2003 © SWITCH Authentication and Authorisation Infrastructure - AAI Christoph Graf Project Leader AAI SWITCH.

Presentation transcript:

2003 © SWITCH
Authentication and Authorisation Infrastructure - AAI
Christoph Graf, Project Leader AAI, SWITCH

2003 © SWITCH, e-Academia / AAI: Pilot phase
Slide 2: The Foundation SWITCH
Set up in 1987 with the purpose: “... to create, promote and maintain the necessary fundamental means for efficient use of modern telecommunication methods for the benefit of education and research in Switzerland and to participate in such fundamental activities.... ”
… amazingly enough, it still holds true without tweaking.

Slide 3: Business Areas of SWITCH
(Diagram of four business areas and their services)
Network Engineering: IP, QoS, Routing, ...; Network Operation; Help Desk; Consulting
Security: Incident Handling; Consulting; Laboratory
Internet Identifiers: Domain Name Registration; User Registrations
NetServices: SWITCHvconf; Middleware incl. AAI; Service Monitoring; Diverse Applications incl. News; Consulting; SWITCHmobile; Content Delivery and Tools
Internet Identifiers and NetServices each also list: Invoicing; Administration; Help Desk; Online-Queries; Consulting

Slide 4: How it all began…
Call for participation in the Swiss Virtual Campus (SVC) in 1999
– Fair amount of federal funds for the creation of e-learning course contents
– Applying teams need to build consortia
– Courses must be offered to consortia member organisations for free
– Consortia members should put those courses into their curricula
Problems
– How to deal with user authentication and authorisation in this cross-organisational context?
– Should every team solve the same problem individually?
– The SVC is about contents, not tools
SWITCH’s answer
– This is an opportunity to drive and co-ordinate efforts in our community
– The AAI activity (Authentication and Authorisation Infrastructure) was outlined
– It aims at establishing a cross-organisational infrastructure offering authentication and authorisation services (in a wider context than just covering the needs of the SVC)

Slide 5: e-Academia / AAI Concept
Vision of e-Academia:
“… let’s develop e-Academia, let us build the foundations in the form of a uniform authentication and authorization infrastructure (AAI) for the higher education system in Switzerland…”
“We want a virtual community across our institutions in which all persons associated with the Swiss Higher Education System are able to gain access to its electronic resources, independent of the accrediting organization and independent of the place where they happen to be working.”
AAI as the foundation of e-Academia
Roadmap (2000): Concept, Study, Pilot, Realization V1.0, Realization V2.0

Slide 6: The AA Problem (1)
(Diagram: a user at the University of Zurich presents ID and credentials to the Resource Owner, who keeps info about the user; analogy: the Swiss Passport)
1 user - 1 resource - 1 organization: NO PROBLEM

Slide 7: The AA Problem (2)
(Diagram: a user from the University of Zurich presents ID and credentials separately to Resource A, to Resource B at the University of Lausanne and to Resource C at the University Hospital of Geneva; every resource keeps its own info about the user)
Many users - many resources - many organizations: A PROBLEM

Slide 8: The AA Model (1)
(Diagram: the User‘s Home Org registers the user and stores info (name, address, ….) in a User DB; the Resource Owner runs an Access Control Manager with an Access Control Definition in front of the Resource. Legend: user, data, system; registration, pre-processing)

Slide 9: The AA Model (2)
(Diagram: the user authenticates at the User‘s Home Org; the access request of an authenticated user goes to the Access Control Manager of the Resource Owner; the AAI delivers Authorization Information from the Home Org to the Access Control Manager, which applies its Access Control Definition. Legend: user, data, system, AAI-interaction; authentication)

Slide 10: The AA Model (3)
(Diagram: authentication at the User‘s Home Org and the access log of the Access Control Manager feed Other Applications: Accounting, Billing, Statistics)
Input to Accounting or Billing systems:
– AAI provides Identity of User and/or Name of Home Organization
– Resource measures the interactions between a user and the resource

Slide 11: Scope of the AAI
(Diagram: the AAI covers inter-organizational user authentication and the secure transfer of authorization attributes. Surrounding, related areas: Authentication systems, User Directories, WEB resources, Integrated Systems, WEB Portals, Secure Document encryption, SmartCards, PKI, WEB Single Sign-on, Unix/Windows login, Billing, Accounting, Legacy Applications)

Slide 12: Advantages of an AAI
Information protection: AAI simplifies the protection of information by applying standardized mechanisms. Resource owners can concentrate on the protection of their resources without having to implement an entire system including registration and authentication.
Remote access: AAI makes it possible to authorize users based on personal attributes of a user instead of IP addresses. User authorization thus becomes location-independent.
User friendliness: After a single registration a user can access a number of resources. Only one authentication technology is applied.
IT efficiency: Standardized AA systems and cooperation among IT organizations improve the efficiency in the implementation and operation of security solutions.
Administration overhead: Without AAI, a user has to register with various organizations. It is feared that the administrative overhead of individual organizations will increase dramatically. AAI counteracts this tendency.
Image: Complicated and inconsistent AA mechanisms, or the isolation of resources and user groups, are no longer state of the art. Not having an AAI will damage the image in the long run.
Virtual Mobility: AAI is a requirement if students of different universities wish to use common resources, and it is the basis for initiatives such as the Swiss Virtual Campus.

Slide 13: Project Planning: Roadmap
(Gantt chart of the pilot projects over the quarters Jul - Sept 02, Oct - Dec 02, Jan - March 03 and Apr - Jun 03, within the roadmap phases Study, Pilot, Realization V1.0, Realization V2.0. Work items: Policy; Attribute specification; Budgeting the implementation of Release 1.0; Tech. & org. concept; Legal basis; Service description; Selection of architecture)
Decision: Building up of infrastructure (June 2003)

Slide 14: Authorisation Attributes
Personal attributes: Unique Identifier (anonymous); Surname; Given name; Date of birth; Gender; Address(es); Phone number(s); Preferred language; Name of Home Organization; Type of Home Organization; Affiliation (student, staff, faculty, …); Study branch; Study level; Staff category; Organization Path; Organization Unit Path
Group membership: Group membership
User attributes for AAI
– are based on standards (LDAP: eduPerson, SHIS/SIUS)
– have to be available in real-time
– have to be handled as required by federal and cantonal data protection laws: attributes have to be accurate; attributes have to be stored securely; attributes should only be transferred to resources with a valid case to use them.
– will be revised in the future in a standardised change process, depending on the requirements of Resource Owners and Home Organizations

Slide 15: Shibboleth AA Process
(Diagram with the actors User, Resource Owner (Resource, SHIRE, SHAR, Resource Manager), WAYF and the User‘s Home Org (HS, User DB, AA); the numbered steps read in order:)
1. The user requests the Resource.
2. SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
3. WAYF: “Please tell me where you come from.”
4. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
5. HS: “I don’t know you. Please authenticate yourself.”
6. The user presents credentials, which the HS checks against the User DB.
7. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
8. SHAR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (sends the handle)
9. AA: “Let’s pass over the attributes the user has allowed me to release.” (returns attributes)
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”

Slide 16: Preconditions for Home Organizations
(Diagram: the User‘s Home Org registers users with their info (name, address, ….) into a User DB and authenticates them with ID and password)
Registration
– A Home Organization must be able to register its users and store information about them in a user directory (database), and provide a minimal set of such user attributes to the AAI
– The registration and administration processes have to guarantee that these attributes are kept accurate
Authentication
– A Home Organization has to offer secure authentication over the network to its users
– It is up to the Home Organization which authentication technology it chooses.

Slide 17: AAI-enabling of Home Organizations
(Diagram: the Home Org‘s authentication system answers Yes/No and an AAI directory delivers attributes to the AAI; the AAI directory is fed from one or more User DBs)
AAI integration
– between authentication system and AAI
– between user DB / directory and AAI
Data consolidation
– Make sure that all the attributes needed are available online in the appropriate AAI format
– If necessary, create a specific AAI user directory (read-only, periodically updated from master databases)

Slide 18: AAI Resource Types (1)
(Diagram for each type: Resource Owner with Access Control Manager, AAI component, Access Control Definition and Resource; Type B additionally has a User DB)
Type A: Unpersonalized web resources
– Access control policy based on group membership attributes
– AAI extensions for web server
– Example: Intranet web servers
Type B: Personalized web resources
– Access control policy based on individual and group membership attributes
– AAI extensions for web server
– Examples: Discussion forum, Web mail, Student administration

Slide 19: AAI Resource Types (2)
(Diagram for each type: an AAI-Proxy or AAI-Portal carries the Access Control Manager and Access Control Definition in front of the Resource; Type D additionally has a User DB)
Type C: Unpersonalized “black box” web resources with proprietary access control
– AAI proxy
– Example: 3rd party content providers (libraries)
Type D: Personalized “black box” web resources with proprietary access control and user administration
– AAI portal or AAI proxy
– Examples: E-learning platforms, Standard applications

Slide 20: Preconditions for Resources
(Diagram: Resource Owner with Access Control Manager, Access Control Definition and Resource)
Access Control
– Access Control Policy can be expressed and implemented as rules based on authorization attributes
– Received attributes have to be appraised as trustworthy
– Resource is of type A-D (detailed technical requirements will follow); if not, technical feasibility has to be verified.
Legal Basis
– A Resource belongs to an Organization bound to the AAI Policy
– A Resource Owner agrees to handle received attributes as required by the AAI Policy and the Federal and Cantonal Data Protection Law

Slide 21: AAI-enabling Resources
(Diagram: Resource Owner with Access Control Manager, AAI component and Access Control Definition in front of the Resource or Portal, with a User DB for personalized resources)
For Resources of Type A and B
– Install AAI on Resource
– Configure (implement) Access Control Definition
– For personalized resources: implement interaction with User DB
For Resources of Type C and D
– Implement Portal/Proxy
– Install AAI on Portal/Proxy
– Configure (implement) Access Control Definition on Portal/Proxy
– For personalized resources: implement interaction with User DB
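The ten steps of slide 15, the attribute release rules of slide 14 and the attribute-based access rules of slides 18 to 21, as an added Python simulation that is not SWITCH’s or Shibboleth’s code: the Home Org’s Handle Service mints an opaque, short-lived, single-use handle, its Attribute Authority releases only the attributes allowed for the requesting resource, and the Resource Owner’s Access Control Manager evaluates its rules over what it received. Class names, the sample user, the release policy and the access rule are constructed assumptions.

```python
import hashlib
import secrets
import time

HANDLE_TTL = 300  # seconds; a handle is opaque, short-lived and single-use

def pwhash(password):  # unsalted SHA-256 keeps the sample short; a real User DB uses a salted KDF
    return hashlib.sha256(password.encode()).hexdigest()

class HomeOrganization:
    """Handle Service (HS) and Attribute Authority (AA) of one Home Org (slides 15-16)."""
    def __init__(self, name, user_db, release_policy):
        self.name = name
        self.user_db = user_db                # registration: the org's own user directory
        self.release_policy = release_policy  # resource -> attributes the user lets the AA release
        self._handles = {}                    # handle -> (uid, expiry); only HS and AA ever see this

    def handle_service(self, uid, password):
        """Steps 5-7: authenticate against the User DB and mint a handle that carries no user data."""
        user = self.user_db.get(uid)
        if user is None or not secrets.compare_digest(user["pwhash"], pwhash(password)):
            return None
        handle = secrets.token_urlsafe(16)
        self._handles[handle] = (uid, time.monotonic() + HANDLE_TTL)
        return handle

    def attribute_authority(self, handle, resource):
        """Steps 8-9: resolve the handle once, release only what the policy allows for this resource."""
        entry = self._handles.pop(handle, None)  # single use: a replayed handle resolves to nothing
        if entry is None or entry[1] < time.monotonic():
            return None
        allowed = self.release_policy.get(resource, set())
        attrs = {k: v for k, v in self.user_db[entry[0]]["attributes"].items() if k in allowed}
        attrs["homeOrganization"] = self.name  # Name of Home Organization always accompanies the set
        return attrs

class ResourceOwner:
    """SHIRE/SHAR and Access Control Manager of a Type A web resource (slides 18, 20)."""
    def __init__(self, resource, federation, rules):
        self.resource = resource
        self.federation = federation  # the "club": Home Orgs bound to the AAI Policy
        self.rules = rules            # Access Control Definition: attribute -> accepted values

    def access(self, org_name, handle):
        """Steps 8-10: SHAR fetches attributes with the handle, then the rules decide."""
        home_org = self.federation.get(org_name)  # attributes are trusted only from club members
        attrs = home_org.attribute_authority(handle, self.resource) if home_org else None
        if attrs is None:
            return False, "unknown Home Org or unusable handle"
        for attr, accepted in self.rules.items():
            if attrs.get(attr) not in accepted:
                return False, f"attribute {attr} does not satisfy the rule"
        return True, attrs

def run_demo():
    """Constructed sample data: one Home Org and one Type A intranet resource."""
    uni = HomeOrganization("Example University (constructed)", {"alice": {
        "pwhash": pwhash("correct horse"), "attributes": {"uniqueID": "aai-00042",
        "surname": "Example", "affiliation": "staff", "groupMembership": "physics"}}},
        {"intranet": {"uniqueID", "affiliation", "groupMembership"}})  # surname is withheld
    portal = ResourceOwner("intranet", {uni.name: uni}, {"affiliation": {"staff", "faculty"}})
    handle = portal.federation[uni.name].handle_service("alice", "correct horse")  # WAYF, steps 3-4
    first = portal.access(uni.name, handle)
    replay = portal.access(uni.name, handle)  # the same handle presented a second time fails
    return first, replay
```

The resource never learns Alice’s password or surname; it sees only the released attributes and the Home Org name, and a captured handle is useless after its first resolution.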

Slide 22: The Legal Basis of an AAI
(Diagram: the AAI Service Provider and Org A, Org B, Org C, Org ... are bound together by the AAI Policy, made up of User Regulations, a Service Agreement and “Club rules”)

Slide 23: AAI Programme Management
(Gantt chart from Jan – Jun 2003 to Jul – Dec 2004 with the phases Pilot, RE1 and RE2: Home Organizations UNI A to UNI E join over time; Resource Owners Res 1 to Res 6 are AAI-enabled, some of them in more than one phase; SWITCH runs the programme)

Slide 24: AAI Programme Management (continued)
(Same chart, Jan – Jun 2003 to Jul – Dec 2004, phases Pilot, RE1 and RE2: Home Organizations UNI A to UNI E; Resource Owners Res 1 to Res 9 and further resources; SWITCH)

Slide 25: Simple Identity Management Classification
(ordered from simple to complex)
MS Passport
– Trust model: One external trust broker, trust monopoly
– One central user database
– One single Home Organisation for all users
Shibboleth
– Trust model: “Club” of organisations trusting each other (but not necessarily their users!)
– Decentralised user database at “Club” member sites
– “Club” members acting as Home Organisation
– Users are registered with exactly one Home Organisation, maintaining their electronic identity (otherwise, they end up owning multiple electronic identities)
Liberty Alliance
– Same as Shibboleth except:
– Users may register with multiple “Club” members
– Each Club member is maintaining a part of their user’s electronic identity

Slide 26: Questions?