We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byEliana Snead
Modified over 2 years ago
2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph Graf, Head of Network Security
2005 © SWITCH 2 SWITCHaai Agenda AAI deployment in Switzerland SWITCHaai key issues AAI & Grid Outlook EUGridPMA
2005 © SWITCH 3 SWITCHaai Motivation for SWITCHaai Need for SWITCHaai spawned by Swiss Virtual Campus, a large national e-learning project. -About 30 projects developing e-learning contents involving at least three different sites Authentication & Authorization not to be solved by each project individually
2005 © SWITCH 4 SWITCHaai Identity Providers (Home Orgs) Service Providers (Resources) Organizational Framework Interoperation Central Services Funding SWITCHaai Building Blocks
2005 © SWITCH 5 SWITCHaai SWITCH acts as SWITCHaai Federation service provider Federation membership is based on signed service agreements Organization Organizational Framework
2005 © SWITCH 6 SWITCHaai Interoperation Requires agreement on technical details like Standards -SAML 1.1 Software versions (as per May 2005) -Shibboleth 1.1 for identity providers Shibboleth 1.2.1 for service providers Accepted certificate authorities -SWITCHpki plus Thawte, Trustcenter, VeriSign Attribute specification -swissEduPerson
2005 © SWITCH 7 SWITCHaai Criteria for attribute specification -Start simple, extend as required -Common understanding on interpretation -Already widely used swissEduPerson Attribute usage by applications -Use minimal set required -Data protection principle Interoperation Interoperation: Attributes
2005 © SWITCH 8 SWITCHaai Identity Provider Integration AAI-enabled Identity Provider User Directory Authentication System AAI Currently in use in SWITCHaai: Authentication Systems OpenLDAP with CAS or Pubcookie Kerberos AuthN with Active Directory Windows AuthN with IIS User Directory OpenLDAP Active Directory Identity Providers
2005 © SWITCH 9 SWITCHaai Identity Providers in SWITCHaai Operational AAI Identity Provider ETH Zurich University Zurich Virtual Home Org SWITCH University Geneva 110’000 Swiss Higher Ed users have an AAI-Account (≈ 50% of all) Zurich University of Applied Sciences Winterthur AAI Identity Provider getting ready University Hospital Zurich University Lucerne University Fribourg University Berne University Lausanne Identity Providers
2005 © SWITCH 10 SWITCHaai Federation Member Identity Provider Resource Owner End User Admin Some end users without identity provider VHO Service @SWITCH User Dir VHO Policy Identity Providers Virtual Home Organization – VHO Integrate end users without Identity Provider -Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider -A VHO account is only usable for the resource(s) managed by the resource owner
2005 © SWITCH 11 SWITCHaai Types of Service Providers e-learninglibraries other web applications DOIT VITELS Vista@SVC AD Learn & Co Vconf-Reservation SMS-Gateway EZproxy commercial ScienceDirect WebCT@ETHZ OLAT Moodle BSCW Blackboard SwissLex IS-Academia Jobs@BWI ILIAS TWiki eShops Service Providers … 50 ‘shibbolized’ servers 10’000 active AAI Users
2005 © SWITCH 12 SWITCHaai Service Provider Example: DOIT University Zurich University Lausanne AAI Identity Provider University Berne AAI Service Provider DOIT: Dermatology Online with Interactive Technology 500 AAI Users Access Rule: IdP = UniZH | UniBE | UniL Affiliation= student studyBranch= medicine studyLevel= 15 Service Providers
2005 © SWITCH 13 SWITCHaai Service Providers Integration of „Blackboxes“ AAIportal (open source, GPL) Authentication / authorization gateway Portal functionalities (optional) User management (optional) Adaptors to blackbox applications: -WebCT Vista -WebCT CE -… AAIportal Sign On A1...... A2 API Application Shibboleth
2005 © SWITCH 14 SWITCHaai Central Services Central AAI Services Strategy & marketing International contacts Support, consulting, training Providing federation-specific files and configuration guides Operating WAYF server Testing parties (identity provider service provider) Jump-start service Virtual Home Organization ‘Where are you from?’
