RadSec and DAMe
University of Stuttgart / University of Murcia
Sascha Neinert

Overview
- DAMe Project
- RadSec and DAMe: Dynamic Server Discovery
- DAMe Testbed
- Next Steps
DAMe Project
- DAMe stands for: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
- Subproject of GÉANT2
- Partners: DFN, RedIRIS, University of Murcia, University of Stuttgart
- Goals:
  - Adding attribute-based authorization to eduroam
  - Unified Single Sign On, using eduToken in SAML format

Attribute-based Authorization in eduroam (diagram slide)

Unified Single Sign On (diagram slide)

DAMe-2 Project
- Additional goals:
  - Support for Level of Assurance (LoA):
    - Including LoA in the eduToken, in the AuthNContext
    - Protocol extended for re-authentication with higher LoA
  - Integration of RadSec:
    - Adding RadSec proxy servers in front of both remote (SP) and home (IdP) institution
    - eduToken transport over RadSec
  - Inclusion of attribute conversion in DAMe
RadSec and DAMe: Dynamic Server Discovery
- RadSec: RADIUS over TCP and TLS
- Implementations: radsecproxy and Radiator
- eduroam with RadSec:
  - Mutual authentication with valid server certificates from a trusted CA (eduGAIN CA / SCA, others)
  - subjectAltName (URI) specifying the role of a server (e.g. urn:geant:eduroam:component:sp:ABC may act as a RadSec client, urn:geant:eduroam:component:idp:XYZ may act as a server)
- RadSec enables dynamic server discovery:
  1. Lookup for a RadSec server serving a specific home domain
  2. Mutual authentication using server certificates
  3. TLS connection is established

RadSec and DAMe: Dynamic Server Discovery
- Dynamic discovery can be done...
  - Using DNS:
    - radsecproxy can query for _radsec._tcp.<domain-name>
    - Radiator can also use this mechanism
  - Using MDS:
    - radsecproxy calls the radsec2mds tool
    - SAML metadata is retrieved from the eduGAIN MDS
    - MDS is part of DAMe / eduGAIN already
    - MDS is flexible + secure (efficient? reliable?)

RadSec and DAMe: Dynamic Server Discovery (MDS) (diagram slide)

RadSec and DAMe: Dynamic Server Discovery (MDS)
Metadata snippet:

    <md:EntityDescriptor ID="…" entityID="…">
      <md:IDPSSODescriptor ID="USTUTT-RADSEC">
        <md:SingleSignOnService Location="radsec://ksat124.rus.uni-stuttgart.de:2083"/>
      </md:IDPSSODescriptor>
      <md:Organization>
        <md:Extensions>
          <egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:exact"
                          egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
        </md:Extensions>
      </md:Organization>
    </md:EntityDescriptor>
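The following script is an added example for this deck, not code from the DAMe project, radsecproxy or Radiator. It walks through the discovery steps the previous slides describe: building the DNS SRV name `_radsec._tcp.<realm>`, choosing among SRV answers, matching a home domain against the `egmd:HLPattern` in eduGAIN (MDS) metadata to obtain the `radsec://` endpoint, and checking the eduroam role URN in the peer certificate's subjectAltName before treating the peer as an IdP server or SP client. All inputs are constructed inline so it runs offline; the namespace URI bound to the `egmd:` prefix and the `entityID` value are assumptions, since the slide elides them.

```python
"""Resolving the RadSec server for a home realm and checking the peer's role.

Added example for this deck; it is not code from the DAMe project, radsecproxy
or Radiator. Inputs are constructed; the egmd namespace URI is assumed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
EGMD_NS = "urn:geant:edugain:metadata"  # assumed URI for the egmd: prefix on the slide
EXACT_ALGO = "urn:geant:edugain:metadata:homelocator:matching-algo:exact"
ROLE_PREFIX = "urn:geant:eduroam:component:"
DEFAULT_RADSEC_PORT = 2083


def srv_name(realm):
    """DNS owner name that radsecproxy queries for a realm (per the slides)."""
    return "_radsec._tcp." + realm.strip().lower().rstrip(".")


def pick_srv_target(records):
    """Order SRV answers as a client would: lowest priority first, then higher
    weight first among equal priorities (RFC 2782 picks among equal priorities
    at random in proportion to weight; sorting keeps this example deterministic).
    Returns (host, port) of the first candidate, or None if there are no records."""
    if not records:
        return None
    best = sorted(records, key=lambda r: (r["priority"], -r["weight"]))[0]
    return best["target"], best["port"]


def find_radsec_server(metadata_xml, home_domain):
    """MDS path: return (host, port) of the RadSec endpoint of the entity whose
    HLPattern of Type HomeDomain matches home_domain exactly, else None."""
    root = ET.fromstring(metadata_xml)
    wanted = home_domain.strip().lower()
    for entity in root.iter("{%s}EntityDescriptor" % MD_NS):
        for pattern in entity.iter("{%s}HLPattern" % EGMD_NS):
            if pattern.get("{%s}Type" % EGMD_NS) != "HomeDomain":
                continue
            if pattern.get("{%s}MatchingAlgo" % EGMD_NS) != EXACT_ALGO:
                continue  # only the exact algorithm from the slide is implemented
            if (pattern.text or "").strip().lower() != wanted:
                continue
            sso = entity.find(
                "{%s}IDPSSODescriptor/{%s}SingleSignOnService" % (MD_NS, MD_NS))
            if sso is None:
                continue
            location = urlparse(sso.get("Location", ""))
            if location.scheme != "radsec" or not location.hostname:
                continue  # ignore endpoints that are not RadSec
            return location.hostname, location.port or DEFAULT_RADSEC_PORT
    return None


def peer_role_ok(san_uris, expected_role):
    """Mutual TLS proves the peer holds a CA-issued certificate; the role URN in
    subjectAltName says whether it may act as 'sp' (RadSec client) or 'idp'
    (server). Accept only if some URI carries the expected role."""
    for uri in san_uris:
        if not uri.startswith(ROLE_PREFIX):
            continue
        role = uri[len(ROLE_PREFIX):].split(":", 1)[0]
        if role == expected_role:
            return True
    return False


# Constructed metadata modelled on the slide's snippet (entityID is a placeholder).
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="%s" xmlns:egmd="%s">
  <md:EntityDescriptor ID="ustutt-1" entityID="urn:example:placeholder-entity">
    <md:IDPSSODescriptor ID="USTUTT-RADSEC">
      <md:SingleSignOnService Location="radsec://ksat124.rus.uni-stuttgart.de:2083"/>
    </md:IDPSSODescriptor>
    <md:Organization>
      <md:Extensions>
        <egmd:HLPattern egmd:MatchingAlgo="%s"
            egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
      </md:Extensions>
    </md:Organization>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>""" % (MD_NS, EGMD_NS, EXACT_ALGO)

# Constructed SRV answer set for _radsec._tcp.dame.uni-stuttgart.de.
SAMPLE_SRV = [
    {"priority": 20, "weight": 0, "target": "backup.example.invalid", "port": 2083},
    {"priority": 10, "weight": 5, "target": "ksat124.rus.uni-stuttgart.de", "port": 2083},
]

if __name__ == "__main__":
    print(srv_name("dame.uni-stuttgart.de"), "->", pick_srv_target(SAMPLE_SRV))
    print("MDS:", find_radsec_server(SAMPLE_METADATA, "uni-stuttgart.de"))
    print("peer may act as IdP:",
          peer_role_ok(["urn:geant:eduroam:component:idp:XYZ"], "idp"))
```

Both discovery paths end in the same place: a host and port to open a TLS connection to, after which `peer_role_ok` is the check that distinguishes a certificate that is merely valid from one whose holder is entitled to answer for that realm as an IdP.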
DAMe Testbed – Overall View (diagram slide)
Components shown: DNS; Client, AP, RADIUS, RadSec Proxy at UMU ("remote"); RadSec Proxy, RADIUS, DAMe-BE, XACML PDP, Shib IdP at USTUTT ("home"); eduGAIN MDS.

DAMe Testbed – UMU
- Client: wpa_supplicant
- Network SP:
  - FreeRADIUS 1.1.3 with dame-dictionary
  - radsecproxy 1.3.1
  - eduGAIN SCA certificate including eduroam URN (urn:geant:eduroam:component: ...)

DAMe Testbed – USTUTT
- Network IdP:
  - FreeRADIUS 2.0.2 with dame-enabled peap-module and dame-dictionary
  - radsecproxy 1.3.1, can be discovered by querying DNS for _radsec._tcp.dame.uni-stuttgart.de
  - eduGAIN SCA certificate including eduroam URN (urn:geant:eduroam:component: ...)
- SAML IdP:
  - Shibboleth IdP 1.3.2 + DAMe-BE
  - Issuing eduTokens

Next Steps
- USTUTT: separate network SP and network IdP
- Finish deployment of DAMe including dynamic discovery components
- Publish metadata to mds.edugain.org
- Run federated tests UMU <-> USTUTT
- Optimize the radsec2mds tool
- Measure performance of DNS-based and MDS-based discovery
- Compare both methods

Any questions or comments?
DAMe website: http://dame.inf.um.es/