identity internetworking with edugain
play

Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS - PowerPoint PPT Presentation

Jun 03, 2023 •275 likes •510 views

Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS Confederations Federate Federations Connect. Communicate. Collaborate Same federating principles applied to federations themselves Own

  1. Connect. Communicate. Collaborate Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS

  2. Confederations Federate Federations Connect. Communicate. Collaborate • Same federating principles applied to federations themselves – Own policies and technologies are locally applied • Independent management – Identity and authentication-authorization must be properly handled by the participating federations • Commonly agreed policy – Linking individual federation policies – Coarser than them • Trust fabric entangling participants – Without affecting each federation’s fabric – E2E trust must be dynamically built

  3. Applying Confederation Concepts in eduGAIN Connect. Communicate. Collaborate • An eduGAIN confederation is a loosely-coupled set of cooperating federations – That handle identity management, authentication and authorization using their own policies • Trust between any two participants in different federations is dynamically established – Members of a participant federation do not know in advance about members in the other federations • Syntax and semantics are adapted to a common language – Through an abstract service definition

  4. The eduGAIN Model Connect. Communicate. Collaborate Connect. Communicate. Collaborate Metadata Query MDS Metadata Metadata Publish Publish R-FPP H-FPP R-BE H-BE AA Interaction AA AA Interaction Interaction Resource(s) Id Repository(ies)

  5. An Adaptable Model Connect. Communicate. Collaborate Connect. Communicate. Collaborate From centralized structures... MDS FPP FPP BE BE IdP IdP SP SP IdP IdP SP IdP SP SP SP SP SP IdP IdP SP

  6. An Adaptable Model Connect. Communicate. Collaborate Connect. Communicate. Collaborate ...to fully E2E ones... MDS SP IdP SP BE BE BE SP BE SP IdP SP IdP BE BE BE BE IdP BE SP SP BE IdP BE IdP BE SP SP BE IdP BE BE BE

  7. An Adaptable Model Connect. Communicate. Collaborate Connect. Communicate. Collaborate ...including any mix of them MDS FPP IdP FPP BE BE IdP IdP BE BE IdP BE SP SP SP SP IdP BE SP BE IdP SP SP SP BE BE IdP SP

  8. Component Identifiers Connect. Communicate. Collaborate • eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers • Based on URNs delegated by the eduGAIN registry to the participating federation • Identifiers establish the kind of component they apply to by means of normalized prefixes • Identifiers follow the hierarchy of the trust establishing process

  9. The (X.509) Trust Fabric Connect. Communicate. Collaborate • Validation procedures include – Normal certificate validation • Trust path evaluation, signatures, revocation,… – Peer identification • Certificates hold the component identifier • It must match the appropriate metadata • Applicable to – TLS connections between components • Two-way validation is mandatory – Verification of signed XML assertions

  10. eduGAIN Trust Framework Connect. Communicate. Collaborate Connect. Communicate. Collaborate eduGAIN Certificate Policy eduGAINSCA Acc CA1 . . . . Acc CAN eduGAIN Name Registry MDS server(s) CId urn:geant:a:b:c:... CId urn:geant:g:h:i:... . . . . . . CId urn:geant:d:e:f:... CId urn:geant:j:k:l:...

  11. Metadata Service Connect. Communicate. Collaborate • Based on REST interfaces transporting SAML 2.0 metadata – Usable by non-eduGAIN components • Metadata are published through POST operations • Metadata are retrieved through GET operations • URLs are built as MDSBaseURL/FederationID/entityID?queryString – Using component names – The query string transports data intended to locate the appropriate home BE (Home Locators) • Hints provided by the user • Contents of certificate extensions ( SubjectAlternateName SubjectInformationAccess )

  12. A General Model for eduGAIN Interactions Connect. Communicate. Collaborate Connect. Communicate. Collaborate https://mds.geant.net/ MDS ?cid=someURN <EntityDescriptor . . . <samlp:Response . . . <samlp:Request . . . entityID= ResponseID=”092e50a08…” RequestID=”e70c3e9e6…” ”urn:geant2:..:responder"> InResponseTo=“e70c3e9e…”> IssueInstant=“2006-06…”> TLS Channel . . . . . . . . . <SingleSignOnService . . . </samlp:Request> </samlp:Response> Location= “https://responder.dom/” /> . . . urn:geant2:...:requester → TLS Channel(s) Requester Responder ← urn:geant2:...:responder Resource Id Repository

