Presentation is loading. Please wait.

Presentation is loading. Please wait.

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-"— Presentation transcript:

1 TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal- Óscar Cánovas (UM) Antonio G. Skármeta (UM) Diego R. Lopez (RedIRIS) Klaas Wierenga (SURFnet)

2 TF-EMC2 Overview Introduction Motivation of this project Background and previous work: NAS-SAML Main goals

3 TF-EMC2 Introduction DAME is a project that builds upon previous TERENA, GN2, Internet2, and University of Murcia work: EDUROAM, a result of TERENA Mobility Task Force, which defines an inter-NREN roaming architecture,  Reports available on the EDUROAM web site eduGAIN, the AAI interoperation infrastructure designed by GN2 JRA5  Documentation available at the GÉANT2 web site Shibboleth, a widely deployed federation mechanism developed by Internet2 and the NSF Middleware Initiative.  Documentation available on the Shibboleth web site. NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML and the XACML standards,  Documentation available on the http://pki.dif.um.es web sitehttp://pki.dif.um.es

4 TF-EMC2 Overview Introduction Motivation of this project Background and previous work: NAS-SAML Main goals

5 TF-EMC2 Motivation We have experienced the emergence of federated approaches to resource sharing. Access to shared resources with a single identity Examples of these approaches: the establishment of academic federations worldwide and the concepts around Grid Computing. Some aspects generally related with integral identity management are still open, especially those related to user authorization. Only allowed users are able to perform the set of allowed actions over each resource. One of the main resources to share is the network, for mobility purposes. The TERENA Mobility Task Force defined and tested an inter-NREN roaming architecture, called EDUROAM, proposed after identifying the most suitable techniques currently deployed in the NRENs.

6 TF-EMC2 Motivation EDUROAM allows users of participating institutions to access the Internet at other participants using their home institution's credentials. It would be desirable to extend the EDUROAM architecture with authentication and authorization mechanisms. NAS-SAML is an access control proposal for AAA environments which can be used to extend EDUROAM to exchange existing credentials. Credentials can be expressed in several forms, ranging from eduGAIN/Shibboleth statements to X.509 Attribute certificates Additionally, this authorization mechanism might be used at service- level, for example for Grid Computing purposes. EDUROAM constitutes an exceptional starting point to offer a full and integrated network access experience to the users.

7 TF-EMC2 Overview Introduction Motivation of this project Background and previous work: NAS-SAML Main goals

8 TF-EMC2 NAS-SAML Main objectives: To define a network access control approach based on:  X.509 PKC authentication  User attributes (roles)  Authorization policies. Rules stating the permissions give to each system role. Use of XML to express:  access control policies (XACML)  authorization statements (SAML)  authorization protocols (SAML) The scenario should be integrated in the AAA architecture.

9 TF-EMC2 NAS-SAML Architectural elements

10 TF-EMC2 NAS-SAML End User: Entity requesting access to the network Authentication based on (X.509 PKC or login/passwd pairs) AAA Server: Requires two ASM modules:  Source Authority (SA)  Policy Decision Point (PDP) Source Authority (SA): Manages the Role Assignment Policy (roles to users) Role Assignment Policy: “in the source domain Source, the set of roles R1, R2.. Rn can be assigned to the users contained in the o=org,c=ES X.500 sub-tree for the period V” Based on XACML

11 TF-EMC2 NAS-SAML Policy Decision Point (PDP): Generates the statements related to authorization decisions Manages the Resource Access Policy Policy Administration Point (PAP): Defines, signs and publishes the Resource Access Policy Resource Access Policy: “the users pertaining to the source domain Source, and playing the role R1, will get access to the network N1 with a QoS1” Based on XACML Network Access Point (NAP): forwards the client requests to the appropriate AAA server of the target domain obtains and enforces the properties of the network connection

12 TF-EMC2 NAS-SAML Example: Inter-domain pull model

13 TF-EMC2 NAS-SAML Current status: Architectural elements, protocols, integration with DIAMETER  G. López, O. Cánovas, A. F. Gómez-Skarmeta, R. Marín. “A Network Access Control Approach based on the AAA Architecture and Authorization Attributes”. Journal of Network and Computer Applications  Implemented and tested. Security policies (access control, role assignment, conversion):  G. López, O. Cánovas, A. F. Gómez-Skarmeta. “Use of XACML Policies for a Network Access Control Service”. 4th International Workshop of Applied PKI, IWAP’2005.  Implemented and tested. Integration with PERMIS (in collaboration with D. W. Chadwick):  G. López, O. Cánovas, A. F. Gómez-Skarmeta, O. Otenko, D.W. Chadwick. “A Heterogeneous Network Access Service based on PERMIS and SAML”. 2nd European PKI Workshop, EuroPKI’2005.  Implemented and tested.

