CANARIE - What Do I Need to Connect with eduroam and Shibboleth


Published on

A brief discussion about what it means to connect with eduroam and Shibboleth. Technical slides are at the end of the slide deck.

Published in: Technology
  • Current as of May 2011
  • Key to our success: developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of a Community of Practice.
  • Conscription of users

    1. Canadian Access Federation
       What do I need to do on my campus to enable eduroam & Shibboleth?
       July 5, 2011
       Chris Phillips –
    2. Agenda
       Per service: value proposition, technical profile, skills required, time required
       • eduroam (detailed tech slides at the end)
       • Shibboleth (also detailed tech slides at the end)
       More to be found at: (link to prezi)
    3. Use Case – Wireless Access
       Without eduroam:
       • User arrives, needs to get onto wireless
       • Needs to talk to IT staff to get a credential created in the system and a password set
       • User waits for account
       • User uses known password, signs into wireless
       • When the user is finished, IT should be notified to delete the account and terminate access (right?)
       • IT deletes account (right?)
       • Done
       With eduroam:
       • User arrives, needs to get onto wireless, has an eduroam-enabled ID
       • Opens laptop
       • User is authenticated to home system and is online
       • Done
    4. eduroam Impact
       Reduces:
       • effort supporting guest network IDs
       • support calls ("How do I…?")
       • guest account footprint in your systems
       Only available on wireless systems, not others
    5. eduroam @ CANHEIT 2011 – McMaster
    6. Canadian eduroam Coverage
    7. How does eduroam work?
       • 802.1X – to authenticate clients before allowing access to the network
       • EAP framework – with secure EAP methods to protect user credentials
       • RADIUS – authentication server infrastructure
       • RADIUS proxying – to route authentication requests to a user's home institution
       • Separate IP address space – treated as external to the institution (compliance with service agreements, etc.)
       • End users have standard internet access with as few filters as possible (if any at all)
    8. Sample Deployment: Queen's
    9. Cisco ACS Config
    10. Reciprocity
       eduroam is about treating guest credentials the way you would like yours to be treated. Just think about what you would like when you travel:
       • No filtered connections
       • No traffic shaping
       • Public IP address (where possible)
       • NAT is not necessarily appropriate, but if you already give people private IPs now, it probably works out OK
    11. Onboarding Process
       Canada has ~28 of 92 universities on eduroam.
       The US has slightly fewer in number (25) but 3,000-plus institutions.
       eduroam operator:
       • Standard template for connecting new sites
       • Policy sign-off followed by technical implementation
       • Estimated time for Canada federation-level RADIUS server personnel: on-boarding a new member site takes a few hours to two person-days, depending on member site expertise; general maintenance is ~one person-day per month
       eduroam site:
       • Local implementation from 4 hours to 4 weeks depending on capabilities
       • Skill: operate/install RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS)
       • Operational maintenance: same as your AuthN server now
    12. Rapid Growth
    13. eduroam Questions?
    14. Shibboleth Federations Worldwide
    15. Past Presentations
       This presentation builds on CANHEIT 2010:
       Prezi on Building federated applications:
    16. Use Case – New Employee Access to Online Resources
       Without Shibboleth:
       • User arrives, needs access to web resources for: Active Directory; shared online resources in a 3rd-party wiki
       • Needs to talk to staff for each service to get a credential created in each system and a password set
       • User waits for an account for each service
       • User uses known password, signs into each service and sets a password
       • When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
       • Each service deletes the account (right?)
       • Done
       With Shibboleth:
       • User arrives, needs access to web resources for: Active Directory; shared online resources in a 3rd-party wiki
       • IT staff creates a central account and assigns privileges to access resources centrally
       • User waits for account
       • User changes password and all services rely on this password
       • When the user leaves the organization, this one account should be notified for deletion (right?)
       • Done
    17. Shib Value Proposition
       • Game changer for integration effort with Shib-ready services
       • Reduces integration from customization to configuration
       • Avoids weeks of custom project integration and then maintenance until, well, forever
       • Lowers the cost of doing business – do better with less
       • Establishes a centralized policy enforcement point and easier auditability
       • For new work, establishes a publicly accepted framework to implement to, not your own homegrown framework
    18. Rightsize Your Information Sharing
       SAML as conduit for information release; what is shared grows with what the service needs:
       • Wireless – log in, share nothing
       • External website, personalization is desired – log in, share opaque ID
       • Internal website, personalization is desired, linkage elsewhere desired – log in, share NetID
       • Internal website, personalization is desired, linkage elsewhere desired, data needed – log in, share NetID + attributes
    19. Infrastructure & Skills
       • Infrastructure is a single server for the Identity Provider (IdP) (preferably 2 for redundancy)
       • IdP is Java and runs in its own servlet container on Jetty, Tomcat, or JBoss
       • Can cohabitate with existing SSO or be the SSO service itself entirely
       Skills / type of person:
       • The same person managing your SSO environment would be beneficial
       • Operational effort is log watching and XML configuration
    20. Where would you like to go next?
    21. Extra Slides
    22. Secure Wireless – 802.1X
       April 27th 2010, Canada eduroam
       Diagram: client (id: jdoe) on ssid ubcsecure; wireless encryption established
       1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
       2) Certificate validation – prevents "man-in-the-middle" attack
       3) Establish secure tunnel – prevents eavesdropping
       4) Perform authentication through the tunnel, using MSCHAPv2
       5) Authentication successful – establish encryption, connect to net
       6) Client acquires IP address (DHCP)
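The certificate-validation step (2) on this slide is only enforced if the client's supplicant is told which server to trust. The following added example, which is not part of the presentation, audits a wpa_supplicant network block for the settings that make that step real: a pinned CA (ca_cert), a server-name check (domain_match or domain_suffix_match) and an anonymous outer identity so the username is not exposed to every RADIUS hop. The two network blocks, the CA file path and the realm example.ca are constructed samples.

```python
"""Audit a wpa_supplicant network block for the settings that enforce
server-certificate validation in PEAP/TTLS.  Added example; not from the
presentation.  The blocks below are constructed; the CA path and the
realm example.ca are placeholders."""
import re

# Constructed sample: an 802.1X block that skips certificate validation.
WEAK_BLOCK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.ca"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: the same block with CA pinning, a server-name check
# and an anonymous outer identity.
HARDENED_BLOCK = """
network={
    ssid="eduroam"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe@example.ca"
    anonymous_identity="anonymous@example.ca"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_match="radius.example.ca"
}
"""


def parse_network_block(text):
    """Return the key=value settings of the first network={...} block."""
    match = re.search(r"network=\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no network block found")
    settings = {}
    for line in match.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")   # split on the first '=' only
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit_eap_block(text):
    """Return a list of findings; an empty list means the tunnel's server
    authentication is enforced (CA pinned plus server name checked)."""
    s = parse_network_block(text)
    findings = []
    if s.get("key_mgmt") != "WPA-EAP":
        findings.append("key_mgmt is not WPA-EAP; not an 802.1X network block")
        return findings
    if "ca_cert" not in s:
        findings.append("ca_cert missing: any server certificate is accepted")
    # wpa_supplicant has several ways to bind the certificate to a server name.
    name_checks = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")
    if not any(k in s for k in name_checks):
        findings.append("no server-name check (domain_match/domain_suffix_match): "
                        "any certificate from the CA is accepted")
    if "@" in s.get("identity", "") and "anonymous_identity" not in s:
        findings.append("anonymous_identity missing: the real username is sent "
                        "in the clear in the outer EAP identity")
    return findings


if __name__ == "__main__":
    for name, block in (("weak", WEAK_BLOCK), ("hardened", HARDENED_BLOCK)):
        print(name, audit_eap_block(block) or ["ok"])
```

Without ca_cert a supplicant completes the TLS tunnel with whatever certificate it is shown, so the MSCHAPv2 exchange in step 4 would be performed with an impostor; the name check matters too, because a certificate from the right CA but for the wrong host is otherwise still accepted.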
    23. eduroam – Roaming User
       April 27th 2010, Canada eduroam
       Diagram: client on ssid eduroam; federation server (realm: ca); institution servers (id and realms shown on the slide)
       1) Negotiate EAP type: EAP-TTLS-PAP
       2) Outer request – validate cert, establish TLS tunnel; PAP through the tunnel – secure!
       3) Inner request
       4) Success – connect to network, establish encryption
    24. eduroam – International Roaming
       April 27th 2010, Canada eduroam
       Diagram: confederation server; federation servers (realm: ca, realm: edu); institution servers (id and realms shown on the slide)
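The "RADIUS proxying" bullet on slide 7 and the two roaming diagrams above describe the same routing rule: a server looks at the realm of the outer identity and either authenticates locally or forwards up the hierarchy (site, then national federation server, then confederation server). The following added example, not from the presentation, models that decision for each role and traces a request through the hierarchy; it also rejects what a proxy should never forward (identities without a usable realm, realms the federation does not know) and bounds the hop count. The realms, the member list and the server labels are constructed.

```python
"""Realm-based RADIUS proxying for an eduroam roaming user.  Added example,
not from the presentation; realms and the member list are constructed."""
import re

# A realm must look like a DNS domain; anything else is rejected rather
# than forwarded, so a malformed identity cannot wander the hierarchy.
REALM_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")


class RoutingError(Exception):
    """Raised when a request cannot be routed and must be rejected."""


def split_identity(outer_identity):
    """Return (user, realm) from 'user@realm', normalising the realm."""
    if outer_identity.count("@") != 1:
        raise RoutingError("outer identity must contain exactly one '@'")
    user, realm = outer_identity.split("@")
    realm = realm.strip().lower().rstrip(".")
    if not REALM_RE.match(realm):
        raise RoutingError(f"unroutable realm {realm!r}")
    return user, realm


def is_routable(outer_identity):
    """True when the outer identity carries a realm a proxy can act on."""
    try:
        split_identity(outer_identity)
        return True
    except RoutingError:
        return False


def next_hop(realm, local_realms, role, national_tld="ca"):
    """Routing decision of one server.  role is 'site', 'federation' or
    'confederation'.  Returns ('local', realm) or ('proxy', next_server)."""
    if realm in local_realms:
        return ("local", realm)
    if role == "site":
        # A site never talks to another site directly: everything that is
        # not local goes to the national federation server.
        return ("proxy", "federation")
    if role == "federation":
        if realm.endswith("." + national_tld):
            return ("proxy", f"member:{realm}")
        return ("proxy", "confederation")
    if role == "confederation":
        return ("proxy", "federation:" + realm.rsplit(".", 1)[-1])
    raise RoutingError(f"unknown role {role!r}")


def trace(outer_identity, visited_site_realms, federation_members, max_hops=6):
    """Follow a request from the visited site until it is authenticated or
    handed to a foreign federation.  max_hops stands in for the loop
    protection a real proxy needs (RADIUS Proxy-State / hop limits)."""
    _, realm = split_identity(outer_identity)
    tables = {"site": set(visited_site_realms), "federation": set(), "confederation": set()}
    hops, current = [], "site"
    for _ in range(max_hops):
        action, target = next_hop(realm, tables[current], current)
        hops.append((current, action, target))
        if action == "local":
            return hops
        if target.startswith("member:"):
            # The federation server only forwards to realms it knows as members.
            if realm not in federation_members:
                raise RoutingError(f"{realm} is not a member realm; request rejected")
            hops.append((target, "local", realm))
            return hops
        if target.startswith("federation:"):
            return hops  # now in another country's federation; outside this model
        current = target
    raise RoutingError("hop limit exceeded; possible proxy loop")


if __name__ == "__main__":
    members = {"ubc.ca", "mcmaster.ca", "queensu.ca"}   # constructed member list
    for ident in ("jdoe@ubc.ca", "jdoe@mcmaster.ca", "jdoe@example.edu"):
        print(ident, trace(ident, {"ubc.ca"}, members))
```

The trace for a visitor from another Canadian member goes site, federation, home institution; a visitor with a non-.ca realm is passed to the confederation server, which hands it to that country's federation. Rejecting at the federation level any .ca realm that is not a member keeps a typo or a probe from generating traffic to arbitrary hosts.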
    25. Dispelling Some Shibboleth Myths
    26. My App Can't Be Federated in CAF Because…
       It is limited to regionally specific identities.
       Reply: No problem! This is a Virtual Organization.
       • A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
       • VOs can exist within institutional boundaries but are most effective when constituted to operate across, and to unify participants in, different physical or institutional limits.
       • The primary purpose is to pursue the shared topic or topics.
    27. Virtual Organization pt 2
       CAF is an environment where VOs flourish:
       • Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying with attribute profiles to participate
       • Autonomy is retained by the VO and its members to focus on the topic
       • CAF's focus is on the 'dialtone' infrastructure for collaboration – IdP & SP management practices and operations and middleware elements
       • Examples in Canada are: regional Learning Management Systems; transcript or application management; research 'desktops' that aggregate tools for researchers
       Techniques to implement on the SP end:
       • Use the Shib2.xml & other configurations to whitelist participants [1]
       • Consider using eduPersonEntitlement to express fine-grained filtering at the application level
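The second SP-side technique on this slide, filtering on eduPersonEntitlement inside the application, is shown below as an added example that is not part of the presentation. It assumes the Shibboleth SP's default attribute-map id "entitlement", that the SP exposes the IdP's entityID as Shib-Identity-Provider and the user as REMOTE_USER, and that multi-valued attributes arrive joined with ";" (a literal ";" inside a value escaped as "\;"). The entitlement URN, the IdP entityID and the user values are constructed.

```python
"""Application-level authorization on eduPersonEntitlement behind a
Shibboleth SP.  Added example, not from the presentation.  Assumes the
SP's default attribute-map id 'entitlement' and ';'-joined multi-values
(literal ';' escaped as '\\;'); the URN, entityID and users are constructed."""

# Constructed VO entitlement value the application requires.
REQUIRED_ENTITLEMENT = "urn:mace:example.ca:vo:researchdesktop"


def split_multivalue(raw):
    """Split a Shibboleth SP multi-valued attribute string on ';',
    honouring the '\\;' escape, and drop empty values."""
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")      # escaped separator is part of the value
            i += 2
        elif ch == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    values.append("".join(current))
    return [v for v in values if v]


def authorize(environ, required=REQUIRED_ENTITLEMENT, allowed_idps=None):
    """Decide whether the request may proceed.  environ is the CGI/WSGI
    environment the SP populates.  Returns (allowed, reason)."""
    # Which IdP asserted the attributes; an app-side whitelist complements
    # the SP-side whitelist of participating IdPs.
    idp = environ.get("Shib-Identity-Provider", "")
    if allowed_idps is not None and idp not in allowed_idps:
        return False, f"IdP {idp!r} is not a VO participant"
    if not environ.get("REMOTE_USER"):
        return False, "no authenticated user"
    # Exact string match only: entitlement URNs are opaque identifiers, so
    # no prefix or case-insensitive matching.
    if required in split_multivalue(environ.get("entitlement", "")):
        return True, "ok"
    return False, "required entitlement not asserted"


if __name__ == "__main__":
    # Constructed environment, as the SP would populate it for one request.
    sample = {
        "REMOTE_USER": "jdoe@example.ca",
        "Shib-Identity-Provider": "https://idp.example.ca/idp/shibboleth",
        "entitlement": "urn:mace:dir:entitlement:common-lib-terms;" + REQUIRED_ENTITLEMENT,
    }
    print(authorize(sample, allowed_idps={"https://idp.example.ca/idp/shibboleth"}))
```

Keeping the IdP whitelist in the application as well as in the SP configuration means a change to the SP's attribute policy cannot silently widen who reaches the VO's tools.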
    28. My App Can't Be Federated in CAF Because…
       I need to exchange special attributes.
       Reply: No problem!
       • CAF's default is shared nothing
       • eduPerson is the default attribute set
       • Where insufficient, the SP should work out the details with its partners on what extra elements it needs
       • CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes
       • OIDs provide uniqueness, but we humans like text names that are unique too
    29. Enhancing Attribute Exchanges
       Shared nothing today, but uses the eduPerson schema; finding that this may be a paradox of choice.
       Very interesting space to explore, but keep in mind the principles:
       • Low friction to participate (i.e., simplicity is good)
       • Scalable, with a high degree of relevancy and utility
       • Don't punish the end user or IdP owner
       • Interop across Canada and internationally
       Many areas to explore:
       • Use the SCHAC [1] technique for attributes? "urn:schac:dom.ain:Attribute:value"
       • Use the Australian [2] approach for precise control and strong typing and vocabulary?
       • Require full participation in various attribute sets (i.e., MUST populate all fields) but in different categories of SPs (category 1, 2, 3, etc.)?
       • Hybrid??
    30. My App Can't Be Federated in CAF Because…
       I need a higher Level of Assurance for a user.
       Reply: OK, we want this too; what are your requirements?
       • The challenge is how you want to express it and what your criteria are for the higher level of assurance
       • Part of a larger conversation: what is the yardstick? NIST 800-63? NSTIC, OIX, Kantara audit requirements? Audit of the SP against its own statements?
       If you want to be part of this conversation see Chris Phillips & or join the mailing list.
    31. My App Can't Be Federated in CAF Because…
       I need to sign in on the command line.
       Reply: OK, we want this too.
       • Already participating internationally with UK JISC on project Moonshot: a combined environment of eduroam RADIUS and SAML attribute assertions
       • Live CDs of the sample dev environment are available from Chris
       Again, if you want to be part of this conversation see Chris Phillips & or join the mailing list.
    32. My App Can't Be Federated in CAF Because…
       I need to sign in with social identities (Google, OpenID).
       Reply: No problem, it can be done.
       • Already participating internationally with REFEDS & InCommon on social identity risk assessment and gateway designs [1]
       • Certain gateways exist from UPenn & Sweden [2]
       • Many unquantified risks at this time, but it does work: the user behind the keyboard is unknown; attributes are self-asserted; no knowledge of the value of the account to the person
       This is an active area of conversation.
    33. My App Can't Be Federated in CAF Because…
       I don't think CAF is as highly available as I want it to be.
       Reply: OK, did you know the following?
       • CAF services reside in 3 provinces (Ontario, BC, and Quebec) and have redundant DNS entries with live failover
       • What are your service criteria, so we may understand them better?
    34. FYI about availability
    35. Your Turn…
       Looking for more conversation and discussion?
       Join the CAF-Shib technical list to discuss the topics:
       CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA