Transcript - Wierenga

Connect. Communicate. Collaborate
A Client Middleware for TokenBased Unified Single Sign On
to eduGAIN
Sascha Neinert, University of Stuttgart
TNC 2008, Bruges, 20.05.2008
Universität Stuttgart
Overview
• Single Sign On
• unified Single Sign On
• eduToken
• Token-based uSSO Profile
• Conclusion
Single Sign On
• Single Sign On (SSO): authenticate once for access to multiple (web) resources
• SSO in a federated AAI: only one pair of credentials is needed (this is not automated password entry)
• SSO with eduGAIN: SSO becomes possible in a heterogeneous environment, by building a confederation
Single Sign On
• Advantages:
  – User friendly, saves time
    • Esp. with more secure authentication methods
  – Higher security: password transmitted only once
  – Higher security: one password can be remembered, dozens of them hardly
  – Phishing protection: the Identity Provider is “known” (URL, certificate)
• Disadvantages:
  – Higher risk: one stolen password gives access to many resources
unified Single Sign On
• NEW unified Single Sign On (uSSO): authenticate once for access to network and application resources
• (this) uSSO is built on:
  – eduroam: federated, secure access to network resources
  – eduGAIN: (con-)federated, secure access to web resources (and other applications → “Grid”)
unified Single Sign On
[Architecture diagram: the User’s Device (Supplicant + Token Client) is connected to two confederations.
eduroam confederation: Visited Domain with the Network Access Server (RADIUS) and Access Point (802.1X);
Home Domain with the eduroam Authentication Authority (RADIUS). Network Authentication runs over RADIUS/EAP/SAML.
eduGAIN confederation: Attribute Authority (Shibboleth, PAPI, ...) and, in the Service Domain, the eduGAIN
Service Provider (Shibboleth, PAPI, ...). Web Authentication and Authorization runs over HTTPS/SOAP/SAML.]
unified Single Sign On
• Advantages of uSSO:
  – SSO advantages, but extended to the network
  – WAYF problem can be solved
  – Usable for non-web resources and services (Grid)
  – Usable with eduGAIN → several web AAI middlewares (Shibboleth, PAPI – Spain, A-Select – Netherlands, …)
• Disadvantages of uSSO:
  – Additional (client) middleware needed
  – Requires eduroam and some AAI
unified Single Sign On
Six steps:
1. Authentication at layer 2 with 802.1X, using eduroam
2. Transport a token over eduroam
3. Put it into the secure token store on the user’s device
4. Get network access (get IP address)
5. Authentication at the application layer, using eduGAIN
6. Use the token as proof of authentication
eduToken
• The uSSO token is called eduToken
• It must express:
  – Who has been authenticated,
  – When,
  – By whom,
  – Using which method,
  – How long the eduToken is valid
eduToken
• SAML 1 Assertion
  – Issuer
  – Issue Instant
  – Condition: Not On Or After
  – Authentication Statement
    • Authentication Instant + Method
    • Subject – Name Identifier
• It is digitally signed, by a trusted entity
• eduToken = SAML Assertion + Authentication Statement
Token-based uSSO Profile
User’s Device:
• Browser: with Java-Plugin
• uSSO Client: Token Manager, Java application
Service Domain:
• SP: Service Provider, e.g. Shibboleth, unmodified
• Token Fetcher Applet
• R-BE: remote eduGAIN Bridging Element, modified
Token-based uSSO Profile
[Sequence diagram across four parties: the Browser and the uSSO Client on the User’s Device, and the SP and the
R-BE in the SP Domain. Messages, in order: Request Access → Redirect → Token Fetcher Applet → Fetch eduToken →
Decrypt eduToken → Return eduToken → POST eduToken → Validate eduToken → Create Assertion → Send Assertion →
Grant Access.]
Token-based uSSO Profile
eduGAIN Bridging Element (BE):
• Map local federation language to eduGAIN language
• Central - per federation, or distributed - per institution
• Part of the eduGAIN circle of trust
Remote BE (R-BE):
• Towards the SP: act like an IdP of the local federation
• Towards eduGAIN: talk to the Home BE
Token-based uSSO Profile
Token-enabled R-BE:
• Towards the SP: as usual
• Towards eduGAIN: not necessary (except attribute-pull)
• NEW Towards the client: request the eduToken, receive it (validation as usual – eduToken is in native eduGAIN language)
  – Token Request = an active component able to reach “outside” the browser
  – Implemented here as a signed Java Applet
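An added example of the R-BE's "validate eduToken" step (not code from the DAMe/eduGAIN project): it builds an eduToken carrying the fields listed on the eduToken slides (Issuer, Issue Instant, Not On Or After, an Authentication Statement with instant, method and Name Identifier) and checks issuer trust, integrity and the validity window before the subject is accepted. Assumptions: the issuer trust table, the sample clock, and an HMAC standing in for the XML-DSig signature.

```python
import hmac, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"s": SAML1}
FIELDS = ("Issuer", "IssueInstant", "NotOnOrAfter", "AuthenticationInstant",
          "AuthenticationMethod", "NameIdentifier")
# Assumed trust table: issuer -> verification key, a stand-in for the circle-of-trust X.509 setup.
TRUSTED_ISSUERS = {"https://home-be.example.edu/eduGAIN": b"demo-key-not-for-production"}
CLOCK_SKEW = timedelta(minutes=2)
NOW, HOUR = datetime(2008, 5, 20, 10, 0, tzinfo=timezone.utc), timedelta(hours=1)  # sample clock

def _mac(key, f):
    """HMAC over the fields in canonical order; stands in for the XML-DSig signature."""
    return hmac.new(key, "|".join(f[k] for k in FIELDS).encode(), hashlib.sha256).hexdigest()

def build_edutoken(key, f):
    """Home-side helper (constructed): SAML 1 assertion + AuthenticationStatement, signed."""
    return (f'<Assertion xmlns="{SAML1}" Issuer="{f["Issuer"]}" IssueInstant="{f["IssueInstant"]}">'
            f'<Conditions NotOnOrAfter="{f["NotOnOrAfter"]}"/><AuthenticationStatement '
            f'AuthenticationInstant="{f["AuthenticationInstant"]}" '
            f'AuthenticationMethod="{f["AuthenticationMethod"]}"><Subject><NameIdentifier>'
            f'{f["NameIdentifier"]}</NameIdentifier></Subject></AuthenticationStatement>'
            f'<Signature>{_mac(key, f)}</Signature></Assertion>')

def validate_edutoken(xml_text, now):
    """R-BE side: return the authenticated NameIdentifier, or raise ValueError naming the failed check."""
    a = ET.fromstring(xml_text)
    cond, stmt = a.find("s:Conditions", NS), a.find("s:AuthenticationStatement", NS)
    if cond is None or stmt is None:
        raise ValueError("missing Conditions or AuthenticationStatement")
    f = {"Issuer": a.get("Issuer"), "IssueInstant": a.get("IssueInstant"),
         "NotOnOrAfter": cond.get("NotOnOrAfter"),
         "AuthenticationInstant": stmt.get("AuthenticationInstant"),
         "AuthenticationMethod": stmt.get("AuthenticationMethod"),
         "NameIdentifier": stmt.findtext("s:Subject/s:NameIdentifier", namespaces=NS)}
    if any(v is None for v in f.values()):
        raise ValueError("eduToken lacks a required field")
    key = TRUSTED_ISSUERS.get(f["Issuer"])  # "by whom": only circle-of-trust issuers count
    if key is None:
        raise ValueError("untrusted issuer")
    sig = a.findtext("s:Signature", default="", namespaces=NS)
    if not hmac.compare_digest(_mac(key, f), sig):  # integrity before trusting any claim
        raise ValueError("bad signature")
    if now > datetime.fromisoformat(f["NotOnOrAfter"]) + CLOCK_SKEW:  # "how long valid"
        raise ValueError("eduToken expired")
    if datetime.fromisoformat(f["AuthenticationInstant"]) > now + CLOCK_SKEW:  # "when"
        raise ValueError("authentication instant lies in the future")
    return f["NameIdentifier"]
```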
Token-based uSSO Profile
Token-enabled R-BE (continued):
• Implementation, Deployment:
– 1 Tomcat
– 1 Java Servlet
– 1 Java Keystore
– 1 Applet
Conclusion
The implementation provides:
• unified Single Sign On: “open your laptop and be signed on”
The concept also enables:
• Simplified Where Are You From
• No IdP interaction (→ privacy)
• SSO for non-web applications / for local applications
Questions?
Any questions or comments?
DAMe website: http://dame.inf.um.es/
DAMe mailing list: [email protected]
GÉANT2-JRA5 website: http://www.geant2.net/jra5