310 likes | 457 Views
do you like to puzzle, build an AAI !. AA systems. xxx. xxx. 2 n d EuroCAMP - Porto Novem ber 8, 2005 Bart.Kerver@SURFnet.nl. Presentation outline. Drivers for an AAI; The pieces of the AAI-puzzle;
E N D
do you like to puzzle, build an AAI ! AA systems xxx xxx 2ndEuroCAMP - Porto November 8, 2005 Bart.Kerver@SURFnet.nl
Presentation outline • Drivers for an AAI; • The pieces of the AAI-puzzle; • network and application access, login, authentication, authorisation, identity management; • Assessments of some AA systems; • Federations; • Standards; • Developments;
Ingredients of an AAI Network (web)Application Authorisation Authentication Login Administration
Network access: RADIUS infrastructure network European RADIUS Proxy Server European RADIUS Proxy Server National RADIUS Proxy Server National RADIUS Proxy Server Organisational RADIUS Server B Organisational RADIUS Server C Organisational RADIUS Server A
Network access: User-controlled light path provisioning network UDDI/ WSIL A-Select token Application Application Applications Applications Services Services Services AAA AAA AAA AAA Broker Broker Broker Broker OMNInet SURFnet6 NetherLight Starlight
Application access:centralise intelligence applications
Application access:centralise intelligence applications
Login server:intermediary between application and AA: provide SSO login
Authentication:choose your own method (and strength) authentication • IP address • Username / password • LDAP / Active Directory • RADIUS • SQL • Passfaces • PKI certificate • OTP through SMS • OTP through internet banking • Tokens (SecurID, Vasco, …) • Biometrics • …
Authorisation:Policy engines authorisation
Authorisation:Policy engines: f.e. use ‘roles’ authorisation
Authorisation:3 scenario’s authorisation • Authentication = authorisation (‘simple’) • Identity plus a few attributes (‘commonly used’) • Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’)
Administration:Identity Management administration • How to record the identities (schema’s), credentials (attributes or roles), and privileges? • Enterprise (or meta) directory to glue all sources of information together; • Quality of registration is CRUCIAL for AuthN and AuthZ; • It’s the underlying basis for an AAI; • …and it’s a hype…
Quick assessment of current AA systems • Web login (authentication) systems • Athens, A-Select, CAS, CoSign, Pubcookie • Authorisation systems • PAPI, PERMIS, Shibboleth, SPOCP • Portal products (Oracle, SiteMinder, Sun One, uPortal)
Web login systems(A-Select, CAS, CoSign, Pubcookie, …) Network Authorisation (web)Application Authentication Login Administration
Web login systems(Athens) Network Authorisation (web)Application Authentication Login Administration
Portal products(Oracle, SiteMinder, Sun One, uPortal) Network Authorisation (web)Application Authentication Login Administration
Authorisation products(PERMIS, SPOCP) Network Authorisation (web)Application Authentication Login Administration
Authorisation products(PAPI) Network Authorisation (web)Application Authentication Login Administration
Authorisation productsShibboleth Group A Group B
Cross-domain AA:Ingredients for a federation Group A Group B • Policies (e.g. InCommon* from Internet2): • Federation Operating Practices and Procedures • Participant Agreement • Participant Operating Practices • Technologies: • Protocols / language • Schema’s • Trust / PKI * http://www.incommonfederation.org/
What about……standards? ? ? ? ? ? ? • Currently many proprietary solutions(sockets, cookies, redirects, …) • Webservices (SOAP, XML RPC, WSDL, WS-*) • SAML (1.1 -> 2.0) • For federations: • WS-Federation (Microsoft, IBM) • SAML (OASIS: 150 companies, Internet2) • Liberty Alliance (Sun, 170 companies)
What about……future developments (in the research world)? ? ? ? ? ? ? • Need for: • Converging or dominant standard(s), means better interoperability between the pieces of the puzzle • Attention to non-web-based applications (eg. Grids) • Universal Single Sign-On across network and application domain • (Error-) Diagnostics across federations!
Security Related Events Dissemination Network Collection and Normalization of Events Network Related Events Middleware Related Events Middleware diagnostics:what if there’s an error? X Group A Group B Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets
Homework but before that... Manage your identities...
References • AAI terminology • Athens • A-Select • CAS • CoSign • eduroam • Internet2 Federation • Middleware diagnostics • NSF Middleware Initiative • Privilege Management • Shibboleth • Swiss Federation
Thank you! Questions?