CAS's IDP system and resources in Education Cloud
DAREN ZHA
CANS2015, Chengdu
Outline
CAS's IDP system and Education Cloud introduction
Problems of interoperation
An interoperation plan
CAS's Education Cloud and users (diagram)
Headquarters: ERP, OA, Email
Education Cloud apps: Admission, Course selection, On-line courses
Institutes: each institute runs its own apps
Some services in Education Cloud
Edu Analysis
Self Learning
E-Learning Platform
Digital Course
CAS's IDP system
A cloud-based identity management system which provides services to applications and users:
Identity management (100+ institutes, 100,000+ users)
Single sign-on (100+ applications, including public services and private applications)
Authentication and authorization
Certification authority service
Characteristics
Fast deployment: cloud based
Obey security regulations: obey the security regulations of the Public Security and Cryptographic Management authorities
Low cost for investment and maintenance: no need to buy or develop new software
User privacy protection: users' private information is disclosed only to trusted applications
Multi-factor authentication: USB key, password, one-time password
Multi-level security policy: define multiple policies; an application can choose the appropriate policy
System development
Neither commercial nor open source solutions are used; all software is developed by ourselves using C++
Using Chinese cryptographic algorithms
Designed a light-weight single sign-on protocol
Application mode (diagram)
CAS public services: CSTNET services, Education Cloud services, National Science Library services...
Institute apps: Institute OA, Institute portal...
CAS critical apps: CAS ARP system, CAS email system...
External services: other universities' services, public services...
All of these connect to CAS's IDP
Details of CAS's Education Cloud (up to 2015.6)
User amount: 189,000
Active users in the past one year: 71,038
Visits in the past one year: 14,678,591
Num. of apps: 81
Course sites: 16,809
Video courses: 1349
Num. of dissertations: 184,916
The scope of application (by 2015)
Most institutes of CAS: 100+ institutes, 100,000+ users
100+ applications and services
Covers most critical applications
Problems of interoperation
Algorithm
Protocol
Security concern
Service provider configuration
Motivation
Problem 1: Algorithm
To obey the regulations of the cryptographic management authority, CAS's IDP system uses the Chinese cryptographic algorithms SM2 (signature algorithm) and SM3 (hash algorithm).
Most IDPs and service providers use common algorithms such as RSA and SHA1.
Problem 2: Protocol
To achieve low processing delay and high scalability, CAS's IDP system uses a self-designed light-weight protocol.
InCommon uses the standard protocol SAML.
Although the two protocols have similar flows and data, the data formats are different.
Problem 3: Security concern
If federated identity is achieved between CAS and InCommon, how do we prevent accidental authentication or authorization faults, and how do we mitigate the impact of these faults?
The problem is complicated because CAS and InCommon have different security policies, and how to map the policies needs to be solved first.
Problem 4: Service provider configuration
All service providers that join InCommon need to install Shibboleth and maintain the metadata.
It is not practical for many of CAS's applications to make that configuration.
Applying for and maintaining the metadata will be a big workload for operations staff.
Problem 5: Motivation
Why would users use the federated identity service? What is good for them?
Users adopt a federated identity service only if it provides more desired applications and a convenient user experience.
CAS's Education Cloud can supply some interesting education resources. From InCommon?
Interoperation plan (diagram)
An Identity Federation Gateway sits between the two federations: on the InCommon side it faces the InCommon IDPs and SPs; on the CAS side it faces the CAS IDP and the CAS apps.
Identity Federation Gateway
Acts as both IDP and SP
Supports SAML and our light-weight protocol (may support OAuth or other protocols)
Supports different algorithms: SM2/RSA/SM3/SHA1
Supports security policy mapping between CAS and InCommon
Supports strict and fine-grained access control
Provides detailed identity federation audit information
Interoperation flow (CAS user accesses InCommon SP)
1. The user logs in to the CAS IDP
2. The user accesses an InCommon SP
3. The SP redirects the request to the gateway
4. The gateway gets a token from the CAS IDP which provides the user's identity and attributes
5. The gateway provides a handle to the SP
6. The SP requests the user's attributes from the gateway
Interoperation flow (InCommon user accesses CAS app)
1. The user accesses a CAS app
2. The app redirects the request to the CAS IDP
3. The CAS IDP redirects the request to the gateway
4. The gateway acts as SP and uses the standard InCommon procedure to get the handle and attributes of the user from the InCommon IDP
5. The gateway generates an identity federation token to the CAS IDP
6. The CAS IDP generates a token to the app, which will open access to the user
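The handle-based exchange at the gateway (steps 4 to 6 of the CAS-user flow, mirrored by the gateway-as-SP step of the InCommon-user flow), as an added Python simulation that is not part of the original presentation or of the CAS system: HMAC-SHA256 stands in for the SM2/SM3 and RSA/SHA1 signatures, the key, SP identifier and release policy are constructed, and the gateway enforces the single-use, short-lived, SP-bound handle, the per-SP attribute release the privacy slide requires, and the audit trail the gateway slide lists.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-ins: HMAC-SHA256 replaces the real SM2/SM3 (CAS side) and
# RSA/SHA1 (InCommon side) signatures; the key and SP identifiers are invented.
CAS_IDP_KEY = b"constructed-cas-idp-key"
HANDLE_TTL = 60  # seconds a handle stays redeemable

# Hypothetical per-SP attribute release policy: an SP only ever sees the
# attributes it is trusted with, never the full CAS identity record.
RELEASE_POLICY = {"sp.example.edu": {"uid", "affiliation"}}

def _canonical(attrs: dict) -> bytes:
    """Deterministic byte string over all non-signature fields."""
    return "|".join(f"{k}={attrs[k]}" for k in sorted(attrs) if k != "sig").encode()

def sign_cas_token(attrs: dict) -> dict:
    """Step 4: the CAS IDP issues a signed token carrying identity + attributes."""
    return {**attrs, "sig": hmac.new(CAS_IDP_KEY, _canonical(attrs), hashlib.sha256).hexdigest()}

class FederationGateway:
    def __init__(self):
        self.handles = {}  # handle -> (sp_id, released attributes, expiry)
        self.audit = []    # every federation event, as the gateway slide requires

    def issue_handle(self, token: dict, sp_id: str, now: Optional[float] = None) -> Optional[str]:
        """Step 5: verify the CAS IDP token, then hand the SP a one-time handle."""
        now = time.time() if now is None else now
        expected = hmac.new(CAS_IDP_KEY, _canonical(token), hashlib.sha256).hexdigest()
        if sp_id not in RELEASE_POLICY or not hmac.compare_digest(expected, token.get("sig", "")):
            self.audit.append(("reject", sp_id, token.get("uid")))
            return None
        handle = secrets.token_urlsafe(16)
        released = {k: v for k, v in token.items() if k in RELEASE_POLICY[sp_id]}
        self.handles[handle] = (sp_id, released, now + HANDLE_TTL)
        self.audit.append(("handle", sp_id, token["uid"]))
        return handle

    def redeem_handle(self, handle: str, sp_id: str, now: Optional[float] = None) -> Optional[dict]:
        """Step 6: the SP trades the handle for attributes; bound to that SP, single use, expiring."""
        now = time.time() if now is None else now
        entry = self.handles.pop(handle, None)  # pop makes the handle single-use
        if entry is None or entry[0] != sp_id or now > entry[2]:
            self.audit.append(("redeem-fail", sp_id, handle))
            return None
        self.audit.append(("redeem", sp_id, entry[1].get("uid")))
        return entry[1]
```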
Motivation
CAS and PKU: open excellent courses in MOOC services, historical dissertations and other education resources to each other; provide CAS's high performance computing service to PKU scientists
CAS and InCommon: MOOC? More education services? To be discussed
Thank YOU