Presentation on theme: "eduroam Delegate Authentication System with Shibboleth SSO"— Presentation transcript:
1 eduroam Delegate Authentication System with Shibboleth SSO 29th APAN MeetingFeb. 8-11, 2010, Sydney, Australiaeduroam Delegate Authentication System with Shibboleth SSOHideaki Goto, Hideaki Sone Tohoku Univ. / NIIIchiro Yamaguchi, Takaaki Suzuki Tohoku Univ.
2 1,200+ (govt. survey in year 2008) A great challenge … How many higher education institutions are there in Japan?1, (govt. survey in year 2008)765 universities (86 national, 90 public)481 two-year colleges and vocational collegeseduroam deployment: 11 / 1200 = 0.9%
3 Problems Our solutions A large number of institutions (1,200+) Difficulties in RADIUS deploymentLaborious eduroam connection / management workOur solutionsFederated Delegate Authentication System with centralized RADIUS serverremove RADIUS IdP at each institutionFederation using Shibboleth SSOsimplify RADIUS tree (higher stability)solve some privacy and security issuesWeb-based eduroam IdP / SP management systemreduce the work at both the eduroam JP office and each institution
5 Federated Delegate Authentication System Account Issuer as a Shibboleth SP of Japan’s UPKI inter-university federationCentralized RADIUS server to simplify the RADIUS proxy tree3 types depending on the needs and federation levelPseudo-anonymized, fixed-term, and traceable roaming IDs
6 Delegate Authentication System - Type I Japan’s centralized account issuerInstitutionsRADIUS serverThe accountis temporary and expires within 6 months.pseudonymous accountsIdMWeb UIIdMManual account issue requests by administrators.The system can be used even without IdM.Issuing Guest IDs is possible.
7 Delegate Authentication System – Type II Japan’s centralized account issuerInstitutionsRADIUS serverThe accountis temporary and expires within 6 months.pseudonymous accountWeb UIIdMIdMID federation using Shibboleth/SAMLfor administrators only.Administrators can request for user accounts in bulk.Issuing Guest IDs is possible.
8 Delegate Authentication System – Type III Japan’s centralized account issuerInstitutionsRADIUS serverThe accountis temporary and expires within a month.pseudonymous accountIdMIdMID federation using Shibboleth/SAMLEnd user can request for personal accounts only.
9 Web-based eduroam IdP / SP management system development under wayFeatures:Application for eduroam IdP / SP connection via eduroam JP websiteOnline sign-up for institutional administrator(s) ( require approval by the national admin. )Online registration of institution dataManagement console for institutionsRADIUS server address and secret settingEnable or disable Self-IdP / DEAS / SP(AP)Remote authentication self-testing (planned)
10 NEWS Negotiation is under way with a commercial Wi-Fi Service Provider We will have hundreds of eduroam APs in the central Tokyo !Outsourcing campus Wi-Fi system would be a key to success of large-scale deployment.
11 SummaryLarge-scale eduroam deployment in Japan -- A great challenge --Delegate Authentication Systemease eduroam deploymentFederated ID issuer as a Shibboleth SPsimplify eduroam network = stabilize eduroam authenticationWeb-based eduroam IdP / SP managementmake eduroam easy-to-joinsimplify connection and administration workat the national administrative bodyat each institution
13 Problem details in large-scale deployment Difficult and laborious configurations of RADIUS / APs at each organization.Difficulties in newly constructing an “eduroam account database” or making a RADIUS-IdM bridge for each organization.Many universities do not have Federated IdM yet.Laborious work for institution connection.A lot of paper workRADIUS configuration supportConnection testingTroubleshooting … etc.Impossible to deal with hundreds of institutions!
14 eduroam JP in UPKI project An activity in NII’s UPKI projectPromotion and Operation of eduroam JP11 institutions connected (Feb. 2010)Tutorial & technical documentsR&D to solve problemsEasy configurationsGuest use of local IP addressesLocation privacy, etc.Talks with commercial W-ISPs for roamingShared access points possible?Negotiations are under way.
15 Threats of ID/PW leakage User ID is logged at proxy servers along the AAA path.Location privacy problem.PW could be logged due to inappropriate configuration by the user.Critical security breach if an important PW is used.loggedWorldwide RADIUS treepotential leakageloggedloggedloggedID databaseRADIUS Access RequestAPRADIUS Access Accept / Reject