
Do you like to puzzle?


Presentation Transcript


  1. Do you like to puzzle? …build an AA Infrastructure! DELAMAN Access Group Workshop, November 30th, 2004. Bart.Kerver@SURFnet.nl

  2. Presentation contents • Drivers for an AAI; • The pieces of the AAI-puzzle; • network and application access, login, authentication, authorisation, identity management; • Federations; • Shibboleth; • E2E Middleware Diagnostics; • Standards; • Developments;

  3. Authentication and Authorisation Infrastructure (AAI) The Authentication and Authorisation Services, components for Identity and Privilege Management and the entities responsible for these services - constitute an Authentication and Authorisation Infrastructure.

  4. Why AAI? Personalised service provisioning

  5. Why AAI? Educational mobility

  6. Why AAI? Network mobility

  7. Why AAI? Reduce the digital key ring

  8. Ingredients of an AAI (diagram): (web) application, network, authorisation, authentication, login, administration

  9. Network access: RADIUS proxy hierarchy (diagram: Organisational RADIUS Servers A, B and C forward to National RADIUS Proxy Servers, which forward to European RADIUS Proxy Servers)
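The routing rule behind the hierarchy on slide 9 is simple: an organisational server answers requests for its own realm and forwards everything else upwards, and each proxy forwards by the realm suffix of the user name until a server that owns the realm is reached. The following is an added example of that rule (not SURFnet or eduroam code): the server names, realms, the credential store and the plain password comparison are constructed for illustration; a real deployment carries EAP inside RADIUS, so the user's password is never visible to the proxies, and every hop is protected by its own shared secret.

```python
"""Realm-based request forwarding through a RADIUS proxy hierarchy.

Added example, not SURFnet or eduroam code. Server names, realms, the
credential store and the plain password check are constructed; a real
deployment carries EAP inside RADIUS and has a shared secret per hop.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusNode:
    name: str
    local_realms: frozenset = frozenset()       # realms authenticated here
    routes: dict = field(default_factory=dict)  # realm suffix -> next hop
    parent: Optional["RadiusNode"] = None       # default route upwards
    users: dict = field(default_factory=dict)   # constructed credential store

    def handle(self, user_name, password, path=None, ttl=8):
        """Return (decision, list of servers the request passed through)."""
        path = [] if path is None else path
        path.append(self.name)
        if ttl == 0:                 # loop guard: proxies must never ping-pong
            return "Access-Reject", path
        if "@" not in user_name:     # no realm: the request cannot be routed
            return "Access-Reject", path
        realm = user_name.rsplit("@", 1)[1].lower()
        if realm in self.local_realms:
            ok = self.users.get(user_name) == password
            return ("Access-Accept" if ok else "Access-Reject"), path
        # Longest-suffix match: "uni-a.nl" wins over "nl" when both are listed
        for suffix in sorted(self.routes, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                return self.routes[suffix].handle(user_name, password, path, ttl - 1)
        if self.parent is not None:
            return self.parent.handle(user_name, password, path, ttl - 1)
        return "Access-Reject", path  # top of the tree and the realm is unknown


def build_hierarchy():
    """Three organisations under two national proxies under one European proxy."""
    eu = RadiusNode("EU-proxy")
    nl = RadiusNode("NL-proxy", parent=eu)
    de = RadiusNode("DE-proxy", parent=eu)
    eu.routes = {"nl": nl, "de": de}
    org_a = RadiusNode("Org-A", frozenset({"uni-a.nl"}), parent=nl,
                       users={"alice@uni-a.nl": "s3cret"})
    org_b = RadiusNode("Org-B", frozenset({"uni-b.nl"}), parent=nl)
    org_c = RadiusNode("Org-C", frozenset({"uni-c.de"}), parent=de)
    nl.routes = {"uni-a.nl": org_a, "uni-b.nl": org_b}
    de.routes = {"uni-c.de": org_c}
    return {"A": org_a, "B": org_b, "C": org_c, "EU": eu}


if __name__ == "__main__":
    servers = build_hierarchy()
    # alice from Org-A (NL) connects to the network of Org-C (DE)
    print(servers["C"].handle("alice@uni-a.nl", "s3cret"))
```

The returned path shows why the European proxy only needs a table of country suffixes and why an unknown realm is rejected at the top rather than bouncing between proxies; the `ttl` guard exists because a misconfigured routing table can otherwise loop a request between two proxies indefinitely.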

  10. Network access: user-controlled light path provisioning (diagram labels: UDDI/WSIL, A-Select token, Applications, Services, AAA, Broker, OMNInet, SURFnet6, StarLight, NetherLight)

  11. Application access: centralise intelligence

  12. Application access: centralise intelligence (continued)

  13. Login server: intermediary between application and AA, providing SSO login

  14. Authentication: choose your own method (and strength) • IP address • Username / password • LDAP / Active Directory • RADIUS • SQL • Passfaces • PKI certificate • OTP through SMS • OTP through internet banking • Tokens (SecurID, Vasco, …) • Biometrics • …

  15. Authentication: solutions for web environments • Web Initial Sign-on (WebISO): • A-Select, SURFnet • CAS, Yale • Cosign, Michigan • Distauth, UC Davis • eIdentity Web Authentication, Colorado State • PAPI, RedIRIS • Pubcookie • Web AuthN/AuthZ, Michigan Tech • WebAuth, Stanford • etcetera
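Slides 13 to 15 describe the login server as the piece that sits between the applications and whatever authentication method the organisation chooses, and hands out single sign-on. The following added example (not A-Select, CAS or any other product's code) shows the minimum such a WebISO-style server has to get right: one authentication creates an SSO session, each application receives a short-lived ticket bound to that application only, and the application checks the ticket over a back channel where it is consumed on first use. The user store, service names, ticket lifetime and the explicit `now` parameter are constructed for illustration; the authentication backend is pluggable, which is where the methods from slide 14 would go.

```python
"""A WebISO-style login server: one authentication, many applications.

Added example, not A-Select, CAS or any other product's code. The user
store, service names and ticket lifetime are constructed. Times are
passed in explicitly so the flow can be followed deterministically.
"""
import hmac
import secrets
import time

USERS = {"alice": "correct horse battery"}   # constructed password backend


def password_backend(user_name, password):
    """One of the pluggable methods from slide 14; here username/password."""
    return hmac.compare_digest(USERS.get(user_name, ""), password)


class LoginServer:
    """Sits between the applications and the authentication backend."""

    def __init__(self, authenticate, ticket_ttl=30):
        self._authenticate = authenticate
        self._sessions = {}   # SSO cookie -> user name
        self._tickets = {}    # service ticket -> (user, service, expiry)
        self._ttl = ticket_ttl

    def login(self, user_name, password):
        """Authenticate once; the returned SSO cookie lives on the login
        server's own domain, so applications never see the credentials."""
        if not self._authenticate(user_name, password):
            return None
        cookie = secrets.token_urlsafe(32)
        self._sessions[cookie] = user_name
        return cookie

    def issue_ticket(self, sso_cookie, service, now=None):
        """An application redirects the user here. An existing SSO session
        yields a short-lived, single-use ticket bound to that service,
        without a new password prompt: that is the SSO part."""
        user_name = self._sessions.get(sso_cookie)
        if user_name is None:
            return None            # no session: the user must log in first
        ticket = "ST-" + secrets.token_urlsafe(24)
        expiry = (time.time() if now is None else now) + self._ttl
        self._tickets[ticket] = (user_name, service, expiry)
        return ticket

    def validate(self, ticket, service, now=None):
        """Back-channel check by the application. The ticket is removed on
        first use, so a replayed or stolen ticket fails."""
        entry = self._tickets.pop(ticket, None)
        if entry is None:
            return None
        user_name, bound_service, expiry = entry
        if bound_service != service:
            return None            # ticket was minted for another application
        if (time.time() if now is None else now) > expiry:
            return None            # ticket expired
        return user_name


if __name__ == "__main__":
    ls = LoginServer(password_backend)
    cookie = ls.login("alice", "correct horse battery")
    t = ls.issue_ticket(cookie, "app-1")
    print(ls.validate(t, "app-1"))    # alice
    print(ls.validate(t, "app-1"))    # None: single use
```

Three checks in `validate` carry the security of the scheme: the ticket is single-use, it is bound to the service it was issued for (so one application cannot use a ticket to impersonate the user at another), and it expires quickly. Without the service binding, any application in the SSO domain could log in as the user anywhere.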

  16. Authorisation: policy engines

  17. Authorisation: policy engines, e.g. using ‘roles’

  18. Authorisation: three scenarios • Authentication = authorisation (‘simple’) • Identity plus a few attributes (‘commonly used’) • Privacy-preserving negotiation about the attributes to be exchanged (‘ideal and upcoming’)

  19. Administration: Identity Management • How to record the identities (schemas), credentials (attributes or roles), and privileges? • Enterprise (or meta) directory to glue all sources of information together; • Quality of registration is CRUCIAL for AuthN and AuthZ; • It’s the underlying basis for an AAI; • …and it’s a hype…

  20. Administration: Identity Management, layers example (diagram, top to bottom: administration layer with Local Admin and SAP/HR; directory layer with ADS and LDAP; application layer with Portfolio, Exchange, W2K/XP and CAB; network layer with RADIUS, 802.1x WLAN and dial-up)

  21. Presentation contents (agenda repeated from slide 2; the next part covers federations, Shibboleth, E2E middleware diagnostics, standards and developments)

  22. Federations: a Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI: a Federated AAI or an AAI Federation. (diagram: Group A, Group B)

  23. Cross-domain AA: ingredients for a federation • Policies (e.g. InCommon* from Internet2): • Federation Operating Practices and Procedures • Participant Agreement • Participant Operating Practices • Technologies: • Protocols / language • Schemas • Trust / PKI * http://www.incommonfederation.org/

  24. Cross-domain AA: federation, organisational view (diagram: Group A, Group B)

  25. Bird’s-eye view of the Shibboleth suite • What is Shibboleth? • An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user’s privacy. Trust relations are created within a federation; • What does Shibboleth offer? • authorisation, attribute gathering and privacy-safe transport of attributes; • What doesn’t Shibboleth do? • Out-of-the-box authentication: choose a WebISO (e.g. A-Select) • Result at a protected resource after the Shibboleth process: • user ID-x with the attributes X,Y wants access to resource Z
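Slides 17, 18 and 25 together describe one decision: the home organisation decides which attributes about the user it is willing to release to a given service provider, and the service provider's policy engine decides, from those attributes or roles alone, whether "user ID-x with attributes X,Y" may access resource Z. The following added example (not Shibboleth code) implements all three authorisation scenarios from slide 18 in one small policy engine. The identity store, the release policy, the resource policies and the attribute names in the eduPerson style are constructed for illustration.

```python
"""Attribute release and policy decision in a federated AAI.

Added example, not Shibboleth code. Identities, policies and the
eduPerson-style attribute names are constructed for illustration.
"""

# Home organisation identity store (constructed)
IDENTITIES = {
    "ID-x": {
        "eduPersonPrincipalName": "x@uni-a.nl",
        "eduPersonAffiliation": {"student", "member"},
        "mail": "x@uni-a.nl",
        "displayName": "User X",
    },
    "ID-y": {
        "eduPersonPrincipalName": "y@uni-a.nl",
        "eduPersonAffiliation": {"alum"},
        "mail": "y@uni-a.nl",
        "displayName": "User Y",
    },
}

# Attribute release policy of the home organisation, per service provider:
# the most an SP can ever learn about a user, whatever it asks for.
RELEASE_POLICY = {
    "sp-Z": {"eduPersonPrincipalName", "eduPersonAffiliation"},
}

# Resource policy at the service provider: attribute values that grant
# access. An empty policy is the "authentication = authorisation" scenario.
RESOURCE_POLICY = {
    "resource-Z": {"eduPersonAffiliation": {"student", "faculty"}},
    "resource-open": {},
}


def negotiate_release(user_id, sp, required, optional=frozenset()):
    """Scenario 3: the SP states what it needs and what it would like; the
    home organisation checks that against its release policy before any
    attribute leaves the building.

    Returns the released attributes, or None when a required attribute may
    not be released to this SP (then nothing at all is disclosed)."""
    allowed = RELEASE_POLICY.get(sp, frozenset())
    if not required <= allowed:
        return None
    identity = IDENTITIES[user_id]
    wanted = required | (optional & allowed)   # optional ones only if allowed
    return {name: identity[name] for name in wanted if name in identity}


def authorise(resource, attributes):
    """Policy engine at the SP (slides 16/17): every attribute named in the
    resource policy must carry at least one accepted value."""
    for name, accepted in RESOURCE_POLICY[resource].items():
        values = attributes.get(name)
        if values is None:
            return False
        if isinstance(values, str):
            values = {values}
        if not accepted & set(values):
            return False
    return True


def federated_access(user_id, sp, resource, required, optional=frozenset()):
    """'User ID-x with attributes X,Y wants access to resource Z' end to end.
    Returns (decision, attributes the SP actually received)."""
    released = negotiate_release(user_id, sp, frozenset(required), frozenset(optional))
    if released is None:
        return False, {}
    return authorise(resource, released), released


if __name__ == "__main__":
    print(federated_access("ID-x", "sp-Z", "resource-Z",
                           required={"eduPersonAffiliation"}, optional={"mail"}))
```

Two properties are worth noticing. The service provider never sees `mail` or `displayName` even though it asked for `mail`, because the release policy, not the request, bounds what is disclosed; and when a required attribute is not releasable the negotiation fails before anything is sent, instead of leaking the permitted attributes and then denying access anyway. The SP's decision is taken purely on the released attributes, which is what lets it grant access to `resource-Z` without knowing who ID-x is.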

  26. Shibboleth: mapping of AAI components (diagram: Group A, Group B)

  27. E2E Middleware diagnostics: what if there’s an error? Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets. (diagram: security-related, network-related and middleware-related events go through collection and normalization of events into a dissemination network; Group A, Group B)

  28. E2E Middleware diagnostics: what if there’s an error? (diagram labels: User, Enterprise, Federation, Hosts 1–9; Web-App Archive; LDAP, DNS; Network Devices; Application, System or Security Events; Network Events; Netflow Archive and Network Forensics; Combined Forensics and Reporting; General Forensics and Reporting; Diag App; Group A, Group B)

  29. What about… standards? • Currently many proprietary solutions (sockets, cookies, redirects, …) • Web services (SOAP, XML-RPC, WSDL, WS-*) • SAML • For federations: • WS-Federation (Microsoft, IBM) • SAML (OASIS: 150 companies, Internet2) • Liberty Alliance (Sun, 170 companies)

  30. What about… developments (in the research world)? • Australia: start with Shibboleth • Europe: combination of Shibboleth and ‘home-grown’ • USA: Shibboleth • European project GEANT2: • GN2-JRA5: focus on European AAI, SSO for network and applications • Need for: • Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle • Universal Single Sign-On across network and application domains • Attention to non-web-based applications

  31. References • Identity Management • AAI Terminology • EduRoam • A-Select weblogin • Privilege Management • Intro on federations • Internet2 Federation • Swiss Federation • End-to-end diagnostics

  32. Questions ?

  33. To conclude, a possible future: a DELAMAN Federation based on Shibboleth? (diagram labels: Delaman Foundation with Board of Founders, Advisory Committee and Operations Committee; Central AAI Services; Foundation Members and Foundation Partners; Home organisations; Service Provider with service subscription and resource registration; resources; Institutes, Research, Universities, Libraries; Delaman Federation)
