Options for integrating the JANET Roaming Service (JRS) and Shibboleth Tim Chown [email protected] University of Southampton (UK) JISC Access Management Showcase Event London, 18th July 2006


Page 1

Options for integrating the JANET Roaming Service (JRS) and Shibboleth

Tim Chown tjc@ecs.soton.ac.uk

University of Southampton (UK)

JISC Access Management Showcase Event, London, 18th July 2006

Page 2

JRS and Shibboleth

- We have two ‘access control’ worlds:
  - JRS for network access, as described in the previous talk
  - Shibboleth for (currently) web-based applications
- JRS is being widely adopted
  - With support at a European/world scale via eduroam
  - What more value can we get from it?
- UK Shibboleth early adopters making progress
  - Can Shibboleth be used for WLAN access control?
  - Could the JRS be used as a back-end for Shibboleth?

Page 3

JRS components

Page 4

JRS features

- Easy to deploy
  - Most sites use RADIUS already
  - Uses generally long-established open standards
- Easy to join
  - Establish one RADIUS peering with national proxy
  - No local access control micro-management required
- All-in
  - All sites implicitly trust all other sites
- No attributes
  - Purely an authentication scheme
  - Though RADIUS can carry attributes

Page 5

Question 1

Can we use Shibboleth for network layer access control for roaming users?

- User powers up in WLAN hotspot
- Local network gateway blocks all external access until user authenticates using Shibboleth
- To authenticate using Shibboleth, user needs web access to the WAYF service and their home authentication service
- Implies local network gateway must be pre-configured with at least one allowed web destination per Shibboleth-enabled site that visitors may come from
- That doesn’t scale!

Page 6

Shib for WLAN roaming?

Page 7

Question 2

Can we use the JRS as a Shibboleth back end?

- May be able to leverage JRS to boost Shibboleth adoption
  - many JRS sites have no Shibboleth deployment
- Idea: introduce a Virtual Identity Provider (VIdP)
  - Functionally equivalent to a normal IdP
  - The VIdP uses the JRS as an authentication back-end
  - Any JRS-enabled site can use the VIdP in place of hosting its own IdP function
  - The VIdP can proxy on behalf of any number of sites
- RADIUS-Aware Gateway to Shibboleth (RAGS)

Page 8

The RAGS model

Page 9

Building the VIdP…

- Designed to have no changes to WAYF or SP code
- The IdP is modified to become the VIdP
- Tools already exist, e.g.:
  - Apache mod_auth_radius
  - JRadius Java connector, with support for (T)TLS for secure connection from VIdP to home site
- The JRS site needs to opt-in
  - Its entry in the WAYF service points to the VIdP
  - Can customise login appearance based on passed URL
- Some policy issues/decisions
  - e.g. it’s *possible* to add eduroam sites to UK WAYF

Page 10

Closing observations

- Shibboleth and JRS both being adopted
  - Initial adopter sites don’t overlap that much
- Shibboleth is unsuitable for WLAN admission
- JRS *could* be offered as a Shibboleth back end
  - The VIdP is currently being developed
- What about attributes?
  - What classes of attributes will be required?
  - Can use JRadius to query RADIUS-based attributes
- More policy questions
  - Would using the JRS be acceptable to the UK federation?
  - Who would manage the VIdP?