1 DAMe: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture
Sascha Neinert, Marseille

2 Overview
- Project Goals
- Partners
- Network Authorization
- Unified Single Sign On
3 Project Goals
1. Network Authorization
   - Further development of eduroam, the Europe-wide NREN roaming federation
   - Fine-grained network access control based on attributes, for properties of the network
2. Unified Single Sign On
   - Using eduGAIN, the European AAI confederation architecture
   - Interoperability with existing AAIs based on Shibboleth, PAPI, ...
   - Token-based authentication for web services
   - Unified Single Sign On for network, web and Grid services

4 Partners

5 Goal 1: Network Authorization

6 Network AuthZ Components
- XSupplicant: recovery and storage of the edutoken
- FreeRADIUS: request of the edutoken from the HomeBE; delivery of the edutoken using a TLV in the tunneled success message; new RADIUS attribute in the response carrying the user's handle
- LDAP_RemoteBE: receives the user's handle via LDAP; requests the user's attributes using eduGAIN; consults the PDP to get the user's network properties
- PDP: implemented as a servlet using the XACML library; using the XACML policies, decides the network properties based on the user's attributes
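The PDP step on slide 6 (attributes in, network properties out) as an added example; this is not DAMe or XACML library code. The rule shape, the eduPersonAffiliation values used as targets and the VLAN/bandwidth properties are constructed assumptions standing in for the project's XACML policies.

```python
"""Minimal attribute-based PDP modelled on slide 6 (added example, not DAMe code).

A rule's target is a set of (attribute, required value) pairs that must all be
present in the user's (multi-valued, LDAP-style) attributes. The first rule
whose target matches decides, mirroring XACML "first-applicable" combining.
A Permit rule carries the network properties the LDAP_RemoteBE returns to the
RADIUS server. Attribute values and properties below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    target: dict                 # attribute -> value that must be present
    effect: str                  # "Permit" or "Deny"
    properties: dict = field(default_factory=dict)  # returned only on Permit

    def matches(self, attrs: dict) -> bool:
        # attrs maps attribute name -> list of values (LDAP style)
        return all(v in attrs.get(k, []) for k, v in self.target.items())


# Constructed policy: a Deny rule is listed first so that it wins over any
# Permit for the same user ("suspended" is a made-up marker value).
POLICY = [
    Rule({"eduPersonAffiliation": "suspended"}, "Deny"),
    Rule({"eduPersonAffiliation": "staff"}, "Permit",
         {"vlan": 10, "bandwidth_kbps": 100000}),
    Rule({"eduPersonAffiliation": "student"}, "Permit",
         {"vlan": 20, "bandwidth_kbps": 10000}),
]


def decide(attrs: dict, policy=POLICY) -> tuple:
    """Return (decision, network_properties).

    No matching rule yields "NotApplicable" with no properties; the enforcing
    side (RADIUS/NAS) must treat that as deny so the PDP fails closed.
    """
    for rule in policy:
        if rule.matches(attrs):
            props = dict(rule.properties) if rule.effect == "Permit" else {}
            return rule.effect, props
    return "NotApplicable", {}


if __name__ == "__main__":
    print(decide({"eduPersonAffiliation": ["member", "staff"]}))
```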
7 Network AuthZ Workflow (animated workflow by University of Murcia)
Step captions recoverable from the animation, in the order given by the components on slide 6:
- The supplicant requests network access; the request is forwarded to the home RADIUS server.
- Acting as BE, this element requests the attributes; the request is validated based only on the identity of the requesting BE, using a shared key.
- The user is authenticated and an authn assertion is built using the DN; the handle is included as an attribute in the assertion.
- Based on the assertion, the edutoken is built to identify the user and is sent to the RADIUS server.
- The Access-Accept message is sent, including the edutoken, to the user through the PEAP tunnel; the supplicant stores the token and the user is notified about the success.
- The handle is used to request the network properties from the LDAP; the request is forwarded to Shibboleth and the user's attributes are recovered and sent back.
- The PDP is consulted using the user's attributes to get the network properties; the properties are sent back as an LDAP response.
- The properties are enforced and network access is granted.
8 Goal 2: Unified SSO
- Visited Domain: Access Point (802.1X); Network Access Server (RADIUS); User's Device (Supplicant + Token Client)
- eduroam confederation: Network Authentication (RADIUS/EAP/SAML)
- Home Domain: eduroam Authentication Authority (RADIUS); Attribute Authority (Shibboleth, PAPI, ...)
- edugain confederation: Web Authentication and Authorization (HTTPS/SOAP/SAML)
- Service Domain: Service Provider (Shibboleth, PAPI, ...)

9 uSSO Components
- DameTokenManager: Java client application (eduGAIN + OpenSAML libraries); receives the edutoken from the supplicant; provides the edutoken to the DameTokenFetcher
- DameTokenFetcher: signed Java applet; fetches the edutoken from the DameTokenManager; sends the edutoken to the DameTokenServlet
- DameTokenServlet: Java HttpServlet (eduGAIN + OpenSAML libraries); receives the edutoken from the DameTokenFetcher; creates Shibboleth assertions and sends them to the Service Provider, using fromsaml and toshibbolethsaml of the Shibboleth remote Bridging Element
10-15 uSSO Workflow (animated)
Actors: User's device (802.1X supplicant + DameTokenManager), Access Point, RADIUS (eduroam), Web/Grid Service + Shibboleth SP, DameTokenServlet (eduGAIN r-BE).
1. The supplicant sends username and password over 802.1X to the Access Point, which relays them to the eduroam RADIUS infrastructure.
2. RADIUS returns Access-Accept + edutoken; the DameTokenManager receives the edutoken.
3. The user enters the URL of a Web/Grid Service protected by a Shibboleth SP; authentication is needed and the user is sent to the DameTokenServlet.
4. The DameTokenFetcher fetches the edutoken from the DameTokenManager and sends it to the DameTokenServlet.
5. The DameTokenServlet validates the token and creates the assertion for the Shibboleth SP.
6. The Web/Grid Service grants access.

16 Questions?
Any questions or comments? Visit the DAMe website: see DAMe-2