CANARIE Eduroam and Shibboleth Lessons & Areas of interest
1. Canadian Access Federation: Federated Application Building & eduroam lessons learned
May 2011
Chris Phillips - chris.phillips@canarie.ca
2. Agenda
- eduroam: less content than Shib (less complexity)
- Shibboleth: see my previous presentation! http://bit.ly/fedapps (link to Prezi)
- There will be a test at the end… really!
4. How does eduroam work?
- 802.1X: to authenticate clients before allowing access to the network
- EAP framework: with secure EAP methods to protect user credentials
- RADIUS: authentication server infrastructure
- RADIUS proxying: to route authentication requests to a user's home institution
- Separate IP address space: treated as external to the institution (compliance with service agreements, etc.)
- End users have standard internet access with as few filters as possible (if any at all).
7. What NOT to do…
- Invisibly allow your users to drop the scope of the sign-in. This punishes everyone: the mobile user can't log in, and support is called and invoked. Mitigation: use <netid>@homeinst.ca.
- Filter connections. Reciprocity is a great thing: treat eduroam mobile users on your infrastructure as you would want to be treated at their institution.
- Constrain/shape bandwidth. Again, the reciprocity principle holds here. If abuse is occurring, your netflow info should reveal it or trigger alarms.
8. Known Concerns
- NAT: NATing is frowned upon centrally, but this is known to be a tenuous position given IPv4 conditions and wireless.
- Recommendation: continue to treat users how you would like to be treated.
9. Stats & Some Thoughts
Day 1 eduroam stats, first 6 hrs for CANHEIT:

  # authN   Domain
  1         mcgill.ca
  1         polymtl.ca
  1         ryerson.ca
  2         mtroyal.ca
  2         ucalgary.ca
  2         unb.ca
  3         bcnet.ca
  3         cunet.carleton.ca
  3         dal.ca
  4         sfu.ca
  4         ubc.ca
  4         uvic.ca
  6         brocku.ca
  6         canarie.ca
  6         mun.ca
  6         queensu.ca
  6         ualberta.ca
  6         uottawa.ca
  6         utoronto.ca
  8         usask.ca
  10        uwo.ca
  17        uoguelph.ca
  28        uwaterloo.ca

- An average day at Queen's sees ~50 people on eduroam, with about 5 from outside domains.
- Posit that institutions can broadcast only the eduroam SSID. There is still the chicken-and-egg problem of how to get on, but it is the same problem as WPA2…
- Communication is key: a captive-portal SSID that shows the one page could work, but ideas welcome.
11. Onboarding Process
- Standard template for connecting new sites
- Policy sign-off followed by technical implementation
- Estimated time for Canada federation-level RADIUS server personnel:
  - on-board a new member site: a few hours to two person-days, depending on member site expertise
  - general maintenance: ~one person-day per month
- Local implementation: from 4 hours to 4 weeks
13. More Stats
- Canada has ~28 of 92 universities on eduroam.
- The US has slightly fewer in number (25) but 3,000-plus institutions.
- Hooray! We are leading the way in North America!
16. Past Presentations
This presentation builds on CANHEIT 2011: Prezi on Building federated applications: http://bit.ly/fedapps
17. Rightsize Your Information Sharing
(Diagram: SAML as the conduit for information release. Four levels of release, from least to most, each paired with the use case it fits.)
- Log in, share nothing: wireless
- Log in, share an opaque ID: external website, personalization is desired
- Log in, share NetID: internal website, personalization is desired, linkage elsewhere is desired
- Log in, share NetID + attributes: internal website, personalization is desired, linkage elsewhere is desired, data needed (ghosted in the diagram)
19. My App Can't Be Federated in CAF Because… It is limited to regional/specific identities
Reply: No problem! This is a Virtual Organization.
A Virtual Organization (VO) is any collective group that operates in a coordinated way to enable shared activities on one or more topics with common tools or governance. VOs can exist within institutional boundaries but are most effective when constituted to operate across, and to unify participants in, different physical or institutional limits. Their primary purpose is to pursue the shared topic or topics.
20. Virtual Organization pt 2
CAF is an environment where VOs flourish:
- Virtual Organizations typically form around Service Provider(s), with IdPs providing consumers and complying with attribute profiles to participate.
- Autonomy is retained by the VO and its members to focus on the topic.
- CAF focus is on the 'dialtone' infrastructure for collaboration: IdP & SP management practices and operations, and middleware elements.
- Examples in Canada are:
  - Regional Learning Management Systems
  - Transcript or application management
  - Research 'desktops' that aggregate tools for researchers
Techniques to implement on the SP end:
- Use the Shib2.xml & other configurations to whitelist participants [1]
- Consider using eduPersonEntitlement to express fine-grained filtering at the application level, e.g.:
  eduPersonEntitlement: urn:mace:washington.edu:confocalMicroscope
  eduPersonEntitlement: http://publisher.example.com/contract/GL12
[1] https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataFilter
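The application-level filtering on eduPersonEntitlement described above, as an added example (not the presentation's or the Shibboleth project's code). It assumes the SP exports attributes to the application as request headers or environment variables, that the admin mapped eduPersonEntitlement to an attribute id of `entitlement`, and the SP's default encoding of multi-valued attributes (values joined with `;`, a literal `;` escaped as `\;`); the VO IdP entityIDs are placeholders.

```python
"""Application-side checks for a Virtual Organization behind a Shibboleth SP.
Added illustration, not CANARIE's or the Shibboleth project's code. Assumes the
SP exports Shib-Identity-Provider (the asserting IdP) and an attribute-map id of
'entitlement' (assumed name), joining multiple values with ';' and escaping a
literal ';' inside a value as '\\;'."""

ENTITLEMENT_VAR = "entitlement"          # assumed attribute-map id
IDP_VAR = "Shib-Identity-Provider"       # standard SP-exported variable


def split_shib_multivalue(raw: str) -> list[str]:
    """Undo the SP's ';'-joining of a multi-valued attribute, honouring '\\;'."""
    values, current, i = [], [], 0
    while i < len(raw):
        if raw.startswith("\\;", i):     # escaped delimiter inside a value
            current.append(";")
            i += 2
        elif raw[i] == ";":
            values.append("".join(current))
            current = []
            i += 1
        else:
            current.append(raw[i])
            i += 1
    values.append("".join(current))
    return [v for v in values if v]


def authorize(request_vars: dict, vo_idps: set, required: set) -> tuple:
    """Allow only users from a VO member IdP who carry a required entitlement.

    The IdP whitelist repeats what the SP's metadata filter already enforces;
    re-checking it in the application is defence in depth, not a replacement.
    """
    if request_vars.get(IDP_VAR, "") not in vo_idps:
        return False, "idp-not-in-vo"
    asserted = set(split_shib_multivalue(request_vars.get(ENTITLEMENT_VAR, "")))
    if not asserted & required:
        return False, "missing-entitlement"
    return True, "ok"


# Constructed sample data: the entityID is a placeholder; the entitlements are
# the two values quoted on the slide.
VO_IDPS = {"https://idp.example-university.ca/idp/shibboleth"}
REQUIRED = {"urn:mace:washington.edu:confocalMicroscope",
            "http://publisher.example.com/contract/GL12"}

if __name__ == "__main__":
    sample = {IDP_VAR: "https://idp.example-university.ca/idp/shibboleth",
              ENTITLEMENT_VAR: "urn:mace:dir:entitlement:common-lib-terms;"
                               "urn:mace:washington.edu:confocalMicroscope"}
    print(authorize(sample, VO_IDPS, REQUIRED))   # (True, 'ok')
```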
21. My App Can't Be Federated in CAF Because… I need to exchange special attributes
Reply: No problem!
- CAF's default is shared nothing; eduPerson is the default attribute set.
- Where insufficient, the SP should work out the details with its partners on what extra elements it needs.
- CAF recommends that the SP have proper OIDs (can be registered with IANA for free) for their attributes.
- OIDs provide uniqueness, but we humans like text names that are unique too.
22. Enhancing Attribute Exchanges
- Shared nothing today, but uses the eduPerson schema
- Finding that this may be a paradox of choice
- Very interesting space to explore, but keep in mind principles:
  - Low friction to participate (i.e., simplicity is good)
  - Scalable, with a high degree of relevancy and utility
  - Don't punish the end user or IdP owner
  - Interop across Canada and internationally
- Many areas to explore:
  - Use the SCHAC [1] technique for attributes? "urn:schac:dom.ain:Attribute:value"
  - Use the Australian [2] approach for precise control and strong typing and vocabulary?
  - Require full participation in various attribute sets (i.e., MUST populate all fields) but in different categories of SPs (category 1, 2, 3, etc.)?
  - Hybrid??
[1] http://www.terena.org/mail-archives/schac/msg00371.html
[2] http://www.aaf.edu.au/technical/aaf-core-attributes/
23. My App Can't Be Federated in CAF Because… I need a higher Level of Assurance for a user
Reply: OK, we want this too; what are your requirements?
- The challenge is how you want to express it and what your criteria are for the higher level of assurance.
- Part of a larger conversation: what is the yardstick? NIST 800-63? NSTIC, OIX, Kantara audit requirements? Audit of the SP against its own statements?
- If you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
24. My App Can't Be Federated in CAF Because… I need to sign in on the command line
Reply: OK, we want this too.
- Already participating internationally with UK JISC on Project Moonshot.
- Combo environment of eduroam RADIUS and SAML attribute assertions.
- Live CDs of the sample dev environment available from Chris.
- Again, if you want to be part of this conversation, see Chris Phillips and/or join the mailing list.
25. My App Can't Be Federated in CAF Because… I need to sign in with social identities (Google, OpenID)
Reply: No problem, it can be done.
- Already participating internationally with REFEDS & InCommon on social identity risk assessment and gateway designs [1]
- Certain gateways exist from UPenn & Sweden [2]
- Many unquantified risks at this time, but it does work:
  - The user behind the keyboard is unknown
  - Attributes are self-asserted
  - No knowledge of the value of the account to the person
- This is an active area of conversation.
[1] https://spaces.internet2.edu/display/socialid/Using+SAML+and+Social+Identities--Guidelines+and+Considerations+for+Managers+and+Developers
[2] https://tnc2011.terena.org/getfile/558
26. My App Can't Be Federated in CAF Because… I don't think the CAF is as highly available as I want it to be
Reply: OK, did you know the following?
- CAF services reside in 3 provinces (Ontario, BC, and Quebec) and have redundant DNS entries with live failover.
- What are your service criteria, so we may understand them better?
28. Your Turn…
- Poll: What would be your priority ranking of the following activities? http://twtpoll.com/amdcc6
- Looking for more conversation and discussion? Join the CAF-Shib technical list to discuss the topics: CAF-SHIBBOLETH-TECHNICAL-L-request@LISTSERV.UWINDSOR.CA
31. Secure Wireless – 802.1X (April 27th 2010, Canada eduroam, slide 31)
Example: secure.wireless.ubc.ca, SSID ubcsecure, id jdoe; wireless encryption established.
1) Negotiate authentication method: EAP-PEAPv0-MSCHAPv2
2) Certificate validation: prevents "man-in-the-middle" attack
3) Establish secure tunnel: prevents eavesdropping (MSCHAPv2 runs inside the tunnel)
4) Perform authentication through the tunnel
5) Authentication successful: establish encryption, connect to net
6) Client acquires IP address (DHCP)
32. eduroam – Roaming User (April 27th 2010, Canada eduroam, slide 32)
Parties: Federation Server (realm: ca); institution servers for realm ubc.ca (visited) and realm sfu.ca (home); SSID eduroam; id: joe@sfu.ca; server certificate: eduroam.sfu.ca
1) Negotiate EAP type: EAP-TTLS-PAP
2) Outer request: validate cert, establish TLS tunnel (PAP through the tunnel – secure!)
3) Inner request
4) Success: connect to network, establish encryption
33. eduroam – International Roaming (April 27th 2010, Canada eduroam, slide 33)
Diagram: id pam@mit.edu; institution realms ubc.ca, sfu.ca, mit.edu, ucla.edu; Federation Servers for realm ca and realm edu; a Confederation Server linking the two federations.
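The realm-based routing behind the roaming diagrams on slides 32 and 33 (and the "drop the scope" mistake on slide 7), as an added example that is not the presentation's or any RADIUS server's code. Host names are placeholders and the member table is constructed; the institution server sends every non-home realm to the national federation server, which forwards foreign realms to the confederation server.

```python
"""Realm-based routing in the eduroam RADIUS hierarchy shown on the slides
(institution -> national federation server -> confederation server). Added
illustration, not CANARIE's or any RADIUS software's code; host names are
placeholders and the member table is constructed."""

import re
from dataclasses import dataclass

REALM_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


@dataclass(frozen=True)
class Decision:
    action: str   # "local", "proxy" or "reject"
    target: str   # next hop (empty on reject)
    reason: str


def split_user_name(user_name: str) -> tuple:
    """Return (local part, realm); the realm is what follows the last '@'."""
    local, sep, realm = user_name.rpartition("@")
    return (local, realm.lower()) if sep else (user_name, "")


def institution_route(user_name: str, local_realm: str) -> Decision:
    """What an institutional eduroam server does with an Access-Request."""
    local, realm = split_user_name(user_name)
    if not local or not realm:
        # No scope means nothing to route on. Quietly treating it as a home
        # user is the 'drop the scope' mistake: users need <netid>@homeinst.ca
        return Decision("reject", "", "user-name has no realm")
    if not REALM_RE.fullmatch(realm):
        return Decision("reject", "", "malformed realm")
    if realm == local_realm:
        return Decision("local", "home-auth-backend", "home user")
    # Everything else, Canadian or not, goes up to the federation server.
    return Decision("proxy", "federation.placeholder.ca", "visitor from " + realm)


def federation_route(realm: str, tld: str, members: dict) -> Decision:
    """What the national federation server (realm 'ca' on the slides) does."""
    if realm in members:
        return Decision("proxy", members[realm], "member institution")
    if realm.endswith("." + tld):
        return Decision("reject", "", "unknown realm under ." + tld)
    return Decision("proxy", "confederation.placeholder", "foreign realm via confederation")


# Constructed member table for the 'ca' federation (host names are placeholders).
CA_MEMBERS = {"sfu.ca": "radius.sfu.placeholder", "ubc.ca": "radius.ubc.placeholder"}

if __name__ == "__main__":
    print(institution_route("joe@sfu.ca", "ubc.ca"))       # proxy to federation
    print(federation_route("mit.edu", "ca", CA_MEMBERS))    # proxy to confederation
```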
Editor's notes
Current as of May 2011
Key to our success: developing a streamlined, standardized approach for connecting schools. Additional ongoing support from participating institutions as part of a Community of Practice.