Authentication and Authorization Infrastructure

Martin Sutter, Head of NetServices
Thomas Lenggenhager, Deputy Project Manager AAI
Christoph Graf, Head of Network Security
2005 © SWITCH
Agenda
• AAI deployment in Switzerland
• SWITCHaai key issues
• AAI & Grid
• Outlook
• EUGridPMA
Motivation for SWITCHaai
• Need for SWITCHaai spawned by Swiss Virtual Campus, a large national e-learning project.
- About 30 projects developing e-learning contents involving at least three different sites
- Authentication & Authorization not to be solved by each project individually
SWITCHaai Building Blocks
(Diagram) Building blocks: Organizational Framework, Interoperation, Identity Providers (Home Orgs), Service Providers (Resources), Central Services, Funding
Organizational Framework
• SWITCH acts as SWITCHaai Federation service provider
• Federation membership is based on signed service agreements
Interoperation
Requires agreement on technical details like
• Standards
- SAML 1.1
• Software versions (as per May 2005)
- Shibboleth 1.1 for identity providers
- Shibboleth 1.2.1 for service providers
• Accepted certificate authorities
- SWITCHpki plus Thawte, Trustcenter, VeriSign
• Attribute specification
- swissEduPerson
Interoperation: Attributes
• Criteria for attribute specification
- Start simple, extend as required
- Common understanding on interpretation
- Already widely used
- swissEduPerson
• Attribute usage by applications
- Use minimal set required
- Data protection principle
Identity Provider Integration
(Diagram) AAI-enabled Identity Provider = Authentication System + AAI + User Directory
Currently in use in SWITCHaai:
• Authentication Systems
- OpenLDAP with CAS or Pubcookie
- Kerberos AuthN with Active Directory
- Windows AuthN with IIS
• User Directory
- OpenLDAP
- Active Directory
Identity Providers in SWITCHaai
(Map) Operational AAI Identity Providers and AAI Identity Providers getting ready: University Hospital Zurich, Zurich University of Applied Sciences Winterthur, University Zurich, SWITCH, University Berne, University Fribourg, ETH Zurich, University Lucerne, Virtual Home Org, University Lausanne, University Geneva
110’000 Swiss Higher Ed users have an AAI-Account (≈ 50% of all)
Virtual Home Organization – VHO
Integrate end users without Identity Provider
- Resource owner creates ‘AAI-enabled’ accounts @VHO for users without an identity provider
- A VHO account is only usable for the resource(s) managed by the resource owner
(Diagram) VHO Service @SWITCH governed by the VHO Policy; actors: Federation Member (Identity Provider, User Dir), Resource Owner, End User, Admin, and some end users without identity provider
Types of Service Providers
(Diagram) Service provider categories: e-learning, libraries, commercial, other web applications. Examples shown: OLAT, Vista@SVC, EZproxy, WebCT@ETHZ, VITELS, Blackboard, DOIT, Moodle, AD Learn & Co, ILIAS, ScienceDirect, BSCW, Vconf-Reservation, SwissLex, TWiki, eShops, SMS-Gateway, IS-Academia, Jobs@BWI, …
50 ‘shibbolized’ servers
10’000 active AAI Users
Service Provider Example: DOIT
DOIT: Dermatology Online with Interactive Technology
(Diagram) AAI Identity Providers University Zurich, University Berne and University Lausanne → AAI Service Provider DOIT
Access Rule:
IdP = UniZH | UniBE | UniL
Affiliation = student
studyBranch = medicine
studyLevel = 15
500 AAI Users
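How a service provider would evaluate the DOIT access rule above, combined with the "release only the minimal attribute set" principle from the attributes slide, as an added example (not SWITCH or DOIT code). Attribute names, IdP identifiers and the sample users are assumptions standing in for the swissEduPerson attributes actually used.

```python
# Added example, not SWITCH/DOIT code: attribute-based access control for a
# Shibboleth service provider. Attribute names, IdP identifiers and sample
# users are assumptions/constructed data.

# The DOIT rule from the slide: every attribute must match an allowed value.
DOIT_RULE = {
    "idp": {"UniZH", "UniBE", "UniL"},   # asserting identity provider
    "affiliation": {"student"},
    "studyBranch": {"medicine"},
    "studyLevel": {"15"},
}


def release_attributes(user, requested):
    """IdP side: release only the attributes the resource requires
    (data-protection principle); anything else stays in the directory."""
    return {name: user[name] for name in requested if name in user}


def is_authorized(rule, asserted):
    """SP side, deny by default: each rule attribute must be present and at
    least one of its (possibly multiple) asserted values must be allowed."""
    for attr, allowed in rule.items():
        values = asserted.get(attr)
        if values is None:          # attribute not released -> deny
            return False
        if isinstance(values, str):
            values = [values]
        if not any(v in allowed for v in values):
            return False
    return True


def decide(rule, idp, user):
    """Full flow: IdP releases the minimal set, SP evaluates the rule. The IdP
    identity comes from the SAML issuer, never from a user-supplied attribute."""
    asserted = release_attributes(user, rule.keys() - {"idp"})
    asserted["idp"] = idp
    return is_authorized(rule, asserted)


# Constructed sample directory records (affiliation may be multi-valued).
MED_STUDENT = {"affiliation": ["member", "student"], "studyBranch": "medicine",
               "studyLevel": "15", "email": "someone@example.org"}
LAW_STUDENT = {"affiliation": "student", "studyBranch": "law", "studyLevel": "15"}
STAFF = {"affiliation": "staff"}    # no study attributes at all

if __name__ == "__main__":
    print(decide(DOIT_RULE, "UniBE", MED_STUDENT))  # True
    print(decide(DOIT_RULE, "UniGE", MED_STUDENT))  # False: IdP not in rule
    print(decide(DOIT_RULE, "UniZH", STAFF))        # False: attributes missing
```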
Integration of ‘Blackboxes’
AAIportal (open source, GPL)
• Authentication / authorization gateway
• Portal functionalities (optional)
• User management (optional)
(Diagram) Shibboleth → Sign On → AAIportal → API → Applications A1, A2, …
• Adaptors to blackbox applications:
- WebCT Vista
- WebCT CE
- …
Central AAI Services
• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating WAYF server (‘Where are you from?’)
• Testing parties (identity provider ↔ service provider)
• Jump-start service
• Virtual Home Organization
Key Issues in SWITCHaai
• Structure of SWITCHaai Federation
- Switzerland is strongly federal
→ solve problems at the lowest level
→ coordinate where useful
• AAI is more than Shibboleth
- SWITCHaai designed to be extensible
→ policies
→ federation
• SAML 2 and Shibboleth 2 will allow interoperability with other SAML based infrastructures
AAI and Grid
• SWITCHaai concept is ready for Grid integration
• Current Shibboleth version not yet Grid ready
• GridShib, an Internet2 project, links the upcoming Shibboleth 1.3 with Globus Toolkit 4.1
- first phase to be implemented by autumn 2005
- second phase to be implemented by the second half of 2006
- http://grid.ncsa.uiuc.edu/GridShib/
• Extension to other n-tier use cases possible
Outlook 2005 – 2007
• More national AAI related projects
- supported by federal grants (on matching funds)
• Non-web browser based service providers (like Grid)
• Study on AAI and ECTS
• Study on extending AAI to AAAI
- accounting, but not limited to billing
• Integration of federation partners
- resources from non-members
- other federations
http://www.switch.ch/aai
EUGridPMA
• What the EUGridPMA does
- A useful job for Grid projects (evaluating CP/CPSs)
- Impressive PR: made it into eIRG papers (together with TACAR)
• NREN perspective:
- NRENs engaging in PKIs need something similar to interwork
- But we will need more than one assurance level (Grid strength certs and basic strength certs)
• The predicted future of EUGridPMA:
- Perish: if they stay Grid-specific
- Flourish: if they become relevant beyond the Grid
• Recommendation:
- NRENs to collaborate and eventually host EUGridPMA activities
- Terena to play an important role (how about TACAR++?)