Connect. Communicate. Collaborate
Identity internetworking with eduGAIN
Diego R. Lopez - RedIRIS
Confederations Federate Federations
• Same federating principles applied to federations themselves
  – Own policies and technologies are applied locally
• Independent management
  – Identity and authentication-authorization must be properly handled by the participating federations
• Commonly agreed policy
  – Links the individual federation policies
  – Coarser than the individual policies
• Trust fabric entangling participants
  – Without affecting each federation's own fabric
  – E2E trust must be built dynamically
Applying Confederation Concepts in eduGAIN
• An eduGAIN confederation is a loosely-coupled set of cooperating federations
  – That handle identity management, authentication and authorization using their own policies
• Trust between any two participants in different federations is dynamically established
  – Members of a participant federation do not know in advance about members in the other federations
• Syntax and semantics are adapted to a common language
  – Through an abstract service definition
The eduGAIN Model
[Diagram: the MDS receives Metadata Publish operations from, and answers Metadata Query operations for, the R-FPP/H-FPP and R-BE/H-BE components; AA Interactions run between them, with Resource(s) on the requesting side and Id Repository(ies) on the home side.]

An Adaptable Model
[Diagram: "From centralized structures..." - a single MDS, one FPP and one BE per federation, with the federation's IdPs and SPs behind them.]

An Adaptable Model
[Diagram: "...to fully E2E ones..." - a single MDS, with a BE attached directly to every IdP and SP.]

An Adaptable Model
[Diagram: "...including any mix of them" - a single MDS, with some federations using an FPP and shared BEs and others attaching a BE directly to each IdP and SP.]
Component Identifiers
• eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
• Based on URNs delegated by the eduGAIN registry to the participating federation
• Identifiers establish the kind of component they apply to by means of normalized prefixes
• Identifiers follow the hierarchy of the trust establishing process
The (X.509) Trust Fabric
• Validation procedures include
  – Normal certificate validation
    • Trust path evaluation, signatures, revocation, ...
  – Peer identification
    • Certificates hold the component identifier
    • It must match the appropriate metadata
• Applicable to
  – TLS connections between components
    • Two-way validation is mandatory
  – Verification of signed XML assertions
eduGAIN Trust Framework
[Diagram: the eduGAIN Certificate Policy governs the eduGAIN SCA and the accredited CAs (Acc CA1 ... Acc CAN); the eduGAIN Name Registry assigns component identifiers (CId) of the form urn:geant:a:b:c:..., urn:geant:d:e:f:..., urn:geant:g:h:i:..., urn:geant:j:k:l:...; the MDS server(s) publish the corresponding metadata.]
Metadata Service
• Based on REST interfaces transporting SAML 2.0 metadata
  – Usable by non-eduGAIN components
• Metadata are published through POST operations
• Metadata are retrieved through GET operations
• URLs are built as MDSBaseURL/FederationID/entityID?queryString
  – Using component names
  – The query string transports data intended to locate the appropriate home BE (Home Locators)
    • Hints provided by the user
    • Contents of certificate extensions (SubjectAlternateName, SubjectInformationAccess)
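The three slides above describe how component identifiers hang off a federation's delegated URN, how MDS URLs are composed from FederationID and entityID, and that the identifier carried in a peer's certificate must match the metadata. The following is an added example, not eduGAIN project code: it builds and parses MDS URLs in the stated shape and performs the identifier-matching part of peer identification. The registry namespace `urn:geant:edugain` and the federation id `fed-a` are constructed for the example, since the slides show only `urn:geant:a:b:c:...` style URNs.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# Constructed namespace root: the slides only show "urn:geant:a:b:c:..." style
# URNs, so the exact registry layout used below is an assumption for the example.
REGISTRY_ROOT = "urn:geant:edugain"


def delegated_prefix(federation_id: str) -> str:
    """URN prefix the eduGAIN registry delegates to one federation (assumed layout)."""
    return f"{REGISTRY_ROOT}:{federation_id}"


def identifier_in_hierarchy(component_id: str, federation_id: str) -> bool:
    """A component identifier must sit strictly below its federation's delegated URN."""
    prefix = delegated_prefix(federation_id) + ":"
    return component_id.startswith(prefix) and len(component_id) > len(prefix)


def build_mds_url(base_url: str, federation_id: str, entity_id: str,
                  home_locators: Optional[Dict[str, str]] = None) -> str:
    """MDSBaseURL/FederationID/entityID?queryString, with URN colons percent-encoded
    so the entityID stays a single path segment."""
    url = f"{base_url.rstrip('/')}/{quote(federation_id, safe='')}/{quote(entity_id, safe='')}"
    if home_locators:
        url += "?" + urlencode(home_locators)  # Home Locator hints, e.g. cid=<URN>
    return url


def parse_mds_url(url: str) -> Tuple[str, str, Dict[str, str]]:
    """Recover (FederationID, entityID, home-locator hints) from an MDS URL."""
    parts = urlsplit(url)
    segments = [unquote(s) for s in parts.path.strip("/").split("/")]
    if len(segments) != 2 or not all(segments):
        raise ValueError(f"malformed MDS path: {parts.path!r}")
    hints = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return segments[0], segments[1], hints


def peer_identity_matches(cert_component_id: str, metadata_entity_id: str,
                          federation_id: str) -> bool:
    """Peer identification step from the trust-fabric slide: the identifier the
    certificate carries must equal the metadata entityID, and that identifier must
    lie under the federation whose metadata was retrieved. Trust path, signature
    and revocation checks precede this step and are not modelled here."""
    return (cert_component_id == metadata_entity_id
            and identifier_in_hierarchy(metadata_entity_id, federation_id))
```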
A General Model for eduGAIN Interactions
[Diagram: the Requester (urn:geant2:...:requester, in front of a Resource) queries the MDS at https://mds.geant.net/ with ?cid=someURN and receives an <EntityDescriptor entityID="urn:geant2:..:responder"> containing <SingleSignOnService Location="https://responder.dom/"/>. Over a mutually validated TLS channel it then sends a <samlp:Request RequestID="e70c3e9e6…" IssueInstant="2006-06…"> to the Responder (urn:geant2:...:responder, in front of an Id Repository), which answers with a <samlp:Response ResponseID="092e50a08…" InResponseTo="e70c3e9e…">.]
The eduGAIN APIs: Trust Evaluation
[Diagram: eduGAINVal, backed by a Configuration, a Key Store and a Trust Store, answers "Is this trust material (cert/signature) valid? Does it correspond to component X?" with "Valid/not valid; corresponds to component X", signs a piece of data on request, and returns which trust material to use for connecting.]

The eduGAIN APIs: Metadata Access
[Diagram: eduGAINMeta, backed by a Configuration and using eduGAINVal, publishes metadata through an MDS server and returns the publishing result, answers "Which component(s) can be queried to retrieve data about someone with these Home Locators?" with component metadata, and serves "Give me metadata about this part of eduGAIN" from eduGAIN Metadata.]

The eduGAIN APIs: Abstract Service
[Diagram: eduGAINBase, backed by a Configuration and using eduGAINMeta and eduGAINVal, creates and manipulates abstract service objects (ASOs), transforms an ASO to/from the wire protocol element, and sends an ASO (AuthN/Attr/AuthR) request in the Vanilla profile, returning the corresponding ASO response.]

The eduGAIN APIs: Profile Access
[Diagram: the eduGAIN Profile API, backed by a Configuration and using eduGAINBase, eduGAINMeta and eduGAINVal, answers "Is this AuthN/Attr material valid?" with Valid/not valid, provides data from the requester, creates or modifies a security token, and answers "Should this request be authorized?" with an authorization response.]
eduGAIN Profiles
• Oriented to
  – Enable direct federation interaction
  – Enable services in a confederated environment
• Four profiles discussed so far
  – WebSSO (Shibboleth browser/POST)
  – AC (automated client: no human interaction)
  – UbC (user behind non-Web client: use of SASL-CA)
  – WE (WebSSO enhanced client: delegation)
• Others envisaged
  – Extended Web SSO (allowing POST data to be sent)
  – eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
  – Mapping to SAML 2.0 profiles along the transition period
The WebSSO Profile
[Diagram not reproduced in the text extraction.]

The AC Profile
[Diagram not reproduced in the text extraction.]

The UbC Profile
[Diagram not reproduced in the text extraction.]

The WE Profile
[Diagram not reproduced in the text extraction.]
Where We Are
• Several eduGAIN enabled resources already available using WebSSO
  – Eight federations already participating
• Moving into pilot service
  – Registry + PKI + MDS
• Other profiles already demonstrated
  – Network monitoring (PerfSONAR)
  – Bandwidth-on-demand (AutoBAHN)
• Waiting for you to join
  – It ain't difficult