1 UPKI-Federation based on Shibboleth National Institute of Informatics Motonori Nakamura Toshiyuki Kataoka, Kyoto University Yasuo Okabe

2 OUTLINE 1.Overview of UPKI and UPKI-Fed 2.UPKI Single Sing-On Trial 3.Roadmap

3 What is UPKI? We are undertaking the construction of University Public Key Infrastructure (UPKI), which is intended to achieve an inter-university cooperation that makes use of educational and research computing systems, digital contents, networks, and business systems at almost 800 universities and other institutions in Japan, in safe, convenient, and effective ways. We are promoting an Inter-university authentication federation by developing UPKI common specifications, and by developing applications using the PKI.

4 1. Overview of UPKI

5 UPKI Three-layer Architecture

6 UPKI Three-Layer Architecture Open Domain PKI (Public PKI)  Using for authentication, signature and encryption on the internet.  Issuing public certs for servers and individuals in the internet by PKI service provider. Campus PKI  Using to campus network for secure access and secure transaction.  SSO, VPN, 802.1X, e-Approval, etc.  Issuing certs for server and faculty staff/students in campus network by each organization. Grid PKI  Using to authentication for NAREGI.  Issuing certs for HPC resources and NAREGI users by NAREGI-CA.

7 UPKI Activities Web ｻｰﾊﾞ NII Pub CA Web Srv. Web ｻｰﾊﾞ S/MIME Other Pub CA S/MIME Web Srv. 学内用 A Univ. CA EE 学内用 B Univ. CA EE A Univ. NAREGI CA EE B Univ. NAREGI CA Campus PKI Open Domain PKI NAREGI PKI S/MIME Auth, Sign, Encrypt. Sign, Encrypt. Auth, Sign, Encrypt. Grid Computing Proxy EE Proxy EE Student, Faculty Server, Super Computer Student, Faculty Server, Super Computer NAREGI-CA Enhancement CA Start-Pack UPKI Common Specification Server Certificates S/MIME Certificates Eduroam Shibboleth

8 UPKI-Fed Inter-Univerisity SSO Architecuture Leveraging PKI and Shibboleth (SAML) technologies, UPKI-Federation that enables secure Single Sign-On for inter- Universities services such as electronic journals is under development. The project is trial stage since Sept

9 Academic Society University SP Faculty Student E-Journal ＣｉＮ ii 、・・ e-Learning Cert. Issuance Server Cert. IdP University Academic Society University AuthN Society member ・・・ Account Issuance, Wireless LAN ・・ Federation using Shibboleth and PKI Secure access from off-campus, other campus UPKI-Federation - Policy - System Spec. UPKI-IdP Discovery Service Support Portal Operational Organization Metadata Repository UPKI-Fed Inter-University SSO Architecture ・・・ Campus System System ・・・ AuthN Single Sign-On

UPKI-FED SSO TRIAL 2. 10

11 User (B Univ.) Id P B University User (A Univ.) IdP Client Cert.Isssuance AuthN A University Campus CA Commercial Service UPKI-Fed IdP_00 DS IdP_01 Repository Admin. SP SSO CMS(Plone1) Admin. Attributes Management UPKI-Fed Test-bed AuthN UPKI Open Domain CA SP CMS （ Moodle ） CMS （ Plone2 ） CiNii SSO User is authenticated by IdP of his/her University Participant of Commercial Service Attributes Management

12 Feasibility Study Schedule (FY2008) Preparation - Setup documents - VMWare Image for IdP - test-bed including DS, repository Explanatory meeting (July 2008, twice) - Ask to attend both IT people and librarians from each institutes Development - developed test SP - support institutes to setup IdP, SP - metadata distribution - feasibility test instruction - share information by wiki, mailing-list, mail magazine Participants meeting (Nov. 2008) - report status from all institutions Preparation for next step - discussion and development of policy for pilot operation Demonstration at UPKI Symposium 2009 (Feb. 2009)

13 Participants 27 Institutions 30 IdP sites 18 SP sites Aug. Sep. Oct. Nov. Dec. Jan. Feb. 10 Sites 20 Sites 10 Sites ＳＰ ＩｄＰ 30 Sites 18 Sites Completed connection to Elsevier !

