- Number of slides: 18
Authentication and Authorization Infrastructure
Martin Sutter, Head of NetServices
Thomas Lenggenhager, Deputy Project Manager AAI
Christoph Graf, Head of Network Security
2005 © SWITCH
Agenda
• AAI deployment in Switzerland
• SWITCHaai key issues
• AAI & Grid
• Outlook
• EUGridPMA
Motivation for SWITCHaai
• Need for SWITCHaai spawned by the Swiss Virtual Campus, a large national e-learning project
  - About 30 projects developing e-learning content, each involving at least three different sites
  - Authentication & authorization not to be solved by each project individually
SWITCHaai Building Blocks (diagram)
• Organizational Framework
• Interoperation
• Identity Providers (Home Orgs)
• Service Providers (Resources)
• Central Services
• Funding
Organizational Framework
• SWITCH acts as SWITCHaai Federation service provider
• Federation membership is based on signed service agreements
Interoperation
Requires agreement on technical details like
• Standards
  - SAML 1.1
• Software versions (as per May 2005)
  - Shibboleth 1.1 for identity providers
  - Shibboleth 1.2.1 for service providers
• Accepted certificate authorities
  - SWITCHpki plus Thawte, Trustcenter, VeriSign
• Attribute specification
  - swissEduPerson
Interoperation: Attributes
• Criteria for attribute specification
  - Start simple, extend as required
  - Common understanding on interpretation
  - Already widely used: swissEduPerson
• Attribute usage by applications
  - Use minimal set required
  - Data protection principle
Identity Provider Integration
Diagram: AAI-enabled Identity Provider = Authentication System + AAI component + User Directory
Currently in use in SWITCHaai:
• Authentication Systems
  - OpenLDAP with CAS or Pubcookie
  - Kerberos AuthN with Active Directory
  - Windows AuthN with IIS
• User Directory
  - OpenLDAP
  - Active Directory
Identity Providers in SWITCHaai
Map legend: operational AAI Identity Provider / AAI Identity Provider getting ready
Institutions shown: University Hospital Zurich, Zurich University of Applied Sciences Winterthur, University Zurich, SWITCH, University Berne, University Fribourg, ETH Zurich, University Lucerne, Virtual Home Org, University Lausanne, University Geneva
• 110'000 Swiss Higher Ed users have an AAI account (≈ 50% of all)
Virtual Home Organization – VHO
Integrate end users without Identity Provider
- Resource owner creates 'AAI-enabled' accounts @VHO for users without an identity provider
- A VHO account is only usable for the resource(s) managed by the resource owner
Diagram: some end users without identity provider; Federation Member (Identity Provider, Resource Owner, End User); VHO Service @SWITCH (Admin, VHO Policy, User Dir)
Types of Service Providers
Categories: e-learning, libraries, commercial, other web applications
Examples: OLAT, Vista@SVC, EZproxy, WebCT@ETHZ, VITELS, Blackboard, DOIT, Moodle, AD Learn & Co, ILIAS, ScienceDirect, …, BSCW, Vconf-Reservation, SwissLex, TWiki, eShops, SMS-Gateway, IS-Academia, Jobs@BWI
• 50 'shibbolized' servers
• 10'000 active AAI users
Service Provider Example: DOIT
DOIT: Dermatology Online with Interactive Technology
AAI Identity Providers: University Zurich, University Berne, University Lausanne
AAI Service Provider access rule:
  IdP = UniZH | UniBE | UniL
  Affiliation = student
  studyBranch = medicine
  studyLevel = 15
• 500 AAI users
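The attribute flow behind the DOIT rule, as an added example that is not from the presentation and not SWITCH or Shibboleth code: the identity provider releases only the minimal attribute set a service provider needs (the "use minimal set required" point on the attributes slide), and the service provider then evaluates the DOIT access rule with default deny, so a missing attribute or an identity provider outside the rule is a refusal. The users, the extra attributes (surname, phone), the `RELEASE_POLICY` and `AccessRule` structures and all function names are assumptions; only the attribute names and the rule values come from the slide.

```python
"""Attribute release at the identity provider and attribute-based access
control at the service provider, modelled on the DOIT example.

Constructed example: the users, the extra attributes and the policy
structure are assumptions; only the attribute names and the DOIT rule
values come from the slides. This is not SWITCH or Shibboleth code."""

from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Attributes each identity provider (home organization) holds about its
# users. Constructed sample data; attribute names follow the swissEduPerson
# names used in the DOIT access rule, plus two attributes (surname, phone)
# that a service provider should never receive unless it needs them.
IDP_USER_STORE: Dict[str, Dict[str, Dict[str, str]]] = {
    "UniZH": {
        "alice": {"affiliation": "student", "studyBranch": "medicine",
                  "studyLevel": "15", "surname": "Muster", "phone": "+41 00 000 00 00"},
        "bob": {"affiliation": "staff", "studyBranch": "", "studyLevel": "",
                "surname": "Beispiel", "phone": "+41 00 000 00 01"},
    },
    "UniBE": {
        "carol": {"affiliation": "student", "studyBranch": "law",
                  "studyLevel": "15", "surname": "Exemple", "phone": "+41 00 000 00 02"},
    },
    "ETHZ": {
        "dave": {"affiliation": "student", "studyBranch": "medicine",
                 "studyLevel": "15", "surname": "Example", "phone": "+41 00 000 00 03"},
    },
}

# Attribute release policy (assumed structure): for each service provider,
# the minimal set of attributes it needs. A service provider that is not
# listed receives nothing at all.
RELEASE_POLICY: Dict[str, FrozenSet[str]] = {
    "DOIT": frozenset({"affiliation", "studyBranch", "studyLevel"}),
    "Library": frozenset({"affiliation"}),
}


def release_attributes(idp: str, user: str, sp: str) -> Optional[Dict[str, str]]:
    """Return the attributes `idp` releases to `sp` for `user`, or None when
    the user is unknown (no assertion is issued at all)."""
    held = IDP_USER_STORE.get(idp, {}).get(user)
    if held is None:
        return None
    allowed = RELEASE_POLICY.get(sp, frozenset())
    # Empty-valued attributes are not released; the service provider then
    # sees them as missing, which is exactly what default deny needs.
    return {name: value for name, value in held.items()
            if name in allowed and value != ""}


@dataclass(frozen=True)
class AccessRule:
    """Service-provider access rule: the identity providers the resource
    trusts plus the attribute values every user must present."""
    allowed_idps: FrozenSet[str]
    required: Dict[str, str]


# The DOIT rule from the slide: IdP = UniZH | UniBE | UniL,
# affiliation = student, studyBranch = medicine, studyLevel = 15.
DOIT_RULE = AccessRule(
    allowed_idps=frozenset({"UniZH", "UniBE", "UniL"}),
    required={"affiliation": "student", "studyBranch": "medicine", "studyLevel": "15"},
)


def authorize(rule: AccessRule, idp: str, attributes: Optional[Dict[str, str]]) -> bool:
    """Default deny: the asserting identity provider must be one the rule
    trusts, and every required attribute must be present with the required
    value. A missing attribute is a denial, never a wildcard."""
    if idp not in rule.allowed_idps or attributes is None:
        return False
    return all(attributes.get(name) == value for name, value in rule.required.items())


def access_decision(idp: str, user: str, sp: str, rule: AccessRule) -> bool:
    """Full path: the identity provider releases attributes, the service
    provider decides on what it actually received."""
    return authorize(rule, idp, release_attributes(idp, user, sp))


if __name__ == "__main__":
    for idp, user in [("UniZH", "alice"), ("UniZH", "bob"), ("UniBE", "carol"),
                      ("ETHZ", "dave"), ("UniZH", "nobody")]:
        print(f"{user}@{idp} -> DOIT: {access_decision(idp, user, 'DOIT', DOIT_RULE)}")
```

Only alice is admitted: bob is staff, carol studies law, dave's identity provider (ETHZ) is not in the rule, and an unknown user gets no assertion. The release step is what keeps surname and phone at the home organization; DOIT never sees them because its policy entry does not list them.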
Integration of "Blackboxes"
AAIportal (open source, GPL)
• Authentication / authorization gateway
• Portal functionalities (optional)
• User management (optional)
• Adaptors to blackbox applications:
  - WebCT Vista
  - WebCT CE
  - …
Diagram: applications A1, A2, … behind AAIportal, which connects to Shibboleth through a Sign On API
Central AAI Services
• Strategy & marketing
• International contacts
• Support, consulting, training
• Providing federation-specific files and configuration guides
• Operating WAYF server ('Where are you from?')
• Testing parties (identity provider, service provider)
• Jump-start service
• Virtual Home Organization
Key Issues in SWITCHaai
• Structure of SWITCHaai Federation
  - Switzerland is strongly federal
    o solve problems at the lowest level
    o coordinate where useful
• AAI is more than Shibboleth
  - SWITCHaai designed to be extensible
    o policies
    o federation
• SAML 2 and Shibboleth 2 will allow interoperability with other SAML-based infrastructures
AAI and Grid
• SWITCHaai concept is ready for Grid integration
• Current Shibboleth version not yet Grid ready
• GridShib, an Internet2 project, links upcoming Shibboleth 1.3 with Globus Toolkit 4.1
  - first phase to be implemented until autumn 2005
  - second phase to be implemented until second half of 2006
  - http://grid.ncsa.uiuc.edu/GridShib/
• Extension to other n-tier use cases possible
Outlook 2005 – 2007
• More national AAI-related projects
  - supported by federal grants (on matching funds)
• Non-web-browser-based service providers (like Grid)
• Study on AAI and ECTS
• Study on extending AAI to AAAI
  - accounting, but not limited to billing
• Integration of federation partners
  - resources from non-members
  - other federations
http://www.switch.ch/aai
EUGridPMA
• What the EUGridPMA does
  - A useful job for Grid projects (evaluating CP/CPSs)
  - Impressive PR: made it into e-IRG papers (together with TACAR)
• NREN perspective:
  - NRENs engaging in PKIs need something similar to interwork
  - But we will need more than one assurance level (Grid-strength certs and basic-strength certs)
• The predicted future of EUGridPMA:
  - Perish: if they stay Grid-specific
  - Flourish: if they become relevant beyond the Grid
• Recommendation:
  - NRENs to collaborate and eventually host EUGridPMA activities
  - Terena to play an important role (how about TACAR++?)


