DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture

Size: px

Start display at page:

Download "DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture"

Liliana Greer
8 years ago
Views:

1 DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture Sascha Neinert Marseille, , Sascha Neinert, Seite 1

2 Overview Project Goals Partners Network Authorization Unified Single Sign On, Sascha Neinert, Seite 2

3 Project Goals 1. Network Authorization Further development of eduroam, the Europe-wide NREN roaming federation Fine-grained network access control based on attributes For properties of the network 2. Unified Single Sign On Using edugain, the European AAI confederation architecture Interoperability with existing AAIs based on Shibboleth, PAPI, Token-based authentication for web services Unified Single Sign On for network, web- and Grid services, Sascha Neinert, Seite 3

access control based on attributes For properties of the network 2.

4 Partners, Sascha Neinert, Seite 4

5 Goal 1: Network Authorization, Sascha Neinert, Seite 5

6 Network AuthZ Components XSupplicant Recovery and storage of the edutoken FreeRadius Request of the edutoken from the HomeBE Delivery of the edutoken using a TLV in the tunneled success message New RADIUS attribute in the response with the user's handle LDAP_RemoteBE Receives the user's handle via LDAP Requests the user's attributes using edugain Consults the PDP to get the user's network properties PDP Implemented as a servlet and using the XACML library Using the XACML policies, decides the network properties based on the user's attributes, Sascha Neinert, Seite 6

user's handle via LDAP Requests the user's attributes using edugain Consults the PDP to get the user's network properties PDP Implemented as a

7 Animated Workflow by University of Murcia Network AuthZ Workflow The Access-Accept The properties are sent message is sent including back as an LDAP response The The the request handle network is is forwarded used properties to to request the home the Radius network Acting The PDP as BE, is consulted this element The The supplicant user requests properties to the LDAP requests using the the attributes user s attributes to get the network properties stores access The The the supplicant token properties the network are enforced and is the notified Network properties User s attributes about access the success is granted The Shibboleth request The Based An user authn is on is validated authenticated Authn assertion ARP using and The request is validated It authenticates the user and the DN Assertion based only its identity using The of the requesting BE a key shared is built using is sent the back handle handle The handle is included to edutoken with requests The as edutoken an the attribute authn is sent in assertion the to the the based Radius on the server assertion identify the user, the to user the Radius through AuthnHomeBE response the PEAP tunnel The request attributes are recovered is forwarded from the LDAP and sent to Shibboleth back, Sascha Neinert, Seite 7

attributes user s attributes to get the network properties stores access The The the supplicant token properties the network are enforced and is the notified Network properties User s attributes

8 Goal 2: unified SSO Visited Domain eduroam confederation Home Domain Access Point (802.1X) Network Access Server (RADIUS) eduroam Authentication Authority (RADIUS) User s Device (Supplicant + Token Client) Service Domain Service Provider (Shibboleth, PAPI,...) Network Authentication (RADIUS/EAP/SAML) edugain confederation edugain Web Authentication and Authorization (HTTPS/SOAP/SAML) Attribute Authority (Shibboleth, PAPI,...), Sascha Neinert, Seite 8

Client) Service Domain Service Provider (Shibboleth, PAPI,.

9 usso Components DameTokenManager Java Client Application (edugain + opensaml libraries) Receives edutoken from supplicant Provides edutoken to DameTokenFetcher DameTokenFetcher Signed Java Applet Fetches edutoken from DameTokenManager Sends edutoken to DameTokenServlet DameTokenServlet Java HttpServlet (edugain + opensaml libraries) Receives edutoken from DameTokenFetcher Create Shibboleth assertions and send to Service Provider Using fromsaml and toshibbolethsaml of Shibboleth remote Bridging Element, Sascha Neinert, Seite 9

DameTokenServlet DameTokenServlet Java HttpServlet (edugain + opensaml libraries) Receives edutoken from DameTokenFetcher Create

10 usso Workflow 802.1X Access Point RADIUS eduroam DameTokenManager Username Password, Sascha Neinert, Seite 10

11 usso Workflow 802.1X Access Point RADIUS eduroam DameTokenManager Access-Accept + edutoken, Sascha Neinert, Seite 11

12 usso Workflow 802.1X Access Point RADIUS eduroam DameTokenManager enter URL Authentication needed Web/Grid Service + Shibboleth SP DameTokenServlet (edugain r-be), Sascha Neinert, Seite 12

13 usso Workflow 802.1X Access Point RADIUS eduroam DameTokenManager enter URL DameTokenFetcher Web/Grid Service + Shibboleth SP DameTokenServlet (edugain r-be), Sascha Neinert, Seite 13

14 usso Workflow 802.1X Access Point RADIUS eduroam DameTokenManager enter URL Web/Grid Service + Shibboleth SP Validate Token Create Assertion DameTokenServlet (edugain r-be), Sascha Neinert, Seite 14

15 usso Workflow 802.1X Access Point RADIUS eduroam DameTokenManager enter URL Grant Access Web/Grid Service + Shibboleth SP DameTokenServlet (edugain r-be), Sascha Neinert, Seite 15

16 Questions? Any questions or comments? Visit the DAMe website: see DAMe-2, Sascha Neinert, Seite 16

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain

Title: A Client Middleware for Token-Based Unified Single Sign On to edugain Sascha Neinert Computing Centre University of Stuttgart, Allmandring 30a, 70550 Stuttgart, Germany e-mail: sascha.neinert@rus.uni-stuttgart.de