Authentication and Authorisation Infrastructure - AAI - PowerPoint PPT Presentation
Presentation Transcript
Authentication and Authorisation Infrastructure - AAI

Christoph Graf <graf@switch.ch>, Project Leader AAI, SWITCH

e-Academia / AAI Concept

Vision of e-Academia

“We want a virtual community across our institutions in which all persons associated with the Swiss Higher Education System are able to gain access to its electronic resources, independent of the accrediting organization and independent of the place where they happen to be working.”

AAI as the foundation of e-Academia

“… let’s develop e-Academia, let us build the foundations in the form of a uniform authentication and authorization infrastructure (AAI) for the higher education system in Switzerland…”

Roadmap

[Timeline figure spanning 2000 to 2005 with the phases Concept, Study, Pilot, Realization V1.0 and Realization V2.0.]

The AA Problem (1)

[Diagram: a single User holds an ID and credentials (pictured with a Swiss passport as analogy) and accesses one Resource at the University of Zurich; the Resource Owner keeps the info about the user.]

1 user - 1 resource - 1 organization: NO PROBLEM

The AA Problem (2)

[Diagram: the same User now holds a separate ID and set of credentials for each of Resource A (University of Zurich), Resource B (University of Lausanne) and Resource C (University Hospital of Geneva), and each resource keeps its own info about the user.]

Many users - many resources - many organizations: A PROBLEM

The AA Model (1)

[Diagram: the User's Home Org registers the User in its User DB (Info: name, address, ...). The Resource Owner defines an Access Control Definition that is enforced by the Access Control Manager in front of the Resource. Step 1: Registration (pre-processing). Legend: system, data.]

The AA Model (2)

[Diagram: the User's Home Org holds the User DB and performs Authentication; the Access Control Manager at the Resource Owner enforces the Access Control Definition on the Resource. Steps: (1) Authentication at the Home Org, (2) Access Request of an authenticated user to the Resource, (3) Authorization Information Delivery from the Home Org to the Resource Owner via the AAI. Legend: system, data, AAI-interaction.]

The AA Model (3)

[Diagram: Authentication at the User's Home Org and the Access Control Manager at the Resource Owner each write a Log; both logs feed Other Applications (Accounting, Billing, Statistics).]

  • Input to Accounting or Billing systems:
    • AAI provides Identity of User and/or Name of Home Organization
    • Resource measures the interactions between a user and the resource
Advantages of an AAI

Virtual Mobility

AAI is a requirement if students of different universities wish to use common resources, and it is the basis for initiatives such as the Swiss Virtual Campus.

Information protection

AAI simplifies the protection of information by applying standardized mechanisms. Resource owners can concentrate on the protection of their resources without having to implement an entire system including registration and authentication.

Remote access

AAI makes it possible to authorize users based on personal attributes of a user instead of IP addresses. User authorization thus becomes location-independent.

User friendliness

After a single registration a user can access a number of resources. Only one authentication technology is applied.

IT efficiency

Standardized AA systems and cooperation among IT organizations improve the efficiency in the implementation and operation of security solutions.

Administration overhead

Without AAI, a user has to register with various organizations. It is feared that the administrative overhead of individual organizations will increase dramatically. AAI counteracts this tendency.

Image

Complicated and inconsistent AA mechanisms, or the isolation of resources and user groups, are no longer state of the art. Not having an AAI will damage an institution's image in the long run.

Authorisation Attributes

Personal attributes

Group membership

  • User attributes for AAI
    • are based on standards (LDAP: eduPerson, SHIS/SIUS)
    • have to be available in real-time
    • have to be handled as required by federal and cantonal data protection laws:
      • attributes have to be accurate
      • attributes have to be stored securely
      • attributes should only be transferred to resources with a valid case to use them.
    • will be revised in the future in a standardised change process, depending on the requirements of Resource Owners and Home Organizations
  • Unique Identifier (anonymous)
  • Surname
  • Given name
  • Date of birth
  • Gender
  • E-mail
  • Address(es)
  • Phone number(s)
  • Preferred language
  • Name of Home Organization
  • Type of Home Organization
  • Affiliation (student, staff, faculty, …)
  • Study branch
  • Study level
  • Staff category
  • Organization Path
  • Organization Unit Path
  • Group membership
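The AA Model (2) flow and the attribute rule above, as an added example that is not part of the original presentation: the Home Org authenticates the user, releases only the attributes the requesting resource has a valid case for, and signs the result; the Resource Owner's Access Control Manager verifies the assertion and applies its Access Control Definition. The user DB, release policy, resource names and HMAC key are constructed demo values (a real AAI such as Shibboleth uses signed SAML assertions, not this HMAC scheme).

```python
import hashlib
import hmac
import json

FEDERATION_KEY = b"demo-shared-key"   # assumed shared between Home Org and Resource Owner

def _pwhash(pw):                      # stand-in for proper password hashing in the User DB
    return hashlib.sha256(pw.encode()).hexdigest()

# Home Org side (constructed sample User DB, step 1: registration).
USER_DB = {
    "alice": {"pwhash": _pwhash("pw-alice"), "uniqueID": "u-0001", "surname": "Muster",
              "givenName": "Alice", "dateOfBirth": "1980-01-01",
              "affiliation": "student", "homeOrganization": "unizh.ch"},
    "bob":   {"pwhash": _pwhash("pw-bob"), "uniqueID": "u-0002", "surname": "Beispiel",
              "givenName": "Bob", "dateOfBirth": "1975-05-05",
              "affiliation": "alumni", "homeOrganization": "unizh.ch"},
}
# Attribute release policy: each resource receives only the attributes it has a valid case for.
RELEASE_POLICY = {"library.unil.ch": {"uniqueID", "affiliation", "homeOrganization"}}

def home_org_authorization_info(username, password, resource):
    """Steps 1 and 3: authenticate, then deliver a signed, minimised attribute set."""
    user = USER_DB.get(username)
    if user is None or not hmac.compare_digest(user["pwhash"], _pwhash(password)):
        return None                                   # authentication failed
    allowed = RELEASE_POLICY.get(resource, set())     # unknown resource: release nothing
    attrs = {k: v for k, v in user.items() if k in allowed}
    payload = json.dumps({"resource": resource, "attributes": attrs}, sort_keys=True)
    sig = hmac.new(FEDERATION_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}

# Resource Owner side: Access Control Definition enforced by the Access Control Manager.
ACCESS_CONTROL_DEFINITION = {"library.unil.ch": {"affiliation": {"student", "staff", "faculty"}}}

def access_control_manager(resource, assertion):
    """Step 2: verify the AAI assertion and decide access from the released attributes only."""
    if assertion is None:
        return False
    expected = hmac.new(FEDERATION_KEY, assertion["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False                                  # forged or tampered assertion
    body = json.loads(assertion["payload"])
    rules = ACCESS_CONTROL_DEFINITION.get(resource)
    if body["resource"] != resource or rules is None:
        return False                                  # issued for another resource / no definition
    attrs = body["attributes"]
    return all(attrs.get(name) in values for name, values in rules.items())
```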
Simple Identity Management Classification

(ordered from simple to complex)

  • MS Passport
    • Trust model: One external trust broker, trust monopoly
    • One central user database
    • One single Home Organisation for all users
  • Shibboleth
    • Trust model: “Club” of organisations trusting each other (but not necessarily their users!)
    • Decentralised user database at “Club” member sites
    • “Club” members acting as Home Organisation
    • Users are registered with exactly one Home Organisation, maintaining their electronic identity (otherwise, they end up owning multiple electronic identities)
  • Liberty Alliance
    • Same as Shibboleth except:
    • Users may register with multiple “Club” members
    • Each Club member is maintaining a part of their user’s electronic identity
