servlet.filter) • Direct use of Shibboleth 2.0 being investigated

  3. Confederation Service Elements • Metadata Service - MDS • Repository of metadata of all connected IdPs and SPs • Upload by authorised components • Queried by user interfaces or autonomous services • PKI • Establishes component identity • Multi-rooted • Includes component identifiers • Verified at the registry • URN Registry • Unique, well-structured component identifiers • Delegation schema • Attribute Mapping or Credential Conversion service • Coding about to start

  4. eduGAIN Profiles • WebSSO • Shib 1.3 for SAML 1.1 • SAML2 (except artifact-based) for SAML 2.0 • AC • Certificates plus optional attribute access • UbC • Convey user credentials introduced at the client • WE • Constrained delegation • DAMe

  5. Connect. Communicate. Collaborate WebSSO Profile

  6. Connect. Communicate. Collaborate Attr. johnd Pa$$wD Attr. Attr. 1 2 9 3 6 7 8 5 4 WebSSO in PracticeCurrent Inter-Federation Usage

  7. Preparing for WebSSO • Select a suitable BE and put it at the appropriate place • Top of your federation • Co-located with your SP/IdP • As your only SP/IdP • Optionally, register your BE in your local federation • Get component identifier(s) • Obtain certificate containing component identifier(s) • Deploy the BE using the certificate • Register your metadata at the MDS

  8. Connect. Communicate. Collaborate AC Profile

  9. Connect. Communicate. Collaborate AC in PracticeThe perfSONAR Case • Unique and non-transferable ID for each client • URN obtained from eduGAIN registry service • Private and public key valid in the eduGAIN trust model • Subject Alternative Name of the cert contains the URN • Obtained from eduGAIN PKI • Security Token is based on the X.509 certificate

  10. Preparing for AC • Incorporate software able to generate requests according to the profile • Currently, part of the perfSONAR codebase • Seems easy to generalize • Deploy and configure a Home BE (H-BE) if you do not have one • Including registration and certificate • Register an URN/branch for your client(s) • Optionally, assign individual identifiers • Obtain certificate(s) containing component identifier(s) • Incorporate data about the clients at your H-BE • Deploy the clients

  11. Connect. Communicate. Collaborate UbC Profile

  12. Connect. Communicate. Collaborate UbC in PracticeThe perfSONAR Case • A similar case to AC • An online CA for getting the certificate: SASL CA

  13. Preparing for UbC • Incorporate software able to generate requests according to the profile • Currently, part of the perfSONAR codebase • Seems easy to generalize • Deploy and configure a Home BE (H-BE) if you do not have one • Including registration and certificate • Deploy and configure a SASL online CA • Including certificate • It must have direct access to user credentials • It must be able to provide a session to user attributes • Deploy the clients

  14. Why Current UbC Does Not Fly... And How To Fix It • Deployment and configuration of the SASLCA • Certificate... Stretches CA policy to the limit • User credentials... Where to locate it • Session to user attributes... How to establish the link • Use an already existing credential exchange infrastructure • Aligned with CA policies • Pervasive • With a profile allowing attribute retrieval • Hey, we have the eduroam infrastructure! • DAMe extensions to convey attributes • And RadSec to enable H-BE location

  15. Connect. Communicate. Collaborate UbC Profile Revisited

  16. Preparing for New UbC • Incorporate software able to generate requests according to the profile • Can be based on the DAMe codebase • And the relayed-trust management library • Deploy and configure a Home BE (H-BE) if you do not have one • Including registration and certificate • Deploy and configure a RadSec server • Including certificate • Several choices: FreeRadius, radsecproxy,... • Enable the DAMe extensions • Deploy the clients

  17. Connect. Communicate. Collaborate WE Profile

  18. Connect. Communicate. Collaborate WE Profile in PracticeThe perfSONAR Case • Uses the eduGAIN webSSO profile • SAML assertions contain user’s credentials • Clients must have a pair of keys valid in the eduGAIN trust model • Security Token is based on SAML assertions

  19. Connect. Communicate. Collaborate WE Profile in PracticeThe AutoBAHN Case • User authN is performed through eduGAINFilter • DM fetches user data and includes it in the WS message using SAML Parser • Each IDM may use the data to perform authorization locally

  20. Preparing for WE • Deploy a H-BE according to WebSSO requirements • Deploy and configure eduGAINFilter as R-BE for the client • Similar solution for other environments being considered • Install and configure the relayed-trust software • In the perfSONAR codebase • Working in its generalization • Needs a specific identifier and certificate

More Related