Licia Florio Project Development Officer Identity Federations in Europe

Transcription

1 APAN Conference Honolulu, Hawaii 24 January 2008 Licia Florio Project Development Officer Identity Federations in Europe

2 Outline Networking Organisations in Europe Requirements for Identity Federations eduroam: the first working example Overview of federations in Europe edugain and DAMe Future work

3 Networking Organisations in Europe Two major networking organisations in Europe DANTE - Delivery of Advanced Networking To Europe Ltd. Operational organisation running the pan-european network backbone and managing the project that fund the GEANT2 network TERENA Trans European Research and Education Networking Organisation Collaborative organisation promoting research and innovation in technology testing and services TERENA does not run any network!

4 European R&E Networking Commercial Networks GÉANT2 Research Network Other Continents NREN 1 NREN 2 Campus1 Regional Network Campus2 Services TERENA Task Forces EU Projects Campus1 SCS TACAR

5 Identity Federations

6 How all started in Europe Problem to solve Provide wireless access only to authenticated users On-line anywhere, anytime Requirements Identify users uniquely at the edge of the network Multiple devices to get on-line from Guest access Scalable solution Following the model authenticate local, act global Easy to install and to use Open standards

7 The granny of federations: eduroam eduroam = education roaming To provide federated network access For the institutions participating in eduroam Started in a very simple way: NRENs active in the TERENA task-force on mobility share their wireless connections eduroam technology 802.1X + RADIUS

8 Eduroam Participating Countries Eduroam in EU and APAN 500+ institutions connected

9 eduroam Today Since 2005 part of GÉANT2 Federation of national eduroam federations eduroam European policy under approval within GÉANT2 Only regulates the EU peering National policies applies at national level GÉANT2 eduroam European Service launched in September 2007 Monitoring and trouble ticketing system

10 TERENA Role in eduroam TERENA is involved in the GÉANT2 eduroam service activity Part of the operational team (OT) Website Monitoring tool RADIUS admins database eduroam trademark still belongs to TERENA

11 Beyond network access Research community requirements go beyond network access Increasing dynamics in the education system Students can access courses in other faculties Students take some course units abroad On-line courses are more common Users want to access the same services no matter where they are Grid: example of access to distributed resources More institutions dealing with the same users means: Multiple registration of users Overhead to manage guest users Increased possibility of error in managing the users records

12 Identity Federations Why Identity Federation: To enable sharing of educational resources Network (Wireless and/or not) Applications Online learning systems What is needed to set-up an Identity Federation: Require agreement on: Legal Framework and Policies Trust Technology Security Common Language Interoperability Identity Federations key element: authentication performed by user home institution authz performed by the service provider

13 Identity Federations building blocks Identity Provider (IdP) Organisation that performs the identity verification for the users For resources belonging to the federation Service Provider (SP) Service offered to the user based on the authentication provided by the Identity Provider

14 Identity Federations Model Trust Identity Provider Service Provider SAML request SAML response redirect

15 European Landscape Identity Federations (or simply federations) are being developed at national level by the NRENs: Italy, Germany, Ireland, Czech Republic starting now Different (open source) technologies are used Shibboleth: UK, Finland, Switzerland,Germany Most used technology But not the only one :-) PAPI: Spain A-Select: the Netherlands Sun Federation Manager based upon Liberty Alliance specification: Norway

16 Identity Federations Interoperability All these solutions are now inter-operable They all recognize Security Assertion Markup Language (SAML) as the standard to transfer information (assertions) among each other Today converging towards SAML2.0 edugain is the way federations communicate in Europe Inter-operability between eduroam and SAMLbased federations being worked on via DAMe project

17 edugain Problem to solve: Allow different identity federations (with different semantics too) to interoperate Solution: Translate technologies via bridging elements Translate semantics via attribute mapping definitions Create repository of all known IdPs: the edugain MetaDataService (MDS) Works like a repository to publish metadata Very lightway model

18 edugain Status edugain is currently: Pilot status Some applications are starting using it Starting to apply edugain beyond Web access like perfsonar or DAMe

19 Introducing SAML in eduroam: DAMe DAMe = Deploying Authentication Mechanisms for federated service in eduroam architecture Project funded via GÉANT2 Project started in 2006 and carried over by: University of Murcia (Spain), University of Stuttgart (Germany), DFN (German NREN), RedIRIS (Spanish NREN) DAMe first objective: Original eduroam: AuthN <=> AuthZ DAMe eduroam: AuthZ is made from AuthN (RADIUS) plus attributes (SAML)

20 DAMe New Generation DAMe now: eduroam infrastructure extended to generate (at user home institution) a signed SAML (1.1) token Token contains authn info Token stored on the user s device Token is used when user access some protected resources in other federations Via edugain

21 Plugging other technologies New technologies are coming along: OpenId (based on the user centric approach) gaining momentum In OpenId your URL is your ID URLs globally unique Users have control on the content accessed via the URL Mainly used for wikis, blogs etc The idea is to extend the national federation to support OpenId or other emerging technologies FEIDE and PAPI already support gateway to OpenId

22 TERENA support TF-EMC2 Task force on Middleware technologies in higher education TF-Mobility Task force on Mobility ECAM Steering committee for middleware activities REFEDS: Research and Education Federations Only looking at higher education federations Aim of the group: discuss technical specifications as well as policies to define procedures and guidelines to allow for interoperability of federations. First international REFEDS meeting:prague September 2007 Next REFEDS meeting: May 18, 2008 during the TERENA Conference

23 Conclusions There will not be one unique multipurpose federation Different federations to fit different communities No matter what technology as long as it is standardbased (SAML) solution Confederations are the way to bridge the various federations edugain models proves to work It is easy to plug new technologies edugain policy is under preparation In this context eduroam will become one of edugain services TERENA is much engaged to support these developments

24 Links TF-EMC2: TF-Mobility REFEDS: Survey of current federations: ECAM: DAME: eduroam: GÉANT2: