Upload
clinton-may
View
215
Download
0
Embed Size (px)
Citation preview
Connect. Communicate. Collaborate
Federated peering the NREN way:eduGAIN and eduroam
Diego R. Lopez (RedIRIS)
Klaas Wierenga (SURFnet)
Connect. Communicate. CollaborateContents
• The drivers for
(con-)federations (Diego)• The eduroam case (Klaas)• The eduGAIN case (Diego)• Universal single signon aka
DAMe (Klaas)
Connect. Communicate. Collaborate
The drivers for con-federations
Giving federations a taste of their own medicine
Connect. Communicate. CollaborateAs Federations Grow
• The risk of dying of success– Do we really need to go on selling the federated idea?
• Different communities, different needs– Not even talking about international collaboration– Different (but mostly alike) solutions– Grids and libraries as current examples– And many to come: Governments, professional
associations, commercial operators,…• Don’t hold your breath waiting for the Real And Only Global
Federation
Connect. Communicate. Collaborate
ConfederationsFederate Federations
• Same federating principles applied to federations themselves– Own policies and technologies are locally applied
• Independent management– Identity and authentication-authorization must be properly
handled by the participating federations• Commonly agreed policy
– Linking individual federation policies– Coarser than them
• Trust fabric entangling participants– Through each federation’s fabric– P2P trust must be dynamically built
Connect. Communicate. CollaborateFirst Steps
• Simplifying user collaboration across whatever border is an
excellent selling argument
– Making the whole promise of the VO idea
– eduroam fast worldwide success is a clear example
• Following a middle-both-ways approach
– Top-down: projects like GEANT2
– Bottom-up: initiatives like ShibEnableºº
Connect. Communicate. CollaborateTechnologies
• Lingua franca– Syntax: SAML (converging to 2.0) Shibboleth and
eduGAIN profiles– Semantics: eduPerson, SCHAC
• Trust fabric– Public key technologies (if not infrastructures)– Component identifiers and registries– Metadata repositories
Connect. Communicate. CollaboratePolicy and Legal Matters
• The PMA model has proven extremely useful– Consensual set of guidelines– Peer-reviewed accreditation
• Legal matters: Hic sunt leones– For techies like us– Privacy– Liability– More or less manageable in the case of (national)
federations
Connect. Communicate. Collaborate
The eduroam case
Confederation avant-la-lettre
Connect. Communicate. CollaborateThe goal of eduroam
• “open your laptop and be online”
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources
Connect. Communicate. Collaborateeduroam concepts
• Based on reciprocal (free) access• NREN community• Authentication at home• Authorisation at visited institution
Connect. Communicate. Collaborate
eduroam: Ubiquitous Network Access Connect. Communicate. Collaborate
RADIUS server
University B
RADIUS server
University A
SURFnet
Central RADIUS
Proxy server
Authenticator
(AP or switch) User DB
User DB
Supplicant
Gast
piet@university_b.nl
StudentVLAN
CommercialVLAN
EmployeeVLAN
data
signalling
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
Connect. Communicate. Collaborate
A General model for eduroam interactions Connect. Communicate. Collaborate
RADIUS@visited RADIUS@home
Id RepositoryResource (AP)
RADIUS + TLS Channel(s)
Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:*** Received from 145.99.133.194 port 1025 ....Code: Access-RequestIdentifier: 1Authentic: k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>Attributes: User-Name = "[email protected]" NAS-IP-Address = 145.99.133.194 Called-Station-Id = "001217d45bc7" Calling-Station-Id = "0012f0906ccb" NAS-Identifier = "001217d45bc7" NAS-Port = 55 Framed-MTU = 1400 NAS-Port-Type = Wireless-IEEE-802-11 EAP-Message = <2><0><0>-<1>[email protected] Message-Authenticator = <27>`-y<208><232><252><177>.<160><230><177>I<218><243>\
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for [email protected], 145.99.133.194,Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-IDTue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-usersTue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with [email protected] [[email protected]]Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : [email protected] [[email protected]]Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for [email protected] Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:Code: Access-Accept
Connect. Communicate. Collaborateeduroam Hierarchy Connect. Communicate. Collaborate
(virtual) eduroam root
APAN rootEuropean root (America’s root). . . .
