Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)* Antonio F. Gómez-Skarmeta.

Presentation transcript:

Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)*
Antonio F. Gómez-Skarmeta, University of Murcia (Spain)
TNC2007, Copenhagen, 2007/05/21
* Funded by EC project Geant2-JRA5, Terena, RedIRIS and DFN.

Overview
– Introduction
– Starting points
– Main goals of the DAMe project

Introduction
DAMe is a research project based on previous works from TERENA, Internet2 and the University of Murcia:
– eduroam, a result of the TERENA Mobility Task Force, which defines a roaming architecture between NRENs based on AAA servers (RADIUS) and the 802.1X standard.
– Shibboleth, a widely deployed federation mechanism.
– eduGAIN, the AAI (Authentication and Authorization Infrastructure) from GÉANT2 (GN2).
– NAS-SAML, a network access control system for AAA architectures developed by the University of Murcia and based on SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language).

DAMe project. Main Goals
Authentication, but also authorization, is needed in order to provide appropriate network access:
– The user's identity is not enough.
– Institutions can offer different QoS parameters depending on the user.
– Decisions should be taken considering the user attributes.
– User mobility is becoming more and more frequent.
– Several institutions must cooperate at several levels.
Preliminary works on this subject:
– DAIDALOS project
– RADIUS/SAML (Internet2)
Application-level services can take advantage of the network access mechanism in order to bootstrap a seamless global SSO.

Intradomain: Campus
[Figure: campus users (teachers, students, administrative staff, researchers) held in a users DB and an LDAP directory; web services, Internet and wireless services; an Authentication Authority and an Authorization Authority.]
Stable relationship among users, institution and services.

Interdomain: Different universities
– Alice might make use of the computer network at University B.
– Alice will be authenticated by University A.
– Alice will be authorized by University B, but making use of the attributes defined by University A.
– Relationships are stable and long term.
– Authorization information is represented using a common format.
[Figure: University A and University B linked by a Service Level Agreement.]

Interdomain: Heterogeneous systems
Charles is authorized by University B upon the attributes defined by University C:
– Credentials are based on different formats.
– There are different criteria about syntax and semantics.
Therefore, it is necessary:
– To define a credential conversion system, identifying its main entities and policies.
[Figure: University B and University C linked by a Service Level Agreement.]

Starting point: eduroam
Goal:
– "open your laptop and be online"
– To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.
Concepts:
– Based on reciprocal (free) access
– NREN community
– Authentication at home
– Authorization at visited institution

Starting point: eduroam
[Figure: eduroam architecture. Alicia's supplicant, an authenticator (AP or switch), the University B RADIUS server, the RedIRIS central RADIUS proxy server, and the University A RADIUS server with its user DB; 802.1X with VLAN assignment (Student VLAN, Commercial VLAN, Employee VLAN); data and signalling paths shown separately.]
Trust based on RADIUS plus policy documents.

Starting point: NAS-SAML
Motivation:
– Current authorization solutions do not address most of the issues related to the provision of different types of services based on attribute credentials.
– NAS-SAML was defined to provide a network access system based on existing standards (802.1X, AAA, SAML, XACML).
– It requires the extension of the current AAA protocols in order to exchange authorization credentials.
– Different profiles are defined in order to provide several design alternatives (push and pull).

Starting point: NAS-SAML (figure only)

NAS-SAML: Pull profile (figure only)

DAMe project. Overview
Definition of a unified authentication and authorization system for federated services hosted in the eduroam network, and a global SSO mechanism based on already deployed mechanisms and architectures.

Main goals of the DAMe project
Extension of eduroam using NAS-SAML
– User mobility is controlled by assertions and policies expressed in SAML and XACML.
[Figure: the eduroam architecture (Alicia's supplicant, authenticator (AP or switch), University B RADIUS server, RedIRIS central RADIUS proxy server, University A RADIUS server and user DB) extended with an XACML Policy Decision Point and a SAML Attribute Authority; XACML signaling and data paths shown.]

Main goals of the DAMe project
Extension of eduroam using NAS-SAML (figure only)

Main goals of the DAMe project (figure only)

Main goals of the DAMe project
Global Single Sign On (SSO)
– Users will be authenticated only once, during the access to the network.
– An SSO token (eduGAIN compliant) must be distributed, validated, and managed by an appropriate middleware.
– Possibly, new EAP methods (PEAP-based) will be needed to obtain the token.

Main goals of the DAMe project
Resource Access
– The user authenticates in his home domain and gets an SSO token.
– The token is delivered to the user through a secure tunnel.
– The token contains a handle instead of the real user's identity, to maintain privacy.
– Later, when the user tries to access a protected resource, he includes the token in the request.
– The resource uses the handle included in the token to request the user's attributes through eduGAIN.
– When received, the attributes are used to take the authorization decision.
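The resource-access flow above and the attribute-based decision of the NAS-SAML extension, as an added Python model that is not part of the DAMe project or this presentation. The HMAC-protected token, the handle table, the attribute store and the dictionary policy are constructed stand-ins for the eduGAIN SSO token, the home SAML Attribute Authority and an XACML policy; the home RADIUS/EAP exchange that precedes token issuance is assumed to have succeeded.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed key shared by the home domain's token issuer and the resource;
# a real eduGAIN deployment would rely on signed SAML assertions, not an HMAC.
HOME_KEY = b"constructed-home-domain-key"


class HomeDomain:
    """Home domain (hypothetical): issues SSO tokens after network
    authentication and answers attribute queries for the handles it issued."""

    def __init__(self):
        self.handles = {}  # handle -> real identity; never leaves the home domain
        # Constructed attribute store for one user (hypothetical identifier).
        self.attributes = {"alice@univ-a.example": {"affiliation": "student"}}

    def issue_token(self, user, ttl=300):
        handle = secrets.token_hex(8)  # opaque per-session handle, not the identity
        self.handles[handle] = user
        body = json.dumps({"handle": handle, "exp": int(time.time()) + ttl})
        mac = hmac.new(HOME_KEY, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "mac": mac}  # the real identity is not in the token

    def attributes_for(self, handle):
        """Attribute request: resolve the handle to the user's attributes."""
        user = self.handles.get(handle)
        return self.attributes.get(user, {}) if user else {}


def validate_token(token):
    """Resource-side integrity and expiry check; returns the handle or None."""
    expected = hmac.new(HOME_KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["mac"]):
        return None  # forged or tampered token
    claims = json.loads(token["body"])
    return claims["handle"] if claims["exp"] > time.time() else None  # expired -> None


# Constructed stand-in for an XACML policy: affiliation attribute -> permitted VLAN.
POLICY = {"student": "student-vlan", "employee": "employee-vlan"}


def authorize(token, home):
    """Resource access: validate the token, fetch attributes by handle, apply policy."""
    handle = validate_token(token)
    if handle is None:
        return "deny"
    attrs = home.attributes_for(handle)  # attribute request to the home domain
    return POLICY.get(attrs.get("affiliation"), "deny")
```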

Resource Access (figure only)

Conclusion
– DAMe looks toward the integration of the authentication and authorization processes.
– The extension must be compatible with the current status of the eduroam network and eduGAIN.
– It provides an SSO scenario based on bootstrapping credentials at the authentication phase.
– Additionally, a user-friendly interface for managing authorization policies will be developed.

Additional information
Project Web: –
Thanks for your attention.