Selected Research Projects on Mobile Internet


Federated identity on
a pan-European
scale
Klaas Wierenga <[email protected]>
eResearch Australasia
Melbourne, 30 September 2008
University of the Future
© 2007 Cisco Systems, Inc. All rights reserved.
Cisco Public
1
Agenda
 Intro
 eduroam
 eduGAIN
 DAMe
 Conclusions and next steps
WAYF
 Cisco Consulting Engineering, office of the CTO
 Before that >12 yrs SURFnet
 Activity lead roaming activity Geant2
 Creator of eduroam
 Co-creator of A-Select
 Chair of TF-Mobility
 Member of ECAM
Vision
 “Create an open European research area by establishing interoperable access to the networks that interconnect to form the research networking supply chain in Europe.”
 The multiple networks must appear to be one seamless resource.
 Create interoperable systems at the network and service level for:
–roaming,
–verifying users' identities and associated rights or privileges (authentication),
–granting access to resources (authorisation)
Activities
 Building on work done in TERENA taskforces Mobility and EMC2 on eduroam and federated applications
 Create a pan-European roaming infrastructure for network access for HigherEd (eduroam)
 Create a pan-European authentication and authorisation infrastructure by connecting the existing federations in HigherEd (eduGAIN)
 Create universal single sign on by integrating the former two (DAMe)
The goal of eduroam
 “open your laptop and be online”
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources
eduroam
[Figure: eduroam architecture (source: SURFnet). Guest user piet@university_b.nl connects at University A: the supplicant on the device authenticates over 802.1X to the authenticator (AP or switch), which hands the request to University A's RADIUS server. Local users are checked against University A's user DB; the guest's realm university_b.nl is instead forwarded to the SURFnet central RADIUS proxy server and on to University B's RADIUS server and user DB. Signalling and data paths are drawn separately, and University A places the authenticated session on its Employee, Student or Commercial VLAN.]
• Trust based on RADIUS plus policy documents
• 802.1X (spin-off: SecureW2)
• VLAN assignment
Source: SURFnet
eduroam status
 US experiment with I2 (failed)
 New trial with Internet2
 Canada member since June 2008
 Isolated trials in Latin America
Spin-off: RadSec
 eduroam problems:
–Dead peer discovery
–Fragmentation
–Managing shared secret/IP-address based trust
–Static hierarchy
–Diameter not available
 RADIUS with:
–TLS
–TCP
 draft-ietf-radext-radsec-01.txt, draft-dekok-radext-tcp-transport-00.txt
 Implementations in Radiator, FreeRADIUS (in progress), RadSecProxy, and OpenWRT and Lancom APs
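The eduroam diagram above and the trust problems this slide lists come together in one worked example. The Python below is added here and is not SURFnet, eduroam or RadSecProxy code: it splits the NAI piet@university_b.nl into user and realm, decides which hop of the RADIUS hierarchy (institution, national proxy, top-level proxy) forwards the request, and encodes and checks the RFC 2865 Response Authenticator and the RFC 3579 Message-Authenticator that each hop verifies against the shared secret it holds for its neighbour. The realm names, shared secrets, role names and the fixed Request Authenticator used for testing are assumptions made for the illustration. The two checks make the slide's point concrete: the MD5-based authenticators only bind a packet to one link and its shared secret, so a proxy must verify and re-sign at every hop and trust rests on IP address plus secret, which is what RadSec's TLS transport replaces.

```python
"""eduroam-style RADIUS hop: realm routing plus per-hop shared-secret checks.

Added example, not SURFnet, eduroam or RadSecProxy code. Realm names and the
shared secrets are made up; packet formats follow RFC 2865 and RFC 3579.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_MESSAGE_AUTHENTICATOR = 1, 80


def split_nai(user_name: str) -> tuple:
    """Split 'user@realm'. eduroam forwards on the realm alone, so an identity
    without a realm, or with a non-DNS-looking one, is refused at the edge
    instead of being proxied around the hierarchy."""
    if user_name.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    user, realm = user_name.split("@")
    realm = realm.lower()
    if not user or "." not in realm or realm.startswith(".") or realm.endswith("."):
        raise ValueError("unroutable realm %r" % realm)
    return user, realm


def next_hop(realm: str, role: str, realms: set, national_tld: str) -> str:
    """Realm-based forwarding. An 'institution' answers its own realms and
    sends the rest to the national proxy; a 'national' proxy sends in-country
    realms to the member serving them and foreign realms to the top level.
    (role and return strings are invented labels for this example)"""
    if role == "institution":
        return "local" if realm in realms else "national-proxy"
    if realm == national_tld or realm.endswith("." + national_tld):
        for member in sorted(realms):
            if realm == member or realm.endswith("." + member):
                return "member:" + member
        return "reject"  # in-country but unknown: answer here, never loop upward
    return "top-level-proxy"


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:  # RADIUS attribute values are limited to 253 bytes
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user_name: str, secret: bytes,
                         authenticator: bytes = b"") -> bytes:
    """Access-Request with User-Name and a Message-Authenticator (RFC 3579):
    HMAC-MD5 over the whole packet, keyed with this hop's shared secret and
    computed with the attribute's own value zeroed."""
    authenticator = authenticator or os.urandom(16)  # fixed value only for tests
    attrs = _attr(ATTR_USER_NAME, user_name.encode()) + _attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Walk the attributes, zero the Message-Authenticator and recompute it.
    A packet that carries none cannot be tied to the secret and is refused."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(mac, packet[pos + 2:pos + 18])
        pos += length
    return False


def build_response(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Reply signed with the RFC 2865 Response Authenticator:
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if it answers our request and was signed with the
    secret we share with the next hop. Every proxy re-signs, so this protects
    one link, not the whole path to the home server."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    user, realm = split_nai("piet@university_b.nl")
    print(next_hop(realm, "institution", {"university_a.nl"}, "nl"))  # national-proxy
    req = build_access_request(7, "piet@university_b.nl", b"univ-a<->surfnet")
    print(verify_message_authenticator(req, b"univ-a<->surfnet"))  # True
```

Running the script routes piet's request off University A's server to the national proxy and checks a freshly built request against the right secret; the tests below additionally show that a wrong secret, a tampered response code, a reply to a different request ID or a packet without Message-Authenticator are all refused.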
eduGAIN
 Bridging existing federations in HigherEd
 Existing federations based on:
–Shibboleth 1.3
–A-Select
–PAPI
–Sun Access Manager
–WS-Federation
–SAML 2.0 (Shibboleth and Liberty Alliance)
 Lingua franca for interconnect: SAML
The eduGAIN model
[Figure: the eduGAIN model (source: JRA5 team). The home side, a Federation Peering Point (H-FPP) and Bridging Element (H-BE) in front of the Id Repository(ies), and the remote side, an R-FPP and R-BE in front of the Resource(s), each publish their metadata to the central Metadata Service (MDS) and query it for the other side's. Authentication and attribute (AA) interactions run between the Id Repository(ies) and the Resource(s) through the two bridging elements.]
Source: JRA5-team
WebSSO in Practice
Current Inter-Federation Usage
[Figure: a numbered WebSSO flow, steps 1 to 9 (source: RedIRIS), in which user johnd logs in with password Pa$$wD at the home side and the user's attributes (Attr.) are passed across the federations to the service; the labels of the individual steps did not survive extraction.]
Source: RedIRIS
Spin-off: SimpleSAMLphp
 Started as bridging software for eduGAIN
 Bridges between:
–SAML 1.1
–SAML 2.0
–A-Select
–PAPI
–Shibboleth 1.3
–WS-Fed
 Now IdP and SP for SAML 1.1 and 2.0 as well as an OpenID IdP
 User consent module
 http://rnd.feide.no/simplesamlphp
 Attend the workshop on Friday!
Deploying Authorization Mechanisms for Federated Services in eduroam (DAMe)
 DAMe is a project that builds upon:
–eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
–Shibboleth and eduGAIN,
–NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and the XACML (eXtensible Access Control Markup Language) standards.
Unified Single Sign-on
[Figure: DAMe unified single sign-on (source: DAMe project). In the eduroam confederation, the user's device (supplicant + token client) in the visited domain authenticates over 802.1X to the access point and the visited network access server (RADIUS), which forwards to the authentication authority (RADIUS) in the home domain. In the eduGAIN confederation, the home domain's attribute authority (Shibboleth, PAPI, ...) supplies attributes to an eduGAIN service provider (Shibboleth, PAPI, ...) in the service domain. Network authentication runs over RADIUS/EAP/SAML; web authentication and authorization over HTTPS/SOAP/SAML.]
Source: DAMe project
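The NAS-SAML idea that DAMe builds on, a network access decision taken from SAML-carried user attributes under an XACML policy, can be shown in a few dozen lines. The Python below is an added example and is not DAMe, NAS-SAML or University of Murcia code: it evaluates an XACML-style rule set with deny-overrides combining over SAML-style attributes of a roaming user and turns a Permit into the RFC 3580 Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes a RADIUS server returns to the access point for VLAN assignment. The policy, the attribute names homeRealm and accountStatus, and the VLAN numbers are invented for the illustration; eduPersonAffiliation is the real eduPerson attribute.

```python
"""Attribute-based network authorisation in the style DAMe describes: the
visited domain applies an XACML-like policy to SAML-style attributes about the
roaming user and tells the NAS which VLAN to use.

Added example, not DAMe or NAS-SAML code. The policy, the attribute names
homeRealm and accountStatus, and the VLAN numbers are invented.
"""
from dataclasses import dataclass

# Values a NAS understands for dynamic VLAN assignment (RFC 3580).
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE802 = 6


@dataclass(frozen=True)
class Rule:
    effect: str   # "Permit" or "Deny"
    match: dict   # attribute -> required value; every entry must match
    vlan: int = 0  # obligation carried by a Permit


def matches(rule: Rule, attrs: dict) -> bool:
    """A rule applies when each attribute it names has the required value.
    Multi-valued attributes such as eduPersonAffiliation are given as sets."""
    for name, wanted in rule.match.items():
        have = attrs.get(name)
        if have is None:
            return False
        if isinstance(have, (set, frozenset, list, tuple)):
            if wanted not in have:
                return False
        elif have != wanted:
            return False
    return True


def evaluate(policy: list, attrs: dict) -> tuple:
    """Deny-overrides combining: any applicable Deny wins, otherwise the first
    applicable Permit; no applicable rule is NotApplicable, handled as a deny."""
    permit = None
    for rule in policy:
        if not matches(rule, attrs):
            continue
        if rule.effect == "Deny":
            return "Deny", None
        if permit is None:
            permit = rule
    if permit is None:
        return "NotApplicable", None
    return "Permit", permit.vlan


def radius_reply(decision: str, vlan) -> dict:
    """What the visited RADIUS server sends back to the access point."""
    if decision != "Permit":
        return {"code": "Access-Reject"}
    return {
        "code": "Access-Accept",
        "Tunnel-Type": TUNNEL_TYPE_VLAN,
        "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE802,
        "Tunnel-Private-Group-ID": str(vlan),
    }


# Constructed policy for a visited campus: accounts the home side flags as
# suspended are refused whatever else is true, home staff and students get
# their own VLANs, and any roaming member of a partner lands on a guest VLAN.
VISITED_POLICY = [
    Rule("Deny", {"accountStatus": "suspended"}),
    Rule("Permit", {"homeRealm": "university_a.nl", "eduPersonAffiliation": "staff"}, vlan=10),
    Rule("Permit", {"homeRealm": "university_a.nl", "eduPersonAffiliation": "student"}, vlan=20),
    Rule("Permit", {"eduPersonAffiliation": "member"}, vlan=30),
]


def authorise(attrs: dict, policy=VISITED_POLICY) -> dict:
    """Full path: attributes in, RADIUS reply for the access point out."""
    decision, vlan = evaluate(policy, attrs)
    return radius_reply(decision, vlan)


if __name__ == "__main__":
    guest = {"homeRealm": "university_b.nl", "eduPersonAffiliation": {"student", "member"}}
    print(authorise(guest))  # Access-Accept on VLAN 30
```

The ordering matters only among Permits; because the Deny rule is checked for every applicable rule before a Permit is returned, a suspended home staff member is rejected even though the staff rule would also match, which is the property a deny-overrides policy is chosen for.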
Summary
 eduroam is happening
 Federations are happening
 The European federation of federations is happening
 The grand unifier is SAML 2.0
 This will create an open European research area
(open for collaboration with other research areas ;-)
References
 TERENA TF-Mobility
–http://www.terena.org/activities/tf-mobility/
 TERENA TF-EMC2
–http://www.terena.org/activities/tf-emc2/
 ECAM
–http://www.terena.org/activities/tf-emc2/ecam/
 European Federations:
–http://wiki.rediris.es/tf-emc2/index.php/Federations
 Geant2 JRA5
–http://www.geant2.net/server/show/nav.00d00a005
 DAMe
–http://dame.inf.um.es/