Presentation is loading. Please wait.

Presentation is loading. Please wait.

Connect. Communicate. Collaborate Federated peering the NREN way: eduGAIN and eduroam Diego R. Lopez (RedIRIS) Klaas Wierenga (SURFnet)

Published byClinton May Modified over 8 years ago

Similar presentations

Presentation on theme: "Connect. Communicate. Collaborate Federated peering the NREN way: eduGAIN and eduroam Diego R. Lopez (RedIRIS) Klaas Wierenga (SURFnet)"— Presentation transcript:

1 Connect. Communicate. Collaborate Federated peering the NREN way: eduGAIN and eduroam Diego R. Lopez (RedIRIS) Klaas Wierenga (SURFnet)

2 Connect. Communicate. Collaborate Contents The drivers for (con-)federations (Diego) The eduroam case (Klaas) The eduGAIN case (Diego) Universal single signon aka DAMe (Klaas)

3 Connect. Communicate. Collaborate The drivers for con-federations Giving federations a taste of their own medicine

4 Connect. Communicate. Collaborate As Federations Grow The risk of dying of success –Do we really need to go on selling the federated idea? Different communities, different needs –Not even talking about international collaboration –Different (but mostly alike) solutions –Grids and libraries as current examples –And many to come: Governments, professional associations, commercial operators,… Don’t hold your breath waiting for the Real And Only Global Federation

5 Connect. Communicate. Collaborate Confederations Federate Federations Same federating principles applied to federations themselves –Own policies and technologies are locally applied Independent management –Identity and authentication-authorization must be properly handled by the participating federations Commonly agreed policy –Linking individual federation policies –Coarser than them Trust fabric entangling participants –Through each federation’s fabric –P2P trust must be dynamically built

6 Connect. Communicate. Collaborate First Steps Simplifying user collaboration across whatever border is an excellent selling argument –Making the whole promise of the VO idea –eduroam fast worldwide success is a clear example Following a middle-both-ways approach –Top-down: projects like GEANT2 –Bottom-up: initiatives like ShibEnableºº

7 Connect. Communicate. Collaborate Technologies Lingua franca –Syntax: SAML (converging to 2.0) Shibboleth and eduGAIN profiles –Semantics: eduPerson, SCHAC Trust fabric –Public key technologies (if not infrastructures) –Component identifiers and registries –Metadata repositories

8 Connect. Communicate. Collaborate Policy and Legal Matters The PMA model has proven extremely useful –Consensual set of guidelines –Peer-reviewed accreditation Legal matters: Hic sunt leones –For techies like us –Privacy –Liability –More or less manageable in the case of (national) federations

9 Connect. Communicate. Collaborate The eduroam case Confederation avant-la-lettre

10 Connect. Communicate. Collaborate The goal of eduroam “open your laptop and be online” To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources

11 Connect. Communicate. Collaborate eduroam concepts Based on reciprocal (free) access NREN community Authentication at home Authorisation at visited institution

12 Connect. Communicate. Collaborate eduroam: Ubiquitous Network Access Connect. Communicate. Collaborate RADIUS server University B RADIUS server University A SURFnet Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant Gast piet@university_b.nl Student VLAN Commercial VLAN Employee VLAN data signalling Trust based on RADIUS plus policy documents 802.1X (VLAN assignment)

13 Connect. Communicate. Collaborate A General model for eduroam interactions Connect. Communicate. Collaborate RADIUS@visited RADIUS@home Id Repository Resource (AP) RADIUS + TLS Channel(s) Tue Oct 10 00:05:15 2006: DEBUG: Packet dump: *** Received from 145.99.133.194 port 1025.... Code: Access-Request Identifier: 1 Authentic: k D Attributes: User-Name = "Klaas.Wierenga@guest.showcase.surfnet.nl" NAS-IP-Address = 145.99.133.194 Called-Station-Id = "001217d45bc7" Calling-Station-Id = "0012f0906ccb" NAS-Identifier = "001217d45bc7" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-IEEE-802-11 EAP-Message = - Klaas.Wierenga@guest.showcase.surfnet.nl Message-Authenticator = `- y. I<218 > \ Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS= 1, Realm=/guest.showcase.surfnet.nl/i' Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for Klaas.Wierenga@guest.show case.surfnet.nl, 145.99.133.194, Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-gu est-users Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wie renga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl] Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl] Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT, Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for Klaas.Wierenga@guest.showca se.surfnet.nl Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump: Code: Access-Accept

14 Connect. Communicate. Collaborate eduroam Hierarchy Connect. Communicate. Collaborate (virtual) eduroam root APAN rootEuropean root(America’s root)...nl.ac.uk.dk....au.cn....edu.us....hr.es...

