

  • Number of slides: 36

AA Systems: Do you like to puzzle? 1st EuroCAMP, Turin, March 3rd, 2005. Ton.Verschuren@SURFnet.nl

Roadmap
  • Drivers for an AAI
  • The pieces of the puzzle: network and application access, login, authentication, authorisation, identity management
  • Assessments of current AA systems
  • Federations
  • Standards
  • Homework
EuroCAMP 2005, Torino

Why AAI? Personalised service provisioning!

Why AAI? Educational mobility!

Why AAI? Network mobility!

Why AAI? Reduce the digital key ring!

Ingredients of an AAI (diagram): Network, (web)Application, Login, Authentication, Authorisation, Administration

Network access: roaming

Network access: user-controlled light paths (diagram labels: Applications and Services, an A-Select token, UDDI/WSIL, and AAA Brokers at SURFnet6, NetherLight, StarLight and OMNInet)

Application access: centralise intelligence (two diagram slides)

Login server: intermediary between application and AA

Authentication: user perspective

Authentication: choose your own method
  • IP address
  • Username / password (LDAP, RADIUS, SQL)
  • Passfaces
  • PKI certificate
  • OTP through SMS
  • OTP through internet banking
  • Tokens (SecurID, Vasco, …)
  • Biometrics
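A worked example of the login-server pattern on the two slides above, added here and not taken from the presentation or from A-Select, CAS, Cosign or Pubcookie: the application sends the user to a login server, the login server runs whichever authentication method is configured, and hands back a signed, short-lived, single-use ticket bound to one application, which the application then validates over a back channel. The `LoginServer` class, the ticket format, the `AUTH_METHODS` registry, the two constructed back ends (standing in for LDAP/RADIUS/SQL passwords and for IP-address checks) and the sample users are all assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed sample back ends. A real login server would consult LDAP,
# RADIUS or SQL; here two tiny in-memory tables stand in for them.
_PASSWORD_HASHES = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
_IP_ALLOWLIST = {"bob": "192.0.2.10"}  # RFC 5737 documentation address


def auth_password(user, credential):
    """Username/password check against the constructed hash table."""
    expected = _PASSWORD_HASHES.get(user, "")
    got = hashlib.sha256(credential.encode()).hexdigest()
    return hmac.compare_digest(expected, got)


def auth_ip(user, credential):
    """The weakest method on the slide: trust the client IP address."""
    return _IP_ALLOWLIST.get(user) == credential


# "Choose your own method": the application names a method, the login
# server dispatches to it and the application never sees the credential.
AUTH_METHODS = {"password": auth_password, "ip": auth_ip}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class LoginServer:
    """Hypothetical login server: issues tickets and validates them."""

    def __init__(self, app_secrets, ttl=300):
        self.app_secrets = app_secrets  # app_id -> shared secret (bytes)
        self.ttl = ttl                  # ticket lifetime in seconds
        self.unused = set()             # ticket ids not yet redeemed

    def login(self, app_id, user, method, credential, now=None):
        """Run the chosen authentication method; on success issue a ticket
        bound to app_id. Returns None when authentication fails."""
        if app_id not in self.app_secrets:
            raise ValueError("unknown application: %s" % app_id)
        handler = AUTH_METHODS.get(method)
        if handler is None or not handler(user, credential):
            return None
        claims = {"sub": user, "aud": app_id, "amr": method,
                  "iat": int(now if now is not None else time.time()),
                  "jti": secrets.token_hex(8)}
        self.unused.add(claims["jti"])
        payload = _b64(json.dumps(claims, sort_keys=True).encode())
        mac = hmac.new(self.app_secrets[app_id], payload.encode(),
                       hashlib.sha256).hexdigest()
        return payload + "." + mac

    def verify(self, app_id, ticket, now=None):
        """Back-channel validation requested by the application: signature,
        audience, lifetime and single use. Returns the claims or None."""
        secret = self.app_secrets.get(app_id)
        if secret is None or "." not in ticket:
            return None
        payload, mac = ticket.rsplit(".", 1)
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None  # tampered, or signed for another application
        claims = json.loads(_unb64(payload))
        now = now if now is not None else time.time()
        if claims.get("aud") != app_id:
            return None  # ticket meant for a different application
        if not (claims["iat"] <= now <= claims["iat"] + self.ttl):
            return None  # expired, or issued in the future
        if claims["jti"] not in self.unused:
            return None  # already redeemed: replay
        self.unused.discard(claims["jti"])
        return claims
```

The checks in `verify` are the ones that distinguish a usable intermediary from a bearer cookie: a ticket issued for one application must be rejected by every other application, it must stop working after a short window, and it must be redeemable once, so that a ticket captured from a URL or log is worthless a few minutes later.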

Authorisation: Policy engines (two diagram slides)

Authorisation: 3 scenarios
  1. Authentication = authorisation
  2. Identity plus a few attributes
  3. Privacy-preserving negotiation about attributes to be exchanged
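The three scenarios, together with the policy-engine slides before them, as an added example that is not part of the presentation: an identity provider applies a per-service-provider attribute release policy, and each service provider runs a small policy engine over what it actually received. The user store, attribute names, `RELEASE_POLICY`, `SP_POLICY`, the four service providers and the targeted-pseudonym construction are all assumptions made for this illustration; in a real federation the attributes would travel in SAML assertions and follow an agreed schema.

```python
import hashlib

# Constructed identity store at the user's home organisation (the IdP).
USERS = {
    "alice": {"affiliation": "staff", "department": "physics",
              "mail": "alice@example.edu", "birthdate": "1980-01-01"},
    "bob": {"affiliation": "student", "department": "history",
            "mail": "bob@example.edu", "birthdate": "1999-05-05"},
}

# IdP attribute release policy per service provider (SP): which attributes
# the SP may receive, and whether it learns the real identity or only a
# targeted pseudonym. All entries are constructed for this example.
RELEASE_POLICY = {
    "open-portal": {"allowed": set(), "identity": "pseudonym"},
    "campus-wiki": {"allowed": {"mail", "department", "affiliation"},
                    "identity": "real"},
    "journal-db": {"allowed": {"affiliation"}, "identity": "pseudonym"},
    "age-check": {"allowed": {"affiliation"}, "identity": "pseudonym"},
}

# SP side: the attributes each SP requires, the ones it would merely like,
# and the access rule its policy engine evaluates over released values.
SP_POLICY = {
    # scenario 1: being authenticated at all is the only requirement
    "open-portal": {"required": set(), "optional": set(),
                    "rule": lambda a: True},
    # scenario 2: real identity plus a few attributes
    "campus-wiki": {"required": {"mail", "department"},
                    "optional": {"affiliation"},
                    "rule": lambda a: a["department"] == "physics"},
    # scenario 3: pseudonymous, only the attribute the decision needs
    "journal-db": {"required": {"affiliation"}, "optional": set(),
                   "rule": lambda a: a["affiliation"] in ("staff", "student")},
    # an SP asking for more than the IdP is willing to release
    "age-check": {"required": {"birthdate"}, "optional": set(),
                  "rule": lambda a: a["birthdate"] < "2000-01-01"},
}

PSEUDONYM_SALT = b"constructed-idp-secret"


def pseudonym(user, sp):
    """Targeted identifier: stable for one (user, SP) pair, but two SPs
    cannot correlate the same user (the privacy property of scenario 3)."""
    digest = hashlib.sha256(PSEUDONYM_SALT + user.encode() + b"|" + sp.encode())
    return "pseudo-" + digest.hexdigest()[:16]


def idp_release(user, sp, requested):
    """IdP: release only what the SP asked for AND policy allows AND the
    user actually has; never more than the release policy permits."""
    policy = RELEASE_POLICY[sp]
    have = USERS[user]
    granted = {a: have[a] for a in requested
               if a in policy["allowed"] and a in have}
    subject = user if policy["identity"] == "real" else pseudonym(user, sp)
    return {"subject": subject, "attributes": granted}


def sp_decide(sp, assertion):
    """SP policy engine: refuse if a required attribute was withheld (the
    negotiation failed), otherwise evaluate the access rule."""
    policy = SP_POLICY[sp]
    attrs = assertion["attributes"]
    missing = policy["required"] - set(attrs)
    if missing:
        return False, "required attributes not released: " + ", ".join(sorted(missing))
    return bool(policy["rule"](attrs)), "policy rule evaluated"


def federated_access(user, sp):
    """The whole exchange: SP states its needs, IdP releases, SP decides."""
    requested = SP_POLICY[sp]["required"] | SP_POLICY[sp]["optional"]
    assertion = idp_release(user, sp, requested)
    allowed, reason = sp_decide(sp, assertion)
    return {"allowed": allowed, "reason": reason,
            "subject": assertion["subject"],
            "released": assertion["attributes"]}
```

The `age-check` case is the one to look at: the SP needs `birthdate`, the IdP's release policy does not allow it, so the SP's engine fails closed on a missing attribute rather than guessing. That is the "negotiation" of scenario 3 reduced to its essentials, with the decision about what leaves the home organisation kept on the IdP side.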

Authorisation: privilege management

Administration: Identity Management
  • How to record the identities, credentials (attributes or roles), and privileges?
  • Enterprise (or meta) directory to glue all sources of information together
  • It's the underlying basis for an AAI!
  • …and it's a hype…
  • But since yesterday you know this all

Cross-domain AA: Federations

Cross-domain AA: Ingredients
  • Policies (e.g. InCommon):
    – Federation Operating Practices and Procedures
    – Participant Agreement
    – Participant Operating Practices
  • Technologies:
    – PKI
    – Schemas

Quick assessment of current AA systems
  • Web login (authentication) systems
    – A-Select, CAS, Cosign, Pubcookie
    – Portal products (Oracle, SiteMinder, Sun One, uPortal)
  • Authorisation systems
    – Athens, FEIDE, PAPI, PERMIS, Shibboleth, SPOCP
    – Portal products

Web login systems (A-Select, CAS, Cosign, Pubcookie): mapped onto the AAI ingredients diagram (Network, Authorisation, Authentication, Login, (web)Application, Administration)

Authorisation: Athens, mapped onto the AAI ingredients diagram

Authorisation: PAPI, mapped onto the AAI ingredients diagram

Authorisation: PERMIS, SPOCP, mapped onto the AAI ingredients diagram

Portal products (Oracle, SiteMinder, Sun One, uPortal), mapped onto the AAI ingredients diagram

Authorisation: Shibboleth (diagram: Group A, Group B)

What about… standards?
  • Currently many proprietary solutions (sockets, cookies, redirects, …)
  • Web services (SOAP, XML-RPC, WSDL, WS-*)
  • SAML
  • For federations:
    – WS-Federation (Microsoft, IBM)
    – SAML (OASIS: 150 companies, Internet2)
    – Liberty Alliance (Sun, 170 companies)

And the future…?
  • Converging or dominant standard(s)
    – Means better interoperability between the pieces of the puzzle
  • Universal single sign-on across network and application domain
    – Convergence of EduRoam and weblogin services
    – Including non-web-based applications

Homework: Manage your identities! (three slides)

Homework: Start building an AAI! (diagram: Network, (web)Application, Login, Authentication, Authorisation, Administration)

References
  • Identity Management
  • EduRoam
  • A-Select weblogin
  • Privilege Management
  • Intro on federations
  • Internet2 Federation
  • Swiss Federation
  • End-to-end diagnostics

Thank you! Questions?