Selected Research Projects on Mobile Internet
Federated identity on a pan-European scale
Klaas Wierenga <[email protected]>
eResearch Australasia
Melbourne, 30 September 2008
University of the Future
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Agenda
Intro
eduroam
eduGAIN
DAMe
Conclusions and next steps
WAYF
Cisco Consulting Engineering, office of the CTO
Before that >12 yrs SURFnet
Activity lead roaming activity Geant2
Creator of eduroam
Co-creator of A-Select
Chair of TF-Mobility
Member of ECAM
Vision
“Create an open European research area by establishing interoperable access to the networks that interconnect to form the research networking supply chain in Europe.”
The multiple networks must appear to be one seamless resource.
Create interoperable systems at the network and service level for:
–roaming,
–verifying users' identities and associated rights or privileges (authentication),
–granting access to resources (authorisation)
Activities
Building on work done in TERENA taskforces Mobility and EMC2 on eduroam and federated applications
Create a pan-European roaming infrastructure for network access for HigherEd (eduroam)
Create a pan-European authentication and authorisation infrastructure by connecting the existing federations in HigherEd (eduGAIN)
Create universal single sign on by integrating the former two (DAMe)
The goal of eduroam
“open your laptop and be online”
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources
eduroam
[Diagram: eduroam architecture. A guest from University B (piet@university_b.nl) visiting University A connects with a supplicant to the authenticator (AP or switch); University A's RADIUS server forwards the request to the SURFnet central RADIUS proxy server, which forwards it to University B's RADIUS server and its user DB. The signalling path runs through the RADIUS hierarchy, while the data path stays at the visited site, where VLAN assignment places the user in the Employee, Student or Commercial VLAN.]
• Trust based on RADIUS plus policy documents
• 802.1X (spin-off: SecureW2)
• VLAN assignment
Source: SURFnet
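Realm-based routing through the RADIUS hierarchy shown above, as an added example that is not part of the slides or of any eduroam software: the visited server forwards by the realm of the user name to the national proxy, which forwards to the home server, and the visited site assigns the VLAN on acceptance. Server names, users, passwords and VLAN names are constructed; the loop guard and the rejection of realm-less names stand in for the policy an operator would configure.

```python
# Added example (not from the slides): realm-based request routing in an eduroam-style
# RADIUS proxy hierarchy; server names, users, passwords and VLAN names are constructed.
from dataclasses import dataclass, field

@dataclass
class RadiusServer:
    name: str
    local_realms: frozenset = frozenset()        # realms authenticated here
    users: dict = field(default_factory=dict)    # local user DB: user -> password
    routes: dict = field(default_factory=dict)   # realm -> downstream member server
    upstream: "RadiusServer | None" = None       # default next hop (national/top level)

def split_nai(user_name):
    """user@realm -> (user, realm); None if the realm is missing or malformed."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    realm = realm.lower()
    if not user or not realm or realm.startswith(".") or ".." in realm:
        return None
    return user, realm

def authenticate(server, user_name, password, path=()):
    """Forward the request through the hierarchy; returns (result, path)."""
    if server.name in path:                       # static hierarchy: refuse loops
        return "reject-loop", path
    path += (server.name,)
    parsed = split_nai(user_name)
    if parsed is None:                            # never proxy a realm-less name
        return "reject-bad-realm", path
    user, realm = parsed
    if realm in server.local_realms:              # home server: check the user DB
        return ("accept" if server.users.get(user) == password else "reject"), path
    next_hop = server.routes.get(realm, server.upstream)
    if next_hop is None:
        return "reject-unknown-realm", path
    return authenticate(next_hop, user_name, password, path)

def network_access(visited, user_name, password):
    """Visited site: authenticate via the hierarchy, then assign the VLAN."""
    result, path = authenticate(visited, user_name, password)
    if result != "accept":
        return result, None, path
    vlan = "employee" if split_nai(user_name)[1] in visited.local_realms else "guest"
    return result, vlan, path
# Constructed topology: two universities under the SURFnet national proxy.
uni_b = RadiusServer("university_b", frozenset({"university_b.nl"}), {"piet": "geheim"})
uni_a = RadiusServer("university_a", frozenset({"university_a.nl"}), {"anna": "pw"})
surfnet = RadiusServer("surfnet", routes={"university_a.nl": uni_a, "university_b.nl": uni_b})
uni_a.upstream = uni_b.upstream = surfnet
```

The returned path records every server the request crossed, which is the trail an operator would look for in proxy logs when a roaming login fails.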
eduroam status
US experiment with I2 (failed)
New trial with Internet2
Canada member since June 2008
Isolated trials in Latin-America
Spin-off: RadSec
eduroam problems:
–Dead peer discovery
–Fragmentation
–Managing shared secret/IP-address based trust
–Static hierarchy
–DIAMETER not available
RadSec: RADIUS with:
–TLS
–TCP
draft-ietf-radext-radsec-01.txt, draft-dekok-radext-tcp-transport-00.txt
Implementations in Radiator, FreeRADIUS (in progress), RadSecProxy, OpenWRT and Lancom APs
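To show what the slide means by shared-secret/IP-address based trust, an added example (not from the slides or from any RadSec implementation) that builds an Access-Request and an Access-Accept and verifies the RFC 2865 Response Authenticator; the secret, packet identifier and attributes are constructed.

```python
# Added example (not from the slides): RADIUS peer trust rests on a per-peer
# shared secret (RFC 2865); a response is accepted only if its Response
# Authenticator was computed with that secret. Secret and attributes are constructed.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME = 1

def encode_attrs(attrs):
    """Attributes as TLVs: type (1 byte), length incl. header (1 byte), value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(ident, attrs):
    """Access-Request: the 16-byte Request Authenticator is random and the
    secret is not involved, so a request alone proves nothing about its sender."""
    payload = encode_attrs(attrs)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(payload))
    return header + os.urandom(16) + payload

def build_response(code, request, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    payload = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(payload))
    resp_auth = hashlib.md5(header + request[4:20] + payload + secret).digest()
    return header + resp_auth + payload

def verify_response(request, response, secret):
    """True only if the response matches this request's ID and Request
    Authenticator and was built by a peer holding the same shared secret."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, resp_auth, payload = response[:4], response[4:20], response[20:]
    if struct.unpack("!H", header[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(header + request[4:20] + payload + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

# Constructed exchange between two adjacent proxies sharing one secret.
SECRET = b"constructed-shared-secret"
request = build_request(7, [(ATTR_USER_NAME, b"piet@university_b.nl")])
accept = build_response(ACCESS_ACCEPT, request, [], SECRET)
```

A proxy in a static hierarchy needs such a secret, tied to the peer's source address, for every neighbour; RadSec replaces this pairing with a TLS connection in which the peer's certificate identifies it.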
eduGAIN
Bridging existing federations in HigherEd
Existing federations based on:
–Shibboleth 1.3
–A-select
–PAPI
–Sun Access Manager
–WS-Federation
–SAML 2.0 (Shibboleth and Liberty Alliance)
Lingua franca for interconnect: SAML
The eduGAIN model
[Diagram: the eduGAIN model. The home federation's peering point (H-FPP) and the remote federation's peering point (R-FPP) publish their metadata to the Metadata Service (MDS), which the bridging elements query. Authentication and authorisation (AA) interaction runs between the home bridging element (H-BE), backed by the Id Repository(ies), and the remote bridging element (R-BE), which fronts the Resource(s).]
Source: JRA5-team
WebSSO in Practice
Current Inter-Federation Usage
[Diagram: a nine-step web single sign-on flow across federations; the user (johnd) logs in with a password and attributes (Attr.) are exchanged between the parties.]
Source: RedIRIS
Spin-off: SimpleSAMLphp
Started as bridging software for eduGAIN
Bridges between:
–SAML1.1
–SAML2.0
–A-Select
–PAPI
–Shibboleth 1.3
–WS-Fed
Now IdP and SP for SAML1.1 and 2.0 as well as an OpenID IdP
User consent module
http://rnd.feide.no/simplesamlphp
Attend the workshop on Friday!
Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)
DAMe is a project that builds upon:
–eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
–Shibboleth and eduGAIN,
–NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.
Unified Single Sign-on
[Diagram: the DAMe unified single sign-on architecture. In the eduroam confederation, the user's device (supplicant + token client) authenticates through the visited domain's access point (802.1X) and eduroam network access server (RADIUS) against the home domain's authentication authority (RADIUS); the home domain also runs an attribute authority (Shibboleth, PAPI, ...). In the eduGAIN confederation, the service domain's eduGAIN service provider (Shibboleth, PAPI, ...) relies on those home-domain authorities. Flows: network authentication (RADIUS/EAP/SAML) and web authentication and authorization (HTTPS/SOAP/SAML).]
Source: DAMe project
Summary
eduroam is happening
Federations are happening
The European federation of federations is happening
The grand unifier is SAML 2.0
This will create an open European research area
(open for collaboration with other research areas ;-)
References
TERENA TF-Mobility
–http://www.terena.org/activities/tf-mobility/
TERENA TF-EMC2
–http://www.terena.org/activities/tf-emc2/
ECAM
–http://www.terena.org/activities/tf-emc2/ecam/
European Federations:
–http://wiki.rediris.es/tf-emc2/index.php/Federations
Geant2 JRA5
–http://www.geant2.net/server/show/nav.00d00a005
DAMe
–http://dame.inf.um.es/