Federated identity on a pan-European scale Klaas Wierenga <kwiereng@cisco.com> eResearch Australasia Melbourne, 30 September 2008
Agenda • Intro • eduroam • eduGAIN • DAMe • Conclusions and next steps
WAYF • Cisco Consulting Engineering, office of the CTO • Before that >12 yrs SURFnet • Activity lead roaming activity Geant2 • Creator of eduroam • Co-creator of A-Select • Chair of TF-Mobility • Member of ECAM
Vision • “Create an open European research area by establishing interoperable access to the networks that interconnect to form the research networking supply chain in Europe.” • The multiple networks must appear to be one seamless resource. • Create interoperable systems at the network and service level for: • roaming, • verifying users' identities and associated rights or privileges (authentication), • granting access to resources (authorisation)
Activities • Building on work done in TERENA taskforces Mobility and EMC2 on eduroam and federated applications • Create a pan-European roaming infrastructure for network access for HigherEd (eduroam) • Create a pan-European authentication and authorisation infrastructure by connecting the existing federations in HigherEd (eduGAIN) • Create universal single sign-on by integrating the former two (DAMe)
The goal of eduroam • “open your laptop and be online” • To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources
eduroam [Diagram: Supplicant → Authenticator (AP or switch) → RADIUS server University A → Central RADIUS proxy server (SURFnet) → RADIUS server University B → User DB; guest user piet@university_b.nl; VLANs at the visited site: Guest, Commercial, Employee, Student; signalling and data paths shown separately] • Trust based on RADIUS plus policy documents • 802.1X (spin-off: SecureW2) • (VLAN assignment) Source: SURFnet
eduroam status [Map: New trial with Internet2; isolated trials in Latin America] • US experiment with I2 (failed) • Canada member since June 2008
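The slide above describes the mechanics in a few labels: a guest's outer identity carries a realm, the visited institution's RADIUS server has no user database for that realm and forwards the request via a national proxy to the home institution, trust between adjacent servers rests on RADIUS shared secrets, and the visited site assigns a VLAN once the home site has accepted. The following Python model is an added example, not code from the presentation or from eduroam; the institution names, shared secrets, users, passwords and VLAN labels are constructed, and the hop limit stands in for the loop-detection real deployments rely on.

```python
"""Added example: a simplified model of eduroam's realm-based RADIUS proxying.
Not eduroam's own software; all names, secrets, users and VLAN labels are
constructed for the illustration."""

import hmac
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Result:
    accepted: bool
    reason: str
    vlan: Optional[str] = None
    path: list = field(default_factory=list)  # RADIUS servers the request traversed


def split_nai(identity: str):
    """Split an outer identity user@realm into (user, realm). Realm matching is
    case-insensitive, so the realm is normalised to lower case."""
    if identity.count("@") != 1:
        raise ValueError("identity must contain exactly one '@'")
    user, realm = identity.split("@")
    if not user or not realm:
        raise ValueError("empty user or realm")
    return user, realm.lower()


@dataclass
class RadiusServer:
    name: str
    home_realms: set                                      # realms this server authenticates itself
    trusted_peers: dict = field(default_factory=dict)     # peer name -> shared secret (constructed)
    user_db: dict = field(default_factory=dict)           # user -> (password, role); constructed
    routes: dict = field(default_factory=dict)            # realm suffix -> next-hop server
    default_route: Optional["RadiusServer"] = None        # where unknown realms go

    def _next_hop(self, realm):
        # Longest-suffix match: cs.university_b.nl before university_b.nl before nl.
        labels = realm.split(".")
        for i in range(len(labels)):
            suffix = ".".join(labels[i:])
            if suffix in self.routes:
                return self.routes[suffix]
        return self.default_route

    def handle(self, identity, password, from_peer, secret, ttl=5):
        """Process an Access-Request arriving from 'from_peer'."""
        # Trust in the hierarchy rests on the shared secret with the adjacent
        # server: a request from an unknown peer or with a wrong secret is dropped.
        expected = self.trusted_peers.get(from_peer)
        if expected is None or not hmac.compare_digest(expected, secret):
            return Result(False, f"{self.name}: request from untrusted peer {from_peer} dropped")
        if ttl == 0:  # guard against proxy loops in a misconfigured hierarchy
            return Result(False, f"{self.name}: hop limit exceeded", path=[self.name])
        try:
            user, realm = split_nai(identity)
        except ValueError as err:
            return Result(False, f"{self.name}: malformed identity ({err})", path=[self.name])
        if realm in self.home_realms:  # home server: check the credential locally
            entry = self.user_db.get(user)
            if entry is None or not hmac.compare_digest(entry[0], password):
                return Result(False, f"{self.name}: authentication failed", path=[self.name])
            return Result(True, f"{self.name}: authenticated {identity}", path=[self.name])
        next_hop = self._next_hop(realm)  # foreign realm: forward up or down the tree
        if next_hop is None:
            return Result(False, f"{self.name}: no route for realm {realm}", path=[self.name])
        res = next_hop.handle(identity, password, self.name,
                              self.trusted_peers[next_hop.name], ttl - 1)
        res.path.insert(0, self.name)
        return res


VLAN_FOR_ROLE = {"employee": "Employee VLAN", "student": "Student VLAN"}  # constructed labels
GUEST_VLAN = "Guest VLAN"


def authenticate_at(visited, authenticator, secret, identity, password):
    """The authenticator at the visited site sends the request; the visited server
    picks the VLAN after the home server has accepted (home users by role,
    anyone from a foreign realm lands on the guest VLAN)."""
    res = visited.handle(identity, password, authenticator, secret)
    if res.accepted:
        user, realm = split_nai(identity)
        res.vlan = VLAN_FOR_ROLE[visited.user_db[user][1]] if realm in visited.home_realms else GUEST_VLAN
    return res


def build_topology():
    """Two institutions behind one national proxy, as in the slide (constructed)."""
    uni_a = RadiusServer("University A", {"university_a.nl"}, user_db={"anna": ("s3cret-A", "employee")})
    uni_b = RadiusServer("University B", {"university_b.nl"}, user_db={"piet": ("s3cret-B", "student")})
    proxy = RadiusServer("SURFnet proxy", set())
    uni_a.trusted_peers = {"ap-a1": "ap-secret", "SURFnet proxy": "a-proxy-secret"}
    proxy.trusted_peers = {"University A": "a-proxy-secret", "University B": "b-proxy-secret"}
    uni_b.trusted_peers = {"SURFnet proxy": "b-proxy-secret"}
    uni_a.default_route = proxy            # institutions send every foreign realm upward
    uni_b.default_route = proxy
    proxy.routes = {"university_a.nl": uni_a, "university_b.nl": uni_b}  # proxy routes by realm
    return uni_a, proxy, uni_b


if __name__ == "__main__":
    a, _, _ = build_topology()
    print(authenticate_at(a, "ap-a1", "ap-secret", "piet@university_b.nl", "s3cret-B"))
```

The visited site never sees a user database entry for the guest; it only learns that the home server accepted, which is why the slide pairs the RADIUS trust with policy documents: each institution must trust every intermediate proxy to forward requests faithfully.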
Spin-off: RadSec • eduroam problems: • Dead peer discovery • Fragmentation • Managing shared secret/IP-address based trust • Static hierarchy • DIAMETER not available • RADIUS with: • TLS • TCP • draft-ietf-radext-radsec-01.txt, draft-dekok-radext-tcp-transport-00.txt • Implementations in Radiator, FreeRADIUS (in progress), RadSecProxy, OpenWRT and Lancom APs
eduGAIN • Bridging existing federations in HigherEd • Existing federations based on: • Shibboleth 1.3 • A-Select • PAPI • Sun Access Manager • WS-Federation • SAML 2.0 (Shibboleth and Liberty Alliance) • Lingua franca for interconnect: SAML
The eduGAIN model [Diagram: Resource(s) ↔ R-FPP / R-BE ↔ H-BE / H-FPP ↔ Id Repository(ies); AA interactions between each pair of elements; both sides publish metadata to, and query metadata from, the MDS] Source: JRA5-team
WebSSO in Practice: Current Inter-Federation Usage [Diagram: numbered steps 1–9 of a WebSSO login for sample user johnd, with attribute (Attr.) exchange between the federations] Source: RedIRIS
Spin-off: SimpleSAMLphp • Started as bridging software for eduGAIN • Bridges between: SAML 1.1, SAML 2.0, A-Select, PAPI, Shibboleth 1.3, WS-Fed • Now IdP and SP for SAML 1.1 and 2.0 as well as an OpenID IdP • User consent module • http://rnd.feide.no/simplesamlphp • Attend the workshop on Friday!
Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe) • DAMe is a project that builds upon: • eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, • Shibboleth and eduGAIN • NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.
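The DAMe slide names the two ingredients NAS-SAML combines: a SAML attribute assertion issued by the home institution and an XACML policy evaluated at the visited site, so that network access is decided on the user's attributes rather than on the realm alone. The following Python model is an added example, not code from the DAMe project or the University of Murcia: an HMAC key shared between the two sites stands in for the XML signatures and federation metadata used in practice, the assertion is a signed JSON record rather than SAML XML, the policy is a list of XACML-style rules with a deny-overrides combining algorithm, and all names, keys, attributes and VLAN labels are constructed.

```python
"""Added example: a toy NAS-SAML style flow. The home IdP issues an attribute
assertion, the visited site verifies it and evaluates an XACML-like policy.
Not DAMe's own code; assertion format, keys and policy are constructed."""

import hashlib
import hmac
import json
import time


def issue_assertion(issuer, key, subject, attributes, lifetime=300, now=None):
    """Home institution: assert attributes about a subject for a limited time.
    A shared-key MAC stands in for the XML signature a real IdP would apply."""
    now = time.time() if now is None else now
    body = {"issuer": issuer, "subject": subject, "attributes": attributes,
            "not_before": now, "not_on_or_after": now + lifetime}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_assertion(assertion, trusted_issuers, now=None):
    """Visited institution: accept the assertion only if it comes from a trusted
    issuer, its MAC verifies and it is inside its validity window. Returns the
    assertion body, or None when any check fails."""
    now = time.time() if now is None else now
    body = json.loads(assertion["payload"])
    key = trusted_issuers.get(body.get("issuer"))
    if key is None:
        return None  # issuer unknown to this federation
    expected = hmac.new(key, assertion["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return None  # tampered or signed with the wrong key
    if not (body["not_before"] <= now < body["not_on_or_after"]):
        return None  # replayed outside its validity window
    return body


# XACML-style policy of the visited site (constructed): each rule targets an
# attribute value, carries an effect and, for Permit, an obligation the NAS
# enforces (here: the VLAN to place the user in).
POLICY = [
    {"target": {"eduPersonAffiliation": "staff"}, "effect": "Permit", "obligations": {"vlan": "Employee VLAN"}},
    {"target": {"eduPersonAffiliation": "student"}, "effect": "Permit", "obligations": {"vlan": "Student VLAN"}},
    {"target": {"eduPersonAffiliation": "affiliate"}, "effect": "Deny", "obligations": {}},
]


def decide(attributes, policy):
    """Deny-overrides combining: any matching Deny rule wins, otherwise the first
    matching Permit applies; a subject no rule targets is denied (default deny)."""
    permit = None
    for rule in policy:
        if all(value in attributes.get(name, []) for name, value in rule["target"].items()):
            if rule["effect"] == "Deny":
                return "Deny", {}
            if permit is None:
                permit = ("Permit", rule["obligations"])
    return permit if permit is not None else ("Deny", {})


def authorise_network_access(assertion, trusted_issuers, policy, now=None):
    """Full visited-site path: verify the assertion, then evaluate the policy."""
    body = verify_assertion(assertion, trusted_issuers, now)
    if body is None:
        return "Deny", {}
    return decide(body["attributes"], policy)


if __name__ == "__main__":
    key = b"constructed-shared-key"
    a = issue_assertion("idp.university_b.nl", key, "piet@university_b.nl",
                        {"eduPersonAffiliation": ["student"]})
    print(authorise_network_access(a, {"idp.university_b.nl": key}, POLICY))
```

The two checks that matter operationally are visible in the result: an assertion whose content has been altered, or that is presented after its validity window, yields Deny before any policy rule is consulted, and an attribute set that matches both a Permit and a Deny rule is denied because of the combining algorithm, not because of rule order.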
Unified Single Sign-on Source: DAMe project
Summary • eduroam is happening • Federations are happening • The European federation of federations is happening • The grand unifier is SAML 2.0 • This will create an open European research area (open for collaboration with other research areas ;-)
References • TERENA TF-Mobility • http://www.terena.org/activities/tf-mobility/ • TERENA TF-EMC2 • http://www.terena.org/activities/tf-emc2/ • ECAM • http://www.terena.org/activities/tf-emc2/ecam/ • European Federations: • http://wiki.rediris.es/tf-emc2/index.php/Federations • Geant2 JRA5 • http://www.geant2.net/server/show/nav.00d00a005 • DAMe • http://dame.inf.um.es/