UPKI-Federation based on Shibboleth National Institute of Informatics Motonori Nakamura Toshiyuki Kataoka, Kyoto University Yasuo Okabe
OUTLINE
• Overview of UPKI and UPKI-Fed
• UPKI Single Sign-On Trial
• Roadmap
What is UPKI?
• We are undertaking the construction of University Public Key Infrastructure (UPKI), which is intended to achieve inter-university cooperation that makes use of educational and research computing systems, digital contents, networks, and business systems at almost 800 universities and other institutions in Japan, in safe, convenient, and effective ways.
• We are promoting an inter-university authentication federation by developing UPKI common specifications, and by developing applications using the PKI.
UPKI Three-Layer Architecture
• Open Domain PKI (Public PKI)
  • Used for authentication, signature and encryption on the internet.
  • Public certificates for servers and individuals on the internet are issued by a PKI service provider.
• Campus PKI
  • Used on the campus network for secure access and secure transactions.
  • SSO, VPN, 802.1X, e-Approval, etc.
  • Each organization issues certificates for servers and for faculty, staff and students on its campus network.
• Grid PKI
  • Used for authentication to NAREGI.
  • NAREGI-CA issues certificates for HPC resources and NAREGI users.
[Diagram: UPKI three-layer architecture]
• Open Domain PKI: NII Public CA and other public CAs issue certificates to web servers and S/MIME users (sign, encrypt).
• Campus PKI: A Univ. CA and B Univ. CA issue campus-use end-entity (EE) certificates to students and faculty (authentication, sign, encrypt).
• Grid Computing (NAREGI PKI): A Univ. and B Univ. NAREGI CAs issue proxy end-entity certificates for servers and supercomputers.
• UPKI Activities: Server Certificates, S/MIME Certificates, UPKI Common Specification, eduroam, Shibboleth, CA Start-Pack, NAREGI-CA Enhancement.
UPKI-Fed Inter-University SSO Architecture
• Leveraging PKI and Shibboleth (SAML) technologies, UPKI-Federation, which enables secure Single Sign-On for inter-university services such as electronic journals, is under development.
• The project has been in the trial stage since Sept. 2008.
[Diagram: UPKI-Fed inter-university SSO architecture]
• Federation using Shibboleth and PKI: universities and academic societies each run an IdP (AuthN), alongside campus systems such as account issuance, wireless LAN and e-learning.
• SPs: e-journals, CiNii, ...
• UPKI-Federation core: Discovery Service, UPKI-IdP, metadata repository, support portal, server certificate issuance, and an operational organization responsible for policy and system specification.
• Faculty, students and society members get Single Sign-On and secure access from off-campus or from other campuses.
2. UPKI-FED SSO TRIAL
[Diagram: UPKI-Fed test-bed]
• A University and B University each run an IdP with attribute management and an administrator; a campus CA handles client certificate issuance.
• A commercial service runs an SP; a user is authenticated by the IdP of his/her own university and then single signs on to the participating SPs.
• SPs in the test-bed: CiNii, CMS (Plone1), CMS (Plone2), CMS (Moodle).
• UPKI-Fed central components: UPKI Open Domain CA, DS, metadata repository, IdP_00, IdP_01.
Feasibility Study Schedule (FY2008)
• Preparation
  • Setup documents
  • VMware image for IdP
  • Test-bed including DS and repository
• Explanatory meeting (July 2008, twice)
  • Asked each institution to send both IT staff and librarians
• Development
  • Developed test SP
  • Supported institutions in setting up IdP and SP
  • Metadata distribution
  • Feasibility test instructions
  • Shared information via wiki, mailing list and mail magazine
• Participants meeting (Nov. 2008)
  • Status reports from all institutions
• Preparation for next step
  • Discussion and development of policy for pilot operation
• Demonstration at UPKI Symposium 2009 (Feb. 2009)
Participants
• 27 institutions: 30 IdP sites, 18 SP sites
• Completed connection to Elsevier!
[Chart: number of connected IdP and SP sites per month, Aug. 2008 to Feb. 2009]
Feasibility Study
• Trial using Shibboleth 2.0/2.1.2
• Single Sign-On connection among universities' IdPs, SPs, and commercial SPs from abroad
  • Shibboleth 2.0 protocol among participants in Japan
  • Shibboleth 1.3 protocol to connect to existing commercial SPs from abroad
• Metadata automatic download test
• Metadata signing and verification test
• Connecting IdP to campus LDAP/AD
• Attribute send/receive test, including Japanese attributes
• Test of tools such as ArpViewer
Connecting to commercial SP from abroad
[Diagram: IdPs in Japan, including the NII IdP (idp.nii.ac.jp) backed by the institution's AD, authenticating users to an SP abroad and to test SPs in participating institutions]
• The first Shibboleth connection in Asia with an e-journal from abroad!
• All institution members can use the IdP now!
Connection with commercial SPs from abroad
• Completed with Elsevier (ScienceDirect, Scopus)
  • Protocol = Shibboleth 1.3: changed the UPKI-Fed protocol from Shib 2.0 only to Shib 2.0/Shib 1.3
  • Certificate: asked SPs from abroad to use a commercial public certificate, because UPKI cannot issue certificates to organizations abroad
• Connection planned with other commercial SPs soon: RefWorks, Nature, OUP (Oxford University Press), LWW/Ovid, Springer, Thomson, EBSCO
• Within the next fiscal year (?): CUP (Cambridge University Press), Wiley-Blackwell, SAGE, ProQuest, JSTOR, Serials Solutions, Taylor & Francis, APS (American Physical Society)
3. ROADMAP
UPKI-Fed Prospective Plan
• Goal: Inter-University AuthN and AuthZ Infrastructure for ALL Services
• "Feasibility Study" will end in Mar. 2009
• "Pilot Operation" will start from April 2009
[Timeline]
• FY2008 Feasibility Study: connection using test accounts
• FY2009 Pilot Operation: connection using real accounts under campus policies
• FY2010 Practical Operation: practical operation with real accounts and services
Preparation for UPKI-Fed Pilot Operation
• UPKI-Fed Policy (under development)
  • "UPKI-Fed Pilot Operation Procedure" (Draft)
  • "UPKI-Fed System Specification" (Draft)
• Attributes (specified in the above document)
  • eppn/persistentID, o, ou, eduPersonAffiliation, etc.
  • Two-byte character (Japanese) support: Name, DisplayName, OrganizationName, ... (defining "jasn", "jaDisplayName", "jao", ... is under discussion)
• Configuration template
  • Preparing templates for attribute-resolver, attribute-filter and attribute-map for UPKI-Fed participants
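As an added example, not one of the UPKI-Fed draft templates, the following Shibboleth IdP 2.x attribute-filter.xml releases only the attributes listed above to SPs in the federation metadata group, restricts eduPersonAffiliation to its controlled vocabulary, and gives one e-journal SP an even narrower set with no user identifier. The groupID and the SP entityID are placeholders, and the attributeIDs assume the attribute-resolver defines them under these names.

```xml
<afp:AttributeFilterPolicyGroup id="UPKIFedFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Federation-wide default: an identifier plus coarse organizational
       attributes, nothing else. The groupID is a placeholder; it must match
       the EntitiesDescriptor Name in the federation metadata. -->
  <afp:AttributeFilterPolicy id="releaseToUPKIFedSPs">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
        groupID="urn:example:upki-fed-testbed" />
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="persistentId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="o">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="ou">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <!-- Release only controlled-vocabulary affiliation values; a typo or a
         locally invented value is dropped rather than sent to the SP. -->
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" />
      </afp:PermitValueRule>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- Per-SP policy for an e-journal SP that only needs to know the user is
       an affiliated member of the institution: no identifier is released, so
       the publisher cannot link sessions to a person. Placeholder entityID. -->
  <afp:AttributeFilterPolicy id="releaseToEJournalSP">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
        value="https://sp.example-publisher.com/shibboleth" />
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="o">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

Filter policies are cumulative: an SP that also matches the federation-group rule receives the union of both policies, so the narrower per-SP policy only limits release when that SP is not in the group.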
Summary
• UPKI-Fed: Japanese Academic Federation
• Architecture design: develop a suitable architecture on the UPKI PKI infrastructure (three layers), taking institutions' situations into consideration; deployment of Shibboleth/SAML
• Roadmap:
  • FY2008 Feasibility Study: evaluate and develop the architecture using the test-bed; small start with a few SP services
  • FY2009 Pilot Operation
  • FY2010 onward: Operational