Your SlideShare is downloading. ×
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

CANARIE Eduroam and Shibboleth Lessons & Areas of interest

1,045

Published on

Shibboleth Eduroam and some of the key discussion points as it rolls out in Canada

Shibboleth Eduroam and some of the key discussion points as it rolls out in Canada

Published in: Education, Technology, Business
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
1,045
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
0
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • Current as of May 2011
  • Key to our success- developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of Community of Practice.
  • Conscription of users
  • Conscription of users
  • Transcript

    • 1. Canadian Access Federation
      Federated Application Building
      &
      eduroamlessons learned
      May 2011
      Chris Phillips –chris.phillips@canarie.ca
    • 2. Agenda
      Eduroam
      Less content than Shib (less complexity)
      Shibboleth
      See my previous presentation!
      http://bit.ly/fedapps(link to prezi)
      There will be a test at the end….really!
      2
    • 3. Canadian eduRoam Participants
      3
    • 4. How does eduroam work?
      802.1X - to authenticate clients before allowing access to the network
      EAP framework – with secure EAP methods to protect user credentials
      RADIUS - authentication server infrastructure
      RADIUS proxying – to route authentication requests to a users home institution
      Separate IP address space – treated as external to institution (compliance with service agreements, etc)
      End Users have standard internet access with as few filters as possible (if any at all).
    • 5. Sample Deployment: Queen’s
      5
    • 6. Cisco ACS Config
      6
    • 7. What NOT to do…
      Invisibly allow your users to drop the scope of the sign in
      Punishes everyone. The mobile user can’t login. Support is called and invoked. Mitigation: use <netid>@homeinst.ca
      Filter connections
      Reciprocity is a great thing. Treat eduroam mobile users on your infrastructure as you would want to be treated at their institution
      Constrain/shape bandwidth
      Again, the reciprocity principal holds here. If abuse is ocuring your netflow info should reveal or trigger alarms
      7
    • 8. Known Concerns
      NAT
      NATing is frowned upon centrally but is known to be a tenuous position given ipv4 conditions and wireless
      Recommendations
      Continue to treat users how you would like to be treated.
      8
    • 9. Stats & Some Thoughts
      Day 1 eduRoam Stats first 6hrs for CANHEIT
      # authN Domain
             1 mcgill.ca
             1 polymtl.ca
             1 ryerson.ca
             2 mtroyal.ca
             2 ucalgary.ca
             2 unb.ca
             3 bcnet.ca
             3 cunet.carleton.ca
             3 dal.ca
             4 sfu.ca
             4 ubc.ca
             4 uvic.ca
             6 brocku.ca
             6 canarie.ca
             6 mun.ca
             6 queensu.ca
             6 ualberta.ca
             6 uottawa.ca
             6 utoronto.ca
             8 usask.ca
            10 uwo.ca
            17 uoguelph.ca
            28 uwaterloo.ca
      Average day @ Queen’s sees ~ 50 ppl on eduroam with about 5 from outside domains
      Posit that institutions can broadcast only eduroam SSID
      Still have chicken and egg problem how to get on, but same problem as WPA2…
      Communication is key
      captive portal SSID and show the one page could work, but ideas welcome
      9
    • 10. eduRoam @ McMaster
      10
    • 11. Onboarding Process
      Standard template for connecting new sites
      Policy sign-off followed by technical implementation
      Estimated time for Canada federation-level RADIUS server personnel:
      on-board a new member site: a few hours to two person-days, depending on member site expertise
      general maintenance: ~one person-day per month
      Local implementation from 4 hours to 4 weeks
      11
    • 12. Rapid Growth
      12
    • 13. More Stats
      Canada has ~28 of 92 universities on eduroam.
      US has slightly less in number (25) but 3,000 plus insitutions
      Hooray! We are leading the way in North America!
      13
    • 14. Eduroam Questions?
      14
    • 15. Shibboleth Federations Worldwide
      15
    • 16. Past Presentations
      This presentation builds on CANHEIT 2011:
      Prezi on Building federated applications:
      http://bit.ly/fedapps
      16
    • 17. Rightsize Your Information Sharing
      Log in, share NetID+attr.
      Log in, share Opaque ID
      Log in, share NetID
      Log in, share nothing
      Wireless
      External
      Website
      personal-
      ization
      is desired
      Internal
      Website
      personal-
      ization
      is desired
      linkage
      elsewhere
      desired
      Internal
      Website
      personal-
      ization
      is desired
      linkage
      elsewhere
      desired
      Data
      needed
      (ghosted)‏
      SAML as conduit for Information release
    • 18. Dispelling Some Myths
      18
    • 19. My App Can’t Be Federated in CAF Because…
      It is limited to regionally/specific identities
      Reply: No problem! This is a Virtual Organization
      A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
      VOs can exist within institutional boundaries but are most effective when constituted to operate across and to unify participants in different physical or institutional limits.
      Primary purpose is to pursue the shared topic or topics.
      19
    • 20. Virtual Organization pt 2
      CAF is an environment where VO’s flourish:
      Virtual Organizations typically form around Service Provider(s) with IdPs providing consumers & complying to attribute profiles to participate
      Autonomy is retained by the VO & it’s members to focus on the topic 
