2005 © SWITCH
Authentication and Authorization Infrastructure
Martin Sutter, Head of NetServices
Thomas Lenggenhager, Deputy Project Manager AAI
Christoph Graf, Head of Network Security
Agenda
• AAI deployment in Switzerland
• SWITCHaai key issues
• AAI & Grid
• Outlook
• EUGridPMA
Motivation for SWITCHaai
• Need for SWITCHaai spawned by Swiss Virtual Campus, a large national e-learning project
- About 30 projects developing e-learning contents involving at least three different sites
- Authentication & Authorization not to be solved by each project individually
SWITCHaai Building Blocks
• Identity Providers (Home Orgs)
• Service Providers (Resources)
• Organizational Framework
• Interoperation
• Central Services
• Funding
Organizational Framework
• SWITCH acts as SWITCHaai Federation service provider
• Federation membership is based on signed service agreements
Interoperation
Requires agreement on technical details like
• Standards
- SAML 1.1
• Software versions (as per May 2005)
- Shibboleth 1.1 for identity providers
- Shibboleth 1.2.1 for service providers
• Accepted certificate authorities
- SWITCHpki, plus Thawte, Trustcenter, VeriSign
• Attribute specification
- swissEduPerson
Interoperation: Attributes
swissEduPerson
• Criteria for attribute specification
- Start simple, extend as required
- Common understanding on interpretation
- Already widely used
• Attribute usage by applications
- Use minimal set required
- Data protection principle
Identity Provider Integration
AAI-enabled Identity Provider: User Directory + Authentication System + AAI
Currently in use in SWITCHaai:
• Authentication Systems
- OpenLDAP with CAS or Pubcookie
- Kerberos AuthN with Active Directory
- Windows AuthN with IIS
• User Directory
- OpenLDAP
- Active Directory
Identity Providers in SWITCHaai
• Operational AAI Identity Providers: ETH Zurich, University Zurich, Virtual Home Org (SWITCH), University Geneva, Zurich University of Applied Sciences Winterthur
• AAI Identity Providers getting ready: University Hospital Zurich, University Lucerne, University Fribourg, University Berne, University Lausanne
• 110’000 Swiss Higher Ed users have an AAI account (≈ 50% of all)
Virtual Home Organization – VHO
[Diagram: Federation Member with Identity Provider, Resource Owner, End User, Admin; some end users without identity provider; VHO Service @SWITCH with User Dir and VHO Policy]
• Integrate end users without Identity Provider
- Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider
- A VHO account is only usable for the resource(s) managed by the resource owner
Types of Service Providers
• Categories: e-learning, libraries, other web applications, commercial
• Examples: DOIT, VITELS, Vista@SVC, AD Learn & Co, Vconf-Reservation, SMS-Gateway, EZproxy, ScienceDirect, WebCT@ETHZ, OLAT, Moodle, BSCW, Blackboard, SwissLex, IS-Academia, Jobs@BWI, ILIAS, TWiki, eShops, …
• 50 ‘shibbolized’ servers, 10’000 active AAI Users
Service Provider Example: DOIT
DOIT: Dermatology Online with Interactive Technology
• AAI Identity Providers: University Zurich, University Lausanne, University Berne
• AAI Service Provider: DOIT
• 500 AAI Users
• Access Rule:
- IdP = UniZH | UniBE | UniL
- Affiliation = student
- studyBranch = medicine
- studyLevel = 15
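The DOIT access rule above is only as strong as the attributes it is evaluated on, so the chain that produces them matters: the identity provider releases the minimal set the service provider needs (the data protection principle from the attributes slide), the service provider accepts attributes only from federation members and only within the scope each member owns, and only then does the rule run. The following is an added example in plain Python, not SWITCH's or Shibboleth's code. The entityIDs, scopes, the SP URL and all user records are constructed; the attribute names are the slide's short aliases, not the formal swissEduPerson names; the per-SP release list, the scope check and the rule evaluator are simplified stand-ins for what a Shibboleth 1.x ARP, AAP and Apache `require` configuration do.

```python
# Added example (not SWITCH's or Shibboleth's code): IdP attribute release,
# SP attribute acceptance and the DOIT access rule, modelled in plain Python.
# Attribute names are the slide's short aliases; entityIDs, scopes, the SP
# URL and all users below are constructed for this example.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

Attributes = Dict[str, List[str]]
DOIT_SP = "https://doit.example.org/shibboleth"  # constructed SP providerId

# --- Identity Provider side --------------------------------------------------
DIRECTORY: Dict[str, Dict[str, Attributes]] = {  # constructed directory data
    "urn:mace:switch.ch:SWITCHaai:unizh.ch": {
        "alice": {"affiliation": ["student@unizh.ch"], "studyBranch": ["medicine"],
                  "studyLevel": ["15"], "mail": ["alice@example.unizh.ch"]},
        "bob": {"affiliation": ["student@unizh.ch"], "studyBranch": ["law"],
                "studyLevel": ["15"], "mail": ["bob@example.unizh.ch"]},
        # an IdP (mis)asserting a scope that belongs to another member
        "mallory": {"affiliation": ["student@ethz.ch"], "studyBranch": ["medicine"],
                    "studyLevel": ["15"]},
    },
    "urn:mace:switch.ch:SWITCHaai:ethz.ch": {
        "carol": {"affiliation": ["student@ethz.ch"], "studyBranch": ["medicine"],
                  "studyLevel": ["15"]},
    },
}

# ARP: per service provider, which attributes this IdP releases at all.
ARP: Dict[str, Set[str]] = {DOIT_SP: {"affiliation", "studyBranch", "studyLevel"}}


@dataclass
class Assertion:
    issuer: str            # IdP entityID (providerId in Shibboleth 1.x terms)
    attributes: Attributes


def idp_release(idp: str, user: str, sp: str) -> Assertion:
    """Attribute statement the IdP sends to `sp` for `user`; unknown SPs get nothing."""
    allowed = ARP.get(sp, set())
    attrs = DIRECTORY[idp][user]
    return Assertion(idp, {k: list(v) for k, v in attrs.items() if k in allowed})


# --- Service Provider side ---------------------------------------------------
# What federation metadata tells the SP: trusted IdPs and the scopes they own.
FEDERATION_SCOPES: Dict[str, Set[str]] = {
    "urn:mace:switch.ch:SWITCHaai:unizh.ch": {"unizh.ch"},
    "urn:mace:switch.ch:SWITCHaai:ethz.ch": {"ethz.ch"},
}
SCOPED = {"affiliation"}  # attributes whose values carry a value@scope suffix


def sp_accept(a: Assertion) -> Assertion:
    """AAP: strip everything the SP may not trust before any access decision."""
    if a.issuer not in FEDERATION_SCOPES:   # not a federation member: trust nothing
        return Assertion(a.issuer, {})
    kept: Attributes = {}
    for name, values in a.attributes.items():
        if name in SCOPED:                   # scope must be one the issuer owns
            values = [v for v in values
                      if "@" in v and v.rsplit("@", 1)[1] in FEDERATION_SCOPES[a.issuer]]
        if values:
            kept[name] = values
    return Assertion(a.issuer, kept)


@dataclass
class AccessRule:
    idps: FrozenSet[str]
    required: Dict[str, Set[str]]  # attribute -> accepted values, scope ignored


DOIT_RULE = AccessRule(
    idps=frozenset({"urn:mace:switch.ch:SWITCHaai:unizh.ch",
                    "urn:mace:switch.ch:SWITCHaai:unibe.ch",
                    "urn:mace:switch.ch:SWITCHaai:unil.ch"}),
    required={"affiliation": {"student"}, "studyBranch": {"medicine"},
              "studyLevel": {"15"}},
)


def evaluate(rule: AccessRule, a: Assertion) -> Tuple[bool, str]:
    """All clauses are ANDed; the reason names the first clause that fails."""
    if a.issuer not in rule.idps:
        return False, "issuer not permitted by rule"
    for name, accepted in rule.required.items():
        bare = [v.split("@", 1)[0] for v in a.attributes.get(name, [])]
        if not any(v in accepted for v in bare):
            return False, f"{name}: have {bare}, need one of {sorted(accepted)}"
    return True, "granted"


def doit_decision(idp: str, user: str) -> Tuple[bool, str]:
    """End-to-end: release at the IdP, accept at the SP, then apply the rule."""
    return evaluate(DOIT_RULE, sp_accept(idp_release(idp, user, DOIT_SP)))


if __name__ == "__main__":
    for idp, user in [("urn:mace:switch.ch:SWITCHaai:unizh.ch", "alice"),
                      ("urn:mace:switch.ch:SWITCHaai:unizh.ch", "bob"),
                      ("urn:mace:switch.ch:SWITCHaai:unizh.ch", "mallory"),
                      ("urn:mace:switch.ch:SWITCHaai:ethz.ch", "carol")]:
        print(user, doit_decision(idp, user))
```

Running the example grants alice, denies bob on studyBranch, denies carol because ETH Zurich is a federation member but not one of the three IdPs DOIT admits, and denies mallory because the scope check drops an affiliation asserted for a scope the issuing IdP does not own. The point for a service provider is that the IdP clause and the scope check are what stop any federation member from asserting its way into another institution's resource; the attribute values alone would have matched.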
Integration of "Blackboxes"
AAIportal (open source, GPL)
• Authentication / authorization gateway
• Portal functionalities (optional)
• User management (optional)
• Adaptors to blackbox applications:
- WebCT Vista
- WebCT CE
- …
[Diagram: Shibboleth -> AAIportal SignOn -> API -> Application, via adaptors A1, A2, ...]
Central AAI Services
• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating WAYF server (‘Where are you from?’)
• Testing parties (identity provider / service provider)
• Jump-start service
• Virtual Home Organization
Key Issues in SWITCHaai
• Structure of SWITCHaai Federation
- Switzerland is strongly federal
- Solve problems at the lowest level, coordinate where useful
• AAI is more than Shibboleth
- SWITCHaai designed to be extensible (policies, federation)
• SAML 2 and Shibboleth 2 will allow interoperability with other SAML based infrastructures
AAI and Grid
• SWITCHaai concept is ready for Grid integration
• Current Shibboleth version not yet Grid ready
• GridShib, an Internet2 project, links upcoming Shibboleth 1.3 with Globus Toolkit 4.1
- first phase to be implemented until autumn 2005
- second phase to be implemented until second half of 2006
- http://grid.ncsa.uiuc.edu/GridShib/
• Extension to other n-tier use cases possible
Outlook 2005 – 2007
• More national AAI related projects
- supported by federal grants (on matching funds)
• Non-web browser based service providers (like Grid)
• Study on AAI and ECTS
• Study on extending AAI to AAAI
- accounting, but not limited to billing
• Integration of federation partners
- resources from non-members
- other federations
http://www.switch.ch/aai
EUGridPMA
• What the EUGridPMA does
- A useful job for Grid projects (evaluating CP/CPSs)
- Impressive PR: made it into eIRG papers (together with TACAR)
• NREN perspective:
- NRENs engaging in PKIs need something similar to interwork
- But we will need more than one assurance level (Grid strength certs and basic strength certs)
• The predicted future of EUGridPMA:
- Perish: if they stay Grid-specific
- Flourish: if they become relevant beyond the Grid
• Recommendation:
- NRENs to collaborate and eventually host EUGridPMA activities
- Terena to play an important role (how about TACAR++?)