![Page 1: High-quality Internet for higher education and research do you like to puzzle, build an AAI ! xxx AA systems 2nd EuroCAMP - Porto November 8, 2005 Bart.Kerver@SURFnet.nl](https://reader036.vdocument.in/reader036/viewer/2022062321/56649ebb5503460f94bc42f6/html5/thumbnails/1.jpg)
High-quality Internet for higher education and research
Do you like to puzzle? Build an AAI!
AA systems
2nd EuroCAMP - Porto, November 8, 2005
Bart.Kerver@SURFnet.nl
Presentation outline
• Drivers for an AAI;
• The pieces of the AAI-puzzle;
– network and application access, login, authentication, authorisation, identity management;
• Assessments of some AA systems;
• Federations;
• Standards;
• Developments;
Why AAI? Network mobility
Why AAI? Educational mobility
Why AAI? Personalised service provisioning
Why AAI? Reduce the digital key ring
Ingredients of an AAI
Diagram labels: Network, Login, (web) Application, Authentication, Authorisation, Administration
Network access: RADIUS infrastructure
Diagram (network layer): Organisational RADIUS Servers A, B and C, National RADIUS Proxy Servers, European RADIUS Proxy Servers
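The proxy hierarchy on this slide (organisational server, national proxy, European proxy) works by forwarding a request on the realm part of the username until it reaches the user's home server, which is the only place the credential is checked. The following is an added worked example of that routing, not SURFnet, eduroam or any other deck system's code: server names, realms, users and passwords are constructed, and the forwarding rules it uses (exact realm first, then country code, then upstream, with a loop guard and a reject for realms nobody claims) are assumptions of the example rather than a description of the slide's actual deployment.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RadiusServer:
    """One RADIUS server or proxy in the hierarchy (hypothetical model)."""
    name: str
    local_realms: set = field(default_factory=set)   # realms authenticated on this server
    routes: dict = field(default_factory=dict)        # realm or country code -> downstream server
    parent: Optional["RadiusServer"] = None           # upstream proxy, None at the top
    users: dict = field(default_factory=dict)         # realm -> {username: password}, constructed

    def authenticate(self, user: str, password: str, path: list) -> tuple:
        """Return ('Accept' | 'Reject', list of server names the request traversed)."""
        path.append(self.name)
        if "@" not in user:
            # An unqualified username cannot be routed; refuse rather than guess a realm.
            return "Reject", path
        username, realm = user.rsplit("@", 1)
        if realm in self.local_realms:
            # Home server: the only hop that ever sees and checks the credential.
            ok = self.users.get(realm, {}).get(username) == password
            return ("Accept" if ok else "Reject"), path
        # Downward routing: exact realm first, then the realm's country/top-level code.
        downstream = self.routes.get(realm) or self.routes.get(realm.rsplit(".", 1)[-1])
        if downstream is not None and downstream.name not in path:
            return downstream.authenticate(user, password, path)
        if self.parent is not None and self.parent.name not in path:
            return self.parent.authenticate(user, password, path)
        # Top of the hierarchy, or looped back: nobody claims this realm, so fail closed.
        return "Reject", path


def build_demo_hierarchy() -> RadiusServer:
    """Constructed topology: two organisations in two countries under one European proxy.
    Returns the organisational server where a visiting user's request enters."""
    eu = RadiusServer("proxy.eu")
    nat_pt = RadiusServer("proxy.nren.pt", parent=eu)
    nat_nl = RadiusServer("proxy.nren.nl", parent=eu)
    org_a = RadiusServer("radius.uni-a.pt", local_realms={"uni-a.pt"}, parent=nat_pt,
                         users={"uni-a.pt": {"carol": "pw-carol"}})
    org_b = RadiusServer("radius.uni-b.nl", local_realms={"uni-b.nl"}, parent=nat_nl,
                         users={"uni-b.nl": {"alice": "s3cret"}})
    nat_pt.routes["uni-a.pt"] = org_a
    nat_nl.routes["uni-b.nl"] = org_b
    eu.routes.update({"pt": nat_pt, "nl": nat_nl})
    return org_a


def roam(user: str, password: str) -> tuple:
    """A user connecting to organisation A's network; the request enters at A's server."""
    return build_demo_hierarchy().authenticate(user, password, [])


if __name__ == "__main__":
    for u, p in [("alice@uni-b.nl", "s3cret"), ("carol@uni-a.pt", "pw-carol"),
                 ("bob@nowhere.de", "x"), ("alice", "s3cret")]:
        result, path = roam(u, p)
        print(f"{u}: {result} via {' -> '.join(path)}")
```

The path returned for the roaming user shows the full round trip through both national proxies and the European proxy, which is also where a diagnostics view (later in the deck) would have to correlate events; the unknown-realm and unqualified-username cases show the two places a proxy should reject rather than forward indefinitely.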
Network access: User-controlled light path provisioning
Diagram (network layer): Applications, AAA, Broker and Services for each of SURFnet6, NetherLight, OMNInet and Starlight, linked through UDDI/WSIL, with an A-Select token
Application access: centralise intelligence
Diagram layer: applications
Login server: intermediary between application and AA: provide SSO
Diagram layer: login
Authentication: choose your own method (and strength)
• IP address
• Username / password
– LDAP / Active Directory
– RADIUS
– SQL
• Passfaces
• PKI certificate
• OTP through SMS
• OTP through internet banking
• Tokens (SecurID, Vasco, …)
• Biometrics
• …
Diagram layer: authentication
Authorisation: Policy engines
Diagram layer: authorisation
Authorisation: Policy engines, e.g. use ‘roles’
Diagram layer: authorisation
Authorisation: 3 scenarios
1. Authentication = authorisation (‘simple’)
2. Identity plus a few attributes (‘commonly used’)
3. Privacy-preserving negotiation about attributes to be exchanged (‘ideal and upcoming’)
Diagram layer: authorisation
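The three scenarios above, as an added worked example that is not part of the original slides or of any product named in the deck: a small role/attribute policy engine of the kind the previous slide suggests, where scenario 1 is a policy with no attribute requirements (being authenticated is enough), scenario 2 adds a role or affiliation requirement, and scenario 3 is modelled by a per-user release consent at the home organisation so that only the attributes the service asks for, and the user has agreed to release, ever cross the domain boundary. All users, passwords, attribute names, roles and resources are constructed; the `release_consent` mechanism is an assumption of the example, not a feature of any specific system.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Service-provider rule for one resource: attribute name -> acceptable values.
    An empty `required` is scenario 1: any authenticated user is permitted."""
    resource: str
    required: dict = field(default_factory=dict)

    def decide(self, authenticated: bool, attrs: dict) -> str:
        if not authenticated:
            return "deny"
        for name, acceptable in self.required.items():
            # Fail closed: a missing attribute or a non-matching value denies access.
            if not acceptable & set(attrs.get(name, [])):
                return "deny"
        return "permit"


@dataclass
class IdentityProvider:
    """Home organisation: authenticates its users and releases attributes.
    Scenario 3: release only what was asked for AND what the user consented to."""
    users: dict            # username -> {"password": str, "attrs": {name: [values]}}
    release_consent: dict  # username -> set of attribute names the user allows out

    def authenticate(self, user: str, password: str) -> bool:
        rec = self.users.get(user)
        return rec is not None and rec["password"] == password

    def release(self, user: str, requested: set) -> dict:
        allowed = requested & self.release_consent.get(user, set())
        return {n: v for n, v in self.users[user]["attrs"].items() if n in allowed}


def access(idp: IdentityProvider, user: str, password: str, policy: Policy) -> tuple:
    """One access attempt: authenticate at the IdP, negotiate attributes, decide at the SP.
    Returns (decision, the attributes that actually left the home organisation)."""
    if not idp.authenticate(user, password):
        return "deny", {}
    released = idp.release(user, set(policy.required))
    return policy.decide(True, released), released


# Constructed sample data: one IdP with two users, and one resource per scenario.
IDP = IdentityProvider(
    users={
        "alice": {"password": "pw-alice",
                  "attrs": {"role": ["staff"], "affiliation": ["uni-a.pt"], "email": ["alice@uni-a.pt"]}},
        "bob": {"password": "pw-bob",
                "attrs": {"role": ["student"], "affiliation": ["uni-a.pt"], "email": ["bob@uni-a.pt"]}},
    },
    release_consent={"alice": {"role", "affiliation"}, "bob": {"affiliation"}},
)
CAMPUS_WIKI = Policy("campus-wiki")                                        # scenario 1
GRADE_BOOK = Policy("grade-book", {"role": {"staff"}})                      # scenario 2
E_JOURNAL = Policy("e-journal", {"affiliation": {"uni-a.pt", "uni-b.nl"}})  # scenario 2/3

if __name__ == "__main__":
    for u, p, pol in [("bob", "pw-bob", CAMPUS_WIKI), ("alice", "pw-alice", GRADE_BOOK),
                      ("bob", "pw-bob", GRADE_BOOK), ("bob", "pw-bob", E_JOURNAL)]:
        decision, released = access(IDP, u, p, pol)
        print(f"{u} -> {pol.resource}: {decision}, released {released}")
```

Two points worth noticing in the output: the e-mail address is never released because no policy asks for it, and a user who has not consented to releasing `role` is denied at the grade book rather than having the attribute sent anyway, which is the privacy-preserving half of scenario 3.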
Administration: Identity Management
• How to record the identities (schemas), credentials (attributes or roles), and privileges?
• Enterprise (or meta) directory to glue all sources of information together;
• Quality of registration is CRUCIAL for AuthN and AuthZ;
• It’s the underlying basis for an AAI;
• …and it’s a hype…
Diagram layer: administration
Quick assessment of current AA systems
• Web login (authentication) systems
– Athens, A-Select, CAS, CoSign, Pubcookie
• Authorisation systems
– PAPI, PERMIS, Shibboleth, SPOCP
– Portal products (Oracle, SiteMinder, Sun One, uPortal)
Web login systems (A-Select, CAS, CoSign, Pubcookie, …)
Diagram: position of these systems among the AAI ingredients (Network, Login, (web) Application, Authentication, Authorisation, Administration)
Web login systems (Athens)
Diagram: position of this system among the AAI ingredients (Network, Login, (web) Application, Authentication, Authorisation, Administration)
Portal products (Oracle, SiteMinder, Sun One, uPortal)
Diagram: position of these products among the AAI ingredients (Network, Login, (web) Application, Authentication, Authorisation, Administration)
Authorisation products (PERMIS, SPOCP)
Diagram: position of these products among the AAI ingredients (Network, Login, (web) Application, Authentication, Authorisation, Administration)
Authorisation products (PAPI)
Diagram: position of this product among the AAI ingredients (Network, Login, (web) Application, Authentication, Authorisation, Administration)
Authorisation products: Shibboleth
Diagram: Group A, Group B
Cross-domain AA: Ingredients for a federation
• Policies (e.g. InCommon* from Internet2):
– Federation Operating Practices and Procedures
– Participant Agreement
– Participant Operating Practices
• Technologies:
– Protocols / language
– Schemas
– Trust / PKI
* http://www.incommonfederation.org/
Diagram: Group A, Group B
What about… …standards?
• Currently many proprietary solutions (sockets, cookies, redirects, …)
• Webservices (SOAP, XML RPC, WSDL, WS-*)
• SAML (1.1 -> 2.0)
• For federations:
– WS-Federation (Microsoft, IBM)
– SAML (OASIS: 150 companies, Internet2)
– Liberty Alliance (Sun, 170 companies)
What about… …future developments (in the research world)?
• Need for:
– Converging or dominant standard(s), meaning better interoperability between the pieces of the puzzle
– Attention to non-web-based applications (e.g. Grids)
– Universal Single Sign-On across network and application domain
– (Error-) Diagnostics across federations!
Middleware diagnostics: what if there’s an error?
Diagram labels: Security Related Events, Middleware Related Events, Network Related Events, Collection and Normalization of Events, Dissemination Network, Group A, Group B
Diagnostic applications (Middleware, Network, Security) can extract event data from multiple data sets
Homework
but before that...
Manage your identities...
References
• AAI terminology
• Athens
• A-Select
• CAS
• CoSign
• eduroam
• Internet2 Federation
• Middleware diagnostics
• NSF Middleware Initiative
• Privilege Management
• Shibboleth
• Swiss Federation
Thank you!
Questions?