Deploying Authorization Mechanisms for Federated Services in eduroam

Klaas Wierenga, EuroCAMP Helsinki, 17 & 18 April 2007

Presentation Transcript


  1. Deploying Authorization Mechanisms for Federated Services in eduroam
     Klaas Wierenga, EuroCAMP Helsinki, 17 & 18 April 2007

  2. Contents
     • Intro
     • eduroam
     • The European eduroam confederation
     • eduGAIN
     • DAMe
     • Summary

  3. Federations in European education
     Enable the sharing of educational resources:
     • Applications: Shibboleth, PAPI, A-Select, Liberty; federated with eduGAIN
     • Network: eduroam
     Both require agreement on: responsibilities, privacy, liability, technology, language, standards

  4. eduroam

  5. The goal of eduroam
     "open your laptop and be online", or: to build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources.

  6. eduroam
     [Diagram: supplicant → authenticator (AP or switch) → RADIUS server of University A → central RADIUS proxy server (SURFnet) → RADIUS server of University B → user DB; each university keeps its own user DB. The guest piet@university_b.nl visiting University A is placed in one of its VLANs (commercial, employee or student VLAN). Legend: signalling vs. data.]
     • Trust based on RADIUS plus policy documents
     • 802.1X
     • (VLAN assignment)

  7. eduroam interactions
     [Diagram: Resource (AP) ↔ RADIUS@visited ↔ eduroam hierarchy ↔ RADIUS@home ↔ Id Repository, over RADIUS + TLS channel(s).]
     Radiator debug output:

     Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
     *** Received from 145.99.133.194 port 1025 ....
     Code: Access-Request
     Identifier: 1
     Authentic: k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
     Attributes:
         User-Name = "Klaas.Wierenga@guest.showcase.surfnet.nl"
         NAS-IP-Address = 145.99.133.194
         Called-Station-Id = "001217d45bc7"
         Calling-Station-Id = "0012f0906ccb"
         NAS-Identifier = "001217d45bc7"
         NAS-Port = 55
         Framed-MTU = 1400
         NAS-Port-Type = Wireless-IEEE-802-11
         EAP-Message = <2><0><0>-<1>Klaas.Wierenga@guest.showcase.surfnet.nl
         Message-Authenticator = <27>`-y<208><232><252><177>.<160><230><177>I<218><243>\
     Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
     Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for Klaas.Wierenga@guest.showcase.surfnet.nl, 145.99.133.194,
     Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
     Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
     Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl]
     Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : Klaas.Wierenga@guest.showcase.surfnet.nl [Klaas.Wierenga@guest.showcase.surfnet.nl]
     Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
     Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for Klaas.Wierenga@guest.showcase.surfnet.nl
     Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
     Code: Access-Accept
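Slides 6 and 7 together describe what a proxy in the eduroam hierarchy actually does with an Access-Request: it never sees the tunnelled (TTLS) inner identity, only the outer User-Name, and it routes on the realm after the last "@". The following is an added example, not code from the talk, SURFnet or Radiator. It parses a Radiator-style packet dump like the one in slide 7 (abridged: the binary Authentic, EAP-Message and Message-Authenticator lines are left out), extracts the realm, and applies the routing rules a national proxy needs: known peers only, no realm means reject, unknown realms under its own TLD are rejected rather than pushed upward (the top-level proxy would only send them back), and foreign realms go up. The routing table, peer list, top-level proxy name and the extra sample requests are constructed.

```python
"""Realm-based routing of an eduroam Access-Request on a national proxy (added
example; routing data, peer list and extra requests are constructed)."""
import re
from typing import Dict, NamedTuple, Optional, Tuple

# Abridged from the slide-7 dump: binary attributes omitted, not needed for routing.
SLIDE7_DUMP = """Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code: Access-Request
Identifier: 1
Attributes:
    User-Name = "Klaas.Wierenga@guest.showcase.surfnet.nl"
    NAS-IP-Address = 145.99.133.194
    Called-Station-Id = "001217d45bc7"
    Calling-Station-Id = "0012f0906ccb"
    NAS-Identifier = "001217d45bc7"
    NAS-Port = 55
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
"""

# Constructed routing data for a national (.nl) proxy.
LOCAL_REALMS: Dict[str, str] = {
    "university_a.nl": "radius.university_a.nl",
    "university_b.nl": "radius.university_b.nl",
    "guest.showcase.surfnet.nl": "radius.showcase.surfnet.nl",
}
TRUSTED_PEERS = {"145.99.133.194", "192.0.2.10"}   # sender from the slide plus a constructed peer
NATIONAL_TLD = "nl"
TOP_LEVEL_PROXY = "tlr.eduroam.example"            # assumed name for the top-level proxy

RECEIVED_RE = re.compile(r"Received from (\d{1,3}(?:\.\d{1,3}){3}) port \d+")
ATTR_RE = re.compile(r'^\s+([A-Za-z][\w-]*)\s*=\s*(.*?)\s*$')   # indented "Name = value" lines


class Decision(NamedTuple):
    action: str             # "forward", "reject" or "drop"
    realm: Optional[str]
    next_hop: Optional[str]
    reason: str


def parse_dump(dump: str) -> Tuple[Optional[str], Dict[str, str]]:
    """Return (sender address, attribute dict) from a Radiator 'Packet dump'."""
    src, attrs, in_attrs = None, {}, False
    for line in dump.splitlines():
        m = RECEIVED_RE.search(line)
        if m:
            src = m.group(1)
        elif line.strip() == "Attributes:":
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if not m:
                break                        # first non-attribute line ends the list
            attrs[m.group(1)] = m.group(2).strip('"')
    return src, attrs


def realm_of(user_name: str) -> Optional[str]:
    """NAI realm: everything after the last '@', compared case-insensitively."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def home_server(realm: str) -> Optional[str]:
    """Longest-suffix match, so lab.university_a.nl is routed like university_a.nl."""
    labels = realm.split(".")
    for i in range(len(labels)):
        hit = LOCAL_REALMS.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def route(dump: str) -> Decision:
    src, attrs = parse_dump(dump)
    if src not in TRUSTED_PEERS:
        # RADIUS trust is pairwise: no shared secret with this sender, so no answer at all.
        return Decision("drop", None, None, f"unknown peer {src}")
    realm = realm_of(attrs.get("User-Name", ""))
    if realm is None:
        return Decision("reject", None, None, "no realm in outer identity")
    home = home_server(realm)
    if home:
        return Decision("forward", realm, home, "realm served inside this federation")
    if realm == NATIONAL_TLD or realm.endswith("." + NATIONAL_TLD):
        # The top-level proxy hands every *.nl realm to us; sending it back up would loop.
        return Decision("reject", realm, None, "unknown realm under our own TLD")
    return Decision("forward", realm, TOP_LEVEL_PROXY, "foreign realm, hand to top-level proxy")


def make_dump(src: str, user_name: str) -> str:
    """Constructed dump in the same layout, for additional cases."""
    return (f"*** Received from {src} port 1812 ....\nCode: Access-Request\nIdentifier: 7\n"
            f"Attributes:\n    User-Name = \"{user_name}\"\n    NAS-Port-Type = Wireless-IEEE-802-11\n")


if __name__ == "__main__":
    for d in (SLIDE7_DUMP, make_dump("192.0.2.10", "piet@university_b.nl"),
              make_dump("192.0.2.10", "piet"), make_dump("198.51.100.7", "anon@uni.example")):
        print(route(d))
```

Note that the outer identity is all a proxy can route on; whether the inner (tunnelled) identity belongs to the same realm is the home server's problem, which is exactly where the Radiator log above shows the TTLS handler taking over.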

  8. European eduroam confederation
     • Single technology: RADIUS, 802.1X, EAP
     • Authentication = authorisation

  9. eduGAIN

  10. The eduGAIN model
     [Diagram: both sides publish metadata to the Metadata Service (MDS) and query it; the remote and home Federation Peering Points (R-FPP, H-FPP) and the remote and home Bridging Elements (R-BE, H-BE) carry the AA interactions between the Resource(s) on the remote side and the Id Repository(ies) on the home side.]
     Lingua franca: SAML

  11. eduGAIN interactions
     [Diagram: Requester (urn:geant2:...:requester, in front of a Resource) and Responder (urn:geant2:...:responder, in front of an Id Repository), with TLS channels between them and to the MDS.]
     Metadata query to the MDS, https://mds.geant.net/?cid=someURN, answered with:
         <EntityDescriptor . . . entityID="urn:geant2:..:responder">
           . . .
           <SingleSignOnService . . . Location="https://responder.dom/" />
           . . .
     Requester → Responder:
         <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…">
           . . .
         </samlp:Request>
     Responder → Requester:
         <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…">
           . . .
         </samlp:Response>
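The slide-11 exchange has three checks that the TLS channels alone do not give you: the responder's endpoint comes from the MDS metadata for the entityID you asked about (not from the message), the Response's InResponseTo must equal the RequestID you generated, and the IssueInstant must be recent. The following is an added example, not eduGAIN or GÉANT code. The SAML 1.1 protocol namespace (suggested by the RequestID/ResponseID attributes), the SAML 2.0 metadata namespace, the entity IDs "urn:geant2:example:..." and the metadata document are assumptions, since the slide elides them; the query body (". . ." in the slide) is omitted.

```python
"""Requester/responder exchange with metadata lookup and InResponseTo check
(added example; namespaces, entity IDs and the MDS answer are assumed)."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"   # assumed: SAML 1.1 protocol namespace
MD = "urn:oasis:names:tc:SAML:2.0:metadata"      # assumed: metadata namespace of the MDS answer
ISO = "%Y-%m-%dT%H:%M:%SZ"
MAX_SKEW = timedelta(minutes=5)

# Constructed MDS answer for ?cid=urn:geant2:example:responder
MDS_XML = f"""<EntityDescriptor xmlns="{MD}" entityID="urn:geant2:example:responder">
  <IDPSSODescriptor>
    <SingleSignOnService Location="https://responder.dom/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def endpoint_for(metadata_xml: str, entity_id: str) -> Optional[str]:
    """Endpoint of entity_id from its EntityDescriptor; only the entity we asked for
    and only an https Location are accepted, anything else counts as absent."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{MD}}}EntityDescriptor" or root.get("entityID") != entity_id:
        return None
    sso = root.find(f".//{{{MD}}}SingleSignOnService")
    loc = sso.get("Location") if sso is not None else None
    return loc if loc and loc.startswith("https://") else None


def now_utc() -> datetime:
    return datetime.now(timezone.utc).replace(microsecond=0)


def build_request() -> Tuple[str, str]:
    """Requester side: fresh RequestID (xsd:ID, hence the leading '_') and IssueInstant."""
    request_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}Request", {
        "MajorVersion": "1", "MinorVersion": "1",
        "RequestID": request_id, "IssueInstant": now_utc().strftime(ISO)})
    return ET.tostring(req, encoding="unicode"), request_id


def build_response(request_xml: str) -> str:
    """Responder side: a Response that echoes the RequestID in InResponseTo."""
    req = ET.fromstring(request_xml)
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "MajorVersion": "1", "MinorVersion": "1",
        "ResponseID": "_" + secrets.token_hex(16),
        "InResponseTo": req.get("RequestID", ""),
        "IssueInstant": now_utc().strftime(ISO)})
    return ET.tostring(resp, encoding="unicode")


def check_response(response_xml: str, expected_request_id: str,
                   now: Optional[datetime] = None) -> bool:
    """Requester side: accept only a Response to our own Request, issued recently."""
    now = now or now_utc()
    try:
        resp = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    if resp.tag != f"{{{SAMLP}}}Response":
        return False
    if not expected_request_id or resp.get("InResponseTo") != expected_request_id:
        return False
    try:
        issued = datetime.strptime(resp.get("IssueInstant", ""), ISO).replace(tzinfo=timezone.utc)
    except ValueError:
        return False
    return abs(now - issued) <= MAX_SKEW


def exchange(responder_entity: str) -> dict:
    """Whole slide-11 flow: metadata query, request, response, verification."""
    endpoint = endpoint_for(MDS_XML, responder_entity)
    if endpoint is None:
        return {"ok": False, "reason": "no usable endpoint in metadata"}
    request_xml, request_id = build_request()
    response_xml = build_response(request_xml)      # would travel over TLS to endpoint
    return {"ok": check_response(response_xml, request_id), "endpoint": endpoint}


if __name__ == "__main__":
    print(exchange("urn:geant2:example:responder"))
    print(exchange("urn:geant2:example:nobody"))
```

A real deployment also verifies the XML signature on the Response against the key published in the same metadata; that part is not shown because the slide does not show it either.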

  12. DAMe

  13. Deploying Authorization Mechanisms for Federated Services in eduroam
     DAMe is a project of the Universities of Murcia and Stuttgart within Géant2 JRA5. It builds upon:
     • eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
     • Shibboleth and eduGAIN
     • NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards

  14. 1st: Extension of eduroam with authZ
     [Diagram: the eduroam picture of slide 6 (supplicant, authenticator, RADIUS servers of University A and University B, central RADIUS proxy server, user DBs, guest piet@university_b.nl) extended with a Policy Decision Point evaluating XACML policies and a Source Attribute Authority issuing SAML assertions; the SAML messages travel alongside the RADIUS signalling. Legend: signalling, data, SAML.]
     • User mobility controlled by assertions and policies expressed in SAML and XACML

  15. 2nd: eduGAIN AuthN+AuthZ backend
     • Link between the AAA servers (now acting as Service Providers) and eduGAIN

  16. 3rd: Universal Single Sign-On
     • Users will be authenticated once, during the network access control phase
     • The eduGAIN authentication would be bootstrapped from NAS-SAML
     • New method for delivering authentication credentials and new security middleware
     • 4th goal: integrating applications, focusing on grids

  17. eduroam + NAS-SAML in context
     • The proposal is functionally equivalent to the one discussed in the Internet2 SALSA-FWNA group for RADIUS-SAML integration
     • Compatibility and convergence are the natural way forward
     • NAS-SAML is, from the inter-realm view, a Diameter binding for SAML; it is already available, thus allowing for fast evaluation of ideas
     • Agree on the basics: data exchanged in RADIUS space, relevant attributes
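Slide 8 states the eduroam baseline (authentication = authorisation: the home server's Accept is the whole decision) and slides 13 and 14 describe what DAMe adds: the home Attribute Authority issues a SAML assertion about the user, and a Policy Decision Point at the visited site evaluates XACML policy over it to decide admission and VLAN. The following is an added example, not DAMe or NAS-SAML code. The policy rules, the attribute names (affiliation, homeRealm), the VLAN names, the visited realm and the dict stand-in for a SAML assertion are all constructed; only the deny-overrides combining and fail-closed handling of NotApplicable are standard XACML behaviour.

```python
"""Classic eduroam decision next to a DAMe-style XACML decision over a home AA's
assertion (added example; policy, attribute names and VLAN names are constructed)."""
from typing import Callable, Dict, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    name: str
    target: Dict[str, Callable[[str], bool]]   # attribute -> predicate, all must hold
    effect: str                                # "Permit" or "Deny"
    vlan: Optional[str] = None                 # obligation carried with a Permit


VISITED_REALM = "university_a.nl"              # constructed: this PDP belongs to University A


def is_local(realm: str) -> bool:
    return realm == VISITED_REALM


# Constructed XACML-like policy of the visited site.
POLICY = [
    Rule("local-staff", {"homeRealm": is_local,
                         "affiliation": lambda v: v in {"staff", "employee"}}, "Permit", "employee"),
    Rule("local-student", {"homeRealm": is_local,
                           "affiliation": lambda v: v == "student"}, "Permit", "student"),
    Rule("roaming-guest", {"homeRealm": lambda r: not is_local(r)}, "Permit", "guest"),
    Rule("no-alumni", {"affiliation": lambda v: v == "alum"}, "Deny"),
]


def applicable(rule: Rule, attrs: Dict[str, str]) -> bool:
    return all(name in attrs and pred(attrs[name]) for name, pred in rule.target.items())


def evaluate(policy, attrs: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Deny-overrides combining: any applicable Deny wins, else the first applicable Permit."""
    hits = [r for r in policy if applicable(r, attrs)]
    if any(r.effect == "Deny" for r in hits):
        return "Deny", None
    for r in hits:
        if r.effect == "Permit":
            return "Permit", r.vlan
    return "NotApplicable", None


def classic_eduroam(home_accepted: bool) -> Tuple[str, Optional[str]]:
    """Slide 8: authentication = authorisation. Home says Accept, the visited site
    admits the user and drops them into its fixed guest VLAN."""
    return ("accept", "guest") if home_accepted else ("reject", None)


def assertion(subject: str, issuer: str, **attributes: str) -> dict:
    """Constructed stand-in for a SAML attribute assertion from a home Attribute Authority."""
    return {"subject": subject, "issuer": issuer, "attributes": attributes}


def dame_access(home_accepted: bool, user_name: str, assertion: dict) -> Tuple[str, Optional[str]]:
    """Slide 14: the home AA's assertion is fed to the visited PDP's XACML policy."""
    if not home_accepted:
        return ("reject", None)
    realm = user_name.rsplit("@", 1)[-1].lower()
    # Only the user's own home AA may make claims about them, and about this subject.
    if assertion.get("issuer", "").lower() != realm or assertion.get("subject") != user_name:
        return ("reject", None)
    attrs = dict(assertion["attributes"], homeRealm=realm)
    decision, vlan = evaluate(POLICY, attrs)
    # Anything but an explicit Permit (Deny, NotApplicable) fails closed.
    return ("accept", vlan) if decision == "Permit" else ("reject", None)


if __name__ == "__main__":
    piet = assertion("piet@university_b.nl", "university_b.nl", affiliation="student")
    print(classic_eduroam(True))                      # ('accept', 'guest')
    print(dame_access(True, "piet@university_b.nl", piet))
    print(dame_access(True, "old@university_b.nl",
                      assertion("old@university_b.nl", "university_b.nl", affiliation="alum")))
```

The issuer check is the one a visited site must not skip: once authorisation depends on attributes rather than on a bare Accept, an assertion from anyone other than the subject's home realm is worth nothing.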

  18. Independent AuthZ

  19. Summary

  20. Summary
     • Convergence to a (small number of) standards: 802.1X + RADIUS; the SAML orbit
     • International confederations are emerging: eduroam; Géant2 AAI (eduGAIN)
     • The twain will ever meet, using the same principles and standards

  21. Thank you!
     More info: http://dame.inf.um.es/
     Klaas.Wierenga@surfnet.nl
