The document discusses eduroam and Shibboleth federations. It provides an overview of eduroam including how authentication works using 802.1X and RADIUS. Stats are presented on early eduroam usage in Canada. Recommendations are made for institutions implementing eduroam including not filtering or shaping bandwidth. Concerns around NATing are discussed. The onboarding process for new eduroam sites is outlined. Growth stats for eduroam in Canada and the US are presented. Questions about eduroam and Shibboleth federations are solicited from attendees.
Navigating The Clouds With An Enterprise IT Strategy (redmiller1)
Presentation delivered at the EDUCAUSE Enterprise IT Leadership conference 2013. Joint presentation with the EDUCAUSE security conference. Focuses on cloud computing strategy and the importance of identity management with cloud solutions.
Patterns and Antipatterns in Enterprise Security (WSO2)
To view the recording of this webinar, please use the URL below:
Attacks against information systems are on the rise, making enterprise security a major concern. It is important to identify and address security needs such as confidentiality, integrity, availability and auditability of information. Enterprise security patterns facilitate balanced and informed decisions about security needs and provide a rationale for the evolution of those needs over time. Antipatterns, which are fostered by misapplication of concepts and misunderstanding of security concerns, should be avoided. Together, security patterns and antipatterns address these concerns by naming recurrent problems and challenges and the decisions that resolve them.
This webinar will
Deep dive into enterprise security patterns and antipatterns
Explore the importance of using them
Discuss how to apply them with WSO2 Identity Server
Enterprise & Web based Federated Identity Management & Data Access Controls (Kingsley Uyi Idehen)
This presentation breaks down issues associated with federated identity management and protected resource access controls (policies). Specifically, it uses Virtuoso and RDF to demonstrate how this longstanding issue has been addressed using the combination of RDF based entity relationship semantics and Linked Open Data.
Marjorie M.K. Hlava, President and founder of Access Innovations, Inc., unveils the newest version and module updates of the Data Harmony indexing software suite.
CIS14: SCIM: Why It’s More Important, and More Simple, Than You Think (CloudIDSummit)
Kelly Grizzle, SailPoint
Why the Simple Cloud Identity Management (SCIM) specification should be supported by IAM vendors, SaaS vendors and their customers to improve manageability and governance for cloud applications, with a demonstration of some of the available open-source tools that allow it to be easily integrated into the IAM infrastructure.
IT professional with expertise in SailPoint IdentityIQ, IdentityNow, Identity Management, Identity Access Management, Identity Access Governance, Role Based Access Management, Lifecycle Manager, Workflow, Separation of Duties, Application Onboarding, Writing Custom Connectors, Certification, Rules, Policy, and Implementing Business Requirements. Worked on different SailPoint connectors such as AD, Databases, Lotus Notes, SAP GRC, and Mainframe (RACF, ACF2, TopSecret).
Today enterprise solutions adopt products and services from multiple cloud providers in order to meet various business requirements. This means that it is no longer sufficient to maintain user identities only in the corporate LDAP directory. In most cases, SaaS providers also need dedicated user accounts created for the cloud service users, which raises the need for identity provisioning mechanisms to be in place.
Trusting External Identity Providers for Global Research Collaborations (jbasney)
Presented at:
https://www.eugridpma.org/meetings/2016-09/
Abstract:
Who do we trust to provide identity and access management services for our research collaborations? When do we decide to implement it ourselves versus relying on others? How do we create incentives for establishing trust? How do we bridge the gaps in trust, functionality, and reliability? In this presentation, Jim will review lessons learned from his experiences working with IGTF certificates, eduGAIN SAML assertions, and OpenID Connect claims for access to scientific research applications. What new challenges appear when moving from 1 to 10 to 100 to 1000 identity providers? Why does identity information flow more easily in some federations and not others? How do we determine what levels of assurance we need and find providers who can meet those needs? How do we mitigate the risks? How do we effectively federate services operated by the research community, higher education institutions, NRENs, and commercial providers?
Bio:
Dr. Jim Basney is a senior research scientist in the cybersecurity group at the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign. He is Principal Investigator of the CILogon project and co-PI of the Center for Trustworthy Scientific Cyberinfrastructure and Software Assurance Marketplace projects. Jim also contributes to LIGO, LSST, and XSEDE. He has operated IGTF-accredited certificate authorities since 2007 and was a member of the InCommon federation's technical advisory committee for 6 years. Jim received his PhD in computer sciences from the University of Wisconsin-Madison in 2001.
A Focus on Salesforce1 Platform: Customizing and Multi-org Architecture (Salesforce.org)
Customize the Platform to Engage Students and Staff:
The Salesforce platform has many strengths, including its flexibility. However, in reality, to use it as an environment that engages students and staff, some customization is needed. Learn how UC Hastings used third party tools and development environments to take advantage of the solid schema developed to produce informative, timely, and, most importantly, attractive pages that are designed to foster a lively community.
Architecting the Force.com Platform at Yale: A Multi-Org Challenge:
Discover how Yale Information Technology Services is learning from past experiences and planning for future growth on the force.com platform in a decentralized, multi-org environment. Hear about completed and current projects, efforts around defining a standard architecture and roadmap, and get a glimpse into what the future holds for force.com at Yale.
A simple Document Management System built on Liferay 7, with user and report management for large volumes of data and documents. This solution approach also briefly describes content management and automatic archival.
To view the recording of this webinar, please use the URL below:
http://wso2.com/library/webinars/2016/05/end-to-end-identity-management/
In today’s rapidly evolving world, enterprise identity management has proven to be challenging due to constant changes in associated systems, corporate policies and stakeholder requirements. Therefore, managing identities and their privileges across systems needs to be handled in a flexible manner to save resources when governing identities and controlling access.
There are various industry-standard specifications in this domain, making it difficult to select the correct one. Some of them address the same problem with slight variations, and some may look similar but address completely different problems.
This webinar will discuss
The real problems that need to be addressed when managing enterprise identity
Key challenges when implementing concepts
How to overcome these challenges and build a future proof identity and access management system with WSO2 Identity Server
How to deploy SharePoint 2010 to external users? (rlsoft)
A presentation about all the different aspects to be aware of when deploying SharePoint 2010 as an extranet platform, as well as the available options for network topologies and authentication methods.
To view recording of this webinar please use the below URL:
http://wso2.com/library/webinars/2016/06/enterprise-security-requirements/
Meeting enterprise security requirements has become challenging due to the development of orthogonal aspects. Systems are diverse because a single vendor can’t cater to all these needs. Some enterprises also introduce public SaaS in addition to their internal on-premise systems. APIs are used to make data in these systems readily available in order to integrate with other systems and automate processes. Identity and access management (IAM) systems are expected to provide centralized authentication and authorization despite the increasing complexity of data, systems and identities.
This webinar will discuss how to
Enable SSO for heterogeneous systems
Handle different types of enterprise identities
Protect your data and APIs
Implement centralized authorization and authentication management
Identity and Access Management for user login at the departmental level and the federation level. Users can be easily managed through Identity and Access Management.
Directions: Answer each question individually and respond with full .docx (mariona83)
Directions: Answer each question individually and respond with full knowledge and understanding. Use 100% original work and turn it in on or before the date requested.
1. How did you apply the knowledge, skills, and attitudes from previous courses to the application of your capstone project? What did you learn from those experiences that prepared you for the capstone?
2. After implementing your capstone, you will have an opportunity to conduct a post-assessment and evaluate the success of the project. Before getting the results, what do you expect to learn from the post-assessment? Do you feel your capstone project was successful? What could you have done differently or improved upon?
3. Now that you have finished your capstone project, reflect on its function, purpose, and success with your classmates. What do you wish you had known before starting? If you wanted to continue the project, what would be your next steps?
4. During this topic, you will compile a leadership portfolio that encapsulates key assignments that helped shape you as a leader. How will this portfolio reflect your vision as a leader? How does it demonstrate your growth throughout the program?
School of Computer & Information Sciences
ITS-532 Cloud Computing
Chapter 5 – Identity as a Service (IDaaS)
Content from:
Primary Textbook: Jamsa, K. A. (2013). Cloud computing: SaaS, PaaS, IaaS, virtualization, business models, mobile, security and more. Burlington, MA: Jones & Bartlett Learning.
Secondary Textbook: Erl, T., Mahmood, Z., & Puttini, R. (2014). Cloud computing: concepts, technology, & architecture. Upper Saddle River, NJ: Prentice Hall.
Learning Objectives
Describe challenges related to ID management.
Describe and discuss single sign-on (SSO) capabilities.
List the advantages of IDaaS solutions.
Discuss IDaaS solutions offered by various companies.
IDaaS Defined
Identity (or identification) as a service (IDaaS): cloud-based approaches to managing user identities, including usernames, passwords, and access. Also sometimes referred to as “identity management as a service.”
Identity and Access Management (IAM)
Identity and Access Management includes the components and policies necessary to control user identity and access privileges.
Authentication
Username/Password, digital signatures, digital certificates, biometrics
Authorization
Granular controls for mapping identities and rights
User Management
Creation and administration of new user identities, groups, passwords, and policies
Credential Management
Establishes identities and access control rules for user accounts
(Erl, 2014)
Single Sign-On (SSO)
Single sign-on (SSO): a process that allows a user to log into a central authority and then access other sites and services for which he or she has credentials.
Advantages of SSO
Fewer username and password combinations for users to remember and manage
Less password fatigue caused by the stress of managing multiple passwords
Less user time con.
Chat application through client server management system project.pdf (Kamal Acharya)
This project focused on creating a chat application with its own communication environment. The objective of the project is to build a chat system that facilitates communication between two or more clients and provides an effective channel among the clients themselves. For the application itself, this system can serve as a link to reach all clients. The design of the system depends on the socket concept, where a socket is a software endpoint that establishes bidirectional communication between a server program and one or more client programs. Language used for the development of this system: Java Development Kit (JDK), a development environment for building applications and components using the Java programming language.
Web 2.0: How Should IT Services and the Library Respond? (lisbk)
Slides used by Brian Kelly, UKOLN at a meeting on "Web 2.0: How Should IT Services and the Library Respond?" held at the University of Nottingham, on 16 November 2006.
Implementing a Data Mesh with Apache Kafka with Adam Bellemare | Kafka Summit... (HostedbyConfluent)
Have you heard about Data Mesh but never really understood how you actually build one? Data mesh is a relatively recent term that describes a set of principles that good modern data systems uphold. Although the data mesh is not a technology specific pattern, it requires that organizations make choices and investments into specific technologies and operational policies when implementing the mesh. Establishing "paved roads" for creating, publishing, evolving, deprecating, and discovering data products is essential for bringing the benefits of the mesh to those who would use it.
In this talk, Adam covers implementing a self-service data mesh with events streams in Apache Kafka®. Event streams as a data product are an essential part of a real-world data mesh, as they enable both operational and analytical workloads from a common source of truth. Event streams provide full historical data along with realtime updates, letting each individual data product consumer decide what to consume, how to remodel it, and where to store it to best suit their needs.
Adam structures this talk by seeking to answer a hypothetical SaaS business question of "what is the relationship between feature usage and user retention?" This example explores each team's role in the data mesh, including the data products they would (and wouldn't) publish, how other teams could use the products, and the organizational dynamics and principles underpinning it all.
Identity federations play a pivotal role in facilitating easier collaboration and sharing of services around the globe. While the protocols, technology, and best practices of federations and their services are reasonably mature, the adoption and installation of needed tools and services to participate with them can be significantly improved.
A digital divide appears to have developed and is growing between those who are participating and those who want to, but feel they cannot. Pinpointing why this divide exists and how to close the gap is a source of debate but some simple statements can be made:
● Reducing the time to deploy services will help relieve pressure on time and resources for all
● Easier deployment of local components benefits both new participants grappling with the technology adoption curve and existing participants by growing the community
● Embedding best practices and core principles of security and service operation help avoid re-inventing the wheel for new participants as well as help maintain overall quality for the whole community.
Attempting to address this divide has been the work of a number of federation operators and NRENs, each at different stages of their plans. This presentation will explore and discuss the various approaches that the NREN community has undertaken and contrast them with the approach that SUNET’s SWAMID and CANARIE’s CAF created collaboratively. A key component of the approach is to streamline software deployments to support eduroam federated 802.1X authentication using FreeRADIUS and SAML2 federation services using Shibboleth software on a single VM instance. While each service on its own may have been done in the past, combining them in a federation-aware context and simplifying the overall experience is relatively new, and doing so revealed a great deal of overlap and efficiencies that could be gained.
The presentation will discuss the various collaboration and decision challenges encountered with implementers in two different federations on two different continents, with an eye to other federations’ needs. The implementers feel that their design decisions have led to an implementation that can be extended to other federations, which will also be explored and discussed. Time permitting, a demonstration of the solution deployment process will be shown.
On April 28th, a hands-on workshop was held at BCNet2014 in Vancouver by CANARIE's Canadian Access Federation (CAF) team.
The first part of the workshop explored CAF’s Identity Provider (IdP) Installer tool, which automates the installation of FreeRADIUS for eduroam and Shibboleth for Federated SSO. The second part of the workshop was dedicated to exploring CAF's new Federation Manager, an online tool that enables sites to manage their new or installed Shibboleth IdP installation, and to easily manage attributes and enable services.
CANARIE operates the Canadian Access Federation, a program with a set of services delivering Federated Single Sign On (FedSSO), and eduroam as services.
This presentation at REFED.org's day at Internet2 identity week is a high level view of what CAF is engaged in and interested in.
Eduroam: A current view of the worldwide service (Chris Phillips)
For over 11 years eduroam has been streamlining the mobile user experience and making it easier for researchers and students on the go to collaborate and innovate. With millions of transactions a day across over 60 countries the eduroam approach has scaled and kept abreast of the fast pace of change in ICT and explosive growth in mobile devices. Tapping into the talent pool of the eduroam community has been instrumental to keeping the service relevant and meaningful for the past decade and for more years to come. We'll share how we do this and some of the activities and areas of focus ahead.
CANARIE is the operator for eduroam in Canada and is active both domestically and internationally working on improvements and expanding the reach of eduroam. Our activities are diverse and we would like to update the community with developments in the following areas:
Eduroam operations: The number of eduroam sites in Canada is growing and so is the traffic as more and more mobile users carry multiple devices. Maintaining a high quality experience is important where the ultimate assessment is in the hands of the users. This portion of the presentation will discuss specific areas that we focused on and how they have improved, as well as eduroam traffic patterns and analysis tools.
Helping eduroam sites streamline eduroam configuration using CATS: CAT is short for Configuration Assistant Tool, a centrally managed service tool created by eduroam.org that allows site admins to monitor and remotely test their eduroam site from international locations. It uses federated access (using CAF & eduGAIN) to permit site operators to manage their own site-specific settings, and help streamline eduroam deployment and local support.
Looking to the future: Exploring enhancements to eduroam infrastructure – eduroam has been in service for just over ten years using the same durable RADIUS technology. This portion of the presentation will explore some of the next generation approaches to keep eduroam growing and working even better for the next decade. Topics in this section will be improved ways to interconnect eduroam servers using DNSSEC, as well as DANE cryptographic enhancements for dynamic server discovery.
How to Make a Field invisible in Odoo 17 (Celine George)
It is possible to hide some fields in Odoo, commonly by using the “invisible” attribute in the field definition. This slide deck shows how to make a field invisible in Odoo 17.
Safalta Digital Marketing Institute in Noida provides complete programs that cover a wide range of digital advertising and marketing components, including search engine optimization, digital communication marketing, pay-per-click marketing, content marketing, web analytics, and more. These courses are designed for students who want a comprehensive understanding of digital marketing strategies and attributes. Safalta Digital Marketing Institute in Noida is a first choice for young individuals or students who are looking to start their careers in the field of digital advertising. The institute offers specialized courses and certification for beginners, providing thorough training in areas such as SEO, digital communication marketing, and PPC training in Noida. After finishing the program, students receive certifications recognised by various top universities, setting a strong foundation for a successful career in digital marketing.
Biological screening of herbal drugs: Introduction and need for phyto-pharmacological screening; new strategies for evaluating natural products; in vitro evaluation techniques for antioxidant, antimicrobial and anticancer drugs; in vivo evaluation techniques for anti-inflammatory, antiulcer, anticancer, wound healing, antidiabetic, hepatoprotective, cardioprotective, diuretic and antifertility activity; toxicity studies as per OECD guidelines.
Honest Reviews of Tim Han LMA Course Program.pptx (timhan337)
Personal development courses are widely available today, with each one promising life-changing outcomes. Tim Han’s Life Mastery Achievers (LMA) Course has drawn a lot of interest. In addition to offering my frank assessment of Success Insider’s LMA Course, this piece examines the course’s effects via a variety of Tim Han LMA course reviews and Success Insider comments.
The French Revolution, which began in 1789, was a period of radical social and political upheaval in France. It marked the decline of absolute monarchies, the rise of secular and democratic republics, and the eventual rise of Napoleon Bonaparte. This revolutionary period is crucial in understanding the transition from feudalism to modernity in Europe.
For more information, visit-www.vavaclasses.com
Synthetic Fiber Construction in lab.pptx (Pavel, NSTU)
Synthetic fiber production is a fascinating and complex field that blends chemistry, engineering, and environmental science. By understanding these aspects, students can gain a comprehensive view of synthetic fiber production, its impact on society and the environment, and the potential for future innovations. Synthetic fibers play a crucial role in modern society, impacting various aspects of daily life, industry, and the environment. They are integral to modern life, offering a range of benefits from cost-effectiveness and versatility to innovative applications and performance characteristics. While they pose environmental challenges, ongoing research and development aim to create more sustainable and eco-friendly alternatives. Understanding the importance of synthetic fibers helps in appreciating their role in the economy, industry, and daily life, while also emphasizing the need for sustainable practices and innovation.
Macroeconomics- Movie Location
This will be used as part of your Personal Professional Portfolio once graded.
Objective:
Prepare a presentation or a paper using research, basic comparative analysis, data organization and application of economic information. You will make an informed assessment of an economic climate outside of the United States to accomplish an entertainment industry objective.
A Survey of Techniques for Maximizing LLM Performance.pptx
CANARIE Eduroam and Shibboleth Lessons & Areas of interest
1. Canadian Access Federation: Federated Application Building & eduroam lessons learned. May 2011. Chris Phillips – chris.phillips@canarie.ca
2. Agenda
- eduroam: less content than Shib (less complexity)
- Shibboleth: see my previous presentation! http://bit.ly/fedapps (link to Prezi)
- There will be a test at the end… really!
4. How does eduroam work?
- 802.1X: authenticate clients before allowing access to the network
- EAP framework, with secure EAP methods to protect user credentials
- RADIUS: authentication server infrastructure
- RADIUS proxying: route authentication requests to a user's home institution
- Separate IP address space, treated as external to the institution (compliance with service agreements, etc.)
- End users have standard internet access with as few filters as possible (if any at all).
7. What NOT to do…
- Invisibly allow your users to drop the scope of the sign-in. This punishes everyone: the mobile user can't log in, and support is called and invoked. Mitigation: use <netid>@homeinst.ca.
- Filter connections. Reciprocity is a great thing: treat eduroam mobile users on your infrastructure as you would want to be treated at their institution.
- Constrain/shape bandwidth. Again, the reciprocity principle holds here. If abuse is occurring, your netflow info should reveal it or trigger alarms.
8. Known Concerns
- NAT: NATing is frowned upon centrally, but this is known to be a tenuous position given IPv4 conditions and wireless.
Recommendation: continue to treat users how you would like to be treated.
9. Stats & Some Thoughts
Day 1 eduroam stats, first 6 hrs for CANHEIT (number of authentications per home domain):
# authN  Domain
1        mcgill.ca
1        polymtl.ca
1        ryerson.ca
2        mtroyal.ca
2        ucalgary.ca
2        unb.ca
3        bcnet.ca
3        cunet.carleton.ca
3        dal.ca
4        sfu.ca
4        ubc.ca
4        uvic.ca
6        brocku.ca
6        canarie.ca
6        mun.ca
6        queensu.ca
6        ualberta.ca
6        uottawa.ca
6        utoronto.ca
8        usask.ca
10       uwo.ca
17       uoguelph.ca
28       uwaterloo.ca
- An average day at Queen's sees ~50 people on eduroam, with about 5 from outside domains.
- Posit that institutions can broadcast only the eduroam SSID. Still have the chicken-and-egg problem of how to get on, but it's the same problem as WPA2…
- Communication is key: a captive-portal SSID that shows the one page could work, but ideas welcome.
11. Onboarding Process
- Standard template for connecting new sites
- Policy sign-off followed by technical implementation
- Estimated time for Canada federation-level RADIUS server personnel:
  - on-board a new member site: a few hours to two person-days, depending on member site expertise
  - general maintenance: ~one person-day per month
- Local implementation: from 4 hours to 4 weeks
13. More Stats
Canada has ~28 of 92 universities on eduroam. The US has slightly fewer in number (25) but 3,000-plus institutions. Hooray! We are leading the way in North America!
16. Past Presentations
This presentation builds on CANHEIT 2011. Prezi on building federated applications: http://bit.ly/fedapps
17. Rightsize Your Information Sharing (diagram: SAML as the conduit for information release; how much to share depends on the data the use case needs)
- Log in, share nothing: wireless
- Log in, share opaque ID: external website where personalization is desired
- Log in, share NetID: internal website where personalization is desired and linkage elsewhere is desired
- Log in, share NetID + attributes: internal website where personalization is desired, linkage elsewhere is desired, and further data is needed (shown ghosted on the slide)
19. My App Can't Be Federated in CAF Because… it is limited to regional/specific identities.
Reply: No problem! This is a Virtual Organization. A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance. VOs can exist within institutional boundaries but are most effective when constituted to operate across, and to unify participants in, different physical or institutional limits. The primary purpose is to pursue the shared topic or topics.
20. Virtual Organization pt 2
CAF is an environment where VOs flourish:
- Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying with attribute profiles to participate.
- Autonomy is retained by the VO and its members to focus on the topic.
- CAF's focus is on the 'dialtone' infrastructure for collaboration: IdP and SP management practices and operations, and middleware elements.
- Examples in Canada are:
  • Regional Learning Management Systems
  • Transcript or application management
  • Research 'desktops' that aggregate tools for researchers
Techniques to implement on the SP end:
- Use shibboleth2.xml and other configurations to whitelist participants [1]
- Consider using eduPersonEntitlement to express fine-grained filtering at the application level, e.g.:
  eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
  eduPersonEntitlement: http://publisher.example.com/contract/GL12
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
21. My App Can't Be Federated in CAF Because… I need to exchange special attributes.
Reply: No problem!
- CAF's default is shared nothing; eduPerson is the default attribute set.
- Where that is insufficient, the SP should work out the details with its partners on what extra elements it needs.
- CAF recommends that the SP have proper OIDs (these can be registered with IANA for free) for its attributes.
- OIDs provide uniqueness, but us humans like text names that are unique too.
22. Enhancing Attribute Exchanges
- Shared nothing today, but uses the eduPerson schema. Finding that this may be a paradox of choice.
- Very interesting space to explore, but keep the principles in mind:
  - Low friction to participate (i.e., simplicity is good)
  - Scalable, with a high degree of relevancy and utility
  - Don't punish the end user or the IdP owner
  - Interop across Canada and internationally
- Many areas to explore:
  - Use the SCHAC [1] technique for attributes? "urn:schac:dom.ain:Attribute:value"
  - Use the Australian [2] approach for precise control and strong typing and vocabulary?
  - Require full participation in various attribute sets (i.e. MUST populate all fields) but in different categories of SPs (category 1, 2, 3, etc.)?
  - Hybrid?
[1] http://www.terena.org/mail-archives/schac/msg00371.html
[2] http://www.aaf.edu.au/technical/aaf-core-attributes/
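The two SP-side techniques from slide 20 (whitelisting participating IdPs and filtering on eduPersonEntitlement), plus the "urn:schac:dom.ain:Attribute:value" layout quoted on slide 22, as an added example that is not code from the CANARIE deck or the Shibboleth project. It assumes a constructed VO policy (the two IdP entityIDs and the resource-to-entitlement table are invented for the example) and an attribute dictionary in the shape a SAML SP hands to an application after login; `Shib-Identity-Provider` is the variable name the Shibboleth SP uses for the asserting IdP, the entitlement values are the ones on slide 20.

```python
"""Added example: application-level VO access control for a federated SP.

Constructed for this example: PARTICIPATING_IDPS, REQUIRED_ENTITLEMENT and
the attribute dictionaries in the usage section. The entitlement values are
the two quoted on slide 20; the schac layout is the one written on slide 22.
"""
from __future__ import annotations
from dataclasses import dataclass

# Constructed VO policy: the IdPs allowed to participate (the metadata
# whitelist from slide 20) and the entitlement that unlocks each resource.
PARTICIPATING_IDPS = {
    "https://idp.example-univ-a.ca/idp/shibboleth",   # hypothetical entityID
    "https://idp.example-univ-b.ca/idp/shibboleth",   # hypothetical entityID
}
REQUIRED_ENTITLEMENT = {
    "microscope": "urn:mace:washington.edu:confocalMicroscope",
    "journal": "http://publisher.example.com/contract/GL12",
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def parse_schac(value: str) -> tuple[str, str, str] | None:
    """Parse a slide-22-style value 'urn:schac:dom.ain:Attribute:value' into
    (domain, attribute, value). Any other string returns None, so an
    application can tell schac-style values from urn:mace or URL entitlements."""
    parts = value.split(":", 4)
    if len(parts) != 5 or parts[0] != "urn" or parts[1] != "schac":
        return None
    return parts[2], parts[3], parts[4]


def split_multivalued(raw: str) -> list[str]:
    """The Shibboleth SP joins multiple attribute values with ';' in one
    variable; split them back into a list and drop empty entries."""
    return [v for v in raw.split(";") if v]


def authorize(attrs: dict[str, list[str]], resource: str) -> Decision:
    """Decide access to `resource` from the attributes the IdP released.

    Order matters: the IdP whitelist is the VO boundary and is checked first,
    then the fine-grained entitlement for this particular resource. Anything
    not explicitly permitted is denied."""
    idp = attrs.get("Shib-Identity-Provider", [""])[0]
    if idp not in PARTICIPATING_IDPS:
        return Decision(False, f"IdP {idp or '<none>'} is not a VO participant")
    needed = REQUIRED_ENTITLEMENT.get(resource)
    if needed is None:
        return Decision(False, f"unknown resource {resource!r}")
    if needed not in attrs.get("eduPersonEntitlement", []):
        return Decision(False, f"missing entitlement {needed}")
    return Decision(True, f"{idp} asserted {needed}")


if __name__ == "__main__":
    # Constructed login from a participating IdP that released one entitlement.
    login = {
        "Shib-Identity-Provider": ["https://idp.example-univ-a.ca/idp/shibboleth"],
        "eduPersonEntitlement": split_multivalued(
            "urn:mace:washington.edu:confocalMicroscope;"
        ),
    }
    print(authorize(login, "microscope"))   # allowed
    print(authorize(login, "journal"))      # denied: no contract entitlement
    print(parse_schac("urn:schac:dom.ain:Attribute:value"))
```

The whitelist here duplicates, at the application layer, what the NativeSPMetadataFilter does at the SP layer; keeping both means a misconfigured metadata feed does not silently widen the VO.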
23. My App Can't Be Federated in CAF Because… I need a higher level of assurance for a user.
Reply: OK, we want this too; what are your requirements?
- The challenge is how you want to express it and what your criteria for the higher level of assurance are. This is part of a larger conversation.
- What is the yardstick? NIST 800-63? NSTIC, OIX, Kantara audit requirements? Audit of the SP against its own statements?
- If you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
24. My App Can't Be Federated in CAF Because… I need to sign in on the command line.
Reply: OK, we want this too.
- Already participating internationally with UK JISC on Project Moonshot: a combined environment of eduroam RADIUS and SAML attribute assertions.
- Live CDs of the sample dev environment are available from Chris.
- Again, if you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
25. My App Can't Be Federated in CAF Because… I need to sign in with social identities (Google, OpenID).
Reply: No problem, it can be done.
- Already participating internationally with REFEDS and InCommon on social identity risk assessment and gateway designs [1].
- Certain gateways exist from UPenn and Sweden [2].
- Many unquantified risks at this time, but it does work:
  - The user behind the keyboard is unknown
  - Attributes are self-asserted
  - No knowledge of the value of the account to the person
- This is an active area of conversation.
[1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
[2] https://tnc2011.terena.org/getfile/558
26. My App Can't Be Federated in CAF Because… I don't think CAF is as highly available as I want it to be.
Reply: OK, did you know the following? CAF services reside in 3 provinces (Ontario, BC, and Quebec) and have redundant DNS entries with live failover. What are your service criteria, so we may understand them better?
28. Your Turn…
Poll: what would be your priority ranking of the following activities? http://twtpoll.com/amdcc6
Looking for more conversation and discussion? Join the CAF-Shib technical list to discuss the topics: CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA
31. Secure Wireless – 802.1X (April 27th 2010, Canada eduroam)
Wireless encryption established. Server: secure.wireless.ubc.ca; SSID: ubcsecure; id: jdoe
1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
2) Certificate validation: prevents "man-in-the-middle" attack
3) Establish secure tunnel: prevents eavesdropping; MSCHAPv2 runs inside it
4) Perform authentication through the tunnel
5) Authentication successful: establish encryption, connect to the network
6) Client acquires IP address (DHCP)
32. eduroam – Roaming User
Federation server: realm ca. Institution servers: realm ubc.ca, realm sfu.ca. SSID: eduroam; server cert: eduroam.sfu.ca; id: joe@sfu.ca
1) Negotiate EAP type: EAP-TTLS-PAP
2) Outer request: validate cert, establish TLS tunnel (PAP through the tunnel – secure!)
3) Inner request
4) Success: connect to the network, establish encryption.
33. eduroam – International Roaming
Confederation server above federation servers for realm ca and realm edu; institution servers for realms ubc.ca, sfu.ca, mit.edu, ucla.edu. id: pam@mit.edu
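The realm-based RADIUS proxying described on slide 4, the scoped-identity point from slide 7, and the two roaming diagrams on slides 32 and 33, as an added example that is not code from the CANARIE deck or any eduroam software. It models the decision each RADIUS hop makes (local realm, national federation, or confederation) and the chain of servers a request passes through; the topology table is constructed for the example using the realm names from the slides, and the outer/inner identity split follows the tunnelled EAP flow on slide 32 (the real username and password stay inside the TLS tunnel, so proxies only ever see the realm).

```python
"""Added example: realm-based routing of an eduroam authentication request.

Constructed for this example: the FEDERATIONS table (which national
federation server serves which top-level realm, and which institution
servers belong to it) and the CONFEDERATION name. Realm names are the ones
shown on slides 32 and 33.
"""
from __future__ import annotations

FEDERATIONS = {
    "ca": {"ubc.ca", "sfu.ca"},        # Canadian federation server
    "edu": {"mit.edu", "ucla.edu"},    # US federation server
}
CONFEDERATION = "confederation"        # top-level server joining the federations


def split_identity(identity: str) -> tuple[str, str]:
    """Split 'user@realm' and reject unscoped or malformed identities.

    Slide 7: an identity without a scope cannot be routed anywhere but the
    visited institution, so a roaming user who drops the scope simply cannot
    log in. Insisting on <netid>@homeinst.ca is the mitigation."""
    if identity.count("@") != 1:
        raise ValueError(f"identity {identity!r} must be exactly one user@realm")
    user, realm = identity.split("@")
    if not user or not realm or "." not in realm:
        raise ValueError(f"identity {identity!r} has no routable realm")
    return user, realm.lower()


def outer_identity(identity: str) -> str:
    """The identity every proxy hop sees. Only the realm is needed for
    routing, so the supplicant may present an anonymous outer identity and
    keep the real username inside the TLS tunnel (slide 32, step 2)."""
    _, realm = split_identity(identity)
    return f"anonymous@{realm}"


def route(identity: str, visited_realm: str) -> list[str]:
    """Return the chain of RADIUS servers from the visited institution to the
    user's home institution. Each hop inspects only the realm of the outer
    identity; the inner request (slide 32, step 3) is decrypted at the end."""
    _, realm = split_identity(outer_identity(identity))
    visited_realm = visited_realm.lower()
    hops = [visited_realm]
    if realm == visited_realm:
        return hops                      # local user: authenticate locally
    home_tld = realm.rsplit(".", 1)[-1]
    visited_tld = visited_realm.rsplit(".", 1)[-1]
    hops.append(f"federation:{visited_tld}")      # up to the national server
    if home_tld != visited_tld:
        # Foreign country (slide 33): up to the confederation, then down to
        # the home country's federation server.
        if home_tld not in FEDERATIONS:
            raise LookupError(f"no federation for realm {realm!r}")
        hops.append(CONFEDERATION)
        hops.append(f"federation:{home_tld}")
    if realm not in FEDERATIONS.get(home_tld, set()):
        # An unknown realm is rejected at the federation rather than
        # forwarded anywhere; the user gets an Access-Reject.
        raise LookupError(f"realm {realm!r} is not a member of federation {home_tld!r}")
    hops.append(realm)                   # home institution: verifies credentials
    return hops


if __name__ == "__main__":
    # Both roaming cases from the slides, as seen from the UBC RADIUS server.
    print(route("joe@sfu.ca", "ubc.ca"))     # slide 32
    print(route("pam@mit.edu", "ubc.ca"))    # slide 33
    print(route("jdoe@ubc.ca", "ubc.ca"))    # local user, no proxying
```

Every hop returned by `route()` is a place where the visited site's logs can show the realm but never the credential, which is the property the tunnelled EAP methods on slides 31 and 32 provide.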
Editor's Notes
Current as of May 2011
Key to our success- developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of Community of Practice.