a49aa9679917ee8ad2808323b3ad5ecc.ppt
- Number of slides: 23
UPKI-Federation based on Shibboleth
National Institute of Informatics: Motonori Nakamura, Toshiyuki Kataoka
Kyoto University: Yasuo Okabe
Outline
1. Overview of UPKI and UPKI-Fed
2. UPKI Single Sign-On Trial
3. Roadmap
What is UPKI?
- We are constructing a University Public Key Infrastructure (UPKI), intended to achieve inter-university cooperation that makes safe, convenient and effective use of the educational and research computing systems, digital contents, networks, and business systems of almost 800 universities and other institutions in Japan.
- We are promoting an inter-university authentication federation by developing UPKI common specifications and by developing applications that use the PKI.
1. Overview of UPKI
UPKI Three-Layer Architecture
UPKI Three-Layer Architecture
- Open Domain PKI (Public PKI)
  - Used for authentication, signature and encryption on the Internet.
  - Public certificates for servers and individuals on the Internet are issued by a PKI service provider.
- Campus PKI
  - Used on the campus network for secure access and secure transactions: SSO, VPN, 802.1X, e-Approval, etc.
  - Certificates for servers and for faculty, staff and students on the campus network are issued by each organization.
- Grid PKI
  - Used for authentication for NAREGI.
  - Certificates for HPC resources and NAREGI users are issued by the NAREGI CA.
UPKI Activities (diagram). Open Domain PKI: the NII public CA and other public CAs issue server certificates and S/MIME certificates to web servers and users on the Internet. Campus PKI: each university's campus CA (A Univ. CA, B Univ. CA, built from the CA Start-Pack under the UPKI Common Specification) issues on-campus end-entity certificates to servers, supercomputers, students and faculty, used for authentication, signing and encryption, proxy certificates, eduroam and Shibboleth. NAREGI PKI: the NAREGI CA issues certificates to computing-grid resources (servers, supercomputers) and to students and faculty, with a NAREGI-CA enhancement.
UPKI-Fed Inter-University SSO Architecture
- Leveraging PKI and Shibboleth (SAML) technologies, UPKI-Federation, which enables secure Single Sign-On for inter-university services such as electronic journals, is under development.
- The project has been in the trial stage since September 2008.
UPKI-Fed Inter-University SSO Architecture (diagram). Service providers (SPs): e-journals, CiNii, support portals, e-Learning, wireless LAN and account issuance, certificate issuance and server certificates. Identity providers (IdPs): a UPKI-IdP at each university and academic society, authenticating faculty, students and society members against the campus system. The operational organization runs the Discovery Service and the metadata repository and defines the federation policy and system specification. Federation using Shibboleth and PKI gives single sign-on and secure access from off-campus or from another campus.
2. UPKI-Fed SSO Trial
UPKI-Fed Test-bed (diagram). A University and B University each run an IdP (IdP_00 and IdP_01) with attribute management, a campus CA, an IdP administrator and client certificate issuance; a user is authenticated by the IdP of his/her own university. Test SPs: CiNii, CMS (Plone 1), CMS (Plone 2), CMS (Moodle), and the SP of a participating commercial service with its own attribute management and SP administrator. Shared components: the Discovery Service (DS), the metadata repository and the UPKI Open Domain CA.
Feasibility Study Schedule (FY 2008)
- Preparation
  - Setup documents
  - VMware image for the IdP
  - Test-bed including DS and metadata repository
- Explanatory meeting (July 2008, held twice)
  - Asked both IT staff and librarians from each institution to attend
- Development
  - Developed test SPs
  - Supported institutions in setting up IdPs and SPs
  - Metadata distribution
  - Feasibility test instructions
  - Information sharing via wiki, mailing list and mail magazine
- Participants meeting (Nov. 2008)
  - Status reports from all institutions
- Preparation for the next step
  - Discussion and development of the policy for pilot operation
- Demonstration at UPKI Symposium 2009 (Feb. 2009)
Participants
- 27 institutions
- 30 IdP sites
- 18 SP sites
(Chart: number of IdP and SP sites per month from Aug. 2008 to Feb. 2009, reaching 30 IdP sites and 18 SP sites; connection to Elsevier completed.)
Status of Participating Institutions (table columns: Name, IdP, SP; ○ = connected, a trailing number = number of sites, - = none)
- Hokkaido Univ. ○2 -
- Kanazawa Univ. ○
- Tohoku Univ. ○ - File Transfer Service, Digital Contents Publishing (DSpace)
- Yamagata Univ. ○ -
- Nagoya Univ. ○ -
- Fukushima Univ. - -
- Aichi Prefectural College of Nursing and Health ○
- High Energy Accelerator Research Organization
- Tsukuba Univ. ○ (Local test)
- Kyoto Univ. ○
- Tsukuba Univ. of Technology - - Wireless LAN Account Issuance Service
- Kyoto Sangyo Univ. ○ (Local test)
- Chiba Univ. Test -
- Osaka Univ. ○4
- Tokyo Univ. ○ - (Grid Cert. Issuance Service)
- Tokyo Institute of Technology ○ (Local test)
- Ehime Univ. - -
- Tokushima Univ. ○
- Ochanomizu Univ. ○ - Inter-Campus SNS (OpenPNE)
- Advanced Institute of Industrial Technology ○2 Multi-Mouse AP (Local test)
- Hiroshima Univ. ○ -
- Yamaguchi Univ. ○ SSO Test (Plone)
- Keio Univ. - -
- Kyushu Univ. ○ (Local test)
- National Institute of Informatics ○3 CiNii Shib-test
- Kumamoto Univ. ○ -
- Saga Univ. ○ (Local test) 2
Feasibility Study
- Trial using Shibboleth 2.0 / 2.1.2
  - Single Sign-On connections among universities' IdPs and SPs, and commercial SPs from abroad
  - Shibboleth 2.0 (SAML 2.0) protocol among participants in Japan
  - Shibboleth 1.3 (SAML 1.1) protocol to connect to existing commercial SPs from abroad
  - Metadata automatic download test
  - Metadata signing and verification test
  - Connecting the IdP to campus LDAP/AD
  - Attribute send/receive test, including Japanese attributes
  - Tool tests such as ArpViewer
Connecting to commercial SPs from abroad (diagram). The NII IdP (idp.nii.ac.jp), backed by NII's institutional Active Directory, authenticates NII users to the test SPs in participating institutions in Japan and to SPs abroad. This was the first Shibboleth connection in Asia to an e-journal from abroad; all NII institution members can use the IdP now.
Connection with commercial SPs from abroad
- Completed with Elsevier (ScienceDirect, Scopus)
  - Protocol = Shibboleth 1.3: the UPKI-Fed protocol was changed from Shib 2.0 only to Shib 2.0 / Shib 1.3
  - Certificate: SPs from abroad are asked to use a commercial public certificate, because we cannot issue UPKI certificates abroad
- Connection plans with other commercial SPs soon: RefWorks, Nature, OUP (Oxford University Press), LWW/Ovid, Springer, Thomson, EBSCO
  - Within the next fiscal year (?): CUP (Cambridge University Press), Wiley-Blackwell, SAGE, ProQuest, JSTOR, Serials Solutions, Taylor & Francis, APS (American Physical Society)
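Two of the feasibility-study items (automatic metadata download with signature and validity verification) and the protocol change on this slide (serving Shib 1.3 SPs abroad next to SAML 2.0 SPs in Japan) both live in one place on a Shibboleth IdP 2.x: relying-party.xml. The fragment below is an added example, not UPKI-Fed's own configuration; the entityID, hostnames, file paths, credential IDs and the federation signing certificate file name are assumptions. The security point is the two metadata filters: with requireSignedMetadata="true" and RequiredValidUntil, an attacker who can tamper with the download point or replay an old metadata file cannot insert or keep alive a rogue SP, because the IdP refuses metadata that is unsigned, signed by anything but the federation key, or not time-limited.

```xml
<!-- relying-party.xml fragment (Shibboleth IdP 2.x). Added example: the
     entityID, hosts, paths and IDs are placeholders, not UPKI-Fed values. -->
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
                      xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
                      xmlns:metadata="urn:mace:shibboleth:2.0:metadata"
                      xmlns:security="urn:mace:shibboleth:2.0:security"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <rp:AnonymousRelyingParty provider="https://idp.example.ac.jp/idp/shibboleth"
                              defaultSigningCredentialRef="IdPCredential"/>

    <!-- Profiles offered to every SP found in metadata. -->
    <rp:DefaultRelyingParty provider="https://idp.example.ac.jp/idp/shibboleth"
                            defaultSigningCredentialRef="IdPCredential">
        <!-- Shibboleth 1.3 browser profile (SAML 1.1): needed for the
             commercial SPs abroad that do not yet speak SAML 2.0. -->
        <rp:ProfileConfiguration xsi:type="saml:ShibbolethSSOProfile"
                                 includeAttributeStatement="true"
                                 assertionLifetime="PT5M" assertionProxyCount="0"
                                 signResponses="conditional" signAssertions="never"/>
        <rp:ProfileConfiguration xsi:type="saml:SAML1AttributeQueryProfile"
                                 assertionLifetime="PT5M"
                                 signResponses="conditional" signAssertions="never"/>
        <!-- SAML 2.0 browser SSO: used among the Japanese participants.
             Assertions are always signed and, when the SP publishes an
             encryption key in metadata, encrypted. -->
        <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                                 includeAttributeStatement="true"
                                 assertionLifetime="PT5M" assertionProxyCount="0"
                                 signResponses="never" signAssertions="always"
                                 encryptAssertions="conditional" encryptNameIds="never"/>
    </rp:DefaultRelyingParty>

    <!-- Federation metadata: downloaded over HTTPS, cached on disk for
         restarts, refreshed at most every 2 hours, and rejected unless
         (a) it carries a validUntil at most 7 days ahead and
         (b) its XML signature verifies against the federation signing key. -->
    <metadata:MetadataProvider id="ShibbolethMetadata"
                               xsi:type="metadata:ChainingMetadataProvider">
        <metadata:MetadataProvider id="IdPMD" xsi:type="metadata:FilesystemMetadataProvider"
                                   metadataFile="/opt/shibboleth-idp/metadata/idp-metadata.xml"/>
        <metadata:MetadataProvider id="UPKIFedMD"
                                   xsi:type="metadata:FileBackedHTTPMetadataProvider"
                                   metadataURL="https://metadata.example.ac.jp/upki-fed-metadata.xml"
                                   backingFile="/opt/shibboleth-idp/metadata/upki-fed-metadata.xml"
                                   maxRefreshDelay="PT2H">
            <metadata:MetadataFilter xsi:type="metadata:ChainingFilter">
                <!-- IdP 2.x takes maxValidityInterval in seconds: 604800 = 7 days. -->
                <metadata:MetadataFilter xsi:type="metadata:RequiredValidUntil"
                                         maxValidityInterval="604800"/>
                <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
                                         trustEngineRef="shibboleth.MetadataTrustEngine"
                                         requireSignedMetadata="true"/>
            </metadata:MetadataFilter>
        </metadata:MetadataProvider>
    </metadata:MetadataProvider>

    <!-- Only the federation's own signing certificate is accepted for
         metadata signatures; no CA chain is consulted. -->
    <security:TrustEngine id="shibboleth.MetadataTrustEngine"
                          xsi:type="security:StaticExplicitKeySignature">
        <security:Credential id="UPKIFedSigningCert" xsi:type="security:X509Filesystem">
            <security:Certificate>/opt/shibboleth-idp/credentials/upki-fed-signer.pem</security:Certificate>
        </security:Credential>
    </security:TrustEngine>

    <!-- The IdP's own signing/encryption key pair. -->
    <security:Credential id="IdPCredential" xsi:type="security:X509Filesystem">
        <security:PrivateKey>/opt/shibboleth-idp/credentials/idp.key</security:PrivateKey>
        <security:Certificate>/opt/shibboleth-idp/credentials/idp.crt</security:Certificate>
    </security:Credential>
</rp:RelyingPartyGroup>
```

The remaining trust engines and credentials of the stock relying-party.xml are unchanged and not repeated here. Two practical notes: the federation signing certificate must be obtained out of band (not from the metadata URL it is meant to protect), and with this explicit-key model an SP's keys are learned from the signed metadata, so what establishes trust in a commercial SP abroad is its entry in federation-signed metadata, whichever CA issued the certificate it uses. The SP-side equivalents in shibboleth2.xml are the `<MetadataFilter type="RequireValidUntil" .../>` and `<MetadataFilter type="Signature" certificate="..."/>` filters.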
Connection with Elsevier (screenshot: login page)
3. Roadmap
UPKI-Fed Prospective Plan
- Goal: inter-university AuthN and AuthZ infrastructure for ALL services
  - The "Feasibility Study" ends in March 2009
  - "Pilot Operation" starts from April 2009
- FY 2008: Feasibility Study, connections using test accounts
- FY 2009: Pilot Operation, connections using real accounts under campus policies
- FY 2010: Practical Operation, with real accounts and real services
Preparation for UPKI-Fed Pilot Operation
- UPKI-Fed Policy (under development)
  - "UPKI-Fed Pilot Operation Procedure" (draft)
  - "UPKI-Fed System Specification" (draft)
- Attributes (specified in the above documents)
  - eppn / persistentID, o, ou, eduPersonAffiliation, etc.
  - Two-byte code (Japanese) support for Name, DisplayName, OrganizationName, ... (discussing whether to define "jasn", "jaDisplayName", "jao", ...)
- Configuration templates
  - Preparing templates for attribute-resolver, attribute-filter and attribute-map for UPKI-Fed participants
UPKI-Fed Pilot Operation Procedure (Draft)
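As an added example (not one of the UPKI-Fed templates the preparation slide refers to), the following Shibboleth IdP 2.x attribute-resolver.xml and attribute-filter.xml fragments show how the attribute set listed there (eppn, persistentID, o, eduPersonAffiliation) can be resolved from a campus LDAP and released under a federation-scoped policy. The LDAP host and bind DN, the scope example.ac.jp, the persistent-ID salt, the federation EntitiesDescriptor name https://upki-fed.example.ac.jp/ and the e-journal SP entityID are assumptions; the proposed Japanese attributes (jasn, jaDisplayName, jao) are still under discussion on the slide and are not defined here. Each attribute carries both a SAML 1 and a SAML 2 encoder so that the same definition serves Shib 1.3 SPs abroad and SAML 2.0 SPs in Japan.

```xml
<!-- ===== attribute-resolver.xml (Shibboleth IdP 2.x) ===== Added example:
     LDAP host, bind DN, scope and salt are placeholders, not UPKI-Fed values. -->
<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
                            xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
                            xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
                            xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- eppn: campus uid scoped with the institution's domain; the scope is
         fixed here, so a user cannot choose the domain part. -->
    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped"
                                  scope="example.ac.jp" sourceAttributeID="uid">
        <resolver:Dependency ref="campusLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString"
                                   name="urn:mace:dir:attribute-def:eduPersonPrincipalName"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                                   friendlyName="eduPersonPrincipalName"/>
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Simple"
                                  sourceAttributeID="eduPersonAffiliation">
        <resolver:Dependency ref="campusLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML1String"
                                   name="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
                                   friendlyName="eduPersonAffiliation"/>
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="o" xsi:type="ad:Simple" sourceAttributeID="o">
        <resolver:Dependency ref="campusLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:o"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.10" friendlyName="o"/>
    </resolver:AttributeDefinition>

    <!-- persistentID: a salted hash over (SP entityID, uid), so every SP sees a
         stable but different opaque value and SPs cannot correlate users. -->
    <resolver:AttributeDefinition id="persistentId" xsi:type="ad:SAML2NameID"
                                  nameIdFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                                  sourceAttributeID="computedID">
        <resolver:Dependency ref="computedID"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2XMLObject"
                                   name="urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
                                   friendlyName="eduPersonTargetedID"/>
    </resolver:AttributeDefinition>

    <resolver:DataConnector id="campusLDAP" xsi:type="dc:LDAPDirectory"
                            ldapURL="ldaps://ldap.example.ac.jp" baseDN="ou=people,dc=example,dc=ac,dc=jp"
                            principal="cn=idp,ou=system,dc=example,dc=ac,dc=jp"
                            principalCredential="CHANGE-ME">
        <dc:FilterTemplate><![CDATA[ (uid=$requestContext.principalName) ]]></dc:FilterTemplate>
        <dc:ReturnAttributes>uid o ou eduPersonAffiliation</dc:ReturnAttributes>
    </resolver:DataConnector>

    <resolver:DataConnector id="computedID" xsi:type="dc:ComputedId"
                            generatedAttributeID="computedID" sourceAttributeID="uid"
                            salt="replace-with-a-long-random-secret-kept-out-of-version-control">
        <resolver:Dependency ref="campusLDAP"/>
    </resolver:DataConnector>
</resolver:AttributeResolver>

<!-- ===== attribute-filter.xml ===== -->
<afp:AttributeFilterPolicyGroup id="UPKIFedFilter"
                                xmlns:afp="urn:mace:shibboleth:2.0:afp"
                                xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
                                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <!-- Baseline set released only to SPs inside the federation's
         EntitiesDescriptor (matched by its Name attribute); an SP that is not
         in the signed federation metadata receives nothing at all. -->
    <afp:AttributeFilterPolicy id="upkiFedBaseline">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterInEntityGroup"
                                   groupID="https://upki-fed.example.ac.jp/"/>
        <afp:AttributeRule attributeID="eduPersonPrincipalName">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <afp:AttributeRule attributeID="persistentId">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
        <!-- Only controlled-vocabulary values leave the IdP; a mistyped or
             locally invented affiliation value in LDAP is dropped. -->
        <afp:AttributeRule attributeID="eduPersonAffiliation">
            <afp:PermitValueRule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="faculty"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="staff"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="student"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="member"/>
            </afp:PermitValueRule>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

    <!-- Organisation name goes to one named SP (the e-journal SP),
         not to every federation member. -->
    <afp:AttributeFilterPolicy id="ejournalSP">
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                                   value="https://sp.ejournal.example/shibboleth"/>
        <afp:AttributeRule attributeID="o">
            <afp:PermitValueRule xsi:type="basic:ANY"/>
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>
```

The two files are shown together for reading; on an IdP they are separate files. Because the policy requirement keys on membership in the federation's EntitiesDescriptor, the metadata signature check in relying-party.xml is what makes this release policy meaningful: nothing is released to an entity that the federation did not sign into its metadata. The LDAP bind password is shown as a literal placeholder only; in practice it, like the persistent-ID salt, belongs outside the shared configuration template.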
Summary
- UPKI-Fed: the Japanese academic federation
  - Architecture design: develop a suitable architecture on the UPKI infrastructure (three layers), taking each institution's situation into consideration; deployment of Shibboleth/SAML
  - Roadmap: FY 2008 Feasibility Study (evaluate and develop the architecture using a test-bed; small start with a few SP services); FY 2009 Pilot Operation; FY 2010 onward, operational