Authentication and Authorisation Infrastructure - AAI
Christoph Graf <graf@switch.ch>
Project Leader AAI, SWITCH
2003 © SWITCH

The Foundation SWITCH

Set up in 1987 with the purpose: “… to create, promote and maintain the necessary fundamental means for efficient use of modern telecommunication methods for the benefit of education and research in Switzerland to participate in such fundamental activities …”

… amazingly enough, it still holds true without tweaking.

Business Areas of SWITCH

Four business areas: Network, Security, Internet Identifiers, Net Services.

[Diagram; the activities shown on the slide are: Network Operation; Incident Handling; Domain Name Registration (Invoicing, Administration, Help Desk, Online-Queries, Consulting); User Registrations (Invoicing, Administration, Help Desk, Online-Queries, Consulting); Middleware incl. AAI; Engineering (IP, QoS, Routing, …); SWITCHmobile; SWITCHvconf; Content Delivery and Tools; Service Monitoring; Diverse Applications incl. News; Help Desk; Consulting; Laboratory.]

How it all began…

Call for participation in the Swiss Virtual Campus (SVC) in 1999
– Fair amount of federal funds for the creation of e-learning course contents
– Applying teams need to build consortia
– Courses must be offered to consortia member organisations for free
– Consortia members should put those courses into their curricula

Problems
– How to deal with user authentication and authorisation in this cross-organisational context?
– Should every team solve the same problem individually?
– The SVC is about contents, not tools

SWITCH’s answer
– This is an opportunity to drive and co-ordinate efforts in our community
– The AAI activity (Authentication and Authorisation Infrastructure) was outlined
– It aims at establishing a cross-organisational infrastructure offering authentication and authorisation services (in a wider context than just covering the needs of the SVC)

e-Academia / AAI Concept

Vision of e-Academia
“We want a virtual community across our institutions in which all persons associated with the Swiss Higher Education System are able to gain access to its electronic resources, independent of the accrediting organization and independent of the place where they happen to be working.”

AAI as the foundation of e-Academia
“… let’s develop e-Academia, let us build the foundations in the form of a uniform authentication and authorization infrastructure (AAI) for the higher education system in Switzerland …”

Roadmap
– 2000–2001: Concept
– 2002: Study
– 2003: Pilot
– 2004: Realization V 1.0
– 2005: Realization V 2.0

The AA Problem (1)

[Diagram: a single Resource Owner (University of Zurich) holds both the Resource and the info about the user; the User presents a user ID and credentials, much like a Swiss passport.]

1 user - 1 resource - 1 organization: NO PROBLEM

The AA Problem (2)

[Diagram: three Resource Owners (University of Zurich with Resource A, University of Lausanne with Resource B, University Hospital of Geneva with Resource C); each keeps its own info about the user, and the User presents a separate ID and credentials to each of them.]

Many users - many resources - many organizations: A PROBLEM

The AA Model (1)

[Diagram: the User’s Home Org runs Registration and a User DB; the Resource Owner runs an Access Control Definition, an Access Control Manager and the Resource. Step 1 (pre-processing): the User registers with the Home Org and provides info (name, address, …). Legend: data, system, pre-processing.]

The AA Model (2)

[Diagram: Step 1, Authentication: the User authenticates against the Home Org’s authentication service, backed by the User DB. Step 2, Access Request of an authenticated user, sent to the Resource. Step 3, Authorization Information Delivery: the AAI carries authorization information from the Home Org to the Resource Owner’s Access Control Manager, which applies the Access Control Definition. Legend: data, system, AAI-interaction.]

The AA Model (3)

[Diagram: the Home Org’s Authentication and the Resource Owner’s Access Control Manager each write a Log; both logs feed Other Applications (Accounting, Billing, Statistics).]

Input to Accounting or Billing systems:
• AAI provides Identity of User and/or Name of Home Organization
• Resource measures the interactions between a user and the resource

Scope of the AAI

[Diagram with the AAI in the centre. AAI core functions: interorganizational user authentication, secure transfer of authorization attributes. Shown around it: Authentication systems (Unix/Windows login, PKI, Integrated Systems, WEB Single Sign-on, SmartCards), User Directories, and uses of the AAI: WEB resources, WEB Portals, Accounting, Billing, Document encryption, Legacy Applications, Secure e-mail.]

Advantages of an AAI

• Virtual Mobility: AAI is a requirement if students of different universities wish to use common resources, and it is the basis for initiatives such as the Swiss Virtual Campus.
• Information protection: AAI simplifies the protection of information by applying standardized mechanisms. Resource owners can concentrate on the protection of their resources without having to implement an entire system including registration and authentication.
• Remote access: AAI makes it possible to authorize users based on personal attributes of a user instead of IP addresses. User authorization thus becomes location-independent.
• User friendliness: After a single registration a user can access a number of resources. Only one authentication technology is applied.
• IT efficiency: Standardized AA systems and cooperation among IT organizations improve the efficiency in the implementation and operation of security solutions.
• Administration overhead: Without AAI, a user has to register with various organizations. It is feared that the administrative overhead of individual organizations will increase dramatically. AAI counteracts this tendency.
• Image: Complicated and inconsistent AA mechanisms, or isolation of resources and user groups, respectively, is no longer state of the art. Not having an AAI will damage the image in the long run.

Project Planning: Roadmap

Roadmap
– 2001–2002: Study
– 2003: Pilot
– 2004: Realization V 1.0
– 2005: Realization V 2.0
Decision: building up of the infrastructure (June 2003)

[Diagram: work packages in the quarters Jul – Sept 02, Oct – Dec 02, Jan – March 03 and Apr – Jun 03: Pilot projects; Selection of architecture; Policy; Attribute specification; Tech. & org. concept; Legal basis; Service description; Budgeting the implementation of Release 1.0.]

Authorisation Attributes

Personal attributes
• Unique Identifier (anonymous)
• Surname
• Given name
• Date of birth
• Gender
• E-mail
• Address(es)
• Phone number(s)
• Preferred language

Group membership
• Name of Home Organization
• Type of Home Organization
• Affiliation (student, staff, faculty, …)
• Study branch
• Study level
• Staff category
• Organization Path
• Organization Unit Path
• Group membership

User attributes for AAI
• are based on standards (LDAP: eduPerson, SHIS/SIUS)
• have to be available in real-time
• have to be handled as required by federal and cantonal data protection laws:
  – attributes have to be accurate
  – attributes have to be stored securely
  – attributes should only be transferred to resources with a valid case to use them
• will be revised in the future in a standardised change process, depending on the requirements of Resource Owners and Home Organizations

Shibboleth Process

[Diagram: Users Home Org (Handle Service HS, Attribute Authority AA, User DB), Resource Owner (SHIRE, SHAR, Resource Manager, Resource), and the WAYF in between. The exchange, in the order of the diagram:]

1. The user requests the resource. SHIRE: “I don’t know you. Not even which home org you are from. I redirect your request to the WAYF.”
2. WAYF: “Please tell me where you come from.”
3. WAYF: “OK, I redirect your request now to the Handle Service of your home org.”
4. HS: “I don’t know you. Please authenticate yourself.”
5. The user presents credentials; the HS checks them against the User DB.
6. HS: “OK, I know you now. I redirect your request to the target, together with a handle.”
7. SHIRE receives the handle and passes it to the SHAR.
8. SHAR: “I don’t know the attributes of this user. Let’s ask the Attribute Authority.” (the handle is sent to the AA)
9. AA: “Let’s pass over the attributes the user has allowed me to release.” (attributes are returned for the handle)
10. Resource Manager: “OK, based on the attributes, I grant access to the resource.”

Preconditions for Home Organizations

Registration
• A Home Organization must be able to
  – register its users and store information about them in a user directory (database)
  – provide a minimal set of such user attributes to the AAI
• The registration and administration processes have to guarantee that these attributes are kept accurate

Authentication
• A Home Organization has to offer secure authentication over the network to its users
• It is up to the Home Organization which authentication technology it chooses.

[Diagram: the User registers with the Home Org (info: name, address, …) into the User DB and authenticates with ID and password.]

AAI-enabling of Home Organizations

AAI integration between
• authentication system and AAI
• user DB / directory and AAI

Data consolidation
• Make sure that all the attributes needed are available online in the appropriate AAI format
• If necessary, create a specific AAI user directory (read-only, periodically updated from master databases)

[Diagram: within the User’s Home Org, the User DB feeds an AAI directory that supplies attributes to the AAI, and the Authentication system answers the AAI with Yes/No.]

Resource Types (1)

Type A
• Unpersonalized web resources
• Access control policy based on group membership attributes
• AAI extensions for web server
Example
• Intranet web servers

Type B
• Personalized web resources
• Access control policy based on individual and group membership attributes
• AAI extensions for web server
Examples
• Discussion forum
• Web mail
• Student administration

[Diagram: for both types the Resource Owner runs an Access Control Definition, the AAI component and an Access Control Manager in front of the Resource; Type B additionally keeps its own User DB.]

Resource Types (2)

Type C
• Unpersonalized “black box” web resources with proprietary access control
• AAI proxy
Example
• 3rd party content providers (libraries)

Type D
• Personalized “black box” web resources with proprietary access control and user administration
• AAI portal or AAI proxy
Examples
• E-learning platforms
• Standard applications

[Diagram: for Type C the Resource Owner runs an Access Control Definition, the AAI component and an Access Control Manager on an AAI Proxy in front of the Resource; for Type D the same sits on an AAI Portal or AAI Proxy, with an additional User DB.]

Preconditions for Resources

Access Control
• Access Control Policy can be expressed and implemented as rules based on authorization attributes
• Received attributes have to be appraised as trustworthy
• Resource is of type A–D (detailed technical requirements will follow); if not, technical feasibility has to be verified.

Legal Basis
• A Resource belongs to an Organization bound to the AAI Policy
• A Resource Owner agrees to handle received attributes as required by the AAI Policy and the Federal and Cantonal Data Protection Law

[Diagram: Resource Owner with Access Control Definition, Access Control Manager and Resource.]
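The Shibboleth exchange of the process slide, the user-controlled attribute release of the Authorisation Attributes slide and the rule-based access control required above, worked through end to end as an added Python example. This is a constructed model written for this page, not SWITCH or Shibboleth code; the class names (HomeOrganization, WAYF, Resource), the helper functions, the sample users, universities, passwords and resources are all assumptions. The handle is a random opaque token that resolves exactly once at the Attribute Authority, attributes are released per resource according to what the user allowed, and the Access Control Manager only evaluates its rules over attributes asserted by a Home Organization in its trusted “club”:

```python
import secrets


class HomeOrganization:
    """Home Org side: user directory, Handle Service (HS) and Attribute
    Authority (AA). Constructed model, not Shibboleth code."""

    def __init__(self, name):
        self.name = name
        self.user_db = {}         # user id -> (password, attributes)
        self.release_policy = {}  # user id -> {resource name -> attribute names}
        self.handles = {}         # opaque handle -> user id (single use)

    def register(self, uid, password, attributes, release_policy):
        # Registration step of the AA Model: store the user's attributes and
        # which of them the user allows to be released to which resource.
        self.user_db[uid] = (password, dict(attributes))
        self.release_policy[uid] = {r: set(a) for r, a in release_policy.items()}

    def handle_service(self, uid, password):
        """HS: authenticate and hand out an opaque handle instead of the
        identity. Returns None when authentication fails."""
        record = self.user_db.get(uid)
        if record is None or not secrets.compare_digest(record[0], password):
            return None
        handle = secrets.token_urlsafe(16)  # random, carries no user info
        self.handles[handle] = uid
        return handle

    def attribute_authority(self, handle, resource_name):
        """AA: resolve a handle once and release only the attributes the user
        allowed for this resource; the Home Org name is always asserted."""
        uid = self.handles.pop(handle, None)  # a handle resolves exactly once
        if uid is None:
            return None
        _, attrs = self.user_db[uid]
        allowed = self.release_policy[uid].get(resource_name, set())
        released = {k: v for k, v in attrs.items() if k in allowed}
        released["homeOrganization"] = self.name
        return released


class WAYF:
    """'Where Are You From': maps the Home Org the user names to that
    organisation's Handle Service."""

    def __init__(self, club):
        self.club = {org.name: org for org in club}

    def locate(self, org_name):
        return self.club.get(org_name)


class Resource:
    """Resource Owner side: SHIRE/SHAR plus the Access Control Manager."""

    def __init__(self, name, trusted_orgs, rules):
        self.name = name
        self.trusted_orgs = set(trusted_orgs)  # the "club" this resource trusts
        self.rules = rules  # Access Control Definition: (attribute, allowed values)

    def access_control_manager(self, attrs):
        """Grant only if the attributes come from a trusted Home Org and every
        rule of the Access Control Definition is satisfied."""
        if attrs is None or attrs.get("homeOrganization") not in self.trusted_orgs:
            return False
        return all(attrs.get(attr) in values for attr, values in self.rules)


def access_resource(resource, wayf, org_name, uid, password):
    """Walk the exchange end to end and return the outcome as a string."""
    org = wayf.locate(org_name)                 # SHIRE -> WAYF: user names home org
    if org is None:
        return "unknown home organization"
    handle = org.handle_service(uid, password)  # WAYF -> HS: authenticate
    if handle is None:
        return "authentication failed"
    # HS -> SHIRE with the handle; SHAR -> AA asks for attributes under it
    attrs = org.attribute_authority(handle, resource.name)
    return "granted" if resource.access_control_manager(attrs) else "denied"


def build_demo():
    """Constructed sample federation: two Home Orgs, three resources."""
    uzh = HomeOrganization("University of Zurich")
    uzh.register("alice", "pw-alice",
                 {"surname": "Example", "affiliation": "student",
                  "studyBranch": "informatics"},
                 {"intranet": {"affiliation"},
                  "forum": {"affiliation", "surname"}})  # nothing for "library"
    unil = HomeOrganization("University of Lausanne")
    unil.register("bob", "pw-bob",
                  {"surname": "Sample", "affiliation": "staff"},
                  {"intranet": {"affiliation"}})
    wayf = WAYF([uzh, unil])
    members = ["University of Zurich", "University of Lausanne"]
    intranet = Resource("intranet", members,
                        [("affiliation", {"student", "staff", "faculty"})])
    forum = Resource("forum", ["University of Zurich"], [("affiliation", {"student"})])
    library = Resource("library", members, [("affiliation", {"student", "staff"})])
    return wayf, intranet, forum, library


if __name__ == "__main__":
    wayf, intranet, forum, library = build_demo()
    print(access_resource(intranet, wayf, "University of Zurich", "alice", "pw-alice"))
    print(access_resource(library, wayf, "University of Zurich", "alice", "pw-alice"))
```

Running the two calls at the bottom gives “granted” for the intranet and “denied” for the library: alice is a student at a trusted Home Org, but she has not allowed her affiliation to be released to the library, so its Access Control Manager sees only the Home Org name and the rule cannot be satisfied. A handle presented to the Attribute Authority a second time resolves to nothing, which keeps a captured handle from being replayed for attributes.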

AAI-enabling Resources

For Resources of Type A and B
• Install AAI on Resource
• Configure (implement) Access Control Definition
• For personalized resources: implement interaction with User DB

For Resources of Type C and D
• Implement Portal/Proxy
• Install AAI on Portal/Proxy
• Configure (implement) Access Control Definition on Portal/Proxy
• For personalized resources: implement interaction with User DB

[Diagram: Resource Owner with Access Control Definition, AAI, Access Control Manager, User DB and the Resource or Portal.]

The Legal Basis of an AAI

[Diagram: the Service Provider issues the AAI Policy (“Club rules”) and is bound to Org A, Org B, Org C, Org … by Service Agreements; each organisation applies User Regulations to its own users.]

AAI Programme Management (1)

[Gantt chart over Jan – Jun 2003, Jul – Dec 2003, Jan – Jun 2004 and Jul – Dec 2004. Home Organizations: UNI A, UNI B, UNI C, UNI D, UNI E and the SWITCH Pilot join over the period. Resource Owners RE 1 and RE 2 bring resources Res 1 to Res 6 into the programme.]

AAI Programme Management (2)

[Gantt chart over the same period, Jan – Jun 2003 to Jul – Dec 2004, with the same Home Organizations (UNI A to UNI E, SWITCH Pilot) and Resource Owners RE 1 and RE 2, now with resources Res 1 to Res 9.]

Identity Management Classification (from simple to complex)

MS Passport
– Trust model: One external trust broker, trust monopoly
– One central user database
– One single Home Organisation for all users

Shibboleth
– Trust model: “Club” of organisations trusting each other (but not necessarily their users!)
– Decentralised user database at “Club” member sites
– “Club” members acting as Home Organisation
– Users are registered with exactly one Home Organisation, maintaining their electronic identity (otherwise, they end up owning multiple electronic identities)

Liberty Alliance
– Same as Shibboleth except:
– Users may register with multiple “Club” members
– Each Club member is maintaining a part of their user’s electronic identity

Questions?