Communication Systems, Computing Center, University of Stuttgart (slide master: 13 March 2002, Alexander Dauensteiner)
DAMe Project, Sascha Neinert, 27.03.2007, Page 1
JRA5 Meeting
DAMe Project
Sascha Neinert, Computing Center, University of Stuttgart
27th March 2007
Overview
Current Status: eduroam + NAS-SAML, testbed
Unified Single SignOn: Proposal(s)
Current Status
Basic eduroam:
1. The eduroam / RADIUS infrastructure is used for AuthN: username + password are sent via the tunnel
2. The home RADIUS returns Access-Accept
eduroam + NAS-SAML:
3. The visited RADIUS executes the nassaml_authz module
4. An AuthZ-Request is sent to the visited NAS-SAML (target domain)
5. The target domain sends an AttributeRequest
eduroam + NAS-SAML
5. Target domain sends AttributeRequest
6. Home domain fetches Attributes from the Attribute Authority
7. If the Attribute Release Policy allows it, Attributes are sent in an AttributeAssertion to the target domain
8. Target domain consults the Policy Decision Point
9. Policies are evaluated according to the sent Attributes
10. The AuthZ-Decision is sent back to the visited RADIUS
Sequence Diagram
(Diagram: Target Domain with RADIUS and Diameter/NAS-SAML; Home Domain with eduroam RADIUS and Diameter/NAS-SAML. Messages in order:)
Target RADIUS -> Home RADIUS (eduroam): Access-Request: credentials
Home RADIUS -> Target RADIUS: Access-Accept
Target RADIUS -> Target Diameter/NAS-SAML: AuthZRequest
Target Diameter/NAS-SAML -> Home Diameter/NAS-SAML: AttributeRequest
Home Diameter/NAS-SAML: evaluate Attribute Release Policy
Home Diameter/NAS-SAML -> Target Diameter/NAS-SAML: AttributeAssertion
Target Diameter/NAS-SAML: evaluate Policy
Target Diameter/NAS-SAML -> Target RADIUS: AuthZDecision
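The ten steps on the two previous slides and in the sequence diagram, as an added worked example in Python. This is not the DAMe testbed code (the testbed uses FreeRADIUS, OpenDiameter and OpenSAML-C); the realms, users, attributes, attribute release policy and PDP rules are all constructed for illustration, and the RADIUS, Diameter and SAML messages between the domains are modelled as plain function calls. The point it makes that the slides only imply: the nassaml_authz post-auth hook can only turn the home domain's Access-Accept into a Reject, and a release policy that withholds an attribute leads to a Deny at the target PDP even for a fully authenticated user.

```python
# Added example (not DAMe testbed code): a single-process model of the
# eduroam + NAS-SAML authorisation flow, steps 1-10.  Users, attributes,
# release policy and PDP rules are constructed for illustration.

# ---- Home domain (dame.um.es in this example) ------------------------------
HOME_USERS = {"alice": "s3cret", "bob": "hunter2"}          # constructed
HOME_ATTRIBUTES = {                                           # Attribute Authority data
    "alice": {"eduPersonAffiliation": "staff",  "eduPersonEntitlement": "wlan"},
    "bob":   {"eduPersonAffiliation": "alumni", "eduPersonEntitlement": "library"},
}
# Attribute Release Policy (step 7): attributes each target realm may receive.
RELEASE_POLICY = {
    "dame.uni-stuttgart.de": {"eduPersonAffiliation", "eduPersonEntitlement"},
    "other.example":         {"eduPersonAffiliation"},
}


def home_radius_authenticate(username, password):
    """Steps 1-2: the inner PEAP/MSCHAPv2 check, modelled as a password compare."""
    return "Access-Accept" if HOME_USERS.get(username) == password else "Access-Reject"


def home_attribute_request(username, target_realm):
    """Steps 5-7: fetch the user's attributes from the AA and return, as the
    AttributeAssertion, only those the release policy allows for target_realm."""
    allowed = RELEASE_POLICY.get(target_realm, set())
    return {k: v for k, v in HOME_ATTRIBUTES.get(username, {}).items() if k in allowed}


# Realm routing table of the visited domain: which home domain answers for a realm.
HOME_REALMS = {"dame.um.es": (home_radius_authenticate, home_attribute_request)}

# ---- Target (visited) domain -----------------------------------------------
# Constructed PDP rules: resource -> list of (attribute, accepted values).
TARGET_POLICY = {
    "wlan": [("eduPersonAffiliation", {"staff", "student"}),
             ("eduPersonEntitlement", {"wlan"})],
}


def target_pdp_decide(resource, attributes):
    """Steps 8-9: Permit only if every rule for the resource is satisfied.
    Unknown resources and missing attributes are denied (default deny)."""
    rules = TARGET_POLICY.get(resource)
    if rules is None:
        return "Deny"
    for attr, accepted in rules:
        if attributes.get(attr) not in accepted:
            return "Deny"
    return "Permit"


def target_nassaml_authz(username, home_realm, target_realm, resource):
    """Steps 4-10: the target NAS-SAML sends an AttributeRequest to the home
    domain, receives the AttributeAssertion and consults the PDP."""
    _, attribute_request = HOME_REALMS[home_realm]
    assertion = attribute_request(username, target_realm)
    return target_pdp_decide(resource, assertion)


def visited_radius_access(identity, password,
                          visited_realm="dame.uni-stuttgart.de", resource="wlan"):
    """The visited RADIUS server: proxy AuthN to the home realm (steps 1-2),
    then run the nassaml_authz post-auth hook (step 3).  The hook can only
    downgrade an Access-Accept to a Reject; a Reject from home is final."""
    username, _, home_realm = identity.partition("@")
    if home_realm not in HOME_REALMS:
        return "Access-Reject"             # unknown or missing realm: nowhere to proxy
    authenticate, _ = HOME_REALMS[home_realm]
    if authenticate(username, password) != "Access-Accept":
        return "Access-Reject"
    decision = target_nassaml_authz(username, home_realm, visited_realm, resource)
    return "Access-Accept" if decision == "Permit" else "Access-Reject"


if __name__ == "__main__":
    for who, pw, realm in [("alice@dame.um.es", "s3cret", "dame.uni-stuttgart.de"),
                           ("bob@dame.um.es", "hunter2", "dame.uni-stuttgart.de"),
                           ("alice@dame.um.es", "s3cret", "other.example")]:
        print(who, "at", realm, "->", visited_radius_access(who, pw, visited_realm=realm))
```

Running it shows alice accepted at dame.uni-stuttgart.de, bob rejected there (alumni, no wlan entitlement) although his password was correct, and alice rejected at other.example because that realm's release policy never receives eduPersonEntitlement, so the PDP's default deny applies.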
Testbed
RADIUS
– FreeRADIUS 1.1.4
– OpenSAML-c-1.1
– Additional module: rlm_nassaml_authz (status: prototype for testing)
– Realms: dame.uni-stuttgart.de + dame.um.es
– Configuration: PEAP with MSCHAPv2, use_tunneled_reply = no, calling nassaml_authz in the post_auth section of radiusd.conf
Diameter
– OpenDiameter 1.0.7-h
– OpenSAML-c-1.1
– NAS-SAML application (home domain + target domain)
– Jakarta Tomcat 4.1.30
– WebApps for PDP and Attribute Authority (AA)
Step 1 reached
Step 1:
– Do authentication via the eduroam infrastructure
– Establish a direct link between the DIAMETER (NAS-SAML) servers next to each institutional RADIUS (eduroam) server
– Transmit information from RADIUS to DIAMETER via a translator
– Do authorization via NAS-SAML, based on SAML attributes and assertions
Gains:
– Information exchange in standard languages (SAML, XACML)
– Fine-grained access control based on user attributes
– Role based access control
Unified Single SignOn
1. Authentication for network access, via eduroam / NAS-SAML
2. Fetch eduGAIN signed tokens
3. Bootstrap the eduGAIN authentication from the NAS-SAML one
4. No need to re-authenticate
Gains: Enhanced security and user-friendliness by offering Single SignOn
uSSO Proposal (diagram)
uSSO Proposal
– New entity: a SAML AuthN Authority at the home domain; extend the RADIUS AuthN with it
– It sends an AuthN-Statement through the PEAP tunnel, before attributes are exchanged
– The user receives the AuthN-Statement, to use it as an SSO token
– Attribute exchange is next, but optional; it is done via Diameter / NAS-SAML
Proposal with SAMLArtifact (diagram)
Proposal with SAMLArtifact
SSO token: it should be short to fit in a RADIUS TLV. Use a SAML Artifact (SAML 1.x artifact type 0x0002), which contains:
– AssertionHandle: 20-byte random number, referencing a real Assertion (for a few minutes)
– SourceLocation: URI of the Home IdP
It contains no username, no attributes, no private data
One-time use
urn:oasis:names:tc:saml:1.0:profiles:artifact-02
Proposal with SAMLArtifact
1. The short artifact token is sent via RADIUS / PEAP. The user gets network access from NAS-SAML + eduroam
2. The assertion is automatically fetched with the AssertionHandle via HTTPS
3. The Assertion is used for authenticating the user for service access
The process is similar to the Browser/Artifact Profile of SAML.
Both proposals are still being discussed, and at some point will be "merged" into one.
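The artifact token from the two SAMLArtifact slides (format, size limit, one-time use, short lifetime) and the three-step issue/fetch/login process, as an added worked example in Python. It is not DAMe or OpenSAML code: the IdP location, the five-minute lifetime and the assertion fields are constructed, and the HTTPS artifact-resolution request of step 2 is modelled as a direct method call on the home IdP object. The 253-byte bound is the largest value a single RADIUS attribute can carry (RFC 2865), which is what "short enough for a RADIUS TLV" comes down to.

```python
# Added example (not DAMe code): a SAML 1.x type-0x0002 artifact used as a
# short SSO token, plus a home-IdP stand-in that issues and resolves it.
# Layout: TypeCode(2 bytes) || AssertionHandle(20 random bytes) || SourceLocation(URI),
# then base64.  IdP location, lifetime and assertion fields are constructed.
import base64
import os
import time

TYPE_CODE = b"\x00\x02"
HANDLE_LEN = 20
RADIUS_ATTR_VALUE_MAX = 253   # largest value one RADIUS attribute can carry (RFC 2865)


def make_artifact(handle, source_location):
    """Encode a type-0x0002 artifact; only the handle and the IdP URI go in."""
    if len(handle) != HANDLE_LEN:
        raise ValueError("AssertionHandle must be exactly 20 bytes")
    return base64.b64encode(TYPE_CODE + handle + source_location.encode("ascii")).decode("ascii")


def parse_artifact(artifact):
    """Split an artifact into (handle, source_location); reject other types."""
    raw = base64.b64decode(artifact, validate=True)
    if raw[:2] != TYPE_CODE or len(raw) <= 2 + HANDLE_LEN:
        raise ValueError("not a type-0x0002 SAML artifact")
    return raw[2:2 + HANDLE_LEN], raw[2 + HANDLE_LEN:].decode("ascii")


def fits_radius_attribute(artifact):
    """The slide's size requirement: the token must fit one RADIUS TLV."""
    return len(artifact.encode("ascii")) <= RADIUS_ATTR_VALUE_MAX


class HomeIdP:
    """SAML AuthN Authority at the home domain.  issue() runs once the PEAP
    authentication has succeeded (step 1); resolve() is the artifact-resolution
    call a service makes over HTTPS (step 2), modelled here as a direct call."""

    def __init__(self, source_location, lifetime=300, clock=time.monotonic):
        self.source_location = source_location
        self.lifetime = lifetime          # seconds a handle stays resolvable ("a few minutes")
        self.clock = clock                # injectable so expiry can be tested
        self._pending = {}                # handle -> (expiry, assertion)

    def issue(self, username):
        handle = os.urandom(HANDLE_LEN)   # unguessable: live handles cannot be enumerated
        assertion = {"issuer": self.source_location, "subject": username,
                     "authn_instant": self.clock()}
        self._pending[handle] = (self.clock() + self.lifetime, assertion)
        return make_artifact(handle, self.source_location)

    def resolve(self, artifact):
        try:
            handle, location = parse_artifact(artifact)
        except ValueError:                # malformed base64 or wrong type code
            return None
        if location != self.source_location:
            return None                   # artifact names some other IdP
        entry = self._pending.pop(handle, None)   # pop enforces one-time use
        if entry is None:
            return None                   # unknown, or already consumed
        expiry, assertion = entry
        if self.clock() > expiry:
            return None                   # handle outlived its lifetime
        return assertion


def service_login(idp, artifact):
    """Step 3: the service dereferences the artifact and, on success, has an
    authenticated subject without asking the user for credentials again."""
    assertion = idp.resolve(artifact)
    return assertion["subject"] if assertion else None


if __name__ == "__main__":
    idp = HomeIdP("https://idp.dame.um.es/artifact")      # constructed IdP URI
    token = idp.issue("alice")
    print("artifact:", token, "fits a RADIUS attribute:", fits_radius_attribute(token))
    print("first use :", service_login(idp, token))       # the subject
    print("second use:", service_login(idp, token))       # None: one-time use
```

Decoding the token shows why it carries no private data: apart from the fixed type code it is twenty random bytes and the IdP's own URL, so a party that sees it on the wire learns only where to ask, and asking works exactly once and only within the lifetime. The service must still resolve the artifact at the SourceLocation the artifact names and verify that this is an IdP it trusts; the example checks only that the location matches the issuing IdP.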
Questions?
Any questions or comments?
Thank you for listening!
Visit the DAMe website: http://dame.inf.um.es/