Deploying Authorization Mechanisms for Federated Services in eduroam Klaas Wierenga, EuroCAMP Helsinki, 17&18th April 2007
Page 1

Deploying Authorization Mechanisms for Federated Services in eduroam

Klaas Wierenga, EuroCAMP

Helsinki, 17&18th April 2007

Page 2

Contents

- Intro
- eduroam
- The European eduroam confederation
- eduGAIN
- DAMe
- Summary

Page 3

Federations in European education

- Enable the sharing of educational resources

- Applications
  - Shibboleth, PAPI, A-Select, Liberty
  - Federated with eduGAIN

- Network
  - eduroam

- Both require agreement on:
  - Responsibilities
  - Privacy
  - Liability
  - Technology
  - Language
  - Standards

Page 4

eduroam

Page 5

The goal of eduroam

“open your laptop and be online”

or

• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world enabling seamless sharing of network resources

Page 6

eduroam

[Diagram: eduroam architecture. A guest (piet@university_b.nl) with a supplicant connects to an authenticator (AP or switch) at University A. University A's RADIUS server and user DB forward the request via the SURFnet central RADIUS proxy server to University B's RADIUS server and user DB. The authenticator places the user in the StudentVLAN, CommercialVLAN or EmployeeVLAN. Flows are labelled data and signalling.]

• Trust based on RADIUS plus policy documents

• 802.1X

• (VLAN assignment)

Page 7

Eduroam interactions

[Diagram: eduroam interactions. Resource (AP) and RADIUS@visited at the visited site, RADIUS@home and Id Repository at the home site, connected by RADIUS + TLS channel(s). The RADIUS debug output shown on the slide:]

  Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
  *** Received from 145.99.133.194 port 1025 ....
  Code: Access-Request
  Identifier: 1
  Authentic: k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
  Attributes:
      User-Name = "[email protected]"
      NAS-IP-Address = 145.99.133.194
      Called-Station-Id = "001217d45bc7"
      Calling-Station-Id = "0012f0906ccb"
      NAS-Identifier = "001217d45bc7"
      NAS-Port = 55
      Framed-MTU = 1400
      NAS-Port-Type = Wireless-IEEE-802-11
      EAP-Message = <2><0><0>-<1>[email protected]
      Message-Authenticator = <27>`-y<208><232><252><177>.<160><230><177>I<218><243>\

  Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
  Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for [email protected], 145.99.133.194,
  Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
  Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
  Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with [email protected] [[email protected]]
  Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : [email protected] [[email protected]]
  Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
  Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for [email protected]
  Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
  Code: Access-Accept

eduroam hierarchy

Page 8

- Single technology
  - RADIUS
  - 802.1X
  - EAP

- Authentication = authorisation
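Added example, written for this page rather than taken from eduroam or the slides: a visited site's RADIUS server reads the realm out of User-Name, decides between local authentication and proxying up the RADIUS hierarchy, and turns the answer into access plus a VLAN, which is where "authentication = authorisation" shows. The request text, LOCAL_REALMS, NATIONAL_PROXY and GUEST_VLAN are constructed assumptions.

```python
import re

# Constructed Access-Request, shaped like the Radiator packet dump on the slide;
# the identity is the guest shown in the eduroam diagram.
SAMPLE_REQUEST = '''Code: Access-Request
Identifier: 1
Attributes:
        User-Name = "piet@university_b.nl"
        NAS-IP-Address = 145.99.133.194
        NAS-Port-Type = Wireless-IEEE-802-11
'''

# Assumed configuration of the visited site (University A); not from the slides.
LOCAL_REALMS = {"university_a.nl"}
NATIONAL_PROXY = "national-proxy.example"   # placeholder for the central RADIUS proxy server
GUEST_VLAN = "GuestVLAN"                    # hypothetical VLAN for roaming guests
# A realm must look like a DNS name; anything else is refused at the edge, not proxied upstream.
REALM_RE = re.compile(r"^(?:[a-z0-9_-]+\.)+[a-z]{2,}$", re.IGNORECASE)

def parse_attributes(dump):
    """Collect 'Name = value' pairs from the indented Attributes section of a packet dump."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r"\s+([\w-]+)\s*=\s*(.*)$", line)
        if m:
            attrs[m.group(1)] = m.group(2).strip().strip('"')
    return attrs

def route(attrs, local_realms=LOCAL_REALMS):
    """Who authenticates: ('local', realm), ('proxy', next hop) or ('reject', reason)."""
    user = attrs.get("User-Name", "")
    if user.count("@") != 1:                 # no realm means no home server to ask
        return ("reject", "User-Name must carry exactly one realm")
    realm = user.rsplit("@", 1)[1].lower()
    if not REALM_RE.match(realm):
        return ("reject", "malformed realm")
    if realm in local_realms:
        return ("local", realm)
    return ("proxy", NATIONAL_PROXY)         # the hierarchy finds the home RADIUS server

def admit(attrs, reply):
    """Visited-site result once the authenticating server answered with `reply` (a dict).
    Plain eduroam: the home server's Access-Accept is the whole decision; we only pick the VLAN."""
    action, detail = route(attrs)
    if action == "reject":
        return {"code": "Access-Reject", "reason": detail}
    if reply.get("code") != "Access-Accept":
        return {"code": "Access-Reject", "reason": "not accepted by " + detail}
    # Guests land in the guest VLAN whatever the home reply carried; locals get theirs from the user DB.
    vlan = GUEST_VLAN if action == "proxy" else reply.get("vlan", "StudentVLAN")
    return {"code": "Access-Accept", "vlan": vlan, "authenticated_by": detail}
```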

European eduroam confederation

Page 9

eduGAIN

Page 10

[Diagram: the eduGAIN model. Id Repository(ies) sit behind H-BE and H-FPP; Resource(s) sit behind R-BE and R-FPP. Both FPPs publish metadata to the MDS (MetadataPublish), the R-BE queries it (MetadataQuery), and the AA Interaction runs between the BEs and on to the repositories and resources.]

The eduGAIN model

Lingua Franca: SAML

Page 11

[Diagram: eduGAIN interactions. Requester (Resource, urn:geant2:...:requester) and Responder (Id Repository, urn:geant2:...:responder) talk over TLS channel(s); each reaches the MDS over a TLS channel. Messages shown on the slide:]

  Metadata query to the MDS: https://mds.geant.net/?cid=someURN
  Metadata answer: <EntityDescriptor . . . entityID="urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location="https://responder.dom/" /> . . .
  <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…"> . . . </samlp:Request>
  <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>

eduGAIN interactions

Page 12

DAMe

Page 13

DAMe: Deploying Authorization Mechanisms for Federated Services in eduroam

- DAMe is a project that builds upon:
  - eduroam, which defines an inter-NREN roaming architecture based on AAA servers (RADIUS) and the 802.1X standard,
  - Shibboleth and eduGAIN
  - NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia (Spain), based on the SAML (Security Assertion Markup Language) and XACML (eXtensible Access Control Markup Language) standards.

- Universities of Murcia and Stuttgart within Géant2 JRA5

Page 14

[Diagram: the eduroam architecture from page 6, extended with DAMe. A guest (piet@university_b.nl) with a supplicant, the authenticator (AP or switch), the RADIUS servers and user DBs of University A and University B, and the eduroam central RADIUS proxy server, plus an XACML Policy Decision Point and a SAML Source Attribute Authority. Flows are labelled data and signaling.]

• User mobility controlled by assertions and policies expressed in SAML and XACML

1st: Extension of eduroam with authZ
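Added example, written for this page and not code from DAMe or NAS-SAML: the visited site checks the SAML attribute assertion it received from the home institution's Attribute Authority and hands the attributes to a small XACML-style policy decision point, which answers Permit/Deny with the VLAN as an obligation. TRUSTED_ISSUERS, the policy rules and the sample assertion are constructed assumptions; the attribute name follows the eduPerson schema.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Assumed: entityIDs of home institutions trusted through federation metadata (constructed).
TRUSTED_ISSUERS = {"urn:geant2:university_b"}

@dataclass
class Rule:
    effect: str                                      # "Permit" or "Deny"
    target: dict                                     # attribute -> set of values that match
    obligations: dict = field(default_factory=dict)  # what the PEP must do on Permit, e.g. the VLAN

    def applies(self, attrs):
        """Every target attribute must share at least one value with the request."""
        for name, accepted in self.target.items():
            have = attrs.get(name, set())
            have = {have} if isinstance(have, str) else set(have)
            if not (have & accepted):
                return False
        return True

def evaluate(policy, attrs):
    """Deny-overrides combining: any applicable Deny wins, else the first applicable Permit."""
    permit = None
    for rule in policy:
        if rule.applies(attrs):
            if rule.effect == "Deny":
                return {"decision": "Deny", "obligations": {}}
            permit = permit or rule
    if permit is None:
        return {"decision": "NotApplicable", "obligations": {}}
    return {"decision": "Permit", "obligations": dict(permit.obligations)}

# Assumed visited-site policy (constructed); VLAN names are the ones on the eduroam slide.
VISITED_SITE_POLICY = [
    Rule("Deny",   {"action": {"connect"}, "eduPersonAffiliation": {"alum"}}),
    Rule("Permit", {"action": {"connect"}, "eduPersonAffiliation": {"staff", "faculty"}}, {"vlan": "EmployeeVLAN"}),
    Rule("Permit", {"action": {"connect"}, "eduPersonAffiliation": {"student"}}, {"vlan": "StudentVLAN"}),
]

def authorise(assertion, now_iso, policy=VISITED_SITE_POLICY):
    """PEP side: origin and validity of the assertion are checked before the PDP sees its attributes."""
    if assertion["issuer"] not in TRUSTED_ISSUERS:
        return {"decision": "Deny", "obligations": {}, "reason": "untrusted issuer"}
    if datetime.fromisoformat(now_iso) >= datetime.fromisoformat(assertion["not_on_or_after"]):
        return {"decision": "Deny", "obligations": {}, "reason": "assertion expired"}
    return evaluate(policy, {"action": "connect", **assertion["attributes"]})

# Constructed assertion content, as the home Attribute Authority would return it.
SAMPLE_ASSERTION = {"issuer": "urn:geant2:university_b", "not_on_or_after": "2007-04-17T12:00:00",
                    "attributes": {"eduPersonAffiliation": {"student", "member"}}}
```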

Page 15

2nd: eduGAIN AuthN+AuthZ backend

- Link between the AAA servers (now acting as Service Providers) and eduGAIN

Page 16

3rd: Universal Single Sign On

- Users will be authenticated once, during the network access control phase
- The eduGAIN authentication would be bootstrapped from the NAS-SAML
- New method for delivering authentication credentials and new security middleware
- 4th goal: integrating applications, focusing on grids.

Page 17

eduroam+NAS-SAML in Context

- The proposal is functionally equivalent to the one discussed in I2 SALSA-FWNA for RADIUS-SAML integration
- Compatibility and convergence are the natural way forward

- NAS-SAML is
  - From the inter-realm view, a Diameter binding for SAML
  - Already available, thus allowing for fast evaluation of ideas

- Agree in the basics
  - Data exchanged in RADIUS space
  - Relevant attributes

Page 18

Independent AuthZ

Page 19

Summary

Page 20

Summary

- Convergence to (small number of) standards
  - 802.1X + RADIUS
  - The SAML orbit

- International confederations are emerging
  - eduroam
  - Géant2 AAI (eduGAIN)

- The twain will ever meet
  - Using the same principles and standards

Page 21

Thank you!

More info: http://dame.inf.um.es/

[email protected]