UPKI-Federation based on Shibboleth

Motonori Nakamura, Toshiyuki Kataoka (National Institute of Informatics); Yasuo Okabe (Kyoto University)

Post on 14-Dec-2015


Page 1: UPKI-Federation based on Shibboleth

Motonori Nakamura, Toshiyuki Kataoka (National Institute of Informatics); Yasuo Okabe (Kyoto University)

Page 2: Outline

1. Overview of UPKI and UPKI-Fed

2. UPKI Single Sign-On Trial

3. Roadmap

Page 3: What is UPKI?

We are undertaking the construction of University Public Key Infrastructure (UPKI), which is intended to achieve an inter-university cooperation that makes use of educational and research computing systems, digital contents, networks, and business systems at almost 800 universities and other institutions in Japan, in safe, convenient, and effective ways.

We are promoting an Inter-university authentication federation by developing UPKI common specifications, and by developing applications using the PKI.

Page 4: 1. Overview of UPKI

Page 5: UPKI Three-Layer Architecture

[Figure: UPKI three-layer architecture. Open Domain PKI: the NII Open Domain CA (client certificates also under consideration) issues server certificates to the web servers of A Univ., B Univ. and C Univ. Campus PKI: each university's Campus CA issues certificates on IC cards to students, faculty and staff, and the campus PKIs of A Univ. and B Univ. are joined in a federation. Grid PKI: each university's NAREGI CA issues certificates, and proxy certificates are used to run jobs on the computing grid and data grid. Auto registration for the Open Domain PKI and for the Grid PKI is done by authentication in the Campus PKI.]

Page 6: UPKI Three-Layer Architecture

Open Domain PKI (Public PKI): used for authentication, signature and encryption on the Internet. Public certificates for servers and individuals on the Internet are issued by a PKI service provider.

Campus PKI: used on the campus network for secure access and secure transactions (SSO, VPN, 802.1X, e-Approval, etc.). Certificates for servers and for faculty, staff and students on the campus network are issued by each organization.

Grid PKI: used for authentication for NAREGI. Certificates for HPC resources and NAREGI users are issued by NAREGI-CA.

Page 7: UPKI Activities

[Figure: the three PKI layers and the activities built on them. Open Domain PKI: the NII Pub CA and other public CAs issue certificates for web servers and for S/MIME (sign, encrypt). Campus PKI: A Univ. CA and B Univ. CA issue end-entity (EE) certificates for on-campus use to students, faculty, servers and supercomputers (auth, sign, encrypt). NAREGI PKI: the A Univ. and B Univ. NAREGI CAs issue EE certificates, and proxy certificates are used for grid computing (auth, sign, encrypt). Activities: NAREGI-CA Enhancement, CA Start-Pack, UPKI Common Specification, Server Certificates, S/MIME Certificates, eduroam, Shibboleth.]

Page 8: UPKI-Fed Inter-University SSO Architecture

Leveraging PKI and Shibboleth (SAML) technologies, UPKI-Federation, which enables secure Single Sign-On for inter-university services such as electronic journals, is under development.

The project has been in the trial stage since Sept. 2008.

Page 9: UPKI-Fed Inter-University SSO Architecture

[Figure: federation using Shibboleth and PKI. SPs run by universities and academic societies offer e-journals, CiNii, e-learning, certificate issuance, server certificates, account issuance, wireless LAN and other services. IdPs run by universities and academic societies authenticate faculty, students and society members, giving Single Sign-On and secure access from off-campus or from another campus. UPKI-Federation provides the policy, the system specification, the UPKI-IdP Discovery Service, a support portal, an operational organization and a metadata repository; campus systems connect to it.]

Page 10: 2. UPKI-Fed SSO Trial

Page 11: UPKI-Fed Test-bed

[Figure: the test-bed. UPKI-Fed operates a Discovery Service (DS), IdP_00 and IdP_01 with a metadata repository, administrators with attribute management, and an SP; the UPKI Open Domain CA issues certificates. A University runs an IdP whose Campus CA issues client certificates to its users; B University runs its own IdP. SPs in the test-bed: CMS (Plone1), CMS (Moodle), CMS (Plone2), CiNii and a commercial service. A user is authenticated by the IdP of his/her own university and then reaches the SPs by SSO; a participant of the commercial service is likewise authenticated by the home IdP.]

Page 12: Feasibility Study Schedule (FY2008)

Preparation
- Setup documents
- VMware image for IdP
- Test-bed including DS and repository

Explanatory meeting (July 2008, twice)
- Asked both IT staff and librarians from each institute to attend

Development
- Developed a test SP
- Supported institutes in setting up IdP and SP
- Metadata distribution
- Feasibility test instructions
- Information sharing by wiki, mailing list and mail magazine

Participants meeting (Nov. 2008)
- Status reports from all institutions

Preparation for the next step
- Discussion and development of the policy for pilot operation

Demonstration at UPKI Symposium 2009 (Feb. 2009)

Page 13: Participants

27 institutions, 30 IdP sites, 18 SP sites

[Chart: number of IdP and SP sites by month, Aug. 2008 to Feb. 2009 (axis in steps of 10 sites); IdP reaches 30 sites and SP reaches 18 sites.]

Completed connection to Elsevier!

Page 14: Status of Participating Institutions

Name                                            | IdP  | SP
Hokkaido Univ.                                  | ○ 2  | -
Tohoku Univ.                                    | ○    | -
Yamagata Univ.                                  | ○    | -
Fukushima Univ.                                 | -    | -
High Energy Accelerator Research Organization   | -    | -
Tsukuba Univ.                                   | ○    | (Local test)
Tsukuba Univ. of Technology                     | -    | -
Chiba Univ.                                     | Test |
Tokyo Univ.                                     | ○    | -
Tokyo Institute of Technology                   | ○    | (Local test)
Ochanomizu Univ.                                | ○    | -
Advanced Institute of Industrial Technology     | ○ 2  | Multi-Mouse AP, (Local test)
Keio Univ.                                      | -    | -
National Institute of Informatics               | ○ 3  | CiNii Shib-test
Kanazawa Univ.                                  | ○    | File Transfer Service, Digital Contents Publishing (DSpace)
Nagoya Univ.                                    | ○    | -
Aichi Prefectural College of Nursing and Health | ○    | -
Kyoto Univ.                                     | ○    | Wireless LAN Account Issuance Service
Kyoto Sangyo Univ.                              | ○    | (Local test)
Osaka Univ.                                     | ○ 4  | (Grid Cert. Issuance Service)
Ehime Univ.                                     | -    | -
Tokushima Univ.                                 | ○    | Inter-Campus SNS (OpenPNE)
Hiroshima Univ.                                 | ○    | -
Yamaguchi Univ.                                 | ○    | SSO Test (Plone)
Kyushu Univ.                                    | ○    | (Local test)
Kumamoto Univ.                                  | ○    | -
Saga Univ.                                      | ○    | (Local test) 2

Page 15: Feasibility Study

Trial using Shibboleth 2.0/2.1.2
- Single Sign-On connections among universities' IdPs and SPs, and with commercial SPs from abroad
- Shibboleth 2.0 protocol among participants in Japan; Shibboleth 1.3 protocol to connect to existing commercial SPs from abroad
- Metadata automatic download test
- Metadata signing and verification test
- Connecting the IdP to campus LDAP/AD
- Attribute send/receive test, including Japanese attributes
- Tools test, such as ArpViewer

Page 16: Connecting to commercial SP from abroad

[Figure: the NII IdP (idp.nii.ac.jp) authenticates users against the institution's AD and is connected both to test SPs in participating institutions in Japan and to SPs abroad. All institution members can use the IdP now!]

Page 17: Connection with commercial SPs from abroad

Completed with Elsevier (ScienceDirect, Scopus)
- Protocol = Shibboleth 1.3: changed the UPKI-Fed protocol from Shib 2.0 only to Shib 2.0/Shib 1.3
- Certificate: asked SPs from abroad to use a commercial public certificate, because we can't issue UPKI certificates abroad

Connection plan with other commercial SPs soon: RefWorks, Nature, OUP (Oxford University Press), LWW/Ovid, Springer, Thomson, EBSCO

Within the next fiscal year(?): CUP (Cambridge University Press), Wiley-Blackwell, SAGE, ProQuest, JSTOR, Serials Solutions, Taylor & Francis, APS (American Physical Society)

Page 18: Connection with Elsevier

[Screenshot: Elsevier login screen]

Page 19: 3. Roadmap

Page 20: UPKI-Fed Prospective Plan

Goal: inter-university AuthN and AuthZ infrastructure for ALL services

The "Feasibility Study" will end in Mar. 2009; "Pilot Operation" will start from April 2009.

FY2008: Feasibility Study - connection using test accounts
FY2009: Pilot Operation - connection using real accounts under campus policies
FY2010: Practical Operation - practical operation with real accounts and services

Page 21: Preparation for UPKI-Fed Pilot Operation

UPKI-Fed Policy (under development)
- "UPKI-Fed Pilot Operation Procedure" (Draft)
- "UPKI-Fed System Specification" (Draft)

Attributes (specified in the above documents)
- eppn/persistentID, o, ou, eduPersonAffiliation, etc.
- Two-byte code support (Japanese): Name, DisplayName, OrganizationName, ... (discussing whether to define "jasn", "jaDisplayName", "jao", ...)

Configuration template
- Preparing templates for attribute-resolver, attribute-filter and attribute-map for UPKI-Fed participants
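The attribute-filter template itself is not on the slide; the following is an added example, not the UPKI-Fed project's own template, of a Shibboleth IdP 2.x attribute-filter.xml policy that releases the attribute set listed above only to SPs registered in the federation's metadata. The groupID URL and the attribute IDs (which must match the IdP's attribute-resolver.xml) are assumptions.

```xml
<afp:AttributeFilterPolicyGroup id="UpkiFedFilterPolicy"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:saml="urn:mace:shibboleth:2.0:afp:mf:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

  <!-- Release the UPKI-Fed attribute set only to SPs that appear in the
       federation's signed metadata; the groupID is an assumed placeholder. -->
  <afp:AttributeFilterPolicy id="releaseToUpkiFedSPs">
    <afp:PolicyRequirementRule xsi:type="saml:AttributeRequesterInEntityGroup"
        groupID="https://upki-fed.example.jp/metadata" />

    <!-- eppn: the federation-wide user identifier -->
    <afp:AttributeRule attributeID="eduPersonPrincipalName">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- persistentId: opaque, per-SP identifier, so SPs cannot correlate users -->
    <afp:AttributeRule attributeID="persistentId">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- o / ou: home organization and department -->
    <afp:AttributeRule attributeID="o">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>
    <afp:AttributeRule attributeID="ou">
      <afp:PermitValueRule xsi:type="basic:ANY" />
    </afp:AttributeRule>

    <!-- eduPersonAffiliation: release only the controlled-vocabulary values an
         e-journal SP needs for its access decision; any other value is dropped -->
    <afp:AttributeRule attributeID="eduPersonAffiliation">
      <afp:PermitValueRule xsi:type="basic:OR">
        <basic:Rule xsi:type="basic:AttributeValueString" value="member" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="student" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="faculty" ignoreCase="true" />
        <basic:Rule xsi:type="basic:AttributeValueString" value="staff" ignoreCase="true" />
      </afp:PermitValueRule>
    </afp:AttributeRule>
  </afp:AttributeFilterPolicy>

  <!-- The Japanese-language attributes ("jasn", "jaDisplayName", "jao") are
       still under discussion on the slide, so no rule releases them yet. -->
</afp:AttributeFilterPolicyGroup>
```

Attributes with no AttributeRule in a matching policy are never released, so an IdP that adds a new attribute to attribute-resolver.xml must also decide here which SPs may receive it.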

Page 22: UPKI-Fed Pilot Operation Procedure (Draft)

Page 23: Summary

UPKI-Fed: Japanese Academic Federation
- Architecture design: develop a suitable architecture on the UPKI PKI infrastructure (three layers), taking the institutions' situations into consideration; deployment of Shibboleth/SAML
- Roadmap: FY2008 Feasibility Study (evaluate and develop the architecture using the test-bed; small start with a few SP services); FY2009 Pilot Operation; FY2010~ Operational