Transcript NAS-SAML
Deploying Authorization Mechanisms for
Federated Services in the EDUROAM
Architecture (DAME)
-Technical Project ProposalÓscar Cánovas (UM)
Antonio G. Skármeta (UM)
Diego R. Lopez (RedIRIS)
Klaas Wierenga (SURFnet)
TF-EMC2
February 2006, Zagreb
Overview
Introduction
Motivation of this project
Background and previous work: NAS-SAML
Main goals
TF-EMC2
Introduction
DAME is a project that builds upon previous TERENA, GN2,
Internet2, and University of Murcia work:
EDUROAM, a result of TERENA Mobility Task Force, which defines
an inter-NREN roaming architecture,
eduGAIN, the AAI interoperation infrastructure designed by GN2
JRA5
Documentation available on the Shibboleth web site.
NAS-SAML, a network access control approach for AAA
environments, developed by the University of Murcia (Spain),
based on the SAML and the XACML standards,
TF-EMC2
Documentation available at the GÉANT2 web site
Shibboleth, a widely deployed federation mechanism developed by
Internet2 and the NSF Middleware Initiative.
Reports available on the EDUROAM web site
Documentation available on the http://pki.dif.um.es web site
Overview
Introduction
Motivation of this project
Background and previous work: NAS-SAML
Main goals
TF-EMC2
Motivation
We have experienced the emergence of federated approaches to
resource sharing.
Access to shared resources with a single identity
Examples of these approaches: the establishment of academic federations
worldwide and the concepts around Grid Computing.
Some aspects generally related with integral identity management are
still open, especially those related to user authorization.
One of the main resources to share is the network, for mobility
purposes.
TF-EMC2
Only allowed users are able to perform the set of allowed actions over each
resource.
The TERENA Mobility Task Force defined and tested an inter-NREN
roaming architecture, called EDUROAM, proposed after identifying the
most suitable techniques currently deployed in the NRENs.
Motivation
EDUROAM allows users of participating institutions to access the
Internet at other participants using their home institution's credentials.
It would be desirable to extend the EDUROAM architecture with
authentication and authorization mechanisms.
NAS-SAML is an access control proposal for AAA environments which can
be used to extend EDUROAM to exchange existing credentials.
Credentials can be expressed in several forms, ranging from
eduGAIN/Shibboleth statements to X.509 Attribute certificates
Additionally, this authorization mechanism might be used at servicelevel, for example for Grid Computing purposes.
EDUROAM constitutes an exceptional starting point to offer a full and
integrated network access experience to the users.
TF-EMC2
Overview
Introduction
Motivation of this project
Background and previous work: NAS-SAML
Main goals
TF-EMC2
NAS-SAML
Main objectives:
TF-EMC2
To define a network access control approach based on:
X.509 PKC authentication
User attributes (roles)
Authorization policies. Rules stating the permissions give to each
system role.
Use of XML to express:
access control policies (XACML)
authorization statements (SAML)
authorization protocols (SAML)
The scenario should be integrated in the AAA architecture.
NAS-SAML
TF-EMC2
Architectural elements
NAS-SAML
End User:
Entity requesting access to the network
Authentication based on (X.509 PKC or login/passwd pairs)
AAA Server:
TF-EMC2
Source Authority (SA)
Policy Decision Point (PDP)
Source Authority (SA):
Requires two ASM modules:
Manages the Role Assignment Policy (roles to users)
Role Assignment Policy:
“in the source domain Source, the set of roles R1, R2.. Rn can be
assigned to the users contained in the o=org,c=ES X.500 sub-tree for
the period V”
Based on XACML
NAS-SAML
Policy Decision Point (PDP):
Generates the statements related to authorization decisions
Manages the Resource Access Policy
Policy Administration Point (PAP):
TF-EMC2
Defines, signs and publishes the Resource Access Policy
Resource Access Policy:
“the users pertaining to the source domain Source, and playing the role
R1, will get access to the network N1 with a QoS1”
Based on XACML
Network Access Point (NAP):
forwards the client requests to the appropriate AAA server of the target
domain
obtains and enforces the properties of the network connection
NAS-SAML
TF-EMC2
Example: Inter-domain pull model
NAS-SAML
Current status:
TF-EMC2
Architectural elements, protocols, integration with DIAMETER
G. López, O. Cánovas, A. F. Gómez-Skarmeta, R. Marín. “A Network Access
Control Approach based on the AAA Architecture and Authorization
Attributes”. Journal of Network and Computer Applications
Implemented and tested.
Security policies (access control, role assignment, conversion):
G. López, O. Cánovas, A. F. Gómez-Skarmeta. “Use of XACML Policies for
a Network Access Control Service”. 4th International Workshop of Applied
PKI, IWAP’2005.
Implemented and tested.
Integration with PERMIS (in collaboration with D. W. Chadwick):
G. López, O. Cánovas, A. F. Gómez-Skarmeta, O. Otenko, D.W. Chadwick.
“A Heterogeneous Network Access Service based on PERMIS and SAML”.
2nd European PKI Workshop, EuroPKI’2005.
Implemented and tested.
Overview
Introduction
Motivation of this project
Background and previous work: NAS-SAML
Main goals and summary of activities
TF-EMC2
Main goals
First Goal: Extension of EDUROAM using NAS-SAML
User mobility controlled by assertions and policies expressed in SAML
and XACML.
