Communication Systems, Computing Center, University of Stuttgart. 13 March 2002, Alexander Dauensteiner. DAMe Project, Sascha Neinert, 27.03.2007.

Page 1

JRA5 Meeting

DAMe Project

Sascha Neinert, Computing Center, University of Stuttgart

27th March 2007

Page 2

Overview

Current Status: eduroam + NAS-SAML, testbed

Unified Single SignOn: Proposal(s)

Page 3

Current Status

Basic eduroam:

1. eduroam / RADIUS infrastructure is used for AuthN: username + password are sent via the tunnel
2. Home RADIUS returns Access-Accept

eduroam + NAS-SAML:

3. Visited RADIUS executes the nassaml_authz module
4. AuthZ-Request is sent to the visited NAS-SAML (target domain)
5. Target domain sends AttributeRequest

Page 4

eduroam + NAS-SAML

5. Target domain sends AttributeRequest
6. Home domain fetches attributes from the Attribute Authority
7. If the Attribute Release Policy allows it, attributes are sent in an AttributeAssertion to the target domain
8. Target domain consults the Policy Decision Point
9. Policies are evaluated according to the sent attributes
10. AuthZ-Decision is sent back to the visited RADIUS
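The two policy checks in steps 6 to 9 (Attribute Release Policy at the home domain, Policy Decision Point at the target domain) can be modelled in a few lines. The following is an added example, not DAMe project code: the attribute store, the release policy, the PDP rules and the domain names are constructed for illustration, and the default-deny behaviour for an unknown target domain or a non-matching rule is a design choice of this example rather than a statement from the slides.

```python
# Added example (not DAMe project code): a toy model of the NAS-SAML
# authorisation path on pages 3-4. The home domain applies an Attribute
# Release Policy (ARP) before releasing attributes; the target domain's
# Policy Decision Point (PDP) evaluates role-based rules against the
# attributes it actually received. All data below is constructed.

from dataclasses import dataclass

# Attribute Authority at the home domain (constructed sample data).
ATTRIBUTE_AUTHORITY = {
    "alice@dame.uni-stuttgart.de": {
        "eduPersonAffiliation": ["staff", "member"],
        "eduPersonEntitlement": ["urn:example:dame:wlan-full"],
        "mail": "alice@example.invalid",
        "employeeNumber": "12345",
    },
}

# Attribute Release Policy: per target domain, the attributes the home
# domain is willing to release. Anything not listed is withheld.
ATTRIBUTE_RELEASE_POLICY = {
    "dame.um.es": {"eduPersonAffiliation", "eduPersonEntitlement"},
}


def release_attributes(user, target_domain):
    """Steps 6-7: fetch attributes from the AA and filter them by the ARP."""
    attrs = ATTRIBUTE_AUTHORITY.get(user)
    if attrs is None:
        return {}
    allowed = ATTRIBUTE_RELEASE_POLICY.get(target_domain, set())
    # Default deny: a target domain without an ARP entry receives nothing.
    return {k: v for k, v in attrs.items() if k in allowed}


@dataclass
class Rule:
    resource: str
    required_attribute: str
    any_of: set
    effect: str = "Permit"


# Target domain PDP policy (constructed): role-based rules over the
# attributes the home domain released.
PDP_POLICY = [
    Rule("network-access", "eduPersonAffiliation", {"staff", "student"}),
    Rule("network-access-full", "eduPersonEntitlement",
         {"urn:example:dame:wlan-full"}),
]


def evaluate_policy(resource, attributes):
    """Steps 8-9: the PDP walks its rules; no matching rule means Deny."""
    for rule in PDP_POLICY:
        if rule.resource != resource:
            continue
        values = attributes.get(rule.required_attribute, [])
        if isinstance(values, str):
            values = [values]
        if rule.any_of.intersection(values):
            return rule.effect
    return "Deny"


def authorize(user, target_domain, resource):
    """End to end: ARP at the home domain, then PDP at the target domain.
    Returns the decision (step 10) and the attributes that were released,
    so a caller can verify that nothing outside the ARP leaked."""
    released = release_attributes(user, target_domain)
    return evaluate_policy(resource, released), released


if __name__ == "__main__":
    print(authorize("alice@dame.uni-stuttgart.de", "dame.um.es", "network-access"))
```

The point worth checking in a real deployment is the second return value: the PDP should only ever see what the ARP released, and a target domain that is not in the ARP should get an empty attribute set and therefore a Deny, rather than falling back to the full record.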

Page 5

Sequence Diagram (reconstructed from the slide's labels; participants are the target domain and the home domain, each with a RADIUS server and a Diameter / NAS-SAML server)

1. RADIUS (eduroam): Access-Request with credentials from the target domain to the home domain
2. RADIUS (eduroam): Access-Accept back to the target domain
3. Target domain RADIUS to target domain Diameter / NAS-SAML: AuthZRequest
4. Target domain NAS-SAML to home domain NAS-SAML: AttributeRequest; the home domain evaluates the Attribute Release Policy
5. Home domain NAS-SAML to target domain NAS-SAML: AttributeAssertion; the target domain evaluates its policy
6. Target domain NAS-SAML to target domain RADIUS: AuthZDecision

Page 6

Testbed

RADIUS
– FreeRADIUS 1.1.4
– OpenSAML-c-1.1
– Additional module: rlm_nassaml_authz (status: prototype for testing)
– Realms: dame.uni-stuttgart.de + dame.um.es
– Configuration: PEAP with MSCHAPv2, use_tunneled_reply = no, calling nassaml_authz in the post_auth section of radiusd.conf

Diameter
– OpenDiameter 1.0.7-h
– OpenSAML-c-1.1
– NAS-SAML application (home domain + target domain)
– Jakarta Tomcat 4.1.30
– WebApps for PDP and Attribute Authority (AA)

Page 7

Step 1 reached

Step 1: Do authentication via the eduroam infrastructure
– Establish a direct link between DIAMETER (NAS-SAML) servers next to each institutional RADIUS (eduroam) server
– Transmit information from RADIUS to DIAMETER via a translator
– Do authorization via NAS-SAML, based on SAML attributes and assertions

Gains:
– Information exchange in standard languages (SAML, XACML)
– Fine-grained access control based on user attributes
– Role based access control

Page 8

Unified Single SignOn

1. Authentication for network access, via eduroam / NAS-SAML
2. Fetch eduGAIN signed tokens
3. Bootstrap eduGAIN authentication from the NAS-SAML one
4. No need to re-authenticate

Gains: Enhanced security and user-friendliness by offering Single SignOn

Page 9

uSSO Proposal

Page 10

uSSO Proposal

New entity: SAML AuthN Authority at the home domain
– Extend RADIUS AuthN with it
– It sends an AuthN-Statement through the PEAP tunnel, before attributes are exchanged
– The user receives the AuthN-Statement, to use it as an SSO token

Attribute exchange is next, but optional; it is done via Diameter / NAS-SAML

Page 11

Proposal with SAMLArtifact

Page 12

Proposal with SAMLArtifact

SSO token: it should be short to fit in a RADIUS TLV. Use a SAML Artifact, which contains:

– AssertionHandle: 20-byte random number, referencing a real Assertion (for a few minutes)
– SourceLocation: URI of the Home IdP

It contains no username, no attributes, no private data. One-time use.
urn:oasis:names:tc:saml:1.0:profiles:artifact-02

Page 13

Proposal with SAMLArtifact

1. Short artifact token is sent via RADIUS / PEAP. User gets network access from NAS-SAML + eduroam
2. The assertion is automatically fetched with the AssertionHandle via HTTPS
3. The assertion is used for authenticating the user for service access

Process is similar to the Browser/Artifact Profile of SAML.

Both proposals are still being discussed, and at some point will be “merged” into one.
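The artifact token of pages 12 and 13 (20-byte AssertionHandle plus SourceLocation, short-lived, one-time use, small enough for a RADIUS attribute, dereferenced at the home IdP) can be exercised end to end in a small model. The following is an added example and not DAMe project code: the byte layout follows the SAML 1.1 type 0x0002 artifact (type code, then the 20-byte handle, then the SourceLocation URI, base64-encoded), the 253-byte limit is the maximum value length of a single RADIUS attribute, and the IdP URL, assertion strings and 180-second lifetime are constructed. The in-memory dictionary stands in for the HTTPS fetch of step 2.

```python
# Added example (not DAMe project code): artifact-based SSO token from
# pages 12-13, modelled on the SAML 1.1 type 0x0002 artifact layout
# (TypeCode || AssertionHandle || SourceLocation, base64-encoded).
# IdP URL, assertion contents and lifetime are constructed for this example.

import base64
import os
import time

TYPE_CODE = b"\x00\x02"
HANDLE_LEN = 20                 # AssertionHandle: 20-byte random number
ARTIFACT_TTL_SECONDS = 180      # "for a few minutes" (constructed value)
RADIUS_ATTR_MAX_VALUE = 253     # max value length of one RADIUS attribute


class HomeIdP:
    """Home domain: issues artifacts and resolves each one exactly once."""

    def __init__(self, source_location):
        self.source_location = source_location.encode("ascii")
        self._pending = {}      # handle -> (assertion, expiry timestamp)

    def issue_artifact(self, assertion, now=None):
        """Step 1: mint a token that carries no username or attributes,
        only a random handle and where to resolve it."""
        now = time.time() if now is None else now
        handle = os.urandom(HANDLE_LEN)
        self._pending[handle] = (assertion, now + ARTIFACT_TTL_SECONDS)
        raw = TYPE_CODE + handle + self.source_location
        return base64.b64encode(raw).decode("ascii")

    def resolve(self, handle, now=None):
        """One-time use: the handle is removed on the first lookup, whether
        or not it is still valid, so a replayed artifact resolves to nothing."""
        now = time.time() if now is None else now
        entry = self._pending.pop(handle, None)
        if entry is None:
            return None         # unknown handle, or already used
        assertion, expiry = entry
        if now > expiry:
            return None         # expired
        return assertion


def parse_artifact(token):
    """Split a token into (handle, source_location); reject other types."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) < len(TYPE_CODE) + HANDLE_LEN + 1 or raw[:2] != TYPE_CODE:
        raise ValueError("not a type 0x0002 artifact")
    handle = raw[2:2 + HANDLE_LEN]
    source_location = raw[2 + HANDLE_LEN:].decode("ascii")
    return handle, source_location


def fits_radius_attribute(token):
    """The token must fit in a single RADIUS attribute value."""
    return len(token.encode("ascii")) <= RADIUS_ATTR_MAX_VALUE


def fetch_assertion(token, idps, now=None):
    """Step 2: the service side dereferences the artifact at the home IdP.
    `idps` maps SourceLocation -> HomeIdP and stands in for the HTTPS call."""
    handle, source = parse_artifact(token)
    idp = idps.get(source)
    if idp is None:
        return None             # unknown SourceLocation: do not resolve
    return idp.resolve(handle, now=now)


if __name__ == "__main__":
    url = "https://idp.dame.uni-stuttgart.example/artifact"   # constructed
    idp = HomeIdP(url)
    token = idp.issue_artifact("<Assertion>alice</Assertion>")
    print(len(token), fits_radius_attribute(token))
    print(fetch_assertion(token, {url: idp}))   # assertion
    print(fetch_assertion(token, {url: idp}))   # None: already used
```

Two properties of the slide's design are visible here: the token itself reveals nothing about the user (only random bytes and the IdP location), and the second fetch of the same artifact fails, which is what makes a token intercepted on the RADIUS path useless after the legitimate client has redeemed it. A resolver that did not pop the handle on first use would lose that second property.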

Page 14

Questions?

Any questions or comments?

Thank you for listening!

Visit the DAMe website: http://dame.inf.um.es/

[email protected]