1 / 23

First steps in federation peering: eduGAIN and eduroam

This article explores the drivers, challenges, and benefits of federating eduGAIN and eduroam, including the need for universal single sign-on, different community needs, and the growth of confederations. It also discusses the policies, legal matters, and technical aspects involved in these federations.

brooksn
Télécharger la présentation

First steps in federation peering: eduGAIN and eduroam

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. First steps in federation peering:eduGAIN and eduroam Diego R. Lopez - RedIRIS

  2. Contents • The drivers for (con-)federations • The eduroam case • The eduGAIN case • Universal single sign-on, a.k.a. DAMe

  3. As Federations Grow • The risk of dying of success • Do we really need to go on selling the federated idea? • Different communities, different needs • Not even talking about international collaboration • Different (but mostly alike) solutions • Grids and libraries as current examples • And many to come: Governments, professional associations, commercial operators,… • Don’t hold your breath waiting for the Real And Only Global Federation

  4. ConfederationsFederate Federations • Same federating principles applied to federations themselves • Own policies and technologies are locally applied • Independent management • Identity and authentication-authorization must be properly handled by the participating federations • Commonly agreed policy • Linking individual federation policies • Coarser than them • Trust fabric entangling participants • Without affecting each federation’s fabric • E2E trust must be dynamically built

  5. First Steps • Simplifying user collaboration across whatever border is an excellent selling argument • Making the whole promise of the VO idea • eduroam fast worldwide success is a clear example • Lingua franca • Syntax: SAML profiles • Converging to 2.0 • Semantics: eduPerson, SCHAC • Trust fabric • Public key technologies (if not infrastructures) • Component identifiers and registries • Metadata repositories

  6. Policy and Legal Matters • The PMA model has proven extremely useful • Consensual set of guidelines • Peer-reviewed accreditation • Legal matters: Hic sunt leones • For techies like us • Privacy • Liability • More or less manageable in the case of (national) federations

  7. eduroamConfederation avant-la-lettre • A simple goal: “open your laptop and be online” • The GN2 roaming mission: “To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources” • Based on reciprocal (free) access • For the academic and research community • Authentication at home • Authorization at visited institution

  8. Connect. Communicate. Collaborate eduroam: Ubiquitous Network Access Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB Gast piet@university_b.nl GÉANT2 Commercial VLAN Employee VLAN Central RADIUS Proxy server Student VLAN • Trust based on RADIUS plus policy documents • 802.1X • (VLAN assignment) signalling data

  9. eduroam Confederations • Regions have their own stage of development and pace • Regions have their own regional policies (with delegation to national federations) • Policies will be aligned as much as possible

  10. The European eduroam Policy • Mutual access • Home institutions are/remain responsible for their users abroad • Members are European NRENs • Members guarantee required security levels by their participants • Members promote eduroam in their countries • European eduroam may peer with other regions

  11. National Policies • Mutual access • Members are connected institutions • Home institution is/remains responsible for its users behavior. • Home institution is responsible for proper user management • Home and visited institution must keep sufficient log data • Appropriate security levels

  12. eduGAINAAI peering à la European • The GN2 AAI mission: “To build an interoperable authentication and authorisation infrastructure that will be used all over Europe enabling seamless sharing of e-science resources” • We started from • Scattered AAI (pilot) implementations in the EU and abroad • The basic idea of federating them, preserving hard-won achievements

  13. Applying Confederation Concepts • An eduGAIN confederation is a loosely-coupled set of cooperating identity federations • That handle identity management, authentication and authorization using their own policies • Trust between any two participants in different federations is dynamically established • Members of a participant federation do not know in advance about members in the other federations • Syntax and semantics are adapted to a common language • Through an abstract service definition

  14. Connect. Communicate. Collaborate The eduGAIN Model Metadata Query MDS Metadata Publish Metadata Publish R-FPP H-FPP R-BE H-BE AA Interaction AA Interaction AA Interaction Resource(s) Id Repository(ies)

  15. The (X.509) Trust Fabric • Validation procedures include • Normal certificate validation • Trust path evaluation, signatures, revocation,… • Peer identification • Certificates hold the component identifier • It must match the appropriate metadata • Applicable to • TLS connections between components • Two-way validation is mandatory • Verification of signed XML assertions

  16. Connect. Communicate. Collaborate urn:geant2:...:requester urn:geant2:...:responder A general model for eduGAIN interactions https://mds.geant.net/ ?cid=someURN <samlp:Request . . . RequestID=”e70c3e9e6…” IssueInstant=“2006-06…”> . . . </samlp:Request> <samlp:Response . . . ResponseID=”092e50a08…” InResponseTo=“e70c3e9e…”> . . . </samlp:Response> MDS TLS Channel <EntityDescriptor . . . entityID= ”urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location= “https://responder.dom/” /> . . . TLS Channel(s) Requester Responder Resource Id Repository

  17. Metadata Service • Based on REST interfaces transporting SAML 2.0 metadata • Usable by non-eduGAIN components • Metadata are published through POST operations • Metadata are retrieved through GET operations • URLs are built as MDSBaseURL/FederationID/entityID?queryString • Using component names • The query string transports data intended to locate the appropriate home BE (Home Locators) • Hints provided by the user • Contents of certificate extensions (SubjectInformationAccess)

  18. eduGAIN Profiles • Oriented to • Enable direct federation interaction • Enable services in a confederated environment • Four profiles discussed so far • WebSSO (Shibboleth browser/POST) • AC (automated cilent: no human interaction) • UbC (user behind non-Web client: use of SASL-CA) • WE (WebSSO enhanced client: delegation) • Others envisaged • Extended Web SSO (allowing the send of POST data) • eduGAIN usage from roaming clients (DAMe) • Based on SAML 1.1 • Mapping to SAML 2.0 profiles along the transition period

  19. Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe) • DAMe is a project that builds upon: • eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard, • Shibboleth and eduGAIN • NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.

  20. Connect. Communicate. Collaborate Supplicant Authenticator (AP or switch) RADIUS server University A RADIUS server University B User DB User DB eduroam Central RADIUS Proxy server First Goal: Extension of eduroam using NAS-SAML First Goal: extNA Policy Decision Point Source Attribute Authority XACML Gast piet@university_b.nl • User mobility controlled by assertions and policies expressed in SAML and XACML Signaling data SAML

  21. Connect. Communicate. Collaborate First Goal: extNA Second Goal: eduGAIN as AuthN and AuthR Backend • Link between the AAA servers (now acting as Service Providers) and eduGAIN

  22. Connect. Communicate. Collaborate Third Goal: Universal Single Sign On • Users will be authenticated once, during the network access control phase • The eduGAIN authentication would be bootstrapped from the NAS-SAML • New method for delivering authentication credentials and new security middleware • 4th goal: integrating applications, focusing on grids.

  23. Summary • Educational federations are happening • And suffering their first growing pains • Convergence to (small number of) standards • In the SAML orbit • International confederations are emerging • eduroam • Géant2 AAI (eduGAIN) • The twain will ever meet • Using the same principles and standards

More Related