.nl
.ac.uk
.dk
. . .
.au
.cn
. . .
.edu
.us
. . .
.hr
.es
. . .
Connect. Communicate. Collaborateeduroam Confederations
• Regions have their own stage of development and pace• Regions have their own regional policies (with delegation to national federations)• Policies will be aligned as much as possible
Connect. Communicate. Collaborate
The European eduroam Policy
• Mutual access• Home institutions are/remain responsible for their users
abroad • Members are European NRENs• Members guarantee required security levels by their
participants• Members promote eduroam in their countries• European eduroam may peer with other regions
Connect. Communicate. CollaborateNational Policies
• Mutual access• Members are connected institutions• Home institution is/remains responsible for its users
behaviour.• Home institution is responsible for proper user
management• Home and visited institution must keep sufficient logdata• Appropriate security levels
Connect. Communicate. CollaborateLimitations
• Authentication = authorisation• Hierarchical trust establishment AND hierarchical routing of
access requests• Transitive trust• No dynamic trust establishment• Use of UDP• Use of shared secrets
Connect. Communicate. Collaborateeduroam-ng
• After evaluating Diameter, RadSec and DNSROAM:
• Introduction of RadSec (if possible)– TCP instead of UDP– TLS between RADIUS-servers instead of shared secrets
• Possibly at later stage introduction of DNSROAM– Support for direct peer interaction– How about firewalls / access lists?
• Eventually Diameter?
Connect. Communicate. Collaborate
The eduGAIN case
Exercising the confederation concepts
Connect. Communicate. CollaborateThe AAI Goal in GÉANT2
• To build an interoperable authentication and authorisation infrastructure that will be used all over Europe enabling seamless sharing of e-science resources
• We started from– Scattered AAI (pilot) implementations in the EU and
abroad– The basic idea of federating them, preserving hard-
won achievements
Connect. Communicate. Collaborate
Applying Confederation Concepts
• An eduGAIN confederation is a loosely-coupled set of cooperating identity federations– That handle identity management, authentication and
authorization using their own policies• Trust between any two participants in different federations
is dynamically established– Members of a participant federation do not know in
advance about members in the other federations• Syntax and semantics are adapted to a common language
– Through an abstract service definition
Connect. Communicate. CollaborateThe eduGAIN Components
• Bridging Elements (BE)– Interconnection points– Federation-wide (LFA) or distributed (LA)
• Federation Peering Point (FPP)– Able to announce BE metadata
• The Metadata Service (MDS)– Publishing interface (to FPPs)– Querying interface (to BEs)
Connect. Communicate. CollaborateThe eduGAIN Model Connect. Communicate. Collaborate
Id Repository(ies)Resource(s)
MDS
R-FPP
MetadataPublish
R-BE
MetadataQuery
AAInteraction
H-FPP
MetadataPublish
H-BE
AAInteraction
AA Interaction
Connect. Communicate. CollaborateComponent Identifiers
• eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
• Based on URNs delegated by the eduGAIN registry to the participating federation
• Identifiers establish the kind of component they apply to by means of normalized prefixes
• Identifiers follow the hierarchy of the trust establishing process
Connect. Communicate. CollaborateThe (X.509) Trust Fabric
• Validation procedures include– Normal certificate validation
• Trust path evaluation, signatures, revocation,…– Peer identification
• Certificates hold the component identifier• It must match the appropriate metadata
• Applicable to– TLS connections between components
• Two-way validation is mandatory– Verification of signed XML assertions
Connect. Communicate. Collaborate
A general model for eduGAIN interactions Connect. Communicate. Collaborate
Requester Responder
Id RepositoryResource
TLS Channel(s)
MDS
TLS Channel
https://mds.geant.net/ ?cid=someURN <EntityDescriptor . . .
entityID= ”urn:geant2:..:responder">. . .<SingleSignOnService . . . Location= “https://responder.dom/” /> . . .
