1 eduroam Delegate Authentication System with Shibboleth SSO. Hideaki Goto, Hideaki Sone (Tohoku Univ. / NII); Ichiro Yamaguchi, Takaaki Suzuki (Tohoku Univ.). 29th APAN Meeting, Feb. 8-11, 2010, Sydney, Australia.
2 A great challenge … How many higher education institutions are there in Japan? 1,200+ (govt. survey in year 2008): 765 universities (86 national, 90 public) and 481 two-year colleges and vocational colleges. eduroam deployment: 11 / 1200 = 0.9%.
3 Problems: a large number of institutions (1,200+); difficulties in RADIUS deployment; laborious eduroam connection / management work. Our solutions: a Federated Delegate Authentication System with a centralized RADIUS server, which removes the need for a RADIUS IdP at each institution; federation using Shibboleth SSO, which simplifies the RADIUS tree (higher stability) and solves some privacy and security issues; a web-based eduroam IdP / SP management system, which reduces the work at both the eduroam JP office and each institution.
4 Easy-to-join eduroam system (diagram labels: RADIUS IdP, RADIUS proxy, auth requests, institutions, RADIUS server, access points, national top-level). 1. Delegate Authentication System (DEAS). 2. eduroam IdP/SP management web.
5 Federated Delegate Authentication System: the account issuer acts as a Shibboleth SP of Japan's UPKI inter-university federation; a centralized RADIUS server simplifies the RADIUS proxy tree; 3 types are offered depending on the needs and federation level; roaming IDs are pseudo-anonymized, fixed-term, and traceable.
6 Delegate Authentication System - Type I (diagram: institutions' IdM, Japan's centralized account issuer with Web UI and RADIUS server). Manual account issue requests by administrators. The system can be used even without IdM. Issuing Guest IDs is possible. Pseudonymous accounts; the account is temporary and expires within 6 months.
7 Delegate Authentication System – Type II (diagram: institutions' IdM, Japan's centralized account issuer with Web UI and RADIUS server). ID federation using Shibboleth/SAML for administrators only. Administrators can request user accounts in bulk. Issuing Guest IDs is possible. Pseudonymous accounts; the account is temporary and expires within 6 months.
8 Delegate Authentication System – Type III (diagram: institutions' IdM, Japan's centralized account issuer with RADIUS server). ID federation using Shibboleth/SAML; end users can request personal accounts only. Pseudonymous accounts; the account is temporary and expires within a month.
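The three account types above, as an added example that is not part of the presentation or of the real DEAS: a toy Python account issuer that hands out random pseudonymous roaming IDs with the per-type lifetime the slides state, enforces the Type III personal-account-only rule, and keeps the traceability mapping at the issuer alone. The realm name, the record layout, the 182-day approximation of "6 months", and the sample principals are assumptions.

```python
import secrets
from datetime import datetime, timedelta

# Placeholder realm for issuer accounts; the slides do not name the real one (assumption).
DEAS_REALM = "deas.example.jp"
# Constructed sample clock for the demo: the date of the APAN meeting on the title slide.
NOW = datetime(2010, 2, 8)
# Account lifetime per DEAS type as given on the slides: Type I and II expire
# within 6 months (approximated here as 182 days), Type III within a month.
LIFETIME = {"I": timedelta(days=182), "II": timedelta(days=182), "III": timedelta(days=30)}


class AccountIssuer:
    """Toy model of the centralized account issuer (assumed design, not the real system).

    Hands out pseudonymous, fixed-term roaming IDs and keeps the only record that
    links a roaming ID back to the requesting institution and principal.
    """

    def __init__(self):
        self._records = {}  # roaming_id -> dict(type, institution, requester, subject, expires)

    def issue(self, deas_type, institution, requester, subject, now):
        if deas_type == "III" and subject != requester:
            # Type III: end users may request personal accounts only.
            raise PermissionError("Type III accounts are personal: subject must equal requester")
        # Random pseudonym carrying no user or institution information, so proxies
        # along the RADIUS path only ever see and log an opaque identifier.
        roaming_id = f"{secrets.token_hex(6)}@{DEAS_REALM}"
        expires = now + LIFETIME[deas_type]
        self._records[roaming_id] = {"type": deas_type, "institution": institution,
                                     "requester": requester, "subject": subject, "expires": expires}
        return roaming_id, expires

    def issue_bulk(self, institution, admin, subjects, now):
        # Type II: a federated administrator requests accounts for many users at once.
        return [self.issue("II", institution, admin, s, now) for s in subjects]

    def is_valid(self, roaming_id, now):
        # The check the issuer's RADIUS server applies before accepting an authentication.
        rec = self._records.get(roaming_id)
        return rec is not None and now < rec["expires"]

    def trace(self, roaming_id):
        # Traceability stays with the issuer alone (e.g. for abuse handling);
        # nothing on the RADIUS path can perform this lookup.
        rec = self._records.get(roaming_id)
        return None if rec is None else {k: rec[k] for k in ("type", "institution", "subject")}
```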
9 Web-based eduroam IdP / SP management system (development under way). Features: application for eduroam IdP / SP connection via the eduroam JP website; online sign-up for institutional administrator(s) (requires approval by the national admin.); online registration of institution data; a management console for institutions covering RADIUS server address and secret setting, enabling or disabling Self-IdP / DEAS / SP(AP), and remote authentication self-testing (planned).
10 NEWS: Negotiation is under way with a commercial Wi-Fi Service Provider. We will have hundreds of eduroam APs in central Tokyo! Outsourcing the campus Wi-Fi system would be a key to the success of large-scale deployment.
11 Summary: Large-scale eduroam deployment in Japan -- a great challenge. The Delegate Authentication System eases eduroam deployment: a federated ID issuer acting as a Shibboleth SP simplifies the eduroam network, i.e. stabilizes eduroam authentication. Web-based eduroam IdP / SP management makes eduroam easy to join and simplifies the connection and administration work both at the national administrative body and at each institution.
12 Supplementary slides
13 Problem details in large-scale deployment: difficult and laborious configuration of RADIUS / APs at each organization; difficulties in newly constructing an eduroam account database or making a RADIUS-IdM bridge for each organization (many universities do not have federated IdM yet); laborious work for institution connection: a lot of paperwork, RADIUS configuration support, connection testing, troubleshooting, etc. Impossible to deal with hundreds of institutions!
14 eduroam JP in the UPKI project: an activity in NII's UPKI project. Promotion and operation of eduroam JP: 11 institutions connected (Feb. 2010); tutorial & technical documents. R&D to solve problems: easy configurations, guest use of local IP addresses, location privacy, etc. Talks with commercial W-ISPs for roaming: shared access points possible? Negotiations are under way.
15 Threats of ID/PW leakage: the user ID is logged at proxy servers along the AAA path (the worldwide RADIUS tree), which is a location privacy problem, and the logged ID database is a potential leakage. The PW could be logged due to inappropriate configuration by the user, a critical security breach if an important PW is used. (Diagram: AP, RADIUS Access Request, RADIUS Access Accept / Reject.)