
do you like to puzzle, build an AAI !

AA systems. 2nd EuroCAMP, Porto, November 8, 2005. Bart.Kerver@SURFnet.nl


Presentation Transcript


  1. do you like to puzzle, build an AAI ! AA systems. 2nd EuroCAMP - Porto, November 8, 2005. Bart.Kerver@SURFnet.nl

  2. Presentation outline
     • Drivers for an AAI;
     • The pieces of the AAI-puzzle:
       • network and application access, login, authentication, authorisation, identity management;
     • Assessments of some AA systems;
     • Federations;
     • Standards;
     • Developments;

  3. Why AAI? Network mobility

  4. Why AAI? Educational mobility

  5. Why AAI? Personalised service provisioning

  6. Why AAI? Reduce the digital key ring

  7. Ingredients of an AAI (the puzzle pieces): Network, (web)Application, Authorisation, Authentication, Login, Administration

  8. Network access: RADIUS infrastructure [diagram: organisational RADIUS servers A, B and C forward to national RADIUS proxy servers, which forward to European RADIUS proxy servers]
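The realm-based forwarding performed by the proxy chain on this slide, written out as an added example (not SURFnet's or eduroam's code; the server names, realms and hop limit are constructed for the illustration):

```python
"""Realm-based routing through the organisational -> national -> European RADIUS proxy
chain. Added example; server names, realms and the hop limit are constructed."""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    name: str
    suffix: str             # realm suffix this tier is authoritative for ("" = everything)
    local: bool = False     # organisational server that authenticates its own users
    children: list = field(default_factory=list)
    parent: object = None

    def add_child(self, child: "RadiusServer") -> "RadiusServer":
        child.parent = self
        self.children.append(child)
        return child

    def serves(self, realm: str) -> bool:
        return self.suffix == "" or realm == self.suffix or realm.endswith("." + self.suffix)

    def route(self, user_name: str, hops: int = 0) -> list:
        """Path of an Access-Request: server names, then AUTHENTICATE or REJECT:<reason>.
        Proxies inspect only the realm (after the last '@'); credentials are checked at home."""
        path = [self.name]
        if hops > 6:                                # constructed guard against a mis-wired chain
            return path + ["REJECT:hop-limit"]
        if "@" not in user_name:                    # no realm: nothing to route on
            return path + ["REJECT:no-realm"]
        realm = user_name.rsplit("@", 1)[1].lower()
        if not self.serves(realm):                  # foreign realm: hand it to the tier above
            if self.parent is None:
                return path + ["REJECT:unknown-realm"]
            return path + self.parent.route(user_name, hops + 1)
        if self.local:                              # home organisation: authenticate here
            return path + ["AUTHENTICATE"]
        for child in self.children:                 # our domain: hand it to the tier below
            if child.serves(realm):
                return path + child.route(user_name, hops + 1)
        return path + ["REJECT:unknown-realm"]      # authoritative for the suffix, no such org


def build_hierarchy() -> dict:
    """Constructed topology: one European proxy, two national proxies, three organisations."""
    eu = RadiusServer("eu-proxy", "")
    nl = eu.add_child(RadiusServer("nl-proxy", "nl"))
    pt = eu.add_child(RadiusServer("pt-proxy", "pt"))
    orgs = [nl.add_child(RadiusServer("org-a", "org-a.nl", local=True)),
            nl.add_child(RadiusServer("org-b", "org-b.nl", local=True)),
            pt.add_child(RadiusServer("org-c", "org-c.pt", local=True))]
    return {s.name: s for s in [eu, nl, pt] + orgs}
```

A visitor from org-a connecting at org-c is carried up to the European proxy and back down to its home server, while two organisations under the same national proxy never leave that country.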

  9. Network access: user-controlled light path provisioning [diagram: applications and services use an A-Select token and UDDI/WSIL lookup to reach AAA servers and brokers across the OMNInet, SURFnet6, NetherLight and Starlight networks]

  10. Application access: centralise intelligence

  11. Application access: centralise intelligence

  12. Login server: intermediary between application and AA, providing SSO login

  13. Authentication: choose your own method (and strength)
     • IP address
     • Username / password
     • LDAP / Active Directory
     • RADIUS
     • SQL
     • Passfaces
     • PKI certificate
     • OTP through SMS
     • OTP through internet banking
     • Tokens (SecurID, Vasco, …)
     • Biometrics
     • …

  14. Authorisation: policy engines

  15. Authorisation: policy engines, e.g. using ‘roles’

  16. Authorisation: 3 scenarios
     • Authentication = authorisation (‘simple’)
     • Identity plus a few attributes (‘commonly used’)
     • Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’)
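The three scenarios worked through for one service provider (SP) and one identity provider (IdP), as an added example that is not part of the presentation. The identity record, the SP's role policy, the fixed attribute bundle of the second scenario and the user's release policy are all constructed for the illustration.

```python
"""The three authorisation scenarios from the slide, for one SP and one IdP. Added example;
the identity record, SP policy, fixed bundle and release policy are constructed."""

# Constructed identity record held by the IdP (the "administration" puzzle piece).
IDENTITY = {
    "uid": "j.doe",
    "affiliation": "staff",
    "department": "network-services",
    "date_of_birth": "1970-01-01",
    "email": "j.doe@example.org",
}
FIXED_BUNDLE = {"uid", "affiliation", "email"}  # what a scenario-2 IdP always sends (assumed)
STAFF_ONLY = {"staff", "faculty"}               # the SP's role policy (constructed)


def authorise(released: dict, allowed_affiliations: set) -> bool:
    """SP-side policy engine: it can only reason about attributes it actually received."""
    return released.get("affiliation") in allowed_affiliations


def scenario_1(authenticated: bool) -> tuple:
    """Authentication = authorisation: whoever the IdP vouches for gets in; nothing is released."""
    return authenticated, {}


def scenario_2(identity: dict, allowed: set) -> tuple:
    """Identity plus a few attributes: the IdP pushes a fixed bundle, the SP checks one of them.
    Attributes the SP never needs (here uid and email) still leave the IdP."""
    released = {k: identity[k] for k in FIXED_BUNDLE if k in identity}
    return authorise(released, allowed), released


def scenario_3(identity: dict, sp_request: dict, release_policy: set, allowed: set) -> tuple:
    """Privacy-preserving negotiation: the SP declares which attributes it requires and which are
    optional, the user's release policy says what this SP may see, and the IdP releases only the
    intersection. If a required attribute is withheld, nothing leaves the IdP at all."""
    withheld = sp_request["required"] - release_policy
    if withheld:
        return False, {}, withheld
    wanted = sp_request["required"] | (sp_request["optional"] & release_policy)
    released = {k: identity[k] for k in wanted if k in identity}
    return authorise(released, allowed), released, set()
```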

  17. Administration: Identity Management
     • How to record the identities (schemas), credentials (attributes or roles), and privileges?
     • Enterprise (or meta) directory to glue all sources of information together;
     • Quality of registration is CRUCIAL for AuthN and AuthZ;
     • It’s the underlying basis for an AAI;
     • …and it’s a hype…

  18. Quick assessment of current AA systems
     • Web login (authentication) systems
       • Athens, A-Select, CAS, CoSign, Pubcookie
     • Authorisation systems
       • PAPI, PERMIS, Shibboleth, SPOCP
     • Portal products (Oracle, SiteMinder, Sun One, uPortal)

  19. Web login systems (A-Select, CAS, CoSign, Pubcookie, …) [diagram: mapping onto the puzzle pieces Network, (web)Application, Authorisation, Authentication, Login, Administration]

  20. Web login systems (Athens) [diagram: mapping onto the puzzle pieces]

  21. Portal products (Oracle, SiteMinder, Sun One, uPortal) [diagram: mapping onto the puzzle pieces]

  22. Authorisation products (PERMIS, SPOCP) [diagram: mapping onto the puzzle pieces]

  23. Authorisation products (PAPI) [diagram: mapping onto the puzzle pieces]

  24. Authorisation products: Shibboleth [diagram: Group A, Group B]

  25. Cross-domain AA: ingredients for a federation [diagram: Group A, Group B]
     • Policies (e.g. InCommon* from Internet2):
       • Federation Operating Practices and Procedures
       • Participant Agreement
       • Participant Operating Practices
     • Technologies:
       • Protocols / language
       • Schemas
       • Trust / PKI
     * http://www.incommonfederation.org/

  26. What about… standards?
     • Currently many proprietary solutions (sockets, cookies, redirects, …)
     • Webservices (SOAP, XML RPC, WSDL, WS-*)
     • SAML (1.1 -> 2.0)
     • For federations:
       • WS-Federation (Microsoft, IBM)
       • SAML (OASIS: 150 companies, Internet2)
       • Liberty Alliance (Sun, 170 companies)

  27. What about… future developments (in the research world)?
     • Need for:
       • Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
       • Attention to non-web-based applications (e.g. Grids)
       • Universal Single Sign-On across network and application domain
       • (Error-) Diagnostics across federations!

  28. Middleware diagnostics: what if there’s an error? [diagram: Security Related Events, Network Related Events and Middleware Related Events feed a Collection and Normalization of Events stage and a Dissemination Network, spanning Group A and Group B] Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets

  29. Homework, but before that... manage your identities...

  30. References
     • AAI terminology
     • Athens
     • A-Select
     • CAS
     • CoSign
     • eduroam
     • Internet2 Federation
     • Middleware diagnostics
     • NSF Middleware Initiative
     • Privilege Management
     • Shibboleth
     • Swiss Federation

  31. Thank you! Questions?
