canarie - what do i need to connect with eduroam and shibboleth

Uploaded by: chris-phillips

Posted on: 20-May-2015

DESCRIPTION

A brief discussion of what it means to connect with eduroam and Shibboleth. Technical slides are at the end of the deck.

TRANSCRIPT

1. Canadian Access Federation
What do I need to do on my campus to enable eduroam & Shibboleth?
July 5, 2011
Chris Phillips [email protected]

2. Agenda
Per service:
Value proposition
Technical profile
Skills required
Time required
eduroam (detailed tech slides at the end)
Shibboleth (also detailed tech slides at the end)
More to be found at: http://bit.ly/fedapps (link to Prezi)
3. Use Case: Wireless Access
Without eduroam
User arrives, needs to get onto wireless
Needs to talk to IT staff to get a credential created in the system and a password set
User waits for the account
User uses the known password, signs into wireless
When the user is done, IT should be notified to delete the account and terminate access (right?)
IT deletes the account (right?)
Done
With eduroam
User arrives, needs to get onto wireless, has an eduroam-enabled ID
Opens laptop
User is authenticated by the home system and is online
Done
4. eduroam impact
Reduces:
Effort supporting guest network IDs
Support calls ("How do I...?")
Guest account footprint in your systems
Caveat: eduroam only covers wireless network access, not other services
5. eduRoam @ CANHEIT2011 - McMaster
6. Canadian eduroam Coverage
7. How does eduroam work?
802.1X: authenticate clients before allowing access to the network
EAP framework, with secure (tunnelled) EAP methods such as PEAP and TTLS to protect user credentials in transit
RADIUS: authentication server infrastructure
RADIUS proxying to route authentication requests to a user's home institution, decided by the realm (the part after @ in the outer identity)
Separate IP address space treated as external to the institution (compliance with service agreements, etc.)
End users have standard internet access with as few filters as possible (if any at all)
8. Sample Deployment: Queens
9. Cisco ACS Config
10. Reciprocity
eduroam is about treating guest credentials the way you would like yours to be treated.
Just think about what you would like when you travel:
No filtered connections
No traffic shaping
Public IP address (where possible)
NAT is not ideal, but if you already put people on private IPs today, it will probably work out ok.
11. Onboarding Process
Canada has ~28 of 92 universities on eduroam.
The US has slightly fewer (25), out of 3,000-plus institutions.
eduroam operator:
Standard template for connecting new sites
Policy sign-off followed by technical implementation
Estimated time for Canada federation-level RADIUS server personnel:
On-board a new member site: a few hours to two person-days, depending on member site expertise
General maintenance: ~one person-day per month
eduroam site:
Local implementation from 4 hours to 4 weeks depending on capabilities
Skill: install/operate RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS)
Operational maintenance: same as your AuthN server now
12. Rapid Growth
13. eduroam Questions?
14. Shibboleth Federations Worldwide
15. Past Presentations
This presentation builds on CANHEIT 2010:
Prezi on Building federated applications:
http://bit.ly/fedapps
16. Use Case: New Employee Access to Online Resources
Without Shibboleth
User arrives, needs access to web resources for:
Active Directory
Twiki.canarie.ca
Staff.canarie.ca
Collaborate.canarie.ca
Shared online resources in a 3rd-party wiki
Needs to talk to staff for each service to get a credential created in each system and a password set
User waits for an account for each service
User uses the known password, signs into each service and sets a password
When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
Each service deletes the account (right?)
Done
With Shibboleth
User arrives, needs access to web resources for:
Active Directory
Twiki.canarie.ca
Staff.canarie.ca
Collaborate.canarie.ca
Shared online resources in a 3rd-party wiki
IT staff creates a central account and assigns privileges to access resources centrally
User waits for the account
User changes the password, and all services rely on this password
When the user leaves the organization, this one account is flagged for deletion (right?)
Done
17. Shib Value Proposition
Game changer for integration effort with Shib-ready services
Reduces integration from customization to configuration
Avoids weeks of custom project integration and then maintenance until, well, forever
Lowers the cost of doing business: do better with less
Establishes a centralized policy enforcement point and easier auditability
For new work, establishes a publicly accepted framework to implement to, not your own homegrown framework
18. Rightsize Your Information Sharing
SAML as conduit for information release: release only as much identity as the service needs.
Log in, share nothing: wireless
Log in, share opaque ID: external website where personalization is desired
Log in, share NetID: internal website where personalization is desired and linkage elsewhere is desired
Log in, share NetID + attributes: internal website where personalization is desired, linkage elsewhere is desired, and additional data is needed
19. Infrastructure & Skills
Infrastructure is a single server for the Identity Provider (IdP) (preferably 2 for redundancy)
The IdP is Java and runs in its own servlet container on Jetty, Tomcat, or JBoss
Can cohabitate with existing SSO or be the SSO service itself entirely
Skills/type of person:
The same person managing your SSO environment would be beneficial
Operational effort is log watching and XML configuration
20. Where would you like to go next?
21. Extra Slides
22. Secure Wireless 802.1X
April 27th 2010, Canada eduroam
Diagram: client (id: jdoe) on SSID ubcsecure authenticates against the campus RADIUS server secure.wireless.ubc.ca; wireless encryption is established at the end.
1) Negotiate authentication method: EAP-PEAPv0 with MSCHAPv2 as the inner method
2) Certificate validation: the client checks the RADIUS server's certificate against a trusted CA and the expected server name. This is the step that prevents a man-in-the-middle or rogue access point from terminating the tunnel and seeing the inner exchange.
3) Establish secure (TLS) tunnel: prevents eavesdropping on the credential exchange
4) Perform MSCHAPv2 authentication through the tunnel
5) Authentication successful: establish link-layer encryption, connect to the network
6) Client acquires an IP address (DHCP)
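Step 2 is where the credential is actually protected, and it is the step clients most often skip. As an added example that is not part of the deck, here is the PEAP/MSCHAPv2 profile above written as a wpa_supplicant network block, first with the check missing and then with it present. The CA file path, the RADIUS server name radius.ubc.ca, the anonymous outer identity and the placeholder password are assumptions for illustration.

```conf
# Weak: no CA pinned and no server-name check. Any RADIUS server that
# presents any certificate is accepted, so a rogue "eduroam" access point
# can terminate the TLS tunnel and capture the inner MSCHAPv2 exchange.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@ubc.ca"
    password="replace-me"          # placeholder, not a real credential
    phase2="auth=MSCHAPV2"
}

# Hardened: trust only the CA that issued the home RADIUS server's
# certificate, require the server's name to match it, and keep the real
# username out of the outer identity (the realm is all the proxies need).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@ubc.ca"
    identity="jdoe@ubc.ca"
    password="replace-me"          # placeholder, not a real credential
    ca_cert="/etc/ssl/certs/home-idp-ca.pem"   # assumed path to the home CA
    domain_match="radius.ubc.ca"               # assumed RADIUS server name
    phase2="auth=MSCHAPV2"
}
```

Without ca_cert the supplicant has nothing to validate against; without domain_match any certificate from the pinned CA is accepted, which matters if that CA is a public one that will issue to anybody.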
23. eduroam - Roaming User
Diagram: a user with id [email protected] (home realm sfu.ca) connects at UBC on SSID eduroam. UBC's institution server (realm ubc.ca) forwards the request to the federation server (realm ca), which forwards it to SFU's server (realm sfu.ca), presenting cert eduroam.sfu.ca.
1) Negotiate EAP type: EAP-TTLS with PAP as the inner method
2) Outer request: the client validates the home server's certificate and establishes a TLS tunnel to it. The visited site and the federation proxies see only the outer identity (needed for realm routing) and the encrypted tunnel. PAP through the tunnel is therefore safe: the plaintext password is exposed only to the home server.
3) Inner request: the home server authenticates the user
4) Success: connect to the network, establish encryption
24. eduroam International Roaming
Diagram: the same flow with a confederation server above the national federation servers (realm ca and realm edu). A user [email protected] at a Canadian site (ubc.ca or sfu.ca) is routed institution server -> federation server (ca) -> confederation server -> federation server (edu) -> home institution (mit.edu or ucla.edu), with every hop decided purely by the realm.
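The realm-based proxying described in slide 7 and drawn in slides 23 and 24, as an added Python simulation. This is not code from the deck or from any eduroam operator; real deployments express the same decisions in FreeRADIUS, NPS or ACS realm configuration. The server names (confed, fed-ca, fed-edu), realms and identities are constructed. It shows the three decisions each proxy makes and the cases a practitioner has to handle: an identity with no realm, a realm under a federation's authority with no matching member, an unknown top-level realm, a sub-realm of a member, and two proxies pointing at each other.

```python
"""Simulated eduroam RADIUS realm routing (added example, not code from the deck).

Models the hierarchy the slides draw: institution server -> national federation
server (realm ca / edu) -> confederation server -> foreign federation -> home
institution.  Server names, realms and identities are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


class RouteError(Exception):
    """Access-Request rejected; `at` names the server that rejected it."""

    def __init__(self, at: str, reason: str) -> None:
        super().__init__(f"{at}: {reason}")
        self.at = at


@dataclass
class RadiusServer:
    name: str
    authority: str | None = None                            # realm suffix this server is authoritative for
    local_realms: set[str] = field(default_factory=set)     # realms authenticated on this server
    members: dict[str, RadiusServer] = field(default_factory=dict)  # realm suffix -> downstream server
    parent: RadiusServer | None = None                      # upstream proxy; None at the top of the tree


def _under(realm: str, suffix: str) -> bool:
    """True if realm is suffix itself or a sub-realm of it (dot boundary, not a substring match)."""
    return realm == suffix or realm.endswith("." + suffix)


def realm_of(outer_identity: str) -> str:
    """Realm of an outer identity such as anonymous@ubc.ca: everything after the *last* '@'.

    'a@b@evil.ca' therefore routes to evil.ca, not b@evil.ca.  A missing, empty or
    whitespace-containing realm raises ValueError: it can never be routed and must
    be rejected locally rather than proxied.
    """
    _user, sep, realm = outer_identity.rpartition("@")
    realm = realm.strip().lower().rstrip(".")
    if not sep or not realm or any(ch.isspace() for ch in realm):
        raise ValueError(f"unroutable identity {outer_identity!r}")
    return realm


def route(start: RadiusServer, outer_identity: str, max_hops: int = 6) -> list[str]:
    """Names of the servers an Access-Request passes through, home server last.

    At each server: answer locally if the realm is ours; else forward to the most
    specific downstream member; else reject if we are authoritative for the suffix
    (unknown member); else forward to the parent, rejecting at the top of the tree.
    max_hops bounds the walk so two proxies pointing at each other cannot loop.
    """
    try:
        realm = realm_of(outer_identity)
    except ValueError as exc:
        raise RouteError(start.name, str(exc)) from None
    path: list[str] = []
    node: RadiusServer | None = start
    while node is not None:
        path.append(node.name)
        if len(path) > max_hops:
            raise RouteError(node.name, "hop limit exceeded: " + " -> ".join(path))
        if any(_under(realm, r) for r in node.local_realms):
            return path
        delegations = [s for s in node.members if _under(realm, s)]
        if delegations:
            node = node.members[max(delegations, key=len)]   # longest suffix wins
            continue
        if node.authority is not None and _under(realm, node.authority):
            raise RouteError(node.name, f"no member for realm {realm!r}")
        if node.parent is None:
            raise RouteError(node.name, f"unknown top-level realm {realm!r}")
        node = node.parent
    raise AssertionError("unreachable")


def rejected_at(start: RadiusServer, outer_identity: str) -> str | None:
    """Name of the server that rejected the request, or None if it reached a home server."""
    try:
        route(start, outer_identity)
    except RouteError as exc:
        return exc.at
    return None


def build_topology() -> dict[str, RadiusServer]:
    """Constructed topology mirroring slides 23 and 24; all names are illustrative."""
    confed = RadiusServer("confed")
    fed_ca = RadiusServer("fed-ca", authority="ca", parent=confed)
    fed_edu = RadiusServer("fed-edu", authority="edu", parent=confed)
    confed.members = {"ca": fed_ca, "edu": fed_edu}
    ubc = RadiusServer("ubc.ca", local_realms={"ubc.ca"}, parent=fed_ca)
    sfu = RadiusServer("sfu.ca", local_realms={"sfu.ca"}, parent=fed_ca)
    mit = RadiusServer("mit.edu", local_realms={"mit.edu"}, parent=fed_edu)
    fed_ca.members = {"ubc.ca": ubc, "sfu.ca": sfu}
    fed_edu.members = {"mit.edu": mit}
    return {s.name: s for s in (confed, fed_ca, fed_edu, ubc, sfu, mit)}


if __name__ == "__main__":
    net = build_topology()
    for ident in ("jdoe@ubc.ca", "anonymous@sfu.ca", "jdoe@mit.edu", "jdoe", "jdoe@notubc.ca"):
        who = rejected_at(net["ubc.ca"], ident)
        print(ident, "-> REJECTED at " + who if who else "-> " + " -> ".join(route(net["ubc.ca"], ident)))
```

The two rejection points are deliberate: a federation server that is authoritative for .ca answers "no such member" itself instead of bouncing the request to the confederation, and an identity with no realm is refused by the first server it hits rather than proxied anywhere.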
25. Dispelling Some Shibboleth Myths
26. My App Can't Be Federated in CAF Because...
It is limited to regional/specific identities
Reply: No problem! This is a Virtual Organization.
A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
VOs can exist within institutional boundaries but are most effective when constituted to operate across, and to unify participants in, different physical or institutional limits.
Primary purpose is to pursue the shared topic or topics.
27. Virtual Organization pt 2
CAF is an environment where VOs flourish:
Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying with attribute profiles to participate
Autonomy is retained by the VO & its members to focus on the topic
CAF focus is on the dial-tone infrastructure for collaboration: IdP & SP management practices and operations, and middleware elements
Examples in Canada are:
Regional Learning Management Systems
Transcript or application management
Research 'desktops' that aggregate tools for researchers
Techniques to implement on the SP end:
Use shibboleth2.xml & other configuration to whitelist participants (a metadata filter that admits only the VO's IdPs) [1]
Consider using eduPersonEntitlement to express fine-grained filtering at the application level:
eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
eduPersonEntitlement: http://publisher.example.com/contract/GL12
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
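The two SP-side techniques above, whitelisting participants and filtering on eduPersonEntitlement, as they look from inside the application. This is an added example, not code from the deck, from CAF or from the Shibboleth project. It assumes the SP's default attribute-map.xml (which exposes eduPersonEntitlement to the application as "entitlement") and the SP-provided variable Shib-Identity-Provider, which carries the entityID of the asserting IdP; the entityID whitelist and the sample requests are constructed. The entitlement value is the one quoted on the slide.

```python
"""Application-side authorization behind a Shibboleth SP (added example, not from the deck).

Assumes the SP's default attribute-map.xml, which exposes eduPersonEntitlement to
the application as "entitlement", and the SP-provided variable Shib-Identity-Provider,
which carries the entityID of the IdP that made the assertion.  The whitelist and
the sample requests are constructed.
"""
from __future__ import annotations

# Constructed VO whitelist: entityIDs of the IdPs admitted to this service.
ALLOWED_IDPS = frozenset({"https://idp.example.ca/idp/shibboleth"})
# The entitlement value is the one quoted on the slide.
REQUIRED_ENTITLEMENT = "urn:mace:washington.edu:confocalMicroscope"


def split_shib_values(raw: str) -> list[str]:
    """Split a multi-valued attribute the way the Shibboleth SP delivers it.

    The SP joins values with ';' and escapes a ';' inside a value as '\\;', so a
    naive raw.split(';') would cut such a value in two.  Empty values are dropped.
    """
    values: list[str] = []
    current: list[str] = []
    i = 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped delimiter is part of the value
            i += 2
        elif raw[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return [v for v in values if v]


def authorize(request_env: dict[str, str]) -> tuple[bool, str]:
    """Return (allowed, reason) for one request from the SP-populated variables.

    Both checks are exact matches: an IdP outside the VO is refused even if it
    asserts the right entitlement, and an entitlement must match as a whole URI,
    never as a prefix or substring.
    """
    idp = request_env.get("Shib-Identity-Provider", "")
    if idp not in ALLOWED_IDPS:
        return False, f"IdP not in the virtual organization: {idp or '<none>'}"
    entitlements = set(split_shib_values(request_env.get("entitlement", "")))
    if REQUIRED_ENTITLEMENT not in entitlements:
        return False, "required eduPersonEntitlement not asserted"
    return True, "ok"


# Constructed samples of what the SP would populate for three different users.
SAMPLE_REQUESTS = {
    "member_with_entitlement": {
        "Shib-Identity-Provider": "https://idp.example.ca/idp/shibboleth",
        "entitlement": "urn:mace:washington.edu:confocalMicroscope;"
                       "http://publisher.example.com/contract/GL12",
    },
    "member_without_entitlement": {
        "Shib-Identity-Provider": "https://idp.example.ca/idp/shibboleth",
        "entitlement": "http://publisher.example.com/contract/GL12",
    },
    "outsider_with_entitlement": {
        "Shib-Identity-Provider": "https://idp.elsewhere.example/idp/shibboleth",
        "entitlement": "urn:mace:washington.edu:confocalMicroscope",
    },
}

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(f"{label}: {authorize(env)}")
```

Read these values from the environment the SP populates (for example the WSGI environ), not from HTTP request headers, unless the SP sits in front of the application and strips any client-supplied copies; otherwise a caller can simply send its own Shib-Identity-Provider and entitlement headers. The metadata filter in shibboleth2.xml stops unwanted IdPs before an assertion is ever accepted; the in-application check is the second line that also enforces the entitlement.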
28. My App Can't Be Federated in CAF Because...
I need to exchange special attributes
Reply: No problem!
CAF's default is share-nothing
eduPerson is the default attribute set
Where insufficient, the SP should work out the details with its partners on what extra elements it needs
CAF recommends that the SP have proper OIDs for its attributes (an OID arc can be registered with IANA for free)
OIDs provide uniqueness, but we humans like text names that are unique too.
29. Enhancing Attribute Exchanges
Share-nothing today, but uses the eduPerson schema
Finding that this may be a paradox of choice
Very interesting space to explore, but keep in mind the principles:
Low friction to participate (i.e. simplicity is good)
Scalable, with a high degree of relevancy and utility
Don't punish the end user or IdP owner
Interop across Canada and internationally
Many areas to explore:
Use the SCHAC [1] technique for attributes? ("urn:schac:dom.ain:Attribute:value")
Use the Australian [2] approach for precise control, strong typing and vocabulary?
Require full participation in various attribute sets (i.e. MUST populate all fields) but in different categories of SPs (category 1, 2, 3, etc.)?
Hybrid?
[1] http://www.terena.org/mail-archives/schac/msg00371.html
[2] http://www.aaf.edu.au/technical/aaf-core-attributes/
30. My App Can't Be Federated in CAF Because...
I need a higher level of assurance for a user
Reply: OK, we want this too; what are your requirements?
Challenge is how you want to express it and what your criteria are for the higher level of assurance
Part of a larger conversation
What is the yardstick?
NIST 800-63?
NSTIC, OIX, Kantara audit requirements?
Audit of the SP against its own statements?
If you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
31. My App Can't Be Federated in CAF Because...
I need to sign in on the command line
Reply: OK, we want this too.
Already participating internationally with UK JISC on Project Moonshot: a combination of eduroam RADIUS transport and SAML attribute assertions
Live CDs of the sample dev environment available from Chris
Again, if you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
32. My App Can't Be Federated in CAF Because...
I need to sign in with social identities (Google, OpenID)
Reply: No problem, it can be done
Already participating internationally with REFEDS & InCommon on social identity risk assessment and gateway designs [1]
Certain gateways exist from UPenn & Sweden [2]
Many unquantified risks at this time, but it does work:
User behind the keyboard is unknown
Attributes are self-asserted
No knowledge of the value of the account to the person
This is an active area of conversation.
[1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
[2] https://tnc2011.terena.org/getfile/558
33. My App Can't Be Federated in CAF Because...
I don't think CAF is as highly available as I want it to be
Reply: OK, did you know the following?
CAF services reside in 3 provinces (Ontario, BC, and Quebec) and have redundant DNS entries with live failover
What are your service criteria, so we may understand them better?
34. FYI about availability
35. Your Turn
Looking for more conversation and discussion?
Join the CAF-Shib technical list to discuss the topics:
[email protected]