voip service in dame/eduroam
Post on 25-Feb-2016
University of Murcia, Gabriel López
Network authentication in eduroam and SSO token distribution
◦ RADIUS hierarchy
◦ Token based on SAML
Network authorization based on end user attributes
◦ Based on eduGAIN BEs
◦ XACML authorization policies
Web authN and authZ profile
Besides:
◦ Integrated with Shibboleth and PAPI idPs
◦ Support for LoA (Level of Assurance)
◦ RadSec deployment in progress
New services for SSO
Based on the SSO token provided by DAMe
Provide APIs for BEs:
◦ Token generation
◦ Token validation
◦ Authorization
Unified SSO token (perfSONAR, DAMe, etc.)
Provide optional authorization for VoIP services based on end user attributes
SIP protocol for testing
[Figure: SIP registration and call initiation across the Home Institution and the Remote Institution. Registration: the SIP UA (alice@home.in) sends Register() to the R-SIP Registrar and receives 401 Unauthorized; it resends Register(authz_data), which is relayed to the H-SIP Registrar for authentication, and receives 200 OK. Call initiation: the UA sends Invite(Bob) to the R-SIP Proxy and receives 401 Unauthorized; it resends Invite(Bob, authz_data), which is relayed (Trying) via the H-SIP Proxy for authentication (Trying), ending with Session in progress. Actors: SIP UA, R-SIP Registrar, R-SIP Proxy, H-SIP Proxy, H-SIP Registrar; all legs are SIP.]
Profile 1: The user has a valid SSO token
◦ From the end user network authentication (DAMe)
◦ New registration method required
◦ Token validation through BEs
◦ Extending registration method for authorization
Profile 2: The end user does not have a valid SSO token
◦ Receives a new SSO token for further authentications (VoIP, Web, etc.)
◦ Who does the end user authentication? VoIP Registrar vs idP
◦ Who does the token generation? BEs vs idP
Profile 2: SSO token generation delegated to the BEs (DAMe-based)
◦ Profile 2.1: Traditional authentication in the registrar server (HTTP Digest). Authentication in the registrar server
◦ Profile 2.2: Authentication based on HTTP (HTTP redirect). Authentication in the idP
◦ Profile 2.3: In-line/native authentication (new method). Authentication in the idP
[Figure: Profile 1 registration across the Home Institution and the Remote Institution, after network authentication. The SIP UA (alice@home.in) sends Register(Token) to the R-SIP Registrar, which is relayed to the H-SIP Registrar. The registrar sends AuthNRequest(token) over SOAP to the eduGAIN R-BE, which forwards it to the eduGAIN H-BE for token validation and returns AuthNResponse. The registrar then sends AuthZRequest(token) to the R-BE; the BEs exchange an Attribute request and Attribute response with the idP (Authn, Attrib.) over the federation-specific protocol, the authorization policy is evaluated, ok is returned and the UA receives 200 OK. Legs: SIP between UA and registrars, SOAP between registrars and BEs, federation specific between BEs and idP.]
Extension of SIP messages:
◦ Register (token)
◦ New authentication method
Extension of SIP proxies:
◦ Token validation through BEs
◦ Authorization based on end user and environment attributes through BEs (the authorization process, attribute recovery and PDP requests, is transparent to the proxies)
[Figure: Profile 2.1 registration across the Home Institution and the Remote Institution. The SIP UA (alice@home.in) sends Register to the R-SIP Registrar, which is relayed to the H-SIP Registrar, and receives 401 Unauthorized. It resends Register(authz_data); the H-SIP Registrar performs the authentication, sends AuthNQuery(user) over SOAP to the eduGAIN H-BE, which issues Authn query(user) to the idP (Authn, Attrib.) over the federation-specific protocol and receives AuthnResponse. The BE generates the SSO token and the UA receives 200 OK (Token). Authorization follows as in profile 1. Legs: SIP, SOAP, federation specific.]
Extension of SIP messages:
◦ 200 OK (token)
◦ Classic authentication
Extension of SIP proxies:
◦ Token generation request to BEs
◦ Authorization based on end user and environment attributes through BEs
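Profile 2.1 as an added Python sketch (not code from the DAMe project): the registrar answers the first REGISTER with a Digest challenge, verifies the credentials in the second REGISTER itself, and then obtains the SSO token from the BE through AuthnQuery(user), returning it in 200 OK (Token). The user store, BE signing key, token format and one-time nonce set are constructed assumptions, and the BE-to-idP round-trip is collapsed into authn_query.

```python
import hashlib
import hmac
import secrets
import time

REALM = "home.in"
USERS = {"alice": "constructed-password"}   # constructed stand-in for the idP's user store
BE_KEY = b"constructed-be-key"              # constructed stand-in for the BE's token signing key
ISSUED_NONCES = set()                       # nonces handed out in 401s, each usable once


def md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def challenge():
    """First REGISTER carries no credentials: answer 401 with a fresh Digest nonce."""
    nonce = secrets.token_hex(8)
    ISSUED_NONCES.add(nonce)
    www = f'WWW-Authenticate: Digest realm="{REALM}", nonce="{nonce}"'
    return "SIP/2.0 401 Unauthorized\r\n" + www, nonce


def digest_ok(user, nonce, uri, response):
    """Registrar-side HTTP Digest check (RFC 2617, no qop) of the second REGISTER."""
    if nonce not in ISSUED_NONCES:           # unknown or already used nonce: reject (replay)
        return False
    ISSUED_NONCES.discard(nonce)
    pwd = USERS.get(user)
    if pwd is None:
        return False
    ha1 = md5(f"{user}:{REALM}:{pwd}")
    ha2 = md5(f"REGISTER:{uri}")
    return hmac.compare_digest(md5(f"{ha1}:{nonce}:{ha2}"), response)


def authn_query(user, ttl=3600, now=None):
    """AuthnQuery(user): SSOToken. The BE issues a signed token once the registrar vouches for the user."""
    expires = int((time.time() if now is None else now) + ttl)
    body = f"{user}|{REALM}|{expires}"       # constructed token format: user|issuer|expiry|sig
    return body + "|" + hmac.new(BE_KEY, body.encode(), hashlib.sha256).hexdigest()


def register_with_creds(user, nonce, uri, response, now=None):
    """Profile 2.1 registrar: classic Digest authentication, then 200 OK carrying the new token."""
    if not digest_ok(user, nonce, uri, response):
        return "SIP/2.0 401 Unauthorized", None
    return "SIP/2.0 200 OK", authn_query(user, now=now)
```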
[Figure: Profile 2.2 registration across the Home Institution and the Remote Institution. The SIP UA (alice@home.in) sends Register to the R-SIP Registrar, which is relayed to the H-SIP Registrar, and receives 401 Unauthorized. The UA then authenticates directly with the idP (Authn, Attrib.) over HTTP/federation specific with AuthnRequest(user:pass) and receives an artifact. It resends Register(artifact), relayed to the H-SIP Registrar, which sends AuthNRequest(artifact) over SOAP to the eduGAIN H-BE; the BE recovers the authentication statement from the idP, generates the SSO token and the UA receives 200 OK (Token). Authorization follows as in profile 1. Legs: SIP, SOAP, HTTP/federation specific.]
Extension of SIP messages:
◦ REGISTER (artifact)
◦ 200 OK (token)
◦ HTTP redirection authN
Extension of SIP proxies:
◦ Token generation request to BEs
◦ Authorization based on end user and environment attributes through BEs
[Figure: Profile 2.3 registration across the Home Institution and the Remote Institution. The SIP UA (alice@home.in) sends Register to the R-SIP Registrar, which is relayed to the H-SIP Registrar, and receives 401 Unauthorized. It resends Register(creds), relayed to the H-SIP Registrar, which sends AuthNRequest(creds) over SOAP to the eduGAIN H-BE; the BE forwards AuthNRequest(creds) to the idP (Authn, Attrib.) over the federation-specific protocol, receives the authentication statement, generates the SSO token and the UA receives 200 OK (token). Authorization follows as in profile 1. Legs: SIP, SOAP, federation specific.]
Extension of SIP messages:
◦ 200 OK (token)
◦ Register includes end user creds (protected channel needed)
Extension of SIP proxies:
◦ Token generation request to BEs
◦ Authorization based on end user and environment attributes through BEs
AuthnRequest(SSOToken): Boolean
◦ SSOToken validation (profile 1): validity period, signature (PKC chain, trust anchors, etc.)
AuthnQuery(user): SSOToken
◦ Requests authentication statement from idP (profile 2.1)
◦ Generates SSO token
AuthnRequest(artifact): SSOToken
◦ AuthN statement recovery from idP (profile 2.2)
◦ SSO token generation
AuthnRequest(creds): SSOToken
◦ Sends authentication requests (application specific) to idP (profile 2.3)
◦ SSO token generation
AuthzRequest(SSOToken): Boolean (+obligations)
◦ Recover end user attributes from home domain: through eduGAIN BEs, or directly from the Attribute Provider
◦ Request an authorization decision from the local PDP, based on end user id, end user attributes, resource, action and other info (date/time, network load, etc.)
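The profile 1 registration (Register(token), token validation and authorization through the BEs) together with the AuthnRequest(SSOToken) and AuthzRequest(SSOToken) calls above, as an added Python model that is not the deck's or the DAMe project's code: a REGISTER without a token gets 401, a presented token is checked for validity period and signature, and a local policy returns a decision plus obligations. The token format, the X-SSO-Token header, an HMAC key per issuer in place of the PKC chain and trust anchors, and the attribute store are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed trust anchors: issuer -> verification key. The deck specifies a PKC
# chain and trust anchors; a per-issuer HMAC key stands in so the example runs offline.
TRUST_ANCHORS = {"home.in": b"constructed-home-key"}
# Constructed attribute store standing in for the eduGAIN attribute request/response.
ATTRIBUTES = {"alice": {"affiliation": "staff"}, "bob": {"affiliation": "guest"}}


def make_token(user, issuer, expires, key):
    """Constructed token format: user|issuer|expiry|signature (hex)."""
    body = f"{user}|{issuer}|{expires}"
    return body + "|" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def authn_request(token, now=None):
    """AuthnRequest(SSOToken): Boolean. Validity period and signature check (profile 1)."""
    now = time.time() if now is None else now
    try:
        user, issuer, expires, sig = token.split("|")
        expires = int(expires)
    except ValueError:
        return False
    key = TRUST_ANCHORS.get(issuer)          # unknown issuer: no trust anchor, reject
    if key is None or expires < now:
        return False
    expected = hmac.new(key, f"{user}|{issuer}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def authz_request(token, resource="sip-registration", action="register"):
    """AuthzRequest(SSOToken): Boolean (+obligations). Local policy over user attributes."""
    attrs = ATTRIBUTES.get(token.split("|")[0], {})
    if resource == "sip-registration" and action == "register":
        if attrs.get("affiliation") == "staff":
            return True, ["log-call-records"]        # obligation for the proxy to enforce
        if attrs.get("affiliation") == "guest":
            return True, ["limit-call-duration"]
    return False, []


def handle_register(msg, now=None):
    """Registrar side of profile 1: REGISTER with a valid token -> 200 OK, else 401/403."""
    headers = dict(h.split(": ", 1) for h in msg.split("\r\n")[1:] if ": " in h)
    token = headers.get("X-SSO-Token")       # hypothetical header carrying the DAMe token
    if token is None or not authn_request(token, now):
        return "SIP/2.0 401 Unauthorized", []
    ok, obligations = authz_request(token)
    return ("SIP/2.0 200 OK", obligations) if ok else ("SIP/2.0 403 Forbidden", [])
```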
SIP allows the extension of standard messages
◦ Extension Service Instruction
Authentication methods have already been proposed in other works
BE-API valid for other services? Compliant with other SAML/SIP proposals (Tschofenig)
Security of the token
◦ alice to R-SIP Registrar
◦ SIP/SSL, IPSec, token encryption
backup
[Figure (backup): DAMe network authentication across the Home Institution and the Remote Institution. The End User's device authenticates to the NAP over EAPOL/EAP; the NAP relays over RADIUS through the eduroam RADIUS hierarchy to the home institution. The idP (Authn, Attrib.) authenticates the user and returns a handle; the eduGAIN BE sends a SAML Request (AttributeQuery, federation specific) to the idP and receives a SAML Response (AttributeStatement) with the user's attributes. A SAML Request carrying an XACML AuthzDecisionQuery (handle, resource, action, evidence, attributes) goes to the PDP (AuthZ Engine), which evaluates the XACML Resource Access Policy and returns a SAML Response with an XACML AuthzDecisionStatement (result, obligations); obligations are translated and can be resolved over LDAP (SearchRequest(uid:handle, action, resource) / SearchResult(obligations)). The remote side returns Access-Accept with handle and properties, and the user receives EAP-Success. Legs: EAPOL, EAP/RADIUS, RADIUS, SOAP, LDAP, federation specific.]
[Figure (backup): eduToken-based web SSO. Components: User's Device with the uSSO Client (Supplicant, Token Manager, Browser with Java plugin, connected over RMI), the NAP, and in the Service Provider Domain the SP and the token-enabled R-BE. Flow: network authentication (PEAP) delivers the eduToken, which is encrypted and stored by the Token Manager; the user requests access at the SP, is redirected to the WAYF and selects "via eduToken"; the Token Fetcher Applet fetches the eduToken, the Token Manager decrypts and returns it, and the browser POSTs the eduToken to the token-enabled BE, which validates it and creates an assertion; the assertion is sent to the SP, which grants access. All web legs use HTTPS.]