84f66852355a38f3670fe0fbaecfac0b.ppt
- Number of slides: 33
Do you like to puzzle? …build an AA Infrastructure!
DELAMAN Access Group Workshop, November 30th, 2004
Bart.Kerver@SURFnet.nl
Presentation contents
• Drivers for an AAI;
• The pieces of the AAI-puzzle;
  – network and application access, login, authentication, authorisation, identity management;
• Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
Authentication and Authorisation Infrastructure (AAI)
The Authentication and Authorisation Services, the components for Identity and Privilege Management, and the entities responsible for these services together constitute an Authentication and Authorisation Infrastructure.
Why AAI? Personalised service provisioning
Why AAI? Educational mobility
Why AAI? Network mobility
Why AAI? Reduce the digital key ring
Ingredients of an AAI (puzzle pieces): Network, Authentication, Authorisation, (web)Application, Login, Administration
Network access: RADIUS proxy hierarchy
(Diagram: European RADIUS Proxy Servers at the top, National RADIUS Proxy Servers below them, and Organisational RADIUS Servers A, B and C at the bottom; a request entering at one organisation's network is forwarded up the hierarchy and down again to the user's home organisation.)
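How a request travels through such a proxy hierarchy can be modelled with realm-based routing, as in the following added example (not code from the presentation or from SURFnet; the proxy names, realms and users are constructed, and the forwarding decision on the realm after the `@` is modelled in plain Python rather than over the RADIUS protocol):

```python
"""Realm-based forwarding through a RADIUS proxy hierarchy (illustration only).

Constructed hierarchy:  EU-proxy
                        /       \
                   NL-proxy    DE-proxy
                   /     \         \
                Org-A   Org-B     Org-C
A user who connects at Org-A with a home realm served by Org-C is forwarded
Org-A -> NL-proxy -> EU-proxy -> DE-proxy -> Org-C, where the password is checked.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_HOPS = 8  # guard against mis-configured proxies that forward in a loop


@dataclass
class RadiusServer:
    name: str
    # realms this server authenticates itself (organisational servers only)
    local_realms: set[str] = field(default_factory=set)
    # realm suffix -> downstream server (national proxies know their organisations,
    # the European proxy knows the national proxies)
    routes: dict[str, RadiusServer] = field(default_factory=dict)
    # where to send anything not known locally; the top-level proxy has none
    upstream: RadiusServer | None = None

    def forward(self, user: str, path: list[str] | None = None) -> list[str]:
        """Return the list of servers visited until one authenticates the user."""
        path = [] if path is None else path
        path.append(self.name)
        if len(path) > MAX_HOPS:
            raise RuntimeError(f"proxy loop suspected after {MAX_HOPS} hops: {path}")
        # a name without '@' is a local user of the server it arrived at
        realm = user.rsplit("@", 1)[1].lower() if "@" in user else None
        if realm is None or realm in self.local_realms:
            return path
        # longest matching suffix wins, so 'uni-b.nl' is preferred over 'nl'
        best: tuple[str, RadiusServer] | None = None
        for suffix, server in self.routes.items():
            if realm == suffix or realm.endswith("." + suffix):
                if best is None or len(suffix) > len(best[0]):
                    best = (suffix, server)
        if best is not None:
            return best[1].forward(user, path)
        if self.upstream is not None:
            return self.upstream.forward(user, path)
        # unknown realm at the top of the hierarchy: reject, never guess
        raise LookupError(f"{self.name}: unknown realm {realm!r}, request rejected")


def build_hierarchy() -> dict[str, RadiusServer]:
    """Constructed example hierarchy; names and realms are not real deployments."""
    eu = RadiusServer("EU-proxy")
    nl = RadiusServer("NL-proxy", upstream=eu)
    de = RadiusServer("DE-proxy", upstream=eu)
    org_a = RadiusServer("Org-A", {"uni-a.nl"}, upstream=nl)
    org_b = RadiusServer("Org-B", {"uni-b.nl"}, upstream=nl)
    org_c = RadiusServer("Org-C", {"uni-c.de"}, upstream=de)
    nl.routes = {"uni-a.nl": org_a, "uni-b.nl": org_b}
    de.routes = {"uni-c.de": org_c}
    eu.routes = {"nl": nl, "de": de}
    return {s.name: s for s in (eu, nl, de, org_a, org_b, org_c)}


def forward_path(visited: str, user: str) -> list[str]:
    """Servers traversed for `user` connecting at the `visited` organisation."""
    return build_hierarchy()[visited].forward(user)


def is_routable(visited: str, user: str) -> bool:
    """True when some server in the hierarchy is responsible for the user's realm."""
    try:
        forward_path(visited, user)
        return True
    except LookupError:
        return False


if __name__ == "__main__":
    for user in ("alice@uni-a.nl", "alice@uni-b.nl", "bob@UNI-C.DE", "mallory@example.org"):
        print(user, "->", forward_path("Org-A", user) if is_routable("Org-A", user) else "rejected")
```

An organisational server authenticates the realms it owns, forwards everything else to its national proxy, and the top-level proxy rejects unknown realms instead of guessing; the hop limit is a simple guard against the forwarding loops a mis-configured proxy chain can produce.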
Network access: user-controlled light path provisioning
(Diagram: applications and services discovered via UDDI/WSIL present an A-Select token to AAA Brokers at SURFnet6, NetherLight, Starlight and OMNInet, which provision the light path across the networks.)
Application access: centralise intelligence (applications)
Login server: intermediary between application and AA: provides SSO login
Authentication: choose your own method (and strength)
• IP address
• Username / password
  – LDAP / Active Directory
  – RADIUS
  – SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …
Authentication: solutions for web environments
• Web Initial Sign-on (WebISO)
  – A-Select, SURFnet
  – CAS, Yale
  – Cosign, Michigan
  – Distauth, UC Davis
  – eIdentity Web Authentication, Colorado State
  – PAPI, RedIRIS
  – Pubcookie
  – WebAuthN/AuthZ, Michigan Tech
  – WebAuth, Stanford
  – … etcetera …
Authorisation: policy engines (e.g. using 'roles')
Authorisation: 3 scenarios
1. Authentication = authorisation ('simple')
2. Identity plus a few attributes ('commonly used')
3. Privacy-preserving negotiation about the attributes to be exchanged ('ideal and upcoming')
Administration: Identity Management
• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It's the underlying basis for an AAI;
• …and it's a hype…
Administration: Identity Management - layers example
(Diagram, top to bottom)
• Admin layer: Local Admin, SAP/HR administration
• Directory layer: LDAP, ADS
• Application layer: Exchange, Portfolio, W2K/XP
• Network layer: RADIUS, 802.1x WLAN, CAB, Dial-UP
Presentation contents
✓ Drivers for an AAI;
✓ The pieces of the AAI-puzzle;
  ✓ network and application access, login, authentication, authorisation, identity management;
→ Federations;
• Shibboleth;
• E2E Middleware Diagnostics;
• Standards;
• Developments;
Federations
A Federation is a group of organisations whose members have agreed to cooperate in an area such as operating an inter-organisational AAI: a Federated AAI or an AAI Federation.
Cross-domain AA: ingredients for a federation
• Policies (e.g. InCommon* from Internet2):
  – Federation Operating Practices and Procedures
  – Participant Agreement
  – Participant Operating Practices
• Technologies:
  – Protocols / language
  – Schemas
  – Trust / PKI
* http://www.incommonfederation.org/
Cross-domain AA: Federation, organisational view (diagram of Group A and Group B)
Birdseye view of the Shibboleth Suite
• What is Shibboleth?
  – An Internet2/MACE project that provides a framework and technology for inter-institutional authorisation for (web) resources. A major feature is to offer authorisation without compromising the user's privacy. Trust relations are created within a federation;
• What does Shibboleth offer?
  – authorisation, attribute gathering and privacy-safe transport of attributes;
• What doesn't Shibboleth do?
  – Out-of-the-box authentication; choose a WebISO (e.g. A-Select)
• Result at a protected resource after the Shibboleth process:
  – user ID-x with the attributes X, Y wants access to resource Z
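The three authorisation scenarios and the Shibboleth end result ("user ID-x with the attributes X, Y wants access to resource Z") can be put together in one small model, as an added example that is not code from the presentation or from the Shibboleth project: the identity provider's attribute release policy decides which attributes leave the home organisation for a given service provider, and the service provider's policy engine decides on the released attributes. User identifiers, attribute names, resources and policies are all constructed for the example.

```python
"""Attribute release (IdP side) and attribute-based authorisation (SP side).

Illustration only; not Shibboleth code. Everything below is constructed:
  * scenario 1 'authentication = authorisation': campus-wiki needs no attributes
  * scenario 2 'identity plus a few attributes': journal-archive and library-admin
  * scenario 3 'privacy-preserving': the release policy sends each service
    provider only the attributes it needs, so date of birth and e-mail never leave
"""

# constructed identity store of the home organisation (identity provider)
USERS = {
    "ID-x": {"affiliation": "staff", "role": "librarian",
             "dob": "1970-01-01", "email": "x@uni-a.example"},
    "ID-y": {"affiliation": "student", "role": "member",
             "dob": "1999-05-05", "email": "y@uni-a.example"},
}

# attribute release policy: service provider -> attributes it may receive
RELEASE_POLICY = {
    "campus-wiki": set(),
    "journal-archive": {"affiliation"},
    "library-admin": {"affiliation", "role"},
}

# access policy of each service provider: attribute -> accepted values;
# an empty rule set means 'any authenticated user of the federation'
ACCESS_POLICY = {
    "campus-wiki": {},
    "journal-archive": {"affiliation": {"staff", "student"}},
    "library-admin": {"affiliation": {"staff"}, "role": {"librarian"}},
}


def release_attributes(user_id: str, sp: str) -> dict[str, str]:
    """IdP side: return only the user's attributes the release policy allows for sp."""
    allowed = RELEASE_POLICY.get(sp, set())  # unknown SP: release nothing
    return {k: v for k, v in USERS[user_id].items() if k in allowed}


def authorise(sp: str, released: dict[str, str]) -> bool:
    """SP side: every required attribute must be present with an accepted value."""
    rules = ACCESS_POLICY.get(sp)
    if rules is None:
        return False  # no policy registered for this resource: fail closed
    return all(released.get(name) in values for name, values in rules.items())


def access_request(user_id: str, sp: str) -> dict:
    """The whole exchange: IdP releases attributes, SP decides on them."""
    released = release_attributes(user_id, sp)
    return {
        "user": user_id,
        "resource": sp,
        "released": sorted(released),
        "granted": authorise(sp, released),
    }


if __name__ == "__main__":
    for user in USERS:
        for sp in ACCESS_POLICY:
            print(access_request(user, sp))
```

Note that the service provider never sees `dob` or `email`: the release policy, not the access policy, is what keeps attributes private, and an unknown service provider receives nothing while an unknown resource is denied by default.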
Shibboleth mapping of AAI components (diagram of Group A and Group B)
E2E Middleware diagnostics: what if there's an error?
Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets.
(Diagram: Middleware Related Events, Network Related Events and Security Related Events feed a Collection and Normalization of Events stage, which publishes over a Dissemination Network.)
E2E Middleware diagnostics: what if there's an error? (continued)
(Diagram of hosts 1 to 9 in two federated groups, carrying: Application, System or Security Events; Web-App Archive; LDAP, DNS; Network Devices; Enterprise Netflow Network Events; Combined Forensics and Reporting; General Forensics And Reporting; Federation Archive and Network Forensics; User Diag App.)
What about… …standards???
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Webservices (SOAP, XML-RPC, WSDL, WS-*)
• SAML
• For federations:
  – WS-Federation (Microsoft, IBM)
  – SAML (OASIS: 150 companies, Internet2)
  – Liberty Alliance (Sun, 170 companies)
What about… …developments (in the research world)???
• Australia: start with Shibboleth
• Europe: combination of Shibboleth and 'home-grown'
• USA: Shibboleth
• European project Geant2:
  – GN2-JRA5: focus on European AAI, SSO for network and applications
• Need for:
  – Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
  – Universal Single Sign-On across the network and application domains
  – Attention to non-web-based applications
References
• Identity Management
• AAI Terminology
• EduRoam
• A-Select weblogin
• Privilege Management
• Intro on federations
• Internet2 Federation
• Swiss Federation
• End-to-end diagnostics
Questions?
To conclude: a possible future: DELAMAN Federation based on Shibboleth?
(Diagram: the Delaman Foundation, with a Board of Founders, an Operations Committee, an Advisory Committee, Foundation Members and Foundation Partners, runs the Central AAI Services; Service Providers subscribe their services, and Home organisations (Institutes, Research, Universities, Libraries) register their resources; together they form the Delaman Federation.)