1
Bootstrapping a global SSO from network access
control mechanisms
EuroPKI 2007
Fourth European PKI Workshop: Theory and Practice,
28-30 June 2007, Mallorca, Balearic Islands (Spain)
  • Manuel Sánchez (msc_at_dif.um.es)
  • Gabriel López (gabilm_at_dif.um.es)
  • Óscar Cánovas (ocanovas_at_ditec.um.es)
  • Antonio F. Gómez-Skarmeta (skarmeta_at_dif.um.es)

2
Agenda
  • Introduction
  • DAMe project
  • eduGAIN
  • SSO scenario
  • Proposal
  • Conclusions
  • Future Work

4
Federations
  • Emergence of federated approaches to resource
    sharing
  • Trust links are established among different
    autonomous institutions
  • Shared resources, single identity
  • Main examples: eduroam, InCommon, HAKA, SWITCH
  • Underlying technologies: Shibboleth, PAPI,
    Liberty Alliance
    • More focused on authentication than
      authorization
  • Federating requires efforts related to mobility,
    exchange of secure information and
    heterogeneous proposals

Introduction - DAMe project - eduGAIN - SSO
scenario - Proposal - Conclusions - Future work
5
eduroam
  • The TERENA Mobility Task Force defined an
    inter-NREN roaming architecture (eduroam) based
    on the 802.1X standard and AAA servers (RADIUS)
    • Top-level RADIUS server provided by TERENA
    • National RADIUS servers from the NRENs connect
      to this one
    • Institutions connect to their national RADIUS
      server
  • However, the eduroam infrastructure is only used
    for authentication
    • Different services cannot be provided to
      different users
    • No additional information (user attributes) is
      taken into account
    • Authorized users may have additional resources
      at their disposal

6
eduroam in use
  • A user from Inst. A wants to access the eduroam
    network in Inst. B
  • The user associates with the wireless AP, which
    contacts the local RADIUS server in order to
    authenticate the user
  • The server identifies that the user belongs to a
    different domain (from the realm in the user
    identifier). The authentication request is
    forwarded through the RADIUS hierarchy to the
    server in the home institution
  • The user is authenticated and the response is
    routed back to Inst. B, where the AP enables the
    requested connection
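
The realm-based forwarding described on this slide, as an added example that is not code from the slides or from the DAMe project. It generalises the single Inst. A to Inst. B case to any pair of institutions (same or different national server) and rejects identifiers without a realm or with a realm no server claims; all server names, realms and the hierarchy are constructed for illustration.

```python
# Constructed eduroam-style RADIUS hierarchy (all names are made up for this
# example): each server knows its parent proxy and the realms it serves directly.
HIERARCHY = {
    "radius.inst-a.example": {"parent": "radius.nren-es.example", "realms": {"inst-a.example"}},
    "radius.inst-b.example": {"parent": "radius.nren-es.example", "realms": {"inst-b.example"}},
    "radius.inst-c.example": {"parent": "radius.nren-de.example", "realms": {"inst-c.example"}},
    "radius.nren-es.example": {"parent": "radius.top.example", "realms": set()},
    "radius.nren-de.example": {"parent": "radius.top.example", "realms": set()},
    "radius.top.example": {"parent": None, "realms": set()},
}


def split_identifier(identifier):
    """Split a 'user@realm' identifier; reject anything without exactly one realm."""
    user, sep, realm = identifier.partition("@")
    if not sep or not user or not realm or "@" in realm:
        raise ValueError("identifier must be user@realm: %r" % identifier)
    return user, realm


def home_server(realm, hierarchy):
    """Return the server that serves the realm directly, or None if no one claims it."""
    for name, node in hierarchy.items():
        if realm in node["realms"]:
            return name
    return None


def path_to_root(server, hierarchy):
    """List the servers from 'server' up to the top-level proxy."""
    chain = []
    while server is not None:
        chain.append(server)
        server = hierarchy[server]["parent"]
    return chain


def route_request(identifier, visited_server, hierarchy=HIERARCHY):
    """Servers the authentication request traverses: from the visited institution's
    RADIUS server up to the first proxy shared with the home server, then down to
    the home server. A local realm yields a one-element path; an unknown realm
    cannot be routed at all, which is the failure a misconfigured realm produces."""
    _, realm = split_identifier(identifier)
    home = home_server(realm, hierarchy)
    if home is None:
        raise LookupError("unknown realm %r: request cannot be routed" % realm)
    up_from_visited = path_to_root(visited_server, hierarchy)
    up_from_home = path_to_root(home, hierarchy)
    for i, server in enumerate(up_from_visited):
        if server in up_from_home:
            j = up_from_home.index(server)
            return up_from_visited[:i + 1] + up_from_home[:j][::-1]
    raise LookupError("no common proxy between %s and %s" % (visited_server, home))
```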

8
Partners
  • DFN (German NREN)
  • RedIris (Spanish NREN)
  • University of Stuttgart
  • University of Murcia

9
Main goals
  • Authentication, but also authorization, is
    needed in order to provide appropriate network
    access
    • The user's identity alone is not enough
    • Institutions can offer different QoS
      parameters to different users
    • The decision should be taken considering the
      user's attributes
  • User mobility is becoming more and more frequent
    • Several institutions must cooperate at several
      levels
  • DAMe defines a unified authn and authz system for
    federated services hosted in the eduroam network
  • Application-level services can take advantage of
    the network access mechanism in order to
    bootstrap a seamless global SSO

10
uSSO motivation
  • Alice belongs to institution A, but she has to
    move to institution B
  • In Inst. B, Alice can access the network using
    eduroam
  • Now Alice wants to access a protected resource
    from Inst. C
  • It could be interesting to take advantage of the
    previous network authentication to authorize
    Alice to access the resource
  • Alice should present to the resource some kind of
    token received during the previous network
    authentication

12
eduGAIN
  • Main goal: to build an interoperable authn and
    authz infrastructure to interconnect different
    existing federations
  • In this way, eduGAIN provides the infrastructure
    needed to interconnect the federations in DAMe
  • eduGAIN is responsible for:
    • Finding the federation a roaming user belongs
      to
    • Translating messages between the federation
      languages and eduGAIN
    • Guaranteeing trust among the participant
      institutions
  • This is achieved by defining a set of common
    services:
    • Bridging Element (BE): confederation-aware
      element
    • Metadata Service (MDS): point for publishing
      information

13
eduGAIN
  • When a roaming user accesses the remote network:
    • The home federation of the roaming user is
      located by the remote BE, which obtains the
      information from the MDS
    • Then the appropriate authn and authz requests
      are translated and routed by the remote BE
      towards the user's home institution
  • The specific way the authn and authz processes
    are carried out is defined by different
    profiles:
    • Web SSO: compatible with Shibboleth
    • Automated client: no human intervention

15
SSO scenario
  • This proposal follows the guidelines defined by
    GEANT2 in its uSSO framework
  • The user owns valid credentials from his home
    institution (HI)
  • The HI belongs to a federation where those
    credentials are valid
  • Authz decisions are taken locally at the remote
    institution (RI)
  • The confederation provides mechanisms to exchange
    data
  • There is a local federator adaptor (LFA) in each
    federation which decides whether messages are
    processed locally or must be sent to another
    federation
  • Roaming users authenticate remotely against
    their HI and receive a token
  • The token is used later to access protected
    resources

17
Architecture
Architecture - Network authn - Token delivery -
Resource access
18
Network authentication
19
Token delivery
Some mechanism is needed to deliver the token to
the user securely. Data is transmitted by means of
Type-Length-Value (TLV) objects through the tunnel.
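
An added example, not code from the slides or the DAMe project, of packing the signed token into TLV objects on the home institution side and parsing and verifying it on the supplicant side. Assumptions: a 2-byte type and 2-byte length per object, the type numbers below, and an HMAC under a shared key standing in for the home institution's signature; the parser refuses truncated or duplicated objects rather than accepting a partial message arriving through the tunnel.

```python
import hashlib
import hmac
import struct

# Hypothetical TLV type numbers for this example (the slides do not define them).
TLV_TOKEN = 1
TLV_SIGNATURE = 2


def encode_tlv(tlv_type, value):
    """Encode one Type-Length-Value object: 2-byte type, 2-byte length, value bytes."""
    if len(value) > 0xFFFF:
        raise ValueError("value too long for a 16-bit length field")
    return struct.pack("!HH", tlv_type, len(value)) + value


def decode_tlvs(data):
    """Parse a byte string into (type, value) pairs; a truncated object raises
    instead of silently reading past the end of the buffer."""
    tlvs, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated TLV header at offset %d" % offset)
        tlv_type, length = struct.unpack_from("!HH", data, offset)
        offset += 4
        if len(data) - offset < length:
            raise ValueError("TLV value runs past the buffer at offset %d" % offset)
        tlvs.append((tlv_type, data[offset:offset + length]))
        offset += length
    return tlvs


def build_token_message(token, key):
    """Home institution side: sign the token and pack token and signature as TLVs.
    HMAC-SHA256 under a shared key stands in for the institution's signature (assumption)."""
    sig = hmac.new(key, token, hashlib.sha256).digest()
    return encode_tlv(TLV_TOKEN, token) + encode_tlv(TLV_SIGNATURE, sig)


def extract_verified_token(message, key):
    """Supplicant side: parse the TLVs and return the token only if both fields are
    present exactly once and the signature verifies; otherwise return None."""
    fields = {}
    for tlv_type, value in decode_tlvs(message):
        if tlv_type in fields:
            return None  # duplicated object: treat the message as malformed
        fields[tlv_type] = value
    token, sig = fields.get(TLV_TOKEN), fields.get(TLV_SIGNATURE)
    if token is None or sig is None:
        return None
    expected = hmac.new(key, token, hashlib.sha256).digest()
    return token if hmac.compare_digest(expected, sig) else None
```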
20
Resource access
22
Conclusions
  • Institutions belonging to a federation require
    authentication in order to protect shared
    resources
  • These resources range from the network to
    high-level services such as the grid
  • We identified the design of a unified SSO
    mechanism as an interesting research activity
  • One of the main features of this proposal is the
    seamless link between authn processes at
    different levels
  • The delivery of a signed token during the network
    access phase provides the functionality needed
    to bootstrap the SSO system

23
Conclusions
  • The definition of PEAP-based protocols does not
    impose the use of new authn methods from the
    institution's point of view
  • The use of eduGAIN guarantees interoperability
    among different types of resources located at
    different organizations

25
Future work
  • We are implementing the PEAP supplicant and
    defining the middleware for managing the SSO
    token obtained by the user
