University of Murcia Gabriel López

VoIP service in DAMe/eduroam


Description: VoIP service in DAMe/eduroam, a PowerPoint presentation by Gabriel López, University of Murcia.

Page 1: VoIP service in DAMe/eduroam

University of Murcia, Gabriel López

Page 2

• Network authentication in eduroam and SSO token distribution
  ◦ RADIUS hierarchy
  ◦ Token based on SAML
• Network authorization based on end user attributes
  ◦ Based on eduGAIN BEs
  ◦ XACML authorization policies
• Web authN and authZ profile
• Besides:
  ◦ Integrated with Shibboleth and PAPI IdPs
  ◦ Support for LoA (Level of Assurance)
  ◦ RadSec deployment in progress

Page 3

• New services for SSO
  ◦ Based on the SSO token provided by DAMe
  ◦ Provide APIs for BEs: token generation, token validation, authorization
• Unified SSO token (perfSONAR, DAMe, etc.)
• Provide optional authorization for VoIP services based on end user attributes
• SIP protocol for testing

Page 4

[Figure: sequence diagram "Registration" and "Call initiation" across Home Institution and Remote Institution. Participants: SIP UA, H-SIP Registrar, H-SIP Proxy, R-SIP Registrar, R-SIP Proxy; the user address is rendered as [email protected] in the source. Registration messages shown: Register (), 401 Unauthorized, Register (authz_data), 200 OK, with "authentication" at the registrar. Call initiation messages shown: Invite (Bob), 401 Unauthorized, Invite (Bob, authz_data), Trying, Session in progress, with "authentication" at the proxy. Transport labelled SIP.]

Page 5

• Profile 1: The user has a valid SSO token
  ◦ From the end user network authentication (DAMe)
  ◦ New registration method required
  ◦ Token validation through BEs
  ◦ Extending registration method for authorization
• Profile 2: The end user does not have a valid SSO token
  ◦ Receives a new SSO token for further authentications (VoIP, Web, etc.)
  ◦ Who does the end user authentication? VoIP Registrar vs IdP
  ◦ Who does the token generation? BEs vs IdP

Page 6

• Profile 2: SSO token generation delegated to the BEs (DAMe-based)
  ◦ Profile 2.1: Traditional authentication in the registrar server (HTTP Digest); authentication in the registrar server
  ◦ Profile 2.2: Authentication based on HTTP (HTTP redirect); authentication in the IdP
  ◦ Profile 2.3: In-line/native authentication (new method); authentication in the IdP

Page 7

[Figure: sequence diagram "Registration" for Profile 1 (the user already holds an SSO token from network authentication) across Home Institution and Remote Institution. Participants: SIP UA, H-SIP Registrar, eduGAIN H-BE, R-SIP Registrar, eduGAIN R-BE, IdP (Authn, Attrib.); the user address is rendered as [email protected] in the source. Messages shown: Network authentication; Register (Token); AuthZRequest(token); Attribute request / Attribute response (SOAP, federation specific); Authorization policy; ok; 200 OK; Register (Token); AuthNRequest(token); token validation; AuthNResponse; 200 OK. Transports labelled SIP and SOAP.]

Page 8

• Extension of SIP messages:
  ◦ Register (token)
  ◦ New authentication method
• Extension of SIP proxies:
  ◦ Token validation through BEs
  ◦ Authorization based on end user and environment attributes, through BEs
  ◦ The authorization process (attribute recovery and PDP requests) is transparent for the proxies
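The profile 1 REGISTER handling described on this slide (token carried in the REGISTER, validation delegated to the BE, fallback to the classic 401 challenge when no valid token is present), as an added Python example; this is illustration code, not code from the DAMe project. The header name X-DAMe-Token, the Digest realm and the small token table that stands in for the BE's AuthnRequest(SSOToken) call are assumptions made for the example.

```python
"""Profile-1 REGISTER handling at a SIP registrar (added example, not DAMe code).

The slides only say "Register (token)" and "Token validation through BEs".
The header name X-DAMe-Token, the Digest realm and the token table that
stands in for the BE's AuthnRequest(SSOToken) call are assumptions made here.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_HEADER = "X-DAMe-Token"        # assumed header carrying the SSO token
REALM = "registrar.example.invalid"  # placeholder realm for the Digest fallback


@dataclass
class SipRequest:
    method: str
    uri: str
    headers: Dict[str, str]  # header name (lower-cased) -> value


def parse_sip_request(raw: str) -> SipRequest:
    """Parse the request line and headers of a SIP request; the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("malformed SIP request line")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return SipRequest(parts[0], parts[1], headers)


# Stand-in for the BE's AuthnRequest(SSOToken): tokens the BE would accept and
# their expiry time. A real BE checks the SAML signature, the certificate
# chain and the validity period instead (constructed data).
KNOWN_TOKENS = {
    "tok-alice-valid": time.time() + 3600,
    "tok-bob-expired": time.time() - 1,
}


def be_authn_request(token: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    expiry = KNOWN_TOKENS.get(token)
    return expiry is not None and now < expiry


def handle_register(raw: str, now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Return (status code, response headers) for one REGISTER request."""
    req = parse_sip_request(raw)
    if req.method != "REGISTER":
        return 405, {"Allow": "REGISTER"}
    token = req.headers.get(TOKEN_HEADER.lower())
    if token is not None and be_authn_request(token, now):
        # Profile 1: the token proved the user's identity, no Digest round trip.
        return 200, {"Expires": "3600"}
    # No valid token: challenge the UA with the classic Digest method (profile 2.1).
    nonce = secrets.token_hex(16)
    challenge = 'Digest realm="%s", nonce="%s", qop="auth"' % (REALM, nonce)
    return 401, {"WWW-Authenticate": challenge}


def _register(token: Optional[str]) -> str:
    """Build a constructed REGISTER message, optionally carrying a token."""
    lines = ["REGISTER sip:registrar.example.invalid SIP/2.0",
             "Via: SIP/2.0/UDP ua.example.invalid;branch=z9hG4bK776",
             "To: <sip:alice@example.invalid>",
             "From: <sip:alice@example.invalid>;tag=1928301774",
             "Call-ID: constructed-call-id@ua.example.invalid",
             "CSeq: 1 REGISTER"]
    if token is not None:
        lines.append("%s: %s" % (TOKEN_HEADER, token))
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed sample messages for the three cases the registrar must handle.
SAMPLE_WITH_TOKEN = _register("tok-alice-valid")
SAMPLE_EXPIRED_TOKEN = _register("tok-bob-expired")
SAMPLE_NO_TOKEN = _register(None)

if __name__ == "__main__":
    for name, msg in [("valid token", SAMPLE_WITH_TOKEN),
                      ("expired token", SAMPLE_EXPIRED_TOKEN),
                      ("no token", SAMPLE_NO_TOKEN)]:
        print(name, "->", handle_register(msg))
```

The registrar never trusts the token on its own: the decision is the BE's answer, and an expired or unknown token degrades to the ordinary Digest challenge rather than to an error, so a UA without DAMe support still registers through profile 2.1.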

Page 9

[Figure: sequence diagram "Registration" for Profile 2.1 (HTTP Digest authentication at the registrar, SSO token generated by the BEs) across Home Institution and Remote Institution. Participants: SIP UA, H-SIP Registrar, eduGAIN H-BE, R-SIP Registrar, eduGAIN R-BE, IdP (Authn, Attrib.); the user address is rendered as [email protected] in the source. Messages shown: Register; 401 Unauthorized; Register (authz_data); AuthNQuery(user); Authn query (user); Authentication; AuthnResponse; SSO token; 200 OK (Token); Authorization. Transports labelled SIP, SOAP and federation specific.]

Page 10

• Extension of SIP messages:
  ◦ 200 OK (token)
  ◦ Classic authentication
• Extension of SIP proxies:
  ◦ Token generation request to BEs
  ◦ Authorization based on end user and environment attributes, through BEs

Page 11

[Figure: sequence diagram "Registration" for Profile 2.2 (HTTP redirect authentication at the IdP, artifact returned to the registrar) across Home Institution and Remote Institution. Participants: SIP UA, H-SIP Registrar, eduGAIN H-BE, R-SIP Registrar, eduGAIN R-BE, IdP (Authn, Attrib.); the user address is rendered as [email protected] in the source. Messages shown: Register; 401 Unauthorized; AuthnRequest (user:pass) over HTTP/federation specific; authentication; artifact; Register (artifact); AuthNRequest(artifact); Recover statement; SSO token; 200 OK (Token); Authorization. Transports labelled SIP, SOAP and HTTP/federation specific.]

Page 12

• Extension of SIP messages:
  ◦ REGISTER (artifact)
  ◦ 200 OK (token)
  ◦ HTTP redirection authN
• Extension of SIP proxies:
  ◦ Token generation request to BEs
  ◦ Authorization based on end user and environment attributes, through BEs

Page 13

[Figure: sequence diagram "Registration" for Profile 2.3 (in-line/native authentication, credentials carried in the REGISTER) across Home Institution and Remote Institution. Participants: SIP UA, H-SIP Registrar, eduGAIN H-BE, R-SIP Registrar, eduGAIN R-BE, IdP (Authn, Attrib.); the user address is rendered as [email protected] in the source. Messages shown: Register; 401 Unauthorized; Register (creds); AuthNRequest(creds); authentication; Authen statement; SSO Token; 200 OK (token); Authorization. Transports labelled SIP, SOAP and federation specific.]

Page 14

• Extension of SIP messages:
  ◦ 200 OK (token)
  ◦ Register includes end user credentials (protected channel needed)
• Extension of SIP proxies:
  ◦ Token generation request to BEs
  ◦ Authorization based on end user and environment attributes, through BEs

Page 15

• AuthnRequest(SSOToken): Boolean
  ◦ SSOToken validation (profile 1): validity period, signature (PKC chain, trust anchors, etc.)
• AuthnQuery(user): SSOToken
  ◦ Requests the authentication statement from the IdP (profile 2.1)
  ◦ Generates the SSO token
• AuthnRequest(artifact): SSOToken
  ◦ AuthN statement recovery from the IdP (profile 2.2)
  ◦ SSO token generation
• AuthnRequest(creds): SSOToken
  ◦ Sends authentication requests (application specific) to the IdP (profile 2.3)
  ◦ SSO token generation

Page 16

• AuthzRequest(SSOToken): Boolean (+obligations)
  ◦ Recover end user attributes from the home domain: through eduGAIN BEs, or directly from the Attribute Provider
  ◦ Request an authorization decision from the local PDP, based on end user id, end user attributes, resource, action and other info (date/time, network load, etc.)
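The two BE calls of slides 15 and 16, AuthnRequest(SSOToken) (signature against a trust anchor, then validity period) and AuthzRequest(SSOToken) (attributes plus resource, action and date/time to a local PDP, returning a decision with obligations), as one added Python example; this is illustration code, not the DAMe BE implementation. Assumptions: the token layout (base64url JSON body plus tag), an HMAC tag standing in for the SAML/PKC signature the real BE verifies, the attribute name "affiliation", the clock-skew tolerance and the policy rules are all constructed for this example; the attributes are read from the token itself rather than fetched through eduGAIN.

```python
"""BE-style AuthnRequest(SSOToken) and AuthzRequest(SSOToken) (added example,
not DAMe code).

The token layout, the HMAC tag standing in for the SAML/PKC signature, the
attribute names and the policy rules are constructed for this example; DAMe's
BEs validate SAML tokens and ask an XACML PDP for the decision and obligations.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

CLOCK_SKEW = 60  # seconds of tolerance on the validity period (assumption)

# Trust anchors: issuer -> verification key. An HMAC key stands in for the
# IdP certificate and PKC chain a real BE would verify (constructed).
TRUST_ANCHORS = {"idp.home.invalid": b"constructed-demo-key"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(issuer: str, subject: str, attrs: Dict[str, str],
                lifetime: int = 3600, now: Optional[float] = None) -> str:
    """IdP side (example only): token is base64url(JSON body) '.' base64url(tag)."""
    now = time.time() if now is None else now
    payload = {"iss": issuer, "sub": subject, "nbf": int(now),
               "exp": int(now) + lifetime, "attrs": attrs}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(TRUST_ANCHORS[issuer], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(tag)


def _payload(token: str) -> dict:
    return json.loads(_unb64(token.split(".", 1)[0]))


def authn_request(token: str, now: Optional[float] = None) -> bool:
    """AuthnRequest(SSOToken): Boolean. Verify the tag against the issuer's
    trust anchor first, then the validity period (slide 15, profile 1)."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
        payload = json.loads(_unb64(body))
        key = TRUST_ANCHORS[payload["iss"]]  # unknown issuer: no trust anchor
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(tag)):
            return False
        return payload["nbf"] - CLOCK_SKEW <= now < payload["exp"] + CLOCK_SKEW
    except (ValueError, KeyError, TypeError):
        return False  # malformed, untrusted issuer or wrong tag: never accept


# Constructed policy: resource -> rules. A rule matches an action, requires
# attribute values and may carry obligations on Permit; the optional "hours"
# window is the "other info (date/time)" input named on slide 16.
POLICY = {
    "sip:registrar": [
        {"action": "register", "require": {"affiliation": {"staff", "student"}},
         "obligations": []},
    ],
    "sip:external-call": [
        {"action": "invite", "require": {"affiliation": {"staff"}},
         "obligations": ["log-call"]},
        {"action": "invite", "require": {"affiliation": {"student"}},
         "hours": (8, 20), "obligations": ["limit-duration:30m"]},
    ],
}


def pdp_decide(attrs: Dict[str, str], resource: str, action: str,
               now: float) -> Tuple[bool, List[str]]:
    """Local PDP stand-in: first matching rule wins, default Deny."""
    hour = time.gmtime(now).tm_hour
    for rule in POLICY.get(resource, []):
        if rule["action"] != action:
            continue
        if not all(attrs.get(k) in allowed for k, allowed in rule["require"].items()):
            continue
        lo, hi = rule.get("hours", (0, 24))
        if not lo <= hour < hi:
            continue
        return True, list(rule["obligations"])
    return False, []


def authz_request(token: str, resource: str, action: str,
                  now: Optional[float] = None) -> Tuple[bool, List[str]]:
    """AuthzRequest(SSOToken): Boolean (+obligations). Attributes are taken
    from the token here; with eduGAIN they would come from the home BE."""
    now = time.time() if now is None else now
    if not authn_request(token, now):
        return False, []  # an invalid token never reaches the PDP
    return pdp_decide(_payload(token)["attrs"], resource, action, now)


NOW = 1_699_956_800  # constructed instant, 10:13:20 UTC (inside the 8-20 window)

if __name__ == "__main__":
    tok = issue_token("idp.home.invalid", "alice", {"affiliation": "staff"}, now=NOW)
    print(authn_request(tok, NOW), authz_request(tok, "sip:external-call", "invite", NOW))
```

Two points the ordering enforces: the tag is checked before any field of the body is trusted, so an attacker-controlled "exp" cannot extend a forged token, and a token the BE rejects yields Deny with no obligations, so the proxy has nothing to act on.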

Page 17

• SIP allows the extension of standard messages
  ◦ Extension Service Instruction
• Authentication methods have already been proposed in other works
• BE-API valid for other services?
• Compliant with other SAML/SIP proposals (Tschofenig)
• Security of the token
  ◦ alice to R-SIP Registrar
  ◦ SIP/SSL, IPsec, token encryption

Page 18

backup

Page 19

Page 20

[Figure: sequence diagram "Network authentication" in eduroam with DAMe, across Home Institution and Remote Institution. Participants: End User, NAP, RADIUS servers, eduGAIN BEs, IdP (Authn, Attrib.), PDP (AuthZ Engine). Messages shown: EAPOL and EAP over RADIUS; SAML Request AttributeQuery (handle); SAML Response AttributeStatement (attributes); SAML Request XACMLAuthzDecisionQuery carrying an XACML Request (handle, resource, action, evidence, attributes); SAML Response XACMLAuthzDecisionStatement carrying an XACML Response (result, obligations); LDAP SearchRequest(uid: handle, action, resource) / SearchResult(obligations); translate obligations; Access-Accept (with handle); ACCESS-ACCEPT + properties; EAP-SUCCESS. Policy: XACML Resource Access Policy. Transports labelled RADIUS / EAP, SOAP, LDAP and federation specific.]

Page 21

[Figure: web SSO with eduToken. Participants: User; User's Device (Supplicant, Token Manager, uSSO Client, Browser with Java plugin, Token Fetcher Applet); Service Provider Domain (NAP, SP, R-BE (token-enabled), WAYF). Messages shown: Network authentication (PEAP); Receive eduToken; Encrypt and store eduToken (RMI); Request Access; Redirect to WAYF; Select "via eduToken"; Redirect; Fetch eduToken; Decrypt eduToken; Return eduToken; POST eduToken; Validate eduToken; Create Assertion; Send Assertion; Grant Access. Transport labelled HTTPS throughout.]