eduroam Delegate Authentication System with Shibboleth SSO

Presentation on theme: "eduroam Delegate Authentication System with Shibboleth SSO"— Presentation transcript:

1 eduroam Delegate Authentication System with Shibboleth SSO
29th APAN Meeting, Feb. 8-11, 2010, Sydney, Australia
Hideaki Goto, Hideaki Sone (Tohoku Univ. / NII)
Ichiro Yamaguchi, Takaaki Suzuki (Tohoku Univ.)

2 A great challenge …
How many higher education institutions are there in Japan?
1,200+ (govt. survey in year 2008):
  765 universities (86 national, 90 public)
  481 two-year colleges and vocational colleges
eduroam deployment: 11 / 1200 = 0.9%

3 Problems and our solutions
Problems:
  A large number of institutions (1,200+)
  Difficulties in RADIUS deployment
  Laborious eduroam connection / management work
Our solutions:
  Federated Delegate Authentication System with a centralized RADIUS server
    removes the RADIUS IdP at each institution
    federation using Shibboleth SSO
    simplifies the RADIUS tree (higher stability)
    solves some privacy and security issues
  Web-based eduroam IdP / SP management system
    reduces the work at both the eduroam JP office and each institution

4 Easy-to-join eduroam system
[Diagram: 1. Delegate Authentication System (DEAS); 2. eduroam IdP/SP management web. Labels: access points, institution's RADIUS server, <secret key 1>, national top-level RADIUS proxy, auth requests, <secret key 2>, RADIUS IdP]

5 Federated Delegate Authentication System
Account issuer as a Shibboleth SP of Japan's UPKI inter-university federation
Centralized RADIUS server to simplify the RADIUS proxy tree
3 types depending on the needs and federation level
Pseudo-anonymized, fixed-term, and traceable roaming IDs

6 Delegate Authentication System - Type I
[Diagram labels: Japan's centralized account issuer, Web UI, RADIUS server; institutions, IdM]
Pseudonymous accounts. The account is temporary and expires within 6 months.
Manual account issue requests by administrators.
The system can be used even without IdM.
Issuing Guest IDs is possible.

7 Delegate Authentication System – Type II
[Diagram labels: Japan's centralized account issuer, Web UI, RADIUS server; institutions, IdM]
Pseudonymous account. The account is temporary and expires within 6 months.
ID federation using Shibboleth/SAML for administrators only.
Administrators can request user accounts in bulk.
Issuing Guest IDs is possible.

8 Delegate Authentication System – Type III
[Diagram labels: Japan's centralized account issuer, RADIUS server; institutions, IdM]
Pseudonymous account. The account is temporary and expires within a month.
ID federation using Shibboleth/SAML.
End users can request personal accounts only.
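The account-issuer behaviour described in slides 5 to 8, as an added example that is not the DEAS project's code: a centralized issuer hands out random, fixed-term roaming IDs, is the only party able to trace one back to its home institution and user, and enforces who may request each account type. The realm name, the exact day counts for "6 months" and "a month", and the "admin" requester label are assumptions.

```python
from datetime import datetime, timedelta
import secrets

# Lifetimes follow the slides (Types I/II: within 6 months, Type III: within
# a month); the exact day counts and the realm are assumed for this example.
LIFETIME_DAYS = {"I": 180, "II": 180, "III": 30}
REALM = "deas.example.jp"  # assumed realm of the centralized account issuer

def parse_day(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")

class AccountIssuer:
    """Centralized issuer of pseudonymous, fixed-term, traceable roaming IDs.

    Only this component holds the mapping from a roaming ID back to the home
    institution and local user; RADIUS proxies along the AAA path see only
    the random outer identity and the realm."""

    def __init__(self):
        self._records = {}  # roaming_id -> (institution, local_user, expires)

    def issue(self, acct_type, institution, local_user, requester, now):
        if acct_type not in LIFETIME_DAYS:
            raise ValueError(f"unknown account type {acct_type}")
        # Type III: end users request personal accounts only.
        if acct_type == "III" and requester != local_user:
            raise PermissionError("Type III: personal accounts only")
        # Types I/II: requests come from an institutional administrator.
        if acct_type in ("I", "II") and requester != "admin":
            raise PermissionError("Types I/II: administrator request required")
        # Random token, not derived from the identity, so the roaming ID
        # cannot be linked to the user without the issuer's records.
        roaming_id = f"{secrets.token_hex(8)}@{REALM}"
        expires = now + timedelta(days=LIFETIME_DAYS[acct_type])
        self._records[roaming_id] = (institution, local_user, expires)
        return roaming_id, expires

    def authenticate(self, roaming_id, now):
        """Check performed by the central RADIUS server for an Access-Request."""
        rec = self._records.get(roaming_id)
        return rec is not None and now < rec[2]

    def trace(self, roaming_id):
        """Issuer-side lookup for abuse handling: (institution, local_user)."""
        rec = self._records.get(roaming_id)
        return None if rec is None else rec[:2]
```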

9 Web-based eduroam IdP / SP management system
(development under way)
Features:
  Application for eduroam IdP / SP connection via the eduroam JP website
  Online sign-up for institutional administrator(s) (requires approval by the national admin.)
  Online registration of institution data
  Management console for institutions
    RADIUS server address and secret setting
    Enable or disable Self-IdP / DEAS / SP (AP)
    Remote authentication self-testing (planned)

10 NEWS
Negotiation is under way with a commercial Wi-Fi Service Provider.
We will have hundreds of eduroam APs in central Tokyo!
Outsourcing the campus Wi-Fi system would be a key to the success of large-scale deployment.

11 Summary
Large-scale eduroam deployment in Japan -- a great challenge --
Delegate Authentication System eases eduroam deployment
  Federated ID issuer as a Shibboleth SP
  simplifies the eduroam network = stabilizes eduroam authentication
Web-based eduroam IdP / SP management makes eduroam easy to join
  simplifies connection and administration work at the national administrative body and at each institution

12 Supplementary slides

13 Problem details in large-scale deployment
Difficult and laborious configuration of RADIUS / APs at each organization.
Difficulties in newly constructing an "eduroam account database" or making a RADIUS-IdM bridge for each organization.
  Many universities do not have federated IdM yet.
Laborious work for institution connection:
  a lot of paperwork
  RADIUS configuration support
  connection testing
  troubleshooting … etc.
Impossible to deal with hundreds of institutions!

14 eduroam JP in the UPKI project
An activity in NII's UPKI project
Promotion and operation of eduroam JP
  11 institutions connected (Feb. 2010)
  Tutorial & technical documents
R&D to solve problems
  Easy configurations
  Guest use of local IP addresses
  Location privacy, etc.
Talks with commercial W-ISPs for roaming
  Shared access points possible? Negotiations are under way.

15 Threats of ID/PW leakage
[Diagram labels: ID database, AP, worldwide RADIUS tree, RADIUS Access Request, RADIUS Access Accept / Reject; "logged" marked at several proxy hops, "potential leakage"]
User ID is logged at proxy servers along the AAA path: a location privacy problem.
PW could be logged due to inappropriate configuration by the user: a critical security breach if an important PW is used.

