AA Systems
Do you like to puzzle?
1st EuroCAMP - Turin, March 3rd, [email protected]
EuroCAMP 2005, Torino
Roadmap
• Drivers for an AAI
• The pieces of the puzzle: network and application access, login, authentication, authorisation, identity management
• Assessments of current AA systems
• Federations
• Standards
• Homework
Why AAI? Personalised service provisioning!
Why AAI? Educational mobility!
Why AAI? Network mobility!
Why AAI? Reduce the digital key ring!
Ingredients of an AAI
[AAI puzzle diagram: Network, Login, (web) Application, Authentication, Authorisation, Administration]
Network access: roaming
Network access: user-controlled light paths
[diagram: Application / AAA / Broker stacks for SURFnet6, NetherLight, OMNInet and Starlight; Services and AAA per domain, UDDI/WSIL, A-Select token]
Application access: centralise intelligence
Login server: intermediary between application and AA
Authentication: user perspective
Authentication: choose your own method
• IP address
• Username / password
  – LDAP
  – RADIUS
  – SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
Authorisation: policy engines
Authorisation: 3 scenarios
1. Authentication = authorisation
2. Identity plus a few attributes
3. Privacy-preserving negotiation about attributes to be exchanged
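The three scenarios as a toy policy engine, added here as an example and not taken from the talk or from any real AAI product; the user, the attribute names, the service names and the release policy are all constructed.

```python
# Toy policy engine for the three authorisation scenarios on the slide
# (constructed example; not code from the talk or from any real AAI product).

# Constructed identity data: what an identity provider knows about a user,
# and which attributes that user has consented to release to each service.
USER_ATTRIBUTES = {"uid": "alice", "affiliation": "student",
                   "homeOrg": "example.edu", "dateOfBirth": "1990-01-01"}
RELEASE_POLICY = {"library": {"affiliation", "homeOrg"},
                  "campus-wifi": {"uid", "affiliation"}}


def authorise_authenticated(session):
    """Scenario 1: authentication = authorisation. Any logged-in user is allowed."""
    return session is not None and session.get("authenticated") is True


def authorise_attributes(session, required):
    """Scenario 2: identity plus a few attributes.
    required maps an attribute name to the set of values that grant access;
    a missing attribute never matches, and an empty 'required' reduces to scenario 1."""
    if not authorise_authenticated(session):
        return False
    attrs = session.get("attributes", {})
    return all(attrs.get(name) in values for name, values in required.items())


def negotiate_release(requested, release_policy, service, user_attributes):
    """Scenario 3, identity-provider side: release only the requested attributes
    that the user's policy allows for this service, and report what was withheld."""
    allowed = release_policy.get(service, set())
    released = {name: user_attributes[name] for name in requested
                if name in allowed and name in user_attributes}
    withheld = sorted(set(requested) - set(released))
    return released, withheld


def authorise_negotiated(requested, release_policy, service, user_attributes, required):
    """Scenario 3, service-provider side: decide on the released subset only.
    If a required attribute was withheld, the answer is a denial, never a guess."""
    released, withheld = negotiate_release(requested, release_policy, service, user_attributes)
    session = {"authenticated": True, "attributes": released}
    return authorise_attributes(session, required), withheld


if __name__ == "__main__":
    need_member = {"affiliation": {"student", "staff"}}
    print(authorise_authenticated({"authenticated": True}))
    print(authorise_attributes({"authenticated": True, "attributes": USER_ATTRIBUTES}, need_member))
    print(authorise_negotiated(["affiliation", "dateOfBirth"], RELEASE_POLICY,
                               "library", USER_ATTRIBUTES, need_member))
```

The library service asks for a date of birth it has no consent for, so the identity provider withholds it, and the service still reaches a decision on the affiliation it did receive.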
Authorisation: privilege management
Administration: identity management
• How to record the identities, credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together
• It's the underlying basis for an AAI!
• …and it's a hype…
• But since yesterday you know this all
Cross-domain AA: federations
Cross-domain AA: ingredients
• Policies (e.g. InCommon):
  – Federation Operating Practices and Procedures
  – Participant Agreement
  – Participant Operating Practices
• Technologies:
  – PKI
  – Schemas
Quick assessment of current AA systems
• Web login (authentication) systems
  – A-Select, CAS, Cosign, Pubcookie
  – Portal products (Oracle, SiteMinder, Sun One, uPortal)
• Authorisation systems
  – Athens, FEIDE, PAPI, PERMIS, Shibboleth, SPOCP
  – Portal products
Web login systems (A-Select, CAS, Cosign, Pubcookie)
[AAI puzzle diagram]
Authorisation: Athens
[AAI puzzle diagram]
Authorisation: PAPI
[AAI puzzle diagram]
Authorisation: PERMIS, SPOCP
[AAI puzzle diagram]
Portal products: Oracle, SiteMinder, Sun One, uPortal
[AAI puzzle diagram]
Authorisation: Shibboleth
[diagram: Group A, Group B]
What about… standards?
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Web services (SOAP, XML RPC, WSDL, WS-*)
• SAML
• For federations:
  – WS-Federation (Microsoft, IBM)
  – SAML (OASIS: 150 companies, Internet2)
  – Liberty Alliance (Sun, 170 companies)
And the future…?
• Converging or dominant standard(s)
  – Means better interoperability between the pieces of the puzzle
• Universal single sign-on across network and application domain
  – Convergence of EduRoam and weblogin services
  – Including non-web-based applications
Homework: manage your identities!
Homework: start building an AAI!
[AAI puzzle diagram: Network, Login, (web) Application, Authentication, Authorisation, Administration]
References
• Identity Management
• EduRoam
• A-Select weblogin
• Privilege Management
• Intro on federations
• Internet2 Federation
• Swiss Federation
• End-to-end diagnostics
Thank you! Questions?