  13. The eduGAIN APIs: Trust Evaluation Connect. Communicate. Collaborate Connect. Communicate. Collaborate Is this trust material (cert/signature) valid? Does it correspond to component X*? Configuration Valid/not valid Corresponds to component X eduGAINVal Key Store Sign this piece of data Signature Trust Store Which trust material to use for connecting Trust material

  14. The eduGAIN APIs: Metadata Access Connect. Communicate. Collaborate Connect. Communicate. Collaborate Publish these metadata through MDS server Publishing result Which component(s) can be queried to retrieve data about someone with these eduGAINMeta Configuration Home Locators? Component metadata Give me metadata about this part of eduGAINVal eduGAIN Metadata

  15. The eduGAIN APIs: Abstract Service Connect. Communicate. Collaborate Connect. Communicate. Collaborate Create/manipulate an abstract service object Abstract service object Transform these abstract service object to/from wire protocol eduGAINBase Configuration Abstract service object or Protocol element eduGAINMeta Send ASO: (AuthN/Attr/AuthR) request ( Vanilla profile ) eduGAINVal Corresponding ASO response

  16. The eduGAIN APIs: Profile Access Connect. Communicate. Collaborate Connect. Communicate. Collaborate Is this AuthN/Attr material valid? Valid/not valid Provide data from the requester Configuration Data eduGAIN Profile API Create/modify a security token eduGAINBase Token eduGAINMeta Should this request be authorized? eduGAINVal Authorization response

  17. eduGAIN Profiles Connect. Communicate. Collaborate • Oriented to – Enable direct federation interaction – Enable services in a confederated environment • Four profiles discussed so far – WebSSO (Shibboleth browser/POST) – AC (automated client: no human interaction) – UbC (user behind non-Web client: use of SASL-CA) – WE (WebSSO enhanced client: delegation) • Others envisaged – Extended Web SSO (allowing the send of POST data) – eduGAIN usage from roaming clients (DAMe) • Based on SAML 1.1 – Mapping to SAML 2.0 profiles along the transition period

  18. The WebSSO Profile Connect. Communicate. Collaborate Connect. Communicate. Collaborate

  19. The AC Profile Connect. Communicate. Collaborate Connect. Communicate. Collaborate

  20. The UbC Profile Connect. Communicate. Collaborate Connect. Communicate. Collaborate

  21. The WE Profile Connect. Communicate. Collaborate Connect. Communicate. Collaborate

  22. Where We Are Connect. Communicate. Collaborate • Several eduGAIN enabled resources already available using WebSSO – Eight federations already participating • Moving into pilot service – Registry + PKI + MDS • Other profiles already demonstrated – Network monitoring (PerfSONAR) – Bandwidth-on-demand (AutoBAHN) • Waiting for you to join – It ain’t difficult

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp;

Introduction to Identity Federations Brook Schofield eduGAIN Task Leader, GN3 Project &amp; Project Development Officer, TERENA schofield@terena.org 15 October 2012 Building Federated Identity Policy, GN3 Symposium, Vienna, Austria Innovation

157 views • 12 slides
An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers

An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers

Connect. Communicate. Collaborate An eduGAIN Update Diego R. Lopez RedIRIS TF-EMC2. Utrecht, December 2008 What eduGAIN Offers Connect. Communicate. Collaborate Take advantage of existing identity infrastructures Easing the path to a

712 views • 21 slides
eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project

eduGAIN: Interfederation and Policy Brook Schofield eduGAIN Task Leader, GN3 Project schofield@terena.org Innovation through participation Agenda What is eduGAIN? Project Expectations Current Status Policy Framework Roadmap

1.01k views • 14 slides
15-213 The course that gives CMU its Zip! Internetworking Internetworking Nov 19, 2002

15-213 The course that gives CMU its Zip! Internetworking Internetworking Nov 19, 2002

