Authentication and Authorization Infrastructure
Transcript of Authentication and Authorization Infrastructure
2005 © SWITCH
Authentication and Authorization Infrastructure
Martin Sutter, Head of NetServices
Thomas Lenggenhager, Deputy Project Manager AAI
Christoph Graf, Head of Network Security
Agenda
• AAI deployment in Switzerland
• SWITCHaai key issues
• AAI & Grid
• Outlook
• EUGridPMA
Motivation for SWITCHaai
• Need for SWITCHaai spawned by the Swiss Virtual Campus, a large national e-learning project
  - About 30 projects developing e-learning content, each involving at least three different sites
  - Authentication & authorization should not be solved by each project individually
SWITCHaai Building Blocks
• Identity Providers (Home Organizations)
• Service Providers (Resources)
• Organizational Framework
• Interoperation
• Central Services
• Funding
Organizational Framework
• SWITCH acts as SWITCHaai Federation service provider
• Federation membership is based on signed service agreements
Interoperation
Requires agreement on technical details like
• Standards
  - SAML 1.1
• Software versions (as per May 2005)
  - Shibboleth 1.1 for identity providers
  - Shibboleth 1.2.1 for service providers
• Accepted certificate authorities
  - SWITCHpki, plus Thawte, Trustcenter, VeriSign
• Attribute specification
  - swissEduPerson
Interoperation: Attributes
• Criteria for attribute specification
  - Start simple, extend as required
  - Common understanding on interpretation
  - Already widely used
  - Result: swissEduPerson
• Attribute usage by applications
  - Use minimal set required
  - Data protection principle
Identity Provider Integration
An AAI-enabled Identity Provider consists of a user directory, an authentication system and the AAI component.
Currently in use in SWITCHaai:
• Authentication Systems
  - OpenLDAP with CAS or Pubcookie
  - Kerberos AuthN with Active Directory
  - Windows AuthN with IIS
• User Directory
  - OpenLDAP
  - Active Directory
Identity Providers in SWITCHaai
• Operational AAI Identity Providers
  - ETH Zurich
  - University Zurich
  - Virtual Home Org (SWITCH)
  - University Geneva
  - Zurich University of Applied Sciences Winterthur
• AAI Identity Providers getting ready
  - University Hospital Zurich
  - University Lucerne
  - University Fribourg
  - University Berne
  - University Lausanne
• 110’000 Swiss higher education users have an AAI account (≈ 50% of all)
Virtual Home Organization – VHO
(Diagram: a federation member with its identity provider and resource owner; some end users without an identity provider; the VHO service @SWITCH with user directory and VHO policy; the resource owner acts as end-user admin)
• Integrate end users without Identity Provider
  - Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider
  - A VHO account is only usable for the resource(s) managed by the resource owner
Types of Service Providers
• Categories: e-learning, libraries, commercial, other web applications
• Examples: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf-Reservation, SMS-Gateway, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, Jobs@BWI, ILIAS, TWiki, eShops, …
• 50 ‘shibbolized’ servers, 10’000 active AAI users
Service Provider Example: DOIT
DOIT: Dermatology Online with Interactive Technology
• AAI Identity Providers: University Zurich, University Berne, University Lausanne
• AAI Service Provider: DOIT
• 500 AAI users
• Access rule:
  IdP = UniZH | UniBE | UniL
  Affiliation = student
  studyBranch = medicine
  studyLevel = 15
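The DOIT access rule above, and the "use minimal set required" principle from the attributes slide, can both be shown with a small attribute-based access evaluator. This is an added example and not SWITCHaai, Shibboleth or DOIT code: the attribute names (affiliation, studyBranch, studyLevel) and IdP labels (UniZH, UniBE, UniL) are the slide's shorthand rather than the exact swissEduPerson or Shibboleth identifiers, and the sample users are constructed. Two points the rule text alone does not make explicit: the IdP condition is a trust decision on who signed the assertion and is checked before any attribute is consulted, and attributes such as affiliation are multi-valued, so a user asserted as both student and member still satisfies "Affiliation = student".

```python
"""Attribute-based access decision in the style of the DOIT access rule.

Added illustration, not SWITCHaai, Shibboleth or DOIT code. The attribute
names (affiliation, studyBranch, studyLevel) and IdP labels (UniZH, UniBE,
UniL) are the slide's shorthand, not exact swissEduPerson/Shibboleth
identifiers, and the users at the bottom are constructed test data.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Mapping, Set, Tuple


@dataclass(frozen=True)
class AccessRule:
    """Which identity providers may vouch for a user, and which attribute
    values must be asserted. Attributes are treated as multi-valued
    (an affiliation attribute may carry several values at once), so a
    condition is satisfied when at least one asserted value is acceptable."""
    allowed_idps: FrozenSet[str]
    required: Mapping[str, FrozenSet[str]]


# The rule from the slide: IdP = UniZH | UniBE | UniL, Affiliation = student,
# studyBranch = medicine, studyLevel = 15.
DOIT_RULE = AccessRule(
    allowed_idps=frozenset({"UniZH", "UniBE", "UniL"}),
    required={
        "affiliation": frozenset({"student"}),
        "studyBranch": frozenset({"medicine"}),
        "studyLevel": frozenset({"15"}),
    },
)


def evaluate(rule: AccessRule, idp: str,
             attributes: Mapping[str, Set[str]]) -> Tuple[bool, str]:
    """Decide access for one user and explain the outcome.

    `idp` is the asserting identity provider as the SP sees it (in Shibboleth
    that comes from the signed assertion's issuer, not from a user attribute).
    The IdP check runs first so attributes from an unaccepted IdP are never
    consulted; a missing attribute is simply a failed condition."""
    if idp not in rule.allowed_idps:
        return False, f"identity provider {idp!r} is not accepted for this resource"
    for name, acceptable in rule.required.items():
        asserted = set(attributes.get(name, ()))
        if not asserted & acceptable:
            return False, (f"{name}: asserted {sorted(asserted)}, "
                           f"need one of {sorted(acceptable)}")
    return True, "all conditions satisfied"


def required_attributes(rule: AccessRule) -> Tuple[str, ...]:
    """The minimal attribute set the SP needs for this rule. Requesting exactly
    this set, and having the IdP release no more, is the 'use minimal set
    required' data protection principle from the attributes slide."""
    return tuple(sorted(rule.required))


def minimal_release(rule: AccessRule,
                    attributes: Mapping[str, Set[str]]) -> Dict[str, Set[str]]:
    """What an IdP release policy tuned to this rule hands over: only the
    attributes the rule uses, whatever else the directory knows about the user."""
    return {name: set(values) for name, values in attributes.items()
            if name in rule.required}


if __name__ == "__main__":
    # Constructed sample users (hypothetical, not real data).
    users = {
        "med student @UniZH": ("UniZH", {"affiliation": {"student", "member"},
                                          "studyBranch": {"medicine"},
                                          "studyLevel": {"15"},
                                          "mail": {"someone@example.org"}}),
        "med student @ETHZ": ("ETHZ", {"affiliation": {"student"},
                                         "studyBranch": {"medicine"},
                                         "studyLevel": {"15"}}),
        "staff @UniBE": ("UniBE", {"affiliation": {"staff"},
                                    "studyBranch": {"medicine"},
                                    "studyLevel": {"15"}}),
        "no level @UniL": ("UniL", {"affiliation": {"student"},
                                     "studyBranch": {"medicine"}}),
    }
    print("SP requests only:", required_attributes(DOIT_RULE))
    for label, (idp, attrs) in users.items():
        ok, why = evaluate(DOIT_RULE, idp, attrs)
        print(f"{label:20s} -> {'ALLOW' if ok else 'DENY '} ({why})")
```

Running the block denies the ETH Zurich student even though every attribute matches, because the rule names the accepting IdPs explicitly; the UniZH user's extra mail attribute is dropped by minimal_release, which is the release policy the attributes slide asks for.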
Integration of „Blackboxes“
AAIportal (open source, GPL)
• Authentication / authorization gateway
• Portal functionalities (optional)
• User management (optional)
• Adaptors to blackbox applications:
  - WebCT Vista
  - WebCT CE
  - …
(Diagram: Shibboleth → AAIportal SignOn → adaptors A1, A2, ... → application API)
Central AAI Services
• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating WAYF (‘Where are you from?’) server
• Testing parties (identity provider, service provider)
• Jump-start service
• Virtual Home Organization
Key Issues in SWITCHaai
• Structure of SWITCHaai Federation
  - Switzerland is strongly federal: solve problems at the lowest level, coordinate where useful
• AAI is more than Shibboleth
  - SWITCHaai designed to be extensible: policies, federation
• SAML 2 and Shibboleth 2 will allow interoperability with other SAML-based infrastructures
AAI and Grid
• SWITCHaai concept is ready for Grid integration
• Current Shibboleth version not yet Grid ready
• GridShib, an Internet2 project, links the upcoming Shibboleth 1.3 with Globus Toolkit 4.1
- first phase to be implemented until autumn 2005
- second phase to be implemented until second half of 2006
- http://grid.ncsa.uiuc.edu/GridShib/
• Extension to other n-tier use cases possible
Outlook 2005 – 2007
• More national AAI related projects
- supported by federal grants (on matching funds)
• Non-web browser based service providers (like Grid)
• Study on AAI and ECTS
• Study on extending AAI to AAAI
- accounting, but not limited to billing
• Integration of federation partners
  - resources from non-members
  - other federations
http://www.switch.ch/aai
EUGridPMA
• What the EUGridPMA does
  - A useful job for Grid projects (evaluating CP/CPSs)
  - Impressive PR: made it into eIRG papers (together with TACAR)
• NREN perspective:
  - NRENs engaging in PKIs need something similar to interwork
  - But we will need more than one assurance level (Grid-strength certs and basic-strength certs)
• The predicted future of EUGridPMA:
  - Perish: if they stay Grid-specific
  - Flourish: if they become relevant beyond the Grid
• Recommendation:
  - NRENs to collaborate and eventually host EUGridPMA activities
  - TERENA to play an important role (how about TACAR++?)