eduroam Delegate Authentication System with Shibboleth SSO


29th APAN Meeting, Feb. 8-11, 2010, Sydney, Australia
Hideaki Goto, Hideaki Sone (Tohoku Univ. / NII); Ichiro Yamaguchi, Takaaki Suzuki (Tohoku Univ.)

A great challenge
How many higher education institutions are there in Japan?
- 1,200+ (govt. survey in 2008)
  - 765 universities (86 national, 90 public)
  - 481 two-year colleges and vocational colleges
- eduroam deployment: 11 / 1,200 = 0.9%

Problems
- A large number of institutions (1,200+)
- Difficulties in RADIUS deployment
- Laborious eduroam connection / management work
Our solutions
- Federated Delegate Authentication System with a centralized RADIUS server
  - removes the RADIUS IdP at each institution
  - federation using Shibboleth SSO
  - simplifies the RADIUS tree (higher stability)
  - solves some privacy and security issues
- Web-based eduroam IdP / SP management system
  - reduces the work at both the eduroam JP office and each institution

Easy-to-join eduroam system
[Diagram: access points send auth requests to the institution's RADIUS server, which proxies them to the national top-level RADIUS proxy and on to the RADIUS IdP; one shared secret (<secret key 1>, <secret key 2>) is configured per hop. Two components are marked: 1. Delegate Authentication System (DEAS); 2. eduroam IdP/SP management web.]

Federated Delegate Authentication System
- Account issuer as a Shibboleth SP of Japan's UPKI inter-university federation
- Centralized RADIUS server to simplify the RADIUS proxy tree
- 3 types, depending on the needs and federation level
- Pseudonymous, fixed-term, and traceable roaming IDs

Delegate Authentication System - Type I
[Diagram: Japan's centralized account issuer (Web UI), institutions, RADIUS server, IdM]
- Manual account issue requests by administrators
- The system can be used even without IdM
- Pseudonymous accounts; temporary, expire within 6 months
- Issuing guest IDs is possible

Delegate Authentication System - Type II
[Diagram: Japan's centralized account issuer (Web UI), institutions, RADIUS server, IdM]
- ID federation using Shibboleth/SAML for administrators only
- Administrators can request user accounts in bulk
- Pseudonymous accounts; temporary, expire within 6 months
- Issuing guest IDs is possible

Delegate Authentication System - Type III
[Diagram: Japan's centralized account issuer, institutions, RADIUS server, IdM]
- ID federation using Shibboleth/SAML
- End users can request personal accounts only
- Pseudonymous accounts; temporary, expire within a month
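The three types differ in who may request an account, whether guest IDs are allowed, and how long the account lives, while all of them issue IDs that are pseudonymous (nothing in the ID is derived from the user), fixed-term, and traceable by the issuer alone. The following Python model encodes exactly those rules as a centralized issuer plus the check a centralized RADIUS server would perform. It is an added example, not eduroam JP's code: the realm, the ID format, PBKDF2 hashing, the lifetimes as constants and the in-memory store are assumptions.

```python
"""Toy model of the DEAS central account issuer and the centralized RADIUS
server that checks its accounts.  Added example, not eduroam JP's code: the
realm, ID format, password hashing, lifetime constants and the in-memory
store are assumptions; the rules per type follow the slides."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple

REALM = "deas.example.ac.jp"   # assumed realm for centrally issued roaming IDs


class AccountType(Enum):
    TYPE_I = 1     # admin requests manually via web UI; works without campus IdM
    TYPE_II = 2    # admin authenticated through Shibboleth/SAML; bulk requests
    TYPE_III = 3   # end user authenticated through Shibboleth/SAML; personal only


# From the slides: Types I and II expire within 6 months, Type III within a month.
LIFETIME = {
    AccountType.TYPE_I: timedelta(days=180),
    AccountType.TYPE_II: timedelta(days=180),
    AccountType.TYPE_III: timedelta(days=30),
}


@dataclass
class RoamingAccount:
    roaming_id: str          # random local part @ REALM: pseudonymous
    salt: bytes
    pw_hash: bytes
    acct_type: AccountType
    institution: str         # member institution that vouched for the account
    requester: str           # who asked: an administrator, or the user (Type III)
    subject: Optional[str]   # real identity, kept only at the issuer; None for guests
    issued_at: datetime
    expires_at: datetime     # fixed-term


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Issuer:
    def __init__(self) -> None:
        self.store: Dict[str, RoamingAccount] = {}

    def issue(self, acct_type: AccountType, institution: str, requester: str,
              subject: Optional[str] = None, guest: bool = False,
              now: Optional[datetime] = None) -> Tuple[str, str]:
        """Issue one account; returns (roaming_id, one-time password)."""
        now = now or datetime.now(timezone.utc)
        if acct_type is AccountType.TYPE_III:
            # End users may request personal accounts only: no guests, no third parties.
            if guest or subject != requester:
                raise PermissionError("Type III: personal accounts only")
        elif not guest and subject is None:
            raise ValueError("administrator-issued account needs a subject or guest=True")
        roaming_id = f"r{secrets.token_hex(6)}@{REALM}"   # nothing derived from the user
        password = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.store[roaming_id] = RoamingAccount(
            roaming_id, salt, _hash(password, salt), acct_type, institution,
            requester, None if guest else subject, now, now + LIFETIME[acct_type])
        return roaming_id, password

    def authenticate(self, user_name: str, password: str,
                     now: Optional[datetime] = None) -> bool:
        """Decision the centralized RADIUS server makes for an Access-Request."""
        now = now or datetime.now(timezone.utc)
        acct = self.store.get(user_name)
        if acct is None or now >= acct.expires_at:
            return False                      # unknown, or past its fixed term
        return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

    def trace(self, roaming_id: str) -> Tuple[str, str, Optional[str]]:
        """Traceability: only the issuer can map a pseudonym back to its origin."""
        acct = self.store[roaming_id]
        return acct.institution, acct.requester, acct.subject


if __name__ == "__main__":
    issuer = Issuer()
    rid, pw = issuer.issue(AccountType.TYPE_III, "tohoku.example",
                           "alice@tohoku.example", subject="alice@tohoku.example")
    print(rid, issuer.authenticate(rid, pw))       # pseudonym, True
    print(issuer.trace(rid))                       # institution, requester, subject
```

Because the mapping from pseudonym to real identity lives only in the issuer's store, the RADIUS proxies between the visited network and the centralized server never see more than a random local part and the realm; the expiry check is what turns a leaked roaming password into a bounded problem rather than a permanent one.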

Web-based eduroam IdP / SP management system (development under way)
Features:
- Application for eduroam IdP / SP connection via the eduroam JP website
- Online sign-up for institutional administrator(s) (requires approval by the national admin.)
- Online registration of institution data
- Management console for institutions
  - RADIUS server address and secret setting
  - Enable or disable Self-IdP / DEAS / SP (AP)
  - Remote authentication self-testing (planned)

NEWS
- Negotiation is under way with a commercial Wi-Fi Service Provider
- We will have hundreds of eduroam APs in central Tokyo!
- Outsourcing the campus Wi-Fi system would be a key to the success of large-scale deployment

Summary
- Large-scale eduroam deployment in Japan: a great challenge
- The Delegate Authentication System eases eduroam deployment
  - Federated ID issuer as a Shibboleth SP
  - Simplifies the eduroam network = stabilizes eduroam authentication
- Web-based eduroam IdP / SP management makes eduroam easy to join
  - Simplifies connection and administration work at the national administrative body and at each institution

Supplementary slides

Problem details in large-scale deployment
- Difficult and laborious configuration of RADIUS / APs at each organization
- Difficulties in newly constructing an "eduroam account database" or making a RADIUS-IdM bridge for each organization; many universities do not have federated IdM yet
- Laborious work for institution connection: a lot of paperwork, RADIUS configuration support, connection testing, troubleshooting, etc.
- Impossible to deal with hundreds of institutions this way!

eduroam JP in the UPKI project
- An activity in NII's UPKI project
- Promotion and operation of eduroam JP
  - 11 institutions connected (Feb. 2010)
  - Tutorial & technical documents
- R&D to solve problems
  - Easy configuration
  - Guest use of local IP addresses
  - Location privacy, etc.
- Talks with commercial W-ISPs for roaming
  - Shared access points possible? Negotiations are under way.

Threats of ID/PW leakage
- The user ID is logged at the proxy servers along the AAA path (the worldwide RADIUS tree): a location privacy problem
- The PW could be logged due to inappropriate configuration by the user: a critical security breach if an important PW is used
[Diagram: AP -> RADIUS Access-Request -> worldwide RADIUS tree (logged at each proxy; potential leakage) -> ID database; RADIUS Access-Accept / Reject returns along the same path]
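The logging threat comes straight from the RADIUS wire format: the User-Name attribute in an Access-Request is cleartext, every proxy must read it to route on the realm, and every proxy is free to log it. The example below, added here and not taken from the slides, builds an RFC 2865 Access-Request in Python, walks it through a constructed proxy path and shows what each hop can record. It also implements User-Password hiding and its inverse to make the second point concrete: the hiding is keyed only by the per-hop shared secret, so a credential carried in User-Password is readable at every hop that holds one. In eduroam the credential normally travels inside EAP-Message attributes within a TLS tunnel to the home server, which is why a supplicant that skips server verification or uses a non-tunnelled method is the configuration mistake the slide warns about. Hop names, realms, secrets and credentials are constructed for the demo.

```python
"""RADIUS Access-Request on the eduroam proxy path (RFC 2865 wire format).
Added example, not from the slides: User-Name is cleartext at every hop,
routing needs only the realm, and User-Password hiding is reversible by any
hop holding the shared secret.  Hop names, realms and credentials are
constructed for the demo."""
import hashlib
import os
import struct
from typing import Dict, List, Optional

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out


def reveal_password(secret: bytes, authenticator: bytes, hidden: bytes) -> bytes:
    """The inverse; it needs nothing beyond the per-hop shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\x00")


def encode_access_request(secret: bytes, user_name: str, password: str, nas_id: str,
                          authenticator: Optional[bytes] = None, ident: int = 0) -> bytes:
    """Code=1 packet: header (code, id, length, authenticator) followed by TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = [
        (USER_NAME, user_name.encode()),
        (USER_PASSWORD, hide_password(secret, authenticator, password.encode())),
        (NAS_IDENTIFIER, nas_id.encode()),
    ]
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute list; a proxy does exactly this to read User-Name."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        a_type, a_len = packet[pos], packet[pos + 1]
        attrs[a_type] = packet[pos + 2:pos + a_len]
        pos += a_len
    return attrs


def realm_of(user_name: str) -> str:
    """Proxy routing keys on the realm after '@'; the local part is never needed."""
    return user_name.rsplit("@", 1)[-1]


def proxy_hop(packet: bytes, hop_name: str, log: List[str]) -> str:
    """One proxy on the AAA path: logs what it sees, returns the realm it routes on."""
    user_name = parse_attributes(packet)[USER_NAME].decode()
    log.append(f"{hop_name}: Access-Request User-Name={user_name}")
    return realm_of(user_name)


def walk_path(packet: bytes, hops: List[str]) -> List[str]:
    """Forward the same request through every proxy and collect their log lines."""
    log: List[str] = []
    for hop in hops:
        proxy_hop(packet, hop, log)
    return log


if __name__ == "__main__":
    secret = b"shared-secret-hop1"            # constructed per-hop secret
    hops = ["visited-campus", "national-top-level", "home-institution"]
    real = encode_access_request(secret, "alice@tohoku.example", "hunter2", "ap-17")
    pseudo = encode_access_request(secret, "r3f9a1b2c4d5@deas.example", "guest-pw", "ap-17")
    for line in walk_path(real, hops) + walk_path(pseudo, hops):
        print(line)   # the real name is recorded at all three hops; the pseudonym reveals only its realm
    attrs = parse_attributes(real)
    print("hop holding the secret recovers:", reveal_password(secret, real[4:20], attrs[USER_PASSWORD]))
```

Run as a script, the output makes both slide points visible: the same User-Name appears in every hop's log, and a hop that holds the shared secret recovers the User-Password value outright. A DEAS pseudonym does not stop the logging, but it turns each log entry into a random string plus a realm, which is the location-privacy gain the design claims.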