Presentation is loading. Please wait.

Presentation is loading. Please wait.

Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management.

Published byJoseph McFadden Modified over 10 years ago

Similar presentations

Presentation on theme: "Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management."— Presentation transcript:

1 Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown tjc@ecs.soton.ac.uk University of Southampton (UK) JISC Access Management Showcase Event London, 18th July 2006

2 JRS and Shibboleth We have two access control worlds JRS for network access, as described in the previous talk Shibboleth for (currently) web-based applications JRS is being widely adopted With support at a European/world scale via eduroam What more value can we get from it? UK Shibboleth early adopters making progress Can Shibboleth be used for WLAN access control? Could the JRS be used as a back-end for Shibboleth?

3 JRS components

4 JRS features Easy to deploy Most sites use RADIUS already Uses generally long-established open standards Easy to join Establish one RADIUS peering with national proxy No local access control micro-management required All-In All sites implicitly trust all other sites No attributes Purely an authentication scheme Though RADIUS can carry attributes

5 Question 1 Can we use Shibboleth for network layer access control for roaming users? User powers up in WLAN hotspot Local network gateway blocks all external access until user authenticates using Shibboleth To authenticate using Shibboleth user needs web access to the WAYF service and their home authentication service Implies local network gateway must be pre-configured with at least one allowed web destination per Shibboleth- enabled site that visitors may come from That doesnt scale!

6 Shib for WLAN roaming?

7 Question 2 Can we use the JRS as a Shibboleth back end? May be able to leverage JRS to boost Shibboleth adoption - many JRS sites have no Shibboleth deployment Idea: introduce a Virtual identity provider (VIdP) Functionally equivalent to a normal IdP The VIdP uses the JRS as an authentication back-end Any JRS-enabled site can use the VIdP in place of hosting its own IdP function The VIdP can proxy on behalf of any number of sites RADIUS-Aware Gateway to Shibboleth (RAGS)

8 The RAGS model

9 Building the VIdP… Designed to have no changes to WAYF or SP code The IdP is modified to become the VIdP Tools already exist, e.g.: Apache mod_auth_radius JRadius Java connector, with support for (T)TLS for secure connection from VIdP to home site The JRS site needs to opt-in Its entry in the WAYF service points to the VIdP Can customise login appearance based on passed URL Some policy issues/decisions e.g. its *possible* to add eduroam sites to UK WAYF

10 Closing observations Shibboleth and JRS both being adopted Initial adopter sites dont overlap that much Shibboleth is unsuitable for WLAN admission JRS *could* be offered as a Shibboleth back end The VIdP is currently being developed What about attributes? What classes of attributes will be required? Can use JRadius to query RADIUS-based attributes More policy questions Would using the JRS be acceptable to the UK federation? Who would manage the VIdP?

Download ppt "Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown University of Southampton (UK) JISC Access Management."

Similar presentations

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.

Shibboleth and UKAMF-FEAR not as scary as it sounds! Rhys Smith Cardiff University.
eduroam Delegate Authentication System with Shibboleth SSO

eduroam Delegate Authentication System with Shibboleth SSO
Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.

Shibboleth at Cardiff University Lindsay Roberts Project Manager – Shibboleth Implementation Phase 2.
PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.

PERSEUS : Portal-enabled Resources via Shibbolized End-user Security 16 May 2005JISC Core Middleware Programme Meeting, Loughborough 1 PERSEUS Project.
Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.

Eduserv Athens Federations David Orrell Eduserv Athens Technical Architect.
FAME-PERMIS Project University of Manchester University of Kent London, July 2006.

FAME-PERMIS Project University of Manchester University of Kent London, July 2006.
Moodle@Kidderminster College An insight Into the College VLE Graham Mason gmason@kidderminster.ac.uk.

College An insight Into the College VLE Graham Mason
Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.

Shibboleth 2.0 and Beyond Chad La Joie Georgetown University Internet2.
ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.

ASPiS - Architecture for a Shibboleth-Protected iRODS System Mark Hedges, Tobias Blanke Centre for e-Research, Kings College London Adil Hasan, Jens Jensen.
Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.

Enabling UCTrust Access for Your Application Introduction to The UC CSC Conference UC Santa Barbara, July 21-22, 2008.
Introduction to Shibboleth and the IAMSECT Project.

Introduction to Shibboleth and the IAMSECT Project.
KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.

KC-ROLO Project Kidderminster College Repository Of Learning Objects Graham Mason & Ed Beddows.
Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC 2014 20 May 2014 Dublin.

Federated Identity Management for Researchers – A quick overview from GÉANT BoF TNC May 2014 Dublin.
Www.sown.org.uk Southampton Open Wireless Network The Topology Talk.

Southampton Open Wireless Network The Topology Talk.
Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.

Shibboleth at Newcastle Caleb Racey Webteam ISS Shibboleth experiences Program  Background  What shib has enabled  Benefits of shib  How to do shib.
Www.ja.net/roaming Copyright JNT Association 2006 The JANET Roaming Service.

Copyright JNT Association 2006 The JANET Roaming Service.
Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF 80 31 March, Prague.

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.
JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.

JISC Metaleth Project Athens, Shibboleth and the University of Bristol 29 th January 2007.
5/25/2015 AEB/Yleisesittely Roaming network access using Shibboleth in University of Helsinki Fall 2004 Internet2 Member Meeting 29th of September, 2004.

5/25/2015 AEB/Yleisesittely Roaming network access using Shibboleth in University of Helsinki Fall 2004 Internet2 Member Meeting 29th of September, 2004.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.

Similar presentations

Ads by Google