CARSI: Cross University Identity Management and Resource Sharing - - PowerPoint PPT Presentation



SLIDE 1

CARSI: Cross University Identity Management and Resource Sharing over CERNET

Prof. PING CHEN
Peking University, Beijing, China
Feb 24th, 2011

CARSI &Peking University

SLIDE 2

Agenda

• Current IdM Situation in CERNET
• What is CARSI?
• What are we doing?
• What will we do next?

SLIDE 3

Authentication is developing.

SLIDE 4

In CERNET, most univ are …

SLIDE 5

In CERNET, some univ are …

SLIDE 6

In CERNET, some univ. are …

SLIDE 7

CERNET AAI situation summary

• Almost all universities have a campus-wide IdM, for the library, campus network, MIS systems, or other applications
• Most universities have SSO, but the scope covered by SSO differs greatly
  • One SSO serves all kinds of applications
  • Multiple SSOs serve different classes of applications
  • Multiple SSOs use the same user database, either by accessing one physical user database or by accessing multiple synchronized physical user databases
• Not everyone likes SSO; scope is an issue

SLIDE 8

Authentication is developing.

Cross-university authn makes resource sharing on a much larger scope possible.

SLIDE 9

What is Resource Sharing?

• Resource & Sharing
  • User authentic identity resource, shared from one university campus to CERNET, and on to industry
  • Application resource, built by one university, shared with more users under control

SLIDE 10

What is CARSI?

CERNET Authentication and Resource Sharing Infrastructure

• Goals:
  • To integrate university IdMs into a CERNET federation
  • To share universities' authentic user-info resources over CERNET
  • To share existing protected web applications with more users
  • To help industry control, in a more fine-grained way, whom it serves
  • To make full use of limited university funds for the people with the strongest demand
  • To provide a fundamental AAI middleware for CERNET applications
  • To push new applications among universities

SLIDE 11

CARSI’s short history

• Initiated in 2005, as one part of a network security project
• Extended to 4 universities in 2008
• Extended to 30 universities in 2010
• Until now, sponsored primarily by national research projects

SLIDE 12

What are we doing?

• A CNGI pre-commercial project spreading to 30 universities
• Ends in June 2011
• Topic: federation-wide campus learning and living communication
• Applications include bulletin board systems, blogs, library, lecture videos, learning materials, entertainment videos, job-seeking info, shopping, net disk, etc.

SLIDE 13

CARSI Components

SLIDE 14

What are we doing?

• CARSI-Fed: cross-domain federation
• CARSI-Portal
  • A web portal for federation users to log in
  • A web portal providing a resource list
• CARSI-WAYF/DS: where are you from / directory service
• CARSI-Person: CARSI User Attribute Specification
  • CARSI-Uid (universal user identity): localid@domainid
• CARSI-IdP: Shibboleth IdP +
• CARSI-SP: Shibboleth SP +
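The CARSI-Uid form localid@domainid is the identifier an SP receives for a federation user, so an SP has to split it unambiguously and trust the domain part only if that domain is actually a federation member. The following is an added example, not CARSI code: the set of registered domains is a constructed stand-in for what the FPR (Federation Provider Registry) would hold, and the "exactly one '@', DNS-shaped domainid" rule is an assumption made here for illustration.

```python
"""Parse and check CARSI-Uid values of the form localid@domainid.

Added example, not CARSI project code. FPR_REGISTERED_DOMAINS is a
constructed stand-in for the domains registered in the CARSI FPR; the
syntax rules below are assumptions chosen for this illustration.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of FPR-registered IdP domains (not real CARSI data).
FPR_REGISTERED_DOMAINS = {"pku.edu.cn", "tsinghua.edu.cn", "szu.edu.cn"}

# Assumption: a domainid is a lower-case DNS name with at least one dot,
# labels of letters, digits and inner hyphens, at most 253 characters.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$"
)


class InvalidUid(ValueError):
    """Raised for a uid that does not have the localid@domainid shape."""


@dataclass(frozen=True)
class CarsiUid:
    localid: str
    domainid: str

    def __str__(self) -> str:
        return f"{self.localid}@{self.domainid}"


def parse_uid(raw: str) -> CarsiUid:
    """Split a CARSI-Uid into (localid, domainid), rejecting malformed values.

    Exactly one '@' is required: a value such as "alice@pku.edu.cn@other.example"
    would be read differently by a consumer that splits on the first '@' and one
    that splits on the last, so it is rejected rather than guessed at.
    """
    if raw.count("@") != 1:
        raise InvalidUid(f"expected exactly one '@' in {raw!r}")
    localid, domainid = raw.split("@")
    domainid = domainid.lower()  # domain names are case-insensitive
    if not localid or any(c.isspace() for c in localid):
        raise InvalidUid(f"empty or whitespace localid in {raw!r}")
    if not _DOMAIN_RE.match(domainid):
        raise InvalidUid(f"malformed domainid in {raw!r}")
    return CarsiUid(localid, domainid)


def is_federation_member(uid: CarsiUid, registry=FPR_REGISTERED_DOMAINS) -> bool:
    """An SP should rely on a uid only when its domainid is registered in the federation."""
    return uid.domainid in registry


def accept_uid(raw: str, registry=FPR_REGISTERED_DOMAINS) -> Optional[CarsiUid]:
    """Return the parsed uid if well-formed and from a member domain, otherwise None."""
    try:
        uid = parse_uid(raw)
    except InvalidUid:
        return None
    return uid if is_federation_member(uid, registry) else None


if __name__ == "__main__":
    for raw in ("alice@PKU.edu.cn", "alice@unknown.example", "alice@pku.edu.cn@other.example"):
        print(raw, "->", accept_uid(raw))
```

The membership check is the part that matters for an SP: the localid is only meaningful relative to the IdP that asserted it, so two users named "alice" at different domains are distinct principals, and a domainid that is not in the registry should not be mapped to any local account.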

SLIDE 15

CARSI Workflow

• Way 1:
  1. Portal login
  2. Select an application from the resource list
  3. Visit the web application
  4. Visit other applications (SSO)

• Way 2:
  1. Visit a web application
  2. Redirected to the portal to log in
  3. Visit the application
  4. Visit other applications (SSO)

SLIDE 16

Shibboleth Workflow

Referenced from SWITCH

SLIDE 17

CARSI Workflow – Way 1 Demo (slides 17–21)

SLIDE 22

What are we doing? FPR, VRD, OpenIdP

• CARSI FPR: Federation Provider Registry
  • A system for federation members to manage their IdPs/SPs
  • Role-based administrator management: FedAdmin, OrgAdmin, IdPAdmin, SPAdmin
  • IdP/SP management based on policy
• CARSI VRD: Virtual Resource Directory
  • A list of shared web applications
  • Synchronized with FPR-registered SPs
  • Classified and displayed for user access
• CARSI-OpenIdP
  • An open identity provider
  • Free registration

SLIDE 23

What are we doing? FIVA

Federation Inter-visit Analysis

• Goal:
  • How many and what kind of influences does cross-domain AAI bring to users (IdP side) and applications (SP side)?
  • How is cross-domain AAI being used?
  • What are users' usage habits?
• Methods:
  • Federation log recording, aggregation and analysis: IdP log, SP log, DS log, etc.
  • Resource sharing statistics
    • Based on the IdP: how many IdP users visit other-domain applications, their usage behaviour, etc.
    • Based on the SP: from which domains and what kinds of users visit it, what the peak visiting time is, etc.
  • User behaviour and action tracking
    • Tracing a user's visiting sequence
    • Which visiting sequence is adopted more often?
    • How does cross-domain AAI benefit them?
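The three FIVA questions above (per-IdP cross-domain use, per-SP visitor domains and peak hour, per-user visiting sequences) are all answerable from aggregated IdP and SP logs keyed on the CARSI-Uid. The script below is an added example, not CARSI's FIVA code: the log line format is constructed and much simpler than a real Shibboleth audit log, the sample lines are made up, and the rule that an SP's organisation domain is the last three labels of its hostname is an assumption for this illustration.

```python
"""Federation inter-visit statistics over constructed IdP/SP log lines.

Added example, not CARSI's FIVA implementation. Log format (constructed):
    <ISO timestamp>|<source: IdP or SP>|<event>|<CARSI-Uid>|<SP hostname>
Malformed lines are skipped rather than guessed at.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample log (not real CARSI data). The last line is deliberately malformed.
SAMPLE_LOG = """\
2011-02-24T09:05:10|IdP|authn|alice@pku.edu.cn|bbs.tsinghua.edu.cn
2011-02-24T09:05:12|SP|access|alice@pku.edu.cn|bbs.tsinghua.edu.cn
2011-02-24T09:20:30|SP|access|alice@pku.edu.cn|lib.pku.edu.cn
2011-02-24T10:01:00|IdP|authn|bob@pku.edu.cn|video.szu.edu.cn
2011-02-24T10:01:03|SP|access|bob@pku.edu.cn|video.szu.edu.cn
2011-02-24T10:15:44|SP|access|bob@pku.edu.cn|bbs.tsinghua.edu.cn
2011-02-24T10:40:00|IdP|authn|carol@tsinghua.edu.cn|bbs.tsinghua.edu.cn
2011-02-24T10:40:02|SP|access|carol@tsinghua.edu.cn|bbs.tsinghua.edu.cn
2011-02-24T10:55:00|SP|access|carol@tsinghua.edu.cn|lib.pku.edu.cn
2011-02-24T14:00:00|SP|access|dave@szu.edu.cn|bbs.tsinghua.edu.cn
2011-02-24T14:02:00|garbage line that should be skipped
"""

# (timestamp, source, event, localid, user domain, SP hostname)
Event = Tuple[datetime, str, str, str, str, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format; drop lines that do not have 5 fields and a single '@' uid."""
    events: List[Event] = []
    for line in text.splitlines():
        parts = line.split("|")
        if len(parts) != 5 or parts[3].count("@") != 1:
            continue
        ts = datetime.fromisoformat(parts[0])
        localid, user_domain = parts[3].split("@")
        events.append((ts, parts[1], parts[2], localid, user_domain, parts[4]))
    return events


def sp_domain(sp_host: str) -> str:
    """Assumption: the SP's organisation domain is the last three hostname labels."""
    return ".".join(sp_host.split(".")[-3:])


def cross_domain_users_per_idp(events: List[Event]) -> Dict[str, int]:
    """IdP-side statistic: per user domain, how many distinct users accessed an SP outside that domain."""
    users = defaultdict(set)
    for _, src, ev, localid, udom, sp in events:
        if src == "SP" and ev == "access" and sp_domain(sp) != udom:
            users[udom].add(localid)
    return {d: len(u) for d, u in users.items()}


def visitors_per_sp(events: List[Event]) -> Dict[str, dict]:
    """SP-side statistic: per SP, accesses by user domain and the hour with the most accesses."""
    by_domain = defaultdict(Counter)
    by_hour = defaultdict(Counter)
    for ts, src, ev, _, udom, sp in events:
        if src == "SP" and ev == "access":
            by_domain[sp][udom] += 1
            by_hour[sp][ts.hour] += 1
    return {
        sp: {"by_domain": dict(by_domain[sp]), "peak_hour": by_hour[sp].most_common(1)[0][0]}
        for sp in by_domain
    }


def visiting_sequences(events: List[Event]):
    """Per user, the time-ordered sequence of SPs visited, and the most common sequence overall."""
    seqs = defaultdict(list)
    for _, src, ev, localid, udom, sp in sorted(events):
        if src == "SP" and ev == "access":
            seqs[f"{localid}@{udom}"].append(sp)
    most_common = Counter(tuple(s) for s in seqs.values()).most_common(1)[0][0]
    return dict(seqs), most_common


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(cross_domain_users_per_idp(evs))
    print(visitors_per_sp(evs))
    print(visiting_sequences(evs)[1])
```

The per-user sequences are the most identifying of the three outputs; the first two are already aggregates and are what an IdP or SP operator would normally share with the federation, while the sequence data is better kept at the collecting site and reported only as counts of sequence patterns, as the last function does.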

SLIDE 24

What are we doing? FIVA
Federation Inter-visit Analysis (slides 24–25)

SLIDE 26

What are we doing? IdP + Local IdM

• Two ways are mainly used:
  • IdP + local SSO
  • IdP + customized local authentication interface (CLAI) + authentic user database (AUDB)

SLIDE 27

What are we doing? IdP + Local SSO (slides 27–28)

SLIDE 29

What are we doing? IdP + Local SSO

What happens if an app supports both SSO and SP?

SLIDE 30

What are we doing? IdP + Local SSO

What happens if another federation is a CARSI SP?

SLIDE 31

What are we doing? IdP + CLAI + AUDB

SLIDE 32

What are we doing? SP + Application

• Current situation:
  • CARSI candidate applications have different authn and access control requirements and implementation approaches.
  • Resource diversity increases the difficulty of CARSI federation integration.
• Goals:
  • To simplify application migration into the federation with no or little code modification.

SLIDE 33

Applications: Before joining CARSI Fed

• Some apps required authn with simple or no authr policies.
• Some apps already had authn and authr policies implemented in modules loosely coupled with the application logic.
• Some apps already had authn and authr policies dispersed in the application code, difficult to separate.
• Some apps supported some kind of campus-wide identity management.
• Some apps were planning to enforce access control.
• Some had already been shibbolethed.

SLIDE 34

CARSI Web Application Classification

Class                                   Authn Required  Authr Required  Authn Impl.          Authr Impl.
AOA  – Authn-only App                   Yes             No              CARSI                no
FAA  – Fed Attribute-relying App        Yes             Yes             CARSI                Application
AAIA – Authn & Authr Independent App    Yes             Yes             CARSI                CARSI
AAEA – Authn & Authr Embedded App       Yes             Yes             CARSI & Application  Application

SLIDE 35

CARSI Web Application Classification (slides 35–38)

Class                                   Authn Required  Authr Required  Authn Impl.          Authr Impl.
AOR  – Authn-only Res                   Yes             No              CARSI                no
FAR  – Fed Attribute-relying Res        Yes             Yes             CARSI                Application
AAIR – Authn & Authr Independent Res    Yes             Yes             CARSI                CARSI
AAER – Authn & Authr Embedded Res       Yes             Yes             CARSI & Application  Application

SLIDE 39

What will we do next?

• After the CNGI project, how do we continue our work? Not sure!
• A little more progress than before: some Chinese users have begun to learn about the technology
  • Thomson Reuters + Tsinghua Univ. library
  • Shenzhen Univ. library
  • Discussion with Microsoft is ongoing
• More work to do:
  • Still in the experimental phase
  • Making more people aware of it
  • Finding good solutions for technical problems

SLIDE 40

Thank You!

CARSI: http://www.carsi.edu.cn
Email: carsi@pku.edu.cn