      -CAF focus is on the  ‘dialtone’ infrastructure for collaboration – IdP & Sp management practices and operations and middleware elements
      –Examples in Canada are:
      •Regional Learning Management Systems
      •Transcript or Application management
      Research 'desktops' that aggregate tools for researchers
      Techniques to implement on SP end:
      Use the Shib2.xml & other configurations to whitelist participants[1]
      Consider using eduPersonEntitlement to express fine grain filtering at the application level:
      eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
      eduPersonEntitlement: http://publisher.example.com/contract/GL12
      [1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
      20
    • 21. My App Can’t Be Federated in CAF Because…
      I need to exchange special attributes
      Reply: No Problem!
      CAF’s default is shared nothing
      eduPerson is the default attributes set
      Where insufficient, the SP should work out the details with it’s partners on what extra elements it needs
      CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes
      OIDs provide uniqueness, but us humans like text names that are unique too.
      21
    • 22. Enhancing Attribute Exchanges
      Shared nothing today, but uses eduPerson schema
      Finding that this may be paradox of choice
      Very interesting space to explore, but keep in mind principles:
      Low friction to participate (ie, simplicity is good)
      Scalable and high degree of relevancy and utility
      Don’t punish the end user or IdP owner.
      Interop across Canada and internationally
      Many areas to explore
      Use SHAC[1] technique for attributes?
      "urn:schac:dom.ain:Attribute:value”
      UseAustralian[2] approach for precise control and strong typing and vocabulary?
      Require full participation in various attribute sets (ie MUST populate all fields) but in different categories of SPs (category 1, 2,3 etc)?
      Hybrid??
      [1] http://www.terena.org/mail-archives/schac/msg00371.html
      [2] http://www.aaf.edu.au/technical/aaf-core-attributes/
      22
    • 23. My App Can’t Be Federated in CAF Because…
      I need a Higher Level of Assurance for a user
      Reply: OK, we want this too, what are your requirements?
      Challenge is how do you want to express it and what are your criteria for the higher level of assurance?
      Part of a larger conversation
      What is the yardstick?
      NIST 800-63?
      NSTIC, OIX, KANTARA audit requirements
      Audit of SP against their own statements?
      If you want to be part of this conversation see Chris Phillips & or join mailing list.
      23
    • 24. My App Can’t Be Federated in CAF Because…
      I need to sign in on the command line
      Reply: Ok, we want this too.
      Already participating internationally with UK-JISC on project moonshot. Combo environment of eduroam RADIUS and SAML attribute assertions
      Live CD’s of the sample dev environment available from Chris.
      Again, if you want to be part of this conversation see Chris Phillips & or join mailing list.
      24
    • 25. My App Can’t Be Federated in CAF Because…
      I need to sign in Social identities (Google, OpenID)
      Reply: No problem, it can be done
      Already participating internationally with REFEDS & inCommon on Social Identity risk assessment and gateway designs[1]
      Certain gateways exist from uPenn & Sweden [2]
      Many unquantified risks at this time, but does work
      User behind keyboard is unknown
      Attributes are self asserted
      No knowledge of value of the account to the person
      This is an active area of conversation.
      [1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
      [2] https://tnc2011.terena.org/getfile/558
      25
    • 26. My App Can’t Be Federated in CAF Because…
      I don’t think the CAF has as highly available as I want them to be
      Reply: OK, did you know the following?
      CAF services reside in 3 provinces (Ontario, BC, and Quebec), and have redundant DNS entrieswith live failover
      What are your service criteria so we may understand them better?
      26
    • 27. FYI about availability
      27
    • 28. Your Turn…
      Poll: What would be your priority ranking of the following activities? http://twtpoll.com/amdcc6
      Looking for more conversation and discussion?
      Join the CAF-Shib technical list to discuss the topics:
      CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA
      28
    • 29. Extra Slides
      29
    • 30. 30
    • 31. Secure Wireless – 802.1X
      April 27th 2010
      Canada eduroam
      Slide 31
      Wireless Encryption Established
      secure.wireless.ubc.ca
      ssid:ubcsecure
      id:jdoe
      1)Negotiate Authentication Method
      EAP-PEAPv0-MSCHAPv2
      2)Certificate Validation
      Prevents “man-in-the-middle” attack
      3)Establish Secure Tunnel
      Prevents eavesdropping
      Using MSCHAPv2
      4)Perform authentication through tunnel
      5)Authentication successful
      Establish encryption, connect to net
      6)Client acquires IP address (DHCP)
    • 32. Eduroam - Roaming User
      April 27th 2010
      Canada eduroam
      Slide 32
      Federation Server
      realm: ca
      ssid:eduroam
      Cert: eduroam.sfu.ca
      Institution Servers
      id: joe@sfu.ca
      realm: ubc.ca
      realm: sfu.ca
      1) Negotiate EAP type
      EAP-TTLS-PAP
      2) Outer Request
      Validate cert.
      Establish TLS tunnel
      PAP – through tunnel – secure!
      3) Inner Request
      4) Success
      Connect to network
      Establish encryption.
    • 33. Eduroam – International Roaming
      April 27th 2010
      Canada eduroam
      Slide 33
      Confederation Server
      Federation Server
      realm: ca
      realm: edu
      id: pam@mit.edu
      realm: ubc.ca
      realm: sfu.ca
      realm: mit.edu
      realm: ucla.edu

    ×