Introduction of Identity & Access Management Federation. Motonori Nakamura, NII Japan

Transcription

1 Introduction of Identity & Access Management Federation Motonori Nakamura, NII Japan

2 } IP networking } The network enables a variety type of attractive applications } Communication Video conferencing } Information (Data/Content) sharing Web services } E-learning } Many research activities can be made on the network E-Sciences } Nation-Wide Network for Research & Education has been constructed by each NRENs } Cutting edge technologies/researches require broader bandwidth 10G, 100G, 2

3 } Research on more advanced network architecture to support advanced applications is still important } Generic application services will be provided from the cloud as infrastructure with low cost } Management of content is still important } Information, Knowledge, data } Most applications require user authentication } Identity management per each service is much costy } Identity Management is the key 3

4 } Unification of Identity Management in an organization } To reduce management cost } The unified Identity can be used to access outside cloud services } Using standardized protocol (SAML) to share cloud services among organizations Federation Distributed IDM Previous Univ. A Univ. B Univ. C ID/Pass Organization IDM System ID1/Pass1 ID2/Pass2 ID3/Pass3 elearning System Web Mail E-Journal elearning System Web Mail E-Journal 4 Inside of Univ. outside

5 1. Login by Fed 2. Select Home Org 3. Input ID & Pass 4. Complete Login SP (Service Provider) DS (Discovery Service) SP SAML (Attribute) IdP SP (Identity Provider) (Service Provider) 5

6 TARO SUZUKI 08/07 Want to DL PPV Paper In CiNii Redirect to IdP ID & Password Personal Info DB Please DL He/She is a member of our University IdP University User Want to DL from Science Direct as well You have authned. Please Want to update RefWorks record Once she/he has logged in then Single Sign On You have authned. Please 6 6

7 Search Paper Read Paper Mange Paper SSO SSO } Facilitate Remote Access } Improve Usability by SSO etc. 7

8 } The Federation is } Secure, scalable and easy login architecture by standard protocol: SAML Authentication Authorization IdP SP } } } } } Organization Name Affiliation Opaque ID Mail Address etc. 8

9 } Based on web single-sign-on (SSO) technology } Easy access to authenticated web services } Lower management cost } For users } For identity managers } For service providers } Safe (privacy-preserving) } Secure (eliminate insecure servers) } Scalable (distributed identity management) 9

10 } Reliable } Based on trusted database (to avoid pretension) } For cheaper contract } Based on granular access control instead of IP range based access control (department, etc.) } Location (IP address) free access control 10

11 11 Source:

12 12 InCommon serves almost 6 million end-users through federated identity management.

13 Current Services Portfolio 36 Services Infrastructure-as-a-Service! Software-as-a-Service! Communications-as-a-Service! Other Services! + 13 Many services requires InCommon membership

14 } Global NREN CEO Forum } Geneva, 2012 } 13 NRENs:AARNet, CANARIE, CERNET, CUDI, DFN, Internet2, Janet, NORDUnet, REANNZ, RedCLARA, RENATER, RNP, SURFnet } Initial Steps 1. Global Network Architecture 2. Global Federated Identity Management 3. Global Realtime Communications Exchange 4. Global Service Delivery 14 RBUCH+NORDUnet+Challenges+Towards+2020+DEIC+version.pdf

15 15

16 16

17 17 Interfederation by

18 18 GakuNin is also a member of edugain

19 19

20 20

21 } } Standard that allows secure web domains to exchange user authn and authz data Standardized by OASIS } Open Source project launched by EDUCAUSE/Internet2 in 2000 } } } De facto standard in academic access management federation } Widely utilizes by European federations in addition to US simplesamlphp mainly utilizes by Nordic countries, will be the other choice User Info LDAP Shibboleth IdP SAML Standard Shibboleth SP 21 Something like a Filter which mediates SAML message

22 IdP (Home Org) 9 SP (Resource Provider) 6 7 属性情報 8 Access Approved HTTPS DS (Discovery Service) User 1

23 23 Name (abbreviation) Description OrganizationName (o) English name of the organization jaorganizationname (jao) OrganizationalUnit (ou) jaorganizationalunit (jaou) edupersonprincipalname (eppn) edupersontargetedid edupersonaffiliation edupersonscopedaffiliation edupersonentitlement SurName (sn) jasurname (jasn) givenname jagivenname displayname jadisplayname mail gakuninscopedpersonaluniquecode Japanese name of the organization English name of a unit in the organization Japanese name of a unit in the organization Uniquely identifies an entity in GakuNin A pseudonym of an entity in GakuNin Staff, Faculty, Student, Member Staff, Faculty, Student, Member with scope Qualification to use a specific application Surname in English Surname in Japanese Given name in English Given name in Japanese Displayed name in English Displayed name in Japanese address Student or faculty, staff number with scope Static Not much used Not much used Generate from ID Generate LDAP tree Not so difficult to map the Shib Attr and LDAP

24 Register Meta data Register Distribute (download) Distribute (download) IdP (Home Org) SP (Resource Provider) 24 DS (Discovery Service) User

25 Federation Metadata Signed Info IdP Info SP Info IdP 1 Info IdP 2 Info SP 1 Info SP 2 Info Entity Metadata (IdP) ID of IdP 1=entityID Certificate Protocol Organization Info Entity Metadata (SP) ID of SP 1=entityID Certificate Protocol Organization Info 25

26 SP B SP C SP A Federation DS (Discovery Service) Repository Federation Metadata Entity Metadata 26 IdP A IdP B IdP C Reliability of the relying party is confirmed by the singed metadata. Participants comply policies defined by the federation.

27 } Deploy IAM federation in your NREN 27