15 Connect. Communicate. Collaborate eduroam Confederations Regions have their own stage of development and pace Regions have their own regional policies (with delegation to national federations) Policies will be aligned as much as possible

16 Connect. Communicate. Collaborate The European eduroam Policy Mutual access Home institutions are/remain responsible for their users abroad Members are European NRENs Members guarantee required security levels by their participants Members promote eduroam in their countries European eduroam may peer with other regions

17 Connect. Communicate. Collaborate National Policies Mutual access Members are connected institutions Home institution is/remains responsible for its users behaviour. Home institution is responsible for proper user management Home and visited institution must keep sufficient logdata Appropriate security levels

18 Connect. Communicate. Collaborate Limitations Authentication = authorisation Hierarchical trust establishment AND hierarchical routing of access requests Transitive trust No dynamic trust establishment Use of UDP Use of shared secrets

19 Connect. Communicate. Collaborate eduroam-ng After evaluating Diameter, RadSec and DNSROAM: Introduction of RadSec (if possible) –TCP instead of UDP –TLS between RADIUS-servers instead of shared secrets Possibly at later stage introduction of DNSROAM –Support for direct peer interaction –How about firewalls / access lists? Eventually Diameter?

20 Connect. Communicate. Collaborate The eduGAIN case Exercising the confederation concepts

21 Connect. Communicate. Collaborate The AAI Goal in GÉANT2 To build an interoperable authentication and authorisation infrastructure that will be used all over Europe enabling seamless sharing of e- science resources We started from –Scattered AAI (pilot) implementations in the EU and abroad –The basic idea of federating them, preserving hard- won achievements

22 Connect. Communicate. Collaborate Applying Confederation Concepts An eduGAIN confederation is a loosely-coupled set of cooperating identity federations –That handle identity management, authentication and authorization using their own policies Trust between any two participants in different federations is dynamically established –Members of a participant federation do not know in advance about members in the other federations Syntax and semantics are adapted to a common language –Through an abstract service definition

23 Connect. Communicate. Collaborate The eduGAIN Components Bridging Elements (BE) –Interconnection points –Federation-wide (LFA) or distributed (LA) Federation Peering Point (FPP) –Able to announce BE metadata The Metadata Service (MDS) –Publishing interface (to FPPs) –Querying interface (to BEs)

24 Connect. Communicate. Collaborate The eduGAIN Model Connect. Communicate. Collaborate Id Repository(ies) Resource(s) MDS R-FPP Metadata Publish R-BE Metadata Query AA Interaction H-FPP Metadata Publish H-BE AA Interaction AA Interaction

25 Connect. Communicate. Collaborate Component Identifiers eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers Based on URNs delegated by the eduGAIN registry to the participating federation Identifiers establish the kind of component they apply to by means of normalized prefixes Identifiers follow the hierarchy of the trust establishing process

26 Connect. Communicate. Collaborate The (X.509) Trust Fabric Validation procedures include – Normal certificate validation Trust path evaluation, signatures, revocation,… –Peer identification Certificates hold the component identifier It must match the appropriate metadata Applicable to –TLS connections between components Two-way validation is mandatory –Verification of signed XML assertions

27 Connect. Communicate. Collaborate A general model for eduGAIN interactions Connect. Communicate. Collaborate RequesterResponder Id Repository Resource TLS Channel(s) MDS TLS Channel https://mds.geant.net/ ?cid=someURN <EntityDescriptor... entityID= ”urn:geant2:..:responder">... <SingleSignOnService... Location= “https://responder.dom/” />... <samlp:Request... RequestID=”e70c3e9e6…” IssueInstant=“2006-06…”>... <samlp:Response... ResponseID=”092e50a08…” InResponseTo=“e70c3e9e…”>...  urn:geant2:...:responder urn:geant2:...:requester 

28 Connect. Communicate. Collaborate Operation Mapping Maps the abstract service definition into actual protocols Current version is based on SAML 1.1 –Profiling the standard to fit abstract parameters A SAML 2.0 implementation will be available along the lifetime of the project –The abstract service specification protects components and applications from these changes Authentication assertions and attribute exchange mechanisms are designed to be Shibboleth 1.3 compatible –And Shibboleth 2 in the future

29 Connect. Communicate. Collaborate Metadata Service Based on REST interfaces transporting SAML 2.0 metadata Metadata are published through POST operations Metadata are retrieved through GET operations URLs are built as MDSBaseURL/FederationID/entityID?queryString –Using component names –The query string transports data intended to locate the appropriate home BE (Home Locators) Hints provided by the user Contents of certificate extensions ( SubjectInformationAccess )

