
1 Connect. Communicate. Collaborate. Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)*. Antonio F. Gómez-Skarmeta, University of Murcia (Spain). TNC2007, Copenhagen, 2007/05/21. * Funded by EC project GÉANT2-JRA5, TERENA, RedIRIS and DFN.

2 Overview: Introduction; Starting points; Main goals of the DAMe project

3 Introduction. DAMe is a research project based on previous work from TERENA, Internet2 and the University of Murcia:
– eduroam, the result of the TERENA Mobility Task Force, which defines a roaming architecture between NRENs based on AAA servers (RADIUS) and the 802.1X standard.
– Shibboleth, a widely deployed federation mechanism.
– eduGAIN, the AAI (Authentication and Authorization Infrastructure) of GÉANT2 (GN2).
– NAS-SAML, a network access control system for AAA architectures developed by the University of Murcia and based on SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language).

4 DAMe project. Main goals. Authentication, but also authorization, is needed in order to provide appropriate network access:
– The user's identity is not enough.
– Institutions can offer different QoS parameters depending on the user.
– Decisions should be taken considering the user's attributes.
– User mobility is becoming more and more frequent.
– Several institutions must cooperate at several levels.
Preliminary work on this subject:
– DAIDALOS project
– RADIUS/SAML (Internet2)
Application-level services can take advantage of the network access mechanism in order to bootstrap a seamless global SSO.

5 Intradomain: Campus. [Diagram: users (teachers, students, administrative staff, researchers) held in a users DB / LDAP directory; services (web services, wireless services, Internet) governed by an Authentication Authority and an Authorization Authority.] Stable relationship among users, institution and services.

6 Interdomain: Different universities. Alice might make use of the computer network at University B. Alice will be authenticated by University A. Alice will be authorized by University B, but making use of the attributes defined by University A. Relationships are stable and long term. Authorization information is represented using a common format. [Diagram: University A and University B linked by a Service Level Agreement.]

7 Interdomain: Heterogeneous systems. Charles is authorized by University B based on the attributes defined by University C:
– Credentials are based on different formats.
– There are different criteria about syntax and semantics.
Therefore it is necessary:
– To define a credential conversion system, identifying its main entities and policies.
[Diagram: University B and University C linked by a Service Level Agreement.]

8 Overview: Introduction; Starting points; Main goals of the DAMe project

9 Starting point: eduroam. Goal:
– "open your laptop and be online"
– To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.
Concepts:
– Based on reciprocal (free) access
– NREN community
– Authentication at home
– Authorization at visited institution

10 Starting point: eduroam. [Diagram: supplicant Alicia (alicia@um.es) → authenticator (AP or switch) → RADIUS server of University B → RedIRIS central RADIUS proxy server → RADIUS server of University A with its user DB; signalling and data paths are shown separately; 802.1X with VLAN assignment to a Student VLAN, Employee VLAN or Commercial VLAN.] Trust based on RADIUS plus policy documents.
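What this slide sketches, as an added example in Python (not code from the slides or from any eduroam implementation): the supplicant's identity is split into user and realm, the visited RADIUS server forwards by realm through the central proxy to the home server, only the home server checks the credential, and the visited institution maps the returned affiliation to one of its own VLANs. The realms, users, server names, VLAN table, hop limit and the toy password check standing in for the EAP method are all constructed.

```python
"""Simulated eduroam RADIUS hierarchy: visited server -> central proxy -> home server.
Added example, not code from the slides or any eduroam software. Realms, users,
server names, the VLAN table and the hop limit are constructed."""
import hashlib
import hmac

MAX_HOPS = 4  # constructed bound on forwarding, so a misconfigured route cannot loop forever


def parse_nai(identity):
    """Split 'user@realm' into (user, realm); return None for a malformed identity."""
    if identity.count("@") != 1 or any(c.isspace() for c in identity):
        return None
    user, realm = identity.split("@")
    if not user or not realm:
        return None
    return user, realm.lower()


def _pw_hash(password):
    # Toy credential store (salted SHA-256) standing in for the EAP inner method.
    return hashlib.sha256(b"salt:" + password.encode()).hexdigest()


class HomeServer:
    """Authenticates only its own realm's users and returns their affiliation."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users  # user -> (password hash, affiliation)

    def handle(self, req):
        if req["realm"] != self.realm:
            return {"code": "Access-Reject", "reason": "wrong realm"}
        rec = self.users.get(req["user"])
        # req["eap"] is opaque to every proxy on the path; only the home server
        # can check it (here a password, in eduroam the EAP exchange).
        if rec is None or not hmac.compare_digest(rec[0], _pw_hash(req["eap"])):
            return {"code": "Access-Reject", "reason": "bad credentials"}
        return {"code": "Access-Accept", "affiliation": rec[1]}


class ProxyServer:
    """Forwards by realm; knows no users and never issues an Access-Accept itself."""

    def __init__(self, name, routes, default=None):
        self.name = name
        self.routes = routes    # realm -> next server
        self.default = default  # upstream proxy for realms not listed

    def handle(self, req):
        if req["hops"] >= MAX_HOPS:
            return {"code": "Access-Reject", "reason": "hop limit"}
        nxt = self.routes.get(req["realm"], self.default)
        if nxt is None:
            return {"code": "Access-Reject", "reason": "unknown realm"}
        return nxt.handle(dict(req, hops=req["hops"] + 1))


class VisitedServer(ProxyServer):
    """Visited institution: home decides authentication, the visited site decides the VLAN."""

    def __init__(self, name, routes, default, vlan_table, guest_vlan):
        super().__init__(name, routes, default)
        self.vlan_table = vlan_table  # affiliation -> VLAN, local policy
        self.guest_vlan = guest_vlan  # fallback for affiliations the site does not know

    def network_access(self, identity, credential):
        parsed = parse_nai(identity)
        if parsed is None:
            return {"accepted": False, "reason": "malformed identity"}
        user, realm = parsed
        resp = self.handle({"user": user, "realm": realm, "eap": credential, "hops": 0})
        if resp["code"] != "Access-Accept":
            return {"accepted": False, "reason": resp["reason"]}
        vlan = self.vlan_table.get(resp.get("affiliation"), self.guest_vlan)
        return {"accepted": True, "vlan": vlan}


def build_eduroam():
    """Constructed topology: University A (um.es) and University B behind a central proxy."""
    home_a = HomeServer("um.es", {
        "alicia": (_pw_hash("correct-horse"), "student"),
        "carol": (_pw_hash("battery-staple"), "contractor"),
    })
    home_b = HomeServer("uni-b.example", {"bob": (_pw_hash("staple-battery"), "employee")})
    central = ProxyServer("central", {"um.es": home_a, "uni-b.example": home_b})
    return VisitedServer("univ-b", {"uni-b.example": home_b}, central,
                         {"student": "Student VLAN", "employee": "Employee VLAN"},
                         "Guest VLAN")


if __name__ == "__main__":
    visited = build_eduroam()
    for ident, cred in [("alicia@um.es", "correct-horse"), ("alicia@um.es", "guess"),
                        ("carol@um.es", "battery-staple"), ("eve@nowhere.example", "x")]:
        print(ident, visited.network_access(ident, cred))
```

Two points the simulation makes visible: the proxies never hold user credentials and cannot produce an Access-Accept, so the trust chain rests on the home server's verdict plus the routing agreements between servers; and the VLAN decision is the visited site's own policy, so an affiliation it does not recognise lands in the guest VLAN rather than a privileged one.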

11 Starting point: NAS-SAML. Motivation:
– Current authorization solutions do not address most of the issues related to the provision of different types of services based on attribute credentials.
– NAS-SAML was defined to provide a network access system based on existing standards (802.1X, AAA, SAML, XACML).
– It requires the extension of the current AAA protocols in order to exchange authorization credentials.
– Different profiles are defined in order to provide several design alternatives (push and pull).

12 Starting point: NAS-SAML

13 NAS-SAML: Pull profile

14 Overview: Introduction; Starting points; Main goals of the DAMe project

15 DAMe project. Overview. Definition of a unified authentication and authorization system for federated services hosted in the eduroam network, and a global SSO mechanism based on already deployed mechanisms and architectures.

16 Main goals of the DAMe project. Extension of eduroam using NAS-SAML:
– User mobility is controlled by assertions and policies expressed in SAML and XACML.
[Diagram: the eduroam chain (supplicant Alicia, alicia@um.es → authenticator (AP or switch) → RADIUS server of University B → RedIRIS central RADIUS proxy server → RADIUS server of University A with its user DB) extended with an XACML Policy Decision Point and a SAML Attribute Authority; the signalling path carries XACML.]

17 Main goals of the DAMe project. Extension of eduroam using NAS-SAML

18 Main goals of the DAMe project

19 Main goals of the DAMe project. Global Single Sign On (SSO):
– Users will be authenticated only once, during access to the network.
– An SSO token (eduGAIN compliant) must be distributed, validated and managed by appropriate middleware.
– Possibly, new EAP methods (PEAP-based) will be needed to obtain the token.

20 Main goals of the DAMe project. Resource access:
– The user authenticates in his home domain and gets an SSO token.
– The token is delivered to the user through a secure tunnel.
– The token contains a handle instead of the user's real identity, to maintain privacy.
– Later, when the user tries to access a protected resource, he includes the token in the request.
– The resource uses the handle included in the token to request the user's attributes through eduGAIN.
– When received, the attributes are used to make the authorization decision.
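The flow on this slide, together with the attribute- and policy-driven decision of slide 16, as an added example in Python (not DAMe project code): the home domain authenticates once and issues a token that carries a random handle instead of the identity; the resource checks the token's issuer, signature and expiry, asks the home domain's attribute authority for the attributes behind the handle, and feeds them to a small deny-overrides rule evaluator in the spirit of XACML. The token format (HMAC-signed JSON), the attribute names, the policy format and the federation table standing in for eduGAIN metadata are assumptions, and the secure tunnel that delivers the token is not modelled. HMAC with a federation-distributed key stands in for the signature a real eduGAIN token would carry; since any HMAC verifier could also mint tokens, a deployed system signs rather than MACs.

```python
"""SSO token with an opaque handle, attribute pull from the home domain, and an
attribute-based policy decision at the resource. Added example, not DAMe code:
the HMAC-signed JSON token, random handle, attribute names, policy format and
the federation table (standing in for eduGAIN metadata) are constructed."""
import hashlib
import hmac
import json
import secrets

TOKEN_LIFETIME = 3600  # seconds, constructed value


def _pw_hash(password):
    # Toy credential store standing in for the home domain's user database.
    return hashlib.sha256(b"salt:" + password.encode()).hexdigest()


class HomeDomain:
    """Home authentication authority plus attribute authority of one institution."""

    def __init__(self, name, users, signing_key):
        self.name = name
        self.users = users              # user -> {"pw": hash, "attrs": {...}}
        self.signing_key = signing_key
        self._handles = {}              # handle -> user; never leaves the home domain

    def login(self, user, password, now):
        """Authenticate once (the network-access phase) and issue the SSO token."""
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password)):
            return None
        handle = secrets.token_hex(16)  # opaque, not derived from the identity
        self._handles[handle] = user
        body = json.dumps({"issuer": self.name, "handle": handle, "exp": now + TOKEN_LIFETIME}, sort_keys=True)
        sig = hmac.new(self.signing_key, body.encode(), "sha256").hexdigest()
        return body + "." + sig

    def attributes(self, handle):
        """Attribute authority: resolve a handle to attributes, never to a name."""
        user = self._handles.get(handle)
        return None if user is None else dict(self.users[user]["attrs"])


def decide(policy, attrs, action):
    """Deny-overrides evaluation of rules {"action", "match": {attr: value}, "effect"}:
    a rule applies when the action matches and every listed attribute holds the
    value. Mirrors XACML's combining logic; it is not an XACML engine."""
    decision = ("deny", "no applicable rule")
    for rule in policy:
        if rule["action"] != action:
            continue
        if all(v in attrs.get(k, []) for k, v in rule["match"].items()):
            if rule["effect"] == "deny":
                return ("deny", "deny rule matched")
            decision = ("permit", "rule matched")
    return decision


class Resource:
    """Protected service in the visited domain: enforcement point plus local PDP."""

    def __init__(self, federation, policy):
        self.federation = federation  # issuer -> (verification key, home domain)
        self.policy = policy

    def verify_token(self, token, now):
        # Accept only a well-formed token from a federated issuer, with a valid MAC, not expired.
        body, _, sig = token.rpartition(".")
        try:
            payload = json.loads(body)
        except ValueError:
            return None
        if not isinstance(payload, dict) or payload.get("issuer") not in self.federation:
            return None
        key, _ = self.federation[payload["issuer"]]
        expected = hmac.new(key, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig) or payload.get("exp", 0) <= now:
            return None
        return payload

    def access(self, token, action, now):
        payload = self.verify_token(token, now)
        if payload is None:
            return ("deny", "invalid token")
        _, home = self.federation[payload["issuer"]]
        attrs = home.attributes(payload.get("handle"))  # the attribute request via eduGAIN
        if attrs is None:
            return ("deny", "unknown handle")
        return decide(self.policy, attrs, action)


def build_scenario():
    """Constructed federation: home domain um.es and a resource at another institution."""
    key_a = b"constructed-signing-key-for-um.es"
    home_a = HomeDomain("um.es", {
        "alicia": {"pw": _pw_hash("correct-horse"), "attrs": {"eduPersonAffiliation": ["student", "member"]}},
        "dave": {"pw": _pw_hash("battery-staple"), "attrs": {"eduPersonAffiliation": ["staff", "member"]}},
    }, key_a)
    policy = [
        {"action": "read", "match": {"eduPersonAffiliation": "member"}, "effect": "permit"},
        {"action": "upload", "match": {"eduPersonAffiliation": "staff"}, "effect": "permit"},
        {"action": "upload", "match": {"eduPersonAffiliation": "student"}, "effect": "deny"},
    ]
    return home_a, Resource({"um.es": (key_a, home_a)}, policy)
```

The handle-to-user mapping exists only inside the home domain, so the resource learns attributes but never the name behind them; a token past its expiry or with a tampered MAC is refused before any attribute request is made, and a handle the home domain does not recognise yields a denial rather than a default set of attributes.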

21 Resource Access

22 Conclusion. DAMe aims at integrating the authentication and authorization processes. The extension must be compatible with the current status of the eduroam network and eduGAIN. It provides an SSO scenario based on bootstrapping credentials at the authentication phase. In addition, a user-friendly interface for managing authorization policies will be developed.

23 Additional information. Project Web: http://dame.inf.um.es. Thanks for your attention.

