Roaming network access using Shibboleth in University of Helsinki

1
Roaming network access using Shibbolethin
University of Helsinki

• Fall 2004 Internet2 Member Meeting
• 29th of September, 2004
• Mikael Linden, mikael.linden_at_csc.fi
• CSC, the Finnish IT Center for Science, Finland

2
Isnt it a little bit exotic
Shibboleth
Application layer
TCP
Transport layer
IP
Network layer
WLAN (802.11)
Link layer
to use application layer technology for access
control in the network layer?
3
CSC, the Finnish IT center for Science

• Non-profit company owned by the ministry of
  education in Finland
• to provide national IT infrastructure for
  research and education
• expertise in scientific computing
• supercomputing
• Funet (Finnish university and research network)
• Federated identity a new way for CSC to support
  higher education
• national HAKA federation on Shibboleth
• currently in pilot phase (3 IdPs, 4 SPs)
• to be in production in 2004

4
Background AA issues in European higher education

• Roaming network access technologies
• 802.1X RADIUS proxy hierarchy
• VPN complete list of VPN gateways
• web redirection RADIUS proxy hierarchy
• ROAMNODE RADIUS proxy hierarchy
• more information TERENA TF-Mobility, deliverable
  G
• Application level access technologies
• several federating softwares being used, some of
  them national
• Shibboleth, PAPI, FEIDE, A-select

5
Background University of Helsinki (UH)

• The largest university in Finland
• A campus in downtown of Helsinki
• University of Helsinki deliberate to join WLAN
  roaming
• would not be fair for UH probably considerably
  more visitors coming in than going out?
• costs would accumulate for UH
• UH could allow roaming access for some smaller
  subgroup (e.g. stafffaculty in other
  universities)
• authentication not enough, role based
  authorisation needed
• role attributes need to be passed from the home
  institution
• thats what Shibboleth is made for

6
How it works
Internet
WAYF 193.166.0.69
SSL Port 443 open to WAYF 193.166.0.69 UTa
153.1.6.41
University of Tampere (UTa)
Access control device (ACD) (shibboleth target)
Shibboleth origin 153.1.6.41
Docking network (HUPnet)
University of Helsinki
Bob, a researcher at UTa
5. ACD decides, if the user may access (the rest
of) the Internet
7
Benefits

• Makes role based authorisation easy
• visiting institution makes access control
  decision based on the users role provided by the
  her home institution
• Preserves privacy
• users identity need not to be revealed to the
  visited institution (only her role and home
  institution is revealed)
• Single sign-on
• to shibbolized network and application level
  services
• Brings together network and application level
  access architecture
• no need for overlapping architecture

8
Downsides

• In Europe, cross-organisational and
  cross-national AAI infrastructure in not so
  mature as RADIUS based hierarchy
• Shibboleth used in Switzerland, Finland, UK
• To allow user enter her uidpwd to her shibboleth
  origin site, the access controller needs to
  maintain extensive list of shibboleth origin
  sites in the federation
• new list have to be updated regularly
• however, the list have to be maintained by the
  federation anyway
• CASG (see Terena TF-Mobility deliverable E) can
  make the maintenance easier

9
Practical experiment HUPnet

• HUPnet (Helsinki University Public network) has
  been available for UH staffstudents since 2001
• for WLAN and wired (ethernet) public access in UH
  premises
• ACD is a Linux box with web end-user UI
• UH has started piloting shibbolized Access
  control device (ACD)
• previously AA was based on RADIUS
• now Shibboleth
• implementation to be publicly available
• http//www.helsinki.fi/atk/english/network/HUPnet.
  html

10
More information

• Mikael Linden, Viljo Viitanen. Roaming network
  access using Shibboleth, an article in Terena
  Networking Conference 2004
• http//www.terena.nl/conferences/tnc2004/programme
  /presentations/show.php?pres_id165