Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management Showcase Event London, 18th July 2006

JRS and Shibboleth
- We have two access control worlds:
  - JRS for network access, as described in the previous talk
  - Shibboleth for (currently) web-based applications
- JRS is being widely adopted
  - With support at a European/world scale via eduroam
  - What more value can we get from it?
- UK Shibboleth early adopters making progress
- Can Shibboleth be used for WLAN access control?
- Could the JRS be used as a back-end for Shibboleth?

JRS components

JRS features
- Easy to deploy
  - Most sites use RADIUS already
  - Uses generally long-established open standards
- Easy to join
  - Establish one RADIUS peering with the national proxy
  - No local access control micro-management required
- All-in
  - All sites implicitly trust all other sites
- No attributes
  - Purely an authentication scheme
  - Though RADIUS can carry attributes

Question 1
Can we use Shibboleth for network layer access control for roaming users?
- User powers up in a WLAN hotspot
- Local network gateway blocks all external access until the user authenticates using Shibboleth
- To authenticate using Shibboleth, the user needs web access to the WAYF service and to their home authentication service
- Implies the local network gateway must be pre-configured with at least one allowed web destination per Shibboleth-enabled site that visitors may come from
- That doesn't scale!

Shib for WLAN roaming?

Question 2
Can we use the JRS as a Shibboleth back end?
- May be able to leverage the JRS to boost Shibboleth adoption: many JRS sites have no Shibboleth deployment
- Idea: introduce a Virtual Identity Provider (VIdP)
  - Functionally equivalent to a normal IdP
  - The VIdP uses the JRS as an authentication back-end
  - Any JRS-enabled site can use the VIdP in place of hosting its own IdP function
  - The VIdP can proxy on behalf of any number of sites
- RADIUS-Aware Gateway to Shibboleth (RAGS)

The RAGS model

Building the VIdP…
- Designed to require no changes to WAYF or SP code
  - The IdP is modified to become the VIdP
- Tools already exist, e.g.:
  - Apache mod_auth_radius
  - JRadius Java connector, with support for (T)TLS for a secure connection from the VIdP to the home site
- The JRS site needs to opt in
  - Its entry in the WAYF service points to the VIdP
  - Can customise login appearance based on the passed URL
- Some policy issues/decisions
  - e.g. it's *possible* to add eduroam sites to the UK WAYF
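As an added example (my own code, not from the slides and not the RAGS project's), the following Python models the login path described under Question 2 and in "Building the VIdP": a hypothetical VIdP login handler hides the user's password PAP-style (RFC 2865), sends user@realm to a simulated JRS national proxy, which routes on the realm to a simulated home site, and then checks the Response Authenticator on the reply before treating the user as authenticated. The realms, users, passwords, the `rags-vidp` NAS identifier and the shared secret are constructed sample data; the Class attribute in the Access-Accept shows where RADIUS-carried attributes would come back to the VIdP. mod_auth_radius and JRadius do this job in real deployments; nothing here uses them.

```python
"""Model of the RAGS/VIdP login path: a hypothetical VIdP sends user@realm to a
simulated JRS proxy, which routes on realm to the home site (RFC 2865, PAP). Stdlib only."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, REPLY_MESSAGE, CLASS, NAS_IDENTIFIER = 1, 2, 18, 25, 32

# Constructed sample data standing in for the credential stores at the home sites.
HOME_SITES = {
    "soton.ac.uk": {"tjc": "correct-horse"},
    "cardiff.ac.uk": {"rs": "battery-staple"},
}

def _md5(*parts: bytes) -> bytes:
    return hashlib.md5(b"".join(parts)).digest()

def pap_encrypt(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], _md5(secret, prev)))
        out, prev = out + block, block
    return out

def pap_decrypt(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("User-Password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(chunk, _md5(secret, prev)))
        prev = chunk
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt: bytes):
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("bad packet length")
    return pkt[0], pkt[1], pkt[4:20], decode_attrs(pkt[20:])

def response_authenticator(code, ident, req_auth, attrs, secret) -> bytes:
    """RFC 2865 s3: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = encode_attrs(attrs)
    return _md5(struct.pack("!BBH", code, ident, 20 + len(body)), req_auth, body, secret)

def proxy_handle(pkt: bytes, secret: bytes) -> bytes:
    """Simulated JRS proxy plus home site: route on the realm part of User-Name."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    a = dict(attrs)  # adequate here; real servers must cope with repeated attributes
    user = a.get(USER_NAME, b"").decode("utf-8", "replace")
    reply_code, reply_attrs = ACCESS_REJECT, []
    if code == ACCESS_REQUEST and "@" in user and USER_PASSWORD in a:
        local, realm = user.rsplit("@", 1)
        expected = HOME_SITES.get(realm.lower(), {}).get(local)  # the realm-routing step
        try:
            given = pap_decrypt(a[USER_PASSWORD], secret, req_auth)
        except ValueError:
            given = None
        if expected is not None and given is not None and hmac.compare_digest(expected.encode(), given):
            reply_code = ACCESS_ACCEPT
            # What a VIdP could turn into Shibboleth attributes (the slides' "RADIUS-based attributes").
            reply_attrs = [(CLASS, b"realm=" + realm.lower().encode()), (REPLY_MESSAGE, b"welcome")]
    resp_auth = response_authenticator(reply_code, ident, req_auth, reply_attrs, secret)
    return build_packet(reply_code, ident, resp_auth, reply_attrs)

def vidp_authenticate(username: str, password: str, secret: bytes, transport=proxy_handle, ident=1):
    """The VIdP login handler: ask the JRS instead of a local password store."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth)),
             (NAS_IDENTIFIER, b"rags-vidp")]
    reply = transport(build_packet(ACCESS_REQUEST, ident, req_auth, attrs), secret)
    code, r_ident, r_auth, r_attrs = parse_packet(reply)
    if r_ident != ident or not hmac.compare_digest(
            r_auth, response_authenticator(code, r_ident, req_auth, r_attrs, secret)):
        raise ValueError("reply fails the Response Authenticator check: forged or tampered")
    return code == ACCESS_ACCEPT, dict(r_attrs)
```

Two things the model makes visible that a practitioner would want to check before building on it. First, the VIdP must verify the Response Authenticator: a reply that fails the check is an error, not an Access-Reject, because anyone who can spoof the proxy's address could otherwise feed the VIdP a forged Access-Accept. Second, PAP hides the password only hop by hop under the shared secret, so every proxy on the JRS path between the VIdP and the home site un-hides the password before re-hiding it for the next hop and therefore sees it in clear, unlike eduroam's 802.1X/EAP path for WLAN admission. That is the reason a secure VIdP-to-home-site leg such as the (T)TLS support in the JRadius connector matters, and it applies equally to any attributes the home site returns along the same path.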

Closing observations
- Shibboleth and JRS are both being adopted
  - Initial adopter sites don't overlap that much
- Shibboleth is unsuitable for WLAN admission
- JRS *could* be offered as a Shibboleth back end
  - The VIdP is currently being developed
- What about attributes?
  - What classes of attributes will be required?
  - Can use JRadius to query RADIUS-based attributes
- More policy questions
  - Would using the JRS be acceptable to the UK federation?
  - Who would manage the VIdP?