Identity internetworking with eduGAIN Diego R. Lopez - RedIRIS - - PowerPoint PPT Presentation



SLIDE 1
  • Connect. Communicate. Collaborate

Identity internetworking with eduGAIN

Diego R. Lopez - RedIRIS

SLIDE 2

Confederations Federate Federations

  • Same federating principles applied to federations themselves

– Own policies and technologies are locally applied

  • Independent management

– Identity and authentication-authorization must be properly handled by the participating federations

  • Commonly agreed policy

– Linking individual federation policies
– Coarser than them

  • Trust fabric entangling participants

– Without affecting each federation's fabric
– E2E trust must be dynamically built

SLIDE 3

Applying Confederation Concepts in eduGAIN

  • An eduGAIN confederation is a loosely-coupled set of cooperating federations

– That handle identity management, authentication and authorization using their own policies

  • Trust between any two participants in different federations is dynamically established

– Members of a participant federation do not know in advance about members in the other federations

  • Syntax and semantics are adapted to a common language

– Through an abstract service definition

SLIDE 4

The eduGAIN Model

[Diagram: Id Repository(ies) and Resource(s) sit behind an H-BE and an R-BE; the H-FPP and R-FPP publish metadata to the MDS (Metadata Publish), the BEs query it (Metadata Query), and AA Interaction flows between the BEs and the repositories/resources they front]

SLIDE 5

An Adaptable Model

From centralized structures...

[Diagram: an MDS at the top; each FPP/BE pair aggregates a group of SPs and IdPs behind it]

SLIDE 6

An Adaptable Model

...to fully E2E ones...

[Diagram: an MDS with every SP and IdP attached through its own BE]

SLIDE 7

An Adaptable Model

...including any mix of them

[Diagram: an MDS serving both SPs and IdPs with their own BEs and groups of SPs and IdPs behind shared FPP/BE pairs]

SLIDE 8

Component Identifiers

  • eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers

  • Based on URNs delegated by the eduGAIN registry to the participating federation

  • Identifiers establish the kind of component they apply to by means of normalized prefixes

  • Identifiers follow the hierarchy of the trust establishing process

SLIDE 9

The (X.509) Trust Fabric

  • Validation procedures include

– Normal certificate validation

  • Trust path evaluation, signatures, revocation,…

– Peer identification

  • Certificates hold the component identifier
  • It must match the appropriate metadata
  • Applicable to

– TLS connections between components

  • Two-way validation is mandatory

– Verification of signed XML assertions

SLIDE 10

eduGAIN Certificate Policy

[Diagram, eduGAIN Trust Framework: on the certificate policy side the accredited CAs (Acc CA1 . . . Acc CAN) and the eduGAIN SCA; on the eduGAIN Name Registry side the MDS server(s) and components carrying component identifiers (CId urn:geant:a:b:c:..., CId urn:geant:d:e:f:..., CId urn:geant:g:h:i:..., CId urn:geant:j:k:l:..., . . .)]

SLIDE 11

Metadata Service

  • Based on REST interfaces transporting SAML 2.0 metadata

– Usable by non-eduGAIN components

  • Metadata are published through POST operations
  • Metadata are retrieved through GET operations
  • URLs are built as MDSBaseURL/FederationID/entityID?queryString

– Using component names
– The query string transports data intended to locate the appropriate home BE (Home Locators)

  • Hints provided by the user
  • Contents of certificate extensions (SubjectAlternativeName, SubjectInformationAccess)

SLIDE 12

A General Model for eduGAIN Interactions

[Diagram: a Requester (urn:geant2:...:requester) and a Responder (urn:geant2:...:responder), with an Id Repository and a Resource, interact over TLS channel(s); the MDS is queried over a TLS channel, e.g. https://mds.geant.net/?cid=someURN, and returns the peer's metadata:]

<EntityDescriptor . . . entityID="urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location="https://responder.dom/" /> . . .

[The requester then sends a request and the responder answers it:]

<samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…"> . . . </samlp:Request>
<samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>
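The MDS lookup and peer check described on slides 9, 11 and 12, as an added Python example that is not eduGAIN project code: it builds the MDS query URL, parses the returned EntityDescriptor and verifies that the component identifier in the peer's certificate equals the metadata entityID. The sample URNs, the host responder.example, the query parameter name cid and the convention that the CId is carried as a URI subjectAltName are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote, urlencode

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

def mds_query_url(base_url, federation_id, entity_id, home_locators=None):
    """Slide 11 layout: MDSBaseURL/FederationID/entityID?queryString.
    home_locators carries the hints used to locate the home BE (the
    parameter names callers use here are constructed)."""
    url = "/".join([base_url.rstrip("/"), quote(federation_id, safe=""),
                    quote(entity_id, safe="")])
    if home_locators:
        url += "?" + urlencode(home_locators)
    return url

def parse_entity_descriptor(xml_text):
    """Return (entityID, SingleSignOnService Location) from a SAML 2.0
    EntityDescriptor such as the one the MDS returns on slide 12."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sso = root.find(f".//{{{MD_NS}}}SingleSignOnService")
    return root.get("entityID"), (sso.get("Location") if sso is not None else None)

def peer_identification(expected_cid, cert_uri_sans):
    """Slide 9 peer check, run after normal X.509 validation (trust path,
    signatures, revocation): the component identifier in the peer's
    certificate must equal the entityID taken from its metadata. That the
    CId travels as a URI subjectAltName is an assumption of this example."""
    if expected_cid in cert_uri_sans:
        return True, "certificate CId matches metadata entityID"
    return False, f"certificate CIds {sorted(cert_uri_sans)} do not match {expected_cid}"

# Constructed sample metadata; the URN and host are not real eduGAIN values.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="urn:geant2:example:responder">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://responder.example/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    print(mds_query_url("https://mds.geant.net/", "example-fed",
                        "urn:geant2:example:responder",
                        {"cid": "urn:geant2:example:requester"}))
    cid, location = parse_entity_descriptor(SAMPLE_METADATA)
    print(cid, location)
    print(peer_identification(cid, {"urn:geant2:example:responder"}))
    print(peer_identification(cid, {"urn:geant2:example:other"}))
```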

SLIDE 13

The eduGAIN APIs: Trust Evaluation

[Diagram: the eduGAINVal API, backed by its Configuration, Key Store and Trust Store, answers these calls:]

– Is this trust material (cert/signature) valid? Does it correspond to component X? → Valid/not valid; corresponds to component X
– Sign this piece of data → Signature
– Which trust material to use for connecting? → Trust material

SLIDE 14

The eduGAIN APIs: Metadata Access

[Diagram: the eduGAINMeta API, with its Configuration and built on eduGAINVal, handles these calls:]

– Publish these metadata through MDS server (component metadata) → Publishing result
– Give me metadata about this part of eduGAIN → Metadata
– Which component(s) can be queried to retrieve data about someone with these Home Locators?

SLIDE 15

The eduGAIN APIs: Abstract Service

[Diagram: the eduGAINBase API, with its Configuration and built on eduGAINMeta and eduGAINVal, handles these calls:]

– Create/manipulate an abstract service object → Abstract service object
– Send ASO: (AuthN/Attr/AuthR) request (Vanilla profile) → Corresponding ASO response
– Transform these abstract service objects to/from wire protocol → Abstract service object or Protocol element

SLIDE 16

The eduGAIN APIs: Profile Access

[Diagram: the eduGAIN Profile API, with its Configuration and built on eduGAINBase, eduGAINMeta and eduGAINVal, handles these calls:]

– Is this AuthN/Attr material valid? → Valid/not valid
– Provide data from the requester → Data
– Create/modify a security token → Token
– Should this request be authorized? → Authorization response

SLIDE 17

eduGAIN Profiles

  • Oriented to

– Enable direct federation interaction
– Enable services in a confederated environment

  • Four profiles discussed so far

– WebSSO (Shibboleth browser/POST)
– AC (automated client: no human interaction)
– UbC (user behind non-Web client: use of SASL-CA)
– WE (WebSSO enhanced client: delegation)

  • Others envisaged

– Extended Web SSO (allowing POST data to be sent)
– eduGAIN usage from roaming clients (DAMe)

  • Based on SAML 1.1

– Mapping to SAML 2.0 profiles along the transition period

SLIDE 18

The WebSSO Profile

[Diagram only]

SLIDE 19

The AC Profile

[Diagram only]

SLIDE 20

The UbC Profile

[Diagram only]

SLIDE 21

The WE Profile

[Diagram only]

SLIDE 22

Where We Are

  • Several eduGAIN enabled resources already available using WebSSO

– Eight federations already participating

  • Moving into pilot service

– Registry + PKI + MDS

  • Other profiles already demonstrated

– Network monitoring (PerfSONAR)
– Bandwidth-on-demand (AutoBAHN)

  • Waiting for you to join

– It ain’t difficult