Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network.

Published byAugustine Scott Modified over 8 years ago

Similar presentations

Presentation on theme: "University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network."— Presentation transcript:

1 University of Murcia Gabriel López

2  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network authorization based on end user attributes ◦ Based on eduGAIN BEs ◦ XACML authorization policies  Web authN and authZ profile  Beside: ◦ Integrated with Shibboleth and PAPI idPs ◦ Support for LoA (Level of Assurance) ◦ RadSec deployment in progress

3  New services for SSO  Based on the SSO token provided by DAMe  Provide APIs for BEs:  Token generation  Token validation  Authorization  Unified SSO token  perfsonar, DAMe, etc  Provide optional authorization for VoIP services based on end user attributes  SIP protocol for testing

4

5  Profile 1: The user has a valid SSO token ◦ From the end user network authentication (DAMe) ◦ New registration method required ◦ Token validation through BEs ◦ Extending registration method for authorization  Profile 2: The end user does not have a valid SSO token ◦ Receives a new SSO token for further authentications (VoIP, Web, etc…) ◦ Who does the end user authentication?  VoIP Registrar vs idP ◦ Who does the token generation? BEs vs idP

6  Profile 2: SSO token generation delegated to the BEs (DAMe-based)  Profile 2.1 Traditional authentication in the registrar server (HTTP-Digest)  Authentication in the registrar server  Profile 2.2 Authentication based on HTTP (HTTP-redirect)  Authentication in the idP  Profile 2.3 in-line/native authentication (new method)  Authentication in the idP ◦

7

8  Extension of SIP messages: ◦ Register (token) ◦ New authentication method  Extension of SIP proxies: ◦ Token validation  BEs ◦ Authorization based on end user and environment attributes  BEs  Authorization process (attributes recovery and PDP requests are transparent for proxies )

9

10  Extension of SIP messages: ◦ OK 200 (token) ◦ Classic authentication  Extension of SIP proxies: ◦ Token generation request  BEs ◦ Authorization based on end user and environment attributes  BEs

11

12  Extension of SIP messages: ◦ REGISTER (artifact) ◦ OK 200 (token) ◦ HTTP redirection authN  Extension of SIP proxies: ◦ Token generation request  BEs ◦ Authorization based on end user and environment attributes  BEs

13

14  Extension of SIP messages: ◦ OK 200 (token) ◦ Register includes end user creds (protected channel needed)  Extension of SIP proxies: ◦ Token generation request  BEs ◦ Authorization based on end user and environment attributes  BEs

15  AuthnRequest(SSOToken): Boolean ◦ SSOToken validation (profile 1)  Validity Period, signature (PKC chain, trust anchors, etc)  AuthnQuery(user): SSOToken ◦ Requests authentication statement from idP (profile 2.1) ◦ Generates SSO token  AuthnRequest(artifact): SSOToken ◦ AuthN statement recovery from idP (profile 2.2) ◦ SSO token generation  AuthnRequest(creds): SSOToken ◦ Sends authentication requests (application specific to idP) (profile 2.3) ◦ SSO token generation

16  AuthzRequest(SSOToken): Boolean (+obligations) ◦ Recover end user attributes from home domain  Through eduGAIN BEs  Directly from the AttributeProvider ◦ Request an Authorization Decision  To the local PDP  Based on End User id, End User attributes, resource, action, other info (date/time, network load, etc.)

17  SIP allows the extension of standard messages ◦ Extension Service Instruction  Authentication methods have already been proposed in other works  BE-API valid for other services?  Compliant with other SAML/SIP proposals (Tschofenig)  Security of the token ◦ alice  R-SIP Registrar ◦ SIP/SSL, IPSec, token encryption

18  backup

19

20

21

Download ppt "University of Murcia Gabriel López.  Network authentication in eduroam and SSO token distribution ◦ RADIUS hierarchy ◦ Token based on SAML  Network."

Similar presentations

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.

Access & Identity Management “An integrated set of policies, processes and systems that allow an enterprise to facilitate and control access to online.
Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.

Step Up Authentication in SAML (and XACML) Hal Lockhart February 6, 2014.
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.

Donkey Project Introduction and ideas around February 21, 2003 Yuri Demchenko.
Moonshot Workshop 14 th October 2014. Introduction to the Day Moonshot Workshop.

Moonshot Workshop 14 th October Introduction to the Day Moonshot Workshop.
Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.

Access Control Patterns & Practices with WSO2 Middleware Prabath Siriwardena.
Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.

Hannes Tschofenig (IETF#79, SAAG, Beijing). Acknowledgements I would like to thank to Pasi Eronen. I am re- using some of his slides in this presentation.
Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.

Infocard and Eduroam Enrique de la Hoz, Diego R. L ó pez, Antonio Garc í a, Samuel Mu ñ oz.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
T-110.5140 Network Application Frameworks and XML Service Federation 30.04.2007 Sasu Tarkoma.

T Network Application Frameworks and XML Service Federation Sasu Tarkoma.
EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.

EDINA 20 th March 2008 EDINA Geo/Grid - Security Prof. Richard O. Sinnott Technical Director, National e-Science Centre University of Glasgow, Scotland.
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
WebFTS as a first WLCG/HEP FIM pilot

WebFTS as a first WLCG/HEP FIM pilot
Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.

Matt Steele Senior Program Manager Microsoft Corporation SESSION CODE: SIA326.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Authorization architecture sketches draft-selander-core-access-control-02 draft-gerdes-core-dcaf-authorize-02 draft-seitz-ace-design-considerations-00.

Similar presentations

Ads by Google