
Do you like to puzzle?

…build an AA Infrastructure!

DELAMAN Access Group Workshop

November, 30th, 2004

[email protected]


2

Presentation contents

• Drivers for an AAI;

• The pieces of the AAI-puzzle:
  – network and application access, login, authentication, authorisation, identity management;

• Federations;

• Shibboleth;

• E2E Middleware Diagnostics;

• Standards;

• Developments;

3

Authentication and Authorisation Infrastructure (AAI)

The authentication and authorisation services, the components for identity and privilege management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.

4

Why AAI? Personalised service provisioning

5

Why AAI? Educational mobility

6

Why AAI? Network mobility

7

Why AAI? Reduce the digital key ring

8

Ingredients of an AAI

(Diagram: Network, Authentication, Authorisation, Login, (web) Application, Administration)

9

Network access: RADIUS proxy hierarchy

(Diagram: Organisational RADIUS Servers A, B and C, National RADIUS Proxy Servers and European RADIUS Proxy Servers, arranged as a proxy hierarchy; piece of the puzzle: network)
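As an added illustration (not part of the slides), the following simulates how an Access-Request for a roaming user is routed through the proxy hierarchy on the diagram by the realm part of the user name; the server names, realms and country mapping are constructed assumptions.

```python
# Added example, not from the slides: a simulation of realm-based routing of
# an Access-Request through the RADIUS proxy hierarchy on the diagram.
# Server names, realms and the country mapping are constructed assumptions.

# Organisational RADIUS servers, keyed by the realm each is authoritative for.
ORG_SERVERS = {
    "uni-a.example.nl": "Organisational RADIUS Server A",
    "uni-b.example.de": "Organisational RADIUS Server B",
    "uni-c.example.it": "Organisational RADIUS Server C",
    "uni-d.example.nl": "Organisational RADIUS Server D",   # second NL site
}
# National proxies, keyed by the country-code top-level domain of the realm.
NATIONAL_PROXIES = {
    "nl": "National RADIUS Proxy Server (NL)",
    "de": "National RADIUS Proxy Server (DE)",
    "it": "National RADIUS Proxy Server (IT)",
}
EUROPEAN_PROXY = "European RADIUS Proxy Server"

def split_nai(identity):
    """Split a Network Access Identifier 'user@realm' into (user, realm).
    A missing or empty realm is rejected: there is nowhere to route it."""
    user, sep, realm = identity.partition("@")
    if not sep or not user or not realm or "@" in realm:
        raise ValueError("identity must be user@realm: %r" % identity)
    return user, realm.lower()

def country_of(realm):
    return realm.rsplit(".", 1)[-1]

def route_request(identity, visited_realm):
    """Return the servers an Access-Request for `identity` passes through when
    the user connects at the organisation serving `visited_realm`. Each hop
    forwards only what it cannot answer itself; the home server authenticates."""
    _, home_realm = split_nai(identity)
    hops = [ORG_SERVERS[visited_realm]]
    if home_realm == visited_realm:
        return hops                                   # local user: answered here
    hops.append(NATIONAL_PROXIES[country_of(visited_realm)])
    home_cc = country_of(home_realm)
    if home_cc != country_of(visited_realm):
        # Different country: up to the European proxy, then down again.
        if home_cc not in NATIONAL_PROXIES:
            raise LookupError("no national proxy for realm %r" % home_realm)
        hops += [EUROPEAN_PROXY, NATIONAL_PROXIES[home_cc]]
    if home_realm not in ORG_SERVERS:
        raise LookupError("no organisational server for realm %r" % home_realm)
    hops.append(ORG_SERVERS[home_realm])
    return hops
```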

10

Network access: User-controlled light path provisioning

(Diagram: applications at SURFnet6, NetherLight, OMNInet and Starlight, each with a broker, services and AAA; UDDI/WSIL; A-Select token; piece of the puzzle: network)

11

Application access: centralise intelligence

(Diagram: applications)


13

Login server: intermediary between application and AA, providing SSO

(Diagram: login)

14

Authentication: choose your own method (and strength)

• IP address

• Username / password
  – LDAP / Active Directory
  – RADIUS
  – SQL

• Passfaces

• PKI certificate

• OTP through SMS

• OTP through internet banking

• Tokens (SecurID, Vasco, …)

• Biometrics

• …

15

Authentication: solutions for web environments

• Web Initial Sign-on (WebISO)
  – A-Select, SURFnet
  – CAS, Yale
  – Cosign, Michigan
  – Distauth, UC Davis
  – eIdentity Web Authentication, Colorado State
  – PAPI, RedIRIS
  – Pubcookie
  – Web AuthN/AuthZ, Michigan Tech
  – WebAuth, Stanford
  – ... Etcetera...

16

Authorisation: policy engines

17

Authorisation: policy engines, e.g. using ‘roles’

18

Authorisation: 3 scenarios

1. Authentication = authorisation (‘simple’)

2. Identity plus a few attributes (‘commonly used’)

3. Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’)

20

Administration: Identity Management

• How to record the identities (schemas), credentials (attributes or roles), and privileges?

• Enterprise (or meta) directory to glue all sources of information together;

• Quality of registration is CRUCIAL for AuthN and AuthZ;

• It’s the underlying basis for an AAI;

• …and it’s a hype…

21

Administration: Identity Management - layers example

(Diagram: Admin. layer: SAP/HR, Local Admin; Directory layer: LDAP, ADS; Application layer: Exchange, W2K/XP, RADIUS, CAB, Portfolio; Network layer: 802.1x, WLAN, Dial-UP)

22

Presentation contents

• Drivers for an AAI;

• The pieces of the AAI-puzzle:
  – network and application access, login, authentication, authorisation, identity management;

• Federations;

• Shibboleth;

• E2E Middleware Diagnostics;

• Standards;

• Developments;

23

Federations:

A Federation is a group of organisations, whose members have agreed to cooperate in an area such as operating an inter-organisational AAI - a Federated AAI or an AAI Federation.


24

Cross-domain AA: ingredients for a federation

• Policies (e.g. InCommon* from Internet2):
  – Federation Operating Practices and Procedures
  – Participant Agreement
  – Participant Operating Practices

• Technologies:
  – Protocols / language
  – Schemas
  – Trust / PKI

* http://www.incommonfederation.org/

25

Cross-domain AA: federation, organisational view (diagram: Group A, Group B)

26

Birdseye view of Shibboleth Suite

• What is Shibboleth?
  – An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user's privacy. Trust relations are created within a federation;

• What does Shibboleth offer?
  – authorisation, attribute gathering and privacy-safe transport of attributes;

• What doesn't Shibboleth do?
  – Out-of-the-box authentication; choose a WebISO (e.g. A-Select);

• Results at a protected resource after the Shibboleth process:
  – user ID-x with the attributes X,Y wants access to resource Z
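As an added example for both the three authorisation scenarios above and the Shibboleth flow (not code from the slides or from the Shibboleth project), the model below keeps the user's attributes at the home organisation, releases only what each resource's policy allows, and lets the resource's policy engine decide on the released attributes alone. The eduPerson attribute names are real; the user, resources and entitlement value are constructed.

```python
# Added example, not from the slides or from Shibboleth itself: a small model
# of "user ID-x with attributes X,Y wants access to resource Z". The identity
# provider (IdP, Group A) holds the attributes and a per-resource release
# policy; the resource (Group B) decides on the released attributes only.
# User, resource names and the entitlement URN are constructed for illustration.

# Attributes the home organisation knows about its users (eduPerson names).
IDP_ATTRIBUTES = {
    "ID-x": {"eduPersonAffiliation": "student", "mail": "x@home.example",
             "eduPersonEntitlement": "urn:mace:example:journals"},
}

# Attribute release policy: which attributes may go to which resource.
# Only what a resource needs is released (scenario 3: privacy-preserving).
RELEASE_POLICY = {
    "journals": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "campus-wiki": {"eduPersonAffiliation"},
    "open-archive": set(),            # scenario 1: authentication suffices
}

# Resource-side rules on the released attributes (scenario 2: role-style).
ACCESS_RULES = {
    "journals": lambda a: a.get("eduPersonEntitlement") == "urn:mace:example:journals",
    "campus-wiki": lambda a: a.get("eduPersonAffiliation") in {"student", "staff"},
    "open-archive": lambda a: True,
}

def release_attributes(user_id, resource):
    """IdP side: return only the attributes the policy allows for `resource`.
    Unknown resources get nothing; the full record never leaves the IdP."""
    allowed = RELEASE_POLICY.get(resource, set())
    record = IDP_ATTRIBUTES.get(user_id, {})
    return {k: v for k, v in record.items() if k in allowed}

def authorise(user_id, resource, authenticated=True):
    """Resource side: decide on the released attributes. Returns
    (decision, released_attributes) so the decision can be audited."""
    if not authenticated or user_id not in IDP_ATTRIBUTES:
        return False, {}
    attrs = release_attributes(user_id, resource)
    rule = ACCESS_RULES.get(resource)
    if rule is None:
        return False, attrs               # no rule means deny, not allow
    return bool(rule(attrs)), attrs
```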

27

Shibboleth: mapping of AAI components (diagram: Group A, Group B)

29

E2E Middleware diagnostics: what if there’s an error?

(Diagram: Security Related Events, Middleware Related Events and Network Related Events feed Collection and Normalization of Events, which feeds a Dissemination Network; Group A, Group B)

Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets.

30

E2E Middleware diagnostics: what if there’s an error?

(Diagram: Hosts 1 to 9 in an Enterprise Federation emit Application, System or Security Events (LDAP, DNS, Web-App) and Network Events (Netflow, Network Devices) into an Archive and Network Forensics store; from there Combined Forensics and Reporting, General Forensics and Reporting, and a User Diag App draw their data; Group A, Group B)
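As an added example of the collection and normalisation step on the two diagrams above (not code from the slides), the snippet below parses constructed log lines from the three kinds of source (network: RADIUS, middleware: LDAP, application: web login) into one event record and reports the first failing layer for a given user; the log formats and host names are assumptions.

```python
# Added example, not from the slides: normalise events from three sources
# (network, middleware, application) into one record so a diagnostic
# application can follow one user's failed login across layers.
# Log formats, host names and users below are constructed for illustration.
import re
from collections import namedtuple

Event = namedtuple("Event", "time source host user outcome detail")

# One parser per source; each maps its own line format to the common Event.
PARSERS = {
    "radius": re.compile(r"^(?P<time>\S+) (?P<host>\S+) radius: "
                         r"Access-(?P<outcome>Accept|Reject) user=(?P<user>\S+)"
                         r"(?: reason=(?P<detail>.*))?$"),
    "ldap": re.compile(r"^(?P<time>\S+) (?P<host>\S+) slapd: BIND dn=\"uid=(?P<user>[^,]+),[^\"]*\" "
                       r"result=(?P<outcome>\d+)(?: text=(?P<detail>.*))?$"),
    "webapp": re.compile(r"^(?P<time>\S+) (?P<host>\S+) webapp: login (?P<outcome>ok|failed) "
                         r"user=(?P<user>\S+)(?: (?P<detail>.*))?$"),
}

OK_OUTCOMES = {"Accept", "0", "ok"}     # what 'success' looks like per source

def normalise(line):
    """Parse one raw line into an Event, or None if no source recognises it."""
    for source, rx in PARSERS.items():
        m = rx.match(line)
        if m:
            return Event(m["time"], source, m["host"], m["user"],
                         "success" if m["outcome"] in OK_OUTCOMES else "failure",
                         m["detail"] or "")
    return None

def trace_user(lines, user):
    """Diagnostic view: this user's events across all sources, oldest first,
    plus the first failing layer (the place to start looking)."""
    events = sorted((e for e in map(normalise, lines) if e and e.user == user),
                    key=lambda e: e.time)
    first_fail = next((e for e in events if e.outcome == "failure"), None)
    return events, first_fail

# Constructed sample logs from three hosts; ISO-8601 timestamps sort as text.
SAMPLE_LOGS = [
    "2004-11-30T10:00:01Z host1 radius: Access-Accept user=alice",
    "2004-11-30T10:00:03Z host3 slapd: BIND dn=\"uid=alice,ou=people,dc=example\" result=49 text=invalid credentials",
    "2004-11-30T10:00:04Z host9 webapp: login failed user=alice upstream auth error",
    "2004-11-30T10:00:05Z host9 webapp: login ok user=bob",
]
```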

31

What about… …standards?

• Currently many proprietary solutions (sockets, cookies, redirects, …)

• Webservices (SOAP, XML RPC, WSDL, WS-*)

• SAML

• For federations:
  – WS-Federation (Microsoft, IBM)
  – SAML (OASIS: 150 companies, Internet2)
  – Liberty Alliance (Sun, 170 companies)

32

What about… …developments (in the research world)?

• Australia: start with Shibboleth
• Europe: combination of Shibboleth and ‘home-grown’
• USA: Shibboleth

• European Project Geant2:
  – GN2-JRA5: focus on European AAI, SSO for network and applications

• Need for:
  – Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
  – Universal Single Sign-On across network and application domain
  – Attention to non-web-based applications

33


Questions ?

35

To conclude: a possible future: DELAMAN Federation based on Shibboleth?

(Diagram: the Delaman Foundation, with a Board of Founders, an Advisory Committee and an Operations Committee, runs the Central AAI Services of the Delaman Federation. Foundation Members (Institutes, Research, Universities, Libraries) act as home organisations; Foundation Partners act as service providers offering resources. Members take a service subscription; providers perform resource registration.)