Page 1: Authentication and Authorization Infrastructure

2005 © SWITCH

Authentication and Authorization Infrastructure

Martin Sutter, Head of NetServices
Thomas Lenggenhager, Deputy Project Manager AAI
Christoph Graf, Head of Network Security

(PowerPoint presentation, 18 pages)

Page 2: Authentication and Authorization Infrastructure


Agenda

• AAI deployment in Switzerland

• SWITCHaai key issues

• AAI & Grid

• Outlook

• EUGridPMA

Page 3: Authentication and Authorization Infrastructure

Motivation for SWITCHaai

• Need for SWITCHaai spawned by the Swiss Virtual Campus, a large national e-learning project.
  - About 30 projects developing e-learning contents, each involving at least three different sites
  - Authentication & Authorization not to be solved by each project individually

Page 4: Authentication and Authorization Infrastructure

SWITCHaai Building Blocks

(Diagram) The building blocks of SWITCHaai:
• Identity Providers (Home Orgs)
• Service Providers (Resources)
• Organizational Framework
• Interoperation
• Central Services
• Funding

Page 5: Authentication and Authorization Infrastructure

Organizational Framework

• SWITCH acts as SWITCHaai Federation service provider
• Federation membership is based on signed service agreements

Page 6: Authentication and Authorization Infrastructure

Interoperation

Requires agreement on technical details like
• Standards
  - SAML 1.1
• Software versions (as per May 2005)
  - Shibboleth 1.1 for identity providers
  - Shibboleth 1.2.1 for service providers
• Accepted certificate authorities
  - SWITCHpki, plus Thawte, Trustcenter, VeriSign
• Attribute specification
  - swissEduPerson

Page 7: Authentication and Authorization Infrastructure

Interoperation: Attributes

swissEduPerson
• Criteria for attribute specification
  - Start simple, extend as required
  - Common understanding on interpretation
  - Already widely used
• Attribute usage by applications
  - Use minimal set required
  - Data protection principle

Page 8: Authentication and Authorization Infrastructure

Identity Provider Integration

(Diagram) An AAI-enabled Identity Provider consists of a User Directory, an Authentication System and the AAI component.

Currently in use in SWITCHaai:
• Authentication Systems
  - OpenLDAP with CAS or Pubcookie
  - Kerberos AuthN with Active Directory
  - Windows AuthN with IIS
• User Directory
  - OpenLDAP
  - Active Directory

Page 9: Authentication and Authorization Infrastructure

Identity Providers in SWITCHaai

(Map) Operational AAI Identity Providers:
• ETH Zurich
• University Zurich
• Virtual Home Org (SWITCH)
• University Geneva
• Zurich University of Applied Sciences Winterthur

AAI Identity Providers getting ready:
• University Hospital Zurich
• University Lucerne
• University Fribourg
• University Berne
• University Lausanne

110’000 Swiss Higher Ed users have an AAI account (≈ 50% of all)

Page 10: Authentication and Authorization Infrastructure

Virtual Home Organization – VHO

(Diagram) Federation member roles: Identity Provider, Resource Owner, End User, Admin. Some end users have no identity provider; the VHO Service @ SWITCH provides a user directory for them, governed by the VHO policy.

Integrate end users without Identity Provider
- Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider
- A VHO account is only usable for the resource(s) managed by the resource owner

Page 11: Authentication and Authorization Infrastructure

Types of Service Providers

(Diagram) Categories: e-learning, libraries, other web applications, commercial. Examples shown: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf-Reservation, SMS-Gateway, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, Jobs@BWI, ILIAS, TWiki, eShops, …

50 ‘shibbolized’ servers, 10’000 active AAI Users

Page 12: Authentication and Authorization Infrastructure

Service Provider Example: DOIT

(Diagram) AAI Identity Providers: University Zurich, University Lausanne, University Berne → AAI Service Provider: DOIT

DOIT: Dermatology Online with Interactive Technology
500 AAI Users

Access Rule:
  IdP = UniZH | UniBE | UniL
  Affiliation = student
  studyBranch = medicine
  studyLevel = 15
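The two attribute-handling steps the slides describe, an identity provider releasing only the minimal attribute set a service provider needs (slide 7) and the service provider evaluating the DOIT access rule on what it received (slide 12), as an added example that is not part of the original deck. The attribute names, the directory records and the release policy are constructed for illustration; the slides only name the rule's fields as IdP, Affiliation, studyBranch and studyLevel.

```python
# Added example, not code from the SWITCH slides. Attribute names and the
# user records below are constructed; real swissEduPerson names differ.

# Constructed directory records at an identity provider.
USER_DIRECTORY = {
    "alice": {"homeOrganization": "UniZH", "affiliation": ["student"],
              "studyBranch": "medicine", "studyLevel": "15",
              "dateOfBirth": "1984-03-02", "email": "alice@example.org"},
    "bob":   {"homeOrganization": "UniGE", "affiliation": ["staff", "student"],
              "studyBranch": "medicine", "studyLevel": "15",
              "email": "bob@example.org"},
    "carol": {"homeOrganization": "UniBE", "affiliation": ["staff", "student"],
              "studyBranch": "medicine", "studyLevel": "15"},
}

# Per-service-provider attribute release policy: only what the resource
# needs (the "use minimal set required" / data protection principle).
RELEASE_POLICY = {
    "doit": {"homeOrganization", "affiliation", "studyBranch", "studyLevel"},
}

def release_attributes(user, sp):
    """IdP side: return only the attributes the policy allows for this SP."""
    allowed = RELEASE_POLICY.get(sp, set())          # unknown SP -> nothing
    return {k: v for k, v in USER_DIRECTORY[user].items() if k in allowed}

# DOIT access rule from slide 12; every condition must hold.
DOIT_RULE = {
    "homeOrganization": {"UniZH", "UniBE", "UniL"},
    "affiliation": {"student"},
    "studyBranch": {"medicine"},
    "studyLevel": {"15"},
}

def _values(v):
    """Directory attributes may be multi-valued; normalise to a set."""
    return set(v) if isinstance(v, (list, tuple, set)) else {v}

def is_authorized(attrs, rule=DOIT_RULE):
    """SP side: a missing attribute or no matching value denies access."""
    for name, accepted in rule.items():
        if name not in attrs or not (_values(attrs[name]) & accepted):
            return False
    return True

def doit_decision(user):
    """End to end: release for the DOIT SP, then evaluate its rule."""
    return is_authorized(release_attributes(user, "doit"))
```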

Page 13: Authentication and Authorization Infrastructure

Integration of „Blackboxes“

AAIportal (open source, GPL)
• Authentication / authorization gateway
• Portal functionalities (optional)
• User management (optional)
• Adaptors to blackbox applications:
  - WebCT Vista
  - WebCT CE
  - …

(Diagram) Shibboleth → AAIportal SignOn → adaptors A1, A2, ... → application API

Page 14: Authentication and Authorization Infrastructure

Central AAI Services

• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating WAYF (‘Where are you from?’) server
• Testing parties (identity provider, service provider)
• Jump-start service
• Virtual Home Organization

Page 15: Authentication and Authorization Infrastructure

Key Issues in SWITCHaai

• Structure of SWITCHaai Federation
  - Switzerland is strongly federal
  - solve problems at the lowest level, coordinate where useful
• AAI is more than Shibboleth
  - SWITCHaai designed to be extensible (policies, federation)
• SAML 2 and Shibboleth 2 will allow interoperability with other SAML based infrastructures

Page 16: Authentication and Authorization Infrastructure


AAI and Grid

• SWITCHaai concept is ready for Grid integration

• Current Shibboleth version not yet Grid ready

• GridShib, an Internet2 project, links upcoming Shibboleth 1.3 with Globus Toolkit 4.1

- first phase to be implemented until autumn 2005

- second phase to be implemented until second half of 2006

- http://grid.ncsa.uiuc.edu/GridShib/

• Extension to other n-tier use cases possible

Page 17: Authentication and Authorization Infrastructure

Outlook 2005 – 2007

• More national AAI related projects
  - supported by federal grants (on matching funds)
• Non-web browser based service providers (like Grid)
• Study on AAI and ECTS
• Study on extending AAI to AAAI
  - accounting, but not limited to billing
• Integration of federation partners
  - resources from non-members
  - other federations

http://www.switch.ch/aai

Page 18: Authentication and Authorization Infrastructure

EUGridPMA

• What the EUGridPMA does
  - A useful job for Grid projects (evaluating CP/CPSs)
  - Impressive PR: made it into eIRG papers (together with TACAR)
• NREN perspective:
  - NRENs engaging in PKIs need something similar to interwork
  - But we will need more than one assurance level (Grid strength certs and basic strength certs)
• The predicted future of EUGridPMA:
  - Perish: if they stay Grid-specific
  - Flourish: if they become relevant beyond the Grid
• Recommendation:
  - NRENs to collaborate and eventually host EUGridPMA activities
  - TERENA to play an important role (how about TACAR++?)