Introduction & use-cases FedAuth IETF78 Maastricht, July 27, 2010


1 Introduction & use-cases
FedAuth BoF @ IETF78, Maastricht, July 27, 2010
klaas@wierenga.net, josh.howlett@ja.net

2 What is “Federated identity”?
[Diagram labels: User principal wielding user-agent; Identity Provider; Relying Party; Access resource; Authentication; Trust (business and/or technical); Directory; Relying Party’s administrative domain; User principal’s administrative domain]

3 Three observations
1. The User-Agent is normally a browser.
2. The Web is not the Internet.
3. We already have some good systems for non-Web identity federation.

4 Example 1: federated network access
[Diagram (source: SURFnet): Supplicant of a visiting user user@university_b.nl; Authenticator (AP or switch) with Student VLAN, Commercial VLAN and Employee VLAN; RADIUS server University A; SURFnet Central.nl RADIUS Proxy server; RADIUS server University B with User DB; protocols 802.1X, EAP and RADIUS; data and signalling paths]
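A small model of the realm-based routing shown in this diagram, added here as an illustration; it is not SURFnet's or any RADIUS implementation's code, and the proxy names, realms and routing table are constructed. Each proxy decides from the realm of the outer identity whether to authenticate locally, forward to a known realm's server, or pass the request up the hierarchy, rejecting unroutable identities and breaking forwarding loops.

```python
from typing import Dict, List, Optional, Set, Tuple
from dataclasses import dataclass, field

@dataclass
class Proxy:
    """One RADIUS server in the hierarchy (constructed model, not a real product)."""
    name: str
    routes: Dict[str, str] = field(default_factory=dict)   # realm -> next-hop server
    local_realms: Set[str] = field(default_factory=set)    # realms this server is home for
    upstream: Optional[str] = None                         # where unknown realms go

def split_identity(outer_identity: str) -> Tuple[str, str]:
    """Return (user, realm) from the outer identity; realm is '' when absent. Proxies
    only see this outer identity; the inner EAP identity stays in the TLS tunnel."""
    user, sep, realm = outer_identity.rpartition("@")
    return (outer_identity, "") if not sep else (user, realm.lower())

def next_hop(proxy: Proxy, outer_identity: str) -> str:
    """Routing decision of one proxy: 'LOCAL', a next-hop name, or 'REJECT:<why>'."""
    _, realm = split_identity(outer_identity)
    if not realm:
        return "REJECT:no-realm"          # unroutable; never forward blindly
    labels = realm.split(".")
    for i in range(len(labels)):          # exact realm first, then parent realms
        candidate = ".".join(labels[i:])  # cs.university_b.nl -> university_b.nl -> nl
        if candidate in proxy.local_realms:
            return "LOCAL"
        if candidate in proxy.routes:
            return proxy.routes[candidate]
    return proxy.upstream or "REJECT:unknown-realm"

def route_path(proxies: Dict[str, Proxy], start: str, outer_identity: str,
               max_hops: int = 8) -> List[str]:
    """Follow next_hop from `start` until LOCAL, REJECT, a home server, or the hop budget."""
    path, current = [start], start
    while len(path) <= max_hops:
        hop = next_hop(proxies[current], outer_identity)
        path.append(hop)
        if hop == "LOCAL" or hop.startswith("REJECT") or hop not in proxies:
            return path
        current = hop
    path.append("REJECT:loop")            # misconfigured proxies forwarding in a circle
    return path

# Constructed topology mirroring the diagram: campus proxy -> national proxy -> home server.
FEDERATION = {
    "university_a": Proxy("university_a", local_realms={"university_a.nl"}, upstream="surfnet"),
    "surfnet": Proxy("surfnet", routes={"university_a.nl": "radius-a", "university_b.nl": "radius-b"}),
}
```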

5 Example 2: the hybrid approach
Authenticate using Web SSO, and insert a token into the non-web protocol flow.
Example: Jabber with SAML or OpenID:
– Without changing the SAML IdP
– Minimal change at the Jabber client
– Jabber server can run “in-the-cloud”
Current work (proposed as WG item for KITTEN) looks at leveraging SASL:
– draft-wierenga-ietf-sasl-saml, draft-lear-ietf-sasl-openid, draft-cantor-ietf-sasl-saml-ec
This is necessary work, but not sufficient.

6 Research & Education Federations
Early and aggressive adopters of federated identity technology.
Large and rapidly growing federated systems.
– UK R&E federation ≈ 10 million identities and growing.
– eduGAIN ≈ projected 10s of millions of identities.
But some growing pains…

7 Use-case 1: Out-sourcing
Reduce costs by out-sourcing services to third-party service providers.
Federated identity:
– provides a better user experience through SSO.
– reduces the helpdesk burden for both IdP and SP.
Today, this only works for Web applications; not for IMAP, SMTP, POP3, Jabber, Calendaring, etc.
Identity provisioning APIs exist, but:
– they require sharing credentials with the SP.
– they are not a complete IdM / directory system, which is often required for application personalisation or authorisation.

8 Use-case 2: High Performance Computing
Improve business continuity.
Offer HPC-as-a-service to more internal and external customers.
Reduce costs incurred in operating HPC-specific RA.
SSH, SFTP, SCP, NFS, CIFS.

9 Use-case 3: learning from Web SSO
In creating federated authentication for new applications, avoid the problems discovered with Web SSO today (and fix them for Web SSO).
Identity Provider discovery
– Users are already presented with hundreds of possible identity providers; international inter-federation will likely increase this to thousands quite soon.
Multiple affiliations
– It is sometimes difficult to select the appropriate identity provider for a particular service.

10 Use-case 4: establishing trust in SAML metadata
SAML IdP and SP entities usually establish trust using SAML metadata that describes each entity.
In R&E federations, member SP and IdP metadata is (usually) collected into an aggregate, signed by the federation operator and published.
The distribution of the aggregate, across the network from the federation to the entities, is the basis of trust.
– Scaling
– Revocation
– Consuming metadata for entities from other federations

11 Discuss!

