High-quality Internet for higher education and research
do you like to puzzle, build an AAI !
AA systems
2nd EuroCAMP - Porto, November 8, [email protected]
Presentation outline
• Drivers for an AAI;
• The pieces of the AAI-puzzle;
– network and application access, login, authentication, authorisation, identity management;
• Assessments of some AA systems;
• Federations;
• Standards;
• Developments;
Why AAI? Network mobility
Why AAI? Educational mobility
Why AAI? Personalised service provisioning
Why AAI? Reduce the digital key ring
Ingredients of an AAI (puzzle diagram): Login, (web) Application, Administration, Authorisation, Network, Authentication
Network access: RADIUS infrastructure
Diagram: Organisational RADIUS Servers (A, B, C) connect to National RADIUS Proxy Servers, which in turn connect to a European RADIUS Proxy Server, giving users network access at any participating organisation.
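As an added example (not from the presentation), a small Python simulation of how a hierarchical RADIUS proxy infrastructure like the one in the diagram routes an access request: each server authenticates users of its own realm (the part after the `@` in the user name, which is how eduroam routes) and forwards everything else upwards, while the proxy tiers send requests back down to the organisation that owns the realm. Server names, realms and the two-country hierarchy are constructed for illustration.

```python
"""Simulate realm-based request routing in a hierarchical RADIUS proxy
infrastructure (organisational -> national -> European).
Server names and realms below are constructed for illustration."""

# Constructed hierarchy: which organisational server owns which realm,
# and which national proxy serves which top-level realm.
ORG_SERVERS = {
    "uni-a.example.nl": "Organisational RADIUS Server A",
    "uni-b.example.nl": "Organisational RADIUS Server B",
    "uni-c.example.pt": "Organisational RADIUS Server C",
}
NATIONAL_PROXIES = {
    "nl": "National RADIUS Proxy (NL)",
    "pt": "National RADIUS Proxy (PT)",
}
EUROPEAN_PROXY = "European RADIUS Proxy Server"


def split_realm(user_name):
    """Return (user, realm) for 'user@realm'; realm is None when absent."""
    if "@" not in user_name:
        return user_name, None
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower() or None


def route(user_name, visited_org):
    """Return the servers a request visits, starting at the organisation
    where the user connects (visited_org), ending with 'AUTHENTICATE' or
    'REJECT: <reason>'. Requests are only answered by the realm's owner."""
    _, realm = split_realm(user_name)
    path = [ORG_SERVERS[visited_org]]
    if realm is None:
        return path + ["REJECT: no realm, cannot route"]
    if realm == visited_org:
        return path + ["AUTHENTICATE"]  # home user: answered locally
    # Guest user: forward to the national proxy of the visited country.
    path.append(NATIONAL_PROXIES[visited_org.rsplit(".", 1)[1]])
    tld = realm.rsplit(".", 1)[-1]
    if tld not in NATIONAL_PROXIES:
        # The European proxy knows no national proxy for this realm.
        return path + [EUROPEAN_PROXY, f"REJECT: unknown top-level realm .{tld}"]
    if NATIONAL_PROXIES[tld] != path[-1]:
        path += [EUROPEAN_PROXY, NATIONAL_PROXIES[tld]]  # up, then down
    if realm not in ORG_SERVERS:
        return path + [f"REJECT: unknown realm {realm}"]
    return path + [ORG_SERVERS[realm], "AUTHENTICATE"]
```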
Network access: User-controlled light path provisioning
Diagram: applications request light paths through AAA brokers in SURFnet6, NetherLight, OMNInet and Starlight; brokers offer their services via UDDI/WSIL, and the user is identified with an A-Select token.
Application access: centralise intelligence
Login server: intermediary between application and AA, providing SSO
Authentication: choose your own method (and strength)
• IP address
• Username / password
– LDAP / Active Directory
– RADIUS
– SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …
Authorisation: Policy engines
Authorisation: Policy engines, e.g. using ‘roles’
Authorisation: 3 scenarios
1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’)
Administration: Identity Management
• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It’s the underlying basis for an AAI;
• …and it’s a hype…
Quick assessment of current AA systems
• Web login (authentication) systems
– Athens, A-Select, CAS, CoSign, Pubcookie
• Authorisation systems
– PAPI, PERMIS, Shibboleth, SPOCP
– Portal products (Oracle, SiteMinder, Sun One, uPortal)
Web login systems (A-Select, CAS, CoSign, Pubcookie, …)
Web login systems (Athens)
Portal products (Oracle, SiteMinder, Sun One, uPortal)
Authorisation products (PERMIS, SPOCP)
Authorisation products (PAPI)
Authorisation products (Shibboleth)
Cross-domain AA: Ingredients for a federation
• Policies (e.g. InCommon* from Internet2):
– Federation Operating Practices and Procedures
– Participant Agreement
– Participant Operating Practices
• Technologies:
– Protocols / language
– Schemas
– Trust / PKI
* http://www.incommonfederation.org/
What about… standards?
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Webservices (SOAP, XML RPC, WSDL, WS-*)
• SAML (1.1 -> 2.0)
• For federations:
– WS-Federation (Microsoft, IBM)
– SAML (OASIS: 150 companies, Internet2)
– Liberty Alliance (Sun, 170 companies)
What about… future developments (in the research world)?
• Need for:
– Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
– Attention to non-web-based applications (e.g. Grids)
– Universal Single Sign-On across network and application domain
– (Error-) Diagnostics across federations!
Middleware diagnostics: what if there’s an error?
Diagram: Security Related Events, Middleware Related Events and Network Related Events feed into Collection and Normalization of Events and a Dissemination Network; diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets.
Homework
but before that...
Manage your identities...
References
• AAI terminology
• Athens
• A-Select
• CAS
• CoSign
• eduroam
• Internet2 Federation
• Middleware diagnostics
• NSF Middleware Initiative
• Privilege Management
• Shibboleth
• Swiss Federation
Thank you!
Questions?