2005 © SWITCH 15 SWITCHaai Key Issues in SWITCHaai Structure of SWITCHaai Federation -Switzerland is strongly federal solve problems at the lowest level coordinate where useful AAI is more than Shibboleth -SWITCHaai designed to be extensible policies federation SAML 2 and Shibboleth 2 will allow interoperability with other SAML based infrastructures
2005 © SWITCH 16 SWITCHaai AAI and Grid SWITCHaai concept is ready for Grid integration Current Shibboleth version not yet Grid ready GridShib, an Internet2 project, links upcoming Shibboleth 1.3 with Globus Toolkit 4.1 -first phase to be implemented until autumn 2005 -second phase to be implemented until second half of 2006 -http://grid.ncsa.uiuc.edu/GridShib/ Extension to other n-tier use cases possible
2005 © SWITCH 17 SWITCHaai Outlook 2005 – 2007 More national AAI related projects -supported by federal grants (on matching funds) Non-web browser based service providers (like Grid) Study on AAI and ECTS Study on extending AAI to AAAI -accounting, but not limited to billing Integration of federation partners -resources from non-members -other federations http://www.switch.ch/aai
2005 © SWITCH 18 SWITCHaai EUGridPMA What the EUGridPMA does -A useful job for Grid projects (evaluating CP/CPSs) -Impressive PR: made it into eIRG papers (together with TACAR) NREN perspective: -NRENs engaging in PKIs need something similar to interwork -But we will need more than one assurance level (Grid strength certs and basic strength certs) The predicted future of EUGridPMA: -Perish: If they stay Grid-specific -Flourish: if they become relevant beyond the Grid Recommendation: -NRENs to collaborate and eventually host EUGridPMA activities -Terena to play an important role (how about TACAR++?)
2005 © SWITCH Deployment of a Shibboleth-based Infrastructure in Switzerland: SWITCHaai Martin Sutter, Head of NetServices, SWITCH (Ueli Kienholz & Thomas.
2005 © SWITCH Interoperability Shibboleth and gLite in EGEE-2 MWSG Amsterdam Dec 15, 2005 Christoph Witzig SWITCH.
2004 © SWITCH 1 Shibboleth in Switzerland Internet2 Spring Meeting 2004 Thomas Lenggenhager Overview SWITCH & SWITCHaai Project.
2005 © SWITCH Perspectives of Integrating AAI with Grid in EGEE-2 Christoph Witzig Amsterdam, October 17, 2005.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
2006 © SWITCH SWITCH Plans for Shibboleth and Grid GGF16 Feb 14, 2006 Christoph Witzig (Thomas Lenggenhager, Valery Tschopp, Placi Flury) SWITCH.
2006 © SWITCH Grid Activities at SWITCH Christoph Witzig EGEE - 06 Geneva Sep 28, 2006.
Lousy Introduction into SWITCHaai
EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Interoperability Shibboleth - gLite Christoph.
SWITCHaai Team Federated Identity Management.
AAI-enabled VO Platform “VO without Tears” Christoph Witzig EGI TF, Amsterdam, Sept 15, 2010.
1 Issues in federated identity management Sandy Shaw EDINA IASSIST May 2005, Edinburgh.
Helsinki Institute of Physics (HIP) Liberty Alliance Overview of the Liberty Alliance Architecture Helsinki Institute of Physics (HIP), May 9 th.
2006 © SWITCH Spring 2006 Internet2 Member Meeting The SWITCHaai Federation in Switzerland Thomas Lenggenhager
Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.
Copyright JNT Association 20051Optional Copyright JNT Association Joining the UK Access Management Federation 4th April.
2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.
Kerberos and Identity Federations Daniel Kouřil, Luděk Matyska, Michal Procházka, Tomáš Kubina AFS & Kerberos Best Practices Worshop 2008.
© 2017 SlidePlayer.com Inc. All rights reserved.