DAMe Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture

DAMe: Deploying Authorization Mechanisms for Federated Services in the eduroam Architecture. Sascha Neinert, Marseille, 06.02.2008, Sascha Neinert, 06.02.2008 Page 1

Overview: Project Goals, Partners, Network Authorization, Unified Single Sign On

Project Goals
1. Network Authorization
   - Further development of eduroam, the Europe-wide NREN roaming federation
   - Fine-grained network access control based on attributes, for properties of the network
2. Unified Single Sign On
   - Using edugain, the European AAI confederation architecture
   - Interoperability with existing AAIs based on Shibboleth, PAPI, ...
   - Token-based authentication for web services
   - Unified Single Sign On for network, web and Grid services

Partners

Goal 1: Network Authorization

Network AuthZ Components
- XSupplicant
  - Recovery and storage of the edutoken
- FreeRadius
  - Request of the edutoken from the HomeBE
  - Delivery of the edutoken using a TLV in the tunneled success message
  - New RADIUS attribute in the response with the user's handle
- LDAP_RemoteBE
  - Receives the user's handle via LDAP
  - Requests the user's attributes using edugain
  - Consults the PDP to get the user's network properties
- PDP
  - Implemented as a servlet and using the XACML library
  - Using the XACML policies, decides the network properties based on the user's attributes
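An added example, not code from the DAMe project: a small Python stand-in for the LDAP_RemoteBE and PDP path on this slide (handle in, attributes fetched, policy decision out). The DAMe PDP evaluates XACML policies; this version replaces XACML with a rule table using deny-overrides combining and deny-by-default. The attribute names (eduPersonAffiliation, eduPersonEntitlement), the handle values and the network properties (vlan, bandwidth_kbps) are assumptions, not values from the slides.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    effect: str        # "Permit" or "Deny", the XACML rule effects
    conditions: dict   # attribute name -> value that must be present
    properties: dict = field(default_factory=dict)  # returned on Permit

# Constructed policy standing in for the XACML policy set; attribute
# names and network properties are assumptions, not from the slides.
POLICY = [
    Rule("Deny", {"eduPersonEntitlement": "urn:example:network:blocked"}),
    Rule("Permit", {"eduPersonAffiliation": "staff"},
         {"vlan": 10, "bandwidth_kbps": 20000}),
    Rule("Permit", {"eduPersonAffiliation": "student"},
         {"vlan": 20, "bandwidth_kbps": 5000}),
]

def _matches(rule, attrs):
    # SAML attributes are multi-valued, so each value is a list.
    return all(v in attrs.get(k, []) for k, v in rule.conditions.items())

def decide(attrs, policy=POLICY):
    """PDP: deny-overrides. Any matching Deny wins, the first matching
    Permit supplies the properties, no match is NotApplicable."""
    matched = [r for r in policy if _matches(r, attrs)]
    if any(r.effect == "Deny" for r in matched):
        return "Deny", {}
    for r in matched:
        if r.effect == "Permit":
            return "Permit", dict(r.properties)
    return "NotApplicable", {}

# Constructed attribute store standing in for the edugain attribute
# request that LDAP_RemoteBE makes with the user's handle.
ATTRIBUTES_BY_HANDLE = {
    "_a1b2": {"eduPersonAffiliation": ["staff"]},
    "_c3d4": {"eduPersonAffiliation": ["student", "member"]},
    "_e5f6": {"eduPersonAffiliation": ["staff"],
              "eduPersonEntitlement": ["urn:example:network:blocked"]},
}

def properties_for_handle(handle, lookup=ATTRIBUTES_BY_HANDLE.get):
    """LDAP_RemoteBE path: handle -> attributes -> PDP decision.
    Returns the network properties on Permit, else None (refuse)."""
    attrs = lookup(handle)
    if attrs is None:          # unknown or expired handle: fail closed
        return None
    decision, props = decide(attrs)
    return props if decision == "Permit" else None
```

Note that NotApplicable is mapped to a refusal rather than to a default VLAN, so a user whose attributes match no rule gets no network properties at all.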

Animated Workflow by University of Murcia: Network AuthZ Workflow (animated diagram; its step labels are interleaved in the transcription). Recoverable step labels, in the order the components on the previous slide imply:
- The supplicant requests access; the user is authenticated through the PEAP tunnel and the request is forwarded to the home RADIUS server.
- Acting as BE, this element requests an authn assertion from the AuthnHomeBE; the request is validated and the assertion is built using the handle, based on the ARP and the DN of the requesting BE.
- The handle is included as an attribute in the assertion; the edutoken is sent back to the RADIUS server and on to the user through the PEAP tunnel, and the supplicant stores the token.
- The handle is used to request the network properties; the request is forwarded to the LDAP, the user's attributes are recovered and sent back, and the PDP is consulted to get the network properties.
- The properties are sent back as an LDAP response; the Access-Accept message is sent including the properties; the properties are enforced, the user is notified about the success and network access is granted.

Goal 2: Unified SSO (architecture diagram; labels recovered from the slide)
- Domains: Visited Domain, Home Domain, Service Domain
- eduroam confederation: Network Authentication (RADIUS/EAP/SAML)
- edugain confederation: Web Authentication and Authorization (HTTPS/SOAP/SAML)
- Components: Access Point (802.1X), Network Access Server (RADIUS), eduroam Authentication Authority (RADIUS), User's Device (Supplicant + Token Client), Service Provider (Shibboleth, PAPI, ...), Attribute Authority (Shibboleth, PAPI, ...)

usso Components
- DameTokenManager: Java client application (edugain + opensaml libraries)
  - Receives the edutoken from the supplicant
  - Provides the edutoken to the DameTokenFetcher
- DameTokenFetcher: signed Java applet
  - Fetches the edutoken from the DameTokenManager
  - Sends the edutoken to the DameTokenServlet
- DameTokenServlet: Java HttpServlet (edugain + opensaml libraries)
  - Receives the edutoken from the DameTokenFetcher
  - Creates Shibboleth assertions and sends them to the Service Provider, using fromsaml and toshibbolethsaml of the Shibboleth remote Bridging Element

usso Workflow (animated over slides 10 to 15; actors: 802.1X Access Point, RADIUS eduroam, DameTokenManager, DameTokenFetcher, Web/Grid Service + Shibboleth SP, DameTokenServlet (edugain r-be))
1. Username / Password (supplicant to 802.1X Access Point / RADIUS eduroam)
2. Access-Accept + edutoken (to the DameTokenManager)
3. Enter URL: authentication needed (Web/Grid Service + Shibboleth SP)
4. DameTokenFetcher (applet fetches the edutoken from the DameTokenManager)
5. Validate Token, Create Assertion (DameTokenServlet, edugain r-be)
6. Grant Access

Questions? Any questions or comments? Visit the DAMe website: http://dame.inf.um.es/ See you @ DAMe-2