kerver

advertisement
Do you like to puzzle?
…build an AA Infrastructure!
DELAMAN Access Group Workshop
xxx
November, 30th, 2004
Bart.Kerver@SURFnet.nl
xxx
xxx
Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle;
– network and application access, login, authentication,
authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
2
Authentication and Authorisation
Infrastructure (AAI)
The Authentication and Authorisation Services,
components for Identity and Privilege
Management and the entities responsible for these
services - constitute an Authentication and
Authorisation Infrastructure.
3
Why AAI?
Personalised service provisioning
4
Why AAI?
Educational mobility
5
Why AAI?
Network mobility
6
Why AAI?
Reduce the digital key ring
X
X
X
7
Ingredients of an AAI
Network
Authentication
Authorisation
(web)Application
Login
Administration
8
Network access:
network
RADIUS proxy hierarchy
European RADIUS
Proxy Server
National RADIUS
Proxy Server
anisational
IUS Server
A
Organisational
RADIUS Server
B
European RADIUS
Proxy Server
National RADIUS
Proxy Server
Organisational
RADIUS Server
C
9
Network access:
network
User-controlled light path provisioning
A-Select
UDDI/
WSIL
token
Application
Applications
Services
AAA
Broker
SURFnet6
Services
Services
AAA
AAA
Broker
Broker
NetherLight
Application
Applications
Starlight
AAA
Broker
OMNInet
10
Application access:
applications
centralise intelligence
11
Application access:
applications
centralise intelligence
12
Login server:
intermediary between application and AA: provide SSO
login
13
Authentication:
choose your own method (and strength)
•
•
authentication
IP address
Username / password
– LDAP / Active Directory
– RADIUS
– SQL
•
•
•
•
•
•
•
Passfaces
PKI certificate
OTP through SMS
OTP through internet banking
Tokens (SecurID, Vasco, …)
Biometrics
…
14
Authentication:
authentication
solutions for webenvironments
• Web Initial Sign-on (WebISO)
– A-Select, SURFnet
– CAS, Yale
– Cosign, Michigan
– Distauth, UC Davis
– eIdentity Web Authentication, Colorado State
– PAPI, RedIRIS
– Pubcookie
– Web AuthN/AuthZ, Michigan Tech
– WebAuth, Stanford
– ... Etcetera...
15
Authorisation:
Policy engines
authorisation
16
Authorisation:
Policy engines: f.e. use ‘roles’
authorisation
17
Authorisation:
3 scenario’s
authorisation
1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about attributes to be
exchanged (‘ideal and upcoming’)
18
Administration:
Identity Management
administration
• How to record the identities (schema’s), credentials
(attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of
information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It’s the underlying basis for an AAI;
• …and it’s a hype…
20
Administration:
administration
Identity Management - layers example
Local Admin
SAP/HR
Admin. layer
Directory layer
LDAP
ADS
Exchange
Portfolio
W2K/XP
RADIUS
802.1x WLAN
CAB
Dial-UP
Application layer
Network layer
21
Presentation contents
 Drivers for an AAI;
 The pieces of the AAI-puzzle;
network and application access, login, authentication,
authorisation, identity management;
 Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
22
Federations:
Group A
Group B
A Federation is a group of organisations, whose
members have agreed to cooperate in an area
such as operating an inter-organisational AAI - a
Federated AAI or an AAI Federation.
23
Cross-domain AA:
Ingredients for a federation
Group A
Group B
• Policies (e.g. InCommon* from Internet2):
– Federation Operating Practices and Procedures
– Participant Agreement
– Participant Operating Practices
• Technologies:
– Protocols / language
– Schema’s
– Trust / PKI
* http://www.incommonfederation.org/
24
Cross-domain AA:
Federation organisational
Group A
Group B
25
Birdseye view of Shibboleth Suite
•
What is Shibboleth?
– An Internet2/MACE project than provides a framework and
technology for inter institutional authorisation for (web) resources.
A major feature is to offer authorisation without compromising the
users privacy. Trust relations are created within a federation;
•
What does Shibboleth offer?
– authorisation, attribute gathering and privacy safe transport of
attributes;
•
What doesn’t Shibboleth do?
– Out of the box authentication, choose a WebISO (f.e. A-Select)
•
Results at a protected resource after Shibboleth process:
– user ID-x with the attributes X,Y wants access to resource Z
26
Shibboleth
mapping of AAI components
Group A
Group B
27
X
E2E Middleware diagnostics:
what if there’s an error?
Group A
Group B
Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets
Dissemination Network
Collection and Normalization of Events
Middleware
Related Events
Network Related
Events
Security Related
Events
29
X
E2E Middleware diagnostics:
what if there’s an error?
Group A
Group B
Host 1
Application,
System or
Security
Events
Web-App
Archive
Host 3
Combined
Forensics
and
Reporting
Host 5
Enterprise
General
Forensics
And
Reporting
Host 6
Federation
LDAP,
DNS
Host 2
Netflow
Network
Events
Network
Devices
Host 7
Archive
and
Network
Forensics
User
Diag App
Host 8
Host 9
30
What about…
…standards?
? ?
? ?
? ?
• Currently many proprietary solutions
(sockets, cookies, redirects, …)
• Webservices
(SOAP, XML RPC, WSDL, WS-*)
• SAML
• For federations:
– WS-Federation (Microsoft, IBM)
– SAML (OASIS: 150 companies, Internet2)
– Liberty Alliance (Sun, 170 companies)
31
What about…
…developments (in the research world)?
•
•
•
Australia: start with Shibboleth
Europe: combination of Shibboleth and ‘home-grown’
USA: Shibboleth
•
European Project Geant2:
? ?
? ?
? ?
– GN2-JRA5: focus on European AAI, SSO for network and applications
•
Need for:
– Converging or dominant standard(s), means better interoperability
between the pieces of the puzzle
– Universal Single Sign-On across network and application domain
– Attention to non-web-based applications
32
References
•
•
•
•
•
•
•
•
•
Identity Management
AAI Terminology
EduRoam
A-Select weblogin
Privilege Management
Intro on federations
Internet2 Federation
Swiss Federation
End-to-end diagnostics
33
Questions ?
To conclude: a possible future:
DELAMAN Federation based on Shibboleth?
Service
Provider
Board of Founders
Service subscription
Resource registration
Delaman Foundation
Operations Committee
Foundation
Members
Advisory Committee
Central AAI Services
Foundation
Partners
Home
organisation
resource
resource
resource
Home
organisation
resource
resource
resource
resource
resource
resource
Institutes, Research, Universities, Libraries
Delaman Federation
35
Download