
Roaming network access using Shibboleth in University of Helsinki


Presentation Transcript


  1. Roaming network access using Shibboleth in University of Helsinki
     Fall 2004 Internet2 Member Meeting, 29th of September, 2004
     Mikael Linden, mikael.linden@csc.fi
     CSC, the Finnish IT Center for Science, Finland

  2. Isn’t it a little bit exotic…
     • Application layer: Shibboleth
     • Transport layer: TCP
     • Network layer: IP
     • Link layer: WLAN (802.11)
     …to use application layer technology for access control in the network layer?

  3. CSC, the Finnish IT Center for Science
     • Non-profit company owned by the Ministry of Education in Finland
       • to provide national IT infrastructure for research and education
       • expertise in scientific computing
       • supercomputing
       • Funet (Finnish university and research network)
     • Federated identity: a new way for CSC to support higher education
       • national HAKA federation based on Shibboleth
       • currently in pilot phase (3 IdPs, 4 SPs)
       • to be in production in 2004

  4. Background: AA issues in European higher education
     • Roaming network access technologies:
       • 802.1X & RADIUS proxy hierarchy
       • VPN & complete list of VPN gateways
       • web redirection & RADIUS proxy hierarchy
       • ROAMNODE & RADIUS proxy hierarchy
       • more information: TERENA TF-Mobility, deliverable G
     • Application level access technologies:
       • several federating software packages in use, some of them national
       • Shibboleth, PAPI, FEIDE, A-Select…

  5. Background: University of Helsinki (UH)
     • The largest university in Finland
     • A campus in downtown Helsinki
     • University of Helsinki is deliberating whether to join WLAN roaming
       • would not be fair for UH: probably considerably more visitors coming in than going out?
       • costs would accumulate for UH
     • UH could allow roaming access for some smaller subgroup (e.g. staff & faculty of other universities)
       • authentication is not enough, role based authorisation is needed
       • role attributes need to be passed from the home institution
       • that’s what Shibboleth is made for

  6. How it works
     [Diagram labels: Internet; WAYF 193.166.0.69; Access control device (ACD) (Shibboleth target), SSL port 443 open to: WAYF 193.166.0.69, UTa 153.1.6.41, …; Docking network (HUPnet), University of Helsinki; University of Tampere (UTa), Shibboleth origin 153.1.6.41; Bob, a researcher at UTa]
     1. The user activates his WLAN card and web browser. The ACD (a Shib target) captures the initial HTTP request.
     2. The browser is redirected to the WAYF.
     3. The user selects his IdP. The Shib origin authenticates him.
     4. The IdP provides user attributes to the ACD.
     5. The ACD decides if the user may access (the rest of) the Internet.

  7. Benefits
     • Makes role based authorisation easy
       • the visiting institution makes the access control decision based on the user’s role provided by her home institution
     • Preserves privacy
       • the user’s identity need not be revealed to the visited institution (only her role and home institution are revealed)
     • Single sign-on
       • to shibbolized network and application level services
     • Brings together network and application level access architecture
       • no need for overlapping architectures

  8. Downsides
     • In Europe, cross-organisational and cross-national AAI infrastructure is not as mature as the RADIUS based hierarchy
       • Shibboleth used in Switzerland, Finland, UK…
     • To allow a user to enter her uid & password at her Shibboleth origin site, the access controller needs to maintain an extensive list of the Shibboleth origin sites in the federation
       • the list has to be updated regularly
       • however, the list has to be maintained by the federation anyway
       • CASG (see TERENA TF-Mobility deliverable E) can make the maintenance easier

  9. Practical experiment: HUPnet
     • HUPnet (Helsinki University Public network) has been available for UH staff & students since 2001
       • for WLAN and wired (Ethernet) public access on UH premises
       • the ACD is a Linux box with a web end-user UI
     • UH has started piloting a shibbolized access control device (ACD)
       • previously: AA was based on RADIUS
       • now: Shibboleth
       • implementation to be publicly available
       • http://www.helsinki.fi/atk/english/network/HUPnet.html

  10. More information
     • Mikael Linden, Viljo Viitanen. ”Roaming network access using Shibboleth”, an article in TERENA Networking Conference 2004
       • http://www.terena.nl/conferences/tnc2004/programme/presentations/show.php?pres_id=165
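The access flow of slide 6 and the origin-site list maintenance problem of slide 8, modelled as an added Python example that is not part of the presentation or of the HUPnet implementation. It derives the ACD's pre-authentication allow-list from federation metadata, applies the "only SSL/443 to the WAYF and the origins" rule to traffic from an unauthenticated client, and makes the role based decision on attributes asserted by the home IdP. The metadata document, WAYF host name, entity IDs, the SAML 2.0 metadata format (the 2004 deployment ran Shibboleth 1.x), and the staff/faculty policy are all constructed assumptions.

```python
"""Toy model of a HUPnet-style access control device (ACD).

Added illustration, not the University of Helsinki implementation. The federation
metadata, host names, IdP entity IDs and the role policy are constructed here;
the metadata uses the SAML 2.0 format rather than the Shibboleth 1.x sites file.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed SAML 2.0 federation metadata: two IdPs ("origins") and one SP.
FEDERATION_METADATA = """<?xml version="1.0"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp.example-uta.fi/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example-uta.fi/idp/profile/SAML2/Redirect/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp.example-uh.fi/idp">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.example-uh.fi/idp/profile/SAML2/POST/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>
"""

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
WAYF_HOST = "wayf.example-federation.fi"   # constructed; the slide gives only an IP
PRE_AUTH_PORT = 443                        # slide 6: only SSL/443 is open before login
ROAMING_ROLES = {"staff", "faculty"}       # slide 5: a smaller subgroup, not everyone


def allowlist_from_metadata(metadata_xml: str) -> set:
    """Derive the ACD's pre-authentication allow-list from federation metadata.

    Slide 8's maintenance burden: every IdP SingleSignOnService host must be
    reachable over HTTPS by a not-yet-authenticated client, so the list is
    regenerated from the federation's metadata instead of being hand-edited.
    SPs are skipped: the captive user never needs to reach them to log in.
    """
    root = ET.fromstring(metadata_xml)
    hosts = {WAYF_HOST}
    for entity in root.iter(f"{MD}EntityDescriptor"):
        for sso in entity.iter(f"{MD}SingleSignOnService"):
            url = urlparse(sso.get("Location") or "")
            if url.scheme == "https" and url.hostname:
                hosts.add(url.hostname)
    return hosts


def pre_auth_decision(dst_host: str, dst_port: int, allowlist: set) -> str:
    """Packet filter verdict for a client that has not authenticated yet.

    'allow'    - HTTPS to the WAYF or a federation IdP (steps 2-3 of slide 6)
    'redirect' - plain HTTP is captured and sent to the ACD's login page (step 1)
    'drop'     - everything else stays closed until step 5 succeeds
    """
    if dst_port == PRE_AUTH_PORT and dst_host in allowlist:
        return "allow"
    if dst_port == 80:
        return "redirect"
    return "drop"


def post_auth_decision(attributes: dict) -> bool:
    """Role based authorisation on the attributes asserted by the home IdP (step 5).

    Only affiliation and home organisation are consulted; no identifier of the
    person is required, which is the privacy property claimed on slide 7.
    Attribute names follow eduPerson/SCHAC; the values used here are constructed.
    """
    affiliations = set(attributes.get("eduPersonAffiliation", []))
    home_org = attributes.get("schacHomeOrganization")
    return bool(home_org) and bool(affiliations & ROAMING_ROLES)


if __name__ == "__main__":
    allowed = allowlist_from_metadata(FEDERATION_METADATA)
    print("pre-auth allow-list:", sorted(allowed))
    print("https to IdP     :", pre_auth_decision("idp.example-uta.fi", 443, allowed))
    print("http to anywhere :", pre_auth_decision("www.example.com", 80, allowed))
    print("https elsewhere  :", pre_auth_decision("www.example.com", 443, allowed))
    bob = {"eduPersonAffiliation": ["staff"], "schacHomeOrganization": "example-uta.fi"}
    print("Bob (UTa staff) admitted:", post_auth_decision(bob))
```

The allow-list is keyed on host names here for readability; a real packet filter in front of a docking network would resolve them to addresses (as the slide's 193.166.0.69 and 153.1.6.41 entries suggest) and reload the rules whenever the federation publishes new metadata.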
