Разработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

Transcription

1 Разработка программного обеспечения промежуточного слоя TERENA BASNET Workshop, November 2009 Joost van Dijk - SURFnet

2 Contents - SURFnet Middleware Services department: - eduroam, SURFfederatie, DNS, DNSSEC, Certificate Service, honeyspider network, IDS, IPv6, RADIUS, edugain, Mobile PKI, OpenID, CERT,... - Today s topics: - SURFfederatie: Identity Federation for Web Single Signon - eduroam: network roaming - TCS: TERENA Certificate Service 2

3 Identity Federations for Web Single Sign-on and beyond Joost van Dijk - SURFnet 17/11/2009

4 What is Federation? 4

5 Identity Federation - Idea: - Users log in at their Identity Provider (IDP), - using their own credentials, - to access resources at Service Providers (SPs) - Identity Federation components: - (A) technical infrastructure - (B) contracts/policies - (A) can be minimal - (B) is needed for SPs to trust IDPs (and vice versa) 5 - The federation operator (eg. NREN) is a Trusted Third Party

6 Towards federation Local External Federative DB DB LDAP SP LDAP IDP LDAP SP HTTP SP SAML (HTTP) IDP HTTP B HTTP HTTP B B 6

7 Demo: google Apps

8 SAML authn request <AuthnRequest Destination=" IssueInstant=" T20:12:35.971Z" ID="..."... xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion"> <saml:issuer>sp.example.com</saml:issuer>... </AuthnRequest> 8

9 SAML authn response <Response InResponseTo="..." IssueInstant=" T09:46:55.934Z"...> <saml:issuer>idp.example.org</saml:issuer> <Status><StatusCode Value="...:Success"/></Status> <saml:assertion IssueInstant=" T09:46:55.947Z"...> <saml:issuer>idp.example.org</saml:issuer> <ds:signature>...</ds:signature> <saml:subject> <saml:nameid...>...</saml:nameid> <saml:subjectconfirmation Method="..."> <saml:subjectconfirmationdata... Recipient=" </saml:subjectconfirmation> </saml:subject> <saml:conditions NotOnOrAfter=" T09:51:55.947Z" NotBefore=" T09:41:55.947Z">... </saml:conditions> <saml:authnstatement AuthnInstant=" T09:46:55.946Z"...>... </saml:authnstatement> <saml:attributestatement...> <saml:attribute... Name="...:displayName"> <saml:attributevalue>joost van Dijk</saml:AttributeValue> </saml:attribute> </saml:attributestatement> 9 </saml:assertion> </Response>

10 Federation Architecture 1-1 n x n n + n IDP SP IDP SP IDP SP IDP SP IDP SP IDP SP IDP CFC SP 10

11 IDP Discovery Where are you from? 11

12

13

14

15 SP Metadata <EntityDescriptor... entityid=" <SPSSODescriptor...>... <AssertionConsumerService... Location=" </SPSSODescriptor> </EntityDescriptor> 15

16 IDP Metadata <EntityDescriptor... entityid=" <IDPSSODescriptor...> <KeyDescriptor> <ds:keyinfo...>... </ds:keyinfo> </KeyDescriptor>... <SingleSignOnService... Location=" </IDPSSODescriptor>... </EntityDescriptor> 16

17 Federation Metadata <EntityDescriptor... entityid='sfs.surfnet.nl' ID='...'> <ds:signature>...</ds:signature> <SPSSODescriptor...> <KeyDescriptor use='signing'> <ds:keyinfo>...</ds:keyinfo> </KeyDescriptor>... <AssertionConsumerService... Location=' </SPSSODescriptor> <IDPSSODescriptor...> <KeyDescriptor use='signing'> <ds:keyinfo>...</ds:keyinfo> </KeyDescriptor>... <SingleSignOnService Location=' </IDPSSODescriptor> </EntityDescriptor> 17

18 18 Case study:

19 SURFfederatie: Identity Providers 19

20 SURFfederatie: Service Providers 20

21 Federation Gateway IDP SURFfederation Service SP A-Select Cross A-Select Cross SAML 2.0 Gateway Shibboleth SAML 2.0 WS-Fed / ADFS WS-Fed / ADFS 21

22 Connections 8 - Federation Protocols - IDP: - SAML 2.0 (5), - ADFS (15), - A-Select (10) - SP: - SAML 2.0 (5), - Shibboleth 1.3 (5), - A-Select (3) - Federation Products - Microsoft ADFS, - Shibboleth (1/2), - A-Select, - Novell Access Manager, - simplesamlphp, - Oracle IdM, - PingFederate

23 Authentication Redirect Flow web service SP SFS IDP authentication backend browser request auth request SSO 1 request SSO 2 request LDAP/Radius/.. SSO 2 response SSO 1 response auth response access & attributes 23 (C) SURFnet B.V.

24 Experiences - Multi-protocol abilities speed up institutional deployment: fits in their home ICT environment (!= JAVA, = Microsoft) - Identity-As-A-Service: service provider issues (metadata updates, attribute release policies) are handled for IDPs - SAML 2.0 implementations are hard (specs/products/ knowledge) -> slow SP take-up - Scalability is ok: up to national level - Trust model of centralized federation is functionally equivalent to distributed federations: federationoperator is TTP (signed responses vs. signed metadata) 11

25 Future Developments - Web-services (gateway as WS-Trust STS!) - Cross-layer identity (unified SSO) - Identity-as-a-Service extensions - User Centric privacy extensions: user consent - Microsoft Geneva - SURFnet services: OpenID - Confederations: Kennisnet, EduGAIN 12

26 Key Benefits - For users: - Single Login, Single Sign-on - For IDPs: - use credentials within own domain exclusively - For SPs: - out-sourcing of authentication and authorisation based on pre-established trust 26