30 Connect. Communicate. Collaborate eduGAIN Profiles Three profiles defined so far –Web SSO (Shibboleth compatible) –Automated client (no human interaction) –Non-web client (use of SASL-CA) Others envisaged –Extended Web SSO (allowing the send of POST data) –eduGAIN usage from roaming clients (DAMe) Based on SAML 1.1 –Mapping to SAML 2.0 profiles along the transition period

31 Connect. Communicate. Collaborate A Sample Profile Connect. Communicate. Collaborate

32 DAMe aka “The holy grail”

33 Connect. Communicate. Collaborate Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe) DAME is a project that builds upon: –eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, –Shibboleth and eduGAIN –NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.

34 Connect. Communicate. Collaborate First Goal: extNA First Goal: Extension of eduroam Using NAS-SAML Connect. Communicate. Collaborate Gast piet@university_b.nl RADIUS server University B RADIUS server University A SURFnet Central RADIUS Proxy server Authenticator (AP or switch) User DB Supplicant data User mobility controlled by assertions and policies expressed in SAML and XACML XACML Policy Decision Point SAML Source Attribute Authority Signaling

35 Connect. Communicate. Collaborate First Goal: extNA Second Goal: eduGAIN as AuthN and AuthR Backend Connect. Communicate. Collaborate Link between the AAA servers (now acting as Service Providers) and eduGAIN

36 Connect. Communicate. Collaborate First Goal: extNA Third Goal: Universal Single Sign On Connect. Communicate. Collaborate Users will be authenticated once, during the network access control phase The eduGAIN authentication would be bootstrapped from the NAS-SAML New method for delivering authentication credentials and new security middleware

37 Connect. Communicate. Collaborate Summary and conclusions

38 Connect. Communicate. Collaborate Summary Educational federations are happening –And suffering their first growing pains Convergence to (small number of) standards –In the SAML orbit International confederations are emerging –eduroam –Géant2 AAI (eduGAIN) –The twain will ever meet –Using the same principles and standards

Download ppt "Connect. Communicate. Collaborate Federated peering the NREN way: eduGAIN and eduroam Diego R. Lopez (RedIRIS) Klaas Wierenga (SURFnet)"

Similar presentations

Lousy Introduction into SWITCHaai

Lousy Introduction into SWITCHaai
Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,

Connect. Communicate. Collaborate eduroam: a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 NORDUnet 2008, Espoo,
Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,

Connect. Communicate. Collaborate eduroam: towards a managed European service Miroslav Milinović, Srce, Zagreb, Croatia eduroam SA, GÉANT2 Wi-Fi Workshop,
Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun. 2005 Ionut Constandache Daniel Olmedilla.

Policy Based Dynamic Negotiation for Grid Services Authorization Infolunch, L3S Research Center Hannover, 29 th Jun Ionut Constandache Daniel Olmedilla.
Terena Mobility Taskforce update Klaas Wierenga SURFnet.

Terena Mobility Taskforce update Klaas Wierenga SURFnet.
Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June 22 2005 Licia Florio.

Licia Florio EUNIS05, Manchester 1 Eduroam EUNIS Conference, June Licia Florio.
Why eduroam sucks, and how to fix it.

Why eduroam sucks, and how to fix it.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
TAC - Poznan, 6 June 2005 Building trust with a European style Diego R. Lopez RedIRIS.

TAC - Poznan, 6 June 2005 Building trust with a European style Diego R. Lopez RedIRIS.
Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference 2006 9 th November, 2006.

Eduroam – Roam In a Day Louis Twomey, HEAnet Limited HEAnet Conference th November, 2006.
2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.

2006 © SWITCH Authentication and Authorization Infrastructures in e-Science (and the role of NRENs) Christoph Witzig SWITCH e-IRG, Helsinki, Oct 4, 2006.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.

High-quality Internet for higher education and research Federated network access with Klaas Wierenga SURFnet Ljubljana, April.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.

Connect. Communicate. Collaborate The eduGAIN Way Diego R. Lopez - RedIRIS.
High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005

High-quality Internet for higher education and research eduroam EuroCAMP, Porto, November 9, 2005
Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,

Federated Identity Management for the context of storage Bart Kerver - TERENA Storage-meeting, Amsterdam,
EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004

EduRoam: movilidad por Europa... y España Toledo, 29 de octubre de 2004
A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

A Heterogeneous Network Access Service based on PERMIS and SAML Gabriel López Millán University of Murcia EuroPKI Workshop 2005.

Similar presentations

Ads by Google