Date posted: 19-Dec-2015
Do you like to puzzle?
…build an AA Infrastructure!
DELAMAN Access Group Workshop
November 30th, 2004
Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle:
– network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
Authentication and Authorisation Infrastructure (AAI)
The Authentication and Authorisation Services, the components for Identity and Privilege Management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.
Network access: RADIUS proxy hierarchy
[Diagram: three tiers of RADIUS servers. Organisational RADIUS Servers (A, B, C) connect to National RADIUS Proxy Servers, which connect to European RADIUS Proxy Servers.]
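The slide shows the three tiers but not how a request finds its way between them. The following is an added example (not from the slides or from any RADIUS implementation): it models realm-based forwarding, where each server looks at the realm part of the User-Name (user@realm) and either answers locally, hands the request to a child it knows is responsible, or passes it up to its parent. Server names, realms and the hierarchy are constructed; the loop guard and the rule that a national proxy rejects unknown realms in its own zone instead of forwarding them upward are assumptions about sensible proxy behaviour.

```python
"""Realm-based forwarding in a three-tier RADIUS proxy hierarchy (added example).

Models how an organisational server, a national proxy and a European proxy
decide where an Access-Request for 'user@realm' goes. All names are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusServer:
    name: str
    tier: str                                   # "organisational", "national", "european"
    local_realms: set = field(default_factory=set)   # realms served by this organisation
    authority: Optional[str] = None             # suffix a national proxy is authoritative for
    children: dict = field(default_factory=dict)     # realm suffix -> RadiusServer
    parent: Optional["RadiusServer"] = None


def split_realm(user_name: str) -> tuple:
    """Return (user, realm); rejects names without exactly one '@' or with empty parts."""
    if user_name.count("@") != 1:
        raise ValueError("User-Name must contain exactly one '@'")
    user, realm = user_name.split("@")
    if not user or not realm:
        raise ValueError("empty user or realm")
    return user, realm.lower()


def route(server: RadiusServer, user_name: str, hops: list | None = None) -> list:
    """Return the servers the request passes through, ending at the home server."""
    hops = [] if hops is None else hops
    if server.name in hops:                     # guard: a request must never revisit a proxy
        raise LookupError(f"routing loop detected at {server.name}")
    hops.append(server.name)
    _, realm = split_realm(user_name)

    if realm in server.local_realms:            # home organisation reached
        return hops

    # a child responsible for this realm? longest matching suffix wins
    for suffix in sorted(server.children, key=len, reverse=True):
        if realm == suffix or realm.endswith("." + suffix):
            return route(server.children[suffix], user_name, hops)

    # a national proxy must not forward realms from its own zone upward
    if server.authority and realm.endswith("." + server.authority):
        raise LookupError(f"realm {realm!r} unknown in zone {server.authority!r}")

    if server.parent is None:
        raise LookupError(f"no route for realm {realm!r}")
    return route(server.parent, user_name, hops)


def build_hierarchy() -> dict:
    """Constructed hierarchy: one European proxy, two national proxies, three organisations."""
    eu = RadiusServer("eu-proxy", "european")
    nl = RadiusServer("nl-proxy", "national", authority="nl", parent=eu)
    de = RadiusServer("de-proxy", "national", authority="de", parent=eu)
    eu.children = {"nl": nl, "de": de}
    org_a = RadiusServer("org-a", "organisational", {"uni-a.nl"}, parent=nl)
    org_b = RadiusServer("org-b", "organisational", {"uni-b.nl"}, parent=nl)
    org_c = RadiusServer("org-c", "organisational", {"uni-c.de"}, parent=de)
    nl.children = {"uni-a.nl": org_a, "uni-b.nl": org_b}
    de.children = {"uni-c.de": org_c}
    return {"org-a": org_a, "org-b": org_b, "org-c": org_c, "nl": nl, "de": de, "eu": eu}


if __name__ == "__main__":
    servers = build_hierarchy()
    for name in ("alice@uni-a.nl", "bob@uni-b.nl", "carl@uni-c.de"):
        print(name, "->", " > ".join(route(servers["org-a"], name)))
```

A visiting user from uni-c.de authenticating at organisation A thus travels org-a > nl-proxy > eu-proxy > de-proxy > org-c; the credentials are only ever verified at the home server, which is why the trust between the tiers (shared secrets or TLS between each pair of servers) is the security-critical part of the hierarchy.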
Network access: User-controlled light path provisioning
[Diagram: applications at SURFnet6, NetherLight, OMNInet and Starlight, each with its own Broker and AAA services; services are listed via UDDI/WSIL and an A-Select token is passed to the network.]
Authentication: choose your own method (and strength)
• IP address
• Username / password
– LDAP / Active Directory
– RADIUS
– SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …
Authentication: solutions for web environments
• Web Initial Sign-on (WebISO)
– A-Select, SURFnet
– CAS, Yale
– Cosign, Michigan
– Distauth, UC Davis
– eIdentity Web Authentication, Colorado State
– PAPI, RedIRIS
– Pubcookie
– Web AuthN/AuthZ, Michigan Tech
– WebAuth, Stanford
– ... etcetera ...
Authorisation: 3 scenarios
1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about the attributes to be exchanged (‘ideal and upcoming’)
Administration: Identity Management
• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It’s the underlying basis for an AAI;
• …and it’s a hype…
Administration: Identity Management - layers example
[Diagram of layers, top to bottom:]
• Admin. layer: SAP/HR, Local Admin
• Directory layer: LDAP, ADS
• Application layer: Exchange, W2K/XP, RADIUS, CAB, Portfolio
• Network layer: 802.1x, WLAN, Dial-UP
Federations
A Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI: a Federated AAI or an AAI Federation.
Cross-domain AA: Ingredients for a federation
• Policies (e.g. InCommon* from Internet2):
– Federation Operating Practices and Procedures
– Participant Agreement
– Participant Operating Practices
• Technologies:
– Protocols / language
– Schemas
– Trust / PKI
* http://www.incommonfederation.org/
Bird’s-eye view of the Shibboleth Suite
• What is Shibboleth?
– An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user’s privacy. Trust relations are created within a federation;
• What does Shibboleth offer?
– authorisation, attribute gathering and privacy-safe transport of attributes;
• What doesn’t Shibboleth do?
– Out-of-the-box authentication; choose a WebISO (e.g. A-Select)
• Result at a protected resource after the Shibboleth process:
– user ID-x with the attributes X,Y wants access to resource Z
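The end state of the Shibboleth process is "user ID-x with attributes X,Y wants access to resource Z", which is exactly the input of the three authorisation scenarios listed earlier. The following is an added example, not from the slides and not Shibboleth's own code: it works that decision through for a resource that asks only for the attributes its policy needs (scenario 3), a home organisation that releases only what was asked for, and a resource that decides on the released values (scenarios 1 and 2). Attribute names follow the eduPerson schema (eduPersonScopedAffiliation); the resources, policies, user and scopes are constructed. The scope filter reflects a check Shibboleth-style service providers perform (a scoped value is only accepted if the asserting organisation is allowed to use that scope), here written from scratch rather than taken from any implementation.

```python
"""Attribute-based authorisation at a federated (Shibboleth-style) resource (added example).

Three steps: the resource names the attributes its policy needs, the home
organisation releases only those, and the resource filters and decides.
All policies, users and scopes below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# attributes whose values carry a scope, e.g. "student@uni-a.example"
SCOPED_ATTRIBUTES = {"eduPersonScopedAffiliation"}


@dataclass
class Policy:
    resource: str
    # attribute name -> set of acceptable values; empty dict = scenario 1 (authenticated is enough)
    required: dict = field(default_factory=dict)


def needed_attributes(policy: Policy) -> set:
    """Scenario 3: ask the home organisation only for what the policy actually uses."""
    return set(policy.required)


def release(home_attributes: dict, requested: set) -> dict:
    """Home organisation side: release requested attributes only (attribute release policy)."""
    return {name: list(values) for name, values in home_attributes.items() if name in requested}


def filter_scopes(attributes: dict, permitted_scopes: set) -> dict:
    """Resource side: drop scoped values whose scope the asserting organisation may not use."""
    cleaned = {}
    for name, values in attributes.items():
        if name in SCOPED_ATTRIBUTES:
            values = [v for v in values if "@" in v and v.rsplit("@", 1)[1] in permitted_scopes]
        cleaned[name] = list(values)
    return cleaned


def authorise(policy: Policy, user_id: str, attributes: dict) -> tuple:
    """Return (decision, reason). Every required attribute must have an acceptable value."""
    if not user_id:
        return False, "not authenticated"
    for name, accepted in policy.required.items():
        if not set(attributes.get(name, ())) & accepted:
            return False, f"{name} missing or not acceptable"
    return True, f"{user_id} may access {policy.resource}"


def decide(policy: Policy, user_id: str, home_attributes: dict, permitted_scopes: set) -> tuple:
    """Full flow: request -> release -> scope filter -> decision."""
    released = release(home_attributes, needed_attributes(policy))
    checked = filter_scopes(released, permitted_scopes)
    return authorise(policy, user_id, checked)


# constructed sample data
JOURNAL = Policy("e-journal Z", {"eduPersonScopedAffiliation": {"student@uni-a.example", "staff@uni-a.example"}})
WIKI = Policy("federation wiki")           # scenario 1: any authenticated user
HOME_ATTRS_X = {
    "eduPersonScopedAffiliation": ["student@uni-a.example"],
    "mail": ["x@uni-a.example"],           # never requested, so never released
}
SCOPES_UNI_A = {"uni-a.example"}

if __name__ == "__main__":
    print(decide(JOURNAL, "ID-x", HOME_ATTRS_X, SCOPES_UNI_A))
    print(decide(WIKI, "", {}, set()))
```

The privacy property of scenario 3 is visible in `release`: the user's mail address stays at the home organisation because the journal's policy never asked for it. The scope filter is the defender's caveat for scenario 2: an attribute value is only as trustworthy as the organisation asserting it, so a value such as staff@uni-a.example coming from an organisation that is not permitted to use the uni-a.example scope must be discarded before the policy sees it.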
E2E Middleware diagnostics: what if there’s an error?
[Diagram: Security Related Events, Middleware Related Events and Network Related Events flow into Collection and Normalization of Events and from there into a Dissemination Network.]
Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets.
E2E Middleware diagnostics: what if there’s an error?
[Diagram: Hosts 1 to 9 in an Enterprise Federation (among them a Web-App, LDAP/DNS and a User Diag App) emit Application, System or Security Events; Network Devices emit Network Events and Netflow into an Archive; General Forensics and Reporting, Network Forensics and Combined Forensics and Reporting draw on the archives.]
What about… …standards?
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Webservices (SOAP, XML RPC, WSDL, WS-*)
• SAML
• For federations:
– WS-Federation (Microsoft, IBM)
– SAML (OASIS: 150 companies, Internet2)
– Liberty Alliance (Sun, 170 companies)
What about… …developments (in the research world)?
• Australia: start with Shibboleth
• Europe: combination of Shibboleth and ‘home-grown’
• USA: Shibboleth
• European Project Geant2:
– GN2-JRA5: focus on European AAI, SSO for network and applications
• Need for:
– Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
– Universal Single Sign-On across network and application domain
– Attention to non-web-based applications
To conclude: a possible future: DELAMAN Federation based on Shibboleth?
[Diagram: the Delaman Foundation (Board of Founders, Advisory Committee, Operations Committee) runs the Central AAI Services of the Delaman Federation. Foundation Members and Foundation Partners (Institutes, Research, Universities, Libraries) appear as home organisations with their resources; Service Providers are linked by “Service subscription” and resources by “Resource registration”.]