1 / 15

eduroam Delegate Authentication System with Shibboleth SSO

Explore the implementation of a Delegate Authentication System to simplify eduroam deployment across 1200+ institutions in Japan, enhancing network stability and security.

ematheny
Download Presentation

eduroam Delegate Authentication System with Shibboleth SSO

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. 29th APAN Meeting Feb. 8-11, 2010, Sydney, Australia eduroam Delegate Authentication System with Shibboleth SSO Hideaki Goto, Hideaki Sone Tohoku Univ. / NII Ichiro Yamaguchi, Takaaki Suzuki Tohoku Univ.

  2. A great challenge … How many higher education institutionsare there in Japan? 1,200+ (govt. survey in year 2008) • 765 universities (86 national, 90 public) • 481 two-year colleges and vocational colleges eduroam deployment: 11 / 1200 = 0.9%

  3. Problems • A large number of institutions (1,200+) • Difficulties in RADIUS deployment • Laborious eduroam connection / management work • Our solutions • Federated Delegate Authentication System with centralized RADIUS server • remove RADIUS IdP at each institution • Federation using Shibboleth SSO • simplify RADIUS tree (higher stability) • solve some privacy and security issues • Web-based eduroam IdP / SP management system • reduce the work at both the eduroam JP officeand each institution

  4. Easy-to-join eduroam system 2. eduroam IdP/SP management web Institution’sRADIUS server national top-level <secret key 1> access points RADIUS proxy auth requests <secret key 2> RADIUS IdP 1. Delegate Authentication System (DEAS)

  5. Federated Delegate Authentication System • Account Issuer as a Shibboleth SP of Japan’s UPKI inter-university federation • Centralized RADIUS server to simplify the RADIUS proxy tree • 3 types depending on the needs and federation level • Pseudo-anonymized, fixed-term, and traceable roaming IDs

  6. Delegate Authentication System - Type I Japan’s centralizedaccount issuer Institutions RADIUSserver The account is temporary and expires within 6 months. pseudonymousaccounts IdM IdM Web UI Manual account issue requests by administrators. • The system can be used even without IdM. • Issuing Guest IDs is possible.

  7. Delegate Authentication System – Type II Japan’s centralizedaccount issuer Institutions RADIUSserver The account is temporary and expires within 6 months. pseudonymousaccount Web UI IdM IdM ID federation using Shibboleth/SAML for administrators only. • Administrators can request for user accounts in bulk. • Issuing Guest IDs is possible.

  8. Delegate Authentication System – Type III Japan’s centralizedaccount issuer Institutions RADIUSserver The account is temporary and expires within a month. pseudonymousaccount IdM IdM ID federation using Shibboleth/SAML • End user can request for personal accounts only.

  9. Web-based eduroam IdP / SP management system • Application for eduroam IdP / SP connectionvia eduroam JP website • Online sign-up for institutional administrator(s) ( require approval by the national admin. ) • Online registration of institution data • Management console for institutions • RADIUS server address and secret setting • Enable or disable Self-IdP / DEAS / SP(AP) • Remote authentication self-testing (planned) development under way Features:

  10. NEWS • Negotiation is under waywith a commercial Wi-Fi Service Provider • We will have hundreds of eduroam APs in the central Tokyo ! Outsourcing campus Wi-Fi system would be a key to success of large-scale deployment.

  11. Summary • Large-scale eduroam deployment in Japan -- A great challenge -- • Delegate Authentication System • ease eduroam deployment • Federated ID issuer as a Shibboleth SP • simplify eduroam network = stabilize eduroam authentication • Web-based eduroam IdP / SP management • make eduroam easy-to-join • simplify connection and administration work • at the national administrative body • at each institution

  12. Supplementary slides

  13. Problem details in large-scale deployment • Difficult and laborious configurations of RADIUS / APs at each organization. • Difficulties in newly constructing an “eduroam account database” or making a RADIUS-IdM bridge for each organization. • Many universities do not have Federated IdM yet. • Laborious work for institution connection. • A lot of paper work • RADIUS configuration support • Connection testing • Troubleshooting … etc. Impossible to deal with hundreds of institutions!

  14. eduroam JP in UPKI project • An activity in NII’s UPKI project • Promotion and Operation of eduroam JP • 11 institutions connected (Feb. 2010) • Tutorial & technical documents • R&D to solve problems • Easy configurations • Guest use of local IP addresses • Location privacy, etc. • Talks with commercial W-ISPsfor roaming • Shared access points possible? • Negotiations are under way.

  15. Threats of ID/PW leakage • User ID is logged at proxy servers along the AAA path. • Location privacy problem. • PW could be logged due to inappropriate configuration by the user. • Critical security breach if an important PW is used. logged Worldwide RADIUS tree potentialleakage logged logged logged ID database RADIUS Access Request RADIUS Access Accept / Reject AP

More Related