
Options for integrating the JANET Roaming Service (JRS) and Shibboleth


Presentation Transcript


  1. Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown tjc@ecs.soton.ac.uk University of Southampton (UK) JISC Access Management Showcase Event London, 18th July 2006

  2. JRS and Shibboleth
  • We have two ‘access control’ worlds
    • JRS for network access, as described in the previous talk
    • Shibboleth for (currently) web-based applications
  • JRS is being widely adopted
    • With support at a European/world scale via eduroam
    • What more value can we get from it?
  • UK Shibboleth early adopters making progress
    • Can Shibboleth be used for WLAN access control?
    • Could the JRS be used as a back-end for Shibboleth?

  3. JRS components

  4. JRS features
  • Easy to deploy
    • Most sites use RADIUS already
    • Uses generally long-established open standards
  • Easy to join
    • Establish one RADIUS peering with national proxy
    • No local access control micro-management required
  • All-In
    • All sites implicitly trust all other sites
  • No attributes
    • Purely an authentication scheme
    • Though RADIUS can carry attributes

  5. Question 1
  • Can we use Shibboleth for network layer access control for roaming users?
    • User powers up in WLAN hotspot
    • Local network gateway blocks all external access until user authenticates using Shibboleth
    • To authenticate using Shibboleth user needs web access to the WAYF service and their home authentication service
    • Implies local network gateway must be pre-configured with at least one allowed web destination per Shibboleth-enabled site that visitors may come from
    • That doesn’t scale!

  6. Shib for WLAN roaming?

  7. Question 2
  • Can we use the JRS as a Shibboleth back end?
    • May be able to leverage JRS to boost Shibboleth adoption - many JRS sites have no Shibboleth deployment
  • Idea: introduce a Virtual identity provider (VIdP)
    • Functionally equivalent to a normal IdP
    • The VIdP uses the JRS as an authentication back-end
    • Any JRS-enabled site can use the VIdP in place of hosting its own IdP function
    • The VIdP can proxy on behalf of any number of sites
    • RADIUS-Aware Gateway to Shibboleth (RAGS)

  8. The RAGS model

  9. Building the VIdP…
  • Designed to have no changes to WAYF or SP code
  • The IdP is modified to become the VIdP
  • Tools already exist, e.g.:
    • Apache mod_auth_radius
    • JRadius Java connector, with support for (T)TLS for secure connection from VIdP to home site
  • The JRS site needs to opt-in
    • Its entry in the WAYF service points to the VIdP
    • Can customise login appearance based on passed URL
  • Some policy issues/decisions
    • e.g. it’s *possible* to add eduroam sites to UK WAYF
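The RAGS model of slides 7 and 9 (a Shibboleth-side VIdP that authenticates a roaming user by sending a RADIUS request through the realm-routing national proxy to the user's home site, for realms that have opted in) is simulated below. This is an added example written for this page; it is not code from the talk, from the JRS, or from mod_auth_radius or JRadius. All site names, users, passwords and shared secrets are constructed, and it uses plain PAP password hiding (RFC 2865 section 5.2) where the real JRS carries EAP methods. That simplification is deliberate: the proxy has to reveal and re-hide a PAP password for the next hop, so every RADIUS hop sees it in clear, which is exactly why the slide stresses a (T)TLS-protected path from the VIdP to the home site.

```python
"""Simulation of the RAGS / VIdP model (added example, not project code).
A VIdP login is turned into a RADIUS Access-Request, routed on the realm part
of User-Name by a national proxy, and answered by the home site's server.
PAP (RFC 2865 s5.2) stands in for the EAP methods the real JRS uses."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2            # RFC 2865 attribute types

# Constructed sample data: not real JRS sites, users or secrets.
HOME_SITES = {                              # realm -> home RADIUS server state
    "soton.ac.uk": {"secret": b"s0ton-hop-secret", "users": {"alice": "correct horse"}},
    "example.ac.uk": {"secret": b"ex4mple-hop-secret", "users": {"bob": "battery staple"}},
}
PROXY_SECRET = b"vidp-to-proxy-secret"      # shared secret on the VIdP <-> proxy hop
VIDP_OPT_IN = {"soton.ac.uk"}               # sites whose WAYF entry points at the VIdP


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a multiple of 16 bytes, then XOR block i with
    MD5(secret + c[i-1]), where c[-1] is the 16-byte Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; any hop that holds the secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, authenticator: bytes, attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt: bytes):
    """Return (code, identifier, authenticator, {type: value}); rejects bad lengths."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        t, l = pkt[pos], pkt[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = pkt[pos + 2:pos + l]
        pos += l
    return code, ident, pkt[4:20], attrs


def home_radius_server(realm: str, pkt: bytes) -> int:
    """Home site: reveal the password with its own hop secret and check the user."""
    site = HOME_SITES[realm]
    _, _, auth, attrs = parse_packet(pkt)
    user = attrs.get(USER_NAME, b"").decode().rpartition("@")[0]
    supplied = reveal_password(attrs[USER_PASSWORD], site["secret"], auth)
    expected = site["users"].get(user, "").encode()
    ok = user in site["users"] and hmac.compare_digest(supplied, expected)
    return ACCESS_ACCEPT if ok else ACCESS_REJECT


def national_proxy(pkt: bytes) -> int:
    """Route on the realm. Re-hiding a PAP password for the next hop means the
    proxy sees it in clear, the reason the real JRS path tunnels credentials."""
    ident, auth, attrs = parse_packet(pkt)[1:]
    realm = attrs.get(USER_NAME, b"").decode().rpartition("@")[2]
    if realm not in HOME_SITES:
        return ACCESS_REJECT                # unknown realm: nowhere to route
    clear = reveal_password(attrs[USER_PASSWORD], PROXY_SECRET, auth)
    new_auth = os.urandom(16)
    fwd = build_access_request(ident, new_auth, [
        (USER_NAME, attrs[USER_NAME]),
        (USER_PASSWORD, hide_password(clear, HOME_SITES[realm]["secret"], new_auth)),
    ])
    return home_radius_server(realm, fwd)


def vidp_authenticate(user_at_realm: str, password: str):
    """VIdP login handler: the realm must have opted in (its WAYF entry points
    here); on Access-Accept return the attributes the VIdP would assert to the
    SP. Only the principal name is available, since the JRS carries none."""
    realm = user_at_realm.rpartition("@")[2]
    if realm not in VIDP_OPT_IN:
        return None
    auth = os.urandom(16)
    req = build_access_request(1, auth, [
        (USER_NAME, user_at_realm.encode()),
        (USER_PASSWORD, hide_password(password.encode(), PROXY_SECRET, auth)),
    ])
    if national_proxy(req) != ACCESS_ACCEPT:
        return None
    return {"eduPersonPrincipalName": user_at_realm, "authenticated_by": "JRS via " + realm}


if __name__ == "__main__":
    print(vidp_authenticate("alice@soton.ac.uk", "correct horse"))   # attribute dict
    print(vidp_authenticate("alice@soton.ac.uk", "wrong"))           # None
    print(vidp_authenticate("bob@example.ac.uk", "battery staple"))  # None: realm not opted in
```

The opt-in check in `vidp_authenticate` is the hook the WAYF entry provides: a realm whose WAYF entry does not point at the VIdP is refused before any RADIUS traffic is generated, and the attribute dictionary returned on success makes the slide's "no attributes" point concrete, since the only thing the JRS can vouch for is the realm-qualified user name.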

  10. Closing observations
  • Shibboleth and JRS both being adopted
    • Initial adopter sites don’t overlap that much
  • Shibboleth is unsuitable for WLAN admission
  • JRS *could* be offered as a Shibboleth back end
    • The VIdP is currently being developed
  • What about attributes?
    • What classes of attributes will be required?
    • Can use JRadius to query RADIUS-based attributes
  • More policy questions
    • Would using the JRS be acceptable to the UK federation?
    • Who would manage the VIdP?
