Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS - PowerPoint PPT Presentation



  1. Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS

  2. Confederations Federate Federations
     • Same federating principles applied to federations themselves
       – Own policies and technologies are locally applied
     • Independent management
       – Identity and authentication-authorization must be properly handled by the participating federations
     • Commonly agreed policy
       – Linking individual federation policies
       – Coarser than them
     • Trust fabric entangling participants
       – Without affecting each federation’s fabric
       – E2E trust must be dynamically built

  3. Applying Confederation Concepts in eduGAIN
     • An eduGAIN confederation is a loosely-coupled set of cooperating federations
       – That handle identity management, authentication and authorization using their own policies
     • Trust between any two participants in different federations is dynamically established
       – Members of a participant federation do not know in advance about members in the other federations
     • Syntax and semantics are adapted to a common language
       – Through an abstract service definition

  4. The eduGAIN Model
     [Diagram: the MDS receives Metadata Publish operations from and answers Metadata Query operations for the remote and home FPPs (R-FPP, H-FPP); the remote and home BEs (R-BE, H-BE) carry the AA Interaction between the Resource(s) and the Id Repository(ies).]

  5. An Adaptable Model
     [Diagram: "From centralized structures..." – a single MDS, with each federation's IdPs and SPs reaching the others through one FPP and BE per federation.]

  6. An Adaptable Model
     [Diagram: "...to fully E2E ones..." – the same MDS, but every IdP and SP runs its own BE and interacts end-to-end without an FPP.]

  7. An Adaptable Model
     [Diagram: "...including any mix of them" – some federations go through an FPP while other IdPs and SPs attach their own BEs directly, all sharing the MDS.]

  8. Component Identifiers
     • eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
     • Based on URNs delegated by the eduGAIN registry to the participating federation
     • Identifiers establish the kind of component they apply to by means of normalized prefixes
     • Identifiers follow the hierarchy of the trust establishing process

  9. The (X.509) Trust Fabric
     • Validation procedures include
       – Normal certificate validation
         • Trust path evaluation, signatures, revocation, …
       – Peer identification
         • Certificates hold the component identifier
         • It must match the appropriate metadata
     • Applicable to
       – TLS connections between components
         • Two-way validation is mandatory
       – Verification of signed XML assertions

  10. eduGAIN Trust Framework
     [Diagram: the eduGAIN Certificate Policy governs the eduGAIN SCA and the accredited CAs (Acc CA1 ... Acc CAN); the eduGAIN Name Registry and the MDS server(s) tie each component to its component identifier (CId), e.g. urn:geant:a:b:c:..., urn:geant:d:e:f:..., urn:geant:g:h:i:..., urn:geant:j:k:l:...]

  11. Metadata Service
     • Based on REST interfaces transporting SAML 2.0 metadata
       – Usable by non-eduGAIN components
     • Metadata are published through POST operations
     • Metadata are retrieved through GET operations
     • URLs are built as MDSBaseURL/FederationID/entityID?queryString
       – Using component names
       – The query string transports data intended to locate the appropriate home BE (Home Locators)
         • Hints provided by the user
         • Contents of certificate extensions (SubjectAlternateName, SubjectInformationAccess)
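
The following is an added example, not code from the eduGAIN project or the deck: it builds an MDS query URL of the form MDSBaseURL/FederationID/entityID?queryString described on the Metadata Service slide, and applies the peer-identification rule from the Trust Fabric slide (the component identifier in the certificate must match the entityID of the metadata, and must sit under the prefix delegated to the federation, as the Component Identifiers slide requires). The federation prefix, entity names, the `cid` hint and the percent-encoding rule are assumptions.

```python
# Added example (not eduGAIN project code). All URN values, federation names
# and hostnames below are constructed; the delegated prefix is an assumption,
# since real prefixes are assigned by the eduGAIN name registry.
import urllib.parse

FED_PREFIX = "urn:geant:example:fed-a"   # hypothetical delegated namespace


def mds_query_url(base_url, federation_id, entity_id, home_locators=None):
    """Build MDSBaseURL/FederationID/entityID?queryString for a GET.

    home_locators: optional mapping of Home Locator hints (the deck shows a
    'cid' parameter) carried in the query string to find the home BE.
    Keeping ':' unescaped inside the URN path segment is an assumption."""
    path = "/".join([
        base_url.rstrip("/"),
        urllib.parse.quote(federation_id, safe=""),
        urllib.parse.quote(entity_id, safe=":"),
    ])
    if home_locators:
        return path + "?" + urllib.parse.urlencode(home_locators)
    return path


def peer_matches_metadata(cert_san_uris, metadata_entity_id, expected_prefix):
    """Peer identification, run after normal certificate validation passed.

    The component identifier carried in the peer certificate (taken here from
    its subjectAltName URI entries) must equal the entityID of the metadata
    describing the peer and must lie under the delegated prefix the caller
    expects. Because TLS validation is two-way, each side runs this against
    the other's certificate. Returns (ok, reason) so failures can be logged."""
    urns = [u for u in cert_san_uris if u.startswith("urn:")]
    if len(urns) != 1:
        return False, "certificate must carry exactly one component URN"
    cid = urns[0]
    if not cid.startswith(expected_prefix + ":"):
        return False, "component identifier outside the delegated namespace"
    if cid != metadata_entity_id:
        return False, "certificate identifier does not match metadata entityID"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a requester locating a responder's metadata and then
    # checking the certificate presented on the TLS channel against it.
    responder = FED_PREFIX + ":be:responder"
    print(mds_query_url("https://mds.geant.net/", "fed-a", responder,
                        {"cid": responder}))
    san = ["https://responder.example/", responder]   # constructed SAN entries
    print(peer_matches_metadata(san, responder, FED_PREFIX))
```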

  12. A General Model for eduGAIN Interactions
     [Diagram: the Requester (urn:geant2:...:requester) queries the MDS at https://mds.geant.net/ with ?cid=someURN and receives an <EntityDescriptor entityID="urn:geant2:..:responder"> containing <SingleSignOnService Location="https://responder.dom/" />. Over the TLS channel(s) it sends <samlp:Request RequestID="e70c3e9e6…" IssueInstant="2006-06…"> ... </samlp:Request> to the Responder (urn:geant2:...:responder), which answers with <samlp:Response ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> ... </samlp:Response>. The Requester fronts a Resource and the Responder an Id Repository.]

  13. The eduGAIN APIs: Trust Evaluation
     [Diagram: eduGAINVal, driven by its Configuration and backed by a Key Store and a Trust Store, answers "Is this trust material (cert/signature) valid? Does it correspond to component X?" with "Valid/not valid" and "Corresponds to component X"; "Sign this piece of data" with a Signature; and "Which trust material to use for connecting" with the trust material.]

  14. The eduGAIN APIs: Metadata Access
     [Diagram: eduGAINMeta, driven by its Configuration and using eduGAINVal, answers "Publish these metadata through MDS server" with the publishing result; "Which component(s) can be queried to retrieve data about someone with these Home Locators?" with component metadata; and "Give me metadata about this part of eduGAIN" with eduGAIN metadata.]

  15. The eduGAIN APIs: Abstract Service
     [Diagram: eduGAINBase, driven by its Configuration and using eduGAINMeta and eduGAINVal, answers "Create/manipulate an abstract service object" with an abstract service object; "Transform this abstract service object to/from wire protocol" with an abstract service object or protocol element; and "Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile)" with the corresponding ASO response.]

  16. The eduGAIN APIs: Profile Access
     [Diagram: the eduGAIN Profile API, driven by its Configuration and using eduGAINBase, eduGAINMeta and eduGAINVal, answers "Is this AuthN/Attr material valid?" with Valid/not valid; "Provide data from the requester" with data; "Create/modify a security token" with a token; and "Should this request be authorized?" with an authorization response.]

  17. eduGAIN Profiles
     • Oriented to
       – Enable direct federation interaction
       – Enable services in a confederated environment
     • Four profiles discussed so far
       – WebSSO (Shibboleth browser/POST)
       – AC (automated client: no human interaction)
       – UbC (user behind non-Web client: use of SASL-CA)
       – WE (WebSSO enhanced client: delegation)
     • Others envisaged
       – Extended Web SSO (allowing the sending of POST data)
       – eduGAIN usage from roaming clients (DAMe)
     • Based on SAML 1.1
       – Mapping to SAML 2.0 profiles along the transition period

  18. The WebSSO Profile
     [Diagram only.]

  19. The AC Profile
     [Diagram only.]

  20. The UbC Profile
     [Diagram only.]

  21. The WE Profile
     [Diagram only.]

  22. Where We Are
     • Several eduGAIN enabled resources already available using WebSSO
       – Eight federations already participating
     • Moving into pilot service
       – Registry + PKI + MDS
     • Other profiles already demonstrated
       – Network monitoring (PerfSONAR)
       – Bandwidth-on-demand (AutoBAHN)
     • Waiting for you to join
       – It ain’t difficult
