Connect. Communicate. Collaborate Federation Interoperability Made Possible By Design: eduGAIN Diego R. Lopez (RedIRIS)


The Goal of AAI within GN2
To build an interoperable authentication and authorisation infrastructure that will be used all over Europe, enabling seamless sharing of e-science resources
We started from
  – Scattered AAI (pilot) implementations in the EU and abroad
  – The basic idea of federating them, preserving hard-won achievements

The eduGAIN Model
Use a set of interconnection points (Bridging Element, BE) at each federation
Announce BE metadata through the FPP (Federation Peering Point)
Distribute these metadata through the Metadata Service (MDS)
Metadata is retrieved by the appropriate FPP and delivered to the requesting BE
BEs exchange data using the eduGAIN SAML-based profiles
Interactions are based upon the eduGAIN trust model

eduGAIN Operations
Defined in abstract terms, following the SOA paradigm
  – Metadata Service (MDS)
  – Authentication Service (AuthN)
  – Attribute Exchange Service (Attr)
  – Authorisation Service (AuthZ)
Formally defined parameters for each operation
Bindings defined for SAML 1.1 and part of SAML 2.0
  – Plans for evolving these bindings as required

A general model for eduGAIN interactions (diagram slide: Identity Repository, Resource and Requester connected through TLS tunnel(s))

Component Identifiers
eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
Based on URNs delegated by the eduGAIN registry to the participating federation
Identifiers establish the kind of component they apply to by means of normalized prefixes
Identifiers follow the hierarchy of the trust-establishing process
  – Including the identifiers of the federation (and BE) the component is using to connect to eduGAIN

Some identifier examples
A typical FPP identifier: urn:geant:edugain:component:fpp:starfleet
A typical BE identifier: urn:geant:edugain:component:be:starfleet:enterprise
A typical SP identifier: urn:geant:edugain:component:sp:starfleet:enterprise:captainlog: tain/
A typical IdP identifier: urn:geant:edugain:component:idp:starfleet:enterprise:roll
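The identifier examples above all share one layout: a fixed prefix, a normalized kind label, the federation, then the BE and any local labels. The following is an added illustration (not eduGAIN project code) of how a component would parse such an identifier and cross-check the hierarchy it claims, so that an SP or IdP can only be accepted through the BE its own identifier names. The rule that federation and BE labels are plain tokens is an assumption of this example; the slides do not state a label syntax.

```python
"""Parse and cross-check eduGAIN-style component identifiers.

Added illustration, not eduGAIN project code. Assumes the URN layout seen
in the slide examples:
  urn:geant:edugain:component:<kind>:<federation>[:<be>[:<local labels...>]]
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

URN_PREFIX = "urn:geant:edugain:component:"
# Normalized kind prefixes that appear on the slides; anything else is rejected.
KNOWN_KINDS = ("fpp", "be", "sp", "idp")
# Assumed (not stated on the slides): federation and BE labels are plain tokens.
LABEL_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


@dataclass(frozen=True)
class ComponentId:
    kind: str
    federation: str
    be: Optional[str]          # None for an FPP, which sits at federation level
    local: Tuple[str, ...]     # labels below the BE (SP/IdP only)

    def __str__(self) -> str:
        parts = [self.kind, self.federation]
        if self.be is not None:
            parts.append(self.be)
        parts.extend(self.local)
        return URN_PREFIX + ":".join(parts)


def parse_component_id(urn: str) -> ComponentId:
    """Split a URN into its hierarchy, enforcing the depth each kind allows."""
    if not urn.startswith(URN_PREFIX):
        raise ValueError(f"not an eduGAIN component identifier: {urn!r}")
    labels = urn[len(URN_PREFIX):].split(":")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {urn!r}")
    kind = labels[0]
    if kind not in KNOWN_KINDS:
        raise ValueError(f"unknown component kind {kind!r} in {urn!r}")
    if kind == "fpp":
        # An FPP is identified by its federation alone.
        if len(labels) != 2:
            raise ValueError("FPP identifier must be fpp:<federation>")
        federation, be, local = labels[1], None, ()
    elif kind == "be":
        # A BE adds exactly one label under its federation.
        if len(labels) != 3:
            raise ValueError("BE identifier must be be:<federation>:<be>")
        federation, be, local = labels[1], labels[2], ()
    else:
        # SPs and IdPs carry the federation and BE they connect through.
        if len(labels) < 4:
            raise ValueError(f"{kind} identifier must be {kind}:<federation>:<be>:<local...>")
        federation, be, local = labels[1], labels[2], tuple(labels[3:])
    for label in (federation, be):
        if label is not None and not LABEL_RE.fullmatch(label):
            raise ValueError(f"malformed label {label!r} in {urn!r}")
    return ComponentId(kind, federation, be, local)


def connects_through(component: ComponentId, be: ComponentId) -> bool:
    """True if an SP or IdP names `be` as the bridging element it connects through."""
    if be.kind != "be" or component.kind not in ("sp", "idp"):
        return False
    return component.federation == be.federation and component.be == be.be


def registered_under(be: ComponentId, fpp: ComponentId) -> bool:
    """True if a BE's identifier places it in the federation `fpp` peers for."""
    return be.kind == "be" and fpp.kind == "fpp" and be.federation == fpp.federation


if __name__ == "__main__":
    idp = parse_component_id("urn:geant:edugain:component:idp:starfleet:enterprise:roll")
    be = parse_component_id("urn:geant:edugain:component:be:starfleet:enterprise")
    print(idp, connects_through(idp, be))
```

The depth rules matter for trust decisions: a BE should refuse to act for an IdP whose identifier points at a different BE, and an FPP should only announce BEs whose identifier carries its own federation label, so the checks above would run before any metadata is published or any assertion is accepted.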

eduGAIN Trust Fabric
Based on a PKI
Validation procedures include
  – Normal certificate validation: trust path evaluation, signatures, revocation, …
  – Peer identification: certificates hold the component identifier, and it must match the appropriate metadata
Applicable to
  – TLS connections between components (two-way validation is mandatory)
  – Verification of signed XML assertions

eduGAIN CA Hierarchy (diagram slide: eduGAIN CA at the root, with eduGAIN SCA and the per-federation CAs eduGAIN Fed1 CA … eduGAIN FedN CA below it; MDS server(s), the FPPs, BE1 … BEN and LFAs of federations FedA … FedZ as leaves)

Metadata Service
Based on REST interfaces transporting SAML 2.0 metadata
FPPs publish metadata through POST operations
FPPs retrieve metadata through GET operations
URLs are built as MDSBaseURL/FederationID/entityID?queryString
  – Using component identifiers
  – The queryString transports data intended to locate the appropriate home BE (Home Locators), usually coming from hints provided by the user
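Two points from the trust-fabric and Metadata Service slides are easy to get subtly wrong in an implementation: the identifiers placed in MDS URLs contain characters that also act as path separators, and the peer-identification step is a separate check after ordinary certificate validation. The block below is an added illustration (not eduGAIN project code) of both. The MDS base URL, the name of the home-locator query parameter, and the assumption that a peer certificate carries its component identifier as a URI subjectAltName, in the dictionary shape Python's `ssl` `getpeercert()` returns, are all assumptions of this example.

```python
"""Metadata Service URLs and peer identification against metadata.

Added illustration, not eduGAIN project code. Assumptions (not in the
slides): the MDS base URL below, the home-locator parameter name, and that
a peer certificate carries its component identifier as a URI
subjectAltName, in the dict shape Python's ssl getpeercert() returns.
"""
from typing import Any, Dict, Optional
from urllib.parse import parse_qs, quote, urlencode, urlsplit

MDS_BASE_URL = "https://mds.example.org/mds"  # assumed placeholder
URN_PREFIX = "urn:geant:edugain:component:"


def build_mds_url(federation_id: str, entity_id: str,
                  home_locators: Optional[Dict[str, str]] = None) -> str:
    """MDSBaseURL/FederationID/entityID?queryString, as the slide describes.

    Both identifiers are URNs containing ':' and possibly '/', so each is
    percent-encoded as a single path segment; otherwise an entityID could
    be crafted to change the path the MDS resolves.
    """
    url = "/".join([MDS_BASE_URL.rstrip("/"),
                    quote(federation_id, safe=""),
                    quote(entity_id, safe="")])
    if home_locators:
        url += "?" + urlencode(sorted(home_locators.items()))
    return url


def home_locators_from_url(url: str) -> Dict[str, str]:
    """Server side: recover the Home Locator hints from the query string.

    A repeated parameter is rejected rather than silently picking one value.
    """
    hints = parse_qs(urlsplit(url).query)
    for name, values in hints.items():
        if len(values) != 1:
            raise ValueError(f"ambiguous home locator {name!r}")
    return {name: values[0] for name, values in hints.items()}


def identifier_from_cert(peercert: Dict[str, Any]) -> Optional[str]:
    """Extract the component identifier from a getpeercert()-style dict."""
    for san_type, value in peercert.get("subjectAltName", ()):
        if san_type == "URI" and value.startswith(URN_PREFIX):
            return value
    return None


def peer_matches_metadata(peercert: Dict[str, Any], metadata_entity_id: str,
                          expected_kind: str) -> bool:
    """Peer identification step from the trust-fabric slide.

    Runs after chain and revocation validation have already passed: the
    identifier in the certificate must equal the entityID in the metadata
    held for the peer, and it must be of the kind this exchange expects
    (a valid SP certificate must not pass where a BE is required).
    """
    ident = identifier_from_cert(peercert)
    if ident is None or ident != metadata_entity_id:
        return False
    kind = ident[len(URN_PREFIX):].split(":")[0]
    return kind == expected_kind


# Constructed sample: what getpeercert() might return for a BE's certificate.
SAMPLE_BE_CERT = {
    "subject": ((("commonName", "enterprise BE"),),),
    "subjectAltName": (("URI", "urn:geant:edugain:component:be:starfleet:enterprise"),),
}

if __name__ == "__main__":
    url = build_mds_url("urn:geant:edugain:component:fpp:starfleet",
                        "urn:geant:edugain:component:be:starfleet:enterprise",
                        {"homeLocator": "enterprise.starfleet.example"})
    print(url)
    print(peer_matches_metadata(
        SAMPLE_BE_CERT, "urn:geant:edugain:component:be:starfleet:enterprise", "be"))
```

Note that `peer_matches_metadata` compares the whole identifier, not just a prefix: with two-way TLS mandatory, both ends run this check, and matching on the federation label alone would let any component in the federation stand in for the BE.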

General eduGAIN Operation Mapping
Current version is based on SAML 1.1
  – Profiling the standard to fit abstract parameters
  – Component identifiers play their role again
A SAML 2.0 implementation will be available along the lifetime of the project
  – The abstract service specification protects components and applications from these changes
Authentication assertions and attribute exchange mechanisms are designed to be Shibboleth 1.x compatible
  – And Shibboleth 2.0 in the future

eduGAIN API Structure
The eduGAIN APIs are the common libraries for all eduGAIN components
  – Direct implementation of the eduGAIN service definition
  – And also available to local requesters and responders
Building blocks:
  – eduGAINVal: Validation procedures
  – eduGAINBase: Adapt the abstract service definition
  – eduGAINMetaQuery: Queries to the Metadata Service
  – eduGAINMetaPub: Publication at the Metadata Service

A Layered Model for Implementation (layers, top to bottom)
  – Component logic (FPP, BE, local requester-responder)
  – eduGAINBase + eduGAINVal + eduGAINMeta*
  – SAML library: OpenSAML
  – SOAP/TLS/XMLSig libraries: Shibboleth components whenever possible

eduGAIN Profiles
Define the precise exchange of messages and the processing rules for these messages in particular use cases
Two profiles defined so far
  – Web SSO (Shibboleth compatible)
  – Automated client (no human interaction)
Others envisaged
  – Extended Web SSO (allowing the sending of POST data)
  – Non-web applications (based on Web SSO)
  – eduGAIN usage from roaming clients (DAME)

eduGAIN Profiles: Web SSO (diagram slide)

eduGAIN Profiles: Automated Client (diagram slide)

Where We Are
Implementing the eduGAIN APIs
  – First version expected by the end of April
Polishing profiles
  – Through interaction with user activities
Preparing the first version of a cookbook
  – Deployment and component implementation guidelines
First pilot to be run around the 4th quarter of this year
Establishing links with other potential user communities beyond the GN2 project
Policy is on its way