14 Status of Participating Institutions NameIdPSP Hokkaido Univ.○ 2 － Tohoku Univ.○ － Yamagata Univ.○ － Fukushima Univ.- － High Energy Accelarator Research Organization - － Tsukuba Univ.○(Local test) Tsukuba Univ. of Technology －－ Chiba Univ.Test － Tokyo Univ.○ － Tokyo Institute of Technology ○(Local test) Ocyanomizu Univ. ○ － Advanced Institute of Industrial Technology ○2○2Multi-Mouse AP, (Local test) Keio Univ. －－ National Institute of Informatics ○3○3 CiNii Shib-test NameIdPSP Kanazawa Univ.○File Transfer Service, Digital Contents Publishing (Dspace) Nagoya Univ.○ － Aichi Prefectural College of Nursing and Health ○ － Kyoto Univ.○Wireless LAN Account Issuance Service Kyoto Sangyo Univ. ○(Local test) Osaka Univ. ○４○４ (Grid Cert. Issuance Service) Ehime Univ. －－ Tokushima Univ.○Inter-Campus SNS(OpenPNE) Hiroshima Univ.○ － Yamaguchi Univ.○ SSO Test(Plone) Kyusyu Univ.○ （ Local test ） Kumamoto Univ.○ － Saga Univ.○ （ Local test ）２

15 Feasibility Study Trial using Shibboleth2.0/2.1.2  Single Sign-On connection among Universities’ IdPs, SPs, and commercial SPs from abroad  Shibboleth2.0 protocol among participants in Japan  Shibboleth1.3 protocol to connect to existing commercial SPs from abroad  Metadata automatic download test  Metadata signing, and verification test  Connecting IdP to campus LDAP/AD  Attributes send/receive test, including Japanese Attributes  Tools test such as ArpViewer

16 Connecting to commercial SP from abroad NII IdP (idp.nii.ac.jp) NII Institution’s AD AuthN SP Test SPs in participating Institutions All Institution member can use IdP now ! JAPAN Abroad

17 Connection with commercial SPs from abroad Completed with Elsevier (ScienceDirect, Scopus)  Protocol = Shibboleth1.3 ： Changed UPKI-Fed protocol from Shib2.0 only to Shib2.0/Shib1.3  Certificate ： Ask SPs from abroad to use commercial public certificate, because we can’t issue UPKI certificate to abroad Connection plan with other commercial SPs  soon ： Refworks 、 Nature 、 OUP (Oxford University Press) 、 LWW/Ovid 、 Springer 、 Thomson 、 EBSCO  Within the next fiscal year(?) ： CUP （ Cambridge University Press ）、 Wiley-Blackwell 、 SAGE 、 ProQuest 、 JSTOR 、 Serials Solutions 、 Taylor&Francis 、 APS （ American Physical Society ）

18 Connection with Elsevier ログイン

ROADMAP 3. 19

20 UPKI-Fed Prospective Plan Goal: Inter-University AuthN and AuthZ Infrastructure for ALL Services  “Feasibility Study” will end in Mar  “Pilot Operation” will start from April 2009 FY2008FY2009FY2010 Feasibility Study Pilot Operation Practical Operation Connection using test account Connection using real account under campus policies Practical operation with real account and service

21 Preparation for UPKI-Fed Pilot Operation UPKI-Fed Policy (under development)  “UPKI-Fed Pilot Operation Procedure” (Draft)  “UPKI-Fed System Specification” (Draft) Attributes (Specified in above document)  eppn/persistentID, o, ou, eduPersonAffiliation, etc…  Two bytes code support (Japanese) Name, DisplayName, OrganizationName,,, (Discussing to define “jasn”, “jaDisplayName”, “jao”,,,) Configuration template  Preparing template for attribute-resolver, attribute- filter, attribute-map for UPKI-Fed participants

22 UPKI-Fed Pilot Operation Procedure (Draft)

23 Summary UPKI-Fed: Japanese Academic Federation  Architecture design; Develop suitable architecture on UPKI PKI infrastructure (three layers) taking institutions situations into consideration. Deployment of Shibboleth/SAML  Roadmap; FY2008 Feasibility Study Evaluate and develop architecture using testbed Small start with a few SP services FY2009 Pilot Operation FY2010 ～ Operational