Deploying Authorization Mechanisms for Federated Services in eduroam

Klaas Wierenga, EuroCAMP
Helsinki, 17 & 18 April 2007

Contents
  • Intro
  • eduroam
  • The European eduroam confederation
  • eduGAIN
  • DAMe
  • Summary
Federations in European education
  • Enable the sharing of educational resources
  • Applications: Shibboleth, PAPI, A-Select, Liberty; federated with eduGAIN
  • Network: eduroam
  • Both require agreement on: responsibilities, privacy, liability, technology, language, standards
The goal of eduroam
  “open your laptop and be online”
  or
  To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
eduroam
  [Diagram: a guest's supplicant ([email protected]_b.nl) connects to the authenticator (AP or switch) at University A. University A's RADIUS server, which only has its own User DB, forwards the request via the central RADIUS proxy server (SURFnet) to University B's RADIUS server, which checks its User DB. Signalling and data paths are drawn separately; VLANs shown: Guest, Commercial, Employee, Student.]
  • Trust based on RADIUS plus policy documents
  • 802.1X
  • (VLAN assignment)

eduroam interactions
  [Diagram: the eduroam hierarchy between the Resource (AP) and the Id Repository; the servers are linked by RADIUS + TLS channel(s), and the user's identity ([email protected]) is carried in the request at each hop.]

RADIUS server debug log (Radiator) of a guest login over EAP-TTLS: the outer Access-Request arrives from the access point, the tunnelled request is dispatched to the handler for the guest realm, matched against the guest users file and accepted. User names in this copy are masked as [email protected].

Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code: Access-Request
Identifier: 1
Authentic: k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
Attributes:
    User-Name = "[email protected]"
    NAS-IP-Address = 145.99.133.194
    Called-Station-Id = "001217d45bc7"
    Calling-Station-Id = "0012f0906ccb"
    NAS-Identifier = "001217d45bc7"
    NAS-Port = 55
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    EAP-Message = <2><0><0>-<1>[email protected]
    Message-Authenticator = <27>`-y<208><232><252><177>.<160><230><177>I<218><243>\
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for [email protected]case.surfnet.nl, 145.99.133.194,
Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wie[email protected] [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : [email protected].showcase.surfnet.nl [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for [email protected]se.surfnet.nl
Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code: Access-Accept
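The Access-Request in the dump above carries the EAP identity plus a Message-Authenticator, and the only thing a proxy in the eduroam hierarchy routes on is the realm behind the '@' in User-Name. The following Python is an added example, not code from the presentation or from Radiator: it builds such a packet, verifies the Message-Authenticator (HMAC-MD5 keyed with the shared secret, computed with the attribute's own value zeroed, as RFC 2869 and RFC 3579 require) the way a proxy or home server should before trusting an EAP request, and then decides whether to authenticate locally or forward to the national proxy. The shared secret, the identity visitor@guest.showcase.surfnet.nl, the NAS address and the set of local realms are constructed.

```python
"""Build, verify and realm-route a RADIUS Access-Request shaped like the one in the
eduroam debug dump above. Added example, not code from the presentation; the
shared secret, identity and NAS address are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, NAS_PORT_TYPE = 1, 4, 61
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
WIRELESS_80211 = 19                      # NAS-Port-Type = Wireless-IEEE-802-11


def attr(kind, value):
    """One RADIUS attribute: Type, Length (including these two bytes), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([kind, len(value) + 2]) + value


def eap_response_identity(identity, eap_id=0):
    """EAP-Response/Identity: Code=2, Identifier, Length, Type=1, identity string."""
    data = identity.encode()
    return struct.pack("!BBH", 2, eap_id, 5 + len(data)) + b"\x01" + data


def build_access_request(secret, identifier, identity, nas_ip, authenticator=None):
    """Access-Request carrying EAP. Message-Authenticator = HMAC-MD5(secret, packet)
    computed with its own 16-byte value zeroed (RFC 2869 / RFC 3579)."""
    authenticator = authenticator or os.urandom(16)      # Request Authenticator: random
    attrs = (attr(USER_NAME, identity.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + attr(EAP_MESSAGE, eap_response_identity(identity))
             + attr(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder, last attribute
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...])."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((kind, packet[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, packet[4:20], attrs


def verify_message_authenticator(packet, secret):
    """What a proxy or home server does before trusting an EAP request from a peer:
    recompute the HMAC over the packet with the Message-Authenticator value zeroed."""
    _, _, _, attrs = parse(packet)
    macs = [v for k, v in attrs if k == MESSAGE_AUTHENTICATOR]
    if len(macs) != 1 or len(macs[0]) != 16:
        return False          # no single valid Message-Authenticator: discard the request
    zeroed = packet[:20] + b"".join(
        attr(k, bytes(16) if k == MESSAGE_AUTHENTICATOR else v) for k, v in attrs)
    return hmac.compare_digest(hmac.new(secret, zeroed, hashlib.md5).digest(), macs[0])


def route(packet, secret, local_realms=frozenset({"guest.showcase.surfnet.nl"})):
    """Realm-based routing as in the eduroam hierarchy: verify first, then look at the
    part after the last '@' of User-Name; own realm -> authenticate locally, any other
    realm -> forward to the national proxy, no realm -> drop (nothing to route on)."""
    if not verify_message_authenticator(packet, secret):
        return ("drop", "bad or missing Message-Authenticator")
    _, _, _, attrs = parse(packet)
    names = [v.decode("utf-8", "replace") for k, v in attrs if k == USER_NAME]
    if len(names) != 1 or "@" not in names[0]:
        return ("drop", "no routable realm")
    realm = names[0].rsplit("@", 1)[1].lower()
    return ("local", realm) if realm in local_realms else ("proxy", realm)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 1, "visitor@guest.showcase.surfnet.nl", "145.99.133.194")
    print(route(pkt, secret))                 # ('local', 'guest.showcase.surfnet.nl')
    print(route(pkt, b"wrong-secret"))        # ('drop', 'bad or missing Message-Authenticator')
```

A proxy that forwards before checking the Message-Authenticator would relay EAP conversations that anyone on the path could have injected or altered, and the Message-Authenticator is the only integrity protection an Access-Request has once it leaves the NAS (the Request Authenticator is just a random nonce). The realm check keeps a user name without '@' from being sprayed up the hierarchy. Checking the Access-Accept on the way back (Response Authenticator) is left out here.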

European eduroam confederation
  • Single technology: RADIUS, 802.1X, EAP
  • Authentication = authorisation: a successful authentication by the home institution is what grants network access; there is no separate authorisation step
The eduGAIN model
  [Diagram: a Metadata Service (MDS) to which the remote and home federation peering points (R-FPP, H-FPP) publish metadata, and which is queried to locate peers. The Resource(s) sit behind the remote bridging element (R-BE), the Id Repository(ies) behind the home bridging element (H-BE); the AA interaction runs Resource(s) <-> R-BE <-> H-BE <-> Id Repository(ies).]
  Lingua franca: SAML

eduGAIN interactions
  [Diagram: the Requester on the Resource side (entityID urn:geant2:...:requester) and the Responder on the Id Repository side (entityID urn:geant2:...:responder) exchange SAML messages over TLS channel(s); the requester locates the responder through the MDS, also over a TLS channel.]

  Metadata query: https://mds.geant.net/?cid=someURN

  Metadata returned by the MDS:
    <EntityDescriptor . . . entityID="urn:geant2:..:responder">
      . . .
      <SingleSignOnService . . . Location="https://responder.dom/" />
      . . .

  Request from requester to responder:
    <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…">
      . . .
    </samlp:Request>

  Response, tied to the request by InResponseTo:
    <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…">
      . . .
    </samlp:Response>
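The requester side of the exchange sketched above, as an added example in Python (not eduGAIN's own code): read the responder's SingleSignOnService Location out of its metadata, issue a samlp:Request with a fresh RequestID, and accept only a samlp:Response whose InResponseTo names a request that is still outstanding and whose ResponseID has not been seen before. The entityID urn:geant2:example:responder and the metadata are constructed, the MDS query is replaced by an in-memory string, and XML signature checking is out of scope.

```python
"""Requester side of the eduGAIN exchange: endpoint from metadata, samlp:Request with a
fresh RequestID, samlp:Response accepted only when InResponseTo matches an outstanding
request. Added example, not eduGAIN code; entity IDs and metadata are constructed and
the MDS fetch is replaced by an in-memory string."""
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS_SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"

# Constructed stand-in for what https://mds.geant.net/?cid=<entityID> would return.
RESPONDER_ID = "urn:geant2:example:responder"
RESPONDER_METADATA = f"""<EntityDescriptor xmlns="{NS_MD}" entityID="{RESPONDER_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:bindings:SOAP-binding"
                         Location="https://responder.dom/" />
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def sso_endpoint(metadata_xml, entity_id):
    """Location of the responder's SingleSignOnService, or None if the metadata describes
    a different entity than the one asked for or offers no TLS-protected endpoint."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS_MD}}}EntityDescriptor" or root.get("entityID") != entity_id:
        return None
    for sso in root.iter(f"{{{NS_MD}}}SingleSignOnService"):
        if sso.get("Location", "").startswith("https://"):
            return sso.get("Location")
    return None


class Requester:
    def __init__(self):
        self.pending = {}    # RequestID -> responder entityID, until answered
        self.seen = set()    # ResponseIDs already accepted (replay detection)

    def new_request(self, responder_id):
        rid = "_" + secrets.token_hex(16)     # unguessable, so a forged reply cannot correlate
        self.pending[rid] = responder_id
        req = ET.Element(f"{{{NS_SAMLP}}}Request", RequestID=rid, IssueInstant=_now(),
                         MajorVersion="1", MinorVersion="1")
        return ET.tostring(req, encoding="unicode")

    def accept(self, response_xml):
        """True only for a fresh response to a request this requester actually sent."""
        root = ET.fromstring(response_xml)
        if root.tag != f"{{{NS_SAMLP}}}Response":
            return False
        resp_id, in_reply = root.get("ResponseID"), root.get("InResponseTo")
        if not resp_id or resp_id in self.seen:   # replayed response
            return False
        if in_reply not in self.pending:          # unsolicited, or request already answered
            return False
        del self.pending[in_reply]
        self.seen.add(resp_id)
        return True


def request_id_of(request_xml):
    return ET.fromstring(request_xml).get("RequestID")


def make_response(in_response_to, response_id):
    """Responder side (constructed): answer the request with the given ID."""
    resp = ET.Element(f"{{{NS_SAMLP}}}Response", ResponseID=response_id,
                      InResponseTo=in_response_to, IssueInstant=_now(),
                      MajorVersion="1", MinorVersion="1")
    return ET.tostring(resp, encoding="unicode")


if __name__ == "__main__":
    endpoint = sso_endpoint(RESPONDER_METADATA, RESPONDER_ID)     # https://responder.dom/
    requester = Requester()
    request = requester.new_request(RESPONDER_ID)
    response = make_response(request_id_of(request), "_" + secrets.token_hex(16))
    print(endpoint, requester.accept(response), requester.accept(response))   # ... True False
```

The InResponseTo check is what binds a reply to the request that caused it; without it a resource would accept any well-formed response, including one captured from an earlier session. In eduGAIN this complements, not replaces, the TLS channel and signed SAML messages that authenticate the peer: the example only decides whether a response is one the requester was waiting for.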

DAMe
Deploying Authorization Mechanisms for Federated Services in eduroam

DAMe is a project that builds upon:
  • eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard
  • Shibboleth and eduGAIN
  • NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards

Universities of Murcia and Stuttgart within Géant2 JRA5
1st: Extension of eduroam with authZ
  [Diagram: the eduroam set-up from before (supplicant, authenticator (AP or switch), RADIUS servers of University A and University B with their user DBs, central RADIUS proxy server) for the guest [email protected]_b.nl, extended with a Policy Decision Point evaluating XACML policies and a Source Attribute Authority supplying the user's attributes in SAML. Signalling and data paths are drawn separately.]
  • User mobility controlled by assertions and policies expressed in SAML and XACML
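What "assertions and policies expressed in SAML and XACML" comes down to at the decision point, as an added example in Python (not DAMe's or NAS-SAML's code): the attributes the home institution's attribute authority asserts about the visitor are evaluated against an XACML policy set, and a Permit comes back with an obligation naming the VLAN the visited network must put the user in. The evaluator covers only a subset of XACML 2.0 (first-applicable combining, string-equal subject matches, obligations fulfilled on Permit); the policy set, the SAML fragment and the obligation attribute urn:example:dame:vlan-id are constructed, while urn:mace:dir:attribute-def:eduPersonAffiliation is the standard eduPerson attribute name.

```python
"""Network-access authorisation of the kind DAMe/NAS-SAML adds to eduroam: attributes
from a SAML assertion are evaluated against an XACML policy set, and a Permit carries
a VLAN obligation for the enforcement point. Added example, not DAMe's own code: a small
subset of XACML 2.0 (first-applicable combining, string-equal subject matches, Permit
obligations) over constructed policies."""
import xml.etree.ElementTree as ET

NS_XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
NS_SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XSD_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = ("urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable",
                    "urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable")
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"   # standard eduPerson attribute
VLAN_ID = "urn:example:dame:vlan-id"                             # hypothetical obligation attribute


def x(tag):
    return f"{{{NS_XACML}}}{tag}"


def vlan_policy(policy_id, affiliation, vlan):
    """One Policy: Permit when eduPersonAffiliation equals `affiliation`, obliging the
    enforcement point to place the user in VLAN `vlan`."""
    return f"""
  <Policy PolicyId="{policy_id}" RuleCombiningAlgId="{FIRST_APPLICABLE[1]}">
    <Target><Subjects><Subject>
      <SubjectMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XSD_STRING}">{affiliation}</AttributeValue>
        <SubjectAttributeDesignator AttributeId="{AFFILIATION}" DataType="{XSD_STRING}"/>
      </SubjectMatch>
    </Subject></Subjects></Target>
    <Rule RuleId="{policy_id}-permit" Effect="Permit"/>
    <Obligations><Obligation ObligationId="urn:example:dame:assign-vlan" FulfillOn="Permit">
      <AttributeAssignment AttributeId="{VLAN_ID}" DataType="{XSD_STRING}">{vlan}</AttributeAssignment>
    </Obligation></Obligations>
  </Policy>"""


# Constructed policy set: employees to VLAN 10, students to VLAN 20, everyone else denied.
POLICY_SET = f"""<PolicySet xmlns="{NS_XACML}" PolicySetId="eduroam-vlan"
           PolicyCombiningAlgId="{FIRST_APPLICABLE[0]}">
  <Target/>{vlan_policy('employee', 'employee', '10')}{vlan_policy('student', 'student', '20')}
  <Policy PolicyId="default-deny" RuleCombiningAlgId="{FIRST_APPLICABLE[1]}">
    <Target/>
    <Rule RuleId="deny-rest" Effect="Deny"/>
  </Policy>
</PolicySet>"""

# Constructed SAML 1.x fragment as the home institution's attribute authority might
# return it for a visiting employee.
SAMPLE_ASSERTION = f"""<Assertion xmlns="{NS_SAML}"><AttributeStatement>
  <Attribute AttributeName="{AFFILIATION}"><AttributeValue>employee</AttributeValue>
  <AttributeValue>member</AttributeValue></Attribute></AttributeStatement></Assertion>"""


def target_matches(target, attrs):
    """XACML Target: absent or empty -> applicable; Subjects is a disjunction of Subject
    elements, each a conjunction of SubjectMatch; an unsupported MatchId fails closed."""
    subjects = None if target is None else target.find(x("Subjects"))
    if subjects is None:
        return True
    for subject in subjects.findall(x("Subject")):
        all_matched = True
        for match in subject.findall(x("SubjectMatch")):
            if match.get("MatchId") != STRING_EQUAL:
                return False
            wanted = match.find(x("AttributeValue")).text
            attr_id = match.find(x("SubjectAttributeDesignator")).get("AttributeId")
            if wanted not in attrs.get(attr_id, ()):   # string-equal against the attribute bag
                all_matched = False
                break
        if all_matched:
            return True
    return False


def evaluate_policy(policy, attrs):
    """(decision, obligations) for one Policy under first-applicable rule combining."""
    if policy.get("RuleCombiningAlgId") not in FIRST_APPLICABLE:
        raise ValueError("unsupported rule-combining algorithm")
    if not target_matches(policy.find(x("Target")), attrs):
        return "NotApplicable", {}
    for rule in policy.findall(x("Rule")):
        if target_matches(rule.find(x("Target")), attrs):
            effect = rule.get("Effect")
            obligations = {a.get("AttributeId"): a.text
                           for ob in policy.iter(x("Obligation")) if ob.get("FulfillOn") == effect
                           for a in ob.findall(x("AttributeAssignment"))}
            return effect, obligations
    return "NotApplicable", {}


def decide(policy_set_xml, attrs):
    """PDP entry point; attrs maps attribute ID -> list of values (an XACML bag)."""
    root = ET.fromstring(policy_set_xml)
    if root.get("PolicyCombiningAlgId") not in FIRST_APPLICABLE:
        raise ValueError("unsupported policy-combining algorithm")
    for policy in root.findall(x("Policy")):
        decision, obligations = evaluate_policy(policy, attrs)
        if decision != "NotApplicable":
            return decision, obligations
    return "NotApplicable", {}


def attributes_from_assertion(assertion_xml):
    """Flatten a SAML 1.x AttributeStatement into the bag form decide() expects."""
    attrs = {}
    for attribute in ET.fromstring(assertion_xml).iter(f"{{{NS_SAML}}}Attribute"):
        values = [v.text for v in attribute.findall(f"{{{NS_SAML}}}AttributeValue")]
        attrs.setdefault(attribute.get("AttributeName"), []).extend(values)
    return attrs
```

decide(POLICY_SET, attributes_from_assertion(SAMPLE_ASSERTION)) yields Permit with the VLAN 10 obligation; a visitor whose assertion carries no matching affiliation falls through to the default-deny policy. The fail-closed choices matter in practice: an unknown combining algorithm or match function raises or denies rather than silently permitting, and the trailing default-deny policy makes the result for unforeseen attribute values explicit instead of NotApplicable, which a PEP might otherwise misread as "no objection".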

2nd: eduGAIN AuthN+AuthZ backend
  • Link between the AAA servers (now acting as Service Providers) and eduGAIN
3rd: Universal Single Sign On
  • Users will be authenticated once, during the network access control phase
  • The eduGAIN authentication would be bootstrapped from NAS-SAML
  • New method for delivering authentication credentials and new security middleware
  • 4th goal: integrating applications, focusing on grids
eduroam+NAS-SAML in context
  • The proposal is functionally equivalent to the one discussed in Internet2 SALSA-FWNA for RADIUS-SAML integration
  • Compatibility and convergence are the natural way forward
  • NAS-SAML is, from the inter-realm view, a Diameter binding for SAML; it is already available, thus allowing fast evaluation of ideas
  • Agree on the basics: the data exchanged in RADIUS space, and the relevant attributes
Summary
  • Convergence to a (small number of) standards: 802.1X + RADIUS, the SAML orbit
  • International confederations are emerging: eduroam, Géant2 AAI (eduGAIN)
  • The twain will ever meet, using the same principles and standards