Do you like to puzzle?
![Page 1: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/1.jpg)
Do you like to puzzle?…build an AA Infrastructure!
DELAMAN Access Group Workshop
November 30th, 2004
![Page 2: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/2.jpg)
2
Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle;
– network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
![Page 3: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/3.jpg)
3
Authentication and Authorisation Infrastructure (AAI)
The Authentication and Authorisation Services, the components for Identity and Privilege Management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.
![Page 4: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/4.jpg)
4
Why AAI? Personalised service provisioning
![Page 5: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/5.jpg)
5
Why AAI? Educational mobility
![Page 6: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/6.jpg)
6
Why AAI? Network mobility
![Page 7: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/7.jpg)
7
Why AAI? Reduce the digital key ring
![Page 8: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/8.jpg)
8
Ingredients of an AAI
(figure: network access, login, (web) application, authentication, authorisation, administration)
![Page 9: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/9.jpg)
9
Network access: RADIUS proxy hierarchy
(figure: Organisational RADIUS Servers A, B and C each connect to a National RADIUS Proxy Server; the national proxy servers connect to the European RADIUS Proxy Servers, so a user's network access request is relayed up and down this hierarchy)
![Page 10: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/10.jpg)
10
Network access: User-controlled light path provisioning
(figure: for each of SURFnet6, NetherLight, OMNInet and Starlight an Application talks to a Broker backed by AAA and Services; services are discovered via UDDI/WSIL; an A-Select token is presented towards the network)
![Page 11: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/11.jpg)
11
Application access: centralise intelligence
(figure: applications)
![Page 13: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/13.jpg)
13
Login server: intermediary between application and AA; provides SSO login
![Page 14: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/14.jpg)
14
Authentication: choose your own method (and strength)
• IP address
• Username / password
– LDAP / Active Directory
– RADIUS
– SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …
![Page 15: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/15.jpg)
15
Authentication: solutions for web environments
• Web Initial Sign-on (WebISO)
– A-Select, SURFnet
– CAS, Yale
– Cosign, Michigan
– Distauth, UC Davis
– eIdentity Web Authentication, Colorado State
– PAPI, RedIRIS
– Pubcookie
– Web AuthN/AuthZ, Michigan Tech
– WebAuth, Stanford
– ... etcetera ...
![Page 16: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/16.jpg)
16
Authorisation: policy engines
![Page 17: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/17.jpg)
17
Authorisation: policy engines, e.g. using 'roles'
![Page 18: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/18.jpg)
18
Authorisation: 3 scenarios
1. Authentication = authorisation ('simple')
2. Identity plus a few attributes ('commonly used')
3. Privacy-preserving negotiation about the attributes to be exchanged ('ideal and upcoming')
![Page 19: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/19.jpg)
20
Administration: Identity Management
• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It's the underlying basis for an AAI;
• …and it's a hype…
![Page 20: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/20.jpg)
21
Administration: Identity Management - layers example
(figure: Admin. layer: SAP/HR, Local Admin; Directory layer: LDAP, ADS; Application layer: Exchange, W2K/XP, RADIUS, CAB, Portfolio; Network layer: 802.1x, WLAN, Dial-UP)
![Page 21: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/21.jpg)
22
Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle;
– network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
![Page 22: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/22.jpg)
23
Federations:
A Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI - a Federated AAI or an AAI Federation.
![Page 23: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/23.jpg)
24
Cross-domain AA: ingredients for a federation
• Policies (e.g. InCommon* from Internet2):
– Federation Operating Practices and Procedures
– Participant Agreement
– Participant Operating Practices
• Technologies:
– Protocols / language
– Schemas
– Trust / PKI
* http://www.incommonfederation.org/
![Page 24: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/24.jpg)
25
Cross-domain AA: federation, organisational view (figure: Group A, Group B)
![Page 25: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/25.jpg)
26
Bird's-eye view of the Shibboleth Suite
• What is Shibboleth?
– An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user's privacy. Trust relations are created within a federation;
• What does Shibboleth offer?
– authorisation, attribute gathering and privacy-safe transport of attributes;
• What doesn't Shibboleth do?
– Out-of-the-box authentication; choose a WebISO (e.g. A-Select)
• Result at a protected resource after the Shibboleth process:
– user ID-x with the attributes X,Y wants access to resource Z
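The three authorisation scenarios and the Shibboleth result above ("user with attributes X,Y wants access to resource Z") can be modelled in a few lines. The following is an added example, not Shibboleth's own code: the home organisation releases only the attributes its policy allows for a given service provider (scenario 3), hands out a pseudonymous handle instead of the real user id, and the service provider's role-based policy engine decides from the released attributes alone. All user names, attribute names and policies are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class IdentityProvider:
    """Home organisation (Shibboleth 'origin'): holds identities and releases attributes."""
    users: dict           # user id -> full attribute set held in the directory
    release_policy: dict  # service provider id -> attribute names it may receive

    def assert_attributes(self, user_id, sp_id, requested):
        """Scenario 3: release only what the SP asks for AND the home policy allows.
        The real user id never leaves; the SP only sees a per-SP pseudonymous handle."""
        allowed = self.release_policy.get(sp_id, set()) & set(requested)
        released = {k: v for k, v in self.users[user_id].items() if k in allowed}
        handle = hashlib.sha256(f"{user_id}|{sp_id}".encode()).hexdigest()[:16]
        return {"handle": handle, "attributes": released}

@dataclass
class ServiceProvider:
    """Protected resource side (Shibboleth 'target'): a role-based policy engine."""
    sp_id: str
    required: set   # attributes the SP needs before it can decide at all
    policy: dict    # resource -> affiliations (roles) allowed to access it

    def decide(self, assertion, resource):
        attrs = assertion["attributes"]
        if not self.required <= set(attrs):        # missing attribute: fail closed
            return False
        roles = set(attrs.get("eduPersonAffiliation", ()))
        return bool(roles & self.policy.get(resource, set()))

# Constructed sample data: one home organisation and one service provider
IDP = IdentityProvider(
    users={"alice": {"eduPersonAffiliation": ["student"], "mail": "alice@example.edu"},
           "bob": {"eduPersonAffiliation": ["affiliate"], "mail": "bob@example.edu"}},
    release_policy={"archive-sp": {"eduPersonAffiliation"}},   # mail is never released
)
SP = ServiceProvider("archive-sp", required={"eduPersonAffiliation"},
                     policy={"resource-Z": {"student", "staff"}, "admin-console": {"staff"}})

def access(user_id, sp, resource):
    """Full flow: SP requests attributes, IdP releases per policy, SP decides."""
    assertion = IDP.assert_attributes(user_id, sp.sp_id, sp.required | {"mail"})
    return sp.decide(assertion, resource), assertion

if __name__ == "__main__":
    for user, res in [("alice", "resource-Z"), ("alice", "admin-console"), ("bob", "resource-Z")]:
        ok, a = access(user, SP, res)
        print(user, res, "ALLOW" if ok else "DENY", a)
```

Even though the SP asks for `mail`, the released assertion never contains it, and an SP unknown to the release policy receives no attributes at all and is therefore denied.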
![Page 26: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/26.jpg)
27
Shibboleth: mapping of AAI components (figure: Group A, Group B)
![Page 27: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/27.jpg)
29
E2E Middleware diagnostics: what if there's an error?
(figure: Security Related Events, Middleware Related Events and Network Related Events flow into Collection and Normalization of Events and on to a Dissemination Network)
Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets.
![Page 28: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/28.jpg)
30
E2E Middleware diagnostics: what if there's an error?
(figure: across Enterprise and Federation, Application, System or Security Events from Hosts 1-9, LDAP/DNS and a Web-App, plus Network Events and Netflow from Network Devices, are stored in an Archive; Network Forensics and General Forensics and Reporting are brought together as Combined Forensics and Reporting, feeding a User Diag App)
![Page 29: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/29.jpg)
31
What about… …standards?
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Webservices (SOAP, XML RPC, WSDL, WS-*)
• SAML
• For federations:
– WS-Federation (Microsoft, IBM)
– SAML (OASIS: 150 companies, Internet2)
– Liberty Alliance (Sun, 170 companies)
![Page 30: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/30.jpg)
32
What about… …developments (in the research world)?
• Australia: start with Shibboleth
• Europe: combination of Shibboleth and 'home-grown'
• USA: Shibboleth
• European Project Geant2:
– GN2-JRA5: focus on European AAI, SSO for network and applications
• Need for:
– Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
– Universal Single Sign-On across network and application domain
– Attention to non-web-based applications
![Page 31: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/31.jpg)
33
![Page 32: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/32.jpg)
Questions?
![Page 33: Do you like to puzzle?](https://reader035.fdocuments.in/reader035/viewer/2022062323/568167cb550346895ddd1a5f/html5/thumbnails/33.jpg)
To conclude: a possible future: DELAMAN Federation based on Shibboleth?
(figure: the Delaman Foundation, with a Board of Founders, an Advisory Committee and an Operations Committee, runs the Central AAI Services of the Delaman Federation; Foundation Members and Foundation Partners (institutes, research, universities, libraries) act as home organisations and service providers, each offering resources, with resource registration and service subscription through the central services)