Introduction & use-cases FedAuth IETF78 Maastricht, July 27, 2010

What is “Federated identity”?
[Diagram: a user principal, wielding a user-agent in the user principal’s administrative domain, authenticates to an Identity Provider (backed by a Directory) and accesses a resource at a Relying Party in the Relying Party’s administrative domain. Trust (business and/or technical) links the two domains.]

Three observations
1. The User-Agent is normally a browser.
2. The Web is not the Internet.
3. We already have some good systems for non-Web identity federation.

Example 1: federated network access
[Diagram, source: SURFnet. Components: a visiting user with a supplicant; an authenticator (AP or switch); the RADIUS server at University A; the SURFnet Central.nl RADIUS proxy server; the RADIUS server at University B with its user DB; Student, Employee and Commercial VLANs. Protocols: 802.1X, EAP, RADIUS. Data and signalling paths are drawn separately.]
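The routing decision at the heart of the diagram above, as an added example (not SURFnet's or any eduroam operator's code): the visited site's RADIUS server does not know a visiting user, so it forwards the Access-Request, EAP payload untouched, towards the national proxy, which selects the next hop from the realm of the outer identity (user@realm); only the home server ever sees the inner credentials. The routing table, realm names and hop limit are constructed for the example, and the Proxy-State count used for loop detection is a simplification of what a real proxy would inspect.

```python
"""Realm-based request routing at a federated RADIUS proxy (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed routing table: realm -> next-hop RADIUS server (host, port).
# A more specific realm (sub-domain) is matched before a shorter suffix.
ROUTES = {
    "univ-a.example": ("radius.univ-a.example", 1812),
    "univ-b.example": ("radius.univ-b.example", 1812),
    "hpc.univ-b.example": ("radius-hpc.univ-b.example", 1812),
}
LOCAL_REALM = "univ-a.example"   # realm this server is authoritative for (constructed)
MAX_PROXY_STATE = 8              # hop limit; constructed value for the example


@dataclass
class Decision:
    action: str                  # "local", "forward" or "reject"
    next_hop: Optional[Tuple[str, int]] = None
    reason: str = ""


def parse_nai(outer_identity: str) -> Tuple[str, str]:
    """Split 'user@realm'. The realm is compared case-insensitively, the user part
    is not. The last '@' wins, so 'a@b@realm' yields realm 'realm'."""
    if "@" not in outer_identity:
        return outer_identity, ""
    user, _, realm = outer_identity.rpartition("@")
    return user, realm.lower()


def longest_suffix_route(realm: str) -> Optional[Tuple[str, Tuple[str, int]]]:
    """Return the most specific configured realm the given realm falls under."""
    labels = realm.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in ROUTES:
            return candidate, ROUTES[candidate]
    return None


def route(outer_identity: str, proxy_state_count: int = 0) -> Decision:
    """Decide what to do with an Access-Request carrying this outer identity.

    proxy_state_count is the number of Proxy-State attributes already present;
    every proxy on the path adds one, so a high count indicates a forwarding loop."""
    if proxy_state_count > MAX_PROXY_STATE:
        return Decision("reject", reason="too many proxy hops, possible routing loop")
    _user, realm = parse_nai(outer_identity)
    if realm == "":
        return Decision("reject", reason="no realm in outer identity, cannot route")
    if realm == LOCAL_REALM or realm.endswith("." + LOCAL_REALM):
        return Decision("local", reason="home realm, authenticate against local user DB")
    match = longest_suffix_route(realm)
    if match is None:
        # Unknown realms are rejected here rather than forwarded further up by
        # default; that is what stops requests bouncing between proxies.
        return Decision("reject", reason=f"unknown realm {realm!r}")
    matched_realm, next_hop = match
    return Decision("forward", next_hop=next_hop,
                    reason=f"visiting user, realm matched {matched_realm!r}")


if __name__ == "__main__":
    for ident in ["anonymous@univ-a.example", "alice@hpc.univ-b.example",
                  "bob@nowhere.example", "carol"]:
        print(ident, "->", route(ident))
```

The suffix walk is what lets one entry per institution cover its departmental sub-realms, while the explicit reject for unknown realms and the hop limit are the two checks that keep a misrouted request from circulating through the federation.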

Example 2: the hybrid approach
Authenticate using Web SSO, and insert a token into the non-web protocol flow.
Example: Jabber with SAML or OpenID:
– Without changing the SAML IdP
– Minimal change at the Jabber client
– Jabber server can run “in-the-cloud”
Current work (proposed as a WG item for KITTEN) looks at leveraging SASL: draft-wierenga-ietf-sasl-saml, draft-lear-ietf-sasl-openid, draft-cantor-ietf-sasl-saml-ec.
This is necessary work, but not sufficient.

Research & Education Federations
Early and aggressive adopters of federated identity technology.
Large and rapidly growing federated systems:
– UK R&E federation ≈ 10 million identities and growing.
– eduGAIN ≈ projected tens of millions of identities.
But some growing pains…

Use-case 1: Out-sourcing
Reduce costs by out-sourcing services to third-party service providers.
Federated identity:
– provides a better user experience through SSO;
– reduces the helpdesk burden for both IdP and SP.
Today this only works for Web applications; not for IMAP, SMTP, POP3, Jabber, calendaring, etc.
Identity provisioning APIs exist, but:
– they require sharing credentials with the SP;
– they are not a complete IdM / directory system, which is often required for application personalisation or authorisation.

Use-case 2: High Performance Computing
Improve business continuity.
Offer HPC-as-a-service to more internal and external customers.
Reduce costs incurred in operating an HPC-specific RA.
Protocols: SSH, SFTP, SCP, NFS, CIFS.

Use-case 3: learning from Web SSO
In creating federated authentication for new applications, avoid the problems discovered with Web SSO today (and fix them for Web SSO too).
– Identity Provider discovery: users are already presented with hundreds of possible identity providers; international inter-federation will likely increase this to thousands quite soon.
– Multiple affiliations: it is sometimes difficult to select the appropriate identity provider for a particular service.

Use-case 4: establishing trust in SAML metadata
SAML IdP and SP entities usually establish trust using SAML metadata that describes each entity.
In R&E federations, member SP and IdP metadata is (usually) collected into an aggregate, signed by the federation operator and published.
The distribution of the aggregate, across the network from federation to entities, is the basis of trust.
Issues:
– Scaling
– Revocation
– Consuming metadata for entities from other federations
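What an entity does with a federation aggregate once it has fetched it, as an added example that is not the slides' or any federation's code. It assumes the XML signature over the aggregate has already been verified against the federation operator's certificate by a separate xmlsec step, and covers the checks that come after that: refusing an aggregate past its validUntil (revocation in these federations works by omission, so an entity removed from the next aggregate stops being trusted once cached copies expire), scheduling the next refresh from cacheDuration, and building an entityID to signing-certificate table that an IdP or SP can consult when it receives a signed message. The aggregate, entityIDs and certificate strings are constructed for the example.

```python
"""Post-signature checks on a SAML metadata aggregate (added example)."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed aggregate: one IdP, one outsourced SP, short validUntil.
AGGREGATE = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2010-08-03T00:00:00Z" cacheDuration="PT6H">
  <md:EntityDescriptor entityID="https://idp.univ-a.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIB...constructed-idp-signing-cert...
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.outsourced.example/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...constructed-sp-cert...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:KeyDescriptor use="encryption">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIB...constructed-sp-enc-cert...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def parse_utc(ts: str) -> datetime:
    """SAML metadata timestamps are UTC, e.g. 2010-08-03T00:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(d: str) -> timedelta:
    """Subset of ISO 8601 durations sufficient for cacheDuration (days/hours/min/sec)."""
    m = _DURATION.match(d)
    if not m:
        raise ValueError(f"unsupported duration {d!r}")
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)


def load_aggregate(xml_text: str, now: datetime) -> dict:
    """Parse an already signature-verified aggregate and build the trust table.
    Raises ValueError if the aggregate must not be used."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntitiesDescriptor":
        raise ValueError("not an EntitiesDescriptor")
    valid_until = root.get("validUntil")
    if valid_until is None:
        raise ValueError("aggregate has no validUntil; refuse to trust it indefinitely")
    expires = parse_utc(valid_until)
    if now >= expires:
        raise ValueError(f"aggregate expired at {valid_until}")
    # Refresh when the cache hint says so, but never later than expiry.
    refresh_at = min(now + parse_duration(root.get("cacheDuration", "PT1H")), expires)

    entities = {}
    for ed in root.findall("md:EntityDescriptor", NS):
        roles, certs = [], []
        for role_tag in ("IDPSSODescriptor", "SPSSODescriptor"):
            for role in ed.findall(f"md:{role_tag}", NS):
                roles.append(role_tag)
                for kd in role.findall("md:KeyDescriptor", NS):
                    if kd.get("use") == "encryption":
                        continue  # no 'use' means signing and encryption; skip encryption-only keys
                    for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                        certs.append("".join(cert.text.split()))
        entities[ed.get("entityID")] = {"roles": roles, "signing_certs": certs}
    return {"name": root.get("Name"), "expires": expires,
            "refresh_at": refresh_at, "entities": entities}


def signing_certs_for(aggregate: dict, entity_id: str) -> list:
    """Verification-time lookup: an entityID absent from the aggregate gets no trust."""
    return aggregate["entities"].get(entity_id, {}).get("signing_certs", [])


if __name__ == "__main__":
    agg = load_aggregate(AGGREGATE, parse_utc("2010-07-27T12:00:00Z"))
    for eid, info in agg["entities"].items():
        print(eid, info["roles"], len(info["signing_certs"]), "signing cert(s)")
    print("refresh at", agg["refresh_at"].isoformat())
```

The two failure modes worth noticing are the ones the slide's "Revocation" and "Scaling" bullets point at: an aggregate without validUntil, or one that is used after it, silently keeps trusting entities the operator has withdrawn, and the refresh schedule is what bounds how long that window can be.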

Discuss!