
Authentication and Authorization Infrastructure



  1. Authentication and Authorization Infrastructure Martin Sutter, Head of NetServices; Thomas Lenggenhager, Deputy Project Manager AAI; Christoph Graf, Head of Network Security

  2. Agenda • AAI deployment in Switzerland • SWITCHaai key issues • AAI & Grid • Outlook • EUGridPMA

  3. Motivation for SWITCHaai • Need for SWITCHaai spawned by Swiss Virtual Campus, a large national e-learning project • About 30 projects developing e-learning contents involving at least three different sites • Authentication & Authorization not to be solved by each project individually

  4. SWITCHaai Building Blocks • Organizational Framework • Interoperation • Identity Providers (Home Orgs) • Service Providers (Resources) • Central Services • Funding

  5. Organizational Framework • SWITCH acts as SWITCHaai Federation service provider • Federation membership is based on signed service agreements (Organization)

  6. Interoperation • Requires agreement on technical details like: • Standards: SAML 1.1 • Software versions (as per May 2005): Shibboleth 1.1 for identity providers, Shibboleth 1.2.1 for service providers • Accepted certificate authorities: SWITCHpki plus Thawte, Trustcenter, VeriSign • Attribute specification: swissEduPerson (Interoperation)

  7. Interoperation: Attributes • Criteria for attribute specification: • Start simple, extend as required • Common understanding of interpretation • Already widely used: swissEduPerson • Attribute usage by applications: • Use minimal set required • Data protection principle

  8. Identity Provider Integration • [Diagram: AAI-enabled Identity Provider, made up of the AAI component, an Authentication System and a User Directory] • Currently in use in SWITCHaai: • Authentication systems: OpenLDAP with CAS or Pubcookie; Kerberos AuthN with Active Directory; Windows AuthN with IIS • User directory: OpenLDAP; Active Directory (Identity Providers)

  9. Identity Providers in SWITCHaai • [Map of identity providers; legend: operational AAI Identity Provider / AAI Identity Provider getting ready; sites shown: Virtual Home Org, University Geneva, University Hospital Zurich, Zurich University of Applied Sciences Winterthur, University Zurich, ETH Zurich, SWITCH, University Berne, University Lucerne, University Fribourg, University Lausanne] • 110’000 Swiss Higher Ed users have an AAI account (≈ 50% of all)

  10. Virtual Home Organization – VHO • Integrate end users without Identity Provider • Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider • A VHO account is only usable for the resource(s) managed by the resource owner • [Diagram: some end users without identity provider; Federation Member with Identity Provider and User Dir; Resource Owner; End User; Admin; VHO Policy; VHO Service @SWITCH]

  11. Types of Service Providers • [Diagram: service providers grouped into e-learning, libraries, other web applications and commercial; examples shown: OLAT, Vista@SVC, EZproxy, WebCT@ETHZ, VITELS, ScienceDirect, DOIT, Blackboard, Moodle, …, BSCW, ILIAS, AD Learn & Co, Vconf-Reservation, SwissLex, TWiki, eShops, SMS-Gateway, IS-Academia, Jobs@BWI] • 50 ‘shibbolized’ servers • 10’000 active AAI users (Service Providers)

  12. Service Provider Example: DOIT • DOIT: Dermatology Online with Interactive Technology • Access rule: IdP = UniZH | UniBE | UniL; Affiliation = student; studyBranch = medicine; studyLevel = 15 • [Diagram: AAI Identity Providers at University Zurich, University Berne and University Lausanne, connected to the DOIT AAI Service Provider] • 500 AAI users
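The DOIT access rule on slide 12 is a plain attribute-based policy: trust only the three named identity providers, then require specific values for three swissEduPerson-style attributes. Slide 7 adds the identity-provider side of the same picture: release only the minimal attribute set a service needs. The block below is an added example, not SWITCHaai, Shibboleth or DOIT code; the IdP entity IDs, attribute names, directory entry and assertions are constructed for illustration. It encodes the rule as data, evaluates it with default deny (untrusted issuer, missing attribute, or no acceptable value all fail with a loggable reason), treats attributes as multi-valued the way SAML does, and shows an IdP-side release filter that forwards nothing the service did not ask for.

```python
"""Attribute-based access control for a SAML/Shibboleth service provider.

Added example, not SWITCHaai or DOIT code. The DOIT rule from the slide
(IdP = UniZH | UniBE | UniL, Affiliation = student, studyBranch = medicine,
studyLevel = 15) is encoded as data. Entity IDs, attribute names and the
sample directory entry / assertions are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Mapping, Sequence

# Constructed (hypothetical) entity IDs for the three IdPs named on the slide.
IDP_UNIZH = "https://idp.unizh.example/shibboleth"
IDP_UNIBE = "https://idp.unibe.example/shibboleth"
IDP_UNIL = "https://idp.unil.example/shibboleth"


@dataclass(frozen=True)
class AccessRule:
    """Trusted issuers plus required attribute values; every condition must hold."""
    allowed_idps: frozenset[str]
    required: Mapping[str, frozenset[str]]  # attribute name -> acceptable values


DOIT_RULE = AccessRule(
    allowed_idps=frozenset({IDP_UNIZH, IDP_UNIBE, IDP_UNIL}),
    required={
        "affiliation": frozenset({"student"}),
        "studyBranch": frozenset({"medicine"}),
        "studyLevel": frozenset({"15"}),
    },
)


@dataclass(frozen=True)
class Assertion:
    """The part of a SAML assertion an SP authorizes on: issuer and attributes."""
    issuer: str
    attributes: Mapping[str, Sequence[str]]  # SAML attributes are multi-valued


def release_attributes(directory_entry: Mapping[str, Sequence[str]],
                       sp_needs: Sequence[str]) -> dict[str, tuple[str, ...]]:
    """IdP side (slide 7): release only the attributes the SP declared it needs.

    Attributes the directory does not hold are simply absent from the result;
    nothing outside `sp_needs` (postal address, mail, ...) ever leaves the IdP.
    """
    return {name: tuple(directory_entry[name]) for name in sp_needs if name in directory_entry}


def authorize(rule: AccessRule, assertion: Assertion) -> tuple[bool, str]:
    """SP side (slide 12): default deny; returns (decision, reason) for the audit log."""
    if assertion.issuer not in rule.allowed_idps:
        return False, f"issuer not trusted for this resource: {assertion.issuer}"
    for name, acceptable in rule.required.items():
        values = set(assertion.attributes.get(name, ()))
        if not values:
            return False, f"required attribute missing: {name}"
        # Multi-valued attribute: a user who is both student and staff still
        # satisfies "affiliation = student" if any value is acceptable.
        if not values & acceptable:
            return False, f"attribute {name} has no acceptable value: {sorted(values)}"
    return True, "all conditions satisfied"


def demo() -> dict[str, tuple[bool, str]]:
    """Run the DOIT rule over constructed cases; returns decisions keyed by case name."""
    # Constructed directory entry at UniZH holding more than DOIT needs.
    entry = {
        "affiliation": ["student", "staff"],
        "studyBranch": ["medicine"],
        "studyLevel": ["15"],
        "homePostalAddress": ["Constructed Street 1"],  # must never be released
        "mail": ["alice@unizh.example"],
    }
    released = release_attributes(entry, list(DOIT_RULE.required))
    cases = {
        "med_student_unizh": Assertion(IDP_UNIZH, released),
        "same_attributes_untrusted_idp": Assertion("https://idp.other.example/shibboleth", released),
        "missing_studyLevel": Assertion(IDP_UNIBE, {"affiliation": ["student"], "studyBranch": ["medicine"]}),
        "law_student_unil": Assertion(IDP_UNIL, {"affiliation": ["student"], "studyBranch": ["law"], "studyLevel": ["15"]}),
    }
    return {name: authorize(DOIT_RULE, a) for name, a in cases.items()}


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:32s} {'PERMIT' if ok else 'DENY':6s} {reason}")
```

The issuer check comes first on purpose: the attribute values in an assertion are only as trustworthy as the identity provider that signed it, so a correct set of attributes from a federation member outside the rule's IdP list is still denied. Keeping the rule as data rather than code is what lets a resource owner adjust it (adding an IdP, changing a study level) without touching the enforcement logic.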

  13. Integration of „Blackboxes“ • [Diagram: Shibboleth sign-on into AAIportal, which connects through an API to applications A1, A2, …] • AAIportal (open source, GPL): • Authentication / authorization gateway • Portal functionalities (optional) • User management (optional) • Adaptors to blackbox applications: WebCT Vista, WebCT CE, …

  14. Central AAI Services • Strategy & marketing • International contacts • Support, consulting, training • Providing federation-specific files and configuration guides • Operating WAYF (‘Where are you from?’) server • Testing parties (identity provider and service provider) • Jump-start service • Virtual Home Organization (Central Services)

  15. Key Issues in SWITCHaai • Structure of SWITCHaai Federation: • Switzerland is strongly federal • Solve problems at the lowest level • Coordinate where useful • AAI is more than Shibboleth: • SWITCHaai designed to be extensible (policies, federation) • SAML 2 and Shibboleth 2 will allow interoperability with other SAML-based infrastructures

  16. AAI and Grid • SWITCHaai concept is ready for Grid integration • Current Shibboleth version not yet Grid ready • GridShib, an Internet2 project, links upcoming Shibboleth 1.3 with Globus Toolkit 4.1: • First phase to be implemented by autumn 2005 • Second phase to be implemented by second half of 2006 • http://grid.ncsa.uiuc.edu/GridShib/ • Extension to other n-tier use cases possible

  17. Outlook 2005 – 2007 • More national AAI related projects • supported by federal grants (on matching funds) • Non-web browser based service providers (like Grid) • Study on AAI and ECTS • Study on extending AAI to AAAI • accounting, but not limited to billing • Integration of federation partners • resources from non-members • other federations http://www.switch.ch/aai

  18. EUGridPMA • What the EUGridPMA does: • A useful job for Grid projects (evaluating CP/CPSs) • Impressive PR: made it into eIRG papers (together with TACAR) • NREN perspective: • NRENs engaging in PKIs need something similar to interwork • But we will need more than one assurance level (Grid-strength certs and basic-strength certs) • The predicted future of EUGridPMA: • Perish: if they stay Grid-specific • Flourish: if they become relevant beyond the Grid • Recommendation: • NRENs to collaborate and eventually host EUGridPMA activities • Terena to play an important role (how about TACAR++?)
