An eduGAIN Update (PowerPoint presentation). Diego R. Lopez, RedIRIS. TF-EMC2, Utrecht.


  1. An eduGAIN Update
     Connect. Communicate. Collaborate
     Diego R. Lopez, RedIRIS
     TF-EMC2, Utrecht, December 2008

  2. What eduGAIN Offers
     • Take advantage of existing identity infrastructures
       – Easing the path to a global system
       – Keeping the federation promise
     • Oriented towards the confederation schema
       – But can support the others
     • SAML 1.1 (and soon SAML 2.0) is the lingua franca
       – Profiles for WebSSO and other scenarios
     • Software
       – Base, Conversion and Validation libraries (Java)
       – simpleSAMLphp (PHP)
       – eduGAINFilter (a javax.servlet.Filter), a.k.a. Java SP
       – Direct use of Shibboleth 2.0 being investigated

  3. eduGAIN Elements
     • The Metadata Service (MDS)
       – Updated by authorised components
       – Queried by user interfaces or autonomous services
     • PKI
       – Multi-rooted
       – Includes component identifiers
     • Identifier Registry, based on URNs
       – Unique, well-structured component identifiers
       – Delegation schema
     • Bridging Elements (BE)
       – Are the eduGAIN endpoints
       – Adapt protocols when required
       – Should we talk of different BE types?
         • BE -> Federation gateway
         • IFEP (Inter-federation endpoint) -> Direct connection to eduGAIN

  4. eduGAIN Architecture
     [Diagram: MDS, FPP, IdP, SP and BE components and their links]

  5. eduGAIN Architecture (rewritten)
     [Diagram: the same architecture with IFEPs in place of most BEs; MDS, FPP, IdP, SP, BE and IFEP components]

  6. The Current eduGAIN Architecture
     [Diagram: the architecture as currently deployed; MDS, FPP, BE, IdP and SP components]

  7. eduGAIN Profiles
     • Different clients - different profiles
       – WebSSO: Stand-alone web-based application
       – Automated Client (AC): Client without human interaction
       – Client in a Web containEr (WE): Web-based applications
       – User behind a Client (UbC): Non-web applications
     • Transmission of credentials (except in Web SSO)
       – Clients embed security tokens in their requests
       – According to the Web Services Security (WS-Security) standard

  8. The Web SSO Profile
     Message flow (User, Resource, R-BE, H-BE):
       1: User tries to access Resource
       2: R-BE redirect
       3: SSO redirect
       4: Authenticate
       5: SSO response + SAML assertion
       6: SSO response
       7: Response
     • Current status
       – Compatible with Shibboleth 1.3
       – Tested in direct connections to Shibboleth SPs
       – SAML 2.0 profile defined
       – Aligned with the SAML2 basic inter-federation profile

  9. Preparing for WebSSO
     • Select a suitable BE/IFEP and put it at the appropriate place
       – Top of your federation (BE!)
       – Co-located with your SP/IdP (IFEP)
       – As your only SP/IdP (IFEP)
     • Optionally, register with your local federation
     • Get component identifier(s)
     • Obtain a certificate containing the component identifier(s)
     • Deploy the BE/IFEP using the certificate
     • Register your metadata at the MDS

  10. Neutral Access with eduGAIN
     • The Registry controls the entities able to use it
       – Delegation supports distributed management
     • The PKI leverages X.509-based profiles
       – Information can be derived from certificate extensions
     • The MDS allows the link from credentials to attribute sources
       – Dynamic association
     • eduGAIN libraries provide an abstraction layer
       – Abstract operational model
       – Plus attribute translation if required
     • BEs/IFEPs provide identity source adaptation

  11. The AC Profile
     Message flow (Client, Resource, R-BE, H-BE):
       1: Send a request + X.509 certificate
       2: Forwards the X.509 certificate
       3: Attribute request
       4: Attribute response
       5: Returns the authR decision
       6: Sends a response
     • Unique and non-transferable ID for each client
       – URN obtained from the eduGAIN registry service
     • Certificate in the eduGAIN trust fabric
       – The Subject Alternative Name of the cert contains the URN
       – Obtained from the eduGAIN PKI
     • Authentication information is based on the X.509 certificate

  12. Preparing for AC
     • Incorporate software able to generate requests according to the profile
       – Currently, part of the perfSONAR codebase
       – Seems easy to generalize
     • Deploy and configure a BE/IFEP (H-BE) if you do not have one
       – Including registration and certificate
     • Register a URN/branch for your client(s)
       – Optionally, assign individual identifiers
     • Obtain certificate(s) containing the component identifier(s)
     • Incorporate data about the clients at your H-BE
     • Deploy the clients
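As an added illustration of the AC profile (slide 11) and of the registry, PKI and MDS roles behind it (slides 3, 10 and 12), the following Python is not eduGAIN code: it simulates the R-BE side of the exchange with an in-memory registry, MDS and H-BE client store, a placeholder URN namespace ("urn:example:edugain") and certificate SANs passed in as (type, value) pairs instead of parsed X.509.

```python
"""Simulated eduGAIN AC (Automated Client) exchange at the R-BE (steps 2-5).
Added illustration, not eduGAIN code: the registry, MDS, H-BE data and the
"urn:example:edugain" namespace are constructed placeholders; certificate
SANs are passed in as (type, value) pairs instead of parsing real X.509."""

ROOT = "urn:example:edugain"  # placeholder namespace, not the real eduGAIN one
# Constructed Identifier Registry: a federation owns a delegated branch and
# registers component identifiers beneath it (the delegation schema).
REGISTRY = {
    f"{ROOT}:example-fed": "federation branch, delegated to example-fed",
    f"{ROOT}:example-fed:ac:perfsonar-1": "automated client of example-fed",
    f"{ROOT}:other-fed": "registered branch with no H-BE published in the MDS",
}
# Constructed MDS: links a branch to the H-BE that answers attribute requests.
MDS = {f"{ROOT}:example-fed": "https://h-be.example-fed.invalid/AttributeService"}
# Constructed client data held at the H-BE ("incorporate data about the clients").
H_BE_CLIENTS = {f"{ROOT}:example-fed:ac:perfsonar-1": {"role": "measurement"}}
# Constructed SANs of a client certificate issued in the eduGAIN trust fabric.
GOOD_SANS = [("DNS", "ps1.example-fed.invalid"), ("URI", f"{ROOT}:example-fed:ac:perfsonar-1")]

def client_urn_from_san(sans):
    """Derive the client ID from the SAN: exactly one eduGAIN URN, else reject as non-unique."""
    urns = [v for t, v in sans if t == "URI" and v.startswith(ROOT + ":")]
    return urns[0] if len(urns) == 1 else None

def _branches(urn):
    """Yield the URN itself, then each ancestor branch, stopping above the root."""
    parts = urn.split(":")
    for i in range(len(parts), len(ROOT.split(":")), -1):
        yield ":".join(parts[:i])

def registered(urn):
    """Registry check: the URN or one of its ancestor branches must be registered."""
    return any(b in REGISTRY for b in _branches(urn))

def locate_h_be(urn):
    """MDS lookup: H-BE endpoint published for the closest branch of the URN."""
    return next((MDS[b] for b in _branches(urn) if b in MDS), None)

def r_be_authorize(sans, required_role="measurement"):
    """R-BE side of steps 2-5: identify client, find H-BE, get attributes, decide."""
    urn = client_urn_from_san(sans)
    if urn is None or not registered(urn):
        return False, "no registered eduGAIN URN in certificate SAN"
    if locate_h_be(urn) is None:
        return False, "no H-BE published for this branch in the MDS"
    attrs = H_BE_CLIENTS.get(urn)  # steps 3-4: attribute request / response
    if attrs is None:
        return False, "H-BE holds no data about this client"
    return attrs.get("role") == required_role, f"role={attrs.get('role')}"
```

The constructed "role" attribute stands in for whatever the H-BE actually releases; the point is that the decision rests on the registry, the MDS association and the H-BE data, not on the certificate alone.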

  13. The Current UbC Profile
     Message flow (User, Client, Resource, R-BE, H-BE, MDS):
       1: User starts some procedure
       2: SASL -> Get X.509 certificate
       3: Send a request + X.509 certificate
       4: Forwards the X.509 certificate
       5: Attribute request
       6: Attribute response
       7: Returns the authR decision
       8: Sends a response
     • Similar to AC
     • Online CA providing the certificate
     • SASL CA

  14. Preparing for UbC
     • Incorporate software able to generate requests according to the profile
       – Currently, part of the perfSONAR codebase
       – Seems easy to generalize
     • Deploy and configure a BE/IFEP (H-BE) if you do not have one
       – Including registration and certificate
     • Deploy and configure a SASL online CA
       – Including certificate
       – It must have direct access to user credentials
       – It must be able to provide a session to user attributes
     • Deploy the clients

  15. Why Current UbC Does Not Fly... And How To Fix It
     • Deployment and configuration of the SASL CA
       – Certificate... Stretches CA policy to the limit
       – User credentials... Where to locate them
       – Session to user attributes... How to establish the link
     • Use an already existing credential exchange infrastructure
       – Aligned with CA policies
       – Pervasive
       – With a profile allowing attribute retrieval
     • Hey, we have the eduroam infrastructure!
       – DAMe extensions to convey attributes
       – And RadSec to enable H-BE location

  16. The UbC Profile Revisited
     Message flow (User, Client, Resource, R-BE, H-BE):
       1: User tries to access client
       2: Authentication
       3: Get credentials + SAML assertions
       4: Sends a request + relayed-trust SAML assertion
       5: Forwards the relayed-trust SAML assertion
       6: Attribute request
       7: Attribute response
       8: Returns the authR decision
       9: Sends a response
     • Authentication protocols
       – RADIUS/RadSec, applying results from DAMe
       – HTTP Auth

  17. Preparing for New UbC
     • Incorporate software able to generate requests according to the profile
       – Can be based on the DAMe codebase
       – And the relayed-trust management library
     • Deploy and configure a BE/IFEP (H-BE) if you do not have one
       – Including registration and certificate
     • Deploy and configure a RadSec server
       – Including certificate
       – Several choices: FreeRADIUS, radsecproxy, ...
       – Enable the DAMe extensions
     • Deploy the clients

  18. The WE Profile
     Message flow (User, Client, Resource, R-BE, H-BE):
       1: User tries to access client
       2: SSO redirect
       3: Authenticate
       4: SSO response + SAML assertion
       5: Sends a request + relayed-trust SAML assertion
       6: Forwards the relayed-trust SAML assertion
       7: Returns the authR decision
       8: Sends a response
     • SAML assertions contain the user's credentials
     • Clients must have a certificate in the eduGAIN trust fabric

  19. Preparing for WE
     • Deploy an H-BE according to WebSSO requirements
     • Deploy and configure eduGAINFilter as R-BE for the client
       – Similar solutions for other environments being considered
     • Install and configure the relayed-trust software
       – In the perfSONAR codebase
       – Working on its generalization
       – Needs a specific identifier and certificate

  20. External Attribute Authorities
     Message flow (User, Client, Resource, R-BE, H-BE, AA):
       1: User tries to access client
       2: Authentication
       3: Get credentials + SAML assertions
       4: Sends a request + relayed-trust SAML assertion
       5: Forwards the relayed-trust SAML assertion
       6: Attribute request
       7: Attribute response
       8: Returns the authR decision
       9: Sends a response
     • The R-BE has a configured list of Attribute Authorities
     • The AA is connected to a set of Attribute Stores

  21. Where We Are
     • Not at service level
       – MDS, PKI and registry in operation
     • Policies being discussed
       – In use by demonstrators and perfSONAR
     • Software available
       – As RC4
       – Previous to the first official release
     • Polishing general information resources
       – www.edugain.org
     • Discussing what the service should look like
       – And how to evolve it
