JRAX/SA3: Title of Activity

Connect. Communicate. Collaborate
eduGAIN profiles
And how they are applied
Diego R. Lopez - RedIRIS
Jürgen Rauschenbach -DFN
DICE meeting @ Bruges
May 2008
The JRA5 Team
eduGAIN in a Nutshell
• Based on the national federations, operated by NRENs
– And a community-operated one: EFDA-Fed
• eduGAIN is a confederation infrastructure
– Federates federations
• SAML 1.1 (and soon SAML 2.0) is the lingua franca
• Specific software developed
– eduGAIN base libraries (Java)
– simpleSAMLphp (PHP)
– eduGAINFilter (javax.servlet.filter)
• Direct use of Shibboleth 2.0 being investigated
Confederation Service
Elements
• Metadata Service - MDS
– Repository of metadata of all connected IdPs and SPs
– Upload by authorised components
– Queried by user interfaces or autonomous services
• PKI
– Establishes component identity
– Multi-rooted
– Includes component identifiers
– Verified at the registry
• URN Registry
– Unique, well-structured component identifiers
– Delegation schema
• Attribute Mapping or Credential Conversion service
– Coding about to start
eduGAIN Profiles
• WebSSO
– Shib 1.3 for SAML 1.1
– SAML2 (except artifact-based) for SAML 2.0
• AC
– Certificates plus optional attribute access
• UbC
– Convey user credentials introduced at the client
• WE
– Constrained delegation
• DAMe
WebSSO Profile
WebSSO in Practice
[Figure: "Current Inter-Federation Usage" – WebSSO flow diagram with numbered steps 1 to 9 between a user (login johnd / Pa$$wD), the IdP/SP sides and attribute ("Attr.") exchanges; the images themselves were not recoverable from the transcript]
Preparing for WebSSO
• Select a suitable BE and put it at the appropriate place
– Top of your federation
– Co-located with your SP/IdP
– As your only SP/IdP
• Optionally, register your BE in your local federation
• Get component identifier(s)
• Obtain certificate containing component identifier(s)
• Deploy the BE using the certificate
• Register your metadata at the MDS
AC Profile
AC in Practice
The perfSONAR Case
• Unique and non-transferable ID for each client
– URN obtained from eduGAIN registry service
• Private and public keys valid in the eduGAIN trust model
– Subject Alternative Name of the cert contains the URN
– Obtained from eduGAIN PKI
• Security Token is based on the X.509 certificate
Preparing for AC
• Incorporate software able to generate requests according to the profile
– Currently, part of the perfSONAR codebase
– Seems easy to generalize
• Deploy and configure a Home BE (H-BE) if you do not have one
– Including registration and certificate
• Register a URN/branch for your client(s)
– Optionally, assign individual identifiers
• Obtain certificate(s) containing component identifier(s)
• Incorporate data about the clients at your H-BE
• Deploy the clients
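As an added example (not eduGAIN or perfSONAR project code) for the two AC slides above: the check a Home BE could apply when an AC-profile client presents its certificate. The URN is read from the Subject Alternative Name, confirmed to sit under the branch registered for this H-BE's clients, and looked up in the client data held at the H-BE. The URN layout, the branch and client values, and the getpeercert()-style dict shape are assumptions made for the illustration.

```python
"""Added example, not eduGAIN/perfSONAR code: an H-BE validating an AC client.
Assumptions: component URNs form a colon-separated hierarchy in which a
registered branch delegates identifiers below it, and the certificate's SAN
is given in the dict shape Python's ssl.getpeercert() returns."""
import re

# Constructed: URN branch this H-BE registered for its perfSONAR clients.
REGISTERED_BRANCH = "urn:example:edugain:be:example-nren:perfsonar"

# Constructed: client data "incorporated at the H-BE" (client URN -> attributes).
KNOWN_CLIENTS = {
    REGISTERED_BRANCH + ":mp-01": {"role": "measurement-point"},
}

# Syntactic URN check: "urn:" + NID + ":" + non-empty NSS (RFC 2141 shape).
URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]{0,31}:\S+$", re.IGNORECASE)


def san_urns(peercert):
    """URN values found in URI-type subjectAltName entries of a peercert dict."""
    san = peercert.get("subjectAltName", ())
    return [value for kind, value in san if kind == "URI" and URN_RE.match(value)]


def in_branch(urn, branch):
    """True if urn is the branch itself or an identifier delegated below it."""
    return urn == branch or urn.startswith(branch + ":")


def validate_client(peercert, branch=REGISTERED_BRANCH, known=KNOWN_CLIENTS):
    """Return (client_urn, "ok") when accepted, else (None, reason).

    The TLS layer is assumed to have already verified the certificate chain
    against the eduGAIN PKI roots; this step only decides who the client is."""
    urns = san_urns(peercert)
    if not urns:
        return None, "no URN in subjectAltName"
    candidates = [u for u in urns if in_branch(u, branch)]
    if not candidates:
        return None, "URN outside registered branch"
    if len(candidates) > 1:
        return None, "ambiguous: several URNs under the branch"
    urn = candidates[0]
    if urn not in known:
        return None, "client URN not registered at this H-BE"
    return urn, "ok"
```

A client whose certificate chain verifies but whose URN belongs to another branch, or that was never added to the H-BE's client data, is rejected with the reason returned.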
UbC Profile
UbC in Practice
The perfSONAR Case
• A similar case to AC
– An online CA for getting the certificate: SASL CA
Preparing for UbC
• Incorporate software able to generate requests according to the profile
– Currently, part of the perfSONAR codebase
– Seems easy to generalize
• Deploy and configure a Home BE (H-BE) if you do not have one
– Including registration and certificate
• Deploy and configure a SASL online CA
– Including certificate
– It must have direct access to user credentials
– It must be able to provide a session to user attributes
• Deploy the clients
Why Current UbC Does Not Fly... And How To Fix It
• Deployment and configuration of the SASLCA
– Certificate... Stretches CA policy to the limit
– User credentials... Where to locate them
– Session to user attributes... How to establish the link
• Use an already existing credential exchange infrastructure
– Aligned with CA policies
– Pervasive
– With a profile allowing attribute retrieval
• Hey, we have the eduroam infrastructure!
– DAMe extensions to convey attributes
– And RadSec to enable H-BE location
UbC Profile Revisited
Preparing for New UbC
• Incorporate software able to generate requests according to the profile
– Can be based on the DAMe codebase
– And the relayed-trust management library
• Deploy and configure a Home BE (H-BE) if you do not have one
– Including registration and certificate
• Deploy and configure a RadSec server
– Including certificate
– Several choices: FreeRadius, radsecproxy,...
– Enable the DAMe extensions
• Deploy the clients
WE Profile
WE Profile in Practice
The perfSONAR Case
• Uses the eduGAIN WebSSO profile
• SAML assertions contain user's credentials
• Clients must have a pair of keys valid in the eduGAIN trust model
• Security Token is based on SAML assertions
WE Profile in Practice
The AutoBAHN Case
• User authN is performed through eduGAINFilter
• DM fetches user data and includes it in the WS message using SAML Parser
• Each IDM may use the data to perform authorization locally
Preparing for WE
• Deploy a H-BE according to WebSSO requirements
• Deploy and configure eduGAINFilter as R-BE for the client
– Similar solution for other environments being considered
• Install and configure the relayed-trust software
– In the perfSONAR codebase
– Working in its generalization
– Needs a specific identifier and certificate