Deploying Authorization Mechanisms for Federated Services in eduroam
Klaas Wierenga, EuroCAMP
Helsinki, 17 & 18 April 2007
Contents
- Intro
- eduroam
- The European eduroam confederation
- eduGAIN
- DAMe
- Summary
Federations in European education
- Enable the sharing of educational resources
- Applications
  - Shibboleth, PAPI, A-Select, Liberty
  - Federated with eduGAIN
- Network
  - eduroam
- Both require agreement on:
  - Responsibilities
  - Privacy
  - Liability
  - Technology
  - Language
  - Standards
eduroam
The goal of eduroam
“open your laptop and be online”
or
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources
eduroam
[Diagram: eduroam architecture. A guest supplicant (piet@university_b.nl) connects to the authenticator (AP or switch) at University A. University A's RADIUS server forwards the request through the SURFnet central RADIUS proxy server to University B's RADIUS server, which checks its own User DB; University A's RADIUS server has its own User DB for its own users. After authentication the user is placed in a VLAN (StudentVLAN, CommercialVLAN or EmployeeVLAN). Data and signalling paths are drawn separately.]
• Trust based on RADIUS plus policy documents
• 802.1X
• (VLAN assignment)
eduroam interactions
[Diagram: Resource (AP) – RADIUS@visited – RADIUS@home – Id Repository, connected by RADIUS + TLS channel(s).]

Access-Request as received from the authenticator (Radiator debug dump):
Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code: Access-Request
Identifier: 1
Authentic: k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
Attributes:
	User-Name = "[email protected]"
	NAS-IP-Address = 145.99.133.194
	Called-Station-Id = "001217d45bc7"
	Calling-Station-Id = "0012f0906ccb"
	NAS-Identifier = "001217d45bc7"
	NAS-Port = 55
	Framed-MTU = 1400
	NAS-Port-Type = Wireless-IEEE-802-11
	EAP-Message = <2><0><0>-<1>[email protected]
	Message-Authenticator = <27>`-y<208><232><252><177>.<160><230><177>I<218><243>\

Handling of the request tunnelled inside EAP-TTLS at the authenticating server:
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for [email protected], 145.99.133.194,
Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with [email protected] [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : [email protected] [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for [email protected]
Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept
eduroam hierarchy
- Single technology
  - RADIUS
  - 802.1X
  - EAP
- Authentication = authorisation
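The hierarchy above works because every RADIUS proxy on the path routes on one thing only: the realm in the user's identity. The following added example (written for this page, not code from the slides or from Radiator/eduroam) parses an Access-Request in the Radiator debug-dump layout shown above, extracts the realm from the User-Name and decides, for the two hops on the slides' diagram, whether the request is answered locally, forwarded to a member server or to the next proxy up, or rejected. Server names, the routing tables and the sample dump are constructed for the example.

```python
"""Realm-based routing for an eduroam RADIUS proxy.

Added example, not code from the slides or from Radiator/eduroam.  It
reads an Access-Request in the Radiator debug-dump format shown on the
slides, takes the realm from the User-Name (an NAI, user@realm) and
decides what the proxy does with it: answer it locally, forward it to a
member server or the next proxy up the hierarchy, or reject it.  Server
names, the routing tables and the sample dump are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the Radiator "Packet dump" layout (only the
# attributes the routing decision needs).
SAMPLE_DUMP = """\
*** Received from 145.99.133.194 port 1025 ....
Code: Access-Request
Identifier: 1
Attributes:
\tUser-Name = "piet@university_b.nl"
\tNAS-IP-Address = 145.99.133.194
\tCalled-Station-Id = "001217d45bc7"
\tCalling-Station-Id = "0012f0906ccb"
\tNAS-Port-Type = Wireless-IEEE-802-11
\tEAP-Message = <2><0><0>-<1>piet@university_b.nl
"""

ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')


def parse_dump(dump: str) -> dict:
    """Return {attribute: value} for the Attributes section of a dump."""
    attrs, in_attrs = {}, False
    for line in dump.splitlines():
        if line.startswith("Attributes:"):
            in_attrs = True
            continue
        m = ATTR_RE.match(line) if in_attrs else None
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def realm_of(identity: str) -> Optional[str]:
    """Realm of an NAI (RFC 7542): the part after the last '@', lower-cased.

    None when there is no '@' or the realm is empty: such an identity cannot
    be routed through the hierarchy and is rejected rather than guessed.
    """
    if "@" not in identity:
        return None
    realm = identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


@dataclass
class RoutingTable:
    local: dict = field(default_factory=dict)    # realm -> local AuthBy handler
    members: dict = field(default_factory=dict)  # realm -> member RADIUS server
    upstream: Optional[str] = None               # next proxy up, if any


@dataclass
class Route:
    action: str            # "local", "forward" or "reject"
    target: str            # handler name, next hop, or reject reason
    realm: Optional[str]


def route_request(attrs: dict, table: RoutingTable) -> Route:
    """Decide where an Access-Request goes, by realm only.

    The proxy never looks at credentials: authentication happens at the home
    institution, and in plain eduroam the Access-Accept that comes back is
    also the authorisation (the slides' "Authentication = authorisation").
    """
    realm = realm_of(attrs.get("User-Name", ""))
    if realm is None:
        return Route("reject", "no realm in User-Name", None)
    if realm in table.local:
        return Route("local", table.local[realm], realm)
    for member, server in table.members.items():
        if realm == member or realm.endswith("." + member):
            return Route("forward", server, realm)
    if table.upstream:
        return Route("forward", table.upstream, realm)
    return Route("reject", "unknown realm", realm)


# Constructed tables for the two hops on the slides' diagram.
UNIVERSITY_A = RoutingTable(local={"university_a.nl": "AuthBy-LDAP"},
                            upstream="radius.surfnet.example")
SURFNET = RoutingTable(members={"university_a.nl": "radius.university_a.nl",
                                "university_b.nl": "radius.university_b.nl"},
                       upstream="toplevel.eduroam.example")


def trace(dump: str) -> list:
    """Follow one request through both hops; returns the list of routes."""
    attrs = parse_dump(dump)
    return [route_request(attrs, UNIVERSITY_A), route_request(attrs, SURFNET)]


if __name__ == "__main__":
    for hop, r in zip(("university A", "national proxy"), trace(SAMPLE_DUMP)):
        print(f"{hop}: {r.action} -> {r.target} (realm {r.realm})")
```

The member match uses the realm or any sub-realm of it (`student.university_b.nl`), which is how a national proxy normally delegates a whole institution; an identity without a realm is rejected at the first hop instead of being forwarded, since no server further up could ever answer it.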
European eduroam confederation
eduGAIN
The eduGAIN model
[Diagram: on each side, the Resource(s) or Id Repository(ies) sit behind their Bridging Element (R-BE on the remote side, H-BE on the home side) and Federation Peering Point (R-FPP, H-FPP). The peering points publish metadata to the MDS (Metadata Service) and the bridging elements query it; the AA interaction runs between the two sides.]
eduGAIN interactions
Lingua franca: SAML
[Diagram: Requester (Resource, urn:geant2:...:requester) and Responder (Id Repository, urn:geant2:...:responder) talk over TLS channel(s); each reaches the MDS over a TLS channel.]

Metadata query: the requester fetches the responder's entity descriptor from the MDS by entityID:
https://mds.geant.net/?cid=someURN
<EntityDescriptor . . . entityID="urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location="https://responder.dom/" /> . . .

Request and response, correlated through InResponseTo:
<samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…"> . . . </samlp:Request>
<samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>
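The slide shows the three messages but not what the requester has to verify when the response comes back. The added example below (written for this page; not eduGAIN code) runs the round trip in SAML 1.1 terms: a metadata lookup that stands in for the MDS query, a samlp:Request with a fresh RequestID, the responder's samlp:Response with InResponseTo, and the requester-side checks that InResponseTo matches the outstanding RequestID, that the assertion was issued by the responder selected from metadata, and that IssueInstant is recent. Entity IDs, the in-memory metadata, the SAML 2.0 metadata namespace used for the toy descriptor and all helper names are constructed; XML signatures and the TLS channels are out of scope.

```python
"""SAML 1.1 request/response round trip in the eduGAIN model.

Added example, not code from the slides or from eduGAIN.  A requester
looks the responder up in a stand-in for the MDS, sends a samlp:Request
and checks the samlp:Response it gets back: InResponseTo must equal the
RequestID it is waiting for, the assertion must come from the responder
it selected, and the response must be fresh.  Entity IDs, the metadata
document and the helper names are constructed; XML signatures and the
TLS channels are out of scope.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
for prefix, uri in (("samlp", SAMLP), ("saml", SAML), ("md", MD)):
    ET.register_namespace(prefix, uri)

REQUESTER = "urn:geant2:example:requester"   # constructed entity IDs
RESPONDER = "urn:geant2:example:responder"
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed stand-in for the MDS, keyed like the ?cid= query on the slide.
MDS = {
    RESPONDER: (
        f'<md:EntityDescriptor xmlns:md="{MD}" entityID="{RESPONDER}">'
        '<md:IDPSSODescriptor>'
        '<md:SingleSignOnService Location="https://responder.dom/"/>'
        '</md:IDPSSODescriptor></md:EntityDescriptor>'
    ),
}


def now_utc() -> datetime:
    return datetime.now(timezone.utc)


def mds_lookup(cid: str) -> str:
    """Metadata query: return the responder's SingleSignOnService Location."""
    root = ET.fromstring(MDS[cid])
    if root.get("entityID") != cid:
        raise ValueError("metadata entityID does not match the requested cid")
    return root.find(f".//{{{MD}}}SingleSignOnService").get("Location")


def build_request(subject: str) -> tuple:
    """Requester side: return (request_id, xml); the id is kept for correlation."""
    rid = "_" + uuid.uuid4().hex
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "RequestID": rid, "IssueInstant": now_utc().strftime(TS),
        "MajorVersion": "1", "MinorVersion": "1"})
    query = ET.SubElement(req, f"{{{SAMLP}}}AttributeQuery")
    subj = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
    return rid, ET.tostring(req, encoding="unicode")


def build_response(request_xml: str, responder: str) -> str:
    """Responder side: answer the request with an assertion it issued."""
    req = ET.fromstring(request_xml)
    if req.tag != f"{{{SAMLP}}}Request":
        raise ValueError("not a samlp:Request")
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ResponseID": "_" + uuid.uuid4().hex,
        "InResponseTo": req.get("RequestID"),
        "IssueInstant": now_utc().strftime(TS),
        "MajorVersion": "1", "MinorVersion": "1"})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "AssertionID": "_" + uuid.uuid4().hex, "Issuer": responder,
        "IssueInstant": now_utc().strftime(TS),
        "MajorVersion": "1", "MinorVersion": "1"})
    return ET.tostring(resp, encoding="unicode")


def check_response(response_xml: str, expected_request_id: str,
                   expected_issuer: str, max_age=timedelta(minutes=5)) -> list:
    """Requester side: return the problems found; an empty list means accept."""
    problems = []
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    if resp.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the outstanding RequestID")
    try:
        issued = datetime.strptime(resp.get("IssueInstant", ""), TS).replace(tzinfo=timezone.utc)
        if not (now_utc() - max_age <= issued <= now_utc() + timedelta(seconds=30)):
            problems.append("IssueInstant outside the acceptance window")
    except ValueError:
        problems.append("missing or malformed IssueInstant")
    code = resp.find(f"./{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != "samlp:Success":
        problems.append("status is not Success")
    assertion = resp.find(f"{{{SAML}}}Assertion")
    if assertion is None or assertion.get("Issuer") != expected_issuer:
        problems.append("assertion issuer is not the responder selected from metadata")
    return problems


def exchange(subject: str) -> tuple:
    """Full round trip: returns (endpoint, request_id, response_xml, problems)."""
    endpoint = mds_lookup(RESPONDER)
    rid, req = build_request(subject)
    resp = build_response(req, RESPONDER)   # would travel over TLS to `endpoint`
    return endpoint, rid, resp, check_response(resp, rid, RESPONDER)
```

The requester keeps the RequestID it issued and accepts nothing that does not quote it in InResponseTo, so a captured response cannot be replayed against a later request; binding the assertion's Issuer to the entity chosen from metadata is what stops another federation member from answering on the responder's behalf.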
DAMe
DAMe: Deploying Authorization Mechanisms for Federated Services in eduroam
- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards
- Universities of Murcia and Stuttgart within Géant2 JRA5
[Diagram: the eduroam architecture again (guest supplicant piet@university_b.nl, authenticator (AP or switch), University A and University B RADIUS servers with their User DBs, eduroam central RADIUS proxy server, data and signalling paths), extended with a SAML Source Attribute Authority and an XACML Policy Decision Point.]
• User mobility controlled by assertions and policies expressed in SAML and XACML
1st: Extension of eduroam with authZ
2nd: eduGAIN AuthN+AuthZ backend
- Link between the AAA servers (now acting as Service Providers) and eduGAIN
3rd: Universal Single Sign On
- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
4th: Integrating applications, focusing on grids
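The first goal, extending eduroam with authorisation, is where the model departs from "Authentication = authorisation": the home institution's attribute authority says who the user is, and a policy decision point at the visited network decides what that entitles them to. The added example below (written for this page; not code from the DAMe or NAS-SAML project) parses a SAML 1.1 attribute assertion, refuses it if the issuer is not on the federation's trust list or the assertion has expired, evaluates a small policy over eduPersonAffiliation and turns a Permit into the RADIUS VLAN attributes the authenticator understands. The policy is Python data written in the spirit of XACML (rules with an effect, deny-overrides combining, a VLAN obligation on Permit), not XACML XML; issuer names, VLAN numbers, the fixed clock and the sample assertion are all constructed.

```python
"""Attribute-based network authorisation in the DAMe style.

Added example, not code from the slides or from the DAMe/NAS-SAML
project.  The home attribute authority returns a SAML 1.1 attribute
assertion about the roaming user; the visited site's policy decision
point checks that the assertion is trusted and still valid, evaluates
its policy over the attributes, and maps the decision to RADIUS VLAN
attributes.  The policy is Python data in the spirit of XACML, not XACML
XML.  Issuer names, VLAN numbers, the clock and the sample assertion are
constructed for the example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
TS = "%Y-%m-%dT%H:%M:%SZ"

HOME_AA = "urn:geant2:example:university_b"          # constructed issuer name
TRUSTED_ISSUERS = {HOME_AA}                           # the federation's trust list
VLANS = {"StudentVLAN": "20", "EmployeeVLAN": "10"}   # constructed VLAN ids
EXAMPLE_NOW = datetime(2007, 4, 17, 10, 0, tzinfo=timezone.utc)  # fixed clock


def sample_assertion(affiliation: str, not_on_or_after: str, issuer: str = HOME_AA) -> str:
    """Constructed SAML 1.1 attribute assertion as the home AA would return it."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML}" Issuer="{issuer}" AssertionID="_a1" '
        'IssueInstant="2007-04-17T09:00:00Z" MajorVersion="1" MinorVersion="1">'
        f'<saml:Conditions NotBefore="2007-04-17T09:00:00Z" NotOnOrAfter="{not_on_or_after}"/>'
        '<saml:AttributeStatement>'
        '<saml:Subject><saml:NameIdentifier>piet@university_b.nl</saml:NameIdentifier></saml:Subject>'
        f'<saml:Attribute AttributeName="{AFFILIATION}" '
        'AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">'
        f'<saml:AttributeValue>{affiliation}</saml:AttributeValue>'
        '</saml:Attribute></saml:AttributeStatement></saml:Assertion>'
    )


def parse_assertion(xml: str) -> dict:
    """Pull issuer, validity period and attribute values out of the assertion."""
    root = ET.fromstring(xml)
    attrs = {}
    for a in root.iter(f"{{{SAML}}}Attribute"):
        values = {v.text for v in a.findall(f"{{{SAML}}}AttributeValue") if v.text}
        attrs.setdefault(a.get("AttributeName"), set()).update(values)
    cond = root.find(f"{{{SAML}}}Conditions")
    return {
        "issuer": root.get("Issuer"),
        "subject": root.findtext(f".//{{{SAML}}}NameIdentifier"),
        "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None,
        "attributes": attrs,
    }


# Policy rules: (effect, name, condition over the attribute dict).  Any matching
# Deny wins; otherwise the first matching Permit names the VLAN obligation; no
# match at all is treated as Deny (default deny).
RULES = [
    ("Deny", "affiliation-missing", lambda a: not a.get(AFFILIATION)),
    ("Permit", "EmployeeVLAN",
     lambda a: bool(a.get(AFFILIATION, set()) & {"employee", "staff", "faculty"})),
    ("Permit", "StudentVLAN", lambda a: "student" in a.get(AFFILIATION, set())),
]


@dataclass
class Decision:
    effect: str          # "Permit" or "Deny"
    reason: str
    radius_attrs: dict   # attributes to add to the Access-Accept (empty on Deny)


def vlan_attributes(vlan_id: str) -> dict:
    """RADIUS tunnel attributes for VLAN assignment (RFC 3580)."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan_id}


def decide(assertion_xml: str, now: datetime = EXAMPLE_NOW) -> Decision:
    """PDP: trust and validity checks first, then the policy."""
    info = parse_assertion(assertion_xml)
    if info["issuer"] not in TRUSTED_ISSUERS:
        return Decision("Deny", "issuer not in federation trust list", {})
    if not info["not_on_or_after"]:
        return Decision("Deny", "assertion carries no validity period", {})
    expiry = datetime.strptime(info["not_on_or_after"], TS).replace(tzinfo=timezone.utc)
    if now >= expiry:
        return Decision("Deny", "assertion expired", {})
    permit = None
    for effect, name, cond in RULES:
        if cond(info["attributes"]):
            if effect == "Deny":
                return Decision("Deny", f"rule {name}", {})
            permit = permit or name
    if permit is None:
        return Decision("Deny", "no applicable rule (default deny)", {})
    return Decision("Permit", f"rule {permit}", vlan_attributes(VLANS[permit]))
```

The trust-list and expiry checks sit in front of the policy on purpose: attributes from an unknown issuer or from a stale assertion are not inputs the policy may reason about, so they are never evaluated. A user with no affiliation the policy knows (an alumnus, say) falls through to the default deny rather than being silently placed in a VLAN.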
eduroam+NAS-SAML in context
- The proposal is functionally equivalent to the one discussed in I2 SALSA-FWNA for RADIUS-SAML integration
- Compatibility and convergence are the natural way forward
- NAS-SAML is
  - From the inter-realm view, a Diameter binding for SAML
  - Already available, thus allowing for fast evaluation of ideas
- Agree on the basics
  - Data exchanged in RADIUS space
  - Relevant attributes
Independent AuthZ
Summary
- Convergence to a (small number of) standards
  - 802.1X + RADIUS
  - The SAML orbit
- International confederations are emerging
  - eduroam
  - Géant2 AAI (eduGAIN)
- The twain will ever meet
  - Using the same principles and standards