RadSec and DAMe


Presentation Transcript


  1. RadSec and DAMe
     University of Stuttgart, University of Murcia
     Sascha Neinert

  2. Overview
     - DAMe Project
     - RadSec and DAMe: Dynamic Server Discovery
     - DAMe Testbed
     - Next Steps

  3. DAMe Project
     - DAMe stands for: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
     - Subproject of GÉANT2
     - Partners: DFN, RedIRIS, University of Murcia, University of Stuttgart
     - Goals:
       - Adding attribute-based authorization to eduroam
       - Unified Single Sign On, using eduToken in SAML format

  4. Attribute-based Authorization in eduroam

  5. Unified Single Sign On

  6. DAMe-2 Project
     Additional goals:
     - Support for Level of Assurance (LoA):
       - Including LoA in the eduToken, in the AuthNContext
       - Protocol extended for re-authentication with a higher LoA
     - Integration of RadSec:
       - Adding RadSec proxy servers in front of both the remote (SP) and the home (IdP) institution
       - eduToken transport over RadSec
     - Inclusion of attribute conversion in DAMe

  7. RadSec and DAMe: Dynamic Server Discovery
     - RadSec: RADIUS over TCP and TLS
     - Implementations: radsecproxy and Radiator
     - eduroam with RadSec:
       - Mutual authentication with valid server certificates from a trusted CA (eduGAIN CA / SCA, others)
       - subjectAltName (URI) specifying the role of a server (e.g. urn:geant:eduroam:component:sp:ABC may act as a RadSec client, urn:geant:eduroam:component:idp:XYZ may act as a server)
     - RadSec enables dynamic server discovery:
       - Lookup for a RadSec server serving a specific home domain
       - Mutual authentication using server certificates
       - TLS connection is established

  8. RadSec and DAMe: Dynamic Server Discovery
     Dynamic discovery can be done...
     - Using DNS:
       - radsecproxy can query for _radsec._tcp.<domain-name>
       - Radiator can also use this mechanism
     - Using MDS:
       - radsecproxy calls the radsec2mds tool
       - SAML metadata is retrieved from the eduGAIN MDS
       - MDS is part of DAMe / eduGAIN already
       - MDS is flexible + secure (efficient? reliable?)

  9. RadSec and DAMe: Dynamic Server Discovery (MDS)

  10. RadSec and DAMe: Dynamic Server Discovery (MDS)
      Metadata snippet (the radsec URI scheme carries a footnote marker (*) on the original slide):

      <md:EntityDescriptor ID="…" entityID="…">
        <md:IDPSSODescriptor ID="USTUTT-RADSEC">
          <md:SingleSignOnService Location="radsec://ksat124.rus.uni-stuttgart.de:2083"/>
        </md:IDPSSODescriptor>
        <md:Organization>
          <md:Extensions>
            <egmd:HLPattern egmd:MatchingAlgo="urn:geant:edugain:metadata:homelocator:matching-algo:exact"
                            egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
          </md:Extensions>
        </md:Organization>
      </md:EntityDescriptor>
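As an added example (not code from the presentation, from radsecproxy or from the radsec2mds tool), the MDS lookup of slide 10 and the certificate-role rule of slide 7 in Python: resolve a home realm to a RadSec host via an exact HomeDomain HLPattern, and check that the peer certificate's subjectAltName URIs carry the eduroam role the peer claims. The egmd namespace URI is an assumption, and the metadata document and host names are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# "md" is the standard SAML 2.0 metadata namespace; the "egmd" URI is an assumption for this example.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "egmd": "urn:geant:edugain:metadata"}
EXACT = "urn:geant:edugain:metadata:homelocator:matching-algo:exact"
RADSEC_DEFAULT_PORT = 2083  # RadSec (RADIUS over TLS) default port

# Constructed metadata modelled on the slide's snippet; hosts are fictitious.
METADATA = f"""<md:EntitiesDescriptor xmlns:md="{NS['md']}" xmlns:egmd="{NS['egmd']}">
 <md:EntityDescriptor entityID="urn:example:ustutt">
  <md:IDPSSODescriptor ID="USTUTT-RADSEC">
   <md:SingleSignOnService Location="radsec://radsec.idp.example:2083"/>
  </md:IDPSSODescriptor>
  <md:Organization><md:Extensions>
   <egmd:HLPattern egmd:MatchingAlgo="{EXACT}" egmd:Type="HomeDomain">uni-stuttgart.de</egmd:HLPattern>
  </md:Extensions></md:Organization>
 </md:EntityDescriptor>
 <md:EntityDescriptor entityID="urn:example:web-only">
  <md:IDPSSODescriptor ID="WEB">
   <md:SingleSignOnService Location="https://sso.example/SSO"/>
  </md:IDPSSODescriptor>
  <md:Organization><md:Extensions>
   <egmd:HLPattern egmd:MatchingAlgo="{EXACT}" egmd:Type="HomeDomain">web.example</egmd:HLPattern>
  </md:Extensions></md:Organization>
 </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

def radsec_endpoint(metadata_xml, realm):
    """(host, port) of the RadSec server for `realm`, or None if the metadata
    has no exact HomeDomain match that carries a radsec:// location."""
    root = ET.fromstring(metadata_xml)
    for ed in root.iterfind("md:EntityDescriptor", NS):
        for pat in ed.iterfind(".//egmd:HLPattern", NS):
            # Only exact HomeDomain patterns are handled; realms compare like DNS names.
            if (pat.get(f"{{{NS['egmd']}}}Type") != "HomeDomain"
                    or pat.get(f"{{{NS['egmd']}}}MatchingAlgo") != EXACT
                    or (pat.text or "").strip().lower() != realm.lower()):
                continue
            for sso in ed.iterfind(".//md:SingleSignOnService", NS):
                url = urlsplit(sso.get("Location", ""))
                if url.scheme == "radsec" and url.hostname:  # never use a web SSO endpoint as a RADIUS peer
                    return url.hostname, url.port or RADSEC_DEFAULT_PORT
    return None

def may_act_as(san_uris, role):
    """True if the peer certificate's subjectAltName URIs carry the eduroam `role`
    ("idp" may act as RadSec server, "sp" as client); checked after TLS handshake."""
    prefix = f"urn:geant:eduroam:component:{role}:"
    return any(u.startswith(prefix) and len(u) > len(prefix) for u in san_uris)
```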

  11. DAMe Testbed – Overall View
      Diagram components: Client, AP, RADIUS, RadSec proxy (UMU, "remote"); RadSec proxy, RADIUS, DAMe-BE, XACML PDP, Shibboleth IdP (USTUTT, "home"); DNS; eduGAIN MDS.

  12. DAMe Testbed – UMU
      - Client: wpa_supplicant
      - Network SP:
        - FreeRADIUS 1.1.3 with dame-dictionary
        - radsecproxy 1.3.1
        - eduGAIN SCA certificate including eduroam URN (urn:geant:eduroam:component: ...)

  13. DAMe Testbed – USTUTT
      - Network IdP:
        - FreeRADIUS 2.0.2 with dame-enabled peap-module and dame-dictionary
        - radsecproxy 1.3.1; can be discovered by querying DNS for _radsec._tcp.dame.uni-stuttgart.de
        - eduGAIN SCA certificate including eduroam URN (urn:geant:eduroam:component: ...)
      - SAML IdP:
        - Shibboleth IdP 1.3.2 + DAMe-BE
        - Issuing eduTokens

  14. Next Steps
      - USTUTT: separate network SP and network IdP
      - Finish deployment of DAMe including dynamic discovery components
      - Publish metadata to mds.edugain.org
      - Run federated tests UMU - USTUTT
      - Optimize the radsec2mds tool
      - Measure performance of DNS-based and MDS-based discovery
      - Compare both methods

  15. Any questions or comments?
      DAMe website: http://dame.inf.um.es/
