CARSI: Cross University Identity Management and Resource Sharing over CERNET

Prof. PING CHEN
Peking University, Beijing, China
Aug 9th, 2011

CARSI & 北京大学 Peking University



Agenda

Current IdM Situation in CERNET

What is CARSI?

What are we doing?

What will we do in the near future?


Authentication & SSO is developing.

[Diagram: University A, with separate applications (Web Mail, e-Learning, Research DB, Literature DB, e-Journals), each with its own app-wide user DB; the layers shown are identity management, authentication, access control and resource. Callouts: no SSO; multiple username/password pairs over multiple apps.]

In CERNET, most univ. are …

[Diagram: University A, with groups of applications (Library app1 … Library app.., MIS app1 … MIS app.., Camp net app1 … Camp net app..), each group sharing one user DB; the layers shown are identity management, authentication, access control and resource. Callouts: several apps share a user DB; several SSOs, separated by application scope; multiple physical user DBs maintained by different teams; convenient to maintain; still multiple username/password pairs.]

In CERNET, some univ. are …

[Diagram: University A, with the same application groups (Library, MIS and Camp net apps), each group with its own user DB; the layers shown are identity management, authentication, access control and resource. Callouts: multiple physical user DBs maintained by different teams; offline/online partial user info synchronization between them; convenient to maintain; still multiple username/password pairs.]

In CERNET, some univ. are …

[Diagram: University A, with the same application groups (Library, MIS and Camp net apps) all backed by one physical user DB; the layers shown are identity management, authentication, access control and resource. Callouts: one physical user DB; very convenient to maintain; the ideal selection.]

In PKU, the IDM is ……

Built in Jul, 2000.

1GB IP gateway: transparently deployed at the campus network entrance; wire-speed transfer.

Identity Management: LDAP-based; informs the IP gateway when a user logs in or out.

SSO: one login triggers multiple apps.

Billing: the IP gateway reports raw billing data; independent billing system.


Authentication is developing. Cross-domain authn makes a large scope of resource sharing possible.

[Diagram: Domain A (Web Mail, e-Learning), Domain B (Literature DB, e-Journals) and Domain C (e-Learning, Research DB), each with its own identity management, authentication and access control layers over its resources.]

Domain: SSO scope. Resource sharing: extending an SSO id's working scope under the user's control. Balance an over-large SSO scope against login convenience.

Domain: univ. One univ. uid can be used by other univ. applications or commercial services, to extend the usage of an authentic user identity.

What is CARSI?

CERNET Authentication and Resource Sharing Infrastructure

Goals:

To integrate university IDMs into a CERNET federation

To share univ. authentic user info resources over CERNET and for commercial applications

To share existing protected web applications with more users

To provide a fundamental AAI middleware for CERNET applications

To push new applications among universities

CARSI’s short history

Initiated in 2005, as one part of a network security project

Extended to 4 univ. in 2008

Extended to 30 univ. in 2010

Until now, sponsored primarily by national research projects

What are we doing?

A CNGI pre-commercial project spreading to 30 univ.

Planned to end in June, 2011

Topic: federation-wide campus learning and living information exchange

Applications include Bulletin Board Systems, blogs, library, lecture videos, learning materials, entertainment videos, job seeking info, shopping, net disk, etc.

CARSI Deployment

[Diagram: Peking Univ., SCUT and Tsinghua Univ. each run an IdP, an SP, a user DB and applications; industry applications also participate. Further member universities: BUAA, BUPT, CSU, CQU, FUDAN, HBNU, HUST, JLU, LZU, LNU, NEU, OUC, SDU, SJTU, SZU, TJU, TONGJI, UESTC, UIBE, USTC, XMU, XJTU, ZJU, ZZU, DLUT, HIT; the logos of 西安交通大学 and 东北大学 appear as decoration.]

Shibboleth & CARSI

Shibboleth Workflow

[Diagram referenced from SWITCH.]

CARSI Workflow Demo


What are we doing? FPR, VRD, OpenIdP

CARSI FPR: Federation Provider Registry. A system for federation members to manage their IdP/SP. Role-based administrator management: FedAdmin, OrgAdmin, IdPAdmin, SPAdmin. IdP/SP management based on policy.

CARSI VRD: Virtual Resource Directory. A list of shared web applications, synchronized with FPR-registered SPs, classified and exhibited for user access.

CARSI-OpenIdP: An open identity provider, freely registered.

What are we doing? FIVA

Federation Inter-visit Analysis

Goal: How many and what kind of influences does cross-domain AAI bring to users (IdP) and applications (SP)? How is cross-domain AAI being used? What are users' usage habits?

Methods: Federation log recording, aggregating and analysing: IdP log, SP log, DS log, etc.

Resource sharing statistics: Based on the IdP, how many IdP users visit other-domain applications, their usage behaviour, etc. Based on the SP, which domain and what kind of users visit it, what the peak visiting time is, etc.

User behavior and action tracking: Tracing a user's visiting sequence. Which visiting sequence is more adopted? How does cross-domain AAI benefit them?
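To make the FIVA statistics concrete, here is an added Python example (not the CARSI project's code) that aggregates federation audit records: per IdP, how many distinct users visited an SP outside their own domain, and per SP, visits by home domain and the peak visiting hour. The log layout, entity ids and user names are constructed for this example; real Shibboleth IdP/SP audit logs carry the same fields in a different layout.

```python
# Added example, not CARSI's own code. The "idp=... user=... sp=..." layout and
# every value in SAMPLE_LOG are constructed; real audit logs differ in layout.
import re
from collections import Counter, defaultdict
from datetime import datetime
LOG_RE = re.compile(r"^(?P<ts>\S+) idp=(?P<idp>\S+) user=(?P<user>\S+) sp=(?P<sp>\S+)$")

SAMPLE_LOG = """\
2011-08-09T09:05:10 idp=pku.edu.cn user=alice sp=https://lib.tsinghua.edu.cn/sp
2011-08-09T09:40:33 idp=pku.edu.cn user=bob sp=https://lib.tsinghua.edu.cn/sp
2011-08-09T10:02:01 idp=pku.edu.cn user=alice sp=https://bbs.pku.edu.cn/sp
2011-08-09T10:20:45 idp=tsinghua.edu.cn user=carol sp=https://videos.pku.edu.cn/sp
2011-08-09T09:55:00 idp=tsinghua.edu.cn user=dave sp=https://lib.tsinghua.edu.cn/sp
2011-08-09T09:58:12 idp=scut.edu.cn user=erin sp=https://lib.tsinghua.edu.cn/sp
this malformed line must be skipped, not crash the aggregation
"""

def sp_domain(entity_id):
    """Home domain of an SP: its host minus the first label (assumed naming
    convention, e.g. lib.tsinghua.edu.cn -> tsinghua.edu.cn)."""
    host = entity_id.split("//", 1)[-1].split("/", 1)[0]
    return host.split(".", 1)[1]

def parse(log_text):
    """Parse records; lines that do not match the layout are dropped."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.fromisoformat(d["ts"])
            events.append(d)
    return events

def idp_cross_domain_users(events):
    """IdP-side statistic: distinct users per IdP who visited an other-domain SP."""
    users = defaultdict(set)
    for e in events:
        if sp_domain(e["sp"]) != e["idp"]:
            users[e["idp"]].add(e["user"])
    return {idp: len(u) for idp, u in users.items()}

def sp_visit_profile(events, sp):
    """SP-side statistic: visits by home domain (IdP) and the peak visiting hour."""
    hits = [e for e in events if e["sp"] == sp]
    by_domain = Counter(e["idp"] for e in hits)
    by_hour = Counter(e["ts"].hour for e in hits)
    peak = by_hour.most_common(1)[0][0] if by_hour else None
    return dict(by_domain), peak
```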


What are we doing? Authorization

Current situation: Candidate applications have different authn and access control requirements and implementations. Resource diversity increases the difficulty of federation authorization.

Goal: To simplify the migration of applications into the federation with no or little code modification.

Applications: Before joining CARSI Fed

Some apps required authn with simple or no authr policies.

Some apps already had authn and authr policies implemented in modules loosely coupled with the application logic.

Some apps already had authn and authr policies dispersed in the application code, difficult to separate out.

Some apps supported some kind of campus-wide identity management.

Some apps were planning to enforce access control.

Some had been shibbolethed.

CARSI Web Application Classification

Class                                  | Authn-Required | Authr-Required | Authn Impl.         | Authr Impl.
AOA  – Authn only App                  | Yes            | No             | CARSI               | no
FAA  – Fed Attribute-relying App       | Yes            | Yes            | CARSI               | Application
AAIA – Authn & Authr Independent App   | Yes            | Yes            | CARSI               | CARSI
AAEA – Authn & Authr Embedded App      | Yes            | Yes            | CARSI & Application | Application

Fed Attribute-relying Application

[Diagram: IdP and SP, steps 1-7: the IdP authenticates the user against its user DB and returns the authn result; the SP sends an attribute request and receives the attribute response carrying the user's attributes; the attribute-relying app performs access control on those attributes.]

Shib-enabled applications: for example, Plone CMS

Authn & Authr Independent Application

[Diagram: IdP (authn, attributes, user DB) and SP (assertion handler, attribute request/response, authn result); the AAIA application delegates to a unified authorization component holding user role info (roles assigned), an authr decision engine and the access control policy; steps 1-8.]

Authorization part loosely coupled with application.

Authn & Authr Embedded Application

[Diagram: IdP (authn, attributes, user DB) and SP (assertion handler, attribute request, authn result, content); the AAEA application keeps its own authn model and authr model, and an id-mapping step backed by an id-mapping DB translates the federated id into the local uid; steps 1-8.]

Authorization part tightly coupled with application, for example, BBS.
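As an added example (not code from the CARSI project), the following Python sketches the SP-side dispatch implied by the classification table and the AAIA/AAEA diagrams: a unified authorization component that assigns roles from released attributes and evaluates a deny-by-default policy (AAIA), and an id-mapping store that turns a federated id into a local uid on first visit (AAEA). The attribute names are eduPerson/SCHAC names commonly released by Shibboleth IdPs; the role rules, policy, resource paths, FAA stand-in check and in-memory store are assumptions for the example.

```python
# Added example, not CARSI's own code. Attribute names are eduPerson/SCHAC
# names; role rules, policy, resource paths and the mapping store are assumed.
from dataclasses import dataclass, field

@dataclass
class UnifiedAuthz:
    """AAIA: user role info, an authr decision engine and an access control
    policy held outside the application (loosely coupled)."""
    role_rules: dict = field(default_factory=dict)   # (attr, value) -> role
    policy: dict = field(default_factory=dict)       # resource -> allowed roles

    def roles_for(self, attrs):
        """Assign roles from the (multi-valued) attributes the IdP released."""
        return {role for (attr, value), role in self.role_rules.items()
                if value in attrs.get(attr, ())}

    def decide(self, attrs, resource):
        """Deny by default: an unknown resource or no matching role is False."""
        return bool(self.roles_for(attrs) & self.policy.get(resource, set()))

class IdMapping:
    """AAEA: translate the federated id into the app's local uid, creating the
    mapping on first visit; the embedded authr model then sees only local uids."""
    def __init__(self, first_uid=1000):
        self.db = {}            # federated id -> local uid (in-memory stand-in)
        self._next = first_uid

    def local_uid(self, fed_id):
        if fed_id not in self.db:
            self.db[fed_id] = self._next
            self._next += 1
        return self.db[fed_id]

def authorize(app_class, attrs, resource, authz, mapping):
    """Dispatch per the CARSI classification; returns (allowed, local_uid).
    The FAA branch stands in for an application's own attribute policy."""
    eppn = attrs.get("eduPersonPrincipalName") or []
    if not eppn:
        return False, None                       # no authn result from the IdP
    if app_class == "AOA":                       # authn only, no authr
        return True, None
    if app_class == "FAA":                       # app checks attributes itself
        return "member" in attrs.get("eduPersonAffiliation", []), None
    if app_class == "AAIA":                      # unified authorization decides
        return authz.decide(attrs, resource), None
    if app_class == "AAEA":                      # map id, embedded authr takes over
        return True, mapping.local_uid(eppn[0])
    raise ValueError(f"unknown application class: {app_class}")
```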

CARSI Today

CARSI achievements till today:

Campus study and living information exchange

Library resources: Thomson Reuters + Tsinghua Univ. library

International research collaboration: PKU physics school + CERN Italy INFN Catania node

More univ. show their interest: Shenzhen Univ. library, Beijing Science & Technology Univ.

Ongoing or possible experiments: Microsoft university plan (DreamSpark + CA + MSDN AA), The Royal Society of Chemistry, SUN YAT-SEN University

Conclusion

Federation development situation in the world:

In the US, InCommon is serving daily life: certificates, social insurance, Google, etc.

In the UK, library resource visiting.

Production environments widely deployed in EU countries in the past couple of years.

CARSI tomorrow:

Make more people know about it

Try to build a production environment?

Attract more interesting resources

Thank You!

CARSI: http://www.carsi.edu.cn

Email: [email protected]
