Transcript - TERENA

Connect. Communicate. Collaborate

Deploying Authorization Mechanisms for Federated Services in the eduroam architecture (DAMe)*

Antonio F. Gómez-Skarmeta University of Murcia (Spain) TNC2007, Copenhagen, 2007/05/21 * Funded by EC project Geant2-JRA5, Terena, RedIRIS and DFN.

Overview

• Introduction
• Starting points
• Main goals of the DAMe project

Introduction

• DAMe is a research project based on previous work from TERENA, Internet2 and the University of Murcia:
  – eduroam, the result of the TERENA Mobility Task Force, which defines a roaming architecture between NRENs based on AAA servers (RADIUS) and the 802.1X standard.
  – Shibboleth, a widely deployed federation mechanism.
  – eduGAIN, the AAI (Authentication and Authorization Infrastructure) from GEANT2 (GN2).
  – NAS-SAML, a network access control system for AAA architectures developed by the University of Murcia and based on SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language).

DAMe project. Main Goals

• Authentication, but also authorization, is needed in order to provide appropriate network access:
  – The user's identity is not enough
  – Institutions can offer different QoS parameters depending on the user
  – Decisions should be taken considering the user's attributes
  – User mobility is becoming more and more frequent
  – Several institutions must cooperate at several levels
• Preliminary work on this subject:
  – DAIDALOS project
  – RADIUS/SAML (Internet2)
• Application-level services can take advantage of the network access mechanism in order to bootstrap a seamless global SSO

Intradomain: Campus

[Figure: campus scenario with the following elements: Teachers, Students, Adm. Staff, Researchers; Authentication Authority; Authorization Authority; DB; LDAP Directory; Web Services; Wireless; Internet.]

• Stable relationship among users, institution and services

Interdomain: Different universities

Service Level Agreement University A Connect. Communicate. Collaborate • Alice might make use of the computer network at University B • Alice will be authenticated by University A • Alice will be authorized by University B, but making use of the attributes defined by University A • Relationships are stable and long term • Authorization information is represented using a common format University B

Interdomain: Heterogeneous systems

[Figure: University B and University C linked by a Service Level Agreement.]

• Charles is authorized by University B upon the attributes defined by University C
  – Credentials are based on different formats
  – There are different criteria about syntax and semantics
• Therefore, it is necessary:
  – To define a credential conversion system, identifying its main entities and policies.

Overview

• Introduction
• Starting points
• Main goals of the DAMe project

Starting point: eduroam

• Goal:
  – "open your laptop and be online"
  – To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
• Concepts:
  – Based on reciprocal (free) access
  – NREN community
  – Authentication at home
  – Authorization at visited institution

Starting point: NAS-SAML

• Motivation:
  – Current authorization solutions do not address most of the issues related to the provision of different types of services based on attribute credentials
  – NAS-SAML was defined to provide a network access system based on existing standards (802.1X, AAA, SAML, XACML)
  – It requires the extension of the current AAA protocols in order to exchange authorization credentials
  – Different profiles are defined in order to provide several design alternatives (push and pull)

Starting point: NAS-SAML

[Figure: NAS-SAML architecture. Both the Home Domain and the Target Domain contain an AA with an Attribute Release Policy and a PDP with a Resource Access Policy; further elements are a NAP, a PAP and the End User, connected through the Internet network.]

NAS-SAML: Pull profile

[Figure: pull-profile message sequence between the End User, the NAP and the AAA server in the Target Domain, and the AAA server and AA in the Home Domain, with the following labelled elements: EAPOL, EAP-TLS, PI (user's authentication with an X.509 PKC); DIAMETER-EAP; DIAMETER-SAML carrying a SAMLRequest / AttributeQuery for the user and a SAMLResponse / AttributeStatement with the user's attributes, filtered by the Attribute Release Policy; a SAMLRequest / XACMLAuthzDecisionQuery with an XACMLRequest (subject, resource, action, evidence attributes) to the PDP and a SAMLResponse / XACMLAuthzDecisionStatement with an XACMLResponse (result, obligations); attributes translated into NAS-REQ attributes; EAP-SUCCESS returned to the user.]

Overview

• Introduction
• Starting points
• Main goals of the DAMe project

DAMe project. Overview

• Definition of a unified authentication and authorization system for federated services hosted in the eduroam network and a global SSO mechanism based on already deployed mechanisms and architectures.

[Figure: DAMe overview. Target institution (eduroam): AP, RADIUS Server, PDP, NAS-SAML. Home institution: RADIUS Server, AA, eduGAIN element, NAS-SAML. Federated institution (eduGAIN): Protected resource, eduGAIN element. Numbered steps: (1) Authentication + SSO token, (2) Authorization, (3) Access request + SSO token, followed by SSO token validation.]

Main goals of the DAMe project

• Extension of eduroam using NAS-SAML
  – User mobility is controlled by assertions and policies expressed in SAML and XACML

[Figure: elements: Attribute Authority, XACML Policy Decision Point, Supplicant, Authenticator (AP or switch), RADIUS server University A with User DB, RADIUS server University B with User DB, Central RADIUS Proxy server (RedIRIS), user Alicia [email protected]; legend: data, signaling, SAML.]

Main goals of the DAMe project

• Extension of eduroam using NAS-SAML

[Figure: eduroam authentication and authorization between the Home Institution and the Target Institution. Elements: AP, RADIUS Server, PDP with Resource Access Policy and a DIAMETER Server on one side; a DIAMETER Server, AA with Attribute Release Policy and RADIUS Server on the other.]

Main goals of the DAMe project

• Global Single Sign On (SSO)
  – Users will be authenticated only once, during the access to the network
  – A SSO token (eduGAIN compliant) must be distributed, validated, and managed by an appropriate middleware
  – Possibly, new EAP methods (PEAP-based) will be needed to obtain the token

Main goals of the DAMe project

• Resource Access
  – The user authenticates in his home domain and gets an SSO token.
  – The token is delivered to the user through a secure tunnel.
  – The token contains a handle instead of the real user's identity, to maintain privacy.
  – Later, when the user tries to access a protected resource, he includes the token in the request.
  – The resource uses the handle included in the token to request the user's attributes through eduGAIN.
  – Once received, the attributes are used to take the authorization decision.
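As an added illustration (not code from the DAMe project or from this talk), the following Python model walks through two things at once: the NAS-SAML idea of an Attribute Release Policy at the home AA and a Resource Access Policy at the target PDP, and the Resource Access steps just listed, in which the home domain mints a token carrying an opaque handle, the protected resource validates the token, resolves the handle to the released attributes, and a PDP takes the decision. Everything in it is constructed: the domain names, the users, the policies, and the use of an HMAC in place of the SAML/XML signature and of Python dicts in place of SAML attribute queries and XACML requests.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# ---- Constructed sample data (not from the DAMe project) ----
HOME_DOMAIN = "univ-a.example"     # hypothetical home institution
TARGET_DOMAIN = "univ-b.example"   # hypothetical target institution
# Key the home AA uses to protect tokens; the validator is assumed to share it.
# An HMAC stands in here for the XML signature an eduGAIN token would carry.
HOME_KEY = b"constructed-home-domain-key-do-not-reuse"

USER_DB = {
    "alice@univ-a.example": {"affiliation": "student", "department": "cs"},
    "bob@univ-a.example": {"affiliation": "guest", "department": "none"},
}
# Attribute Release Policy: which attributes the home AA discloses to each target domain.
ATTRIBUTE_RELEASE_POLICY = {TARGET_DOMAIN: {"affiliation"}}
# handle -> real identity; private state of the home AA that never leaves the domain.
HANDLES = {}


def issue_sso_token(user, now=None):
    """Home AA: after authentication (assumed done over EAP), mint a token with an opaque handle."""
    if user not in USER_DB:
        raise KeyError(user)
    handle = secrets.token_hex(16)          # random, unlinkable to the user's identity
    HANDLES[handle] = user
    payload = {"iss": HOME_DOMAIN, "handle": handle,
               "exp": int(now if now is not None else time.time()) + 3600}
    body = json.dumps(payload, sort_keys=True).encode()
    mac = hmac.new(HOME_KEY, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def validate_sso_token(token, now=None):
    """Target side: check integrity and expiry; return the payload or None."""
    try:
        b64, mac = token.rsplit(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
        ok = hmac.compare_digest(hmac.new(HOME_KEY, body, hashlib.sha256).hexdigest(), mac)
    except (ValueError, TypeError):        # malformed token
        return None
    if not ok:
        return None
    payload = json.loads(body)
    if payload.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return payload


def attribute_query(handle, requester):
    """Home AA answering an attribute query for a handle, filtered by the release policy."""
    user = HANDLES.get(handle)
    if user is None:
        return {}
    released = ATTRIBUTE_RELEASE_POLICY.get(requester, set())
    return {k: v for k, v in USER_DB[user].items() if k in released}


# Resource Access Policy at the target institution (a simplified XACML-style rule set).
RESOURCE_ACCESS_POLICY = [
    {"resource": "library-wiki", "action": "read", "affiliation": {"student", "staff"}},
    {"resource": "library-wiki", "action": "write", "affiliation": {"staff"}},
]


def decide(resource, action, attrs):
    """PDP: the first applicable rule whose attribute requirement is met permits; otherwise Deny."""
    for rule in RESOURCE_ACCESS_POLICY:
        if rule["resource"] == resource and rule["action"] == action:
            if attrs.get("affiliation") in rule["affiliation"]:
                return "Permit"
    return "Deny"


def access_resource(token, resource, action, now=None):
    """Protected resource at the target: validate the token, resolve attributes via the handle, decide."""
    payload = validate_sso_token(token, now)
    if payload is None or payload.get("iss") != HOME_DOMAIN:
        return "Deny"
    attrs = attribute_query(payload["handle"], TARGET_DOMAIN)
    return decide(resource, action, attrs)


if __name__ == "__main__":
    tok = issue_sso_token("alice@univ-a.example")
    print("token carries no identity:", "alice" not in str(validate_sso_token(tok)))
    print("read:", access_resource(tok, "library-wiki", "read"))
    print("write:", access_resource(tok, "library-wiki", "write"))
```

The privacy property of the slide is visible in the model: the target only ever sees the handle, and even the attribute query returns only what the home Attribute Release Policy allows for that requester, so a department attribute is never disclosed to a domain the policy does not list. Expired or tampered tokens fail validation before any attribute lookup happens.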


Conclusion

• DAMe looks toward the integration of the authentication and authorization processes.
• The extension must be compatible with the current status of the eduroam network and eduGAIN.
• Provide an SSO scenario based on bootstrapping credentials at the authentication phase.
• Additionally, a user-friendly interface for managing authorization policies will be developed.

Additional information

• Project Web:

– http://dame.inf.um.es

Thanks for your attention