do you like to puzzle, build an AAI !

AA systems, 2nd EuroCAMP - Porto, November 8, 2005, [email protected]

PowerPoint PPT presentation, 31 pages. Presentation outline: Drivers for an AAI; The pieces of the AAI-puzzle; …

TRANSCRIPT

Page 1: do you like to puzzle, build an AAI !

High-quality Internet for higher education and research

xxxxxx

AA systems

2nd EuroCAMP - Porto, November 8, 2005, [email protected]

Page 2

Presentation outline

• Drivers for an AAI;
• The pieces of the AAI-puzzle;
  – network and application access, login, authentication, authorisation, identity management;
• Assessments of some AA systems;
• Federations;
• Standards;
• Developments;

Page 3

Why AAI? Network mobility

Page 4

Why AAI? Educational mobility

Page 5

Why AAI? Personalised service provisioning

Page 6

Why AAI? Reduce the digital key ring

Page 7

Ingredients of an AAI

[Diagram labels: Login; (web) Application; Administration; Authorisation; Network; Authentication]

Page 8

Network access: RADIUS infrastructure

[Diagram labels: Organisational RADIUS Server A, B, C; National RADIUS Proxy Server (two shown); European RADIUS Proxy Server (two shown); network]
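The slide only shows the boxes of the proxy hierarchy (organisational servers, national proxies, a European proxy). The following is an added example, not code from the presentation or from any RADIUS implementation: a toy model of how such a hierarchy routes an Access-Request on the realm part of the identity, with the credential verified only by the home organisation. The realms, server names, user records and the hop limit are all constructed for the example.

```python
import hmac
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 6  # assumed limit; guards against loops between misconfigured proxies


@dataclass
class AccessRequest:
    user: str                  # outer identity "user@realm" as sent by the visited network
    password: str              # constructed; a real exchange would carry it inside an EAP tunnel
    hops: list = field(default_factory=list)   # servers traversed, like chained Proxy-State attributes


@dataclass
class RadiusServer:
    name: str
    realm: Optional[str] = None                  # realm this organisational server is authoritative for
    users: dict = field(default_factory=dict)    # constructed local user store (home organisation only)
    routes: dict = field(default_factory=dict)   # realm suffix -> next-hop server (longest suffix wins)
    default: Optional["RadiusServer"] = None     # upstream proxy for realms not in `routes`

    def handle(self, req: AccessRequest) -> str:
        if self.name in req.hops:
            return "Access-Reject (proxy loop detected)"
        if len(req.hops) >= MAX_HOPS:
            return "Access-Reject (hop limit exceeded)"
        req.hops.append(self.name)
        realm = realm_of(req.user)
        if realm is None:
            return "Access-Reject (no realm)"   # unqualified identities cannot be routed when roaming
        if realm == self.realm:
            # Only the home organisation ever verifies the credential; proxies just forward.
            stored = self.users.get(req.user, "")
            if stored and hmac.compare_digest(stored, req.password):
                return "Access-Accept"
            return "Access-Reject (bad credentials)"
        nxt = self.route_for(realm)
        if nxt is None:
            return "Access-Reject (unknown realm)"
        return nxt.handle(req)

    def route_for(self, realm: str) -> Optional["RadiusServer"]:
        for suffix in sorted(self.routes, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                return self.routes[suffix]
        return self.default


def realm_of(user: str) -> Optional[str]:
    """Realm is the part after the last '@'; None when the identity is unqualified."""
    if "@" not in user:
        return None
    return user.rsplit("@", 1)[1].lower() or None


def build_topology() -> dict:
    """Three organisations (A and B in one country, C in another), two national proxies, one European proxy."""
    org_a = RadiusServer("org-A", realm="uni-a.nl.example", users={"alice@uni-a.nl.example": "s3cret"})
    org_b = RadiusServer("org-B", realm="uni-b.nl.example", users={"bob@uni-b.nl.example": "hunter2"})
    org_c = RadiusServer("org-C", realm="uni-c.pt.example", users={"carla@uni-c.pt.example": "pw"})
    europe = RadiusServer("europe-proxy")
    nl = RadiusServer("nl-proxy", routes={"uni-a.nl.example": org_a, "uni-b.nl.example": org_b}, default=europe)
    pt = RadiusServer("pt-proxy", routes={"uni-c.pt.example": org_c}, default=europe)
    europe.routes = {"nl.example": nl, "pt.example": pt}
    org_a.default, org_b.default, org_c.default = nl, nl, pt   # organisations forward foreign realms upward
    return {"org-A": org_a, "org-B": org_b, "org-C": org_c, "nl": nl, "pt": pt, "eu": europe}


def roam(visited: RadiusServer, user: str, password: str):
    """A user connects at `visited`; returns the RADIUS outcome and the proxy path taken."""
    req = AccessRequest(user, password)
    return visited.handle(req), req.hops


def loop_demo():
    """Misconfiguration: the European proxy falls back to nl-proxy, which falls back to Europe."""
    t = build_topology()
    t["eu"].default = t["nl"]
    return roam(t["org-A"], "dave@uni-z.de.example", "x")


if __name__ == "__main__":
    t = build_topology()
    print(roam(t["org-A"], "carla@uni-c.pt.example", "pw"))   # visitor from C, verified at home
    print(roam(t["org-B"], "dave@uni-z.de.example", "x"))      # unknown realm is rejected, not guessed
    print(loop_demo())
```

Two properties of the model matter operationally: a proxy never sees a decision it can take itself for a foreign realm (it can only forward or reject), and the path recorded in `hops` is what makes a routing loop or an unknown realm diagnosable from the visited side rather than from the home side.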

Page 9

Network access: User-controlled light path provisioning

[Diagram labels: Application(s), AAA and Broker at each of SURFnet6, NetherLight, OMNInet and Starlight; Services; AAA; UDDI/WSIL; A-Select; token; network]

Page 10

Application access: centralise intelligence

[Diagram label: applications]

Page 11

Application access: centralise intelligence (same text as page 10)

Page 12

Login server: intermediary between application and AA: provide SSO

[Diagram label: login]

Page 13

Authentication: choose your own method (and strength)

• IP address
• Username / password
  – LDAP / Active Directory
  – RADIUS
  – SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …

[Diagram label: authentication]
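Pages 12 and 13 together describe a login server that authenticates the user once, by a method of chosen strength, and then fronts for every application. The block below is an added example written for this transcript, not code from the presentation or from any of the login systems it names (A-Select, CAS, CoSign, Pubcookie). It models the login server issuing short-lived, application-bound, single-use tickets that carry the assurance level of the method used, so an application can demand step-up authentication. The key, the numeric levels per method, the application names and the clock values are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed key shared between the login server and the applications it serves
# (a real deployment would use per-application keys or an asymmetric signature).
LOGIN_SERVER_KEY = b"constructed-demo-key-not-for-use"

# Methods from the slide, with an assumed ordinal strength (level of assurance).
METHOD_LEVEL = {"ip_address": 1, "password": 2, "otp_sms": 3, "token": 4, "pki_certificate": 4}


class LoginServer:
    """Sits between the applications and the AA back ends: the user authenticates once,
    and every application then receives its own short-lived, signed ticket (SSO)."""

    def __init__(self, key=LOGIN_SERVER_KEY, ticket_ttl=300, session_ttl=8 * 3600):
        self.key, self.ticket_ttl, self.session_ttl = key, ticket_ttl, session_ttl
        self.sessions = {}   # session id -> (user, assurance level, session expiry)

    def login(self, user, method, now):
        # The credential check itself is delegated to LDAP/RADIUS/SQL/...; modelled as already passed.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = (user, METHOD_LEVEL[method], now + self.session_ttl)
        return sid

    def ticket_for(self, sid, app_id, now):
        user, level, exp = self.sessions.get(sid, (None, 0, 0))
        if user is None or now >= exp:
            return None   # no live SSO session: the application must redirect to the login page
        claims = {"sub": user, "aud": app_id, "lvl": level, "iat": now,
                  "exp": now + self.ticket_ttl, "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class Application:
    """A (web) application that trusts the login server instead of handling credentials."""

    def __init__(self, app_id, min_level, key=LOGIN_SERVER_KEY):
        self.app_id, self.min_level, self.key = app_id, min_level, key
        self.redeemed = set()   # nonces already used: a ticket is single-use

    def accept(self, ticket, now):
        if not isinstance(ticket, str) or ticket.count(".") != 1:
            return (False, "malformed")
        body, sig = ticket.split(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return (False, "bad signature")
        c = json.loads(base64.urlsafe_b64decode(body))
        if c["aud"] != self.app_id:
            return (False, "ticket for another application")
        if now >= c["exp"]:
            return (False, "expired")
        if c["nonce"] in self.redeemed:
            return (False, "replayed")
        if c["lvl"] < self.min_level:
            return (False, "step-up authentication required")
        self.redeemed.add(c["nonce"])
        return (True, c["sub"])


def sso_demo():
    now = 1_131_444_000   # constructed clock value (seconds)
    ls = LoginServer()
    webmail = Application("webmail", min_level=2)
    grades = Application("grades", min_level=3)
    sid = ls.login("alice", "password", now)            # one login ...
    t_mail = ls.ticket_for(sid, "webmail", now)
    t_grades = ls.ticket_for(sid, "grades", now)
    results = {
        "webmail": webmail.accept(t_mail, now),          # ... grants access to webmail
        "grades": grades.accept(t_grades, now),          # password is too weak for grades
        "replay": webmail.accept(t_mail, now),           # same ticket presented twice
        "wrong_app": grades.accept(t_mail, now),         # webmail ticket shown to grades
        "expired": webmail.accept(ls.ticket_for(sid, "webmail", now), now + 301),
    }
    sid2 = ls.login("alice", "otp_sms", now)            # re-authenticate with a stronger method
    results["step_up"] = grades.accept(ls.ticket_for(sid2, "grades", now), now)
    return results


if __name__ == "__main__":
    for name, outcome in sso_demo().items():
        print(f"{name:10} {outcome}")
```

The checks in `Application.accept` are the ones that make an intermediary safe to trust: signature first, then audience (a ticket minted for webmail must not open grades), lifetime, single use, and finally the assurance level, which is what lets "choose your own method (and strength)" be decided per application rather than once for the whole campus.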

Page 14

Authorisation: Policy engines

[Diagram label: authorisation]

Page 15

Authorisation: Policy engines: e.g. use ‘roles’

[Diagram label: authorisation]

Page 16

Authorisation: 3 scenarios

1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’)

[Diagram label: authorisation]
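Pages 15 and 16 name role-based policy engines and three authorisation scenarios without showing what each decision looks like. The following is an added example, not code from the presentation or from PAPI, PERMIS, Shibboleth or SPOCP: one small policy engine that derives roles from directory attributes and then decides each of the three scenarios, including the attribute negotiation of scenario 3, where the service asks for attributes, the identity provider's release policy refuses some and replaces others with a derived claim. The directory records, role rules, release policy and reference date are all constructed.

```python
from datetime import date

REFERENCE_DATE = date(2005, 11, 8)   # assumed "today" for age derivation: the presentation date

# Constructed identity records, as the enterprise directory of page 17 would hold them.
DIRECTORY = {
    "alice": {"affiliation": "student", "department": "physics", "birthdate": "1985-03-02",
              "email": "alice@uni-a.example"},
    "bob":   {"affiliation": "staff", "department": "library", "birthdate": "1970-11-20",
              "email": "bob@uni-a.example"},
}

# Roles are derived from attributes by the policy engine rather than stored per application.
ROLE_RULES = {
    "member":    lambda a: a["affiliation"] in {"student", "staff"},
    "librarian": lambda a: a["affiliation"] == "staff" and a["department"] == "library",
}


def roles_for(attrs: dict) -> set:
    return {role for role, rule in ROLE_RULES.items() if rule(attrs)}


# Scenario 1: authentication = authorisation. Anyone who logged in gets in.
def authz_scenario1(authenticated: bool) -> bool:
    return authenticated


# Scenario 2: identity plus a few attributes. The service's policy names the role it needs.
SERVICE_POLICY = {"journal-archive": {"member"}, "catalogue-admin": {"librarian"}}


def authz_scenario2(user: str, service: str) -> bool:
    attrs = DIRECTORY.get(user)
    if attrs is None:
        return False
    return bool(roles_for(attrs) & SERVICE_POLICY[service])


# Scenario 3: privacy-preserving negotiation. The service asks for attributes, the identity
# provider's release policy decides what may leave, and derived claims replace raw data
# (an "over 18" flag instead of the birth date).
RELEASE_POLICY = {   # constructed: per service, what the identity provider is willing to release
    "journal-archive": {"affiliation", "age_over_18"},
    "catalogue-admin": {"affiliation", "department", "email"},
}


def age_over_18(attrs: dict) -> bool:
    born = date.fromisoformat(attrs["birthdate"])
    years = REFERENCE_DATE.year - born.year
    if (REFERENCE_DATE.month, REFERENCE_DATE.day) < (born.month, born.day):
        years -= 1
    return years >= 18


DERIVED = {"age_over_18": age_over_18}


def negotiate(user: str, service: str, requested: set):
    """Return (released attributes, refused attribute names) for one service request."""
    attrs = DIRECTORY[user]
    allowed = RELEASE_POLICY.get(service, set())
    released, refused = {}, []
    for name in sorted(requested):
        if name not in allowed:
            refused.append(name)
        elif name in DERIVED:
            released[name] = DERIVED[name](attrs)
        else:
            released[name] = attrs[name]
    return released, refused


def authz_scenario3(user: str, service: str, requested: set, predicate):
    """The service decides on the released set only; a refused attribute simply fails the predicate."""
    released, refused = negotiate(user, service, requested)
    return predicate(released), released, refused


if __name__ == "__main__":
    print(authz_scenario2("bob", "catalogue-admin"))
    print(negotiate("alice", "journal-archive", {"affiliation", "age_over_18", "birthdate"}))
```

The point of the third scenario is visible in `negotiate`: the birth date never leaves the identity provider, yet the service still gets a usable answer to the question it actually had. Page 17's warning that registration quality is crucial applies here directly, since every role and derived claim is only as good as the directory record it is computed from.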

Page 17

Administration: Identity Management

• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It’s the underlying basis for an AAI;
• …and it’s a hype…

[Diagram label: administration]

Page 18

Quick assessment of current AA systems

• Web login (authentication) systems
  – Athens, A-Select, CAS, CoSign, Pubcookie
• Authorisation systems
  – PAPI, PERMIS, Shibboleth, SPOCP
  – Portal products (Oracle, SiteMinder, Sun One, uPortal)

Page 19

Web login systems (A-Select, CAS, CoSign, Pubcookie, …)

[Diagram labels as on page 7: Login; (web) Application; Administration; Authorisation; Network; Authentication]

Page 20

Web login systems (Athens)

[Diagram labels as on page 7: Login; (web) Application; Administration; Authorisation; Network; Authentication]

Page 21

Portal products (Oracle, SiteMinder, Sun One, uPortal)

[Diagram labels as on page 7: Login; (web) Application; Administration; Authorisation; Network; Authentication]

Page 22

Authorisation products (PERMIS, SPOCP)

[Diagram labels as on page 7: Login; (web) Application; Administration; Authorisation; Network; Authentication]

Page 23

Authorisation products (PAPI)

[Diagram labels as on page 7: Login; (web) Application; Administration; Authorisation; Network; Authentication]

Page 24

Authorisation products: Shibboleth

[Diagram labels: Group A, Group B]

Page 25

Cross-domain AA: Ingredients for a federation

• Policies (e.g. InCommon* from Internet2):
  – Federation Operating Practices and Procedures
  – Participant Agreement
  – Participant Operating Practices
• Technologies:
  – Protocols / language
  – Schemas
  – Trust / PKI

* http://www.incommonfederation.org/

[Diagram labels: Group A, Group B]

Page 26

What about… …standards?

• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Webservices (SOAP, XML RPC, WSDL, WS-*)
• SAML (1.1 -> 2.0)
• For federations:
  – WS-Federation (Microsoft, IBM)
  – SAML (OASIS: 150 companies, Internet2)
  – Liberty Alliance (Sun, 170 companies)

Page 27

What about… …future developments (in the research world)?

• Need for:
  – Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
  – Attention to non-web-based applications (e.g. Grids)
  – Universal Single Sign-On across network and application domain
  – (Error-) Diagnostics across federations!

Page 28

Middleware diagnostics: what if there’s an error?

[Diagram: Security Related Events, Middleware Related Events and Network Related Events feed Collection and Normalization of Events, which feeds a Dissemination Network]

• Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets

[Diagram labels: Group A, Group B]

Page 29

Homework

but before that...

Manage your identities...

Page 30

References

• AAI terminology
• Athens
• A-Select
• CAS
• CoSign
• eduroam
• Internet2 Federation
• Middleware diagnostics
• NSF Middleware Initiative
• Privilege Management
• Shibboleth
• Swiss Federation

Page 31

Thank you! Questions?