
Page 1: Do you like to puzzle? …build an AA Infrastructure!

DELAMAN Access Group Workshop

November 30th, 2004

Page 2: Presentation contents

• Drivers for an AAI;
• The pieces of the AAI-puzzle:
  – network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments.

Page 3: Authentication and Authorisation Infrastructure (AAI)

The Authentication and Authorisation Services, the components for Identity and Privilege Management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.

Page 4: Why AAI? Personalised service provisioning

Page 5: Why AAI? Educational mobility

Page 6: Why AAI? Network mobility

Page 7: Why AAI? Reduce the digital key ring

Page 8: Ingredients of an AAI

Diagram (puzzle pieces): Network, Login, (web) Application, Authentication, Authorisation, Administration.

Page 9: Network access: RADIUS proxy hierarchy

Diagram: Organisational RADIUS Servers A, B and C connect to National RADIUS Proxy Servers, which in turn connect to European RADIUS Proxy Servers. Puzzle piece: network.
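As an added example (not from the slides), the realm-based forwarding that the hierarchy above implies, in Python: an organisational server authenticates its own realm, hands anything else to its national proxy, which routes down to a known organisation or up to the European proxy; a hop limit stops misrouted requests from looping between proxies. Server names, realms and the hierarchy are constructed.

```python
"""Realm-based routing in a RADIUS proxy hierarchy (organisation -> national -> European).
Added example; server names and realms are constructed."""
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 5  # guard against proxy loops and endlessly misrouted realms

@dataclass
class RadiusNode:
    name: str
    local_realms: set = field(default_factory=set)  # realms this server authenticates itself
    children: dict = field(default_factory=dict)    # realm or country suffix -> child node
    parent: Optional["RadiusNode"] = None           # next proxy up the hierarchy

def split_realm(user_name: str) -> Optional[tuple]:
    """Return (user, realm) for 'user@realm', or None when no usable realm is present."""
    if user_name.count("@") != 1:
        return None
    user, realm = user_name.split("@")
    if not user or "." not in realm:
        return None
    return user, realm.lower()

def route(node: RadiusNode, user_name: str, hops: int = 0) -> list:
    """Return the servers an Access-Request passes through, ending in AUTH or REJECT."""
    parsed = split_realm(user_name)
    if parsed is None:
        return [node.name, "REJECT: missing or malformed realm"]
    if hops >= MAX_HOPS:
        return [node.name, "REJECT: hop limit exceeded"]
    realm = parsed[1]
    if realm in node.local_realms:
        return [node.name, f"AUTH at {node.name}"]
    # Route downwards first: the longest matching suffix wins ('uni-a.nl' before 'nl').
    for suffix in sorted(node.children, key=len, reverse=True):
        if realm == suffix or realm.endswith("." + suffix):
            return [node.name] + route(node.children[suffix], user_name, hops + 1)
    if node.parent is not None:  # unknown here: hand the request to the next proxy up
        return [node.name] + route(node.parent, user_name, hops + 1)
    return [node.name, "REJECT: unknown realm"]

def build_hierarchy() -> dict:
    """Constructed hierarchy: two national proxies under one European proxy."""
    eu = RadiusNode("eu-proxy")
    nl, de = RadiusNode("nl-proxy", parent=eu), RadiusNode("de-proxy", parent=eu)
    eu.children = {"nl": nl, "de": de}
    org_a, org_b = RadiusNode("uni-a", {"uni-a.nl"}, parent=nl), RadiusNode("uni-b", {"uni-b.nl"}, parent=nl)
    org_c = RadiusNode("uni-c", {"uni-c.de"}, parent=de)
    nl.children, de.children = {"uni-a.nl": org_a, "uni-b.nl": org_b}, {"uni-c.de": org_c}
    return {"uni-a": org_a, "uni-b": org_b, "uni-c": org_c}
```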

Page 10: Network access: User-controlled light path provisioning

Diagram: each network domain (SURFnet6, NetherLight, OMNInet, Starlight) is shown with its Applications, an AAA component and a Broker; further labels: Services, AAA, UDDI/WSIL, A-Select, token. Puzzle piece: network.

Page 11: Application access: centralise intelligence (puzzle piece: applications)

Page 12: Application access: centralise intelligence, continued (puzzle piece: applications)

Page 13: Login server: intermediary between application and AA, providing SSO login

Page 14: Authentication: choose your own method (and strength)

• IP address
• Username / password
  – LDAP / Active Directory
  – RADIUS
  – SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …

Puzzle piece: authentication

Page 15: Authentication: solutions for web environments

• Web Initial Sign-on (WebISO)
  – A-Select, SURFnet
  – CAS, Yale
  – Cosign, Michigan
  – Distauth, UC Davis
  – eIdentity Web Authentication, Colorado State
  – PAPI, RedIRIS
  – Pubcookie
  – Web AuthN/AuthZ, Michigan Tech
  – WebAuth, Stanford
  – … etcetera

Puzzle piece: authentication

Page 16: Authorisation: policy engines (puzzle piece: authorisation)

Page 17: Authorisation: policy engines, e.g. using ‘roles’ (puzzle piece: authorisation)

Page 18: Authorisation: 3 scenarios

1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about the attributes to be exchanged (‘ideal and upcoming’)

Puzzle piece: authorisation

Page 19: Administration: Identity Management

• How to record the identities (schemas), credentials (attributes or roles) and privileges?
• An enterprise (or meta) directory glues all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It is the underlying basis for an AAI;
• …and it is a hype…

Puzzle piece: administration

Page 20: Administration: Identity Management - layers example

Diagram, top to bottom:
– Admin. layer: SAP/HR, Local Admin
– Directory layer: LDAP, ADS
– Application layer: Exchange, W2K/XP, RADIUS, CAB, Portfolio
– Network layer: 802.1x, WLAN, Dial-Up

Puzzle piece: administration

Page 21: Presentation contents (progress)

• Drivers for an AAI;
• The pieces of the AAI-puzzle:
  – network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments.

Page 22: Federations

A Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI: a Federated AAI or an AAI Federation.

Diagram: Group A, Group B.

Page 23: Cross-domain AA: ingredients for a federation

• Policies (e.g. InCommon* from Internet2):
  – Federation Operating Practices and Procedures
  – Participant Agreement
  – Participant Operating Practices
• Technologies:
  – Protocols / language
  – Schemas
  – Trust / PKI

* http://www.incommonfederation.org/

Page 24: Cross-domain AA: federation, organisational view (diagram: Group A, Group B)

Page 25: Bird’s-eye view of the Shibboleth Suite

• What is Shibboleth?
  – An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user’s privacy. Trust relations are created within a federation;
• What does Shibboleth offer?
  – authorisation, attribute gathering and privacy-safe transport of attributes;
• What doesn’t Shibboleth do?
  – out-of-the-box authentication; choose a WebISO (e.g. A-Select);
• Result at a protected resource after the Shibboleth process:
  – user ID-x with the attributes X, Y wants access to resource Z
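As an added example (not from the slides) covering the three authorisation scenarios on page 18 and the Shibboleth result above, a small Python policy check at a protected resource: scenario 1 accepts any authenticated user, scenario 2 discloses the identity plus the requested attributes, and scenario 3 releases only attributes the home organisation's release policy permits, denying when a required attribute is withheld. Users, attributes, resources and policies are constructed.

```python
"""Attribute-based authorisation modelling the 'Authorisation: 3 scenarios' slide and the Shibboleth
result 'user ID-x with the attributes X, Y wants access to resource Z'. Added example; all data is constructed."""
from dataclasses import dataclass

# Constructed identity store at the user's home organisation.
IDENTITY_STORE = {
    "id-x": {"eduPersonAffiliation": {"student", "member"}, "mail": "x@uni-a.example", "department": "physics"},
    "id-y": {"eduPersonAffiliation": {"staff", "member"}, "mail": "y@uni-a.example", "department": "library"},
}
# Attribute release policy: what the home organisation may disclose to which resource.
RELEASE_POLICY = {"journal-z": {"eduPersonAffiliation"}, "hr-portal": {"eduPersonAffiliation", "department"}}

@dataclass
class Resource:
    name: str
    scenario: int    # 1, 2 or 3 as on the slide
    required: dict   # attribute -> acceptable values; empty means any authenticated user
RESOURCES = {
    "campus-news": Resource("campus-news", 1, {}),
    "hr-portal": Resource("hr-portal", 2, {"eduPersonAffiliation": {"staff"}}),
    "journal-z": Resource("journal-z", 3, {"eduPersonAffiliation": {"member", "student", "staff"}}),
    "secret-wiki": Resource("secret-wiki", 3, {"department": {"physics"}}),  # no release policy
}

def release_attributes(user_id: str, resource: str, requested: set) -> dict:
    """Scenario 3: only attributes both requested by the resource and permitted by the
    release policy leave the home organisation; the user's identity is not among them."""
    allowed = RELEASE_POLICY.get(resource, set()) & requested
    return {a: v for a, v in IDENTITY_STORE[user_id].items() if a in allowed}

def authorise(user_id: str, resource: Resource) -> tuple:
    """Return (decision, attributes the resource actually received)."""
    if user_id not in IDENTITY_STORE:
        return False, {}                    # not authenticated at a home organisation
    if resource.scenario == 1:              # authentication = authorisation
        return True, {}
    requested = set(resource.required)
    if resource.scenario == 2:              # identity plus a few attributes, unfiltered
        seen = {"mail": IDENTITY_STORE[user_id]["mail"]}
        seen.update({a: v for a, v in IDENTITY_STORE[user_id].items() if a in requested})
    else:                                   # privacy-preserving, policy-filtered release
        seen = release_attributes(user_id, resource.name, requested)
    for attr, acceptable in resource.required.items():
        values = seen.get(attr)
        if values is None:                  # withheld or absent attribute: fail closed
            return False, seen
        values = values if isinstance(values, set) else {values}
        if not values & acceptable:
            return False, seen
    return True, seen
```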

Page 26: Shibboleth: mapping of AAI components (diagram: Group A, Group B)

Page 27: E2E Middleware diagnostics: what if there’s an error?

Diagram: Security Related Events, Middleware Related Events and Network Related Events feed the Collection and Normalization of Events, which feeds a Dissemination Network. Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets.

Page 28: E2E Middleware diagnostics: what if there’s an error? (continued)

Diagram labels: Hosts 1 to 9 (including Web-App, LDAP/DNS and a User Diag App), Network Devices, Netflow, Archive, Archive and Network Forensics, General Forensics and Reporting, Combined Forensics and Reporting; Application, System or Security Events; Network Events; Enterprise / Federation.

Page 29: What about… standards?

• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Web services (SOAP, XML-RPC, WSDL, WS-*)
• SAML
• For federations:
  – WS-Federation (Microsoft, IBM)
  – SAML (OASIS: 150 companies, Internet2)
  – Liberty Alliance (Sun, 170 companies)

Page 30: What about… developments (in the research world)?

• Australia: start with Shibboleth
• Europe: combination of Shibboleth and ‘home-grown’
• USA: Shibboleth
• European project Geant2:
  – GN2-JRA5: focus on European AAI, SSO for network and applications
• Need for:
  – Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
  – Universal Single Sign-On across the network and application domains
  – Attention to non-web-based applications

Page 31: References

• Identity Management
• AAI Terminology
• EduRoam
• A-Select weblogin
• Privilege Management
• Intro on federations
• Internet2 Federation
• Swiss Federation
• End-to-end diagnostics

Page 32: Questions?

Page 33: To conclude: a possible future: DELAMAN Federation based on Shibboleth?

Diagram labels:
– Delaman Foundation: Board of Founders, Advisory Committee, Operations Committee, Foundation Members, Foundation Partners, Central AAI Services
– Delaman Federation: Home organisations (Institutes, Research, Universities, Libraries), Service Provider, resources
– Service subscription; Resource registration