Canarie Federated Non Web Signon
Speaker notes:
  • CANARIE is part of Canada's national digital infrastructure that drives improved research effectiveness in Canada: a tremendous Canadian asset that supports knowledge creation and innovation. CANARIE staff provide the network expertise and programs to enhance the effectiveness of research in Canada. This expertise ensures connectivity to Canadian hubs of innovation and research: over 1000 institutions are connected and over 140,000 researchers rely on CANARIE. It is made up of 19,000 km of fibre optic cable, about half the circumference of the earth, and links Canadian researchers to their peers in 80 countries. CANARIE offers state-of-the-art speed (100G) on our core corridors; you could download every single iTunes movie, 2500 of them, in 7 seconds on our 100G network. CANARIE receives funding from Industry Canada in five-year "tranches"; our current mandate expires in March 2012. Since CANARIE's creation in 1993, $470M has been invested.
  • Currently over 30 participants, including all of the larger universities in Canada.
  • A common security model could be leveraged as well, but this would be very difficult due to the differences in the requirements. Some work could progress. "Science Studio" will hook into a centralized security solution when that security solution becomes available.
  • One service is good, but many using the same 'infrastructure' is better: a common approach to governance & oversight; generally coordinating with the same points of contact; build both for traversal upwards and downwards.

Slide 1. CAF Technology Overview for Federated Non-Web Sign-on
Aug 2011
Chris Phillips, chris.phillips@canarie.ca

Slide 2. Agenda
  • Review understanding of Canadian Light Source & challenges
  • Background about CAF
  • Overview of available technologies
  • Demo?
  • Review various deployment scenarios

Slide 3. Canada's Digital Infrastructure: CANARIE
Why CANARIE? To improve the effectiveness of research in Canada.

Slide 4. What is the Access Federation?
  • A collection of trust frameworks for the Canadian electronic identity ecosystem
  • Targets the challenge of secure access to the network and to online resources
  • Home for different flavours of trust frameworks
  • Recognizes the autonomy of its participants
Participants in the ecosystem:
  • The Federation Operator (CANARIE)
  • Identity Providers (IdPs), which offer authentication/authorization of their identities
  • Service Providers (SPs), which offer services
  • End Users

Slide 5. Access Federation Services
  • eduroam: a wireless access authentication trust framework based on the RADIUS protocol and 802.1X
  • Shibboleth: an online authentication and authorization trust framework based on the SAML protocol
Services are implementations of a specific trust framework.

Slide 6. Eligibility for Access Federation
  • Must be a CANARIE member to use the service
  • Currently over 32 participants, including all of the larger universities in Canada
  • Eligible participants include: higher education institutions; public research institutions; sponsored service providers
  • Participation for other CANARIE members is being examined
  • Entitlement will be decided service by service, because each service has different needs
Slide 7. What about outside the web?

Slide 8. The Challenge (as we hear it…)
How can I leverage a federated identity ecosystem safely, securely, and reliably to deliver my services, even if my services are not delivered via the web?

Slide 9. The Who & The What
  • Who is your audience or client, and how diverse a group are they?
  • What are you trying to deliver or improve?

Slide 10. Worksheet to help answer the question.

Slide 11. Federated Identity Approaches
  • Shibboleth + ECP (the SAML 2.0 Enhanced Client or Proxy profile, for clients that are not browsers). Examples: Microsoft Live@EDU; OpenJump GIS
  • Moonshot/ABFAB (Application Bridging for Federated Access Beyond web): no live examples yet (Oct 2012 installfest in London, England); an emerging IETF standard; a blend of RADIUS (EAP/AAA) and Shibboleth (SAML)

Slide 12. Contrasting the Approaches
Slide 13. Live@edu Federated Identity (architecture diagram)
Microsoft side: Live@edu Service Management Portal (configure & manage federated identity); Outlook Live; Windows Live Services (e.g. SkyDrive); Microsoft Federation Gateway (Windows Live ID), where the user logs in to Windows Live ID.
Campus side: Fabrikam.edu with Active Directory and ADFS 2.0; Contoso.edu with a non-AD directory and Shibboleth 2.x.
Protocols: web clients use SAML 2.0 or WS-Federation/WS-Trust; email rich clients and other rich clients use SAML 2.0 Enhanced Client or Proxy (ECP).
Note on the slide: email rich client support requires the Shibboleth IdP ECP extension.
Slide 14. OpenJump

Slide 15. (screenshot, no text)

Slide 16. ABFAB/Moonshot

Slide 17. Proposed Deployment
  • Can be any computing infrastructure; looking for candidates
  • Proposed requirements to participate:
      • Member of one or more federation trust fabrics (RADIUS and/or SAML). Canada manages both eduroam and Shib, so these would be our choices.
      • On the target site:
          • Has administrative control over the target to log into (a Unix box)
          • Has deployed the local Moonshot enhancements to that host (a patched sshd and Moonshot-enhanced GSS libraries)
          • Manages a RADIUS server for the site that is connected to eduroam, is a SAML SP in the Shib federation, and runs the Moonshot enhancements
          • Has made the necessary configuration in each of the pieces to allow access
          • Has provisioned the necessary information to an account to permit sign-in

Slide 18. Logical View

Slide 19. Sequence Diagram
Editable WebSequence Diagram: http://bit.ly/CAF-Moonshot-WSD
Slide 20. Implementation Questions
How does the local environment interact with Moonshot?
  • GSS exposes the data via attribute release when queried:
      • How does this map to local environment variables?
      • There is implicit trust that the attributes in those variables are trustworthy and immutable once obtained through the GSS-API call. Is this OK?
  • How is the GSS-API call secured in a multi-homed, multi-user environment?
      • If on the same system, can I query the various GSS sessions and walk the users on the system? (Doubtful, but asking to verify.)
      • The assumption is that GSS takes care of partitioning users.

Slide 21. Implementation Questions
How do the central components interact with Moonshot?
  • See a need for a formalized schema map that serves 80% of cases and lets the remaining 20% extend it.
  • Most cost effective is to set one standard (based on input) 'internationally', with the ability to extend.
  • Does this style of schema exist elsewhere (e.g. the GridShib toolkit)?
  • Various origin data sources are in play, so a centralized schema published in different formats (e.g. 3NF tables for SQL, LDAP objectClass definitions, and SAML attribute profiles) would level the playing field.
  • Thoughts on how long/big/worthwhile this is and how repetitive it will be?
  • Thoughts on how elements move between the 'core' and the extensions (i.e. governance)?

Slide 22. Total Cost of Ownership
  • How will account provisioning and maintenance work? Representing a federated credential in a remote environment: how?
  • How will the policy decision on access work?
      • If at the 'edge' or end points, need a way to manage mass deployment (thousands of systems; think EC2)
      • OR centralize this somehow
  • Need to harmonize the way to deal with schema and a consistent view of data across RADIUS, SAML, DB and LDAP. Thoughts?
  • Complex is OK as long as automation can prevail, but what skills will be required to keep the lights on for this software ecosystem?

Slide 23. Possible Limitations
  • RADIUS attribute passing is limited to 253 bytes of value per attribute (the one-octet Length field counts the Type and Length octets too, so 255 minus 2).
  • My understanding is that Moonshot takes care of packing/unpacking long attributes over the RADIUS protocol.
  • Not an issue in itself, but as a richer attribute definition is built out there could be large profiles (think XML and Base64-encoded X.509 certs), which may suffer over RADIUS's UDP transport. Should we be concerned?
  • Updated: a RADIUS packet cannot exceed 4096 octets in its entirety (RFC 2865), and that cap applies to all attributes in the packet together, not to one attribute. Could pose some challenges.
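To make the two limits on slide 23 concrete, here is an added example in Python. It is not code from this deck or from the Moonshot/ABFAB project: it packs a long value into RADIUS attributes of at most 253 value octets (the same split-and-concatenate rule RADIUS already uses for EAP-Message), reassembles them on the receiving side, and refuses to build an Access-Request that would exceed the 4096-octet packet limit of RFC 2865. The attribute type number 224 and the sample payloads are assumptions for illustration, not the real attribute numbers or real assertions.

```python
"""RADIUS attribute and packet length limits, worked through (added example).

Assumptions: attribute type 224 (RFC 2865 implementation-specific range)
stands in for whatever attribute carries a SAML assertion; the payloads are
constructed here and are not real assertions or certificates.
"""
import os
import struct
from typing import List, Tuple

ATTR_LEN_MAX = 255                  # one-octet Length field covers Type + Length + value
ATTR_VALUE_MAX = ATTR_LEN_MAX - 2   # = 253 value octets per attribute
PACKET_LEN_MAX = 4096               # RFC 2865 section 3: maximum RADIUS packet length
HEADER_LEN = 20                     # Code(1) Identifier(1) Length(2) Authenticator(16)
ACCESS_REQUEST = 1
SAML_ASSERTION_ATTR = 224           # assumed attribute number for this illustration


def pack_attribute(attr_type: int, value: bytes) -> List[bytes]:
    """Split value into as many attributes as needed, each holding <= 253 octets.

    Several attributes of the same type, in order, whose values the receiver
    concatenates: the standard RADIUS way to carry a long value.
    """
    if not 1 <= attr_type <= 255:
        raise ValueError("attribute type must fit one octet")
    if not value:
        raise ValueError("RADIUS attributes need at least one value octet")
    chunks = (value[i:i + ATTR_VALUE_MAX] for i in range(0, len(value), ATTR_VALUE_MAX))
    return [bytes([attr_type, len(chunk) + 2]) + chunk for chunk in chunks]


def unpack_attributes(blob: bytes) -> List[Tuple[int, bytes]]:
    """Parse a sequence of Type/Length/Value attributes, rejecting bad lengths."""
    out, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = blob[pos], blob[pos + 1]
        if length < 3 or pos + length > len(blob):
            raise ValueError(f"bad attribute length {length} at offset {pos}")
        out.append((attr_type, blob[pos + 2:pos + length]))
        pos += length
    return out


def reassemble(attrs: List[Tuple[int, bytes]], attr_type: int) -> bytes:
    """Concatenate the values of all attributes of one type, in packet order."""
    return b"".join(v for t, v in attrs if t == attr_type)


def packet_length(attrs: List[bytes]) -> int:
    """Value of the Length field for a packet carrying these encoded attributes."""
    return HEADER_LEN + sum(len(a) for a in attrs)


def build_access_request(identifier: int, attrs: List[bytes]) -> bytes:
    """Build an Access-Request; refuse one that exceeds the RFC 2865 limit."""
    length = packet_length(attrs)
    if length > PACKET_LEN_MAX:
        raise ValueError(
            f"packet would be {length} octets; RADIUS packets may not exceed "
            f"{PACKET_LEN_MAX}, so this payload cannot be sent in one Access-Request")
    authenticator = os.urandom(16)   # Request Authenticator: 16 random octets
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, length)
    return header + authenticator + b"".join(attrs)


if __name__ == "__main__":
    # Constructed 600-octet "assertion": three attributes, one 626-octet packet.
    small = pack_attribute(SAML_ASSERTION_ATTR, b"A" * 600)
    print(len(small), "attributes,", packet_length(small), "octet packet")
    # Constructed 6000-octet Base64 certificate blob: 24 attributes fit the
    # per-attribute rule, but the packet would be 6068 octets, so the packet
    # limit bites before the attribute limit does.
    big = pack_attribute(SAML_ASSERTION_ATTR, b"B" * 6000)
    try:
        build_access_request(1, big)
    except ValueError as err:
        print(err)
```

The per-attribute limit is easy to work around by splitting; the packet limit is not, and it is a property of the packet format rather than of UDP, so moving to RADIUS/TLS (RFC 6614) changes the transport without raising it.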
Slide 24. Technical Slides

Slide 25. eduroam

Slide 26. Use Case: Wireless Access
Without eduroam:
  • User arrives, needs to get onto wireless
  • Needs to talk to IT staff to get a credential created in the system and a password set
  • User waits for the account
  • User uses the known password, signs into wireless
  • When the user is done, IT should be notified to delete the account and terminate access (right?)
  • IT deletes the account (right?)
  • Done
With eduroam:
  • User arrives, needs to get onto wireless, has an eduroam-enabled ID
  • Opens laptop
  • User is authenticated against the home system and is online
  • Done

Slide 27. How does eduroam work?
  • 802.1X: to authenticate clients before allowing access to the network
  • EAP framework, with secure EAP methods to protect user credentials
  • RADIUS: authentication server infrastructure
  • RADIUS proxying: to route authentication requests to the user's home institution
  • Separate IP address space, treated as external to the institution (compliance with service agreements, etc.)
  • End users have standard internet access with as few filters as possible (if any at all)
Slide 28. Secure Wireless: 802.1X
(Reused from the Canada eduroam deck of April 27th 2010, slide 28.)
Diagram: user jdoe associates to ssid ubcsecure; the RADIUS server is secure.wireless.ubc.ca.
  1) Negotiate authentication method: EAP-PEAPv0/MSCHAPv2
  2) Certificate validation: the client checks the server certificate, which prevents a man-in-the-middle (rogue AP plus rogue RADIUS server) attack. This only holds if the supplicant is configured to validate the certificate chain and the server name; a client that skips validation hands its MSCHAPv2 exchange to whoever answers.
  3) Establish a secure TLS tunnel: prevents eavesdropping
  4) Perform authentication through the tunnel using MSCHAPv2
  5) Authentication successful: wireless encryption established, connect to the network
  6) Client acquires an IP address (DHCP)
Slide 29. eduroam: Roaming User
Diagram: user joe@sfu.ca at UBC (ssid eduroam). Institution servers for realm ubc.ca and realm sfu.ca sit under the federation server for realm ca. The home server's certificate is for eduroam.sfu.ca.
  1) Negotiate EAP type: EAP-TTLS/PAP
  2) Outer request: the visited site's RADIUS server forwards by realm (sfu.ca) via the federation server to SFU; the client validates SFU's certificate and establishes a TLS tunnel that ends at SFU
  3) Inner request: PAP through the tunnel. The password is protected by TLS and is seen only by the home institution, never by the visited site or the proxies in between
  4) Success: connect to the network, establish encryption
Caveat: with EAP-TTLS/PAP the password is plaintext inside the tunnel, so everything rests on step 2. If the supplicant does not validate the certificate and server name, a rogue access point can terminate the tunnel itself and read the password.
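As an added example, not from the deck, here is what the certificate-validation step on slides 28 and 29 looks like in a wpa_supplicant configuration, with the weak form beside the hardened one. The identities, password, CA file path and server name are placeholders assumed for illustration; a real profile takes them from the home institution.

```conf
# WEAK: no ca_cert and no server-name check. The supplicant builds the TLS
# tunnel with whichever RADIUS server answers, so a rogue "eduroam" access
# point receives the MSCHAPv2 exchange (or, with EAP-TTLS/PAP, the password).
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@ubc.ca"
    password="<placeholder>"
    phase2="auth=MSCHAPV2"
}

# HARDENED: pin the CA that issued the home RADIUS server's certificate and
# the name in that certificate, and use an anonymous outer identity so only
# the realm is visible to the visited site and the proxies.
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=TTLS
    # outer identity (RADIUS User-Name): realm only, used for routing
    anonymous_identity="anonymous@sfu.ca"
    # inner identity and password travel inside the TLS tunnel
    identity="joe@sfu.ca"
    password="<placeholder>"
    # assumed path to the CA that signed the eduroam.sfu.ca certificate
    ca_cert="/etc/ssl/certs/sfu-eduroam-ca.pem"
    # the server certificate must carry this name, or the tunnel is refused
    domain_match="eduroam.sfu.ca"
    phase2="auth=PAP"
}
```

The weak profile authenticates the network to nobody; the hardened one fails closed when the certificate does not chain to the pinned CA or does not name the expected server, which is the check that makes PAP inside the tunnel acceptable.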
Slide 30. eduroam: International Roaming
Diagram: a confederation server sits above the national federation servers for realm ca (institutions ubc.ca, sfu.ca) and realm edu (institutions mit.edu, ucla.edu). A user pam@mit.edu at a Canadian site is routed: visited institution, then the .ca federation server, then the confederation server, then the .edu federation server, then mit.edu.
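The realm-based forwarding on slides 27 through 30, as an added Python example that is not code from the deck or from any eduroam operator. The server hierarchy is constructed to mirror the diagrams (ubc.ca and sfu.ca under a .ca federation server, mit.edu and ucla.edu under a .edu federation server, a confederation server on top); the server names are invented and real routing tables come from the federation operator. It also shows the checks a proxy applies before forwarding: a realm that is not a routable domain, a realm nobody serves, and a routing loop all cause the request to be dropped rather than forwarded.

```python
"""Realm-based RADIUS proxy routing, the way eduroam forwards an
Access-Request to the user's home institution (added example).

Constructed hierarchy mirroring slides 29 and 30; names are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class RoutingError(Exception):
    """Raised when a request would be dropped rather than forwarded."""


@dataclass(frozen=True)
class Server:
    name: str
    local_realm: Optional[str]   # realm this server authenticates itself
    routes: Dict[str, str]       # realm suffix -> next-hop server (downward)
    default: Optional[str]       # next hop for unknown realms (upward), if any


SERVERS: Dict[str, Server] = {
    "idp.ubc.ca":   Server("idp.ubc.ca",   "ubc.ca",   {}, "fed-ca"),
    "idp.sfu.ca":   Server("idp.sfu.ca",   "sfu.ca",   {}, "fed-ca"),
    "idp.mit.edu":  Server("idp.mit.edu",  "mit.edu",  {}, "fed-edu"),
    "idp.ucla.edu": Server("idp.ucla.edu", "ucla.edu", {}, "fed-edu"),
    "fed-ca":  Server("fed-ca",  None, {"ubc.ca": "idp.ubc.ca", "sfu.ca": "idp.sfu.ca"}, "confed"),
    "fed-edu": Server("fed-edu", None, {"mit.edu": "idp.mit.edu", "ucla.edu": "idp.ucla.edu"}, "confed"),
    "confed":  Server("confed",  None, {"ca": "fed-ca", "edu": "fed-edu"}, None),
}


def split_identity(outer_identity: str) -> Tuple[str, str]:
    """Split the EAP outer identity (RADIUS User-Name) into (user, realm).

    Only the realm is used for routing; the user part may be 'anonymous'
    because the real username travels inside the TLS tunnel (EAP-TTLS/PEAP).
    """
    if outer_identity.count("@") != 1:
        raise RoutingError(f"identity must contain exactly one '@': {outer_identity!r}")
    user, realm = outer_identity.split("@")
    realm = realm.strip().lower()
    labels = realm.split(".")
    if len(labels) < 2 or not all(labels):
        # 'joe' or 'joe@localhost' is never forwarded into the federation.
        raise RoutingError(f"realm is not a routable domain: {realm!r}")
    return user, realm


def _next_hop(server: Server, realm: str) -> Optional[str]:
    """Longest-suffix match against explicit routes, else the upward default."""
    labels = realm.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in server.routes:
            return server.routes[suffix]
    return server.default


def route(outer_identity: str, visited_server: str, max_hops: int = 8) -> List[str]:
    """Return the chain of servers an Access-Request traverses to reach the
    home institution, starting at the visited site's RADIUS server."""
    _, realm = split_identity(outer_identity)
    path = [visited_server]
    current = SERVERS[visited_server]
    while current.local_realm != realm:
        hop = _next_hop(current, realm)
        if hop is None:
            raise RoutingError(f"{current.name}: no route for realm {realm!r}, request dropped")
        if hop in path:
            raise RoutingError(f"routing loop detected via {hop}")
        if len(path) >= max_hops:
            raise RoutingError("hop limit exceeded")
        path.append(hop)
        current = SERVERS[hop]
    return path


if __name__ == "__main__":
    # joe@sfu.ca visiting UBC (slide 29), pam@mit.edu visiting UBC (slide 30)
    for ident in ("joe@sfu.ca", "anonymous@sfu.ca", "pam@mit.edu"):
        print(ident, "->", " -> ".join(route(ident, "idp.ubc.ca")))
    for bad in ("joe", "joe@localhost", "x@example.org"):
        try:
            route(bad, "idp.ubc.ca")
        except RoutingError as err:
            print(bad, "rejected:", err)
```

Note what each hop learns: only the outer identity and the realm. The inner credential is never inspected by the visited site or the federation servers, which is why an anonymous outer identity costs nothing for routing.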
Slide 31. Reciprocity: Hallmark of eduroam
eduroam is about treating guest credentials the way you would like yours to be treated. Think about what you would like when you travel:
  • No filtered connections
  • No traffic shaping
  • Public IP address (where possible). NAT is not necessarily appropriate, but if you already give your own people private IPs, it probably works out OK.

Slide 32. Shibboleth

Slide 33. Material
Past presentations: this presentation builds on CANHEIT 2010. Prezi on building federated applications: http://bit.ly/fedapps

Slide 34. Use Case: New Employee Access to Online Resources
Without Shibboleth:
  • User arrives, needs access to web resources: Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, shared online resources in a 3rd-party wiki
  • Needs to talk to staff for each service to get a credential created in each system and a password set
  • User waits for an account for each service
  • User uses the known password, signs into each service and sets a password
  • When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
  • Each service deletes the account (right?)
  • Done
With Shibboleth:
  • User arrives, needs access to the same resources
  • IT staff creates a central account and assigns privileges to access resources centrally
  • User waits for the one account
  • User changes the password, and all services rely on this password
  • When the user leaves the organization, this one account is the only one that needs to be flagged for deletion (right?)
  • Done

Slide 35. Shib Value Proposition
  • Game changer for integration effort with Shib-ready services
  • Reduces integration from customization to configuration
  • Avoids weeks of custom project integration and then maintenance until, well, forever
  • Lowers the cost of doing business: do better with less
  • Establishes a centralized policy enforcement point and easier auditability
  • For new work, establishes a publicly accepted framework to implement to, rather than your own homegrown framework
Slide 36. Rightsize Your Information Sharing (SAML as the conduit for information release)
Diagram, from least to most disclosure:
  • Log in, share nothing: wireless access
  • Log in, share an opaque ID: external website where personalization is desired
  • Log in, share NetID: internal website where personalization and linkage elsewhere are desired
  • Log in, share NetID + attributes: internal website where personalization, linkage elsewhere and data are needed
Slide 37. Unified View Leverages Infrastructure (aka internal/nested/layered trust groups)
Diagram: 'The Federation' contains SPs and IdPs, with nested Special Interest Trust Groups (SITGs), a Higher Assurance group, and Local Federations, each with their own SPs and IdPs.
  • The Federation sets POP/FOP requirements.
  • It serves as the base set of inherited elements for local or SITG activity to enhance or build upon.
  • This is the most efficient way to ensure least effort for an SP/IdP to participate any way they want, including promotion to eduGAIN.
  • Local federations can have, or need, their own isolated SPs/IdPs.
  • Encourages organic growth on the path to full Federation involvement.
  • The Federation enables SITGs to form their own special metadata sourced from the core metadata.

Slide 38. For more info, please contact
Chris.phillips@canarie.ca
Twitter: @teamktown