CARSI - Internet2 (presentation transcript)
CARSI: Cross University Identity Management
and Resource Sharing over CERNET
Prof. PING CHEN
Peking University, Beijing, China
Aug 9th, 2011
CARSI & 北京大学Peking University
Agenda
Current IdM Situation in CERNET
What is CARSI?
What are we doing?
What will we do in the near future?
Authentication & SSO is developing.
[Diagram: University A with Web Mail, e-Learning, Research DB, Literature DB and e-Journals; each application keeps its own app-wide user DB for identity management, authentication and access control; no SSO; users hold multiple username/password pairs across multiple apps.]
In CERNET, most univ are …
[Diagram: University A with Library apps, MIS apps and campus-net apps; several apps share one user DB; several SSOs, separated by application scope; multiple physical user DBs maintained by different teams.]
Convenient to maintain; still multiple username/password pairs.
In CERNET, some univ are …
[Diagram: University A with Library apps, MIS apps and campus-net apps; multiple physical user DBs maintained by different teams, with offline/online partial synchronization of user info between them.]
Convenient to maintain; still multiple username/password pairs.
In CERNET, some univ. are …
[Diagram: University A with Library apps, MIS apps and campus-net apps all served by one physical user DB for identity management, authentication and access control.]
Very convenient to maintain; the ideal selection.
In PKU, the IDM is ……
Built in Jul, 2000
1GB IP gateway: transparently deployed at the campus network entrance; wire-speed transfer
Identity Management: LDAP-based; informs the IP gateway when a user logs in or out
SSO: one login triggers multiple apps
Billing: the IP gateway reports raw billing data to an independent billing system
[Diagram: Domain A (Web Mail, e-Learning), Domain B (Literature DB, e-Journals) and Domain C (e-Learning, Research DB), each with its own identity management, authentication and access control, linked by cross-domain authentication.]
Authentication is developing. Cross-domain authn makes a large scope of resource sharing possible.
Domain: SSO scope. Resource sharing: extending an SSO id's working scope under the user's control. Balance an over-large SSO scope against login convenience.
Domain: univ. One univ uid can be used by other univ. apps or commercial services, to extend the usage of authentic user identity.
What is CARSI?
CERNET Authentication and Resource Sharing Infrastructure
Goals:
To integrate university IDMs into a CERNET federation
To share univ. authentic user info resources over CERNET and for commercial applications
To share existing protected web applications with more users
To provide a fundamental AAI middleware for CERNET applications
To push new applications among universities
CARSI’s short history
Initiated in 2005, as one part of a network security project
Extended to 4 univ. in 2008
Extended to 30 univ. in 2010
Till now, sponsored primarily by national research projects
What are we doing?
A CNGI pre-commercial project spreading to 30 univ.
Plan to end in June, 2011
Topic: federation-wide campus learning and living information exchange
Applications include Bulletin Board Systems, blogs, library, lecture videos, learning materials, entertainment videos, job seeking info, shopping, net disk, etc.
CARSI Deployment
[Diagram: Shibboleth & CARSI deployment map. IdPs with User DB and applications at Peking Univ., SCUT and Tsinghua Univ.; SPs at BUAA, BUPT, CSU, CQU, FUDAN, HBNU, HUST, JLU, LZU, LNU, NEU, OUC, SDU, SJTU, SZU, TJU, TONGJI, UESTC, UIBE, USTC, XMU, XJTU, ZJU, ZZU, DLUT, HIT (logos of 西安交通大学 Xi'an Jiaotong University and 东北大学 Northeastern University); industry applications.]
What are we doing? FPR, VRD, OpenIdP
CARSI FPR: Federation Provider Registry
A system for federation members to manage their IdP/SP
Role-based administrator management: FedAdmin, OrgAdmin, IdPAdmin, SPAdmin
IdP/SP management based on policy
CARSI VRD: Virtual Resource Directory
A list of shared web applications
Synchronized with FPR-registered SPs
Classified and exhibited for user access
CARSI-OpenIdP
An open identity provider
Freely registered
What are we doing? FIVA
Federation Inter-visit Analysis
Goal: How many and what kind of influences does cross-domain AAI bring to users (IdP) and applications (SP)? How is cross-domain AAI being used? What are users' usage habits?
Methods: federation log recording, aggregating and analysing: IdP log, SP log, DS log, etc.
Resource sharing statistics: based on IdP, how many IdP users visit other-domain applications, their usage behaviour, etc.; based on SP, which domains and what kinds of users visit it, what the peak visiting time is, etc.
User behaviour and action tracking: tracing a user's visiting sequence; which visiting sequence is more adopted? How does cross-domain AAI benefit them?
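The FIVA aggregation described above, as an added illustration (not CARSI's own FIVA code): constructed IdP/SP/DS log records in a simplified "timestamp|source|idp|sp|user" format (real Shibboleth audit logs differ), aggregated into the IdP-side and SP-side statistics the slide lists.

```python
"""Federation inter-visit analysis over constructed federation log records."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample records: two IdPs, three SPs, scoped user ids.
# Field layout (assumed here): timestamp|source|idp|sp|user, source in idp/sp/ds.
SAMPLE_LOG = """\
2011-08-09T08:05:00|idp|pku.edu.cn|bbs.tsinghua.edu.cn|alice@pku.edu.cn
2011-08-09T08:07:00|sp|pku.edu.cn|bbs.tsinghua.edu.cn|alice@pku.edu.cn
2011-08-09T09:10:00|sp|pku.edu.cn|lib.pku.edu.cn|alice@pku.edu.cn
2011-08-09T09:30:00|sp|tsinghua.edu.cn|lib.pku.edu.cn|bob@tsinghua.edu.cn
2011-08-09T09:45:00|sp|tsinghua.edu.cn|lib.pku.edu.cn|carol@tsinghua.edu.cn
2011-08-09T14:00:00|sp|pku.edu.cn|bbs.tsinghua.edu.cn|dave@pku.edu.cn
2011-08-09T14:05:00|ds|pku.edu.cn|video.scut.edu.cn|dave@pku.edu.cn
2011-08-09T14:06:00|sp|pku.edu.cn|video.scut.edu.cn|dave@pku.edu.cn
"""

def parse_log(text):
    """Yield (time, source, idp, sp, user); skip malformed records."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue  # aggregation must tolerate partial or garbled lines
        ts, source, idp, sp, user = parts
        yield datetime.fromisoformat(ts), source, idp, sp, user

def sp_domain(sp):
    """Domain operating an SP, taken from its hostname (assumed convention)."""
    return sp.split(".", 1)[1]

def cross_domain_users_by_idp(text):
    """IdP view: distinct users per IdP who visited an other-domain SP."""
    users = defaultdict(set)
    for _, source, idp, sp, user in parse_log(text):
        if source == "sp" and sp_domain(sp) != idp:
            users[idp].add(user)
    return {idp: len(u) for idp, u in users.items()}

def sp_visit_profile(text, sp):
    """SP view: visits per home domain and the peak visiting hour."""
    by_domain, by_hour = Counter(), Counter()
    for ts, source, idp, rec_sp, _ in parse_log(text):
        if source == "sp" and rec_sp == sp:
            by_domain[idp] += 1
            by_hour[ts.hour] += 1
    peak = by_hour.most_common(1)[0][0] if by_hour else None
    return dict(by_domain), peak
```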
What are we doing? Authorization
Current situation:
Candidate applications have different authn and access control requirements and implementations.
Resource diversity increases the difficulty of federation authorization.
Goals:
To simplify application migration into the federation with no or little code modification.
Applications: Before joining CARSI Fed
Some apps required authn with simple or no authr policies.
Some apps already had authn and authr policies implemented in modules loosely coupled with application logic.
Some apps already had authn and authr policies dispersed in application code, difficult to separate.
Some apps supported some kind of campus-wide identity management.
Some apps were planning to enforce access control.
Some had been shibbolethed.
CARSI Web Application Classification

Class                                  Authn-Required  Authr-Required  Authn Impl.          Authr Impl.
AOA – Authn only App                   Yes             No              CARSI                no
FAA – Fed Attribute-relying App        Yes             Yes             CARSI                Application
AAIA – Authn & Authr Independent App   Yes             Yes             CARSI                CARSI
AAEA – Authn & Authr Embedded App      Yes             Yes             CARSI & Application  Application
Fed Attribute-relying Application
[Diagram: the IdP authenticates the user and returns the authn result to the SP; user attributes are fetched from the IdP's user DB via attribute request/response; the attribute-relying app performs access control on the released attributes (steps 1-7).]
Shib-enabled applications: for example, Plone CMS
Authn & Authr Independent Application
[Diagram: the IdP (authn, attributes, user DB) sends the authn result to the SP's assertion handler; attribute request/response feed CARSI's unified authorization, where role-assigned user role info and an access control policy drive the authr decision engine (steps 1-8).]
Authorization part loosely coupled with application
Authn & Authr Embedded Application
[Diagram: the IdP (authn, attributes, user DB) sends the authn result to the SP's assertion handler; an id-mapping DB maps the federated id to a local uid, which the application's own authn model and authr model use before content is served (steps 1-8).]
Authorization part tightly coupled with application, for example, BBS
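An added illustration of the three integration classes from the classification table (FAA, AAIA, AAEA) on the SP side, not CARSI's or Shibboleth's code: the attribute names, roles, policies and id-mapping table are constructed, and the federated id is assumed to be a scoped identifier (user@idp-domain) released by the IdP.

```python
"""SP-side handling of one federation assertion for the FAA, AAIA and AAEA classes."""

# Constructed attribute assertion, as the SP's assertion handler would hand it
# to the application after the IdP's authn result and attribute response.
ASSERTION = {"fedid": "alice@pku.edu.cn", "affiliation": "student",
             "homeorg": "pku.edu.cn"}

# FAA: authn by CARSI, authr by the application on the released attributes.
FAA_POLICY = {"/journals": {"student", "faculty"}, "/admin": {"faculty"}}

def faa_decide(assertion, path):
    """Attribute-relying app: allow iff the affiliation is listed for path."""
    return assertion.get("affiliation") in FAA_POLICY.get(path, set())

# AAIA: CARSI's unified authorization assigns roles from the assertion, then a
# decision engine evaluates an access control policy written over those roles.
ROLE_ASSIGNMENT = {("pku.edu.cn", "student"): {"reader"},
                   ("pku.edu.cn", "faculty"): {"reader", "editor"},
                   ("*", "student"): {"guest"}}  # default for other domains
ACL_POLICY = {"/journals": {"reader", "guest"}, "/edit": {"editor"}}

def aaia_roles(assertion):
    """Role assignment keyed by (home domain, affiliation), with a wildcard default."""
    key = (assertion["homeorg"], assertion["affiliation"])
    return ROLE_ASSIGNMENT.get(key) or ROLE_ASSIGNMENT.get(("*", key[1]), set())

def aaia_decide(assertion, path):
    """Decision engine: grant iff some assigned role is permitted on path."""
    return bool(aaia_roles(assertion) & ACL_POLICY.get(path, set()))

# AAEA: authn/authr are embedded in the app (e.g. a BBS with its own user
# table), so the SP only maps the federated id to a local uid; the app's own
# models take over from there.
ID_MAPPING_DB = {"alice@pku.edu.cn": 1001, "bob@tsinghua.edu.cn": 2002}

def aaea_local_uid(assertion):
    """Return the local uid, or None when no mapping exists: an unmapped
    federated user gets no local identity until explicitly provisioned."""
    return ID_MAPPING_DB.get(assertion["fedid"])
```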
CARSI Today
CARSI achievements till today
Campus study and living information exchange
Library resources: Thomson Reuters + Tsinghua Univ. library
International research collaboration: PKU physics school + CERN Italy INFN Catania node
More univ. show their interest: Shenzhen Univ. library, Beijing Science & Technology univ.
Ongoing or possible experiments: Microsoft university plan (DreamSpark + CA + MSDN AA), The Royal Society of Chemistry, SUN YAT-SEN University
Conclusion
Federation development situation in the world
In the US, InCommon serves daily life: certificates, social insurance, Google, etc.
In the UK, library resource access
Production environments widely deployed in EU countries in the past couple of years
CARSI tomorrow
Make more people know about it
Trying to build a production environment?
Attract more interesting resources