AAI @ CHUV
SWITCH · 2010. 8. 27.
CHUV
Vincent Bex, Systems Engineer
Patrick Zosso, Infrastructure Project Manager
Agenda
• Presentation of the CHUV
• Security concepts at CHUV
• The challenge
• AAI implementation for UNIL students
Presentation
Some indicators:
• 7100 employees + 400 students
• 1300 beds
• 2 campuses and several small remote sites
Presentation
• Equipment: 7000 PCs, 1930 printers, 250 servers, 750 applications
• Storage: 70 TB
Presentation
• Locations: one LAN spread over the 2 main campuses, plus 23 small remote sites
• 385 network devices: VPN, firewalls, routers, switches, WiFi, …
Agenda
• Security concepts at CHUV
• The challenge
• AAI implementation for UNIL students
Security concepts at CHUV
[Diagram: network zones Internet, Intranet, DataCenter and DMZ; the starting point shows intranet clients reaching the Internet directly with "tcp any", e.g. http://www.switch.aai or http://kodc2.nfrdi.re.kr:8001]
Security concepts at CHUV
[Diagram: same zones; intranet clients reach an HTTP proxy in the DMZ on tcp 8080, and only the proxy reaches the Internet with "tcp any"]
Security concepts at CHUV
[Diagram: same zones, with a UNIL student PC on the intranet, a second, dedicated HTTP proxy in the DMZ reached on tcp 8080, an LDAP server used by that proxy, and "tcp any" from the proxy to the Internet]
Agenda
• The challenge
• AAI implementation for UNIL students
The Challenge
The situation:
• Users who are not CHUV employees (UNIL students) need to access the Internet from our premises
• They use specific PCs in the library
• These PCs are configured to log on automatically with a generic account
The Challenge
The needs:
• We need to identify the users who access the Internet, for policy enforcement purposes
The Challenge
The environment:
• Our proxies are currently BlueCoat appliances
• BlueCoat does not support mod_shib authentication
• Shibboleth is “easy” to implement on IIS or Apache
• We need to force the PCs to use the proxy
The Challenge
The solution:
• A dedicated BlueCoat proxy
• A Service Provider on Debian 4.0
• Apache 2.2 with mod_shib enabled
• OpenLDAP
• Two CGI scripts
• A GPO to force the users’ PCs to use the proxy
Agenda
• AAI implementation for UNIL students
AAI implementation for UNIL students
[Diagram, built up one step per slide and summarised on the last one: the student's PC, the dedicated HTTP proxy, the Shibboleth-protected Service Provider with its LDAP server, and the Internet. Legend: HTTP request/response, HTTP redirection, server to server connection.]
1. Internet access request
2. Redirection to a Perl script protected by Shibboleth
3. AAI authentication
4. Creating the LDAP user
5. Creating and sending the authentication form
6. The proxy requests authentication from the LDAP server
7. LDAP user gets deleted
8. Redirection to the requested URL
9. Internet access
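The nine steps above, modelled end to end as an added example (this is not code from the CHUV presentation or from the CHUV team): the Shibboleth-protected script creates a one-time LDAP account tied to the AAI identity (step 4), emits the form the browser posts to the proxy (step 5), the proxy validates the credentials (step 6) and the account is deleted (step 7), so the password cannot be replayed and proxy logs still name a person. OpenLDAP is replaced by an in-memory dictionary, mod_shib by a dictionary of attributes, and the BlueCoat login form by generic field names; the attribute name persistent-id, the form field names, the proxy URL and the TTL are assumptions. The example also adds a TTL purge, which the slides do not mention, for accounts whose form is never submitted.

```python
"""Ephemeral LDAP credential bridge between an AAI login and a proxy.

Stand-ins (constructed for this example): DIRECTORY replaces OpenLDAP,
shib_attrs replaces the mod_shib environment the Perl CGI would see, and
the form field names replace whatever the BlueCoat login form expects.
"""
import hashlib
import hmac
import html
import secrets
import time

# Constructed stand-in for the OpenLDAP directory: uid -> (salt, hash, created_at)
DIRECTORY = {}
# Assumption: how long an unused one-time account may live before housekeeping removes it
ACCOUNT_TTL_SECONDS = 120


def _now(now):
    return time.time() if now is None else now


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_ldap_user(shib_attrs, now=None):
    """Step 4: the Shibboleth-protected CGI creates a one-time LDAP user.

    The uid is derived from the AAI identity so that proxy log lines can be
    traced back to a person (the policy-enforcement requirement); the password
    is random, single-use and never stored in clear.
    """
    persistent_id = shib_attrs["persistent-id"]  # attribute name is an assumption
    uid = "aai-" + hashlib.sha256(persistent_id.encode()).hexdigest()[:16]
    password = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    DIRECTORY[uid] = (salt, _hash(password, salt), _now(now))
    return uid, password


def build_auth_form(uid, password, proxy_login_url, target):
    """Step 5: the auto-submitting form returned to the browser.

    Field names (username, password, redirect) are assumptions; every value is
    HTML-escaped so the requested URL cannot break out of the attribute.
    """
    e = lambda s: html.escape(s, quote=True)
    return (
        f'<form method="post" action="{e(proxy_login_url)}">'
        f'<input type="hidden" name="username" value="{e(uid)}">'
        f'<input type="hidden" name="password" value="{e(password)}">'
        f'<input type="hidden" name="redirect" value="{e(target)}">'
        "</form><script>document.forms[0].submit()</script>"
    )


def proxy_authenticate(uid, password, now=None):
    """Step 6: the proxy verifies the credentials (stand-in for an LDAP bind).

    Expired accounts are refused and removed, so a form that was never
    submitted does not leave a usable credential behind.
    """
    entry = DIRECTORY.get(uid)
    if entry is None:
        return False
    salt, digest, created_at = entry
    if _now(now) - created_at > ACCOUNT_TTL_SECONDS:
        delete_ldap_user(uid)
        return False
    return hmac.compare_digest(digest, _hash(password, salt))


def delete_ldap_user(uid):
    """Step 7: the one-time account is removed as soon as the proxy has used it."""
    DIRECTORY.pop(uid, None)


def run_flow(shib_attrs, target, now=None):
    """Steps 4 to 7 in order, then a replay attempt with the same credentials."""
    uid, password = create_ldap_user(shib_attrs, now)
    form = build_auth_form(uid, password, "http://proxy.example.invalid/login", target)
    first_login = proxy_authenticate(uid, password, now)  # step 6
    delete_ldap_user(uid)                                 # step 7
    replay = proxy_authenticate(uid, password, now)       # must fail
    return {"uid": uid, "form": form, "first_login": first_login, "replay": replay}


if __name__ == "__main__":
    # Constructed sample attributes, as mod_shib would expose them to the CGI
    attrs = {"persistent-id": "https://idp.example.invalid/!https://sp.example.invalid/!abc123"}
    print(run_flow(attrs, "http://www.switch.aai"))
```

The deletion in step 7 is what makes the bridge safe: the password exists only for the few seconds between the form being rendered and the proxy's LDAP lookup, and the TTL check covers the case where the browser never submits the form.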
Q&A