
CANARIE - What Do I Need to Connect with eduroam and Shibboleth

A brief discussion of what it means to connect with eduroam and Shibboleth. Technical slides are at the end of the slide deck.


  1. Canadian Access Federation
     What do I need to do on my campus to enable eduroam & Shibboleth?
     July 5, 2011
     Chris Phillips – chris.phillips@canarie.ca
  2. Agenda
     Per service:
     - Value proposition
     - Technical profile
     - Skills required
     - Time required
     eduroam (detailed tech slides at the end)
     Shibboleth (also detailed tech slides at the end)
     More to be found at: http://bit.ly/fedapps (link to prezi)
  3. Use Case – Wireless Access
     Without eduroam:
     - User arrives, needs to get onto wireless
     - Needs to talk to IT staff to get a credential created in the system and a password set
     - User waits for account
     - User uses known password, signs into wireless
     - When the user is done, IT should be notified to delete the account and terminate access (right?)
     - IT deletes account (right?)
     - Done
     With eduroam:
     - User arrives, needs to get onto wireless, has an eduroam-enabled ID
     - Opens laptop
     - User is authenticated to home system and is online
     - Done
  4. eduroam impact
     Reduces:
     - effort supporting guest network IDs
     - support calls ("How do I…?")
     - guest account footprint in your systems
     Only available on wireless systems, not others
  5. eduroam @ CANHEIT2011 - McMaster
  6. Canadian eduroam Coverage
  7. How does eduroam work?
     - 802.1X – to authenticate clients before allowing access to the network
     - EAP framework – with secure EAP methods to protect user credentials
     - RADIUS – authentication server infrastructure
     - RADIUS proxying – to route authentication requests to a user's home institution
     - Separate IP address space – treated as external to the institution (compliance with service agreements, etc.)
     - End users have standard internet access with as few filters as possible (if any at all)
  8. Sample Deployment: Queen's
  9. Cisco ACS Config
  10. Reciprocity
     eduroam is about you treating guest credentials how you would like to be treated. Just think about what you would like when you travel:
     - No filtered connections
     - No traffic shaping
     - Public IP address (where possible)
     - NAT is not necessarily appropriate, but if you already give people private IPs now, it probably works out OK
  11. Onboarding Process
     Canada has ~28 of 92 universities on eduroam.
     US has slightly fewer in number (25) but 3,000 plus institutions.
     eduroam operator:
     - Standard template for connecting new sites
     - Policy sign-off followed by technical implementation
     Estimated time for Canada federation-level RADIUS server personnel:
     - On-board a new member site: a few hours to two person-days, depending on member site expertise
     - General maintenance: ~one person-day per month
     eduroam site:
     - Local implementation from 4 hours to 4 weeks depending on capabilities
     - Skill: operate/install RADIUS on your choice of platform (Cisco ACS, Microsoft NPS, FreeRADIUS)
     - Operational maintenance: same as your AuthN server now
  12. Rapid Growth
  13. eduroam Questions?
  14. Shibboleth Federations Worldwide
  15. Past Presentations
     This presentation builds on CANHEIT 2010:
     Prezi on building federated applications: http://bit.ly/fedapps
  16. Use Case – New Employee Access to Online Resources
     Without Shibboleth:
     - User arrives, needs to have access to web resources for Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, and shared online resources in a 3rd party wiki
     - Needs to talk to staff for each service to get a credential created in each system and a password set
     - User waits for an account for each service
     - User uses known password, signs into each service and sets a password
     - When the user leaves the organization, each service should be notified to delete the account and terminate access everywhere (right?)
     - Each service deletes the account (right?)
     - Done
     With Shibboleth:
     - User arrives, needs to have access to web resources for Active Directory, Twiki.canarie.ca, Staff.canarie.ca, Collaborate.canarie.ca, and shared online resources in a 3rd party wiki
     - IT staff creates a central account and assigns privileges to access resources centrally
     - User waits for account
     - User changes password and all services rely on this password
     - When the user leaves the organization, this one account should be flagged for deletion (right?)
     - Done
  17. Shib Value Proposition
     - Game changer for integration effort with Shib-ready services
     - Reduces integration from customization to configuration
     - Avoid weeks of custom project integration and then maintenance until, well, forever
     - Lowers cost of doing business – do better with less
     - Establishes a centralized policy enforcement point and easier auditability
     - For new work, establishes a publicly accepted framework to implement to, not your own homegrown framework
  18. Rightsize Your Information Sharing
     [Diagram: SAML as the conduit for information release. Four levels of release – "log in, share nothing", "log in, share NetID", "log in, share opaque ID", "log in, share NetID + attributes" – matched against scenarios: wireless; external website where personalization is desired; internal website where personalization is desired; internal website where personalization and linkage elsewhere are desired; and "data needed (ghosted)".]
  19. Infrastructure & Skills
     - Infrastructure is a single server for the Identity Provider (IdP) (preferably 2 for redundancy)
     - IdP is Java & runs in its own servlet container on Jetty, Tomcat, or JBoss
     - Can cohabitate with existing SSO or be the SSO service itself entirely
     Skills/type of person:
     - The same person managing your SSO environment would be beneficial
     - Operational effort is log watching and XML configuration
  20. Where would you like to go next?
  21. Extra Slides
  22. Secure Wireless – 802.1X
     (April 27th 2010, Canada eduroam)
     [Diagram: client id jdoe on ssid ubcsecure, authenticating against secure.wireless.ubc.ca]
     1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
     2) Certificate validation – prevents "man-in-the-middle" attack
     3) Establish secure tunnel – prevents eavesdropping
     4) Perform authentication through the tunnel using MSCHAPv2
     5) Authentication successful – establish encryption, connect to net
     6) Client acquires IP address (DHCP)
     Wireless encryption established
  23. eduroam – Roaming User
     [Diagram: user id joe@sfu.ca on ssid eduroam at a visited institution; institution servers for realms ubc.ca and sfu.ca; federation server for realm ca; server cert eduroam.sfu.ca]
     1) Negotiate EAP type: EAP-TTLS-PAP
     2) Outer request – validate cert, establish TLS tunnel
     3) Inner request – PAP through the tunnel – secure!
     4) Success – connect to network, establish encryption
  24. eduroam – International Roaming
     [Diagram: user id pam@mit.edu; institution servers for realms ubc.ca, sfu.ca, mit.edu and ucla.edu; federation servers for realms ca and edu; confederation server above them]
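The three slides on how eduroam works (slide 7) and the roaming and international-roaming diagrams (slides 23 and 24) all describe the same mechanism: RADIUS servers forward a request by the realm of the outer identity, institution to federation to confederation and back down, and only the home server opens the TLS tunnel and verifies the inner identity. The following is an added toy model of that routing, not code from the CANARIE deck or from any eduroam software; the server names, realms, hop limit and user table are constructed for the example.

```python
# Added example, not from the CANARIE deck: a toy model of eduroam RADIUS
# proxying. Proxies route on the realm of the *outer* identity; only the home
# server sees the inner identity carried through the tunnel. Server names,
# realms, the hop limit and the user table are constructed for this example.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 8  # example hop limit; real proxy chains also need loop protection


@dataclass
class RadiusServer:
    name: str
    local_realms: set[str] = field(default_factory=set)        # realms authenticated here
    children: dict[str, RadiusServer] = field(default_factory=dict)  # realm suffix -> downstream
    parent: Optional[RadiusServer] = None                      # next tier up
    users: dict[str, str] = field(default_factory=dict)        # constructed inner identity -> password

    def add_child(self, realm: str, child: RadiusServer) -> RadiusServer:
        self.children[realm] = child
        child.parent = self
        return child


def realm_of(identity: str) -> Optional[str]:
    """Realm part of user@realm, or None if the identity carries no realm."""
    if "@" not in identity:
        return None
    return identity.rsplit("@", 1)[1].lower()


def route(server: RadiusServer, outer_identity: str, path: Optional[list[str]] = None):
    """Follow realm routing from `server`; return (home server or None, servers visited)."""
    path = [] if path is None else path
    path.append(server.name)
    realm = realm_of(outer_identity)
    if realm is None or len(path) > MAX_HOPS:
        return None, path                      # unroutable, or a runaway proxy chain
    if realm in server.local_realms:
        return server, path                    # reached the home server
    # forward down to the most specific child realm that matches
    for child_realm, child in sorted(server.children.items(), key=lambda kv: -len(kv[0])):
        if realm == child_realm or realm.endswith("." + child_realm):
            return route(child, outer_identity, path)
    if server.parent is not None:
        return route(server.parent, outer_identity, path)   # escalate to the next tier
    return None, path                          # top of the hierarchy and nobody owns this realm


def authenticate(visited: RadiusServer, outer_identity: str, inner_identity: str, password: str):
    """Proxies route on the outer identity; the home server checks the inner one."""
    home, path = route(visited, outer_identity)
    if home is None:
        return False, path
    # The home server should refuse an inner identity from a realm it does not own.
    if realm_of(inner_identity) not in home.local_realms:
        return False, path
    return home.users.get(inner_identity) == password, path


def build_example_hierarchy() -> dict[str, RadiusServer]:
    """Constructed topology mirroring the slides: institutions -> federations -> confederation."""
    top = RadiusServer("confederation")
    fed_ca = top.add_child("ca", RadiusServer("federation-ca"))
    fed_edu = top.add_child("edu", RadiusServer("federation-edu"))
    sfu = fed_ca.add_child("sfu.ca", RadiusServer("sfu.ca", {"sfu.ca"}, users={"joe@sfu.ca": "joe-pw"}))
    ubc = fed_ca.add_child("ubc.ca", RadiusServer("ubc.ca", {"ubc.ca"}))
    mit = fed_edu.add_child("mit.edu", RadiusServer("mit.edu", {"mit.edu"}, users={"pam@mit.edu": "pam-pw"}))
    fed_edu.add_child("ucla.edu", RadiusServer("ucla.edu", {"ucla.edu"}))
    return {s.name: s for s in (top, fed_ca, fed_edu, sfu, ubc, mit)}


if __name__ == "__main__":
    servers = build_example_hierarchy()
    # joe from SFU visiting UBC: ubc.ca -> federation-ca -> sfu.ca; proxies never see the inner identity
    print(authenticate(servers["ubc.ca"], "anonymous@sfu.ca", "joe@sfu.ca", "joe-pw"))
    # pam from MIT visiting UBC: crosses the confederation into the .edu federation
    print(authenticate(servers["ubc.ca"], "anonymous@mit.edu", "pam@mit.edu", "pam-pw"))
```

Two things the model makes visible that the diagrams only imply: an unknown realm climbs to the confederation and is rejected there rather than looping, and the home server rejects an inner identity whose realm it does not own, so a visitor cannot ride one realm's routing while presenting another realm's credential.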
  25. Dispelling Some Shibboleth Myths
  26. My App Can't Be Federated in CAF Because…
     "It is limited to regional/specific identities"
     Reply: No problem! This is a Virtual Organization.
     A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance.
     VOs can exist within institutional boundaries but are most effective when constituted to operate across, and to unify participants in, different physical or institutional limits.
     Primary purpose is to pursue the shared topic or topics.
  27. Virtual Organization pt 2
     CAF is an environment where VOs flourish:
     - Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying with attribute profiles to participate
     - Autonomy is retained by the VO and its members to focus on the topic
     - CAF focus is on the 'dialtone' infrastructure for collaboration – IdP & SP management practices and operations and middleware elements
     - Examples in Canada are: regional Learning Management Systems; transcript or application management; research 'desktops' that aggregate tools for researchers
     Techniques to implement on the SP end:
     - Use the Shib2.xml & other configurations to whitelist participants [1]
     - Consider using eduPersonEntitlement to express fine-grained filtering at the application level:
       eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
       eduPersonEntitlement: http://publisher.example.com/contract/GL12
     [1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
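Slide 27 names two SP-side controls for a VO: whitelisting the participating IdPs and filtering on eduPersonEntitlement values at the application level. The block below is an added illustration of those two checks as an application would apply them to one request; it is not code from the CANARIE deck or from the Shibboleth project. It assumes the Shibboleth SP's default of passing attributes to the application as request environment variables, with the asserting IdP in `Shib-Identity-Provider` and multi-valued attributes joined with ';' (a literal ';' escaped as '\;'). The IdP entity IDs, the sample requests and the extra entitlement values are constructed; the two entitlement values quoted on the slide are taken from it. The SP's own metadata filter rejects a non-whitelisted IdP before any session exists; the application-level check here is a second layer, not a replacement.

```python
# Added example, not from the CANARIE deck or the Shibboleth project: the two
# SP-side checks from slide 27 (IdP whitelist, eduPersonEntitlement filter)
# applied to one request. Assumes the Shibboleth SP's default attribute
# delivery: Shib-Identity-Provider holds the asserting IdP's entityID and
# multi-valued attributes arrive ';'-joined with literal ';' escaped as '\;'.
# Entity IDs and sample requests are constructed.
from __future__ import annotations

# Constructed VO membership list, keyed by IdP entityID. The SP's metadata
# filter does this at the metadata layer; this is the application's own copy.
VO_IDPS = {
    "https://idp.example-university.ca/idp/shibboleth",
    "https://idp.example-college.ca/idp/shibboleth",
}

# Entitlement values that unlock this service (the two values quoted on the slide).
REQUIRED_ENTITLEMENTS = {
    "urn:mace:washington.edu:confocalMicroscope",
    "http://publisher.example.com/contract/GL12",
}


def split_multivalued(raw: str) -> set[str]:
    """Split a ';'-joined attribute value, honouring the '\\;' escape."""
    values, current, i = [], [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\" and i + 1 < len(raw) and raw[i + 1] == ";":
            current.append(";")          # escaped separator is part of the value
            i += 2
            continue
        if ch == ";":
            values.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    values.append("".join(current))
    return {v.strip() for v in values if v.strip()}


def authorize(env: dict[str, str]) -> tuple[bool, str]:
    """Return (allowed, reason) for one Shibboleth-protected request."""
    issuer = env.get("Shib-Identity-Provider", "")
    if issuer not in VO_IDPS:
        return False, "idp-not-in-vo"            # outside the whitelisted participants
    granted = split_multivalued(env.get("eduPersonEntitlement", ""))
    matched = granted & REQUIRED_ENTITLEMENTS
    if not matched:
        return False, "no-matching-entitlement"  # authenticated, but not entitled here
    return True, "entitled:" + ",".join(sorted(matched))


# Constructed request environments, shaped the way the SP would populate them.
SAMPLE_REQUESTS = {
    "microscope-user": {
        "Shib-Identity-Provider": "https://idp.example-university.ca/idp/shibboleth",
        "eduPersonPrincipalName": "researcher@example-university.ca",
        "eduPersonEntitlement": "urn:mace:washington.edu:confocalMicroscope;"
                                "urn:mace:dir:entitlement:common-lib-terms",
    },
    "member-no-entitlement": {
        "Shib-Identity-Provider": "https://idp.example-college.ca/idp/shibboleth",
        "eduPersonPrincipalName": "student@example-college.ca",
        "eduPersonEntitlement": "urn:mace:dir:entitlement:common-lib-terms",
    },
    "outside-vo": {   # right entitlement, but the IdP is not a VO participant
        "Shib-Identity-Provider": "https://idp.not-a-member.example/idp/shibboleth",
        "eduPersonPrincipalName": "someone@not-a-member.example",
        "eduPersonEntitlement": "http://publisher.example.com/contract/GL12",
    },
}

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(label, authorize(env))
```

The order of the checks matters: the issuer is tested before any attribute is read, so an entitlement value asserted by an IdP outside the VO never reaches the application's decision.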
  28. My App Can't Be Federated in CAF Because…
     "I need to exchange special attributes"
     Reply: No problem!
     - CAF's default is shared nothing
     - eduPerson is the default attribute set
     - Where insufficient, the SP should work out with its partners what extra elements it needs
     - CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes
     - OIDs provide uniqueness, but us humans like text names that are unique too
  29. Enhancing Attribute Exchanges
     Shared nothing today, but uses the eduPerson schema.
     Finding that this may be a paradox of choice.
     Very interesting space to explore, but keep in mind the principles:
     - Low friction to participate (i.e., simplicity is good)
     - Scalable, with a high degree of relevancy and utility
     - Don't punish the end user or IdP owner
     - Interop across Canada and internationally
     Many areas to explore:
     - Use the SCHAC [1] technique for attributes? "urn:schac:dom.ain:Attribute:value"
     - Use the Australian [2] approach for precise control and strong typing and vocabulary?
     - Require full participation in various attribute sets (i.e., MUST populate all fields) but in different categories of SPs (category 1, 2, 3, etc.)?
     - Hybrid?
     [1] http://www.terena.org/mail-archives/schac/msg00371.html
     [2] http://www.aaf.edu.au/technical/aaf-core-attributes/
  30. My App Can't Be Federated in CAF Because…
     "I need a higher level of assurance for a user"
     Reply: OK, we want this too; what are your requirements?
     The challenge is how you want to express it and what your criteria are for the higher level of assurance.
     Part of a larger conversation. What is the yardstick?
     - NIST 800-63?
     - NSTIC, OIX, Kantara audit requirements?
     - Audit of the SP against its own statements?
     If you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
  31. My App Can't Be Federated in CAF Because…
     "I need to sign in on the command line"
     Reply: OK, we want this too.
     Already participating internationally with UK-JISC on project Moonshot: a combined environment of eduroam RADIUS and SAML attribute assertions.
     Live CDs of the sample dev environment are available from Chris.
     Again, if you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
  32. My App Can't Be Federated in CAF Because…
     "I need to sign in with social identities (Google, OpenID)"
     Reply: No problem, it can be done.
     Already participating internationally with REFEDS & InCommon on social identity risk assessment and gateway designs [1].
     Certain gateways exist from uPenn & Sweden [2].
     Many unquantified risks at this time, but it does work:
     - User behind the keyboard is unknown
     - Attributes are self-asserted
     - No knowledge of the value of the account to the person
     This is an active area of conversation.
     [1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
     [2] https://tnc2011.terena.org/getfile/558
  33. My App Can't Be Federated in CAF Because…
     "I don't think CAF is as highly available as I want it to be"
     Reply: OK, did you know the following?
     CAF services reside in 3 provinces (Ontario, BC, and Quebec), and have redundant DNS entries with live failover.
     What are your service criteria, so we may understand them better?
  34. FYI about availability
  35. Your Turn…
     Looking for more conversation and discussion?
     Join the CAF-Shib technical list to discuss the topics:
     CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA