TF-Mobility. Rome, October 2009

A Few Ideas on eduroam Service Composition

TF-Mobility. Rome, October 2009

In Brief

• Take advantage of the eduroam data exchange to provide additional information useful to other services Opaque identity Attributes used for admission Location Postures (NEA/NAC/…)

• Possible use cases Delegated authorization Location-aware services Security assessment

TF-Mobility. Rome, October 2009

Applying DAMe Home Institution

Remote Insitution

SAMLResp.

AttributeStat.attributes

Access-Accept (with handle)

translateobligations

ACCESS-ACCEPT+ propertiesEAP-SUCCESS

eduroam

SearchRequest(uid:handle, action,

resource)

SearchResult(obligations)

Network authentication

RADIUSRADIUS

End User

NAPeduGAIN

BE

PDP(AuthZEngine)

eduGAINBE

idPAuthn

Attrib.

SAMLRequest

AttributeQueryhandle

EAPOL

EAP

RADIUS

Federation specific

RADIUS / EAP

SOAP

LDAP SOAP

XACMLResourceAccessPolicy

SAMLResponse

XACMLAuthZDecSt.XACMLResponse

result obligs.

SAMLRequest

XACMLAuthZDecisionQXACMLRequest

handle

res. action

evidenceattrs.

TF-Mobility. Rome, October 2009

Some Possible Procedures

• The user knows their opaque identity In advance (EPPN / EPTID) Interactively (CUI) By means of an artifact (eduToken InfoCard)

• And can be applied to Services controlling firewalls by a local user Queries to establish location and origin at portals or

service gateways STS as enabler for other composed services Enhanced log correlation and analysis Any other consumer of the exchanged data

TF-Mobility. Rome, October 2009

A Path to Start Exploring

• Accessible data Minimum impact on protocols

• Access procedures Requirements for additional components

• Humans in the loop Management Privacy

• eduroam as consumer Any use case?

• Let it happen™