
Authentication and Authorisation Infrastructure - AAI

The AAI project aims to establish a cross-organisational infrastructure offering authentication and authorisation services for the Swiss higher education system. It provides a foundation for e-Academia, a virtual community where individuals associated with the higher education system can access electronic resources across institutions.



Presentation Transcript


  1. Authentication and Authorisation Infrastructure - AAI
     Christoph Graf <graf@switch.ch>, Project Leader AAI, SWITCH

  2. The Foundation SWITCH
     Set up in 1987 with the purpose: “... to create, promote and maintain the necessary fundamental means for efficient use of modern telecommunication methods for the benefit of education and research in Switzerland and to participate in such fundamental activities....”
     … amazingly enough, it still holds true without tweaking

  3. Business Areas of SWITCH
     [Diagram: four business areas, Network, Security, Internet Identifiers and NetServices, each with its services; the assignment of the items to the areas is not recoverable from the transcript. Items shown: Network Operation; Engineering (IP, QoS, Routing, ...); SWITCHmobile; SWITCHvconf; Service Monitoring; Incident Handling; Laboratory; Domain Name Registration; User Registrations; Invoicing; Administration; Help Desk; Online-Queries; Middleware incl. AAI; Content Delivery and Tools; Diverse Applications incl. News; Consulting.]

  4. How it all began…
     • Call for participation in the Swiss Virtual Campus (SVC) in 1999
       • Fair amount of federal funds for the creation of e-learning course contents
       • Applying teams need to build consortia
       • Courses must be offered to consortia member organisations for free
       • Consortia members should put those courses into their curricula
     • Problems
       • How to deal with user authentication and authorisation in this cross-organisational context?
       • Should every team solve the same problem individually?
       • The SVC is about contents, not tools
     • SWITCH’s answer
       • This is an opportunity to drive and co-ordinate efforts in our community
       • The AAI activity (Authentication and Authorisation Infrastructure) was outlined
       • It aims at establishing a cross-organisational infrastructure offering authentication and authorisation services (in a wider context than just covering the needs of the SVC)

  5. e-Academia / AAI Concept
     Vision of e-Academia: “We want a virtual community across our institutions in which all persons associated with the Swiss Higher Education System are able to gain access to its electronic resources, independent of the accrediting organization and independent of the place where they happen to be working.”
     AAI as the foundation of e-Academia: “… let’s develop e-Academia, let us build the foundations in the form of a uniform authentication and authorization infrastructure (AAI) for the higher education system in Switzerland…”
     Roadmap (2000-2005): Concept, Study, Pilot, Realization V1.0, Realization V2.0

  6. The AA Problem (1)
     [Diagram: one User with an ID and credentials (plus Swiss passport) registered at one Resource Owner (University of Zurich), which holds the info about the user and the Resource.]
     1 user - 1 resource - 1 organization: NO PROBLEM

  7. The AA Problem (2)
     [Diagram: the same User holds separate IDs and credentials for Resource A (University of Zurich), Resource B (University of Lausanne) and Resource C (University Hospital of Geneva); each Resource Owner keeps its own info about the user.]
     Many users - many resources - many organizations: A PROBLEM

  8. The AA Model (1)
     [Diagram, labelled “Pre-processing”: the User registers (step 1, Registration) with the User’s Home Org, which stores the info (name, address, ...) in its User DB. The Resource Owner runs the Resource behind an Access Control Manager driven by an Access Control Definition. Legend: system data.]

  9. The AA Model (2)
     [Diagram: the AAI links the User’s Home Org (User DB, Authentication) with the Resource Owner (Access Control Definition, Access Control Manager, Resource). Steps: 1 Authentication of the user at the Home Org; 2 Access request of an authenticated user to the Resource; 3 Authorization Information Delivery from the Home Org to the Resource Owner. Legend: system data, AAI-interaction.]

  10. The AA Model (3)
     [Diagram: as on slide 9, with a Log at the Resource Owner feeding Other Applications (Accounting, Billing, Statistics).]
     • Input to Accounting or Billing systems:
       • AAI provides Identity of User and/or Name of Home Organization
       • Resource measures the interactions between a user and the resource

  11. Scope of the AAI
     [Diagram: the AAI in the centre provides inter-organizational user authentication and secure transfer of authorization attributes. On the input side: Authentication systems (Unix/Windows login, PKI, Integrated Systems, WEB Single Sign-on, SmartCards) and User Directories. On the output side: WEB resources, WEB Portals, Accounting, Billing, Document encryption, Legacy Applications, Secure e-mail.]

  12. Advantages of an AAI
     • Virtual Mobility: AAI is a requirement if students of different universities wish to use common resources, and it is the basis for initiatives such as the Swiss Virtual Campus.
     • Information protection: AAI simplifies the protection of information by applying standardized mechanisms. Resource owners can concentrate on the protection of their resources without having to implement an entire system including registration and authentication.
     • Remote access: AAI makes it possible to authorize users based on personal attributes of a user instead of IP addresses. User authorization thus becomes location-independent.
     • User friendliness: After a single registration a user can access a number of resources. Only one authentication technology is applied.
     • IT efficiency: Standardized AA systems and cooperation among IT organizations improve the efficiency in the implementation and operation of security solutions.
     • Administration overhead: Without AAI, a user has to register with various organizations. It is feared that the administrative overhead of individual organizations will increase dramatically. AAI counteracts this tendency.
     • Image: Complicated and inconsistent AA mechanisms, or the isolation of resources and user groups, are no longer state of the art. Not having an AAI will damage the image in the long run.

  13. Project Planning: Roadmap
     2001-2005: Study, Pilot, Realization V1.0, Realization V2.0
     Decision: building up of infrastructure (June 2003)
     Study phase (Jul - Sept 02, Oct - Dec 02, Jan - March 03, Apr - Jun 03), work items:
     • Pilot projects
     • Tech. & org. concept
     • Legal basis
     • Service description
     • Selection of architecture
     • Budgeting the implementation of Release 1.0
     • Policy
     • Attribute specification

  14. Authorisation Attributes
     User attributes for AAI
     • are based on standards (LDAP: eduPerson, SHIS/SIUS)
     • have to be available in real-time
     • have to be handled as required by federal and cantonal data protection laws:
       • attributes have to be accurate
       • attributes have to be stored securely
       • attributes should only be transferred to resources with a valid case to use them
     • will be revised in the future in a standardised change process, depending on the requirements of Resource Owners and Home Organizations
     Personal attributes
     • Unique Identifier (anonymous)
     • Surname
     • Given name
     • Date of birth
     • Gender
     • E-mail
     • Address(es)
     • Phone number(s)
     • Preferred language
     Group membership
     • Name of Home Organization
     • Type of Home Organization
     • Affiliation (student, staff, faculty, …)
     • Study branch
     • Study level
     • Staff category
     • Organization Path
     • Organization Unit Path
     • Group membership

  15. Shibboleth AA Process
     Parties: User; Resource Owner (SHIRE, SHAR, Resource Manager, Resource); WAYF; User’s Home Org (Handle Service HS, Attribute Authority AA, User DB).
     [Diagram: message flow with arrows numbered 1 to 10; the transcript does not preserve which number belongs to which arrow, so the speech bubbles are listed below in the order the dialogue implies.]
     • User requests the resource; the request arrives at the SHIRE.
     • SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
     • WAYF: “Please tell me where you come from.”
     • WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
     • HS: “I don’t know you. Please authenticate yourself.” The user presents credentials, which the HS checks against the User DB.
     • HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
     • SHAR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (the handle is sent to the AA)
     • AA: “Let’s pass over the attributes the user has allowed me to release.”
     • Resource Manager: “OK, based on the attributes, I grant access to the resource.”

  16. Preconditions for Home Organizations
     • Registration
       • A Home Organization must be able to
         • register its users and store information about them in a user directory (database)
         • provide a minimal set of such user attributes to the AAI
       • The registration and administration processes have to guarantee that these attributes are kept accurate
     • Authentication
       • A Home Organization has to offer secure authentication over the network to its users
       • It is up to the Home Organization which authentication technology it chooses.
     [Diagram: User’s Home Org with Registration (info: name, address, ...) into the User DB and Authentication (ID, password) against it.]

  17. AAI-enabling of Home Organizations
     • AAI integration between
       • authentication system and AAI
       • user DB / directory and AAI
     • Data consolidation
       • Make sure that all the attributes needed are available online in the appropriate AAI format
       • If necessary, create a specific AAI user directory (read-only, periodically updated from master databases)
     [Diagram: several User DBs consolidated into an AAI Dir; the AAI obtains attributes from the AAI Dir and a Yes/No answer from the Home Org’s authentication.]

  18. Resource Types (1)
     • Type A
       • Unpersonalized web resources
       • Access control policy based on group membership attributes
       • AAI extensions for web server
       • Example: Intranet web servers
     • Type B
       • Personalized web resources
       • Access control policy based on individual and group membership attributes
       • AAI extensions for web server
       • Examples: Discussion forum, Web mail, Student administration
     [Diagrams: for both types the Resource Owner runs AAI, Access Control Definition, Access Control Manager and the Resource; Type B additionally has its own User DB.]

  19. Resource Types (2)
     • Type C
       • Unpersonalized “black box” web resources with proprietary access control
       • AAI proxy
       • Example: 3rd party content providers (libraries)
     • Type D
       • Personalized “black box” web resources with proprietary access control and user administration
       • AAI portal or AAI proxy
       • Examples: E-learning platforms, Standard applications
     [Diagrams: the Resource Owner places an AAI-Proxy (Type C) or an AAI-Portal or AAI-Proxy (Type D), with AAI, Access Control Definition and Access Control Manager, in front of the Resource(s); Type D additionally has a User DB.]

  20. Preconditions for Resources
     • Access Control
       • Access Control Policy can be expressed and implemented as rules based on authorization attributes
       • Received attributes have to be appraised as trustworthy
       • Resource is of type A-D (detailed technical requirements will follow); if not, technical feasibility has to be verified.
     • Legal Basis
       • A Resource belongs to an Organization bound to the AAI Policy
       • A Resource Owner agrees to handle received attributes as required by the AAI Policy and the Federal and Cantonal Data Protection Law
     [Diagram: Resource Owner with Access Control Definition, Access Control Manager and Resource.]
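The flow of slide 15 and the attribute rules of slides 14 and 20 (release only what the user allowed and the resource has a valid case to use; express the access control policy as rules over attributes) can be exercised in a small simulation. The following Python is an added example, not SWITCH AAI or Shibboleth code: the home organisation, user, password, attribute values, release policies and resource names are all constructed, the WAYF step is left out because only one home org exists, and the handle is a random token instead of a Shibboleth handle.

```python
"""Simulation of the slide-15 AA process with the attribute rules of slides 14 and 20.

Added example, not SWITCH AAI or Shibboleth code.  All names, users, passwords,
attribute values and release policies are constructed for the simulation.
"""
import secrets
from dataclasses import dataclass, field
from typing import Callable

# Constructed home-organisation user directory.  Attribute names follow the
# attribute list on slide 14; the values are invented.
USER_DB = {
    "alice": {
        "password": "correct-horse",  # constructed credential
        "attributes": {
            "uniqueID": "u-4711",             # anonymous unique identifier
            "surname": "Muster",
            "givenName": "Alice",
            "email": "alice@example.edu",
            "homeOrganization": "example.edu",
            "affiliation": "student",
            "studyLevel": "master",
            "groupMembership": {"course-101"},
        },
        # Attributes the user has allowed the AA to release, per resource
        # (slide 15: "the attributes the user has allowed me to release").
        "release": {
            "intranet": {"affiliation", "homeOrganization"},
            "forum": {"uniqueID", "affiliation", "groupMembership"},
            "webmail": {"uniqueID"},
        },
    },
}


class HandleService:
    """Home-org Handle Service: authenticates the user, hands out an opaque handle."""

    def __init__(self, user_db):
        self._user_db = user_db
        self._handles = {}  # handle -> user id; this mapping stays inside the home org

    def authenticate(self, user, password):
        entry = self._user_db.get(user)
        if entry is None or not secrets.compare_digest(entry["password"], password):
            return None  # no handle without successful authentication
        handle = secrets.token_hex(16)  # random, carries no identity information
        self._handles[handle] = user
        return handle

    def resolve(self, handle):
        return self._handles.get(handle)


class AttributeAuthority:
    """Home-org AA: releases an attribute only if the user allowed it for this
    resource AND the resource declared a valid case to use it (slide 14)."""

    def __init__(self, user_db, handle_service):
        self._user_db = user_db
        self._hs = handle_service

    def attributes(self, handle, resource_name, requested):
        user = self._hs.resolve(handle)
        if user is None:
            return {}  # unknown handle: nothing is released
        entry = self._user_db[user]
        allowed = entry["release"].get(resource_name, set())
        return {name: value for name, value in entry["attributes"].items()
                if name in allowed and name in requested}


@dataclass
class Resource:
    name: str
    requested: set                            # attributes the resource needs
    rule: Callable[[dict], bool]              # Access Control Definition over attributes
    log: list = field(default_factory=list)   # slide 10: the resource logs interactions


def access_resource(resource, handle, aa):
    """Resource side (SHAR + Access Control Manager): fetch the attributes for the
    handle, evaluate the rule, log the decision.  A withheld attribute simply makes
    the rule fail; the resource never learns the identity unless uniqueID was released."""
    attrs = aa.attributes(handle, resource.name, resource.requested)
    granted = resource.rule(attrs)
    resource.log.append((handle, granted, sorted(attrs)))
    return granted, attrs


def run_aa_process(user, password, resource, hs, aa):
    """Whole flow of slide 15 (WAYF step omitted: one home org in this simulation)."""
    handle = hs.authenticate(user, password)
    if handle is None:
        return False, {}
    return access_resource(resource, handle, aa)


# Type A (slide 18): unpersonalised intranet server, rule on group-type attributes only.
INTRANET = Resource("intranet", {"affiliation", "homeOrganization"},
                    lambda a: a.get("affiliation") in {"student", "staff", "faculty"}
                    and a.get("homeOrganization") == "example.edu")

# Type B (slide 18): personalised discussion forum, rule on identifier + group membership.
FORUM = Resource("forum", {"uniqueID", "groupMembership"},
                 lambda a: "uniqueID" in a and "course-101" in a.get("groupMembership", set()))

# Type B resource whose rule needs an attribute the user has not released for it.
WEBMAIL = Resource("webmail", {"uniqueID", "email"},
                   lambda a: "uniqueID" in a and "email" in a)

HS = HandleService(USER_DB)
AA = AttributeAuthority(USER_DB, HS)

if __name__ == "__main__":
    for res in (INTRANET, FORUM, WEBMAIL):
        granted, released = run_aa_process("alice", "correct-horse", res, HS, AA)
        print(f"{res.name}: granted={granted} released={sorted(released)}")
```

Running it grants the intranet and forum access and denies webmail: the webmail rule needs the e-mail attribute, the user allowed only the identifier for that resource, so the AA withholds it and the Access Control Manager denies without ever seeing the rest of the directory entry. The resource receives an opaque handle and only the released attributes, which is the point of slides 14 and 15.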

  21. AAI-enabling Resources
     • For Resources of Type A and B
       • Install AAI on Resource
       • Configure (implement) Access Control Definition
       • For personalized resources: implement interaction with User DB
     • For Resources of Type C and D
       • Implement Portal/Proxy
       • Install AAI on Portal/Proxy
       • Configure (implement) Access Control Definition on Portal/Proxy
       • For personalized resources: implement interaction with User DB
     [Diagram: Resource Owner with AAI, User DB, Access Control Definition, Access Control Manager, and Resource or Portal.]

  22. The Legal Basis of an AAI
     [Diagram: the AAI Service Provider issues the AAI Policy (“Club rules”) and has a Service Agreement with each participating organisation (Org A, Org B, Org C, ...); each organisation’s User Regulations apply to its users.]

  23. AAI Programme Management
     [Gantt chart, Jan – Jun 2003 to Jul – Dec 2004: Home Organizations (UNI A to UNI E, SWITCH Pilot, RE1, RE2) and Resource Owners (Res 1 to Res 6) joining in successive half-years.]

  24. AAI Programme Management
     [Same Gantt chart as slide 23, with Resource Owners extended to Res 1 to Res 9 plus further unnumbered resources.]

  25. Simple Identity Management Classification (from simple to complex)
     • MS Passport
       • Trust model: One external trust broker, trust monopoly
       • One central user database
       • One single Home Organisation for all users
     • Shibboleth
       • Trust model: “Club” of organisations trusting each other (but not necessarily their users!)
       • Decentralised user database at “Club” member sites
       • “Club” members acting as Home Organisation
       • Users are registered with exactly one Home Organisation, maintaining their electronic identity (otherwise, they end up owning multiple electronic identities)
     • Liberty Alliance
       • Same as Shibboleth except:
         • Users may register with multiple “Club” members
         • Each Club member is maintaining a part of their user’s electronic identity

  26. Questions?
