Presentation transcript: Options for integrating the JANET Roaming Service (JRS) and Shibboleth
Tim Chown, University of Southampton (UK)
JISC Access Management Showcase Event, London, 18th July 2006
JRS and Shibboleth
- We have two access control worlds:
  - JRS for network access, as described in the previous talk
  - Shibboleth for (currently) web-based applications
- JRS is being widely adopted
  - With support at a European/world scale via eduroam
  - What more value can we get from it?
- UK Shibboleth early adopters making progress
- Can Shibboleth be used for WLAN access control?
- Could the JRS be used as a back-end for Shibboleth?
JRS features
- Easy to deploy
  - Most sites use RADIUS already
  - Uses generally long-established open standards
- Easy to join
  - Establish one RADIUS peering with the national proxy
  - No local access control micro-management required
- All-in
  - All sites implicitly trust all other sites
- No attributes
  - Purely an authentication scheme
  - Though RADIUS can carry attributes
Question 1
- Can we use Shibboleth for network layer access control for roaming users?
- User powers up in a WLAN hotspot
- Local network gateway blocks all external access until the user authenticates using Shibboleth
- To authenticate using Shibboleth the user needs web access to the WAYF service and their home authentication service
- Implies the local network gateway must be pre-configured with at least one allowed web destination per Shibboleth-enabled site that visitors may come from
- That doesn't scale!
Shib for WLAN roaming?
Question 2
- Can we use the JRS as a Shibboleth back end?
- May be able to leverage JRS to boost Shibboleth adoption - many JRS sites have no Shibboleth deployment
- Idea: introduce a Virtual Identity Provider (VIdP)
  - Functionally equivalent to a normal IdP
  - The VIdP uses the JRS as an authentication back-end
  - Any JRS-enabled site can use the VIdP in place of hosting its own IdP function
  - The VIdP can proxy on behalf of any number of sites
- RADIUS-Aware Gateway to Shibboleth (RAGS)
The RAGS model
Building the VIdP…
- Designed to have no changes to WAYF or SP code
- The IdP is modified to become the VIdP
- Tools already exist, e.g.:
  - Apache mod_auth_radius
  - JRadius Java connector, with support for (T)TLS for a secure connection from the VIdP to the home site
- The JRS site needs to opt in
  - Its entry in the WAYF service points to the VIdP
  - Can customise login appearance based on the passed URL
- Some policy issues/decisions
  - e.g. it's *possible* to add eduroam sites to the UK WAYF
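The RADIUS leg of the VIdP, as an added example that is not from the talk or from the RAGS project: a stdlib-only Python encoder for the RFC 2865 Access-Request a RADIUS-backed IdP would hand to the national proxy, with the realm check the proxy routes on, the User-Password hiding the RFC specifies, and a parser for the attributes in the Accept/Reject that comes back. The shared secret, authenticator, user name and password are constructed values, not anything from the JRS.

```python
import hashlib
import os
import struct
ACCESS_REQUEST, USER_NAME, USER_PASSWORD = 1, 1, 2  # RFC 2865 packet code and attribute types

def split_realm(user_name):
    """Realm routing: the JRS national proxy forwards on the part after '@'."""
    if "@" not in user_name:
        raise ValueError("no realm in user name; the proxy cannot route it")
    local, realm = user_name.rsplit("@", 1)
    return local, realm.lower()

def _xor_blocks(secret, authenticator, data, chain_on_output):
    # RFC 2865 s5.2: mask each 16-byte block with MD5(secret + previous block)
    prev, out = authenticator, bytearray()
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if chain_on_output else block
    return bytes(out)

def hide_password(secret, authenticator, password):
    """Client side: pad to a multiple of 16 bytes and obfuscate. This is hiding, not
    encryption: anyone holding the shared secret recovers the password, which is why
    the VIdP-to-home-site leg needs the (T)TLS wrapping the slide mentions."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(secret, authenticator, padded, True)

def reveal_password(secret, authenticator, hidden):
    """Home RADIUS server side: the reverse of hide_password."""
    return _xor_blocks(secret, authenticator, hidden, False).rstrip(b"\x00")

def build_access_request(secret, user_name, password, identifier, authenticator=None):
    """Access-Request the VIdP would send to the national proxy (constructed; no NAS attributes)."""
    split_realm(user_name)  # refuse unroutable identities before they leave the IdP
    authenticator = authenticator or os.urandom(16)  # must be fresh and unpredictable per request
    name, hidden = user_name.encode(), hide_password(secret, authenticator, password.encode())
    attrs = (struct.pack("BB", USER_NAME, 2 + len(name)) + name
             + struct.pack("BB", USER_PASSWORD, 2 + len(hidden)) + hidden)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs

def parse_attributes(packet):
    """Return (code, identifier, {type: value}); used on the Accept/Reject coming back."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, attrs
```

The reply parser is where the "though RADIUS can carry attributes" point from the JRS features slide becomes concrete: a home site's Access-Accept may carry attributes the VIdP could map into Shibboleth assertions.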
Closing observations
- Shibboleth and JRS are both being adopted
  - Initial adopter sites don't overlap that much
- Shibboleth is unsuitable for WLAN admission
- JRS *could* be offered as a Shibboleth back end
  - The VIdP is currently being developed
- What about attributes?
  - What classes of attributes will be required?
  - Can use JRadius to query RADIUS-based attributes
- More policy questions
  - Would using the JRS be acceptable to the UK federation?
  - Who would manage the VIdP?