- Number of slides: 21
Mechanisms for Distributed Global Authentication
David R Newman
2nd February 2017
www.sown.org.uk

The Problem
• Users need to authenticate to use a service
• But the service provider does not want to manage user credentials
• And/or the user already has credentials they want to use
The Solutions
(diagram slide: overview of the solutions covered in the talk)
Versions of OpenID
• The mechanisms for OpenID and OpenID Connect are somewhat similar.
• OpenID
  • Does not require any configuration for the service provider on the identity provider.
  • The service provider decides which identity providers to trust.
  • Most identity providers have either been discontinued (e.g. MyOpenID) or deprecated in preference to OpenID Connect (e.g. Google).
• OpenID Connect
  • Uses OAuth 2.0 to register the service as an application on the identity provider.
OpenID
(diagram slide: OpenID authentication flow)

OpenID Providers
(diagram slide: OpenID providers)

OpenID Connect
(diagram slide: OpenID Connect authentication flow)
Shibboleth
• Commonly used by higher education institutions.
• Requires greater co-operation between service provider and identity provider stakeholders to set up.
• Provides a shim on top of existing user and authentication services.
• Explicitly designed to support third-party discovery services.
• Access to user attributes is controlled by the identity provider rather than the user.
Setting up a Shibboleth Service Provider (SP)
(diagram: Shibboleth Service Provider (SP) and Shibboleth Identity Provider (IdP))
1. Download IdP metadata including certificate
2. Edit SP configuration to reference IdP metadata
3. Generate key and certificate for SP and reference in configuration
4. Get IdP to download SP metadata including certificate
5. Edit IdP configuration to reference SP metadata
Shibboleth Authentication
(diagram: User, Service, Shibboleth Service Provider (SP), Shibboleth Identity Provider (IdP))
1. User requests restricted resource
2. Service detects login required
3. SP tells user to authenticate on the IdP
4. User requests IdP login service
5. IdP provides login page
6. User provides login credentials
7. IdP provides authentication results and user attributes to SP (via User)
8. SP tells Service whether user can access resource
9. Service returns resource or forbidden
Sharing User Attributes with Shibboleth
(diagram: LDAP Server, Shibboleth Identity Provider (IdP), Shibboleth Service Provider (SP), Service)
1. LDAP attributes mapped to SAML
2. IdP checks which attributes SP can be given
3. SP maps the attributes of interest and passes them on to the service
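As an added illustration (not from the talk's slides), a small Python model of the three steps above, plus the check an SP applies to scoped attributes such as eduPersonPrincipalName so that one IdP cannot assert an identity in another institution's scope. The entity IDs, release policy and LDAP record are constructed; the urn:oid attribute names are the standard eduPerson/LDAP ones.

```python
# Added example: LDAP->SAML mapping (step 1), IdP release policy (step 2) and the
# SP map with a scope check (step 3). Entity IDs, policy and record are constructed.
# Step 1: LDAP attribute -> SAML attribute name (standard urn:oid form).
LDAP_TO_SAML = {
    "eduPersonPrincipalName": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "displayName": "urn:oid:2.16.840.1.113730.3.1.241",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}

# Step 2: attributes the IdP releases, keyed by SP entityID (constructed).
RELEASE_POLICY = {
    "https://sp.example.ac.uk/shibboleth": {
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",  # eppn
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",  # eduPersonAffiliation
    },
}

# Step 3: SP attribute map (SAML name -> local id); eppn is scoped (user@scope).
SP_ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "affiliation",
}
SCOPED_IDS = {"eppn"}

def idp_build_assertion(ldap_record, sp_entity_id):
    """Steps 1 and 2: map LDAP attributes to SAML names, release only what policy allows."""
    allowed = RELEASE_POLICY.get(sp_entity_id, set())
    return {saml: ldap_record[ldap] for ldap, saml in LDAP_TO_SAML.items()
            if ldap in ldap_record and saml in allowed}

def sp_map_attributes(assertion, idp_scope):
    """Step 3: map SAML names to local ids; drop scoped values outside the IdP's scope."""
    mapped = {}
    for saml_name, value in assertion.items():
        local_id = SP_ATTRIBUTE_MAP.get(saml_name)
        if local_id is None:
            continue  # SP is not interested in this attribute
        if local_id in SCOPED_IDS:
            _, sep, scope = value.rpartition("@")
            if sep != "@" or scope.lower() != idp_scope.lower():
                continue  # scope not owned by this IdP: reject the value
        mapped[local_id] = value
    return mapped

# Constructed LDAP record for one sample user.
SAMPLE_LDAP = {"eduPersonPrincipalName": "alice@example.ac.uk", "mail": "alice@example.ac.uk",
               "displayName": "Alice Example", "eduPersonAffiliation": "staff"}
```

The IdP's allowed scope comes from its metadata in a real deployment; here it is passed in as a parameter.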
Shibboleth with Discovery
(diagram slide: Shibboleth authentication with a discovery service)
Eduroam
• International Wi-Fi roaming service
• Predominantly available at higher education institutions
• Users can log in using their institutional username and password
• Easily configurable on Windows, Linux, MacOS, Android and iOS
• Uses RADIUS to enable 802.1X authentication

How RADIUS Works
(diagram slide: RADIUS authentication flow)
RADIUS Peering
• Allows authentication beyond your domain.
• Peer directly with another RADIUS server using a "shared secret".
• This RADIUS server can then peer with others.
• Rules in the RADIUS configuration determine whether to attempt local authentication or which server to relay to.
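As an added illustration (not from the talk's slides), a Python sketch of the two mechanisms on this slide: realm-based rules that decide between local authentication and relaying to a peer, and the shared-secret check (the RFC 2865 Response Authenticator) that lets a server accept a reply only from the peer it relayed to. All realms, peer names and secrets are constructed.

```python
# Added example: realm-based routing rules and the shared-secret check a RADIUS
# server applies to a peer's reply (RFC 2865 Response Authenticator). All realms,
# peer names and secrets are constructed.
import hashlib
import hmac

# Routing rules: realm -> peer to relay to, or None to authenticate locally.
ROUTING = {
    "sown.org.uk": None,        # our own users: authenticate locally
    "example.ac.uk": "janet",   # another institution: relay to the federation
}
DEFAULT_PEER = "janet"          # unknown realms are relayed upstream
PEERS = {"janet": b"constructed-shared-secret"}  # one shared secret per peer

def route_request(username):
    """Return 'local' or the name of the peer to relay to, from the NAI realm."""
    if "@" not in username:
        return "local"
    realm = username.rpartition("@")[2].lower()
    if realm in ROUTING:
        return ROUTING[realm] or "local"
    return DEFAULT_PEER

def response_authenticator(code, pkt_id, request_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), per RFC 2865 section 3."""
    length = (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(bytes([code, pkt_id]) + length + request_auth + attrs + secret).digest()

def build_response(code, pkt_id, request_auth, attrs, secret):
    """What a peer sends back: header, Response Authenticator, then attributes."""
    auth = response_authenticator(code, pkt_id, request_auth, attrs, secret)
    return bytes([code, pkt_id]) + (20 + len(attrs)).to_bytes(2, "big") + auth + attrs

def verify_response(packet, request_auth, secret):
    """Accept a peer's reply only if its authenticator matches our request and secret."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        return False
    expected = response_authenticator(packet[0], packet[1], request_auth, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed exchange: a relayed Access-Request (id 7) answered with Access-Accept (code 2)
# carrying one Reply-Message (type 18) attribute.
REQUEST_AUTH = bytes(range(16))
ACCEPT = build_response(2, 7, REQUEST_AUTH, bytes([18, 4]) + b"ok", PEERS["janet"])
```

A reply that fails `verify_response` (wrong secret, tampered attributes, or not matching the outstanding request) is simply discarded, which is why a peer that only knows a forged secret cannot answer on the real peer's behalf.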
How Eduroam Works
(diagram slide: Eduroam authentication flow)

SOWN's RADIUS Peering
(diagram: peering chain ECS, SOWN, Soton, Jisc (Janet), GEANT, DFN, Münster)

SOWN's RadMatrix
(diagram slide: SOWN's RadMatrix)
Further Reading
• OpenID
  • http://openid.net/connect/
  • http://openid.net/developers/specs/
  • https://developers.google.com/identity/protocols/OpenIDConnect
• Shibboleth
  • https://wiki.shibboleth.net/confluence/display/SHIB2/Software+Concepts
  • https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPLinuxRPMInstall
  • https://wiki.shibboleth.net/confluence/display/IDP30/Home
• Eduroam/RADIUS
  • https://www.eduroam.us/node/10
  • http://www.sown.org.uk/radmatrix
  • https://monitor.eduroam.org/mon_direct.php
  • https://www.eduroam.org/downloads/docs/eduroam_Compliance_Statement_v1_0.pdf
Next SOWN Talk
Administering the SOWN Network – David Newman and Chris Malton
Probably 2nd March

Questions?