Slide 1: Canadian Access Federation
What do I need to do on my campus to enable eduroam & Shibboleth?
July 5, 2011
Chris Phillips – chris.phillips@canarie.ca

Slide 2: Agenda
Per service:
• Value proposition
• Technical profile
• Skills required
• Time required
eduroam (detailed tech slides at the end)
Shibboleth (also detailed tech slides at the end)
More to be found at: http://bit.ly/fedapps (link to Prezi)
Slide 3: Use Case – Wireless Access
Without eduroam:
• User arrives, needs to get onto wireless
• Needs to talk to IT staff to get a credential created in the system and a password set
• User waits for the account
• User uses the known password, signs into wireless
• When the user is done, IT should be notified to delete the account and terminate access (right?)
• IT deletes the account (right?)
• Done
With eduroam:
• User arrives, needs to get onto wireless, has an eduroam-enabled ID
• Opens laptop
• User is authenticated against the home institution and is online
• Done

Slide 4: eduroam impact
• Reduces the effort of supporting guest network IDs: support calls ("How do I…?") and the guest account footprint in your systems
• Available only on the wireless network, not on other systems
Slide 5: eduroam @ CANHEIT 2011 – McMaster

Slide 6: Canadian eduroam Coverage
Slide 7: How does eduroam work?
• 802.1X authenticates clients before allowing access to the network
• EAP framework, with secure (tunnelled) EAP methods to protect user credentials
• RADIUS provides the authentication server infrastructure
• RADIUS proxying routes authentication requests to the user's home institution, based on the realm in the identity (user@realm)
• Separate IP address space, treated as external to the institution (compliance with service agreements, etc.)
• End users get standard internet access with as few filters as possible (if any at all)
Slide 8: Sample Deployment: Queen's

Slide 9: Cisco ACS Config
Slide 10: Reciprocity
eduroam is about treating guest credentials the way you would like yours to be treated. Just think about what you would like when you travel:
• No filtered connections
• No traffic shaping
• Public IP address (where possible)
• NAT is not ideal, but if you already give your local users private IP addresses, it will probably work out OK

Slide 11: Onboarding Process
Canada has ~28 of 92 universities on eduroam. The US has slightly fewer (25), out of 3,000-plus institutions.
eduroam operator:
• Standard template for connecting new sites
• Policy sign-off followed by technical implementation
• Estimated time for Canadian federation-level RADIUS server personnel: onboarding a new member site takes a few hours to two person-days, depending on member site expertise; general maintenance is ~one person-day per month
eduroam site:
• Local implementation from 4 hours to 4 weeks, depending on capabilities
• Skill: install and operate RADIUS on your platform of choice (Cisco ACS, Microsoft NPS, FreeRADIUS)
• Operational maintenance: the same as for your authentication server now
Slide 12: Rapid Growth

Slide 13: eduroam Questions?

Slide 14: Shibboleth Federations Worldwide

Slide 15: Past Presentations
This presentation builds on CANHEIT 2010: Prezi on building federated applications: http://bit.ly/fedapps
Slide 16: Use Case – New Employee Access to Online Resources
Without Shibboleth:
• User arrives, needs access to web resources: Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, shared online resources in a 3rd-party wiki
• Needs to talk to staff for each service to get a credential created in each system and a password set
• User waits for an account for each service
• User uses the known password, signs into each service and sets a password
• When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
• Each service deletes the account (right?)
• Done
With Shibboleth:
• User arrives, needs access to the same web resources: Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, shared online resources in a 3rd-party wiki
• IT staff creates one central account and assigns privileges to access the resources centrally
• User waits for the account
• User changes the password, and all services rely on this one password
• When the user leaves the organization, this one account is the only one that needs to be deleted (right?)
• Done

Slide 17: Shib Value Proposition
• Game changer for integration effort with Shib-ready services
• Reduces integration from customization to configuration
• Avoids weeks of custom project integration and then maintenance until, well, forever
• Lowers the cost of doing business: do better with less
• Establishes a centralized policy enforcement point and easier auditability
• For new work, establishes a publicly accepted framework to implement to, not your own homegrown framework
Slide 18: Rightsize Your Information Sharing (diagram; SAML is the conduit for information release)
Release only the data each service needs (the diagram's axis, ghosted on the slide, is "data needed"), from least to most:
• Log in, share nothing: wireless
• Log in, share an opaque ID: external website where personalization is desired
• Log in, share NetID: internal website where personalization and linkage elsewhere are desired
• Log in, share NetID + attributes: internal website where personalization, linkage elsewhere and further data are needed

Slide 19: Infrastructure & Skills
Infrastructure:
• A single server for the Identity Provider (IdP), preferably two for redundancy
• The IdP is Java and runs in its own servlet container on Jetty, Tomcat or JBoss
• Can cohabit with an existing SSO system or be the SSO service itself entirely
Skills / type of person:
• The same person managing your SSO environment would be a good fit
• Operational effort is log watching and XML configuration
Slide 20: Where would you like to go next?

Slide 21: Extra Slides
Slide 22: Secure Wireless – 802.1X (Canada eduroam, April 27th 2010)
Example: ssid ubcsecure, RADIUS server secure.wireless.ubc.ca, id jdoe
1) Negotiate authentication method: EAP-PEAPv0 with MSCHAPv2 as the inner method
2) Certificate validation: the client validates the RADIUS server's certificate, which prevents a man-in-the-middle (a rogue access point with its own RADIUS server) from harvesting credentials. This only holds if the client is configured with the issuing CA and the expected server name; a client that accepts any certificate hands its MSCHAPv2 exchange to the impostor, who can attack it offline.
3) Establish a secure TLS tunnel to the server: prevents eavesdropping
4) Perform the MSCHAPv2 authentication through the tunnel
5) Authentication successful: establish wireless encryption, connect to the network
6) Client acquires an IP address (DHCP)
Slide 23: eduroam – Roaming User
Scenario: SFU user joe@sfu.ca connects to ssid eduroam at UBC. UBC's institution server (realm ubc.ca) proxies the request to the federation server (realm ca), which proxies it to SFU's institution server (realm sfu.ca, certificate eduroam.sfu.ca).
1) Negotiate EAP type: EAP-TTLS with PAP as the inner method
2) Outer request: the client validates the home server's certificate (eduroam.sfu.ca) and establishes a TLS tunnel to it, end to end through the proxies
3) Inner request: the PAP credentials pass through the tunnel, so only the home server sees the password; the visited site and the proxies see only the outer identity and the realm they need for routing
4) Success: connect to the network, establish encryption

Slide 24: eduroam – International Roaming
User pam@mit.edu roams onto a Canadian campus. The request is routed hop by hop on the realm suffix: institution server (ubc.ca or sfu.ca), to the Canadian federation server (realm ca), to the confederation server (top level), to the US federation server (realm edu), to MIT's institution server (realm mit.edu). ucla.edu sits under the same US federation server.
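Slides 7, 23 and 24 describe realm-based RADIUS proxying without showing the decision each hop makes. The following is an added example, not code from this deck or from any eduroam operator, that models that decision in Python: strip the realm from the outer identity, authenticate locally if the realm is ours, otherwise forward on the longest matching realm suffix, and reject rather than bounce upward when we are authoritative for the suffix and still have no route. The server names, the realm table and the identities are constructed to match the diagrams and are not real hosts.

```python
"""Hierarchical RADIUS realm routing as used by eduroam (added example, constructed topology)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RadiusServer:
    """One RADIUS hop: an institution server, a national federation server or the confederation root."""
    name: str
    local_realms: Set[str] = field(default_factory=set)       # realms this server authenticates itself
    routes: Dict[str, "RadiusServer"] = field(default_factory=dict)  # realm suffix -> next hop
    authoritative: Set[str] = field(default_factory=set)      # suffixes it has the last word on, e.g. "ca"
    default: Optional["RadiusServer"] = None                  # where everything else goes (toward the root)


def split_realm(outer_identity: str) -> Optional[str]:
    """Return the realm of a user@realm identity, lower-cased, or None if there is none."""
    if "@" not in outer_identity:
        return None
    realm = outer_identity.rsplit("@", 1)[1].strip().lower()
    return realm or None


def next_hop(server: RadiusServer, realm: str) -> Optional[RadiusServer]:
    """Longest-suffix match: at the root, 'mit.edu' is matched by the route for 'edu'."""
    labels = realm.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    for suffix in suffixes:
        if suffix in server.routes:
            return server.routes[suffix]
    # No specific route. If this server is authoritative for the suffix, nobody
    # above it knows better: reject here instead of bouncing the request upward.
    if any(suffix in server.authoritative for suffix in suffixes):
        return None
    return server.default


def route(start: RadiusServer, outer_identity: str) -> Tuple[str, List[str]]:
    """Trace the proxy chain from the visited site. Returns (decision, servers visited)."""
    realm = split_realm(outer_identity)
    path = [start.name]
    if realm is None:
        return "reject: no realm", path          # eduroam requires user@realm; unroutable
    server, visited = start, {start.name}
    while True:
        if realm in server.local_realms:
            return f"authenticate at {server.name}", path
        hop = next_hop(server, realm)
        if hop is None:
            return "reject: unknown realm", path
        if hop.name in visited:                   # stands in for a real proxy's loop detection
            return "reject: routing loop", path
        visited.add(hop.name)
        path.append(hop.name)
        server = hop


def build_topology() -> Dict[str, RadiusServer]:
    """Constructed topology following the deck's diagrams; names are illustrative, not real hosts."""
    root = RadiusServer("confederation")
    fed_ca = RadiusServer("ca-federation", authoritative={"ca"}, default=root)
    fed_us = RadiusServer("us-federation", authoritative={"edu"}, default=root)
    ubc = RadiusServer("ubc-radius", local_realms={"ubc.ca"}, default=fed_ca)
    sfu = RadiusServer("sfu-radius", local_realms={"sfu.ca"}, default=fed_ca)
    mit = RadiusServer("mit-radius", local_realms={"mit.edu"}, default=fed_us)
    ucla = RadiusServer("ucla-radius", local_realms={"ucla.edu"}, default=fed_us)
    fed_ca.routes = {"ubc.ca": ubc, "sfu.ca": sfu}
    fed_us.routes = {"mit.edu": mit, "ucla.edu": ucla}
    root.routes = {"ca": fed_ca, "edu": fed_us}
    return {s.name: s for s in (root, fed_ca, fed_us, ubc, sfu, mit, ucla)}


if __name__ == "__main__":
    net = build_topology()
    for who in ("joe@sfu.ca", "pam@mit.edu", "jdoe@UBC.ca", "jdoe", "x@nowhere.ca", "x@example.org"):
        print(who, "->", route(net["ubc-radius"], who))
```

Two things the trace makes visible. Every hop only needs the realm, so with EAP-TTLS or PEAP the outer identity can be anonymous@sfu.ca while the real username travels inside the TLS tunnel to the home server. And an unknown realm under a suffix you are authoritative for should be rejected at the federation server, not forwarded: forwarding it to the root, which routes "ca" straight back to you, is how realm loops start.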
Slide 25: Dispelling Some Shibboleth Myths

Slide 26: My App Can't Be Federated in CAF Because… it is limited to regional/specific identities
Reply: No problem! This is a Virtual Organization.
• A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
• VOs can exist within institutional boundaries but are most effective when constituted to operate across, and unify participants in, different physical or institutional domains.
• Its primary purpose is to pursue the shared topic or topics.

Slide 27: Virtual Organization, part 2
CAF is an environment where VOs flourish:
• Virtual Organizations typically form around Service Provider(s), with IdPs supplying the users and complying with the VO's attribute profiles in order to participate
• Autonomy is retained by the VO and its members to focus on the topic; CAF focuses on the "dial tone" infrastructure for collaboration: IdP and SP management practices, operations and middleware elements
• Examples in Canada: regional Learning Management Systems; transcript or application management; research "desktops" that aggregate tools for researchers
Techniques to implement on the SP end:
• Use shibboleth2.xml and related configuration to whitelist the participating IdPs by entityID (metadata filter) [1]
• Consider using eduPersonEntitlement to express fine-grained filtering at the application level, e.g.:
  eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
  eduPersonEntitlement: http://publisher.example.com/contract/GL12
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
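Slide 27 names two SP-side techniques, whitelisting participating IdPs and filtering on eduPersonEntitlement, without showing what the application actually checks. The following is an added example, not code from this deck or from the Shibboleth project, of that check as a small function a web application behind a Shibboleth SP can call. It assumes the SP's default attribute-map.xml, which exposes the IdP's entityID as Shib-Identity-Provider and eduPersonEntitlement under the name entitlement, and the SP's multi-valued convention of joining values with ";" and escaping literal semicolons as "\;". The entityIDs and the sample environment are constructed; the entitlement values are the two from the slide.

```python
"""Application-level VO access check behind a Shibboleth SP (added example, constructed input)."""
import re
from typing import Dict, Iterable, List, Tuple

# Variable names as set by the SP's default attribute-map.xml (assumption: unmodified map).
IDP_VAR = "Shib-Identity-Provider"
ENTITLEMENT_VAR = "entitlement"


def split_multivalued(raw: str) -> List[str]:
    """Split a Shib SP multi-valued attribute: ';' separates values, '\\;' is a literal semicolon."""
    if not raw:
        return []
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";") for p in parts if p]


def authorize(environ: Dict[str, str],
              allowed_idps: Iterable[str],
              required_entitlements: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason). `environ` is the server environment the SP populated for the request.

    Both tests must pass: the asserting IdP is a VO participant (defence in depth behind the
    shibboleth2.xml metadata whitelist) and the user holds every required entitlement value.
    """
    idp = environ.get(IDP_VAR, "")
    if not idp:
        return False, "no Shibboleth session"      # SP is not in front of this path, or no session
    if idp not in set(allowed_idps):
        return False, f"IdP not in VO: {idp}"
    have = set(split_multivalued(environ.get(ENTITLEMENT_VAR, "")))
    missing = set(required_entitlements) - have
    if missing:
        return False, "missing entitlement: " + ", ".join(sorted(missing))
    return True, "ok"


# Constructed sample: the environment a request from a VO member's IdP would carry.
VO_IDPS = {"https://idp.example.ca/idp/shibboleth", "https://idp.other.example.ca/idp/shibboleth"}
SAMPLE_ENVIRON = {
    IDP_VAR: "https://idp.example.ca/idp/shibboleth",
    ENTITLEMENT_VAR: "urn:mace:washington.edu:confocalMicroscope;http://publisher.example.com/contract/GL12",
}

if __name__ == "__main__":
    print(authorize(SAMPLE_ENVIRON, VO_IDPS, {"urn:mace:washington.edu:confocalMicroscope"}))
    print(authorize({IDP_VAR: "https://idp.stranger.example/shibboleth"}, VO_IDPS, set()))
    print(authorize({}, VO_IDPS, set()))
```

Read the values from the server environment (the Apache default), not from HTTP request headers. If the SP is configured to pass attributes as headers, the application must be reachable only through the SP, since a header like Shib-Identity-Provider is otherwise trivially supplied by the client. Keeping the IdP whitelist in the application as well as in shibboleth2.xml means a metadata change that admits an extra IdP does not silently admit its users to this VO.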
Slide 28: My App Can't Be Federated in CAF Because… I need to exchange special attributes
Reply: No problem!
• CAF's default is "share nothing"; eduPerson is the default attribute set
• Where that is insufficient, the SP should work out with its partners which extra elements it needs
• CAF recommends that the SP have proper OIDs for its attributes (a private enterprise number can be registered with IANA for free)
• OIDs provide uniqueness, but we humans like text names that are unique too

Slide 29: Enhancing Attribute Exchanges
• Share nothing today, but using the eduPerson schema
• Finding that this may be a paradox of choice
• Very interesting space to explore, but keep the principles in mind: low friction to participate (i.e., simplicity is good); scalable, with a high degree of relevancy and utility; don't punish the end user or the IdP owner; interoperate across Canada and internationally
Many areas to explore:
• Use the SCHAC [1] technique for attributes? "urn:schac:dom.ain:Attribute:value"
• Use the Australian [2] approach for precise control, strong typing and vocabulary?
• Require full participation in various attribute sets (i.e., MUST populate all fields) but for different categories of SPs (category 1, 2, 3, etc.)?
• Hybrid?
[1] http://www.terena.org/mail-archives/schac/msg00371.html
[2] http://www.aaf.edu.au/technical/aaf-core-attributes/
Slide 30: My App Can't Be Federated in CAF Because… I need a higher level of assurance for a user
Reply: OK, we want this too. What are your requirements?
• The challenge is how you want to express it, and what your criteria for the higher level of assurance are
• Part of a larger conversation: what is the yardstick? NIST 800-63? NSTIC, OIX or Kantara audit requirements? An audit of the SP against its own statements?
• If you want to be part of this conversation, see Chris Phillips and/or join the mailing list

Slide 31: My App Can't Be Federated in CAF Because… I need to sign in on the command line
Reply: OK, we want this too.
• Already participating internationally with UK JISC on Project Moonshot, a combined environment of eduroam RADIUS and SAML attribute assertions
• Live CDs of the sample dev environment are available from Chris
• Again, if you want to be part of this conversation, see Chris Phillips and/or join the mailing list

Slide 32: My App Can't Be Federated in CAF Because… I need to sign in with social identities (Google, OpenID)
Reply: No problem, it can be done.
• Already participating internationally with REFEDS and InCommon on social identity risk assessment and gateway designs [1]
• Gateways exist from UPenn and Sweden [2]
• Many unquantified risks at this time, but it does work: the user behind the keyboard is unknown; attributes are self-asserted; no knowledge of the value of the account to the person
• This is an active area of conversation
[1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
[2] https://tnc2011.terena.org/getfile/558

Slide 33: My App Can't Be Federated in CAF Because… I don't think CAF is as highly available as I need it to be
Reply: OK, did you know the following?
• CAF services reside in 3 provinces (Ontario, BC and Quebec) and have redundant DNS entries with live failover
• What are your service criteria, so we may understand them better?
Slide 34: FYI about availability

Slide 35: Your Turn…
Looking for more conversation and discussion? Join the CAF-Shib technical list to discuss the topics:
CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA

CANARIE - What Do I Need to Connect with eduroam and Shibboleth


Editor's Notes

  • #7 Current as of May 2011
  • #12 Key to our success: developing a streamlined, standardized approach for connecting schools. Additional ongoing support comes from participating institutions as part of a Community of Practice.
  • #33 Conscription of users
  • #34 Conscription of users