<samlp:Request . . . RequestID=”e70c3e9e6…” IssueInstant=“2006-06…”> . . .</samlp:Request>
<samlp:Response . . . ResponseID=”092e50a08…” InResponseTo=“e70c3e9e…”> . . .</samlp:Response>
urn:geant2:...:responder
urn:geant2:...:requester
Connect. Communicate. CollaborateOperation Mapping
• Maps the abstract service definition into actual protocols• Current version is based on SAML 1.1
– Profiling the standard to fit abstract parameters• A SAML 2.0 implementation will be available along the
lifetime of the project– The abstract service specification protects components
and applications from these changes• Authentication assertions and attribute exchange
mechanisms are designed to be Shibboleth 1.3 compatible– And Shibboleth 2 in the future
Connect. Communicate. CollaborateMetadata Service
• Based on REST interfaces transporting SAML 2.0 metadata• Metadata are published through POST operations• Metadata are retrieved through GET operations• URLs are built as
MDSBaseURL/FederationID/entityID?queryString– Using component names– The query string transports data intended to locate the appropriate
home BE (Home Locators)• Hints provided by the user• Contents of certificate extensions
(SubjectInformationAccess)
Connect. Communicate. CollaborateeduGAIN Profiles
• Three profiles defined so far– Web SSO (Shibboleth compatible)– Automated client (no human interaction)– Non-web client (use of SASL-CA)
• Others envisaged– Extended Web SSO (allowing the send of POST data)– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1– Mapping to SAML 2.0 profiles along the transition period
Connect. Communicate. CollaborateA Sample Profile Connect. Communicate. Collaborate
Connect. Communicate. Collaborate
DAMe
aka “The holy grail”
Connect. Communicate. Collaborate
Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)
• DAME is a project that builds upon:
– eduroam, which defines an inter-NREN roaming architecture
based on AAA servers (RADIUS) and the 802.1X standard,
– Shibboleth and eduGAIN
– NAS-SAML, a network access control approach for AAA
environments, developed by the University of Murcia (Spain),
based on the SAML (Security Assertion Markup Language) and
the XACML (eXtensible Access Control Markup Language)
standards.
Connect. Communicate. CollaborateFirst Goal: extNAFirst Goal: Extension of eduroam Using NAS-SAML Connect. Communicate. Collaborate
Gast
piet@university_b.nl
RADIUS server
University B
RADIUS server
University A
SURFnet
Central RADIUS
Proxy server
Authenticator
(AP or switch) User DB
User DB
Supplicant
data
• User mobility controlled by assertions and policies expressed in SAML and XACML
XACML
Policy Decision Point
SAML
Source Attribute Authority
Signaling
Connect. Communicate. CollaborateFirst Goal: extNASecond Goal: eduGAIN as AuthN and AuthR Backend Connect. Communicate. Collaborate
• Link between the AAA servers (now acting as Service Providers) and eduGAIN
Connect. Communicate. CollaborateFirst Goal: extNAThird Goal: Universal Single Sign On Connect. Communicate. Collaborate
• Users will be authenticated once, during the network access control phase
• The eduGAIN authentication would be bootstrapped from the NAS-SAML
• New method for delivering authentication credentials and new security middleware
Connect. Communicate. Collaborate
Summary and conclusions
Connect. Communicate. CollaborateSummary
• Educational federations are happening– And suffering their first growing pains
• Convergence to (small number of) standards– In the SAML orbit
• International confederations are emerging– eduroam– Géant2 AAI (eduGAIN)– The twain will ever meet– Using the same principles and standards