eduroam and other topics in GN2-JRA5 (DFN)
Connect. Communicate. Collaborate
eduroam and other topics in GN2-JRA5
DFNRoaming Workshop, Stuttgart, 30 November 2006
Jürgen Rauschenbach, DFN-Verein, jrau@dfn.de
Contents
• The GÉANT2 project
• JRA5 visions
• What are federations?
• eduroam
• eduGAIN
• uSSO/DAMe
GÉANT2 components
• The infrastructure: www.geant2.net (media centre, maps)
• The management: Policy Committee (30 NRENs, Dante, TERENA); Executive Committee (6 NREN directors); project manager Roberto Sabatini (Dante); Technical Committee (activity leaders, RS, MK)
• Network Activities (1-8)
• Service Activities (1-3)
• Joint Research Activities:
– JRA1 – Performance monitoring (perfSONAR)
– JRA2 – Security
– JRA3 – Bandwidth on Demand
– JRA4 – Testbed and CBF
– JRA5 – Roaming and Authorisation
Problem and JRA5 vision
• How to organise access to resources in the research and education area (networks, digital documents, computer power etc.) in a sufficiently safe and easy-to-handle way?
• JRA5 vision:
– To build a roaming infrastructure enabling full mobility of members of the scientific community in Europe across institutional campuses: “open your laptop and be online”
– To build an interoperable authentication and authorisation infrastructure that will be used all over Europe, enabling seamless sharing of e-science resources.
– To develop and pilot a single sign-on system enabling a log-in-once experience for network and application access, even beyond organisational boundaries.
JRA5 participants
• Number of partners is 16 (NRENs); the number of participants has grown to 111 (mailing list), with contributions from around 30 active persons
• Partners are ARNES, CARNet/Srce, CESNET, Dante, DFN, FCCN, GRNET, HEANET, HUNGARNET, ISTF, NORDUnet (CSC, UNI-C, UNINETT, University of Umea), RedIRIS, RESTENA, SURFnet, SWITCH (different involvement in project parts)
• Collaboration/liaison with
– many groups: TF-Mobility, TF-EMC2, GN2 activities (JRA1, SA3, JRA3), international groups like eduroam gwg, SALSA FWNA (Internet2), MACE, TF-NGN, DICE, GGF, eConcertation
– and projects: Akogrimo, EGEE2, Lobster
Federations – why?
• Federated access to resources is one of the drivers
• Synergy effects: joining a federation instead of many bilateral agreements, purpose based
• Different communities, different needs
– Not even talking about international collaboration
– Different technical and organisational solutions
– Digital libraries, e-learning, Grids as current examples
– More to come: governments, professional associations, commercial operators, …
• Don’t hold your breath waiting for the Real And Only Global Federation
Federation ingredients
• Identity management is key!
• Agreeing on trust mechanisms (PK technologies, component IDs)
• Aligning on schemas (eduPerson, SCHAC, …)
• Reaching applications
• Coordinating metadata
• SAML for identity data exchange (moving to SAML2)
• Policy
Confederations: federate federations
• Same federating principles applied to federations themselves
– Own policies and technologies applied locally
• Independent management
– Identity management, authentication/authorisation must be properly handled by the participating federations and federation participants
• Confederation policy
– Linking individual federation policies
– Coarser than the linked federation policies
• Trust fabric entangling participants
– Through each federation’s fabric
– P2P trust must be built dynamically
JRA5 current work
• eduroam:
– Preparation of the eduroam service (organisational)
– Technical enhancement of the current infrastructure
• eduGAIN:
– Implementation of the components of the AAI architecture according to the specification and creation of test cases
– Development of a profile for the specific requirements of GN2 activities (JRA1 based right now)
• uSSO:
– Definition of uSSO requirements and provision of SSO concepts that match these requirements
European eduroam confederation principles
• Mutual access – no fees
• Authentication at home – authorisation at visited institution
• Home institutions are/remain responsible for their users abroad
• Members are European NRENs
• Members guarantee required security levels by their participants
• Members promote eduroam in their countries
• European eduroam may peer with other regions (confederation level)
National policies
• Mutual access
• Members are connected institutions
• Home institution is/remains responsible for its users’ behaviour
• Home institution is responsible for proper user management
• Home and visited institution must keep sufficient log data
• Appropriate security levels
eduroam hierarchy (figure)
• (virtual) eduroam root
– European root: .nl, .ac.uk, .dk, .hr, .es, …
– APAN root: .au, .cn, …
– (America’s root): .edu, .us, …
Limitations
• Authentication = authorisation
• Hierarchical trust establishment AND hierarchical routing of access requests
• Transitive trust
• No dynamic trust establishment
• Use of UDP
• Use of shared secrets
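What the last four limitations mean on the wire, as an added example that is not part of the slides and not eduroam's own code: a Python simulation of realm-based forwarding through a constructed institution / NREN / confederation-root hierarchy, with the User-Password attribute hidden per hop exactly as RFC 2865 section 5.2 specifies (MD5 of the hop's shared secret and the Request Authenticator, XORed block by block). Server names, realms and shared secrets are invented. eduroam actually runs EAP methods, whose inner credential is protected end to end; PAP is used here because it makes visible what every proxy on the path can read, and the same hop-by-hop secrets are all that protect the session keys the home server returns, so the whole chain of proxies has to be trusted (the transitive trust of the slide). RadSec, on the next slide, swaps the static secrets and UDP for TLS over TCP but keeps the proxy chain.

```python
import hashlib
import os

# RFC 2865 section 5.2: each 16-byte block of the padded password is XORed with
# MD5(secret + previous ciphertext block); the first block uses the 16-byte
# Request Authenticator. No integrity, and the only key is the static hop secret.
def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")  # strip padding; assumes passwords have no trailing NULs

# Constructed hierarchy (hypothetical names): server -> parent server.
PARENT = {
    "eu-root": None,
    "nl": "eu-root", "de": "eu-root",
    "uni-a.nl": "nl",   # visited institution
    "uni-b.de": "de",   # home institution
}
CHILDREN = {s: [c for c, p in PARENT.items() if p == s] for s in PARENT}

# Constructed shared secrets, one per RADIUS link (in reality agreed per pair of operators).
SECRETS = {
    frozenset({"uni-a.nl", "nl"}): b"secret-A-NL",
    frozenset({"nl", "eu-root"}): b"secret-NL-ROOT",
    frozenset({"de", "eu-root"}): b"secret-DE-ROOT",
    frozenset({"uni-b.de", "de"}): b"secret-B-DE",
}

def route(visited: str, realm: str) -> list:
    """Hierarchical realm routing: climb until some server has a child whose
    realm suffix covers the user's realm, then descend. Returns the server path."""
    path = [visited]
    while path[-1] != realm:
        here = path[-1]
        down = [c for c in CHILDREN[here] if realm == c or realm.endswith("." + c)]
        nxt = down[0] if down else PARENT[here]
        if nxt is None:  # reached the root without a match: unknown realm
            raise LookupError(f"no route for realm {realm!r} from {here!r}")
        path.append(nxt)
    return path

def proxy_chain(visited: str, user_name: str, password: bytes) -> list:
    """Forward a PAP Access-Request hop by hop. Every proxy must reveal the
    User-Password with the inbound secret and re-hide it with the outbound one,
    so every server on the path sees the cleartext. Returns (server, cleartext) per hop."""
    realm = user_name.split("@", 1)[1]
    path = route(visited, realm)
    seen, hidden, auth = [], None, None
    for i, server in enumerate(path):
        if i == 0:
            clear = password  # the NAS at the visited site hands it over in the first hop
        else:
            clear = reveal_password(hidden, SECRETS[frozenset({path[i - 1], server})], auth)
        seen.append((server, clear))
        if i + 1 < len(path):
            auth = os.urandom(16)  # fresh Request Authenticator for the next hop
            hidden = hide_password(clear, SECRETS[frozenset({server, path[i + 1]})], auth)
    return seen

if __name__ == "__main__":
    for server, pw in proxy_chain("uni-a.nl", "piet@uni-b.de", b"correct horse battery staple"):
        print(f"{server:9s} sees {pw!r}")
```

`route` raising `LookupError` is the simulation's stand-in for the Access-Reject an unknown realm gets in the real hierarchy; the per-hop re-hiding is why a compromised or merely curious NREN proxy is inside the trust boundary of every roaming authentication that crosses it.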
eduroam-ng
• After evaluating Diameter, RadSec and DNSROAM:
• Introduction of RadSec (if possible)
– TCP instead of UDP
– TLS between RADIUS servers instead of shared secrets
• Possibly at a later stage introduction of DNSROAM
– Support for direct peer interaction
– How about firewalls / access lists?
• Eventually Diameter?
European eduroam participants (map)
JRA5 transition to service
• First JRA5 service: European eduroam confederation service (eduGAIN is planned to follow later on)
• Roadmap: the service will start in April 2007; the eduroam confederation policy document is ready for signing by the NRENs
• “Users” will be the NREN-based eduroam federations, providing the service to end users associated with their member institutions
• The service will be conducted by the eduroam SA, which will establish the eduroam operational team (3-4 persons) for daily service handling
eduroam RADIUS hierarchy (figure)
• Confederation level servers (resilient)
• Federation (NREN) level servers, e.g. .DK and .PT
• Institutional level servers, e.g. inst-1, inst-2, inst-3, inst-4 below the national servers
eduGAIN related work done
• AAI achievements – exercising the confederation concepts
– Specification of the AAI architecture (DJ5.2.2) – new version end of November
– Implementation of the AAI basic components
– Start of implementation of bridging elements (Shibboleth, Liberty Alliance/FEIDE, PAPI)
– Development of the initial 2 profiles (web services, automated clients)
– Support of the GÉANT Identity Provider (GIdP) project
– Guidelines for connecting to eduGAIN: document “AAI cookbook” DJ5.2.3,1 available at http://www.geant2.net
• JRA5 currently focuses on the following AA systems: Shibboleth, Liberty Alliance, PAPI, A-Select
The eduGAIN components
• Bridging Elements (BE)
– Interconnection points
– Federation-wide (LFA) or distributed (LA)
• Federation Peering Point (FPP)
– Able to announce BE metadata
• The Metadata Service (MDS)
– Centralised metadata storage, distributed publishing and trust
– Publishing interface (for FPPs and authorised BEs)
– Querying interface (for BEs)
The eduGAIN model (figure)
• The MDS sits between the two sides: the remote FPP (R-FPP) and the home FPP (H-FPP) publish metadata to it, and the remote BE (R-BE) queries it to locate the home BE (H-BE)
• Remote side: Resource(s) behind the R-BE; home side: Id Repository(ies) behind the H-BE
• AA interaction runs between R-BE and H-BE, and between each BE and its local resources or identity repositories
Component identifiers
• eduGAIN operations strongly depend on having unique, structured and well-defined component identifiers
• Based on URNs delegated by the eduGAIN registry to the participating federation
• Identifiers establish the kind of component they apply to by means of normalised prefixes
• Identifiers follow the hierarchy of the trust-establishing process
The (X.509) trust fabric
• Validation procedures include
– Normal certificate validation: trust path evaluation, signatures, revocation, …
– Peer identification: certificates hold the component identifier, and it must match the appropriate metadata
• Applicable to
– TLS connections between components: two-way validation is mandatory
– Verification of signed XML assertions
A general model for eduGAIN interactions (figure)
• Requester (in front of the Resource, identified as urn:geant2:...:requester) and Responder (in front of the Id Repository, identified as urn:geant2:...:responder) talk over a TLS channel; each also has a TLS channel to the MDS
• Metadata lookup at the MDS:
  https://mds.geant.net/ ?cid=someURN
  <EntityDescriptor . . . entityID="urn:geant2:..:responder"> . . . <SingleSignOnService . . . Location="https://responder.dom/" /> . . .
• Request and correlated response:
  <samlp:Request . . . RequestID="e70c3e9e6…" IssueInstant="2006-06…"> . . . </samlp:Request>
  <samlp:Response . . . ResponseID="092e50a08…" InResponseTo="e70c3e9e…"> . . . </samlp:Response>
Operation mapping
• Maps the abstract service definition into actual protocols
• Current version is based on SAML 1.1
– Profiling the standard to fit abstract parameters
• A SAML 2.0 implementation will be available along the lifetime of the project
– The abstract service specification protects components and applications from these changes
• Authentication assertions and attribute exchange mechanisms are designed to be Shibboleth 1.3 compatible (and Shibboleth 2 in the future)
Metadata Service
• Based on REST interfaces transporting SAML 2.0 metadata
• Metadata are published through POST operations
• Metadata are retrieved through GET operations
• URLs are built as MDSBaseURL/FederationID/entityID?queryString
– Using component names
– The query string transports data intended to locate the appropriate home BE (Home Locators)
• Hints provided by the user
• Contents of certificate extensions (SubjectInformationAccess)
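The requester side of the interaction model and the Metadata Service URL scheme, as an added example: this is not eduGAIN's code and the component identifier, MDS base URL, federation ID and metadata document are all made up for it. It builds the `MDSBaseURL/FederationID/entityID?queryString` lookup, parses the SAML 2.0 metadata the MDS would return (refusing metadata whose entityID is not the component asked for, or whose endpoint is not TLS), then runs the SAML 1.1 Request/Response exchange offline and checks what a requester must check before trusting the answer: `InResponseTo` matches its own fresh `RequestID`, the `IssueInstant` is recent, the status is success, and the assertion's `Issuer` is the component resolved from metadata. Signature verification and the X.509 check that the peer certificate carries the same component identifier are part of the eduGAIN trust fabric but are out of scope here.

```python
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
for prefix, uri in (("md", MD), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)

# Constructed metadata as the MDS might return it; the identifier is hypothetical,
# not the real eduGAIN URN scheme.
RESPONDER_ID = "urn:example:edugain:be:responder"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="{RESPONDER_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:1.0:profiles:browser-post"
                            Location="https://responder.example.org/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def mds_query_url(base, federation_id, entity_id, home_locators=None):
    """MDSBaseURL/FederationID/entityID?queryString. Percent-encoding the URN
    (colons included) is this example's choice; the slides do not specify it."""
    url = "/".join([base.rstrip("/"), quote(federation_id, safe=""), quote(entity_id, safe="")])
    return url + ("?" + urlencode(home_locators) if home_locators else "")

def parse_entity_descriptor(xml_text, expected_entity_id):
    """Pull the responder endpoint out of the metadata; refuse metadata that is not
    about the component asked for or that points at a non-TLS endpoint."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    if root.get("entityID") != expected_entity_id:
        raise ValueError("metadata entityID does not match the requested component identifier")
    sso = root.find(f".//{{{MD}}}SingleSignOnService")
    if sso is None or not (sso.get("Location") or "").startswith("https://"):
        raise ValueError("no TLS-protected SingleSignOnService endpoint")
    return {"entityID": root.get("entityID"), "location": sso.get("Location")}

def make_request(now=None):
    """Requester: a fresh, unpredictable RequestID is what binds the answer to us."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)
    el = ET.Element(f"{{{SAMLP}}}Request", {"RequestID": request_id, "MajorVersion": "1",
                                             "MinorVersion": "1", "IssueInstant": now.strftime(TIME_FMT)})
    return request_id, ET.tostring(el, encoding="unicode")

def make_response(request_xml, issuer, now=None):
    """Responder (constructed, unsigned): echoes the RequestID in InResponseTo."""
    now = now or datetime.now(timezone.utc)
    req_id = ET.fromstring(request_xml).get("RequestID")
    resp = ET.Element(f"{{{SAMLP}}}Response", {"ResponseID": "_" + secrets.token_hex(16),
                      "InResponseTo": req_id, "MajorVersion": "1", "MinorVersion": "1",
                      "IssueInstant": now.strftime(TIME_FMT)})
    status = ET.SubElement(resp, f"{{{SAMLP}}}Status")
    ET.SubElement(status, f"{{{SAMLP}}}StatusCode", {"Value": "samlp:Success"})
    ET.SubElement(resp, f"{{{SAML}}}Assertion", {"AssertionID": "_" + secrets.token_hex(16), "Issuer": issuer,
                  "MajorVersion": "1", "MinorVersion": "1", "IssueInstant": now.strftime(TIME_FMT)})
    return ET.tostring(resp, encoding="unicode")

def check_response(response_xml, expected_request_id, expected_issuer, now=None, max_age=timedelta(minutes=5)):
    """Requester: correlate, check freshness, and tie the assertion to the responder
    resolved from metadata. Returns None when accepted, otherwise the reason."""
    now = now or datetime.now(timezone.utc)
    resp = ET.fromstring(response_xml)
    if resp.tag != f"{{{SAMLP}}}Response":
        return "not a samlp:Response"
    if resp.get("InResponseTo") != expected_request_id:
        return "InResponseTo does not match our RequestID (unsolicited or replayed)"
    issued = datetime.strptime(resp.get("IssueInstant"), TIME_FMT).replace(tzinfo=timezone.utc)
    if not (now - max_age <= issued <= now + timedelta(minutes=1)):
        return "IssueInstant outside the acceptance window"
    code = resp.find(f"./{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not (code.get("Value") or "").endswith(":Success"):
        return "status is not Success"
    assertion = resp.find(f"./{{{SAML}}}Assertion")
    if assertion is None or assertion.get("Issuer") != expected_issuer:
        return "assertion Issuer is not the responder resolved in metadata"
    return None

def demo():
    """The whole exchange of the 'general model' slide, offline, on the constructed data."""
    url = mds_query_url("https://mds.example.net", "example-fed", RESPONDER_ID, {"home": "example.org"})
    md = parse_entity_descriptor(SAMPLE_METADATA, RESPONDER_ID)
    request_id, request_xml = make_request()
    issuer = md["entityID"]
    return {
        "url": url, "endpoint": md["location"],
        "good": check_response(make_response(request_xml, issuer), request_id, issuer),
        "impostor": check_response(make_response(request_xml, "urn:example:edugain:be:impostor"), request_id, issuer),
        "replay": check_response(make_response(request_xml, issuer), "_" + secrets.token_hex(16), issuer),
        "stale": check_response(make_response(request_xml, issuer, now=datetime(2006, 6, 1, tzinfo=timezone.utc)),
                                request_id, issuer),
    }

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `None` for the honest exchange and a reason string for the three failure cases (wrong issuer, a response for a different request, a stale response); in a real BE each of those is a hard reject, not a warning.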
eduGAIN profiles
• Three profiles defined so far
– Web SSO (Shibboleth compatible)
– Automated client (no human interaction)
– Non-web client (use of SASL-CA)
• Others envisaged
– Extended Web SSO (allowing the sending of POST data)
– eduGAIN usage from roaming clients (DAMe)
• Based on SAML 1.1
– Mapping to SAML 2.0 profiles along the transition period
eduroam-ng
• After evaluating Diameter, RadSec and DNSROAM:
• Introduction of RadSec (if possible)
– TCP instead of UDP
– TLS between RADIUS servers instead of shared secrets
– I-D in the IETF radext wg planned
• Possibly at a later stage introduction of DNSROAM
– Support for direct peer interaction
– How about firewalls / access lists?
• Eventually Diameter?
![Page 33: eduroam und andere Themen in GN2-JRA5 - DFN · eduroam und andere Themen in GN2-JRA5 DFNRoaming Workshop Stuttgart 30 November 2006 Jürgen Rauschenbach, DFN-Verein, jrau@dfn.de ...](https://reader034.fdocument.pub/reader034/viewer/2022042106/5e84b65735b404425d331606/html5/thumbnails/33.jpg)
First Goal: Extension of eduroam Using NAS-SAML (figure)
• Guest piet@university_b.nl with a supplicant at University A: authenticator (AP or switch) → RADIUS server University A → SURFnet central RADIUS proxy server → RADIUS server University B (home); each RADIUS server has its own UserDB; signalling and data paths are drawn separately
• Added to the RADIUS chain: a SAML Source Attribute Authority and an XACML Policy Decision Point
• User mobility controlled by assertions and policies expressed in SAML and XACML
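How "assertions and policies expressed in SAML and XACML" control a visitor's network access, as an added example that is not DAMe's or NAS-SAML's own code: a constructed SAML 1.1 attribute statement from the home Source Attribute Authority (Shibboleth 1.3 attribute naming, unsigned here) is turned into an XACML request context, and a constructed XACML 2.0 policy of the visited institution is evaluated by a minimal Policy Decision Point. The evaluator deliberately supports only `string-equal` matches and the `first-applicable` / `deny-overrides` rule-combining algorithms and raises on anything else; the attribute names, VLAN names and policy content are assumptions for the example.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
XACML = "urn:oasis:names:tc:xacml:2.0:policy:schema:os"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
AFFILIATION = "urn:mace:dir:attribute-def:eduPersonAffiliation"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"

def home_assertion(name_id: str, *affiliations: str) -> str:
    """Constructed SAML 1.1 attribute statement as the home Source Attribute Authority
    would issue it (unsigned; in eduGAIN it is signed and carried over TLS)."""
    values = "".join(f"<saml:AttributeValue>{a}</saml:AttributeValue>" for a in affiliations)
    return (f'<saml:Assertion xmlns:saml="{SAML}" AssertionID="_1" Issuer="university_b.nl" '
            f'MajorVersion="1" MinorVersion="1" IssueInstant="2006-11-30T10:00:00Z">'
            f'<saml:AttributeStatement><saml:Subject><saml:NameIdentifier>{name_id}'
            f'</saml:NameIdentifier></saml:Subject><saml:Attribute AttributeName="{AFFILIATION}" '
            f'AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">{values}'
            f'</saml:Attribute></saml:AttributeStatement></saml:Assertion>')

# Constructed XACML 2.0 policy of the visited institution: staff and students from the
# federation get the guest VLAN; everything else (other affiliations, other VLANs) is denied.
VISITED_POLICY = f"""<Policy xmlns="{XACML}" PolicyId="visited-guest-network"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="guest-vlan-for-staff-and-students" Effect="Permit">
    <Target>
      <Subjects>
        <Subject><SubjectMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">staff</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{AFFILIATION}" DataType="{XS_STRING}"/>
        </SubjectMatch></Subject>
        <Subject><SubjectMatch MatchId="{STRING_EQUAL}">
          <AttributeValue DataType="{XS_STRING}">student</AttributeValue>
          <SubjectAttributeDesignator AttributeId="{AFFILIATION}" DataType="{XS_STRING}"/>
        </SubjectMatch></Subject>
      </Subjects>
      <Resources><Resource><ResourceMatch MatchId="{STRING_EQUAL}">
        <AttributeValue DataType="{XS_STRING}">guest-vlan</AttributeValue>
        <ResourceAttributeDesignator AttributeId="{RESOURCE_ID}" DataType="{XS_STRING}"/>
      </ResourceMatch></Resource></Resources>
    </Target>
  </Rule>
  <Rule RuleId="default-deny" Effect="Deny"/>
</Policy>"""

CATEGORIES = {  # target group -> (item tag, match tag, designator tag, request-context key)
    "Subjects": ("Subject", "SubjectMatch", "SubjectAttributeDesignator", "subject"),
    "Resources": ("Resource", "ResourceMatch", "ResourceAttributeDesignator", "resource"),
    "Actions": ("Action", "ActionMatch", "ActionAttributeDesignator", "action"),
}

def q(tag):
    return f"{{{XACML}}}{tag}"

def match_true(m, designator_tag, bag):
    """One *Match element: string-equal of the literal against any value in the attribute bag."""
    if m.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(f"unsupported MatchId {m.get('MatchId')}")
    wanted = m.find(q("AttributeValue")).text
    attr_id = m.find(q(designator_tag)).get("AttributeId")
    return wanted in bag.get(attr_id, [])

def target_matches(target, request):
    """XACML target semantics: every present group must match; a group matches if any
    of its items matches; an item matches if all of its *Match elements are true."""
    if target is None:
        return True
    for group, (item, match_tag, designator, key) in CATEGORIES.items():
        g = target.find(q(group))
        if g is None:
            continue
        if not any(all(match_true(m, designator, request[key]) for m in it.findall(q(match_tag)))
                   for it in g.findall(q(item))):
            return False
    return True

def evaluate(policy_xml, request):
    policy = ET.fromstring(policy_xml)
    if not target_matches(policy.find(q("Target")), request):
        return "NotApplicable"
    effects = [r.get("Effect") for r in policy.findall(q("Rule")) if target_matches(r.find(q("Target")), request)]
    alg = policy.get("RuleCombiningAlgId", "")
    if alg.endswith(":first-applicable"):
        return effects[0] if effects else "NotApplicable"
    if alg.endswith(":deny-overrides"):
        return "Deny" if "Deny" in effects else "Permit" if "Permit" in effects else "NotApplicable"
    raise NotImplementedError(f"unsupported combining algorithm {alg}")

def subject_attributes(assertion_xml):
    """Attribute bag for the request context, keyed by SAML AttributeName."""
    attrs = {}
    for a in ET.fromstring(assertion_xml).iter(f"{{{SAML}}}Attribute"):
        attrs.setdefault(a.get("AttributeName"), []).extend(v.text for v in a.findall(f"{{{SAML}}}AttributeValue"))
    return attrs

def pdp_decision(assertion_xml, resource_id, policy_xml=VISITED_POLICY):
    """What the visited PDP answers for a guest described by the home assertion."""
    request = {"subject": subject_attributes(assertion_xml),
               "resource": {RESOURCE_ID: [resource_id]},
               "action": {"urn:oasis:names:tc:xacml:1.0:action:action-id": ["access"]}}
    return evaluate(policy_xml, request)
```

With the policy above, `pdp_decision(home_assertion("piet@university_b.nl", "staff"), "guest-vlan")` is `Permit`, while an alumnus, an empty attribute statement, or a request for any other VLAN falls through to the default-deny rule. Authorisation is thereby decided at the visited site from attributes the home site vouches for, which is the separation the eduroam principles slide asks for.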
Second Goal: eduGAIN as AuthN and AuthR backend
• Link between the AAA servers (now acting as Service Providers) and eduGAIN
Conclusions / summary
• eduroam transition to service progressing
• Rollout needs support by participating NRENs
• AAI component implementation almost complete (eduGAIN)
• Initial profiles defined
• Tests with real federations soon
• Forming an eduGAIN confederation by adding a policy to the infrastructure is on our agenda
• SSO requirements and model under discussion