15-213 The course that gives CMU its Zip! Internetworking Internetworking Nov 19, 2002 Nov 19, 2002 Topics Topics Client-server programming model Networks Internetworks Global IP Internet IP addresses Domain

715 views • 32 slides
Internetworking There is more than One Network Simple Internetworking Two issues to be

Internetworking There is more than One Network Simple Internetworking Two issues to be

Internetworking There is more than One Network Simple Internetworking Two issues to be addressed when Best Effort Service Model Global Addressing Scheme connecting networks Datagram Forwarding in IP Address Translation

314 views • 7 slides
Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas,

Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas,

Challenges of supporting education and research to make use of eduGAIN Ioannis Kakavas, GRNET,GANT 1 Outline Quick eduGAIN primer Challenges Work with research communities Suggestions and best practices 2 eduGAIN

365 views • 19 slides
Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client

Kipper a Grid bridge to Identity Federation Andrey Kiryanov Brief The Kipper client software combines tools and utilities to extend a Web Application to: Enable login via federated SSO like eduGAIN Retrieve a SAML2 Identity Assertion

385 views • 24 slides
within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer

within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer

Calculating metadata propagation time within eduGAIN Research Project: 2 Supervisor: Brook Schofield GANT Marcel den Reijer Thursday July 4, 2019 UvA System &amp; Network Engineering 1 of 18 In Introduction eduGAIN

389 views • 19 slides
Simple Internetworking Network 1 (Ethernet) Internetworking Network 2 (Ethernet) H1 H2 H3 H7

Simple Internetworking Network 1 (Ethernet) Internetworking Network 2 (Ethernet) H1 H2 H3 H7

Simple Internetworking Network 1 (Ethernet) Internetworking Network 2 (Ethernet) H1 H2 H3 H7 R3 H8 Network 4 (point-to-point) R1 R2 Kameswari Chebrolu H4 Network 3 (FDDI) Router Dept. of Electrical Engineering, IIT Kanpur H6 H5

543 views • 4 slides
Basic Internetworking (IP) CSCI 466: Networks Keith

Basic Internetworking (IP) CSCI 466: Networks Keith

Basic Internetworking (IP) CSCI 466: Networks Keith Vertanen Fall 2011 Overview Internetworking Service model Internet protocol (IP)

604 views • 35 slides
Internetworking Outline Best Effort Service Model Global Addressing Scheme 1 Internetworking

Internetworking Outline Best Effort Service Model Global Addressing Scheme 1 Internetworking

Internetworking Outline Best Effort Service Model Global Addressing Scheme 1 Internetworking Concatenation of Different Networks Network 1 (Ethernet) H7 R3 H8 H1 H2 H3 Network 4 (point-to-point) Network 2 (Ethernet) R1 R2 H4

540 views • 7 slides
Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update:

August 19th, 2020, REANNZ Lunchtime session Tuakiri update: eduGAIN &amp; service status Vlad Mencl Wallace Chase 1 Tuakiri update: eduGAIN and service status, August 19th, 2020 Outline Tuakiri: brief introduction Update:

641 views • 23 slides
Computer Networks I Internetworking Prof. Dr.-Ing. Lars Wolf IBR, TU Braunschweig

Computer Networks I Internetworking Prof. Dr.-Ing. Lars Wolf IBR, TU Braunschweig

Computer Networks I Internetworking Prof. Dr.-Ing. Lars Wolf IBR, TU Braunschweig Mhlenpfordtstr. 23, D-38106 Braunschweig, Germany, 1 Email: wolf@ibr.cs.tu-bs.de l2gate.ppt Internetworking Scope www.ibr.cs.tu-bs.de Computer Networks 1

602 views • 30 slides
Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen

Identity Theft Identity Theft Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes Identity theft can cost you time and money. Tips for Preventing Identity Theft

322 views • 10 slides
Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase

Identity and Access Management Using Identity Management and Identity Governance to increase Automation and Security. Identity Management (IAM, IdM) defining and managing the roles and access privileges of individual network users, and the

2.89k views • 13 slides
IDENTITY What is the Relationship Between Identity and the College Experience? What Role

IDENTITY What is the Relationship Between Identity and the College Experience? What Role

