Presentation is loading. Please wait.

Presentation is loading. Please wait.

2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph.

Similar presentations

Presentation on theme: "2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph."— Presentation transcript:

1 2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph Graf, Head of Network Security

2 2005 © SWITCH 2 SWITCHaai Agenda AAI deployment in Switzerland SWITCHaai key issues AAI & Grid Outlook EUGridPMA

3 2005 © SWITCH 3 SWITCHaai Motivation for SWITCHaai Need for SWITCHaai spawned by Swiss Virtual Campus, a large national e-learning project. -About 30 projects developing e-learning contents involving at least three different sites  Authentication & Authorization not to be solved by each project individually

4 2005 © SWITCH 4 SWITCHaai Identity Providers (Home Orgs) Service Providers (Resources) Organizational Framework Interoperation Central Services Funding SWITCHaai Building Blocks

5 2005 © SWITCH 5 SWITCHaai SWITCH acts as SWITCHaai Federation service provider Federation membership is based on signed service agreements Organization Organizational Framework

6 2005 © SWITCH 6 SWITCHaai Interoperation Requires agreement on technical details like Standards -SAML 1.1 Software versions (as per May 2005) -Shibboleth 1.1 for identity providers Shibboleth 1.2.1 for service providers Accepted certificate authorities -SWITCHpki plus Thawte, Trustcenter, VeriSign Attribute specification -swissEduPerson

7 2005 © SWITCH 7 SWITCHaai Criteria for attribute specification -Start simple, extend as required -Common understanding on interpretation -Already widely used  swissEduPerson Attribute usage by applications -Use minimal set required -Data protection principle Interoperation Interoperation: Attributes

8 2005 © SWITCH 8 SWITCHaai Identity Provider Integration AAI-enabled Identity Provider User Directory Authentication System AAI Currently in use in SWITCHaai: Authentication Systems OpenLDAP with CAS or Pubcookie Kerberos AuthN with Active Directory Windows AuthN with IIS User Directory OpenLDAP Active Directory Identity Providers

9 2005 © SWITCH 9 SWITCHaai Identity Providers in SWITCHaai Operational AAI Identity Provider ETH Zurich University Zurich Virtual Home Org SWITCH University Geneva 110’000 Swiss Higher Ed users have an AAI-Account (≈ 50% of all) Zurich University of Applied Sciences Winterthur AAI Identity Provider getting ready University Hospital Zurich University Lucerne University Fribourg University Berne University Lausanne Identity Providers

10 2005 © SWITCH 10 SWITCHaai Federation Member Identity Provider Resource Owner End User Admin Some end users without identity provider VHO Service @SWITCH User Dir VHO Policy Identity Providers Virtual Home Organization – VHO Integrate end users without Identity Provider -Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider -A VHO account is only usable for the resource(s) managed by the resource owner

11 2005 © SWITCH 11 SWITCHaai Types of Service Providers e-learninglibraries other web applications DOIT VITELS Vista@SVC AD Learn & Co Vconf-Reservation SMS-Gateway EZproxy commercial ScienceDirect WebCT@ETHZ OLAT Moodle BSCW Blackboard SwissLex IS-Academia Jobs@BWI ILIAS TWiki eShops Service Providers …  50 ‘shibbolized’ servers  10’000 active AAI Users

12 2005 © SWITCH 12 SWITCHaai Service Provider Example: DOIT University Zurich University Lausanne AAI Identity Provider University Berne AAI Service Provider DOIT: Dermatology Online with Interactive Technology 500 AAI Users Access Rule: IdP = UniZH | UniBE | UniL Affiliation= student studyBranch= medicine studyLevel= 15 Service Providers

13 2005 © SWITCH 13 SWITCHaai Service Providers Integration of „Blackboxes“ AAIportal (open source, GPL) Authentication / authorization gateway Portal functionalities (optional) User management (optional) Adaptors to blackbox applications: -WebCT Vista -WebCT CE -… AAIportal Sign On A1...... A2 API Application Shibboleth

14 2005 © SWITCH 14 SWITCHaai Central Services Central AAI Services Strategy & marketing International contacts Support, consulting, training Providing federation-specific files and configuration guides Operating WAYF server Testing parties (identity provider  service provider) Jump-start service Virtual Home Organization ‘Where are you from?’

15 2005 © SWITCH 15 SWITCHaai Key Issues in SWITCHaai Structure of SWITCHaai Federation -Switzerland is strongly federal  solve problems at the lowest level  coordinate where useful AAI is more than Shibboleth -SWITCHaai designed to be extensible  policies  federation SAML 2 and Shibboleth 2 will allow interoperability with other SAML based infrastructures

16 2005 © SWITCH 16 SWITCHaai AAI and Grid SWITCHaai concept is ready for Grid integration Current Shibboleth version not yet Grid ready GridShib, an Internet2 project, links upcoming Shibboleth 1.3 with Globus Toolkit 4.1 -first phase to be implemented until autumn 2005 -second phase to be implemented until second half of 2006 - Extension to other n-tier use cases possible

17 2005 © SWITCH 17 SWITCHaai Outlook 2005 – 2007 More national AAI related projects -supported by federal grants (on matching funds) Non-web browser based service providers (like Grid) Study on AAI and ECTS Study on extending AAI to AAAI -accounting, but not limited to billing Integration of federation partners -resources from non-members -other federations

18 2005 © SWITCH 18 SWITCHaai EUGridPMA What the EUGridPMA does -A useful job for Grid projects (evaluating CP/CPSs) -Impressive PR: made it into eIRG papers (together with TACAR) NREN perspective: -NRENs engaging in PKIs need something similar to interwork -But we will need more than one assurance level (Grid strength certs and basic strength certs) The predicted future of EUGridPMA: -Perish: If they stay Grid-specific -Flourish: if they become relevant beyond the Grid Recommendation: -NRENs to collaborate and eventually host EUGridPMA activities -Terena to play an important role (how about TACAR++?)

Download ppt "2005 © SWITCH Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices Thomas Lenggenhager, Deputy Project Manager AAI Christoph."

Similar presentations

Ads by Google