© Bangladesh Research and Education Network, All Rights Reserved
Connect
Collaborate
Innovate
Versatility of Federated Services and its Applications
14th BdNOG Conference
Date: 01 July 2022
Time: 14:30 hrs [GMT+6]
Presented by
Mohammad Tawrit, CEO
and
Khandakar Rashedul Arefin, Manager
Video on BdREN
• Video Link:
What is Federation?
[Diagram: Without Identity Federation vs. With Identity Federation]
Federated Services => Benefits
• Ease of Access to services
• To improve the user experience through Single Sign-on
• Improved security
• Ease of Management of users
Metadata Theory => Bilateral Connectivity
Bilateral Connections
Connecting an IdP and an SP directly by exchanging metadata between the two.
Bilateral Connectivity => doesn’t scale
For each service connected to an IdP:
• An agreement with each SP
• Swapping metadata through some agreed process (each SP may have its own process for sharing metadata)
• The IdP needs to be modified for each new SP added (a manual process)
• If the IdP's metadata changes (e.g. certificate renewal), every SP needs to refresh its copy of the IdP's metadata
Bilateral Connectivity => doesn’t scale
For each IdP a service connects to:
• An agreement with each IdP
• Swapping metadata through some agreed process (each IdP may have its own process for sharing metadata)
• The SP needs to be modified for each new IdP added (a manual process)
• If the SP's metadata changes (e.g. certificate renewal), every IdP needs to refresh its copy of the SP's metadata
Federation Architecture
The IdP
• Users
• IdP Metadata
The SP
• A service being offered to users
• SP Metadata
The Federation
• Federation Policy
• Metadata Registration Practice Statement (MRPS)
• Metadata Signing Key
• Signed Federation Metadata
IdP Joins Federation
An IdP joins the federation…
• Using Jagger it
– Registers its metadata
– Connects with the federation
The Federation Operator will…
• Verify the organisation based on rules in the MRPS
Jagger will…
• Validate the metadata provided
• Add the metadata to the federation metadata
• Sign and publish the updated metadata.
SP Joins Federation
An SP joins the federation…
• Using Jagger it
– Registers its metadata
– Connects with the federation
The Federation Operator will…
• Verify the organisation based on rules in the MRPS
Jagger will…
• Validate the metadata provided
• Add the metadata to the federation metadata
• Sign and publish the updated metadata.
Getting the Signing key
IdPs and SPs need a copy of the metadata signing key.
• Download the key from a known location
• Verify the key
• Add the key to their configuration
The Federation Operator must make the signing key available for download
• MUST keep the private half of the key private!
Get the Federation Metadata
IdPs and SPs get the common signed metadata file from the federation operator
• Download the file
• Verify it has not been modified, using the signing key
• Repeat every hour
When IdP or SP metadata changes…
• The change is made in Jagger
• It is published to the federation metadata and signed
The change is then consumed by all federation members
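The consumer-side steps on this slide and on the signing-key slide before it, as an added Python example that is not from the slides or from Jagger: the certificate carried inside the aggregate's signature is compared against the fingerprint of the signing key the operator published (never trusted just because it is embedded), validUntil is enforced, and cacheDuration tells the consumer how often to re-fetch. The aggregate XML, certificate bytes, entity IDs and hostnames are constructed; the XML-DSig verification itself is left to the SAML stack (Shibboleth, xmlsec1).

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes of the federation signing certificate.
# A real consumer downloads the X.509 certificate from the operator's known
# location once, verifies it out of band, and pins its fingerprint.
SIGNING_CERT_DER = b"constructed-federation-signing-certificate"
PINNED_FINGERPRINT = hashlib.sha256(SIGNING_CERT_DER).hexdigest()

# Constructed aggregate: the <ds:Signature> carries the signer's certificate in
# KeyInfo, as published federation metadata does. Entity IDs are made up.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="https://fed.example.bd/metadata"
    validUntil="2022-07-08T00:00:00Z" cacheDuration="PT1H">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>%s</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:EntityDescriptor entityID="https://idp.example.ac.bd/idp/shibboleth">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example.org/shibboleth">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
""" % base64.b64encode(SIGNING_CERT_DER).decode()


def parse_utc(stamp):
    """Parse the SAML 'YYYY-MM-DDTHH:MM:SSZ' timestamp form into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def embedded_signer_fingerprint(root):
    """SHA-256 over the DER certificate in ds:KeyInfo, or None if there is none."""
    node = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if node is None or not node.text:
        return None
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(der).hexdigest()


def refresh_interval_seconds(root, default=3600):
    """cacheDuration (ISO 8601 'PTnHnMnS') says how often to re-fetch; default hourly."""
    value = root.get("cacheDuration")
    m = re.fullmatch(r"PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?", value or "")
    if not value or not m:
        return default
    hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return hours * 3600 + minutes * 60 + seconds


def list_entities(root):
    """Return [(entityID, 'IdP' | 'SP'), ...] for every entity in the aggregate."""
    entities = []
    for ent in root.findall("md:EntityDescriptor", NS):
        role = "IdP" if ent.find("md:IDPSSODescriptor", NS) is not None else "SP"
        entities.append((ent.get("entityID"), role))
    return entities


def check_aggregate(xml_text, pinned_fingerprint, now_iso):
    """Consumer-side acceptance of a downloaded aggregate: the signer must be the
    pinned federation key and validUntil must not have passed."""
    root = ET.fromstring(xml_text)
    result = {"accepted": False, "reason": "", "entities": [],
              "refresh_seconds": refresh_interval_seconds(root)}
    if embedded_signer_fingerprint(root) != pinned_fingerprint:
        result["reason"] = "signer certificate does not match the pinned fingerprint"
        return result
    valid_until = root.get("validUntil")
    if valid_until is None or parse_utc(now_iso) >= parse_utc(valid_until):
        result["reason"] = "aggregate has no validUntil or has expired"
        return result
    result.update(accepted=True, reason="ok", entities=list_entities(root))
    return result


if __name__ == "__main__":
    print(check_aggregate(SAMPLE_AGGREGATE, PINNED_FINGERPRINT, "2022-07-01T14:30:00Z"))
```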
How Federation Works
Applications
• eduGAIN
• eduroam
• OpenRoaming
• Research Paper Access
• Zoom as a Service
• Other Applications
eduGAIN Metadata
Now to extend into eduGAIN…
eduGAIN links
What is eduGAIN… https://edugain.org/
Who is participating… https://technical.edugain.org/status
What services are available… https://technical.edugain.org/entities
Which IdPs are participating… https://technical.edugain.org/entities
What about the policy… https://technical.edugain.org/documents
eduroam => what it is?
• eduroam is a global Wi-Fi roaming consortium that gives members of the education and research community free internet access at every eduroam hotspot on the planet.
eduroam hierarchical structure
[Diagram: eduroam hierarchy for .bd]
• Inter-Federation Operators (top level)
• Federation Operators: BdREN NRS (.bd)
• IdPs and SPs: BdREN, SUST, SAU, SBAU, BUET, IUB, MBSTU, JUST, PSTU, PUST, DUET, BRUR, KUET, IU, BSMRAU, IUT, CUET, EU, BoU
Eduroam -->> flow of authentication (local)
[Diagram: user mafiz@ru.ac.bd at Rajshahi University (Service/Identity Provider). The RU IRS authenticates the request itself (Local Authentication) and returns Access Accept/Reject. Other nodes shown: BdREN NRS, HERNET/AARNet TLR, DeIC NRS, DTU IRS (Technical University of Denmark).]
Eduroam -->> flow of authentication (In-Roamer)
[Diagram: user Martin@dtu.dk at Rajshahi University (Service Provider). The request is forwarded realm by realm: RU IRS → BdREN NRS → HERNET/AARNet TLR → DeIC NRS → DTU IRS at the Technical University of Denmark (Identity Provider), where Foreign Authentication takes place and Access Accept/Reject is returned.]
eduroam security
Concern: is it safe?
• Authentication framework: 802.1x
• Authentication [inner tunnel]: MSCHAPv2.0
• Authentication [outer tunnel]: EAP-TLS
MSCHAPv2.0 -->> Inner Tunnel Authentication
[Diagram: challenge/response between Client and MSCHAP Server; the server holds Username: james, Password: pass111]
• Client: "I would like to login, username: james"
• Server: "Here's your challenge message: 15472a309fe22789efa522d45c7af9ad"
• Client: Hashing(pass111 + 15472a309fe22789efa522d45c7af9ad) → Challenge response: db3fc40e6439d4d972870252ccc11f99
• Server: Hashing(pass111 + 15472a309fe22789efa522d45c7af9ad) → Expected challenge response: db3fc40e6439d4d972870252ccc11f99
• Challenge Response Matched → Access Accept
eduroam authentication -->> full flow
[Diagram: Supplicant ↔ Authenticator ↔ Radius Server]
• Initialization: EAP Request-ID → EAP Response ID / Radius Request ID → EAP-TLS Start → Client Hello
• Outer Tunnel (EAP-TLS): exchange of the Authentication Server Certificate and the Supplicant Certificate (each carrying its public key) and creation of the outer tunnel
– Client and Server both have a valid Certificate containing their "Public Key"
– Client and Server share their Certificates, thereby sharing their "Public Key"
– Client encrypts its credentials using Server's Public Key
– Server encrypts its traffic using Client's Public Key
• Inner Tunnel: Supplicant Username and Password Hash; MSCHAP Challenge
• Provide/Reject Access
Eduroam security
• Framework 802.1x:
– Radius with tunneled EAP (TTLS, PEAP)
[Diagram: Outer Tunnel / Inner Tunnel]
Fervent Appeal
• ISPs can come forward to allow their hotspots under the coverage of eduroam for the benefit of the education and research community.
What will ISPs require?
• Access Point with dual-SSID broadcast facility
• Access Point with 802.1x authentication feature
[Diagram: hotel, airport]
Can Commercial ISPs do it?
• Challenges:
– Routing Radius Requests:
• Need a hierarchy the same as the NRENs have
• IRS → NRS → TLR/eTLR
• Can also be accomplished by dynamic resolution of the RADIUS service from the Domain Name System using SRV record resolution [overcome using OpenRoaming]
– Billing:
• Not an NREN concern, as NRENs are non-profit organizations
• A real challenge for ISPs, as they need to charge the subscribers [yes, it can be accomplished using OpenRoaming as well]
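The IRS → NRS → TLR routing described here, and the two authentication-flow slides earlier (mafiz@ru.ac.bd handled locally, Martin@dtu.dk forwarded to DTU), as an added Python example that is not from the slides or from any RADIUS product: each proxy decides from the realm of the User-Name whether to authenticate, forward down a static route, or hand the request to its parent, and the top-level server falls back to DNS-based discovery (the RFC 7585 SRV name `_radiustls._tcp.<realm>`) when it has no static route. Node names follow the slides; the routing tables, hop limit and realm regex are assumptions.

```python
import re

# RFC 7542 Network Access Identifier: user@realm, realm made of DNS-style labels.
NAI_RE = re.compile(
    r"^[^@\s]+@(?P<realm>(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,})$",
    re.IGNORECASE)
MAX_HOPS = 8  # constructed guard against proxy loops


def realm_of(user_name):
    """Lower-cased realm of a User-Name, or None if it is not a valid NAI."""
    m = NAI_RE.match(user_name.strip())
    return m.group("realm").lower() if m else None


class RadiusProxy:
    """One node of the eduroam hierarchy (IRS, NRS or TLR) with a static routing table."""

    def __init__(self, name, local_realms=(), parent=None):
        self.name = name
        self.local_realms = set(local_realms)
        self.parent = parent      # where requests for realms we do not know go
        self.children = {}        # realm suffix -> downstream proxy

    def add_child(self, suffix, proxy):
        self.children[suffix.lower()] = proxy

    def next_hop(self, realm):
        """('authenticate', self) | ('forward', proxy) | ('discover', srv_name)."""
        if realm in self.local_realms:
            return ("authenticate", self)
        # Longest-suffix match so that 'ru.ac.bd' beats 'bd'.
        for suffix in sorted(self.children, key=len, reverse=True):
            if realm == suffix or realm.endswith("." + suffix):
                return ("forward", self.children[suffix])
        if self.parent is not None:
            return ("forward", self.parent)
        # Top of the tree and no static route: dynamic discovery via DNS SRV
        # (RFC 7585), the mechanism the slide credits OpenRoaming with.
        return ("discover", "_radiustls._tcp." + realm)


def trace_request(start, user_name):
    """Walk the Access-Request through the hierarchy; return (outcome, path of node names)."""
    realm = realm_of(user_name)
    if realm is None:
        # A missing or malformed realm cannot be routed; reject at the first hop.
        return ("reject: User-Name is not user@realm", [start.name])
    path, node = [start.name], start
    for _ in range(MAX_HOPS):
        action, target = node.next_hop(realm)
        if action == "authenticate":
            return ("authenticate at " + target.name, path)
        if action == "discover":
            return ("dynamic discovery " + target, path)
        node = target
        if node.name in path:
            return ("reject: routing loop", path)
        path.append(node.name)
    return ("reject: hop limit exceeded", path)


def build_hierarchy():
    """Constructed model of the two flow slides: the .bd and .dk trees under one TLR."""
    tlr = RadiusProxy("HERNET/AARNet TLR")
    bdren = RadiusProxy("BdREN NRS", parent=tlr)
    deic = RadiusProxy("DeIC NRS", parent=tlr)
    ru = RadiusProxy("RU IRS", local_realms={"ru.ac.bd"}, parent=bdren)
    dtu = RadiusProxy("DTU IRS", local_realms={"dtu.dk"}, parent=deic)
    bdren.add_child("ru.ac.bd", ru)
    deic.add_child("dtu.dk", dtu)
    tlr.add_child("bd", bdren)
    tlr.add_child("dk", deic)
    return {"RU IRS": ru, "DTU IRS": dtu, "BdREN NRS": bdren, "DeIC NRS": deic, "TLR": tlr}


if __name__ == "__main__":
    nodes = build_hierarchy()
    for user in ("mafiz@ru.ac.bd", "Martin@dtu.dk", "mafiz", "x@example.fr"):
        print(user, "->", trace_request(nodes["RU IRS"], user))
```

Only the realm is needed to route, which is why a proxy in the chain should log the realm and never the inner-tunnel credentials.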
OpenRoaming -- >> Architecture
OpenRoaming => Authentication Flow
[Diagram labels: Configure DNS; Enterprise-based security and Hotspot 2.0; IDP Discovery; EAP/TLS; Authentication, Policy and Accounting; WPA2 with EAP/TLS on the wireless link]
OpenRoaming Requirements
• Wireless Networks
– Cisco Wireless Networks
– Cisco AireOS based WLC running AireOS 8.3 or later plus Cisco DNA Spaces SEE
– Cisco Catalyst 9800 WLC running IOS-XE 16.12 or later plus Cisco DNA Spaces SEE
– Cisco Meraki® plus Cisco DNA Spaces SEE
• Service Provider
– Top venues in the world including Canary Wharf, Clair and the Fira de Barcelona
• Identity Provider
– Samsung, Boingo Wireless
– Apple ID
– Google ID
• End device
– Samsung devices [Android 10 or higher] using Native OS
– iPhone [iOS 13.3 or higher] using OpenRoaming Mobile App
– Android [Android 9.0 or higher] using OpenRoaming Mobile App
– Google Pixel [Android 11.0 or higher] using Native OS

BdNOG-20220625-MT-v6.0.pptx

1. Versatility of Federated Services and its Applications
© Bangladesh Research and Education Network, All Rights Reserved
Connect Collaborate Innovate
14th BdNOG Conference
Date: 01 July 2022
Time: 14:30 hrs [GMT+6]
Presented by Mohammad Tawrit, CEO, and Khandakar Rashedul Arefin, Manager

2. Video on BdREN
• Video Link:

3. What is Federation?
Diagram: Without Identity Federation | With Identity Federation

4. Federated Services => Benefits
• Ease of access to services
• Improved user experience through Single Sign-on
• Improved security
• Ease of management of users

5. Metadata Theory => Bilateral Connectivity
Bi-lateral connections: connecting an IdP and an SP together by directly sharing metadata between the two.

6. Bilateral Connectivity => doesn't scale
For each service connected to an IdP:
• An agreement with each SP
• Swapping metadata through some agreed process (each SP may have its own process for sharing metadata)
• The IdP needs to be modified for each new SP added (manual process)
• If the IdP's metadata changes (e.g. certificate renewal), all SPs need to refresh their copy of the IdP's metadata

7. Bilateral Connectivity => doesn't scale
For each IdP a service connects to:
• An agreement with each IdP
• Swapping metadata through some agreed process (each IdP may have its own process for sharing metadata)
• The SP needs to be modified for each new IdP added (manual process)
• If the SP's metadata changes (e.g. certificate renewal), all IdPs need to refresh their copy of the SP's metadata

8. Federation Architecture
The IdP
• Users
• IdP Metadata
The SP
• A service being offered to users
• SP Metadata
The Federation
• Federation Policy
• Metadata Registration Practice Statement (MRPS)
• Metadata Signing Key
• Signed Federation Metadata

9. IdP Joins Federation
An IdP joins the federation… Using Jagger it
• Registers its metadata
• Connects with the federation
The Federation Operator will…
• Verify the organisation based on the rules in the MRPS
Jagger will
• Validate the metadata provided
• Add the metadata to the federation metadata
• Sign and publish the updated metadata

10. SP Joins Federation
An SP joins the federation… Using Jagger it
• Registers its metadata
• Connects with the federation
The Federation Operator will…
• Verify the organisation based on the rules in the MRPS
Jagger will
• Validate the metadata provided
• Add the metadata to the federation metadata
• Sign and publish the updated metadata

11. Getting the Signing Key
IdPs and SPs need a copy of the metadata signing key:
• Download the key from a known location
• Verify the key
• Add the key to their configuration
The Federation Operator must make the signing key available for download
• MUST keep the private half of the key private!

12. Get the Federation Metadata
IdPs and SPs get the common signed metadata file from the Federation Operator:
• Download the file
• Verify it has not been modified, using the signing key
• Repeat every hour
When IdP or SP metadata changes…
• The change is made in Jagger
• It is published to the federation metadata and signed
• The change is then consumed by all federation members
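As an added example (not from the slides and not Jagger's code), the three steps slides 9 to 12 describe in Python: the registration checks an operator applies before accepting an entity's metadata, the merge of accepted entities into one signed-to-be md:EntitiesDescriptor with a bounded validUntil and a one-hour cacheDuration, and the consumer-side freshness check after each hourly refresh. The entityIDs, federation name and certificate value are constructed placeholders, and the XML-DSig signing and signature verification itself (normally done with an xmlsec library) is outside the block.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ROLES = (f"{{{MD}}}IDPSSODescriptor", f"{{{MD}}}SPSSODescriptor")
CERT = f"{{{MD}}}KeyDescriptor/{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate"

def validate_entity(xml_text):  # registration checks on one submission; [] means accept
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        return ["root element is not md:EntityDescriptor"]
    problems = []
    if not root.get("entityID", "").startswith("https://"):
        problems.append("entityID must be an https URI")
    roles = [child for child in root if child.tag in ROLES]
    if not roles:
        problems.append("no IdP or SP role descriptor")
    for role in roles:  # every role must publish the certificate that peers will trust
        if role.find(CERT) is None:
            problems.append(f"{role.tag.split('}')[1]} has no X509Certificate")
    return problems

def aggregate(entity_xmls, name, validity_hours=24 * 7):  # build the federation aggregate
    agg = ET.Element(f"{{{MD}}}EntitiesDescriptor", {"Name": name, "cacheDuration": "PT1H"})
    valid_until = datetime.now(timezone.utc) + timedelta(hours=validity_hours)
    agg.set("validUntil", valid_until.strftime("%Y-%m-%dT%H:%M:%SZ"))
    seen = set()
    for xml_text in entity_xmls:
        if problems := validate_entity(xml_text):
            raise ValueError(f"rejected: {problems}")
        entity = ET.fromstring(xml_text)
        if entity.get("entityID") in seen:
            raise ValueError(f"duplicate entityID {entity.get('entityID')}")
        seen.add(entity.get("entityID"))
        agg.append(entity)
    return ET.tostring(agg, encoding="unicode")  # this is the document the operator then signs

def still_valid(agg_xml):  # consumer-side check after each hourly refresh
    stamp = ET.fromstring(agg_xml).get("validUntil")
    valid_until = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return valid_until > datetime.now(timezone.utc)

IDP_XML = (  # constructed sample: placeholder entityID and certificate value
    f'<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.ac.bd/idp">'
    '<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
    '<ds:X509Certificate>MIIB...placeholder</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
    '</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')
SP_NO_CERT = (  # constructed sample: an SP that did not publish a certificate
    f'<md:EntityDescriptor xmlns:md="{MD}" entityID="https://sp.example.org/shibboleth">'
    '<md:SPSSODescriptor/></md:EntityDescriptor>')
```

A consumer that finds still_valid() false should keep serving nothing new and alert, since an expired aggregate usually means the hourly refresh or the operator's signing job has been failing.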
13. How Federation Works

14. Applications
• eduGAIN
• eduroam
• OpenRoaming
• Research Paper Access
• Zoom as a Service
• Other Applications

15. eduGAIN Metadata
Now to extend into eduGAIN…

16–21. eduGAIN Metadata (continued)

22. eduGAIN links
• What is eduGAIN… https://edugain.org/
• Who is participating… https://technical.edugain.org/status
• What services are available… https://technical.edugain.org/entities
• Which IdPs are participating… https://technical.edugain.org/entities
• What about the policy… https://technical.edugain.org/documents

23. eduroam => what is it?
• eduroam is a global WiFi roaming consortium which gives members of the education and research community free internet access at all eduroam hotspots on the planet.

24. eduroam hierarchical structure
Diagram labels: .bd; BdREN NRSs (BdREN); member institutions SUST, SAU, SBAU, BUET, IUB, MBSTU, JUST, PSTU, PUST, DUET, BRUR, KUET, IU, BSMRAU, IUT, CUET, EU, BoU. Legend: Inter-Federation Operators, Federation Operators, IdPs and SPs.

25. eduroam -->> flow of authentication (local)
Diagram: mafiz@ru.ac.bd connects at Rajshahi University (Service/Identity Provider); the request goes to the RU IRS, which performs Local Authentication and returns Access Accept/Reject. Other nodes shown: BdREN NRS, HERNET/AARnet TLR, DeIC NRS, DTU IRS (Technical University of Denmark).

26. eduroam -->> flow of authentication (In-Roamer)
Diagram: Martin@dtu.dk connects at Rajshahi University (Service Provider); the request is forwarded RU IRS -> BdREN NRS -> HERNET/AARNet TLR -> DeIC NRS -> DTU IRS (Identity Provider, Technical University of Denmark), which performs Foreign Authentication and returns Access Accept/Reject.

27. eduroam security concern (is it safe?)
• AUTHENTICATION: 802.1x
• AUTHENTICATION [INNER TUNNEL]: MSCHAPv2.0
• AUTHENTICATION [OUTER TUNNEL]: EAP-TLS

28. MSCHAPv2.0 -->> Inner Tunnel Authentication
Exchange between Client and MSCHAP Server (Username: james, Password: pass111):
• Client: "I would like to login, username: james"
• Server: "Here's your challenge message: 15472a309fe22789efa522d45c7af9ad"
• Client: hashing of password (pass111+) with the challenge 15472a309fe22789efa522d45c7af9ad -> Challenge response: db3fc40e6439d4d972870252ccc11f99
• Server: hashing of the stored password (Pass111+) with the same challenge -> Expected challenge response: db3fc40e6439d4d972870252ccc11f99
• Server: Challenge Response Matched -> Access Accept

29. eduroam authentication -->> full flow
Parties: Supplicant, Radius Server, Authentication Server.
Initialization: EAP Request-ID, EAP Response-ID, Radius Request-ID, EAP-TLS Start, Client Hello.
Outer Tunnel (EAP-TLS): exchange of information and creation of the outer tunnel
• Client and Server both have a valid Certificate containing their "Public Key"
• Client and Server share their Certificate, thereby sharing their "Public Key"
• Client encrypts its credentials using the Server's Public Key
• Server encrypts its traffic using the Client's Public Key
Inner Tunnel: Supplicant Username and Password Hash, MSCHAP Challenge Authenticator, Provide/Reject Access.
Diagram labels: Authentication Server Certificate, Supplicant Certificate, Radius Server's Public Key, Supplicant's Public Key.

30. eduroam security
• Framework 802.1x:
  – Radius with tunneled EAP (TTLS, PEAP)
Diagram labels: Outer Tunnel, Inner Tunnel.

31. Fervent Appeal
• ISPs can come forward to bring their hotspots under the coverage of eduroam for the benefit of the education and research community.
What will ISPs require?
• Access Point with dual-SSID broadcast facility
• Access Point with 802.1x authentication feature
Diagram: Hotel, Airport.

32. Can Commercial ISPs do it?
Challenges:
• Routing Radius requests:
  – Need a hierarchy the same as the NRENs': IRS -> NRS -> TLR/eTLR
  – Can also be accomplished by dynamic resolution of the RADIUS service from the Domain Name Server using SRV record resolution [overcome using OpenRoaming]
• Billing:
  – Not an NREN concern, as NRENs are non-profit organisations
  – A real challenge for ISPs, as they need to charge the subscribers [yes, it can be accomplished using OpenRoaming as well]
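Added example, not from the slides or any eduroam software: realm-based routing of a RADIUS request up the IRS -> NRS -> TLR hierarchy and down again, which walks both the local flow of slide 25 (mafiz@ru.ac.bd at the RU IRS) and the in-roamer flow of slide 26 (Martin@dtu.dk), and rejects malformed realms, unroutable realms and routing loops, the failure modes a proxy operator has to handle. The server names and route table are a constructed topology; a real proxy loads them from its configuration or from the DNS SRV discovery slide 32 mentions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RadiusServer:
    name: str
    local_realms: frozenset = frozenset()       # realms this server authenticates itself (IdP side)
    routes: dict = field(default_factory=dict)  # realm or parent domain -> downstream server name
    upstream: str = ""                          # default next hop; empty at the top of the tree

def realm_of(outer_identity):  # user@realm (RFC 7542 NAI); None if malformed
    realm = outer_identity.rpartition("@")[2].lower().strip(".") if "@" in outer_identity else ""
    ok = realm and all(label.replace("-", "").isalnum() for label in realm.split("."))
    return realm if ok else None

def decide(server, outer_identity):
    """One proxy's decision: ('local', realm), ('forward', server name) or ('reject', reason)."""
    realm = realm_of(outer_identity)
    if realm is None:
        return ("reject", "malformed realm")
    if realm in server.local_realms:
        return ("local", realm)
    labels = realm.split(".")
    for i in range(len(labels)):                # longest matching suffix wins
        suffix = ".".join(labels[i:])
        if suffix in server.routes:
            return ("forward", server.routes[suffix])
    if server.upstream:
        return ("forward", server.upstream)
    return ("reject", f"no route for realm {realm}")

def route(servers, start, outer_identity, max_hops=6):
    """Walk one request IRS -> NRS -> TLR -> NRS -> IRS; returns (hops taken, final outcome)."""
    path = [start]
    while len(path) <= max_hops:
        action, detail = decide(servers[path[-1]], outer_identity)
        if action != "forward":
            return path, (action, detail)
        if detail in path or detail not in servers:
            return path, ("reject", f"routing loop or unknown server: {detail}")
        path.append(detail)
    return path, ("reject", "hop limit exceeded")

# Constructed topology mirroring slides 25-26; server names and route table are illustrative
SERVERS = {s.name: s for s in [
    RadiusServer("RU IRS", frozenset({"ru.ac.bd"}), upstream="BdREN NRS"),
    RadiusServer("DTU IRS", frozenset({"dtu.dk"}), upstream="DeIC NRS"),
    RadiusServer("BdREN NRS", routes={"ru.ac.bd": "RU IRS"}, upstream="TLR"),
    RadiusServer("DeIC NRS", routes={"dtu.dk": "DTU IRS"}, upstream="TLR"),
    RadiusServer("TLR", routes={"bd": "BdREN NRS", "dk": "DeIC NRS"}),
]}
```

Note that only the outer identity's realm drives routing; the user part and the password never leave the TLS tunnel, which is why each proxy in the path can forward without seeing the credentials.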
33. OpenRoaming -->> Architecture

34. OpenRoaming => Authentication Flow
• Configure DNS
• Enterprise-based security and Hotspot 2.0
• IDP Discovery
• EAP/TLS Authentication, Policy and Accounting
Diagram labels: WPA2, EAP/TLS.

35. OpenRoaming Requirements
• Wireless Networks
  – Cisco Wireless Networks
  – Cisco AireOS based WLC running AireOS 8.3 or later plus Cisco DNA Spaces SEE
  – Cisco Catalyst 9800 WLC running IOS-XE 16.12 or later plus Cisco DNA Spaces SEE
  – Cisco Meraki® plus Cisco DNA Spaces SEE
• Service Provider
  – Top venues in the world, including Canary Wharf, Clair and the Fira de Barcelona
• Identity Provider
  – Samsung, Boingo Wireless
  – Apple ID
  – Google ID
• End device
  – Samsung devices [Android 10 or higher] using the native OS
  – iPhone [iOS 13.3 or higher] using the OpenRoaming mobile app
  – Android [Android 9.0 or higher] using the OpenRoaming mobile app
  – Google Pixel [Android 11.0 or higher] using the native OS

36. (closing slide, no text)