Connect. Communicate. Collaborate
AAI scenario: How AutoBAHN system will use the eduGAIN federation for Authentication and Authorization
Simon Muyal, [email protected]
Victor Reijs, [email protected]
TNC2007 – TERENA Technical Workshop
Lyngby, 20 May 2007
Agenda
• AutoBAHN service overview…
• Authentication and Authorization Infrastructure…
  – Overview
  – AA Scenario
    • Home domain’s User AuthN: Automated & Human user
    • Inter-domain AuthR
  – Policy module and attributes
• Progress…
AutoBAHN service overview
• AutoBAHN is a research activity for engineering, automating and streamlining the inter-domain setup of guaranteed-capacity (Gbit/s) end-to-end paths
• AutoBAHN = Joint Research Activity 3 of the GN2 project
  – GN2 is an EC-funded Integrated Infrastructure Initiative (I3) project, with all NRENs as partners (DANTE: coordinator)
  – GN2 includes:
    • Networking Activities (NAs) (human networks)
    • Service Activities (SAs) (deployment of GÉANT2 with focus on services)
    • Joint Research Activities (JRAs) (applied technological research)
Multi-domain environment
• Multi-technology, multi-disciplinary environment
• Control and provisioning has to be distributed
• Business-layer related interactions include AA, policies, advance reservations, etc.
• Security and control of intra-domain resources must be safeguarded
A distributed approach
[Figure: three domains (Home & Source domain, Linking domain, Destination domain), each with a User interface, an Inter-Domain Manager and a Domain Manager above its NMS; client equipment attaches at both ends. Domain technologies shown: IP domain, GE domain (L2 MPLS VPN), SDH domain (native Ethernet, GFP over SDH, GMPLS signalling). Numbered steps (1) to (10) run through the inter-domain path-finding across the domains.]
AutoBAHN processes
• Topology updating process: a regular update of the inter-domain abstract topology model
• BoD request: a path request from an automated or human user
• Pathfinding: finding a path through the abstract topology model
• Resource scheduling process: check the feasibility of the found path in a chained way and, if the path is feasible, schedule the resources
• Signaling process: at the right moment, signal the domains to make the path
Agenda
• AutoBAHN service overview…
• AAI in AutoBAHN…
  – Overview
  – AA Scenario
    • Home domain’s User AuthN: Automated & Human user
    • Inter-domain AuthR
  – Policy module and attributes
• Progress…
Overview
• Based on the work done by another GN2 research activity (GN2-JRA5): eduGAIN, a federator of already established AAIs across European countries for inter-domain services
• A chained solution is adopted:
  – A user is authenticated and his/her BoD request is authorized successively in each domain on the path where bandwidth should be scheduled
  – The scheduled resources are enabled in each domain by the Domain Manager (DM) only after AA
AutoBAHN interactions with AAI
1. Home domain’s user AuthN: interaction with the local AAI to authenticate the user and retrieve his/her/its attributes
2. Web Services (WS) communication (e.g. between IDMs and between IDM and DM): existing trust between IDMs and between IDM and DM, using X.509 certificates signed by eduGAIN (over SSL)
3. Inter-module communications: no AAI needed
AAI and the AutoBAHN processes
• Topology updating process: WS communication (between IDMs and IDM-DM), interaction 2
• BoD request: communication with an automated or human user, interaction 1
• Pathfinding: inter-module communication (IDM), interaction 3
• Resource scheduling process: WS communication (between IDMs and IDM-DM), interaction 2
• Signaling process: WS communication (between IDMs and IDM-DM), interaction 2
Home domain’s user AuthN
• An eduGAIN filter intercepts the user requests and interacts with the local AAI
• Two possible user cases:
  – An automated user makes a BoD request
    • Web Services are used for communication between the automated user and the AutoBAHN application (IDM)
    • The automated user has a certificate: it can directly send the AuthN information (no interactive login step is needed, unlike the human user case)
  – A human user makes a BoD request via a web portal
    • The user is redirected to its local AAI using HTTP redirections
• AuthR (after AuthN) is common to both user cases
Home domain’s user AuthN: Automated user (Steps 1’ and 2’)
[Figure: three blocks are shown, the JRA3 block (JRA3 IDM with its User Access Module & other modules, AAI/policy module and JRA3 DB), the eduGAIN block (eduGAIN filter) and the local AAI block (IDP/web SSO such as Shibboleth, PAPI, etc., with its attribute store & identity provider). Captioned steps:]
1’ The user, holding a certificate, sends the AuthN information
2’ The eduGAIN filter sends this information to the local AAI to authenticate the user
4’ The local AAI sends the response with the user attributes associated to AutoBAHN
5’–6’ The filter sends the AuthN response and the user replies by sending the BoD request to the IDM
(Step 3’, between the local AAI and its attribute store, carries no caption on the slide.)
Home domain’s user AuthN: Human user (Steps 1 and 2)
[Figure: same blocks as for the automated user. Captioned steps:]
2–3 HTTP redirect: the eduGAIN filter redirects the user to its local AAI
4–6 User AuthN in its local AAI
(Step 1 carries no caption on the slide.)
Home domain’s user AuthN: Human user (Steps 3 and 4)
[Figure: same blocks as above. Captioned steps:]
7 The IDP redirects the user to the JRA3 service; the user attributes associated to AutoBAHN are also sent
8–9 The IDM sends the BoD request and the user fills in the parameters
Home domain AuthR (Steps A and B)
[Figure: same blocks as above, the steps now inside the JRA3 IDM. Captioned steps:]
10–14 The BoD request is sent to the policy module and the attributes are retrieved
15–18 The policy module retrieves the rules from the JRA3 DB and compares them to the BoD request
Inter-domain AuthR (Step C)
[Figure: two JRA3 IDMs with existing trust between them (XML messages, X.509 certificates). Steps 19–24: the first IDM’s eduGAIN module concatenates the BoD parameters and the user attributes into one message (BoD Id, BoD param, attr); the next IDM’s eduGAIN module extracts the BoD parameters and attributes and hands them to its own User Access Module, AAI/policy module and JRA3 DB.]
Inter-domain AuthR (Step D)
[Figure: Home & Source domain, Linking domain and Destination domain, each with its JRA3 IDM (User Access Module & other modules, AAI/policy module, JRA3 DB). Steps 25–32 are spread over the three IDMs, with steps 26–30 in the linking and destination domains and step 32 back at the home domain’s IDM. Legend: JRA3 block, eduGAIN block, AAI local block.]
Policy module and attributes (1/2)
• AuthR information is stored in the JRA3 DB
  – The eduGAIN filter avoids problems of different rule formats stored in local AAIs
• Define entries like: jra3.renater.projects.DEISA
• Apply rules for these entries: jra3.*.projects.DEISA = 1Gbit/s
• Advantages
  – Granularity and accuracy (if wanted) of rules
  – Easy maintenance and flexibility
• Existing AuthR engines like PERMIS will be used
Policy module and attributes (2/2)
• The user attributes which can be used for AuthR are:
  – Role
  – Project
  – Home network domain
  – NREN
  – This list can be updated
• These attributes are stored in the local AAI
• Mapping with BoD information stored in the JRA3 DB to authorize a BoD request
• Use of GIdP (GN2 activity) if a local AAI doesn’t exist for the user making the BoD request
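The following is an added worked example, not code from the slides or from the GN2 JRA3/JRA5 projects. It ties together the two policy-module slides (entries of the form jra3.<domain>.<category>.<value> derived from the released attributes, and wildcard rules such as jra3.*.projects.DEISA = 1Gbit/s) with the chained solution from the Overview slide and Step C (the BoD parameters and attributes are packaged once by the home domain and every IDM on the path evaluates them against its own rules). The attribute values, domain names, rule tables, the JSON message format and the bandwidth_bps parameter are all constructed for the example; the slides only name XML over X.509-based trust for the real inter-IDM messages.

```python
"""Toy AutoBAHN-style chained authorization (added example; all data constructed).

Entries jra3.<domain>.<category>.<value> are derived from the attributes the
local AAI releases (role, project, NREN); rules like 'jra3.*.projects.DEISA =
1Gbit/s' are matched segment-wise, '*' standing for any single dotted segment;
each domain on the path decides on the same packaged request (default deny).
"""
import json

# Constructed attributes, as a local AAI would release them for one user.
USER_ATTRIBUTES = {
    "role": "researcher",
    "project": "DEISA",
    "homeDomain": "renater",
    "nren": "RENATER",
}

# Constructed per-domain rule tables standing in for each domain's JRA3 DB.
# Rule syntax follows the slide: jra3.<domain>.<category>.<value> = <rate>.
RULES = {
    "renater": {"jra3.*.projects.DEISA": "1Gbit/s",
                "jra3.renater.roles.admin": "10Gbit/s"},
    "geant2":  {"jra3.*.projects.DEISA": "1Gbit/s"},
    "heanet":  {"jra3.heanet.projects.DEISA": "500Mbit/s"},
}

UNITS = {"Gbit/s": 10**9, "Mbit/s": 10**6, "kbit/s": 10**3}


def parse_rate(text):
    """'1Gbit/s' -> 1_000_000_000 (bit/s). Unknown units are rejected."""
    for unit, factor in UNITS.items():
        if text.endswith(unit):
            return int(float(text[:-len(unit)]) * factor)
    raise ValueError(f"unknown rate unit in {text!r}")


def entry_matches(entry, pattern):
    """Segment-wise match: '*' covers exactly one dotted segment, so
    'jra3.*.projects.DEISA' matches 'jra3.renater.projects.DEISA' but not
    'jra3.renater.roles.projects.DEISA'."""
    e, p = entry.split("."), pattern.split(".")
    return len(e) == len(p) and all(ps in ("*", es) for es, ps in zip(e, p))


def entries_for(attributes, domain):
    """Map released attributes onto the policy entries they represent in `domain`
    (category names 'projects', 'roles', 'nrens' are assumptions of this example)."""
    categories = {"project": "projects", "role": "roles", "nren": "nrens"}
    return [f"jra3.{domain}.{cat}.{attributes[key]}"
            for key, cat in categories.items() if key in attributes]


def authorize_in_domain(domain, attributes, requested_bps, rules=RULES):
    """One domain's decision: the best matching rule must cover the requested rate.
    No matching rule (or an unknown domain) means the request is refused."""
    granted = 0
    for entry in entries_for(attributes, domain):
        for pattern, rate in rules.get(domain, {}).items():
            if entry_matches(entry, pattern):
                granted = max(granted, parse_rate(rate))
    return 0 < requested_bps <= granted


def pack_request(bod_id, bod_params, attributes):
    """Home domain's eduGAIN module: concatenate BoD params + attributes into the
    message passed to the next IDM (JSON here; the slides use XML)."""
    return json.dumps({"bodId": bod_id, "bodParams": bod_params, "attributes": attributes})


def authorize_along_path(path, message, rules=RULES):
    """Chained AA: each IDM on the path extracts the BoD params and attributes and
    evaluates them against its own rules. The first refusal stops the chain, so no
    Domain Manager enables resources for a request that is not authorized everywhere."""
    request = json.loads(message)
    decisions = {}
    for domain in path:
        ok = authorize_in_domain(domain, request["attributes"],
                                 request["bodParams"]["bandwidth_bps"], rules)
        decisions[domain] = ok
        if not ok:
            break
    return len(decisions) == len(path) and all(decisions.values()), decisions


if __name__ == "__main__":
    path = ["renater", "geant2", "heanet"]
    msg = pack_request("bod-0001", {"bandwidth_bps": 10**9}, USER_ATTRIBUTES)
    print(authorize_along_path(path, msg))          # refused: heanet only grants 500Mbit/s
    msg = pack_request("bod-0002", {"bandwidth_bps": 400 * 10**6}, USER_ATTRIBUTES)
    print(authorize_along_path(path, msg))          # authorized in all three domains
```

The segment-wise matcher is deliberately stricter than a shell-style glob: a `*` in the domain position cannot swallow extra dotted segments, so a rule written for one category never applies to an entry of another. Missing rules, unknown domains and a zero-rate request all fall through to a refusal, which is the behaviour a chained authorization needs if a later domain's DM is to rely on the decision.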
Agenda
• AutoBAHN service overview…
• AAI in AutoBAHN…
  – Overview
  – AAI Scenario
    • Home domain’s User AuthN: Automated & Human user
    • Inter-domain AuthR
  – Policy module and attributes
• Progress…
Progress
• AuthN
  – Interface:
    • Automated user: being implemented by GN2 JRA3; has to be adapted to the eduGAIN filter (certificate)
    • Human user: web portal to make BoD requests; implemented by GN2 JRA3, ~ Q3 2007
  – eduGAIN filter for user AuthN:
    • Automated user: will be implemented by GN2 JRA5
    • Human user: being implemented by GN2 JRA5; first version ready next month
• AuthR
  – Work started to analyze how to use PERMIS in AutoBAHN
Questions?