2003 © SWITCH
Authentication and Authorisation Infrastructure - AAI
Christoph Graf, Project Leader AAI, SWITCH
Presentation transcript: e-Academia / AAI: Pilot phase

Slide 1: Authentication and Authorisation Infrastructure - AAI (title slide)

Slide 2: The Foundation SWITCH
- Set up in 1987 with the purpose: "... to create, promote and maintain the necessary fundamental means for efficient use of modern telecommunication methods for the benefit of education and research in Switzerland and to participate in such fundamental activities. ..."
- Amazingly enough, it still holds true without tweaking.

Slide 3: Business Areas of SWITCH (diagram)
- Network Engineering: IP, QoS, Routing, ...
- Network Operation: Help Desk, Consulting
- Security: Incident Handling, Consulting, Laboratory
- Internet Identifiers: Domain Name Registration and User Registrations, each with Invoicing, Administration, Help Desk, Online-Queries, Consulting
- NetServices: SWITCHvconf, Middleware incl. AAI, Service Monitoring, Diverse Applications incl. News, Consulting, SWITCHmobile, Content Delivery and Tools

Slide 4: How it all began...
- Call for participation in the Swiss Virtual Campus (SVC) in 1999
  - Fair amount of federal funds for the creation of e-learning course contents
  - Applying teams need to build consortia
  - Courses must be offered to consortia member organisations for free
  - Consortia members should put those courses into their curricula
- Problems
  - How to deal with user authentication and authorisation in this cross-organisational context?
  - Should every team solve the same problem individually?
  - The SVC is about contents, not tools
- SWITCH's answer
  - This is an opportunity to drive and co-ordinate efforts in our community
  - The AAI activity (Authentication and Authorisation Infrastructure) was outlined
  - It aims at establishing a cross-organisational infrastructure offering authentication and authorisation services (in a wider context than just covering the needs of the SVC)

Slide 5: e-Academia / AAI Concept
- Vision of e-Academia: "... let's develop e-Academia, let us build the foundations in the form of a uniform authentication and authorization infrastructure (AAI) for the higher education system in Switzerland ..."
- "We want a virtual community across our institutions in which all persons associated with the Swiss Higher Education System are able to gain access to its electronic resources, independent of the accrediting organization and independent of the place where they happen to be working."
- AAI as the foundation of e-Academia
- Roadmap 2000-2005: Concept, Study, Pilot, Realization V1.0, Realization V2.0

Slide 6: The AA Problem (1)
- Diagram: one user, one resource, one organization (University of Zurich). The Resource Owner holds the info about the user; the user presents an ID and credentials (compare: a Swiss passport).
- 1 user - 1 resource - 1 organization: NO PROBLEM

Slide 7: The AA Problem (2)
- Diagram: Resource A (University of Zurich), Resource B (University of Lausanne), Resource C (University Hospital of Geneva). Every resource keeps its own info about the user, and the user needs a separate ID and credentials for each of them.
- Many users - many resources - many organizations: A PROBLEM

Slide 8: The AA Model (1)
- Diagram with two domains:
  - User's Home Org: Registration (info: name, address, ...) is pre-processed and stored in the User DB
  - Resource Owner: Access Control Manager, Resource, Access Control Definition
- The diagram shows the registration step: the user is registered at the Home Org.
- Legend: data system; registration

Slide 9: The AA Model (2)
- Diagram: User's Home Org (User DB, Authentication), the AAI in between, Resource Owner (Access Control Manager, Resource, Access Control Definition)
- 1: Authentication of the user at the Home Org
- 2: Access Request of an authenticated user to the Resource Owner
- 3: Authorization Information Delivery from the Home Org to the Resource Owner through the AAI
- Legend: data system; AAI-interaction; authentication

Slide 10: The AA Model (3)
- Diagram: User's Home Org (Authentication, Log), Resource Owner (Access Control Manager), Other Applications (Accounting, Billing, Statistics)
- Input to Accounting or Billing systems: the AAI provides the Identity of the User and/or the Name of the Home Organization
- The Resource measures the interactions between a user and the resource

Slide 11: Scope of the AAI
- Core of the AAI: inter-organizational user authentication; secure transfer of authorization attributes
- Systems the AAI connects: Authentication systems, User Directories, WEB resources, Integrated Systems, WEB Portals
- Related topics shown around the AAI: Secure e-mail, Document encryption, SmartCards, PKI, WEB Single Sign-on, Unix/Windows login, Billing, Accounting, Legacy Applications

Slide 12: Advantages of an AAI
- Information protection: AAI simplifies the protection of information by applying standardized mechanisms. Resource owners can concentrate on the protection of their resources without having to implement an entire system including registration and authentication.
- Remote access: AAI makes it possible to authorize users based on personal attributes of a user instead of IP addresses. User authorization thus becomes location-independent.
- User friendliness: After a single registration a user can access a number of resources. Only one authentication technology is applied.
- IT efficiency: Standardized AA systems and cooperation among IT organizations improve the efficiency in the implementation and operation of security solutions.
- Administration overhead: Without AAI, a user has to register with various organizations. It is feared that the administrative overhead of individual organizations will increase dramatically. AAI counteracts this tendency.
- Image: Complicated and inconsistent AA mechanisms, or the isolation of resources and user groups, are no longer state of the art. Not having an AAI will damage the image in the long run.
- Virtual Mobility: AAI is a requirement if students of different universities wish to use common resources, and it is the basis for initiatives such as the Swiss Virtual Campus.

Slide 13: Pilot projects - Project Planning
- Roadmap 2001-2005: Study, Pilot, Realization V1.0, Realization V2.0
- Decision: Building up of infrastructure (June 2003)
- Pilot phase work packages (Jul - Sept 02, Oct - Dec 02, Jan - March 03, Apr - Jun 03): Policy, Attribute specification, Budgeting the implementation of Release 1.0, Tech. & org. concept, Legal basis, Service description, Selection of architecture

Slide 14: Authorisation Attributes
- Personal attributes: Unique Identifier (anonymous), Surname, Given name, Date of birth, Gender, E-mail Address(es), Phone number(s), Preferred language, Name of Home Organization, Type of Home Organization, Affiliation (student, staff, faculty, ...), Study branch, Study level, Staff category, Organization Path, Organization Unit Path
- Group membership
- User attributes for AAI:
  - are based on standards (LDAP: eduPerson, SHIS/SIUS)
  - have to be available in real-time
  - have to be handled as required by federal and cantonal data protection laws: attributes have to be accurate; attributes have to be stored securely; attributes should only be transferred to resources with a valid case to use them
  - will be revised in the future in a standardised change process, depending on the requirements of Resource Owners and Home Organizations

Slide 15: Shibboleth AA Process
- Parties: the User; the Resource Owner with Resource, SHIRE, SHAR and Resource Manager; the WAYF; the User's Home Org with Handle Service (HS), User DB and Attribute Authority (AA)
- 1: The user requests the Resource.
- 2: SHIRE: "I don't know you. Not even which home org you are from. I redirect your request to the WAYF."
- 3: WAYF: "Please tell me where you come from."
- 4: WAYF: "OK, I redirect your request now to the Handle Service of your home org."
- 5: HS: "I don't know you. Please authenticate yourself."
- 6: The user presents credentials, which the HS checks against the User DB.
- 7: HS: "OK, I know you now. I redirect your request to the target, together with a handle."
- 8: SHAR (sending the handle): "I don't know the attributes of this user. Let's ask the Attribute Authority."
- 9: AA (returning attributes): "Let's pass over the attributes the user has allowed me to release."
- 10: Resource Manager: "OK, based on the attributes, I grant access to the resource."
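The ten-step exchange above, as an added example that is not part of the original presentation and not Shibboleth's own code: a small Python simulation in which the home org's Handle Service hands the target an opaque handle instead of the user name, and its Attribute Authority releases only the attributes a release policy allows for the requesting resource. The organisation name, the user record, the resource name and the release policy are constructed sample data, and the HTTP redirects of the real protocol are replaced by direct calls.

```python
"""Simulated Shibboleth-style AA exchange as drawn on the slide (added example,
not SWITCH or Shibboleth code).  Names follow the slide: SHIRE and SHAR on the
resource side, the WAYF, and the Handle Service (HS) and Attribute Authority (AA)
at the home org.  User DB, release policy and requirements are constructed data."""
import hashlib
import hmac
import secrets


class HomeOrg:
    """User DB, Handle Service (HS) and Attribute Authority (AA) of one org."""

    def __init__(self, name, user_db, release_policy):
        self.name = name
        self.user_db = user_db                # uid -> attribute record
        self.release_policy = release_policy  # resource -> releasable attribute names
        self._handles = {}                    # opaque handle -> uid, consumed on use

    def authenticate(self, uid, password):
        """Steps 5-6: check the credentials against the user DB."""
        record = self.user_db.get(uid)
        if record is None:
            return False
        # Sample hashing only; a real user DB would use a slow password hash.
        digest = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(digest, record["password_hash"])

    def issue_handle(self, uid):
        """Step 7: the HS gives the target an opaque handle, never the uid."""
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = uid
        return handle

    def attribute_authority(self, handle, resource):
        """Step 9: resolve the handle and release only what the policy allows for
        this resource.  None for an unknown or already-used handle."""
        uid = self._handles.pop(handle, None)
        if uid is None:
            return None
        allowed = self.release_policy.get(resource, set())
        return {k: v for k, v in self.user_db[uid].items()
                if k != "password_hash" and k in allowed}


class ResourceOwner:
    """SHIRE, SHAR and Resource Manager for one web resource."""

    def __init__(self, resource, federation, required):
        self.resource = resource
        self.federation = federation  # org name -> HomeOrg ("club" members)
        self.required = required      # attribute -> acceptable values
        self.log = []                 # messages of the exchange, in order

    def access(self, user):
        """Run steps 1-10 for user = {"home_org", "uid", "password"};
        returns (granted, released_attributes)."""
        # 1-2: the SHIRE has no session for this user and redirects to the WAYF.
        self.log.append("SHIRE: I don't know you. Redirecting to the WAYF")
        # 3-4: the WAYF asks where the user comes from and redirects to that HS.
        org = self.federation.get(user["home_org"])
        if org is None:
            self.log.append("WAYF: that home org is not a club member")
            return False, None
        self.log.append(f"WAYF: redirecting to the Handle Service of {org.name}")
        # 5-6: the HS authenticates the user against the home org's user DB.
        if not org.authenticate(user["uid"], user["password"]):
            self.log.append("HS: authentication failed")
            return False, None
        # 7: the HS redirects back to the target together with a handle.
        handle = org.issue_handle(user["uid"])
        self.log.append("HS: OK, I know you now. Redirecting with a handle")
        # 8-9: the SHAR presents the handle to the AA and names the resource.
        attrs = org.attribute_authority(handle, self.resource)
        self.log.append(f"AA: released {sorted(attrs or {})}")
        # 10: the Resource Manager decides on the released attributes alone.
        granted = attrs is not None and all(
            attrs.get(k) in v for k, v in self.required.items())
        self.log.append("Resource Manager: access " + ("granted" if granted else "denied"))
        return granted, attrs


def _pw(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed sample federation: one home org and one SVC course resource.
UZH = HomeOrg("uni-zurich.example",
              user_db={"alice": {"password_hash": _pw("correct horse"),
                                 "affiliation": "student", "surname": "Example",
                                 "homeOrganization": "uni-zurich.example",
                                 "dateOfBirth": "1980-01-01"}},
              release_policy={"svc-course": {"affiliation", "homeOrganization"}})
FEDERATION = {UZH.name: UZH}
COURSE = ResourceOwner("svc-course", FEDERATION,
                       required={"affiliation": {"student", "faculty"}})


def demo():
    """Alice logs in to the course; surname and date of birth stay at home."""
    return COURSE.access({"home_org": "uni-zurich.example",
                          "uid": "alice", "password": "correct horse"})
```

Calling demo() grants Alice access on her affiliation alone: the surname and date of birth in the user DB never leave the home org because the release policy for svc-course does not list them, a resource the policy does not mention receives no attributes at all, and a handle presented to the AA a second time is rejected. COURSE.log holds the messages of the exchange in slide order.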

Slide 16: Preconditions for Home Organizations
- Diagram: User's Home Org with Registration (info: name, address, ...) into the User DB, and Authentication (ID, password) against the User DB
- Registration
  - A Home Organization must be able to register its users and store information about them in a user directory (database)
  - A Home Organization must be able to provide a minimal set of such user attributes to the AAI
  - The registration and administration processes have to guarantee that these attributes are kept accurate
- Authentication
  - A Home Organization has to offer secure authentication over the network to its users
  - It is up to the Home Organization which authentication technology it chooses.

Slide 17: AAI-enabling of Home Organizations
- Diagram: the AAI queries the Home Org's authentication system (answer: Yes/No) and the AAI directory (answer: Attributes); the AAI Dir is fed from one or more User DBs
- AAI integration: between the authentication system and the AAI; between the user DB / directory and the AAI
- Data consolidation: make sure that all the attributes needed are available online in the appropriate AAI format; if necessary, create a specific AAI user directory (read-only, periodically updated from the master databases)

Slide 18: AAI Resource Types (1)
- Type A: Unpersonalized web resources. Access control policy based on group membership attributes. AAI extensions for the web server. Example: Intranet web servers
- Type B: Personalized web resources (the Resource has its own User DB). Access control policy based on individual and group membership attributes. AAI extensions for the web server. Examples: Discussion forum, Web mail, Student administration

Slide 19: AAI Resource Types (2)
- Type C: Unpersonalized "black box" web resources with proprietary access control. AAI proxy in front of the Resource. Example: 3rd party content providers (libraries)
- Type D: Personalized "black box" web resources with proprietary access control and user administration (own User DB). AAI portal or AAI proxy in front of the Resource. Examples: E-learning platforms, Standard applications

Slide 20: Preconditions for Resources
- Access Control
  - The Access Control Policy can be expressed and implemented as rules based on authorization attributes
  - Received attributes have to be appraised as trustworthy
  - The Resource is of type A-D (detailed technical requirements will follow); if not, technical feasibility has to be verified
- Legal Basis
  - A Resource belongs to an Organization bound to the AAI Policy
  - A Resource Owner agrees to handle received attributes as required by the AAI Policy and the Federal and Cantonal Data Protection Law

Slide 21: AAI-enabling Resources
- For Resources of Type A and B
  - Install AAI on the Resource
  - Configure (implement) the Access Control Definition
  - For personalized resources: implement the interaction with the User DB
- For Resources of Type C and D
  - Implement a Portal/Proxy
  - Install AAI on the Portal/Proxy
  - Configure (implement) the Access Control Definition on the Portal/Proxy
  - For personalized resources: implement the interaction with the User DB
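The Access Control Definition that slides 18 to 21 ask a Resource Owner to configure, as an added example in Python that is neither SWITCH's nor Shibboleth's code: rules written over the authorisation attributes of slide 14, the check from slide 20 that received attributes come from a home org the resource trusts, and the User DB interaction a personalised Type B resource needs, keyed by the anonymous unique identifier. The attribute names (uniqueID, groupMembership, ...), the organisation names and the webmail records are constructed placeholders, not the pilot's attribute specification.

```python
"""Access Control Definition for resources of type A and B (added example, not
SWITCH or Shibboleth code).  Rules are written over the authorization attributes
named on the slides; attribute values, the trusted home orgs and the local
webmail records are constructed sample data."""

# A rule maps attribute name -> set of accepted values.  A policy is a list of
# rules: conditions inside a rule are AND-ed, rules are OR-ed.


def rule_matches(rule, attributes):
    """True if every condition of the rule holds for the received attributes."""
    for name, accepted in rule.items():
        value = attributes.get(name)
        # Multi-valued attributes (group membership) match if any value is accepted;
        # a missing attribute never matches.
        values = value if isinstance(value, (list, tuple, set)) else [value]
        if not any(v in accepted for v in values):
            return False
    return True


def authorize(policy, attributes, trusted_orgs):
    """Grant only for attributes from a home org the resource trusts, and only
    when at least one rule of the policy is satisfied."""
    if attributes.get("homeOrganization") not in trusted_orgs:
        return False
    return any(rule_matches(rule, attributes) for rule in policy)


# Type A: unpersonalized intranet web server; policy on affiliation and groups only.
INTRANET_POLICY = [
    {"homeOrganization": {"uni-a.example"}, "affiliation": {"staff", "faculty"}},
    {"groupMembership": {"aai-pilot-team"}},
]


class PersonalizedResource:
    """Type B resource (e.g. web mail): the access rule is checked first, then the
    anonymous unique identifier selects or creates the local account."""

    def __init__(self, policy, trusted_orgs):
        self.policy = policy
        self.trusted_orgs = trusted_orgs
        self.local_users = {}  # uniqueID -> local account record

    def login(self, attributes):
        """Return the local account for an authorized user, or None if denied."""
        if not authorize(self.policy, attributes, self.trusted_orgs):
            return None
        uid = attributes.get("uniqueID")
        if uid is None:
            return None  # personalization needs the unique identifier attribute
        if uid not in self.local_users:
            # First visit: provision the account from the released attributes.
            self.local_users[uid] = {
                "mailbox": f"{uid}@webmail.example",
                "preferredLanguage": attributes.get("preferredLanguage", "en"),
            }
        return self.local_users[uid]


TRUSTED_ORGS = {"uni-a.example", "uni-b.example"}
WEBMAIL = PersonalizedResource([{"affiliation": {"student", "staff", "faculty"}}],
                               TRUSTED_ORGS)

# Constructed attribute sets as a Type A/B resource would receive them.
STAFF_A = {"uniqueID": "h7f3", "homeOrganization": "uni-a.example",
           "affiliation": "staff", "groupMembership": ["library"]}
STUDENT_B = {"uniqueID": "k2m9", "homeOrganization": "uni-b.example",
             "affiliation": "student", "preferredLanguage": "fr",
             "groupMembership": ["aai-pilot-team", "chess"]}
STUDENT_A = {"uniqueID": "p0q1", "homeOrganization": "uni-a.example",
             "affiliation": "student"}
```

With these rules, STAFF_A reaches the intranet through the first rule and STUDENT_B through the pilot-team group, while STUDENT_A is refused and an attribute set naming an untrusted home org is refused before any rule is read. The webmail resource creates a local record on the first visit and finds the same record again on later visits through the unique identifier, so it never needs the person's name to personalise.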

Slide 22: The Legal Basis of an AAI
- Diagram: the AAI Policy ("Club rules") at the centre; the AAI Service Provider; the member organizations Org A, Org B, Org C, Org ...; a Service Agreement; User Regulations

Slide 23: AAI Programme Management (planning chart)
- Periods: Jan - Jun 2003 (Pilot), Jul - Dec 2003 (RE1), Jan - Jun 2004 and Jul - Dec 2004 (RE2)
- Rows: Home Organizations (UNI A, UNI B, UNI C, UNI D, UNI E), SWITCH, Resource Owners (Res 1 to Res 6)

Slide 24: AAI Programme Management (planning chart, continued)
- Same periods and rows as on slide 23; the Resource Owners row now runs from Res 1 to Res 9 with further resources (Res) following

Slide 25: Simple Identity Management Classification (ordered from simple to complex)
- MS Passport
  - Trust model: one external trust broker, trust monopoly
  - One central user database
  - One single Home Organisation for all users
- Shibboleth
  - Trust model: "Club" of organisations trusting each other (but not necessarily their users!)
  - Decentralised user database at "Club" member sites
  - "Club" members acting as Home Organisation
  - Users are registered with exactly one Home Organisation, maintaining their electronic identity (otherwise, they end up owning multiple electronic identities)
- Liberty Alliance
  - Same as Shibboleth except:
  - Users may register with multiple "Club" members
  - Each Club member is maintaining a part of their user's electronic identity

Slide 26: Questions?