Enhanced interoperability among organizations (common language)
XACML
Policies
Policy Decision
Point
RADIUS + SAML
TF-EMC2
Source Attribute
Authority
Main goals
First Goal: Extension of EDUROAM using NAS-SAML
RELATED ACTIVITIES:
TF-EMC2
Activity 1. Integration of the NAS-SAML architecture in the EDUROAM
network.
Task 1. Analysis of the current status of the EDUROAM network.
Task 2. Analysis of the required user attributes and policies for roaming.
Task 3. Development of the Source Authority and Policy Decision Points.
Task 4. Development a custom SAML module for RADIUS and DIAMETER servers.
Task 5. Create a translator to convert RADIUS messages into DIAMETER and vice versa.
Task 6. Validate the resulting architecture for mobility purposes.
Activity 2. Development of a user-friendly management interface for
authorization policies.
Task 1. Analysis of the different existing proposals for privilege administration.
Task 2. Development of a high level interface able to be integrated with common office
applications.
Task 3. Creation of interpreters and translators able to convert policies into XACML.
Task 4. Validate the resulting interface.
Main goals
Second Goal: Use of eduGAIN/Shibboleth as AuthN and AuthZ
backend
NAS-SAML has been already integrated with other proposals (X.509 AC)
Link between the AAA servers (now acting as Service Providers) and the
Identity Providers of the federation.
XACML
Policies
Policy Decision
Point
(SAML)
Authentication Statement
Attribute Statements
Access point
Shibboleth
Federation
Network Access Service
(RADIUS/DIAMETER
Acting as Service Provider)
TF-EMC2
Identity Provider
(Shibboleth)
Main goals
Second Goal: Preliminary design.
Home SD
Attr
Auth
EU
Target SD
SP
IP
NAP
AAA
SA
Login/Pass
Login/Pass
authenticate
user
SAMLRes.
AuthNSt or
Artifact
EAP-SUCCESS
SAMLRes.
AuthNSt or
Artifact
Authorization
process
attributes
SAMLRes.
AuthNSt or
Artifact
SAMLRes
.
artifact
SAMLRes
.
AuthNSt
HTTP 200OK
EAP-PEAP
PI
HTTPS
SOAP
HTTPS
TF-EMC2
HTTPS
PDP
Main goals
Second Goal: Use of eduGAIN/Shibboleth as AuthN and AuthZ
backend
RELATED ACTIVITIES:
TF-EMC2
Activity 3. Use of eduGAIN/Shibboleth as authentication back-end for
NAS-SAML
Task 1. Analysis of the proposed profiles for SSO. Identification of the possible
modifications that would require some of those profiles.
Task 2. Development of a Shibboleth Service Provider module responsible for
the creation and exchange of Shibboleth data exchange
Task 3. Development of an eduGAIN BE to provide direct access to the confederation infrastructure
Task 4. Definition of the authentication methods to be used by the end users in
order to demonstrate their digital identity.
Task 5. Extension of the existing XACML context manager in order to interpret
the eduGAIN/Shibboleth SAML credentials.
Task 6. Validate the resulting architecture.
Main goals
Third Goal: Global Single Sign On (SSO)
Users will be authenticated once, during the network access control phase
The eduGAIN/Shibboleth authentication would be bootstrapped from the
NAS-SAML
New PEAP method for delivering authentication credentials and new
security middleware
XACML
Policies
Policy Decision
Point
(SAML)
Authentication Statement
Attribute Statements
Identity Provider
(Shibboleth)
Shibboleth
Federation
(SAML)
Authentication Statement or
Artifact
Network Access Service
(RADIUS/DIAMETER)
(SAML)
Authentication Statement or
Artifact
Service Provider
Assertion Consumer
TF-EMC2
Target Resource
Additional SAML
Attributes
Main goals
Third Goal: Global Single Sign On (SSO)
RELATED ACTIVITIES:
Activity 4. Development of a global SSO
Task 1. Analysis of the requirements of a new PEAP authentication method
able to exchange the necessary eduGAIN/Shibboleth signed tokens.
Task 2. Development of the client and server software modules
implementing the specified PEAP method..
Task 3. Design and develop the middleware able to manage the signed
Shibboleth tokens that will be then provided to the resource providers
Task 4. Modify the existing service providers in order to include a custom
SSO profile based on a push method, that is, a method where the end users
are able to provide the required authentication credentials.
TF-EMC2
Task 5. Validate the resulting system.
Main goals
Fourth Goal: Authorization mechanisms for application-level services
Mainly focused on Grid Computing
Grid Services have specific components for authorization purposes
We plan to link that components with the existing authorization infrastructure, using
standard extension points:
OGSA-Authz
MyProxy
GridShib
RELATED ACTIVITIES:
TF-EMC2
Activity 5. Deployment of an authorization mechanism for an application-level
service: Grid Computing.
Task 1. Analysis of the different Grid platforms that are being currently used in the different
European initiatives.
Task 2. Analysis of the GridShib tool as starting point to provide authorization services to
Grids.
Task 3. Definition of the set of attributes used to describe grid-relevant properties.
Task 4. Modify the existing network of AAA servers in order to add the Grid-related policies
and attributes.
Task 5. Validate the resulting authorization services.