CANARIE Eduroam and Shibboleth Lessons & Areas of interest

Slide 1: Canadian Access Federation
Federated Application Building & eduroam lessons learned
May 2011
Chris Phillips, chris.phillips@canarie.ca
Slide 2: Agenda
- eduroam (less content than Shibboleth, because there is less complexity)
- Shibboleth: see my previous presentation, http://bit.ly/fedapps (link to Prezi)
- There will be a test at the end... really!
Slide 3: Canadian eduroam Participants (image slide)
Slide 4: How does eduroam work?
- 802.1X: authenticates clients before allowing access to the network
- EAP framework: secure (TLS-tunnelled) EAP methods protect the user's credentials in transit
- RADIUS: the authentication server infrastructure
- RADIUS proxying: routes each authentication request, by the realm after the @ in the user's identity, to the user's home institution
- Separate IP address space: visiting users are treated as external to the institution (compliance with service agreements, etc.)
- End users get standard internet access with as few filters as possible (if any at all)
Slide 5: Sample Deployment: Queen's (image slide)
Slide 6: Cisco ACS Config (image slide)
Slide 7: What NOT to do...
- Invisibly allow your users to drop the scope (the @realm) from their sign-in.
  This punishes everyone: a bare NetID authenticates fine at home, but when that user roams, the visited site's RADIUS proxy has no realm to route on, so the login fails and support gets called.
  Mitigation: require <netid>@homeinst.ca as the identity everywhere, including at home.
- Filter connections.
  Reciprocity is a great thing. Treat eduroam mobile users on your infrastructure as you would want your users treated at their institution.
- Constrain/shape bandwidth.
  Again, the reciprocity principle holds here. If abuse is occurring, your netflow data should reveal it or trigger alarms.
Slide 8: Known Concerns
- NAT: NATing is frowned upon centrally, but that is known to be a tenuous position given IPv4 exhaustion and the growth of wireless.
Recommendation:
- Continue to treat users how you would like to be treated.
Slide 9: Stats & Some Thoughts
Day 1 eduroam stats, first 6 hrs, for CANHEIT:

  # authN  Domain
        1  mcgill.ca
        1  polymtl.ca
        1  ryerson.ca
        2  mtroyal.ca
        2  ucalgary.ca
        2  unb.ca
        3  bcnet.ca
        3  cunet.carleton.ca
        3  dal.ca
        4  sfu.ca
        4  ubc.ca
        4  uvic.ca
        6  brocku.ca
        6  canarie.ca
        6  mun.ca
        6  queensu.ca
        6  ualberta.ca
        6  uottawa.ca
        6  utoronto.ca
        8  usask.ca
       10  uwo.ca
       17  uoguelph.ca
       28  uwaterloo.ca

- An average day at Queen's sees ~50 people on eduroam, about 5 of them from outside domains.
- Posit: institutions could broadcast only the eduroam SSID.
  There is still a chicken-and-egg problem of how a new user gets on in the first place, but it is the same problem as WPA2...
  Communication is key. A captive-portal SSID that shows the one setup page could work, but ideas are welcome.
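The per-realm table above is what you get by splitting each successful login on its @realm. The script below is an added example (not from the slides) that produces that table from RADIUS authentication logs and, as slide 7 suggests, turns the same data into an abuse signal. The log lines are constructed in the style of a FreeRADIUS 2.x "Auth:" log; the client name, ports and MAC addresses are assumptions, and a real deployment would read the file the server actually writes.

```python
"""Per-realm eduroam authentication counts and a failure-spike signal.

Added example, not from the original slides. SAMPLE_LOG is constructed in
the style of a FreeRADIUS 2.x auth log; field layout, client names and
MAC addresses are assumptions.
"""
import re
from collections import Counter

# Constructed sample: three visitors, one local user, two unscoped logins
# (one succeeds locally, one fails) and a burst of failures for one identity.
SAMPLE_LOG = """\
Tue May 17 09:01:11 2011 : Auth: Login OK: [joe@sfu.ca] (from client ubc-wlc port 13 cli 00-11-22-33-44-55)
Tue May 17 09:02:30 2011 : Auth: Login OK: [amy@ubc.ca] (from client ubc-wlc port 13 cli 00-11-22-33-44-66)
Tue May 17 09:03:02 2011 : Auth: Login OK: [pam@mit.edu] (from client ubc-wlc port 14 cli 00-11-22-33-44-77)
Tue May 17 09:03:40 2011 : Auth: Login incorrect: [bob] (from client ubc-wlc port 14 cli 00-11-22-33-44-88)
Tue May 17 09:04:01 2011 : Auth: Login incorrect: [eve@uwaterloo.ca] (from client ubc-wlc port 15 cli 00-11-22-33-44-99)
Tue May 17 09:04:02 2011 : Auth: Login incorrect: [eve@uwaterloo.ca] (from client ubc-wlc port 15 cli 00-11-22-33-44-99)
Tue May 17 09:04:03 2011 : Auth: Login incorrect: [eve@uwaterloo.ca] (from client ubc-wlc port 15 cli 00-11-22-33-44-99)
Tue May 17 09:04:04 2011 : Auth: Login incorrect: [eve@uwaterloo.ca] (from client ubc-wlc port 15 cli 00-11-22-33-44-99)
Tue May 17 09:05:10 2011 : Auth: Login OK: [zed@uwaterloo.ca] (from client ubc-wlc port 16 cli 00-11-22-33-44-aa)
Tue May 17 09:05:30 2011 : Auth: Login OK: [cam] (from client ubc-wlc port 16 cli 00-11-22-33-44-bb)
"""

AUTH_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+) cli (?P<mac>\S+)\)$"
)


def parse_auth_log(text):
    """Yield one dict per recognised Auth line; other lines are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            yield m.groupdict()


def realm_of(user):
    """Realm part of user@realm, or None for an unscoped identity."""
    if "@" not in user:
        return None
    return user.rsplit("@", 1)[1].lower()


def authn_by_realm(text, local_realm):
    """Successful logins per home realm (the table on slide 9) and the
    number of those that came from realms other than local_realm.

    Unscoped identities are reported under "<unscoped>" so the slide-7
    problem (users dropping the @realm) shows up in the stats instead of
    being folded silently into the local count.
    """
    counts = Counter()
    for rec in parse_auth_log(text):
        if rec["result"] != "OK":
            continue
        counts[realm_of(rec["user"]) or "<unscoped>"] += 1
    visitors = sum(n for r, n in counts.items() if r not in (local_realm, "<unscoped>"))
    return counts, visitors


def failure_spikes(text, threshold):
    """Identities with at least `threshold` failed logins: a cheap signal
    for password guessing or a broken supplicant hammering the server."""
    fails = Counter()
    for rec in parse_auth_log(text):
        if rec["result"] == "incorrect":
            fails[rec["user"]] += 1
    return {u: n for u, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    counts, visitors = authn_by_realm(SAMPLE_LOG, "ubc.ca")
    print("# authN  Domain")
    for realm, n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{n:7d}  {realm}")
    print("visitors from other realms:", visitors)
    print("failure spikes:", failure_spikes(SAMPLE_LOG, 3))
```

Point the script at the visited site's log to see who is roaming in; point it at the home site's log and the same per-realm split shows which of your own users are roaming out, which is the reciprocity picture slide 7 asks for.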
Slide 10: eduroam @ McMaster (image slide)
Slide 11: Onboarding Process
- Standard template for connecting new sites
- Policy sign-off followed by technical implementation
- Estimated time for Canada federation-level RADIUS server personnel:
  - on-boarding a new member site: a few hours to two person-days, depending on member site expertise
  - general maintenance: ~one person-day per month
- Local implementation: from 4 hours to 4 weeks
Slide 12: Rapid Growth (image slide)
Slide 13: More Stats
- Canada has ~28 of 92 universities on eduroam.
- The US has slightly fewer in number (25), but out of 3,000-plus institutions.
- Hooray! We are leading the way in North America!
Slide 14: eduroam Questions?
Slide 15: Shibboleth Federations Worldwide (image slide)
Slide 16: Past Presentations
This presentation builds on CANHEIT 2011, the Prezi on building federated applications: http://bit.ly/fedapps
Slide 17: Rightsize Your Information Sharing
(Diagram, reconstructed as a list.) Release only as much identity as the use case needs; SAML is the conduit for the information release:
- Log in, share nothing: wireless (network access only)
- Log in, share an opaque ID: external website where personalization is desired
- Log in, share the NetID: internal website where personalization and linkage elsewhere are desired
- Log in, share the NetID + attributes: internal website where personalization and linkage elsewhere are desired and further data is needed
Slide 18: Dispelling Some Myths
Slide 19: My App Can't Be Federated in CAF Because... it is limited to regional/specific identities
Reply: No problem! This is a Virtual Organization.
- A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics, with common tools or governance.
- VOs can exist within institutional boundaries, but are most effective when constituted to operate across, and to unify participants in, different physical or institutional limits.
- The primary purpose is to pursue the shared topic or topics.
Slide 20: Virtual Organization, pt 2
CAF is an environment where VOs flourish:
- Virtual Organizations typically form around Service Provider(s), with IdPs providing the consumers and complying with attribute profiles in order to participate.
- Autonomy is retained by the VO and its members to focus on the topic. CAF's focus is on the 'dialtone' infrastructure for collaboration: IdP and SP management practices and operations, and the middleware elements.
- Examples in Canada:
  - Regional Learning Management Systems
  - Transcript or application management
  - Research 'desktops' that aggregate tools for researchers
Techniques to implement on the SP end:
- Use shibboleth2.xml (the SP's main configuration) and the metadata filter to whitelist the participating IdPs [1]
- Consider using eduPersonEntitlement to express fine-grained filtering at the application level, for example:
    eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
    eduPersonEntitlement: http://publisher.example.com/contract/GL12
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
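What the application behind the SP does with those two techniques, as an added example that is not from the slides or the Shibboleth project: an allow-list of participating IdPs checked a second time in the application (the metadata filter in shibboleth2.xml remains the primary control), and per-resource authorization on eduPersonEntitlement values. The Shibboleth SP hands attributes to the application as request variables, with multiple values joined by ";" and a literal ";" escaped as "\;"; a plain dict stands in for that environment here. The variable names REMOTE_USER, Shib-Identity-Provider and entitlement are the SP's defaults; the entity IDs, paths and request contents are constructed.

```python
"""SP-side filtering for a Virtual Organization.

Added example, not from the slides or the Shibboleth project. The dict
passed to authorize() stands in for the request environment the Shibboleth
SP populates; entity IDs, paths and request contents are constructed.
"""

# IdPs admitted to the VO. The SP metadata filter is the primary control;
# repeating the list here is defence in depth so the application fails
# closed if the SP configuration drifts.
VO_IDPS = {
    "https://idp.sfu.ca/idp/shibboleth",
    "https://idp.uwaterloo.ca/idp/shibboleth",
}

# path prefix -> entitlement values, any one of which grants access.
# An empty set means "any authenticated VO member". Paths with no
# matching prefix are denied (default deny).
RESOURCE_ENTITLEMENTS = {
    "/home/": set(),
    "/microscope/": {"urn:mace:washington.edu:confocalMicroscope"},
    "/journal/": {"http://publisher.example.com/contract/GL12"},
}


def split_multivalued(raw):
    """Split a Shibboleth SP multi-valued attribute ("a;b").

    The SP escapes a literal ';' inside a value as '\\;', so a naive
    str.split(";") would corrupt such values.
    """
    values, buf, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            buf.append(";")
            i += 2
        elif raw[i] == ";":
            values.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(raw[i])
            i += 1
    values.append("".join(buf))
    return [v for v in values if v]


def resource_for(path):
    """Longest configured prefix that matches path, or None."""
    matches = [p for p in RESOURCE_ENTITLEMENTS if path.startswith(p)]
    return max(matches, key=len) if matches else None


def authorize(environ, path):
    """Return (allowed, reason) for an SP-authenticated request to path."""
    idp = environ.get("Shib-Identity-Provider", "")
    if idp not in VO_IDPS:
        return False, "IdP not in VO: " + (idp or "<none>")
    if not environ.get("REMOTE_USER"):
        return False, "no authenticated user"
    prefix = resource_for(path)
    if prefix is None:
        return False, "no policy for " + path
    required = RESOURCE_ENTITLEMENTS[prefix]
    if not required:
        return True, "VO member"
    held = set(split_multivalued(environ.get("entitlement", "")))
    granted = held & required
    if granted:
        return True, "entitlement " + min(granted)
    return False, "missing entitlement for " + prefix


if __name__ == "__main__":
    # Constructed request: an SFU user holding the microscope entitlement.
    env = {
        "Shib-Identity-Provider": "https://idp.sfu.ca/idp/shibboleth",
        "REMOTE_USER": "joe@sfu.ca",
        "entitlement": "urn:mace:washington.edu:confocalMicroscope",
    }
    for p in ("/home/", "/microscope/run", "/journal/issue1", "/admin"):
        print(p, authorize(env, p))
```

Because the IdP check runs before the entitlement check, an entitlement asserted by an IdP outside the VO (a social-identity gateway, say) never reaches the application's decision, which is the right default for attributes the SP cannot vouch for.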
Slide 21: My App Can't Be Federated in CAF Because... I need to exchange special attributes
Reply: No problem!
- CAF's default is "share nothing"; eduPerson is the default attribute set.
- Where that is insufficient, the SP should work out with its partners what extra elements it needs.
- CAF recommends that the SP have proper OIDs for its attributes (an OID arc can be registered with IANA for free).
- OIDs provide uniqueness, but we humans like text names that are unique too.
Slide 22: Enhancing Attribute Exchanges
- Shared nothing today, but uses the eduPerson schema.
- Finding that this may be a paradox of choice.
- Very interesting space to explore, but keep in mind the principles:
  - Low friction to participate (i.e., simplicity is good)
  - Scalable, with a high degree of relevancy and utility
  - Don't punish the end user or the IdP owner
  - Interop across Canada and internationally
- Many areas to explore:
  - Use the SCHAC [1] technique for attributes? ("urn:schac:dom.ain:Attribute:value")
  - Use the Australian [2] approach for precise control, strong typing and a controlled vocabulary?
  - Require full participation in various attribute sets (i.e., MUST populate all fields), but in different categories of SPs (category 1, 2, 3, etc.)?
  - Hybrid?
[1] http://www.terena.org/mail-archives/schac/msg00371.html
[2] http://www.aaf.edu.au/technical/aaf-core-attributes/
Slide 23: My App Can't Be Federated in CAF Because... I need a higher Level of Assurance for a user
Reply: OK, we want this too. What are your requirements?
- The challenge is how you want to express it, and what your criteria for the higher level of assurance are.
- Part of a larger conversation:
  - What is the yardstick? NIST SP 800-63?
  - NSTIC, OIX, Kantara audit requirements?
  - Audit of the SP against its own statements?
- If you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
Slide 24: My App Can't Be Federated in CAF Because... I need to sign in on the command line
Reply: OK, we want this too.
- Already participating internationally with UK JISC on Project Moonshot, a combined environment of eduroam RADIUS and SAML attribute assertions.
- Live CDs of the sample dev environment are available from Chris.
- Again, if you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
Slide 25: My App Can't Be Federated in CAF Because... I need to sign in with social identities (Google, OpenID)
Reply: No problem, it can be done.
- Already participating internationally with REFEDS and InCommon on social identity risk assessment and gateway designs [1]
- Certain gateways exist, from UPenn and Sweden [2]
- Many unquantified risks at this time, but it does work:
  - The user behind the keyboard is unknown
  - Attributes are self-asserted
  - No knowledge of the value of the account to the person
- This is an active area of conversation.
[1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
[2] https://tnc2011.terena.org/getfile/558
Slide 26: My App Can't Be Federated in CAF Because... I don't think CAF is as highly available as I need it to be
Reply: OK, did you know the following?
- CAF services reside in 3 provinces (Ontario, BC and Quebec) and have redundant DNS entries with live failover.
- What are your service criteria, so that we may understand them better?
Slide 27: FYI about availability (image slide)
Slide 28: Your Turn...
- Poll: what would be your priority ranking of the following activities? http://twtpoll.com/amdcc6
- Looking for more conversation and discussion? Join the CAF-Shib technical list to discuss these topics: CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA
Slide 29: Extra Slides
Slide 31: Secure Wireless: 802.1X (April 27th 2010, Canada eduroam)
Example: user jdoe on SSID ubcsecure, authenticating against secure.wireless.ubc.ca.
1) Negotiate the authentication method: EAP-PEAPv0 with MSCHAPv2 as the inner method
2) Certificate validation: the client verifies the RADIUS server's certificate, which prevents a "man-in-the-middle" (a rogue access point with its own RADIUS server) from impersonating the real one
3) Establish a secure TLS tunnel: prevents eavesdropping on the inner exchange
4) Perform the MSCHAPv2 authentication through the tunnel
5) Authentication successful: wireless encryption keys are established and the client connects to the network
6) Client acquires an IP address (DHCP)
Caveat: the tunnel in step 3 only protects the credentials from the network, not from whoever terminates the tunnel. If the client skips step 2, or trusts any certificate, the tunnel is built to the attacker's server and step 4 hands it the MSCHAPv2 exchange.
Slide 32: eduroam: Roaming User
Example: joe@sfu.ca visiting UBC on SSID eduroam. The visited institution server has realm ubc.ca; the federation server has realm ca; the home institution server has realm sfu.ca and presents the certificate eduroam.sfu.ca.
1) Negotiate the EAP type: EAP-TTLS with PAP as the inner method
2) Outer request: proxied by realm (ubc.ca to the federation server to sfu.ca). The client validates the home server's certificate and establishes a TLS tunnel that terminates at sfu.ca, so the PAP password travels only inside the tunnel and is never visible to the visited site or the federation proxy (secure!)
3) Inner request: the home server checks the password against its own user store
4) Success: the client connects to the network and wireless encryption is established
Caveat: with PAP inside TTLS the cleartext password, not a challenge response, is what the tunnel carries, so the certificate check in step 2 is the only thing standing between the user's password and a rogue server.
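Step 2 on slides 31 and 32 is enforced entirely on the client, and a supplicant profile that omits it still connects, which is why it is the most common weak configuration. The following is an added example (not from the slides) that lints wpa_supplicant network blocks for the settings that make the certificate check real: a pinned CA (ca_cert), a server-name check (domain_suffix_match, or subject_match on older versions), an anonymous outer identity carrying the realm, and a scoped real identity. Both profiles are constructed; the realm, file paths and password are assumptions.

```python
"""Lint eduroam supplicant profiles for the certificate-validation step.

Added example, not from the slides. WEAK_PROFILE and HARDENED_PROFILE are
constructed wpa_supplicant network blocks; realm, paths and password are
assumptions. The option names are wpa_supplicant's own.
"""
import re

# Connects fine, but accepts any RADIUS server certificate and sends the
# real username in the clear as the outer identity.
WEAK_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@ubc.ca"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Pins the CA, checks the server name, and hides the real username from
# the visited network while still carrying the realm for routing.
HARDENED_PROFILE = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@ubc.ca"
    anonymous_identity="anonymous@ubc.ca"
    password="hunter2"
    ca_cert="/etc/ssl/certs/ubc-eduroam-ca.pem"
    domain_suffix_match="ubc.ca"
    phase2="auth=MSCHAPV2"
}
"""

KEY_RE = re.compile(r'^\s*([A-Za-z0-9_]+)\s*=\s*"?([^"\n]*)"?\s*$')


def parse_network_block(text):
    """Return the key=value settings inside the first network={...} block."""
    body = text.split("network={", 1)[1].split("}", 1)[0]
    settings = {}
    for line in body.splitlines():
        m = KEY_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def lint_profile(text):
    """Return a list of findings; an empty list means the profile really
    validates the server before releasing credentials."""
    s = parse_network_block(text)
    findings = []
    if s.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt is not WPA-EAP: not an 802.1X profile")
    if s.get("eap") not in ("PEAP", "TTLS"):
        findings.append(f"eap={s.get('eap')}: expected a TLS-tunnelled method (PEAP or TTLS)")
    if "ca_cert" not in s:
        findings.append("no ca_cert: any server certificate is accepted, so a rogue AP can terminate the tunnel")
    if "domain_suffix_match" not in s and "subject_match" not in s:
        findings.append("no domain_suffix_match/subject_match: any certificate from the trusted CA is accepted")
    if "anonymous_identity" not in s:
        findings.append("no anonymous_identity: the real username is sent in the clear as the outer identity")
    elif "@" not in s["anonymous_identity"]:
        findings.append("anonymous_identity has no @realm: the visited site cannot route the request home")
    if "@" not in s.get("identity", ""):
        findings.append("identity has no @realm: works at home, fails when roaming (slide 7)")
    return findings


if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, lint_profile(profile) or ["ok"])
```

Since the network cannot verify that a client performed step 2, the practical control is to distribute profiles that already carry these settings rather than to let users type them in.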
Slide 33: eduroam: International Roaming
Example: pam@mit.edu visiting a Canadian site. Routing is by realm, one level of the hierarchy at a time:
- Institution servers: ubc.ca and sfu.ca (Canada); mit.edu and ucla.edu (US)
- Federation servers: realm ca (Canada) and realm edu (US)
- Confederation server: the top-level server that routes between national federations
Request path: ubc.ca to the ca federation server, to the confederation server, to the edu federation server, to mit.edu (home), and the reply travels back the same way.
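The routing rule every server in that tree applies, as an added example (not from the slides) that models the RADIUS proxy hierarchy of slides 4, 32 and 33 and the unscoped-login trap of slide 7. Each server looks only at the realm after the @ in the outer User-Name: it answers locally, forwards to a child or to its parent, or rejects. The realms are the ones on the slides; the server labels and the user accounts are constructed, and no real server addresses are used.

```python
"""Realm-based routing of an eduroam authentication request.

Added example, not from the slides. Server labels and user accounts are
constructed; the realms are those drawn on slides 32 and 33. Proxies only
ever see the outer identity: the inner credential travels inside the TLS
tunnel that terminates at the home server.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Server:
    name: str                      # label used in the routing trace
    suffix: str                    # DNS suffix this server routes for ("" = confederation top)
    realms: set = field(default_factory=set)      # realms authenticated locally (institutions only)
    users: set = field(default_factory=set)       # local accounts, bare usernames
    children: dict = field(default_factory=dict)  # suffix -> Server below us
    parent: Optional["Server"] = None


def attach(parent, child):
    parent.children[child.suffix] = child
    child.parent = parent
    return child


def within(realm, suffix):
    """True if realm is suffix itself or a subdomain of it."""
    return suffix == "" or realm == suffix or realm.endswith("." + suffix)


def route(server, user_name, hops=None):
    """Return (outcome, hops). Outcomes: accept, reject-unscoped,
    reject-no-such-user, reject-unknown-realm, loop."""
    hops = [] if hops is None else hops
    if server.name in hops:            # proxy-loop guard
        return "loop", hops
    hops.append(server.name)
    if "@" in user_name:
        local, realm = user_name.rsplit("@", 1)
        realm = realm.lower()
    else:
        local, realm = user_name, None
    if realm is None:
        # Slide 7: a bare NetID cannot be proxied, so it only ever works on
        # the home institution's own server.
        return ("accept" if local in server.users else "reject-unscoped"), hops
    if realm in server.realms:
        return ("accept" if local in server.users else "reject-no-such-user"), hops
    for child in server.children.values():
        if within(realm, child.suffix):
            return route(child, user_name, hops)
    if within(realm, server.suffix):
        # Under our suffix but no member serves it: reject here rather than
        # bouncing it upward (the national server is authoritative for .ca).
        return "reject-unknown-realm", hops
    if server.parent is None:
        return "reject-unknown-realm", hops
    return route(server.parent, user_name, hops)


def build_tree():
    top = Server("confederation", "")
    ca = attach(top, Server("federation.ca", "ca"))
    edu = attach(top, Server("federation.edu", "edu"))
    for realm, users in (("ubc.ca", {"amy"}), ("sfu.ca", {"joe"})):
        attach(ca, Server(realm, realm, {realm}, users))
    for realm, users in (("mit.edu", {"pam"}), ("ucla.edu", {"ray"})):
        attach(edu, Server(realm, realm, {realm}, users))
    servers = {}

    def collect(s):
        servers[s.name] = s
        for c in s.children.values():
            collect(c)

    collect(top)
    return servers


SERVERS = build_tree()

if __name__ == "__main__":
    for user in ("joe@sfu.ca", "pam@mit.edu", "joe", "x@foo.ca", "x@example.org"):
        print(f"{user:14s} from ubc.ca ->", route(SERVERS["ubc.ca"], user))
    print(f"{'joe':14s} from sfu.ca ->", route(SERVERS["sfu.ca"], "joe"))
```

The two "joe" traces are the slide-7 failure in miniature: the same bare username is accepted at sfu.ca and rejected at ubc.ca, and nothing in the logs at the visited site explains why except the missing realm.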

Editor's Notes

  • #4 Current as of May 2011
  • #12 Key to our success- developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of Community of Practice.
  • #26 Conscription of users
  • #27 Conscription of users