14 TF-EMC2 Overview Introduction Motivation of this project Background and previous work: NAS-SAML Main goals and summary of activities

15 TF-EMC2 Main goals First Goal: Extension of EDUROAM using NAS-SAML User mobility controlled by assertions and policies expressed in SAML and XACML. Enhanced interoperability among organizations (common language)

16 TF-EMC2 Main goals First Goal: Extension of EDUROAM using NAS-SAML RELATED ACTIVITIES: Activity 1. Integration of the NAS-SAML architecture in the EDUROAM network.  Task 1. Analysis of the current status of the EDUROAM network.  Task 2. Analysis of the required user attributes and policies for roaming.  Task 3. Development of the Source Authority and Policy Decision Points.  Task 4. Development a custom SAML module for RADIUS and DIAMETER servers.  Task 5. Create a translator to convert RADIUS messages into DIAMETER and vice versa.  Task 6. Validate the resulting architecture for mobility purposes. Activity 2. Development of a user-friendly management interface for authorization policies.  Task 1. Analysis of the different existing proposals for privilege administration.  Task 2. Development of a high level interface able to be integrated with common office applications.  Task 3. Creation of interpreters and translators able to convert policies into XACML.  Task 4. Validate the resulting interface.

17 TF-EMC2 Main goals Second Goal: Use of eduGAIN/Shibboleth as AuthN and AuthZ backend NAS-SAML has been already integrated with other proposals (X.509 AC) Link between the AAA servers (now acting as Service Providers) and the Identity Providers of the federation.

18 TF-EMC2 Main goals Second Goal: Preliminary design.

19 TF-EMC2 Main goals Second Goal: Use of eduGAIN/Shibboleth as AuthN and AuthZ backend RELATED ACTIVITIES: Activity 3. Use of eduGAIN/Shibboleth as authentication back-end for NAS-SAML  Task 1. Analysis of the proposed profiles for SSO. Identification of the possible modifications that would require some of those profiles.  Task 2. Development of a Shibboleth Service Provider module responsible for the creation and exchange of Shibboleth data exchange  Task 3. Development of an eduGAIN BE to provide direct access to the con- federation infrastructure  Task 4. Definition of the authentication methods to be used by the end users in order to demonstrate their digital identity.  Task 5. Extension of the existing XACML context manager in order to interpret the eduGAIN/Shibboleth SAML credentials.  Task 6. Validate the resulting architecture.

20 TF-EMC2 Main goals Third Goal: Global Single Sign On (SSO) Users will be authenticated once, during the network access control phase The eduGAIN/Shibboleth authentication would be bootstrapped from the NAS-SAML New PEAP method for delivering authentication credentials and new security middleware

21 TF-EMC2 Main goals Third Goal: Global Single Sign On (SSO) RELATED ACTIVITIES: Activity 4. Development of a global SSO  Task 1. Analysis of the requirements of a new PEAP authentication method able to exchange the necessary eduGAIN/Shibboleth signed tokens.  Task 2. Development of the client and server software modules implementing the specified PEAP method..  Task 3. Design and develop the middleware able to manage the signed Shibboleth tokens that will be then provided to the resource providers  Task 4. Modify the existing service providers in order to include a custom SSO profile based on a push method, that is, a method where the end users are able to provide the required authentication credentials.  Task 5. Validate the resulting system.

22 TF-EMC2 Main goals Fourth Goal: Authorization mechanisms for application-level services Mainly focused on Grid Computing Grid Services have specific components for authorization purposes We plan to link that components with the existing authorization infrastructure, using standard extension points:  OGSA-Authz  MyProxy  GridShib RELATED ACTIVITIES: Activity 5. Deployment of an authorization mechanism for an application-level service: Grid Computing.  Task 1. Analysis of the different Grid platforms that are being currently used in the different European initiatives.  Task 2. Analysis of the GridShib tool as starting point to provide authorization services to Grids.  Task 3. Definition of the set of attributes used to describe grid-relevant properties.  Task 4. Modify the existing network of AAA servers in order to add the Grid-related policies and attributes.  Task 5. Validate the resulting authorization services.

23 TF-EMC2 Budget In order to accomplish this proposal, the time and cost estimation is as follow: Activity 1-3: Man Month (MM) Effort: 14 MM Activity 4-6: 18 MM Technical coordination 6 MM Total Effort: 40 MM Based on this schema, we estimate: A 16 month project for 2 persons full time A cost of 80.000 euros

Download ppt "TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-"

Similar presentations

EGI-InSPIRE RI-261323 EGI-InSPIRE EGI-InSPIRE RI-261323 AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager
TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.

TNC 2008 / Short Lived Credential Service Implementation Based on National AAI Short Lived Credential Service Implementation Based on National AAI Emir.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
Authz work in GGF David Chadwick

Authz work in GGF David Chadwick
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (http://www.ag-nbi.de)http://www.ag-nbi.de.

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (
Understanding Active Directory

Understanding Active Directory
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.
1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.

1 July 2005© 2005 University of Kent1 Seamless Integration of PERMIS and Shibboleth – Development of a Flexible PERMIS Authorisation Module for Shibboleth.
Web services security I

Web services security I
A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.

A Use Case for SAML Extensibility Ashish Patel, France Telecom Paul Madsen, NTT.
Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:

Online AAI José A. Montenegro GISUM Group Security Information Section University of Malaga Malaga (Spain) Web:
Clinic Security and Policy Enforcement in Windows Server 2008.

Clinic Security and Policy Enforcement in Windows Server 2008.
● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.

● Problem statement ● Proposed solution ● Proposed product ● Product Features ● Web Service ● Delegation ● Revocation ● Report Generation ● XACML 3.0.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz
EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

EuroPKI 2008 Manuel Sánchez Óscar Cánovas Gabriel López Antonio F. Gómez Skarmeta University of Murcia Levels of Assurance and Reauthentication in Federated.

Similar presentations

Ads by Google