TRANSCRIPT
TF-Mobility. Rome, October 2009
A Few Ideas on eduroam Service Composition
In Brief
• Take advantage of the eduroam data exchange to provide additional information useful to other services
  – Opaque identity
  – Attributes used for admission
  – Location
  – Postures (NEA/NAC/…)
• Possible use cases
  – Delegated authorization
  – Location-aware services
  – Security assessment
Applying DAMe
[Figure: sequence diagram of the DAMe exchange on top of eduroam and eduGAIN, reconstructed from the slide. Participants: the End User; at the Remote Institution the NAP, its RADIUS server and an eduGAIN BE; at the Home Institution the RADIUS server, an eduGAIN BE, the IdP (Authn and Attrib.) and the PDP (AuthZ Engine) holding the XACML Resource Access Policy. Protocol legend: EAPOL and EAP between user and NAP, RADIUS inside each site, federation specific RADIUS / EAP between the sites, SOAP between the eduGAIN BEs, LDAP between NAP and BE. Message flow as read from the diagram:
• Network authentication: End User to NAP (EAPOL/EAP), remote RADIUS to home RADIUS, IdP Authn.
• Home institution answers Access-Accept (with handle); the remote side sees the opaque handle, not the user name.
• NAP to remote BE over LDAP: SearchRequest(uid:handle, action, resource).
• Remote BE to home BE over SOAP: SAMLRequest carrying an XACMLAuthzDecisionQuery / XACMLRequest with handle, resource, action and evidence attributes.
• Home BE to IdP Attrib.: SAMLRequest AttributeQuery(handle); answer SAMLResponse with AttributeStatement(attributes).
• PDP (AuthZ Engine) evaluates the XACML Resource Access Policy; home BE returns SAMLResponse with XACMLAuthzDecisionStatement / XACMLResponse: result and obligations.
• Remote BE to NAP: SearchResult(obligations); the remote side translates the obligations into local properties.
• NAP to End User: ACCESS-ACCEPT + properties, EAP-SUCCESS.]
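The exchange in the diagram, modelled end to end as an added example (this is not DAMe's or eduroam's code). The handle construction (a keyed hash bound to the visited realm), the user store, the policy rules standing in for the XACML Resource Access Policy, the evidence attribute checked and the local VLAN plan are all assumptions made for illustration; the RADIUS attribute names used for VLAN assignment are the RFC 3580 ones.

```python
import hashlib
import hmac

# ---- Home institution: IdP (Authn, Attrib.) and PDP (AuthZ Engine) ----

HOME_SECRET = b"home-idp-handle-secret"   # constructed key, assumption

# Constructed user store: credentials for Authn, attributes for the
# AttributeStatement returned to AttributeQuery(handle).
HOME_USERS = {
    "alice@home.example": {"password": b"alice-pw", "eduPersonAffiliation": "staff"},
    "bob@home.example":   {"password": b"bob-pw",   "eduPersonAffiliation": "student"},
}

HANDLE_INDEX = {}   # handle -> user name; exists only at the home institution


def issue_handle(user, visited_realm):
    """Opaque handle carried in the Access-Accept (assumed construction).
    Keyed and bound to the visited realm: the remote side cannot recover
    the user name, and two visited realms cannot join their logs."""
    msg = f"{user}|{visited_realm}".encode()
    return hmac.new(HOME_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def home_authenticate(user, password, visited_realm):
    """IdP Authn over RADIUS/EAP: the Access-Accept carries the handle only."""
    entry = HOME_USERS.get(user)
    if entry is None or not hmac.compare_digest(entry["password"], password.encode()):
        return {"code": "Access-Reject"}
    handle = issue_handle(user, visited_realm)
    HANDLE_INDEX[handle] = user
    return {"code": "Access-Accept", "handle": handle}


def pdp_decide(handle, resource, action, evidence):
    """XACMLAuthzDecisionQuery(handle, resource, action, evidence) at the
    home PDP. The rules below stand in for the XACML Resource Access
    Policy (assumed policy)."""
    user = HANDLE_INDEX.get(handle)
    if user is None:                                   # AttributeQuery(handle) finds nothing
        return {"result": "Indeterminate", "obligations": []}
    attrs = HOME_USERS[user]                           # AttributeStatement(attributes)
    if resource != "network" or action != "access":
        return {"result": "Deny", "obligations": []}
    if evidence.get("NAS-Port-Type") != "Wireless-802.11":   # evidence from the visited side
        return {"result": "Deny", "obligations": []}
    if attrs["eduPersonAffiliation"] not in ("staff", "student"):
        return {"result": "Deny", "obligations": []}
    return {"result": "Permit", "obligations": [("vlan", attrs["eduPersonAffiliation"])]}


# ---- Remote institution: NAP plus eduGAIN BE (translate obligations) ----

LOCAL_VLANS = {"staff": 10, "student": 20}   # this site's VLAN plan, assumption


def translate_obligations(obligations):
    """Turn PDP obligations into RADIUS attributes the NAP understands
    (RFC 3580 VLAN assignment). XACML obligations are binding: one the PEP
    cannot honour must not be dropped silently, so return None and let the
    caller reject."""
    props = {}
    for name, value in obligations:
        if name == "vlan" and value in LOCAL_VLANS:
            props["Tunnel-Type"] = "VLAN"
            props["Tunnel-Medium-Type"] = "IEEE-802"
            props["Tunnel-Private-Group-Id"] = str(LOCAL_VLANS[value])
        else:
            return None
    return props


def remote_network_access(user, password, visited_realm="visited.example"):
    """The whole sequence from the diagram, end to end."""
    authn = home_authenticate(user, password, visited_realm)      # RADIUS/EAP to home
    if authn["code"] != "Access-Accept":
        return {"code": "Access-Reject", "eap": "EAP-Failure"}
    handle = authn["handle"]
    # NAP -> BE: SearchRequest(uid:handle, action, resource); BE -> home PDP over SOAP
    evidence = {"visited_realm": visited_realm, "NAS-Port-Type": "Wireless-802.11"}
    decision = pdp_decide(handle, "network", "access", evidence)
    props = translate_obligations(decision["obligations"]) if decision["result"] == "Permit" else None
    if props is None:                                             # SearchResult(obligations) unusable
        return {"code": "Access-Reject", "eap": "EAP-Failure", "handle": handle}
    return {"code": "Access-Accept", "eap": "EAP-Success", "handle": handle, "properties": props}


if __name__ == "__main__":
    print(remote_network_access("alice@home.example", "alice-pw"))
```

Two points worth keeping from the model: the remote institution never receives anything it could map back to a person, only a handle it can present in its own queries; and a Permit with an obligation the NAP cannot satisfy becomes a rejection rather than an unrestricted accept. Binding the handle to the visited realm is a privacy choice with a cost: it prevents correlating one user's sessions across sites, which some of the use cases on the following slides rely on.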
Some Possible Procedures
• The user knows their opaque identity
  – In advance (EPPN / EPTID)
  – Interactively (CUI)
  – By means of an artifact (eduToken InfoCard)
• And can be applied to
  – Services controlling firewalls by a local user
  – Queries to establish location and origin at portals or service gateways
  – STS as enabler for other composed services
  – Enhanced log correlation and analysis
  – Any other consumer of the exchanged data
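Two of the listed consumers, portal queries for location and origin and log correlation, worked through on constructed accounting data as an added example (not code from the slides or from any eduroam deployment). The key=value record layout is invented for the example; the records themselves are constructed, including the handles. The example assumes the home institution hands the same opaque identity to both visited realms; where handles are bound to the visited realm, the correlation only works within one realm.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed accounting records (one key=value line per RADIUS accounting
# packet; the layout is invented for this example, not a server's format).
# cui is the opaque identity issued by the home institution; outer is the
# anonymous outer identity and only reveals the home realm.
ACCT_LOG = """\
ts=2009-10-20T09:01:12Z type=Start realm=visited-a.example nas=ap-library-2 cui=5f1d9e0c mac=00-11-22-33-44-55 ip=10.1.4.23 outer=anonymous@home.example
ts=2009-10-20T09:05:40Z type=Start realm=visited-a.example nas=ap-hall-1 cui=a77b10ce mac=66-77-88-99-aa-bb ip=10.1.4.57 outer=anonymous@other.example
ts=2009-10-20T09:50:00Z type=Start realm=visited-b.example nas=ap-lab-3 cui=a77b10ce mac=12-34-56-78-9a-bc ip=10.9.2.9 outer=anonymous@other.example
ts=2009-10-20T10:30:05Z type=Stop realm=visited-a.example nas=ap-library-2 cui=5f1d9e0c mac=00-11-22-33-44-55 ip=10.1.4.23 outer=anonymous@home.example
ts=2009-10-20T10:32:00Z type=Start realm=visited-b.example nas=ap-lab-3 cui=5f1d9e0c mac=cc-dd-ee-ff-00-11 ip=10.9.2.8 outer=anonymous@home.example
"""

FAR_FUTURE = datetime.max.replace(tzinfo=timezone.utc)   # stand-in for "still open"


def ts(text):
    """Parse the UTC timestamps used in the records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_records(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(field.split("=", 1) for field in line.split())
        rec["ts"] = ts(rec["ts"])
        rec["home_realm"] = rec["outer"].rsplit("@", 1)[1]   # origin, from the outer identity
        records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def build_sessions(records):
    """Pair Start/Stop by (cui, realm, nas, mac); unmatched Starts stay open."""
    open_sessions, sessions = {}, []
    for r in records:
        key = (r["cui"], r["realm"], r["nas"], r["mac"])
        if r["type"] == "Start":
            open_sessions[key] = {
                "cui": r["cui"], "realm": r["realm"], "nas": r["nas"], "ip": r["ip"],
                "home_realm": r["home_realm"], "start": r["ts"], "stop": None,
            }
        elif r["type"] == "Stop" and key in open_sessions:
            s = open_sessions.pop(key)
            s["stop"] = r["ts"]
            sessions.append(s)
    sessions.extend(open_sessions.values())
    return sorted(sessions, key=lambda s: s["start"])


def whois_at(sessions, realm, ip, when):
    """Portal or gateway query: which handle and home realm hold this
    address at this time? Only the opaque identity comes back; anything
    more needs a query to the home institution with the handle."""
    for s in sessions:
        if s["realm"] == realm and s["ip"] == ip and s["start"] <= when <= (s["stop"] or FAR_FUTURE):
            return {"cui": s["cui"], "home_realm": s["home_realm"], "nas": s["nas"]}
    return None


def locations(sessions, cui):
    """Where (realm, NAS) a handle has been seen, in time order."""
    return [(s["realm"], s["nas"]) for s in sessions if s["cui"] == cui]


def concurrent_realms(sessions):
    """Flag handles with overlapping sessions at two different visited
    realms: a shared credential, or a Stop that never arrived."""
    by_cui = defaultdict(list)
    for s in sessions:
        by_cui[s["cui"]].append(s)
    flags = []
    for cui, group in by_cui.items():
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                if a["realm"] == b["realm"]:
                    continue
                if a["start"] <= (b["stop"] or FAR_FUTURE) and b["start"] <= (a["stop"] or FAR_FUTURE):
                    flags.append((cui, a["realm"], b["realm"]))
    return flags


if __name__ == "__main__":
    sessions = build_sessions(parse_records(ACCT_LOG))
    print(whois_at(sessions, "visited-a.example", "10.1.4.23", ts("2009-10-20T09:30:00Z")))
    print(concurrent_realms(sessions))
```

The point for the humans-in-the-loop discussion later in the deck: everything the portal or the analyst gets here is a handle plus a home realm, so the visited site can act on location and origin, and can raise a flag about a handle, without ever holding a name. Resolving the handle to a person remains a decision for the home institution.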
A Path to Start Exploring
• Accessible data
  – Minimum impact on protocols
• Access procedures
  – Requirements for additional components
• Humans in the loop
  – Management
  – Privacy
• eduroam as consumer
  – Any use case?
• Let it happen™