Technical Developments within the UK Access Management Federation
Copyright JNT Association 2005, 2007. www.ukfederation.org.uk
UK federation development
Access Management Transition Meeting, 30 May 2007.
Josh Howlett, UKERNA.
Overview
• Improving Discovery
• Extending our use of metadata
• Shibboleth 2.0
• Other access management products
• Inter-federation
• Integration with eduroam
Discovery
• What is the ‘discovery problem’?
– SAML 1.x
  • ‘IdP-first’ only.
  • Intended for small numbers of known partners; discovery is managed by the application.
– Shibboleth 1.x
  • Shibboleth Authentication Request Profile is ‘SP-first’.
  • Intended for large numbers of possible partners; discovery is typically managed by the WAYF service.
– WAYF issues: usability and scalability.
Discovery
• Service Provider side discovery
– Preferred approach.
– SPs know their customers.
– Shibboleth 2.0 SP will probably provide some assistance.
• Discovery service
– Enables an SP to hand over discovery to a third party.
– Potential for use of heuristics such as the IP address of the user agent.
Metadata
• What is federation metadata?
“In architecture, a keystone is the stone at the top of an arch. It is the supporting element for the entire arch — without it the arch would collapse.” – Wikipedia
– Functions
  • A directory of federation participants – where?
  • A description of their capabilities – what?
  • Establishment of technical trust – who?
Metadata
• Trust
– PKI trust (today)
  • Entity metadata gives the claimed “KeyName”.
  • The “KeyName” must match the name given in the entity’s certificate, which must be issued by a trusted CA.
– Problems
  • Trust validation is expensive and involves redundant work.
  • PKI can present difficult support problems.
  • Some SAML 2.0 features (e.g. attribute encryption) require access to entities’ public keys.
Metadata
• Trust
– Direct key operation
  • Public keys embedded directly in metadata (or wrapped within a certificate in metadata).
  • Available in Shibboleth 1.3+.
– Hybrid operation
  • Use both PKI trust and direct key.
  • Currently in testing; may be made more widely available in the future.
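To make the “where?” and “who?” functions of metadata concrete, the following is an added example covering both the Discovery slides and the Trust slides above. It is not code from the UK federation, UKERNA or the Shibboleth project. It parses a small constructed SAML 2.0 metadata document into a directory of IdPs, performs SP-side discovery from the user agent’s IP address with a WAYF fallback, and then applies the PKI, direct-key and hybrid trust rules to the certificate a peer presents. The metadata, address ranges, CA name and certificate bytes are all constructed; `PeerCert` stands in for what a real X.509 parser would return, and CA trust is modelled as an issuer-name check rather than full certificate path validation.

```python
"""Federation metadata as directory (where?) and trust anchor (who?).

Added example: not UK federation or Shibboleth code. Every document, address
range, CA name and certificate byte string here is constructed for the demo.
"""
import base64
import hashlib
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Optional

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

ALPHA_ID = "https://idp.alpha.example.ac.uk/shibboleth"
BETA_ID = "https://idp.beta.example.ac.uk/shibboleth"
# Constructed stand-in for the DER bytes of beta's self-signed certificate.
BETA_CERT_DER = b"constructed placeholder, not a real DER certificate"

# Constructed federation: alpha publishes only a KeyName (PKI trust); beta
# embeds its certificate in metadata (direct key trust, Shibboleth 1.3+).
FEDERATION_METADATA = f"""<EntitiesDescriptor xmlns="{MD}" xmlns:ds="{DS}" Name="example-federation">
  <EntityDescriptor entityID="{ALPHA_ID}">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>idp.alpha.example.ac.uk</ds:KeyName></ds:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.alpha.example.ac.uk/shibboleth-idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="{BETA_ID}">
    <IDPSSODescriptor protocolSupportEnumeration="urn:mace:shibboleth:1.0">
      <KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(BETA_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </KeyDescriptor>
      <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest"
        Location="https://idp.beta.example.ac.uk/shibboleth-idp/SSO"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

# Constructed SP-side hints: campus address range -> home IdP (the "IP address
# of the user agent" heuristic). Anything unmatched falls back to the WAYF.
IP_HINTS = [("192.0.2.0/24", ALPHA_ID), ("203.0.113.0/24", BETA_ID)]
TRUSTED_CAS = {"Example Federation CA"}  # constructed CA name


@dataclass
class IdP:
    entity_id: str
    sso_location: str
    key_names: set = field(default_factory=set)          # names claimed for PKI trust
    cert_fingerprints: set = field(default_factory=set)  # sha256 of embedded certs


@dataclass
class PeerCert:
    """Fields a real X.509 parser would extract from the certificate a peer
    presents on TLS or in an XML signature (constructed model)."""
    der: bytes
    subject_cn: str
    issuer_cn: str


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def load_federation(xml_text: str) -> dict:
    """Directory function: entityID -> IdP for every IdP role in the metadata."""
    idps = {}
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        role = ed.find(f"{{{MD}}}IDPSSODescriptor")
        if role is None:
            continue  # SP-only entity: not a discovery target
        sso = role.find(f"{{{MD}}}SingleSignOnService")
        idp = IdP(ed.get("entityID"), sso.get("Location"))
        for kd in role.findall(f"{{{MD}}}KeyDescriptor"):
            for kn in kd.iter(f"{{{DS}}}KeyName"):
                idp.key_names.add(kn.text.strip())
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                idp.cert_fingerprints.add(fingerprint(base64.b64decode(cert.text)))
        idps[idp.entity_id] = idp
    return idps


def discover_idp(idps: dict, client_ip: str, hints) -> Optional[IdP]:
    """SP-side discovery: the IdP whose campus range contains the client.
    None means no hint matched, i.e. show the WAYF list instead."""
    addr = ipaddress.ip_address(client_ip)
    for network, entity_id in hints:
        if addr in ipaddress.ip_network(network):
            return idps.get(entity_id)
    return None


def pki_trust(idp: IdP, cert: PeerCert, trusted_cas: set) -> bool:
    """PKI mode: trusted issuer AND the cert's subject name equals a KeyName
    from metadata. Real code also checks the chain, validity and revocation;
    here the issuer-name check stands in for path validation."""
    return cert.issuer_cn in trusted_cas and cert.subject_cn in idp.key_names


def direct_key_trust(idp: IdP, cert: PeerCert) -> bool:
    """Direct key mode: the presented cert must match one embedded in metadata.
    No CA and no expiry are consulted, so the signed metadata is the anchor and
    a key rotated at the IdP is rejected until the metadata is republished."""
    return fingerprint(cert.der) in idp.cert_fingerprints


def hybrid_trust(idp: IdP, cert: PeerCert, trusted_cas: set) -> bool:
    """Hybrid mode: accept if either mechanism vouches for the certificate."""
    return direct_key_trust(idp, cert) or pki_trust(idp, cert, trusted_cas)
```

The two trust modes fail in different ways: under PKI trust, any certificate the trusted CA issues with the right name is accepted, so the CA’s issuing policy is the trust boundary; under direct key trust, the federation operator’s signed metadata is the only anchor, so metadata must be refreshed promptly when an IdP rotates keys. The hybrid rule accepts whichever vouches, which is why the slide describes it as still in testing.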
Shibboleth 2.0
• Shibboleth 2.0
– Virtually a complete re-write.
– Support for (some of) SAML 2.0
  • Web SSO and Single Logout profiles.
  • Additional capabilities likely in future releases.
– IdP
  • More powerful ARP (attribute release policy) expression.
  • Scripting for enhanced attribute resolution.
Other AM solutions
• Shibboleth is the recommended AM software.
– Designed for education and research.
• Many other SAML implementations exist.
• The moves towards Shibboleth 2.0 and SAML 2.0 should improve interoperability.
• We need to understand more about these other products and their suitability.
Shibboleth on Windows
• The Shibboleth IdP currently runs on Windows, although installation is complex.
• A Windows installer is in development.
• We’re looking for:
– Ideas, wish lists, etc.
– Guinea pigs.
Inter-federation
• Multiple emerging federations for education and research.
• Diverse policy and technological strategies.
• Use cases
– Reduce burden on publishers.
– Facilitate cross-federation access to resources such as wikis, VLEs, etc.
Inter-federation
• Inter-federation
– Leveraged federation
  • Group within a group.
– Federation peering
  • Bilateral agreement.
– Confederation
  • Federation of federations.
Integration with eduroam
• RAGS
– Experimental out-sourced IdP using eduroam for authentication.
• RADIUS-SAML
– Internet2 proposal to use SAML for eduroam authorisation.
Thank you for your attention
Any questions, ideas or requirements?