carsi: federated identity and resource sharing over cernet

CARSI: Federated Identity and Resource Sharing over CERNETDr. PING CHEN

Peking University(北京大学 )

Jan, 24th, 2008

Agenda

Current AAI Situation over CERNET Our Plan: CARSI CARSI Elements

CARSI Infrastructure CARSI Federation Contract Negotiation & Audit CARSI Federation Provider Registry CARSI Virtual Resource Directory CARSI OpenIdP CARSI Services

Current Deployment Current Focuses

Current AAI situation over CERNET Most Univ. have campus-wide IDM Univ. web applications run in two ways:

accessed publicly without protection only be visited by a closed set of users

Cross-univ. AAI is important to sharing Sharing object can be user identity resource Sharing object can also be web applications

Cross-univ. AAI and resource sharing is still in the experimental stage

Our Plan: CARSI Cernet Authentication and Resource Sharing Infrastructure Goals:

To integrate university IDMs to a CERNET AAI To share univ. user account resources over CERNET To share existing protected web application resources from a

closed set of users to CERNET users To protect existing unprotected web applications To provide a basic AAI middleware for CERNET applications To standardize and simplify application’s upgrade to AAI- pro

tected To push new applications cross universities

CARSI Elements:

1. CARSI infrastructure Based on SAML/shibboleth

2. CARSI FCNA Federation Contract Negotiation & Audit

3. CARSI FPR Federation Provider Registry

4. CARSI OpenIdP An IdP providing free registered fed account for test users

5. CARSI Services SP-protected web applications for fed users

6. Others

1. CARSI infrastructure

CARSI-Fed: cross-domain federation CARSI-portal

A web portal for fed user login A web portal providing resource list for fed users

CARSI-WAYF: where are you from CARSI-VRD: Virtual Resource Directory CARSI-Person: CARSI User Attribute Specification

CARSI-Uid(Universal user identity): localid@domainid CARSI-IdP: shibboleth IdP + CARSI-SP: shibboleth SP +

Infrastructure Workflow

Way 1: 1. Portal login -> 2. select application from resource list -> 3. visit web application

Way 2: 1. request to visit web application-> 2. redirected to portal to login-> 3. visit application

CARSI-Portal

Infrastructure WorkflowWay 1 Demo

Web browser

CARSI

IdP

CARSI

SP

Application

CARSI

WAYF

CARSI

VRD

CARSI

Portal

CARSI SP

Web browser

CARSI

IdP

CARSI

SP

1. login with CARSI-Uid

Application

Infrastructure WorkflowWay 1 Demo

CARSI

WAYF

CARSI

VRD

CARSI

Portal

CARSI SP

Web browser

CARSI

IdP

CARSI

SP

2. Redirect to IdP3.Pass auth, redirect to VRD

4. Resource list returned to user

Application

Infrastructure WorkflowWay 1 Demo

CARSI

WAYF

CARSI

VRD

CARSI

Portal

CARSI SP

Web browser

CARSI

IdP

CARSI

SP

5. Select an application to visit

6. Visit SP-protected application7. First time visit the resource, redirect to WAYF8. Redirect to visiting user’s IdP

9. The user has passwd auth, redirect to SP

Application

Infrastructure WorkflowWay 1 Demo

CARSI

WAYF

CARSI

VRD

CARSI

Portal

CARSI SP

Web browser

CARSI

IdP

CARSI

SPCARSI

WAYF

CARSI

VRD

CARSI

Portal

CARSI SP

Application

10. Pass authorization, user accesses application

Infrastructure WorkflowWay 1 Demo

2. CARSI FCNAFederation Contract

Negotiation & Audit Goal: How many and what kind of influences does cross-domain AAI bring to users

(IdP) and applications(SP)? How can cross-domain AAI running in a controllable way? Contract? Negotia

tion? The economic model? How is cross-domain AAI being used? What’s user’s using habit?

Methods: Federation log record, aggregation and analysis: IdP log, SP log, Portal log,

WAYF log, etc. Resource sharing statistics

Based on IdP, how many IdP users visit other-domain applications, their using habit, etc

Based on SP, which domain and what kind of users visit it, what is the peak visiting time, etc

User’s behavior and action tracking Tracing user’s visiting sequence Which visiting sequence is more adopted? How cross-domain AAI benefit them?

CARSI FCNA interfaces

3. CARSI FPR: Federation Provider Registry A system for federation members to manage domai

n/IdP/SP by themselves Administrators are required to register accounts dep

ending on administrative object Administrator account management is role-based

Role: FedAdmin, OrgAdmin, IdPAdmin, SPAdmin IdP/SP register and management

Followed with corresponding management policy IdP/SP/Admin policy

3. CARSI FPR: Federation Provider Registry

FedAdmin To manage member administrator accounts and member IdP/SPs

OrgAdmin To manage Admins of a domain/organization Activated by paper documents stamped with organization seal 1 domain may have multiple admins with OrgAdmin role

IdPAdmin To manage 1 IdP Activated by OrgAdmin or other IdPAdmin for the same IdP 1 IdP may have multiple admins with IdPAdmin role

SPAdmin To manage 1/n SPs Activated by OrgAdmin or other SPAdmin for the same SP 1 SP may have multiple admins with SPAdmin role

4. CARSI VRD: Virtual Resource Directory A list of sharing web applications One part of CARSI-Portal Synchronized with FPR-registered SPs SP protected Classified and exhibited for user access

5. CARSI-OpenIdP

An open identity provider

Freely registered

Mainly for test purpose

6. CARSI-Services

Online served: Black Board System PKU Exquisite Courses Campus IP gateway Content Management System Network Management Systems

On-going: CARSI vConf: Video Conference CARSI library others

Current Deployment

Members: 5 of 10 CERNET regional nodes: Peking Univ.,

Tsinghua Univ., BUPT, SCUT, UESTC 1 research institute: Research Institute of

Telecommunication Transmission

Applications: about 10

Current Deployment

CARSI-Portal

PKU SP-NMS

PKU SP-EC

PKU SP-CMS

PKU SP-BBS

BUPT IdP

Local AAI

BUPT SP-IPGW

Local IPGW

UESTC IdP UESTC SP-IPGW

THU IdP

THU SP-BBS

SCUT IdP

SCUT SP-BBSRITT IdP RITT SP-BBS

CARSI-FCNA

Local AAI

PKU IdPLocal AAI

PKU SP-IPGWLocal IPGW

Local IPGW

PKU

RITT

SCUT

BUPT UESTC

THUCARSI

-OpenIdPCARSI-FPR

Current Focuses:

Complete the above key functions Extend the federation to more universities. Attract more applications. Find out an easy way to make applications sh

ibbolethed

Thank You!

CARSI: http://www.carsi.edu.cnEmail: carsi@pku.edu.cn