CARSI: Cross University Identity Management and Resource Sharing over CERNET
Prof. PING CHEN, Peking University, Beijing, China
Feb 24th, 2011
CARSI & Peking University
Agenda
- Current IdM Situation in CERNET
- What is CARSI?
- What are we doing?
- What will we do next?
Authentication is developing.
In CERNET, most univ. are …
In CERNET, some univ. are …
In CERNET, some univ. are …
CERNET AAI situation summary
- Almost all univ. have campus-wide IdM, for the library, the campus network, MIS systems, or other applications
- Most univ. have SSO, but the scope an SSO covers differs greatly:
  - One SSO serves all kinds of applications
  - Multiple SSOs serve different classes of applications
  - Multiple SSOs use the same user database, either by accessing one physical user database or by accessing multiple synchronized physical user databases
- Not everyone likes SSO; scope is an issue
Authentication is developing. Cross-university authentication makes resource sharing possible on a much larger scale.
What is Resource Sharing?
- Resource & Sharing
  - Authentic user identity resource: shared from one univ. campus to CERNET, and on to industry
  - Application resource: built by one univ., shared with more users under control
What is CARSI? CERNET Authentication and Resource Sharing Infrastructure
- Goals:
  - To integrate university IdMs into a CERNET federation
  - To share univ. authentic user info resources over CERNET
  - To share existing protected web applications with more users
  - To help industry control, at a finer granularity, whom it serves
  - To make full use of limited univ. funds for the users with the strongest demand
  - To provide a fundamental AAI middleware for CERNET applications
  - To push new applications among universities
CARSI's short history
- Initiated in 2005, as one part of a network security project
- Extended to 4 univ. in 2008
- Extended to 30 univ. in 2010
- Until now, sponsored primarily by national research projects
What are we doing?
- A CNGI pre-commercial project spreading to 30 univ.
- Ends in June 2011
- Topic: federation-wide campus learning and living communication
- Applications include Bulletin Board Systems, blogs, library, lecture videos, learning materials, entertainment videos, job-seeking info, shopping, net disk, etc.
CARSI Components
What are we doing?
- CARSI-Fed: cross-domain federation
- CARSI-Portal
  - A web portal for federation users to log in
  - A web portal providing a resource list
- CARSI-WAYF/DS: where are you from, directory service
- CARSI-Person: CARSI User Attribute Specification
  - CARSI-Uid (universal user identity): localid@domainid
- CARSI-IdP: Shibboleth IdP +
- CARSI-SP: Shibboleth SP +
CARSI Workflow
Way 1:
- 1. Portal login -> 2. select application from resource list -> 3. visit web application -> 4. visit other applications, SSO
Way 2:
- 1. visit a web application -> 2. redirected to portal to login -> 3. visit application -> 4. visit other applications, SSO
Shibboleth Workflow (referenced from SWITCH)
CARSI Workflow – Way 1 Demo
What are we doing? FPR, VRD, OpenIdP
- CARSI FPR: Federation Provider Registry
  - A system for federation members to manage their IdP/SP
  - Role-based administrator management: FedAdmin, OrgAdmin, IdPAdmin, SPAdmin
  - IdP/SP management based on policy
- CARSI VRD: Virtual Resource Directory
  - A list of shared web applications
  - Synchronized with FPR-registered SPs
  - Classified and exhibited for user access
- CARSI-OpenIdP
  - An open identity provider
  - Free registration
What are we doing? FIVA: Federation Inter-visit Analysis
- Goal: How many and what kind of influences does cross-domain AAI bring to users (IdP) and applications (SP)? How is cross-domain AAI being used? What are users' usage habits?
- Methods:
  - Federation log recording, aggregating and analysing: IdP log, SP log, DS log, etc.
  - Resource sharing statistics
    - Based on IdP: how many IdP users visit other-domain applications, their usage behaviour, etc.
    - Based on SP: which domain and what kind of users visit it, what is the peak visiting time, etc.
  - User behaviour and action tracking
    - Tracing a user's visiting sequence
    - Which visiting sequence is adopted more?
    - How does cross-domain AAI benefit them?
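The FIVA statistics above, as an added example that is not CARSI's own code. It assumes a simplified SP-side access-record format (one line per visit: ISO timestamp, CARSI-Uid in the localid@domainid shape from the deck, the SP owner's domainid, and the application name) and uses constructed sample lines; it computes the IdP-side count of users visiting other-domain applications, the SP-side breakdown of visiting domains, and which per-user visiting sequence is adopted most.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed SP-side access records (not real CARSI logs); the line format is an assumption.
SAMPLE_LOG = """\
2011-02-24T09:05:12 uid=alice@pku.edu.cn sp_org=tsinghua.edu.cn app=library
2011-02-24T09:07:40 uid=bob@pku.edu.cn sp_org=pku.edu.cn app=bbs
2011-02-24T09:20:03 uid=alice@pku.edu.cn sp_org=pku.edu.cn app=bbs
2011-02-24T10:02:51 uid=carol@tsinghua.edu.cn sp_org=pku.edu.cn app=bbs
2011-02-24T10:15:30 uid=bob@pku.edu.cn sp_org=tsinghua.edu.cn app=library
2011-02-24T14:45:09 uid=dave@fudan.edu.cn sp_org=pku.edu.cn app=bbs
2011-02-24T14:46:00 uid=dave@fudan.edu.cn sp_org=tsinghua.edu.cn app=library
this line is malformed on purpose and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) uid=(?P<local>[^@\s]+)@(?P<dom>\S+) sp_org=(?P<sp_org>\S+) app=(?P<app>\S+)$")

def parse(log_text):
    """Parse records into dicts; malformed lines are skipped rather than aborting the analysis."""
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["cross_domain"] = e["dom"] != e["sp_org"]  # user's domainid differs from the SP owner's
        events.append(e)
    return events

def cross_domain_users_per_idp(events):
    """IdP view: how many distinct users of each domain visited other-domain applications."""
    users = defaultdict(set)
    for e in events:
        if e["cross_domain"]:
            users[e["dom"]].add(e["local"])
    return {dom: len(u) for dom, u in users.items()}

def visitor_domains_per_sp(events):
    """SP view: which user domains visit each application, and how many visits each made."""
    visitors = defaultdict(Counter)
    for e in events:
        visitors[e["app"]][e["dom"]] += 1
    return {app: dict(c) for app, c in visitors.items()}

def visiting_sequences(events):
    """User view: the order of applications each user visited, counted across all users."""
    seq = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        seq[(e["local"], e["dom"])].append(e["app"])
    return Counter(tuple(s) for s in seq.values())
```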
What are we doing? IdP + Local IdM
- Two ways are mainly used:
  - IdP + local SSO
  - IdP + customized local authentication interface + authentic user database
What are we doing? IdP + Local SSO
What are we doing? IdP + Local SSO: What happens if an app supports both SSO & SP?
What are we doing? IdP + Local SSO: What happens if another federation is a CARSI SP?
What are we doing? IdP + CLAI + AUDB (customized local authentication interface + authentic user database)
What are we doing? SP + Application
- Current situation:
  - CARSI candidate applications have different authn and access control requirements and implementation approaches.
  - Resource diversity increases the difficulty of CARSI federation integration.
- Goal:
  - To simplify the migration of an application into the federation with no or little code modification.
Applications: Before joining CARSI Fed
- Some apps required authn with simple or no authr policies.
- Some apps already had authn and authr policies implemented in modules loosely coupled with the application logic.
- Some apps already had authn and authr policies dispersed throughout the application code, difficult to separate out.
- Some apps supported some kind of campus-wide identity management.
- Some apps were planning to enforce access control.
- Some had already been shibbolethed.
CARSI Web Application Classification

Class                                  | Authn required | Authr required | Authn impl.         | Authr impl.
AOA – Authn-only App                   | Yes            | No             | CARSI               | no
FAA – Fed Attribute-relying App        | Yes            | Yes            | CARSI               | Application
AAIA – Authn & Authr Independent App   | Yes            | Yes            | CARSI               | CARSI
AAEA – Authn & Authr Embedded App      | Yes            | Yes            | CARSI & Application | Application
CARSI Web Application Classification (same classes, named as resources)

Class                                  | Authn required | Authr required | Authn impl.         | Authr impl.
AOR – Authn-only Res.                  | Yes            | No             | CARSI               | no
FAR – Fed Attribute-relying Res.       | Yes            | Yes            | CARSI               | Application
AAIR – Authn & Authr Independent Res.  | Yes            | Yes            | CARSI               | CARSI
AAER – Authn & Authr Embedded Res.     | Yes            | Yes            | CARSI & Application | Application