Transcript of the slide deck below (posted 19-Dec-2015, category: Documents)
Do you like to puzzle?
…build an AA Infrastructure!
DELAMAN Access Group Workshop
November 30th, 2004
[Slide 2] Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle: network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
[Slide 3] Authentication and Authorisation Infrastructure (AAI)
The authentication and authorisation services, the components for identity and privilege management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.
[Slide 9] Network access: RADIUS proxy hierarchy
(Diagram: organisational RADIUS servers A, B and C, national RADIUS proxy servers and European RADIUS proxy servers arranged as a three-tier proxy hierarchy. Puzzle piece: network.)
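The proxy hierarchy on this slide routes an access request purely on the realm part of the user's outer identity: the visited organisation handles its own users, forwards foreign realms to its national proxy, and cross-border realms go up to the European tier and down to the home country. The following is an added example written for this page, not code from the slides or from any RADIUS implementation; the realms, hostnames and the `ORG_SERVERS` / `NATIONAL_PROXIES` / `EUROPEAN_PROXY` tables are all constructed assumptions. It also shows the check a proxy operator wants: an unknown realm is rejected at the edge rather than forwarded, since forwarding what cannot be routed is how proxy loops start.

```python
"""Realm-based routing through a RADIUS proxy hierarchy.

Constructed example (not from the slides): the three tiers on the slide are
modelled as lookup tables. A visited organisation's RADIUS server handles
its own users, forwards foreign realms to the national proxy, which forwards
realms of other countries to the European proxy, which hands them down to
the home country's national proxy and on to the home organisation.
"""
import re

# Constructed topology; every hostname below is an assumption for illustration.
ORG_SERVERS = {          # realm -> organisational RADIUS server
    "uni-a.nl": "radius.uni-a.nl",
    "uni-b.nl": "radius.uni-b.nl",
    "uni-c.de": "radius.uni-c.de",
}
NATIONAL_PROXIES = {     # country code -> national RADIUS proxy
    "nl": "proxy.national.nl",
    "de": "proxy.national.de",
}
EUROPEAN_PROXY = "proxy.european.eu"

# Outer identity as sent by the supplicant: local-part@realm. Only the realm
# is needed for routing; the visited site never needs the user's credentials.
REALM_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)$")


def parse_realm(outer_identity):
    """Return the lower-cased realm of an outer identity, or None if malformed."""
    m = REALM_RE.match(outer_identity)
    return m.group(1).lower() if m else None


def route(outer_identity, visited_org):
    """Return the list of RADIUS servers an Access-Request traverses from the
    visited organisation to the home organisation, or None when the realm is
    unknown. An unknown realm must be rejected locally, never forwarded
    upwards: a proxy that forwards what it cannot route invites loops."""
    realm = parse_realm(outer_identity)
    if realm is None or visited_org not in ORG_SERVERS:
        return None
    hops = [ORG_SERVERS[visited_org]]
    if realm == visited_org:
        return hops                        # local user: authenticate here
    home_cc = realm.rsplit(".", 1)[-1]
    visited_cc = visited_org.rsplit(".", 1)[-1]
    if realm not in ORG_SERVERS or home_cc not in NATIONAL_PROXIES:
        return None                        # no route: reject at the edge
    hops.append(NATIONAL_PROXIES[visited_cc])
    if home_cc != visited_cc:              # cross-border: via the European tier
        hops.append(EUROPEAN_PROXY)
        hops.append(NATIONAL_PROXIES[home_cc])
    hops.append(ORG_SERVERS[realm])
    return hops


if __name__ == "__main__":
    for identity, visited in [("alice@uni-a.nl", "uni-b.nl"),
                              ("carl@uni-c.de", "uni-a.nl"),
                              ("eve@unknown.example", "uni-a.nl")]:
        print(identity, "visiting", visited, "->", route(identity, visited))
```

The routing key is the realm alone, which is why the visited network never has to see the user's password: with an EAP method tunnelling the inner identity, the proxies only learn where to forward, not who is logging in.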
[Slide 10] Network access: User-controlled light path provisioning
(Diagram: in each network domain (SURFnet6, NetherLight, OMNInet, StarLight) applications talk to an AAA broker and its services; services are discovered through UDDI/WSIL; the user presents an A-Select token. Puzzle piece: network.)
[Slide 14] Authentication: choose your own method (and strength)
• IP address
• Username / password
  – LDAP / Active Directory
  – RADIUS
  – SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …
(Puzzle piece: authentication.)
[Slide 15] Authentication: solutions for web environments
• Web Initial Sign-on (WebISO):
  – A-Select (SURFnet)
  – CAS (Yale)
  – Cosign (Michigan)
  – Distauth (UC Davis)
  – eIdentity Web Authentication (Colorado State)
  – PAPI (RedIRIS)
  – Pubcookie
  – Web AuthN/AuthZ (Michigan Tech)
  – WebAuth (Stanford)
  – ... etcetera
(Puzzle piece: authentication.)
[Slide 18] Authorisation: three scenarios
1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about the attributes to be exchanged (‘ideal and upcoming’)
(Puzzle piece: authorisation.)
[Slide 20] Administration: Identity Management
• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• An enterprise (or meta) directory glues all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It is the underlying basis for an AAI;
• …and it is hyped…
(Puzzle piece: administration.)
[Slide 21] Administration: Identity Management - layers example
(Diagram, bottom to top: network layer (802.1x, WLAN, dial-up); application layer (Exchange, W2K/XP, RADIUS, CAB, Portfolio); directory layer (LDAP, ADS); administration layer (SAP/HR, local admin). Puzzle piece: administration.)
[Slide 22] Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle: network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
[Slide 23] Federations
A Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI: a Federated AAI or an AAI Federation.
[Slide 24] Cross-domain AA: Ingredients for a federation
• Policies (e.g. InCommon* from Internet2):
  – Federation Operating Practices and Procedures
  – Participant Agreement
  – Participant Operating Practices
• Technologies:
  – Protocols / language
  – Schemas
  – Trust / PKI
* http://www.incommonfederation.org/
[Slide 26] Birdseye view of the Shibboleth Suite
• What is Shibboleth?
  – An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the users' privacy. Trust relations are created within a federation;
• What does Shibboleth offer?
  – authorisation, attribute gathering and privacy-safe transport of attributes;
• What doesn't Shibboleth do?
  – Out-of-the-box authentication: choose a WebISO (e.g. A-Select);
• Result at a protected resource after the Shibboleth process:
  – user ID-x with the attributes X,Y wants access to resource Z
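The end state on this slide, "user ID-x with the attributes X,Y wants access to resource Z", together with the three authorisation scenarios (slide 18) and the trust and schema ingredients of a federation (slide 24), can be shown as one small decision pipeline. The code below is an added example written for this page; it is not Shibboleth's code and does not follow its configuration format. The federation trust list, the release policy, the access rules and every hostname are constructed assumptions; the attribute names are taken from the eduPerson schema. It shows scenario 1 (an empty rule: any authenticated federation user is permitted), scenario 2 (identity plus attributes), and the privacy point of scenario 3 in spirit: the identity provider releases only the attributes each service provider actually needs.

```python
"""Attribute-based access decision at a Shibboleth-style service provider.

Constructed example (not Shibboleth's own code): models the slide's end
state, "user ID-x with the attributes X,Y wants access to resource Z", with
three pieces that are all assumptions for illustration:
  - a federation trust list: which identity providers (IdPs) this SP accepts,
  - an IdP attribute-release policy: which attributes go to which SP,
  - per-resource SP rules evaluated on the released attributes only.
Attribute names follow the eduPerson schema; the hostnames are made up.
User attributes are passed as {attribute name: set of values}.
"""
# Federation metadata (constructed): IdPs whose assertions the SP trusts.
FEDERATION_IDPS = {"idp.uni-a.example", "idp.uni-b.example"}

# IdP side: release only what each SP needs (scenario 3 in spirit: the
# journal site learns an affiliation, never a name or mail address).
RELEASE_POLICY = {
    "idp.uni-a.example": {
        "journals.example": {"eduPersonScopedAffiliation"},
        "wiki.example": {"eduPersonPrincipalName", "eduPersonScopedAffiliation"},
    },
}

# SP side: resource -> {attribute: accepted values}. An empty rule means
# scenario 1 (any authenticated federation user is authorised).
ACCESS_RULES = {
    "journals.example": {
        "/public": {},
        "/science": {"eduPersonScopedAffiliation": {"member@uni-a.example", "staff@uni-a.example"}},
    },
    "wiki.example": {
        "/edit": {"eduPersonPrincipalName": {"alice@uni-a.example"}},
    },
}


def release(idp, sp, user_attrs):
    """IdP attribute filter: keep only the attributes the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(idp, {}).get(sp, set())
    return {name: values for name, values in user_attrs.items() if name in allowed}


def decide(idp, sp, resource, user_attrs):
    """SP decision: ("permit" | "deny", reason). Every attribute the rule
    names must be present in the released set with an accepted value;
    a missing attribute is a deny, never a pass-through."""
    if idp not in FEDERATION_IDPS:
        return "deny", "IdP not in federation trust list"
    rule = ACCESS_RULES.get(sp, {}).get(resource)
    if rule is None:
        return "deny", "no rule for resource"
    released = release(idp, sp, user_attrs)
    for attr, accepted in rule.items():
        if not released.get(attr, set()) & accepted:
            return "deny", f"attribute {attr} missing or not accepted"
    return "permit", "released: " + ",".join(sorted(released))


if __name__ == "__main__":
    alice = {"eduPersonPrincipalName": {"alice@uni-a.example"},
             "eduPersonScopedAffiliation": {"staff@uni-a.example"},
             "mail": {"alice@uni-a.example"}}
    print(decide("idp.uni-a.example", "journals.example", "/science", alice))
    print(decide("idp.rogue.example", "journals.example", "/science", alice))
```

Two design points worth noticing: the trust-list check comes before anything else, so attributes from an identity provider outside the federation are never even evaluated, and the service provider decides on the released subset only, so a change in the release policy (say, withholding `mail`) cannot silently widen access.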
[Slide 29] E2E Middleware diagnostics: what if there's an error?
(Diagram: security-related, middleware-related and network-related events feed a collection and normalisation stage and a dissemination network.)
Diagnostic applications (middleware, network, security) can extract event data from multiple data sets.
[Slide 30] E2E Middleware diagnostics: what if there's an error? (continued)
(Diagram: hosts 1 to 9 in an enterprise federation emit application, system or security events (LDAP, DNS, web-app) and network events (Netflow, network devices); these flow into an archive with network forensics, combined forensics and reporting, general forensics and reporting, and a user diagnostic application.)
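The two diagnostics slides describe collection and normalisation of security, middleware and network events so that a diagnostic application can follow one failed login across several data sets. The block below is an added example for this page, not code from the slides or from any diagnostics product: three constructed log formats (a RADIUS server, an LDAP directory, a web application) are normalised into one record shape, and a query then walks a single user's login through the network, middleware and application layers and reports the first layer where it failed. All log lines, field names and hostnames are constructed for illustration.

```python
"""Collection and normalisation of events for end-to-end diagnostics.

Constructed example (not from the slides): log lines from a RADIUS server,
an LDAP directory and a web application, each in its own format, are parsed
into one normalised record, after which a diagnostic query follows one user's
login across the network, middleware and application layers and reports the
first layer where it failed. All log lines and formats are made up.
"""
import re
from datetime import datetime

# Constructed sample logs. LDAP resultCode 49 is invalidCredentials.
RAW_LOGS = [
    "2004-11-30T09:01:02Z radius: Access-Accept user=alice@uni-a.nl nas=ap-17",
    "2004-11-30T09:01:05Z ldap: BIND uid=alice result=0",
    "2004-11-30T09:01:06Z webapp: login user=alice status=ok session=s1",
    "2004-11-30T09:03:10Z radius: Access-Accept user=bob@uni-a.nl nas=ap-03",
    "2004-11-30T09:03:12Z ldap: BIND uid=bob result=49",
    "2004-11-30T09:03:12Z webapp: login user=bob status=fail reason=auth-backend",
    "2004-11-30T09:05:00Z radius: Access-Reject user=carol@uni-a.nl nas=ap-03",
    "this line is not an event at all",
]

# source -> (pattern, layer in the end-to-end chain)
PATTERNS = {
    "radius": (re.compile(r"^(\S+) radius: (Access-Accept|Access-Reject) user=(\S+)"), "network"),
    "ldap":   (re.compile(r"^(\S+) ldap: BIND uid=(\S+) result=(\d+)"), "middleware"),
    "webapp": (re.compile(r"^(\S+) webapp: login user=(\S+) status=(\w+)(?: reason=(\S+))?"), "application"),
}
LAYER_ORDER = ["network", "middleware", "application"]


def normalise(line):
    """Map one raw line to {ts, source, layer, user, outcome, detail}, or None."""
    for source, (pattern, layer) in PATTERNS.items():
        m = pattern.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        if source == "radius":
            user = m.group(3).split("@")[0]          # strip realm to join on one key
            outcome = "ok" if m.group(2) == "Access-Accept" else "fail"
            detail = m.group(2)
        elif source == "ldap":
            code = int(m.group(3))
            user, outcome, detail = m.group(2), "ok" if code == 0 else "fail", f"resultCode={code}"
        else:
            user = m.group(2)
            outcome = "ok" if m.group(3) == "ok" else "fail"
            detail = m.group(4) or ""
        return {"ts": ts, "source": source, "layer": layer, "user": user,
                "outcome": outcome, "detail": detail}
    return None                                      # unknown format: not an event


EVENTS = [e for e in map(normalise, RAW_LOGS) if e is not None]


def trace_login(events, user):
    """Follow one user's login through the layers; report where it first failed."""
    mine = sorted((e for e in events if e["user"] == user),
                  key=lambda e: (e["ts"], LAYER_ORDER.index(e["layer"])))
    failed = next((e for e in mine if e["outcome"] == "fail"), None)
    return {"path": [e["layer"] for e in mine],
            "failed_at": failed["layer"] if failed else None,
            "detail": failed["detail"] if failed else ""}


if __name__ == "__main__":
    for u in ("alice", "bob", "carol"):
        print(u, trace_login(EVENTS, u))
```

The value of the normalised layer is visible in the `bob` case: the web application only reports a generic back-end failure, while the correlated trace points at the directory bind one layer down, which is exactly the kind of cross-dataset answer the slide's diagnostic applications are meant to give.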
[Slide 31] What about… standards?
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Web services (SOAP, XML-RPC, WSDL, WS-*)
• SAML
• For federations:
  – WS-Federation (Microsoft, IBM)
  – SAML (OASIS: 150 companies, Internet2)
  – Liberty Alliance (Sun, 170 companies)
[Slide 32] What about… developments (in the research world)?
• Australia: start with Shibboleth
• Europe: combination of Shibboleth and ‘home-grown’
• USA: Shibboleth
• European Project Geant2:
  – GN2-JRA5: focus on European AAI, SSO for network and applications
• Need for:
  – Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
  – Universal Single Sign-On across the network and application domains
  – Attention to non-web-based applications
[Slide 33] References
• Identity Management
• AAI Terminology
• EduRoam
• A-Select weblogin
• Privilege Management
• Intro on federations
• Internet2 Federation
• Swiss Federation
• End-to-end diagnostics
[Slide 35] To conclude: a possible future: DELAMAN Federation based on Shibboleth?
(Diagram: the Delaman Foundation, with a Board of Founders, an Advisory Committee and an Operations Committee, runs the Central AAI Services of the Delaman Federation. Foundation members and foundation partners (institutes, research, universities, libraries) act as home organisations; service providers register their resources with the federation, and home organisations subscribe to services.)