eduroam Delegate Authentication System with Shibboleth SSO
description
Transcript of eduroam Delegate Authentication System with Shibboleth SSO
1
eduroam Delegate Authentication System with Shibboleth SSO
Hideaki Goto, Hideaki Sone Tohoku Univ. / NIIIchiro Yamaguchi, Takaaki Suzuki Tohoku Univ.
29th APAN MeetingFeb. 8-11, 2010, Sydney, Australia
2
A great challenge …
How many higher education institutionsare there in Japan?
765 universities (86 national, 90 public) 481 two-year colleges and vocational
colleges
eduroam deployment: 11 / 1200 = 0.9%
1,200+ (govt. survey in year 2008)
3
Problems A large number of institutions (1,200+) Difficulties in RADIUS deployment Laborious eduroam connection / management work
Our solutions Federated Delegate Authentication System
with centralized RADIUS server remove RADIUS IdP at each institution Federation using Shibboleth SSO simplify RADIUS tree (higher stability) solve some privacy and security issues
Web-based eduroam IdP / SP management system reduce the work at both the eduroam JP office
and each institution
4
Easy-to-join eduroam system
RADIUSIdP
RADIUSproxy
auth requests
<secret key 2>
Institution’sRADIUS server
access points
1. Delegate Authentication System (DEAS)
nationaltop-level
2. eduroam IdP/SP management web
<secret key 1>
5
Federated Delegate Authentication System
Account Issuer as a Shibboleth SP of Japan’s UPKI inter-university federation
Centralized RADIUS server to simplify the RADIUS proxy tree
3 types depending on the needs and federation level
Pseudo-anonymized, fixed-term, and traceable roaming IDs
6
Delegate Authentication System - Type I
IdM
RADIUSserver
Institutions
IdM
Manual account issue requests by administrators.
• The system can be used even without IdM.• Issuing Guest IDs is possible.
Japan’s centralizedaccount issuer
The accountis temporary and expires within 6 months.
pseudonymousaccounts
Web UI
7
Delegate Authentication System – Type II
IdM
RADIUSserver
Institutions
IdM
ID federation using Shibboleth/SAMLfor administrators only.
• Administrators can request for user accounts in bulk.• Issuing Guest IDs is possible.
Japan’s centralizedaccount issuer
pseudonymousaccount
Web UI
The accountis temporary and expires within 6 months.
8
Delegate Authentication System – Type III
IdM
RADIUSserver
Institutions
IdM
ID federation using Shibboleth/SAML
• End user can request for personal accounts only.
Japan’s centralizedaccount issuer
The accountis temporary and expires within a month.
pseudonymousaccount
9
Web-based eduroam IdP / SP management system
Application for eduroam IdP / SP connectionvia eduroam JP website Online sign-up for institutional administrator(s)
( require approval by the national admin. ) Online registration of institution data
Management console for institutions RADIUS server address and secret setting Enable or disable Self-IdP / DEAS / SP(AP)
Remote authentication self-testing (planned)
development under wayFeatures:
10
NEWS Negotiation is under way
with a commercial Wi-Fi Service ProviderWe will have hundreds of eduroam APs
in the central Tokyo !
Outsourcing campus Wi-Fi system would be a key to success of large-scale deployment.
11
Summary
Large-scale eduroam deployment in Japan-- A great challenge --
Delegate Authentication System ease eduroam deployment Federated ID issuer as a Shibboleth SP simplify eduroam network
= stabilize eduroam authentication Web-based eduroam IdP / SP management
make eduroam easy-to-join simplify connection and administration work
at the national administrative body at each institution
12
Supplementary slides
13
Problem details in large-scale deployment Difficult and laborious configurations of RADIUS /
APs at each organization. Difficulties in newly constructing an “eduroam acco
unt database” or making a RADIUS-IdM bridge for each organization.
Many universities do not have Federated IdM yet. Laborious work for institution connection.
A lot of paper work RADIUS configuration support Connection testing Troubleshooting … etc.
Impossible to deal with hundreds of institutions!
14
eduroam JP in UPKI project An activity in NII’s UPKI project
Promotion and Operation of eduroam JP 11 institutions connected (Feb. 2010)
Tutorial & technical documents R&D to solve problems
Easy configurations Guest use of local IP addresses Location privacy, etc.
Talks with commercial W-ISPsfor roaming Shared access points possible? Negotiations are under way.
15
Threats of ID/PW leakage
User ID is logged at proxy servers along the AAA path.Location privacy problem.
PW could be logged due to inappropriate configuration by the user.
Critical security breach if an important PW is used.
APRADIUS Access RequestRADIUS Access Accept / Reject
Worldwide RADIUS tree
logged
logged
logged
logged
ID database
potentialleakage