2/15/2019 Jordan Truex Agenda or Summary Layout The Road to SelfAuthorship NonTraditional Students Effective Interview Strategies Meeting the Student Where They Are IDENTITY What is the Relationship Between Identity and the

367 views • 10 slides
YI R alice bob Dha What nodes processeachpacket O to What nodes need to 1 each packet a

YI R alice bob Dha What nodes processeachpacket O to What nodes need to 1 each packet a

Modifiedflood the EO deactivated = Set() on recv(pkt, ifin): if ifin in deactivated: HI return for i in interfaces: if (i !=ifin and i not in deactivated): send(pkt, i) D consider 1 I alice bob 71 1ae R alice bob consider Tht

550 views • 9 slides
1 and customer name for customers who order it. Display product name and category for products

1 and customer name for customers who order it. Display product name and category for products

Q1: What is the output of the following SQL or PL/SQL code segments SQL Statement OUTPUT Select Cname , Pname, Quantity From Customers C , Products P, Order O 1 Where C.Cid = O.Cid AND P.Pid = O.Pid AND Region = Irbid; Select Pname

374 views • 4 slides
Towards a Learning Optimizer for Shared Clouds* Chenggang Wu, Alekh Jindal, Saeed Amizadeh, Hiren

Towards a Learning Optimizer for Shared Clouds* Chenggang Wu, Alekh Jindal, Saeed Amizadeh, Hiren

Towards a Learning Optimizer for Shared Clouds* Chenggang Wu, Alekh Jindal, Saeed Amizadeh, Hiren Patel, Wangchao Le, Shi Qiao, Sriram Rao February 8, 2019 * C. Wu, A. Jindal, S. Amizadeh, H. Patel, W. Le, S. Qiao, and S. Rao. Towards a Learning

728 views • 16 slides
CS5460: Operating Systems Lecture 5: Processes and Threads (Chapters 3-4) CS 5460: Operating

CS5460: Operating Systems Lecture 5: Processes and Threads (Chapters 3-4) CS 5460: Operating

CS5460: Operating Systems Lecture 5: Processes and Threads (Chapters 3-4) CS 5460: Operating Systems Lecture 5 Context Switch Results lab2-15 3.8 us gamow 1.6 us home 1.0 us VirtualBox on lab2-25 170 us

512 views • 18 slides
Querying Relational Data: Algebra Gerome Miklau UMass Amherst CMPSCI 645 Database Systems

Querying Relational Data: Algebra Gerome Miklau UMass Amherst CMPSCI 645 Database Systems

Querying Relational Data: Algebra Gerome Miklau UMass Amherst CMPSCI 645 Database Systems Jan 31, 2008 Some slide content courtesy of Zack Ives, Ramakrishnan &amp; Gehrke, Dan Suciu, Ullman &amp; Widom Next lectures Today

1.34k views • 36 slides
ROHC: compress your VoIP traffic Didier Barvaux didier.barvaux@toulouse.viveris.com

ROHC: compress your VoIP traffic Didier Barvaux didier.barvaux@toulouse.viveris.com

Header compression The ROHC protocol The ROHC library Perspectives ROHC: compress your VoIP traffic Didier Barvaux didier.barvaux@toulouse.viveris.com didier@rohc-lib.org July, 7th 2014 Viveris Technologies ROHC: compress your VoIP traffic

476 views • 26 slides
Relational Database Design Theory Part II CPS 196.3 Introduction to Database Systems 2

Relational Database Design Theory Part II CPS 196.3 Introduction to Database Systems 2

Relational Database Design Theory Part II CPS 196.3 Introduction to Database Systems 2 Announcement ! Project proposal/progress report due today ! Midterm next Thursday in class &quot; Everything up to todays lecture, with a focus on the

301 views • 7 slides
Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat 2015-09-25 1 Caoln McNamara

Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat 2015-09-25 1 Caoln McNamara

Crash Testing and Coverity The Numbers Caoln McNamara, Red Hat 2015-09-25 1 Caoln McNamara Coverity Examples Defect Density Trends Crash Testing Process Trends 2/26 Caoln McNamara Examples 3 Caoln

763 views • 26 slides

More recommend