Technical Developments within the UK Access Management Federation
Presentation at the JISC Access Management Transition Programme from Josh Howlett, UKERNA. This presentation describes the technical developments that are planned within the UK Access Management Federation

Published in: Technology, Education

  1. UK federation development. Access Management Transition Meeting, 30 May 2007. Josh Howlett, UKERNA.
  2. Overview
     - Improving Discovery
     - Extending our use of metadata
     - Shibboleth 2.0
     - Other access management products
     - Inter-federation
     - Integration with eduroam
  3. Discovery
     - What is the ‘discovery problem’?
       - SAML 1.x
         - ‘IdP-first’ only.
         - Intended for small numbers of known partners; discovery is managed by the application.
       - Shibboleth 1.x
         - Shibboleth Authentication Request Profile is ‘SP-first’.
         - Intended for large numbers of possible partners; discovery is typically managed by the WAYF service.
       - WAYF issues: usability and scalability.
  4. Discovery
     - Service Provider side discovery
       - Preferred approach.
       - SPs know their customers.
       - Shibboleth 2.0 SP will probably provide some assistance.
     - Discovery service
       - Enables an SP to hand over discovery to a third party.
       - Potential for use of heuristics such as the IP address of the user agent.
  5. Metadata
     - What is federation metadata?
       - “In architecture, a keystone is the stone at the top of an arch. It is the supporting element for the entire arch — without it the arch would collapse.” – Wikipedia
       - Functions
         - A directory of federation participants – where?
         - A description of their capabilities – what?
         - Establishment of technical trust – who?
  6. Metadata
     - Trust
       - PKI trust (today)
         - Entity metadata gives the claimed “KeyName”.
         - The “KeyName” must match that given in an entity’s certificate, issued by a trusted CA.
       - Problems
         - Trust validation is expensive and contains redundancy.
         - PKI can be difficult (support problems).
         - Some SAML 2.0 features (e.g. attribute encryption) require access to entities’ public keys.
  7. Metadata
     - Trust
       - Direct key operation
         - Public keys embedded directly in metadata (or wrapped within a certificate in metadata).
         - Available in Shibboleth 1.3+.
       - Hybrid operation
         - Use both PKI trust and direct key.
         - Currently in testing; may be made more widely available in the future.
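The two trust models from slides 6 and 7, as an added example that is not code from the presentation or from Shibboleth: a small parser over a constructed SAML 2.0 metadata fragment, with PKI-mode validation (the certificate's subject CN must match the claimed KeyName and the issuer must be a trusted CA), direct-key validation (the presented certificate must be the one embedded in metadata), the hybrid combination, and a lookup showing that only direct-key metadata can supply a peer's public key for attribute encryption. `PresentedCert`, the entity IDs, the CA name and the certificate value are constructed stand-ins; CN-only matching and the direct-key-first ordering in hybrid mode are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed metadata: IdP with a KeyName only (PKI trust), SP with its cert embedded (direct key).
METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.example.ac.uk/shibboleth"><md:IDPSSODescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>idp.example.ac.uk</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor></md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      CONSTRUCTED-SP-CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor></md:EntityDescriptor>
</md:EntitiesDescriptor>"""

@dataclass(frozen=True)
class PresentedCert:  # stand-in for a parsed X.509 certificate seen on the wire
    subject_cn: str  # subject CN (subjectAltName matching omitted for brevity)
    issuer: str      # name of the issuing CA
    blob: str        # stand-in for the DER bytes a real implementation compares

def load_keys(metadata_xml):
    """Map entityID -> (KeyNames, embedded certificates) from SAML 2.0 metadata."""
    keys = {}
    for ed in ET.fromstring(metadata_xml).iter(MD + "EntityDescriptor"):
        names = {e.text.strip() for e in ed.iter(DS + "KeyName")}
        certs = {e.text.strip() for e in ed.iter(DS + "X509Certificate")}
        keys[ed.get("entityID")] = (names, certs)
    return keys

def pki_trust(keys, entity_id, cert, trusted_cas):
    """PKI mode: cert must come from a trusted CA and carry the KeyName claimed in metadata."""
    names, _ = keys.get(entity_id, (set(), set()))
    return cert.issuer in trusted_cas and cert.subject_cn in names

def direct_key_trust(keys, entity_id, cert):
    """Direct key mode: the presented certificate must be the one embedded in metadata."""
    _, certs = keys.get(entity_id, (set(), set()))
    return cert.blob in certs

def hybrid_trust(keys, entity_id, cert, trusted_cas):  # direct-key-first ordering is an assumption
    return direct_key_trust(keys, entity_id, cert) or pki_trust(keys, entity_id, cert, trusted_cas)

def encryption_cert(keys, entity_id):
    """Attribute encryption needs the peer's public key; only direct-key metadata supplies it."""
    _, certs = keys.get(entity_id, (set(), set()))
    return next(iter(certs), None)
```

Note that `pki_trust` never learns the peer's key from metadata: an unknown entity, a wrong CA or a CN that differs from the KeyName all fail, but the key itself is only available to the relying party through the direct-key path.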
  8. Shibboleth 2.0
     - Shibboleth 2.0
       - Virtually a complete re-write.
       - Support for (some of) SAML 2.0
         - Web SSO and Single Log-out profiles.
         - Additional capabilities likely in future releases.
       - IdP
         - More powerful ARP expression.
         - Scripting for enhanced attribute resolution.
  9. Other AM solutions
     - Shibboleth is the recommended AM software.
       - Designed for education and research.
     - Many other SAML implementations exist.
     - The moves towards Shibboleth 2.0 and SAML 2.0 should improve interoperability.
     - We need to understand more about these other products and their suitability.
  10. Shibboleth on Windows
     - Shibboleth IdP currently runs on Windows, although installation is complex.
     - Windows installer is in development.
     - We’re looking for:
       - Ideas, wish lists, etc.
       - Guinea pigs.
  11. Inter-federation
     - Multiple emerging federations for education and research.
     - Diverse policy and technological strategies.
     - Use cases
       - Reduce burden on publishers.
       - Facilitate cross-federation access to resources such as wikis, VLEs, etc.
  12. Inter-federation
     - Inter-federation
       - Leveraged federation
         - Group within a group.
       - Federation peering
         - Bilateral agreement.
       - Confederation
         - Federation of federations.
  13. Integration with eduroam
     - RAGS
       - Experimental out-sourced IdP using eduroam for authentication.
     - RADIUS-SAML
       - Internet2 proposal to use SAML for eduroam authorisation.
  14. Thank you for your attention
     - Any questions, ideas or requirements?