DAMe project

Presentation

DAMe is a project that builds upon previous TERENA, GN2, Internet2 and University of Murcia work:

eduroam, a result of TERENA Mobility Task Force, which defines an inter-NREN roaming architecture.
eduGAIN, the AAI interoperation infrastructure designed by GN2 JRA5.
Shibboleth, a widely deployed federation mechanism developed by Internet2 and the NSF Middleware Initiative.
NAS-SAML, a network access control approach for AAA environments, developed by the University of Murcia, based on the SAML and XACML standards.

This project is motivated by the emergence of federated approaches to resource sharing to provide access to shared resources whith a single identity. Some examples of these approaches are the establishment of academic federations worldwide and the concepts around Grid Computing. Some aspects generally related with integral indentity management are still open, especially those related to user authorization. That is, only allowed users are able to perform the set of allowed actions over each resource.

When talking about mobility, one of the main resources to share is the network. Therefore, the TERENA Mobility Task Force definded and tested an inter-NREN roaming architecture, called eduroam, proposed after identifying the most suitable techniques currently deployed in the NRENs. eduroam allows users of participating institutions to access the Internet at other participants using their home institution's credential. But it would be desirable to extend the eduroam architecture with authorization mechanisms. NAS-SAML is an access control proposal for AAA environments which can be used to extend eduroam to exchange the existing credentials. These credentials can be expresed in several forms, ranging from eduGAIN/Shibboleth statements to X.509 Attribute certificates. Additionally, this authorization mechanism might be used at service level, for example for Grid Computing purposes.

eduroam constitutes an exceptional starting point to offer a full and integrated network access experience to users.

Objectives

The main goal of this project is to define a unified authentication and authorisation system for federated services hosted in the eduroam network. Those federated services can range from network access control to distributed services like Grid computing. Most of the proposals rely upon a global SSO mechanism based on already-deployed mechanisms and architectures.

The general architecture of DAMe is shown in Figure 1, illustrating that eduroam and eduGAIN are the two central initiatives of this project. The former will provide an infrastructure for supporting roaming and eduGAIN will be used as the main AAI (Authentication and Authorisation Infrastructure) in order to exchange credentials during the SSO and other authorisation processes. As is shown in Figure 1, any user of DAMe will be first authenticated using eduroam, obtaining a SSO token that will be used later to gain access to protected resources contained in the federation. In this way, the SSO process is directly bootstrapped from the network access, avoiding a further re-authentication at the application level. Then an authorisation process is performed to determine which kind of network access should be provided according to the user’s attributes. Finally, when a protected resource is requested in any institution belonging to the federation, eduGAIN will be used to validate the SSO token and to obtain additional attributes if necessary. In order to achieve this general objective, the project is divided into the following four main activities.

Figure 1. Overview of the DAMe architecture

The first step in DAMe is the extension of the eduroam infrastructure using the NAS-SAML architecture, so that user mobility can be controlled by security assertions and policies expressed in standard and extensible languages, such as SAML and XACML. In this way, we provide a mechanism to enhance the interoperability among different organisations by establishing a common language for credentials and access control conditions. Moreover, this approach provides mechanisms to establish fine-grained access control. Depending on the attributes assigned to the users, based on existing schemas like SCHAC, they will obtain network connections with different capabilities, such as quality of service (QoS) and security options.

The second phase takes advantage of federation mechanisms such as those defined by eduGAIN. We are aware that some organisations have already deployed authentication and authorisation solutions based on different schemas for user attributes, or even based both on SAML and non-SAML assertions, and therefore the development of integration solutions might be involved allowing different authorisation domains to interoperate. In fact, the NAS-SAML architecture has been successfully merged with other proposals based on X.509 Attribute Certificates, specifically the PERMIS project. Following a similar approach, we plan to use the eduGAIN system as the authorisation back-end of the network access control system. That is, the SAML attribute assertions establishing the user’s credentials will be managed by the elements of an already existing eduGAIN-enabled network. Therefore, we will have to provide a new profile to include NAS-SAML as part of the eduGAIN-enabled back ends.

The third step is to provide a real Single Sign On, from a global point of view. That is, users will be authenticated once, during the network access control phase. Next, having authenticated to get onto the network using 802.1X, that authentication will automatically fetch the necessary eduGAIN-signed tokens so that there will be no need to repeat the login at the application layer. In this way, the eduGAIN authentication will be bootstrapped from the NAS-SAML one. This involves a generation of SAML-signed tokens that will be obtained by the users, using for example, a new PEAP (Protected Extensible Authentication Protocol) method able to deliver the appropriate authentication credentials. Then, users will contact the eduGAIN service providers and there will no need to re-authenticate the user.

Finally, we plan to use the AAA network and the related authorisation information to provide authorisation mechanisms to application-level services. Most of the existing distributed services, for example, Grid services, have a security component responsible for determining whether a particular user can perform the requested action. Therefore, we propose the development of a mechanism able to link that authorisation process to the architecture previously defined in order to obtain the user credentials from the existing federation. This integration will be accomplished, when possible, using standard extension points, for example the OGSA-Authz authorisation interface for OGSA Grid computing platforms, or other extension points.

Documents

Project deliverables.

DAMe project. Deliverable 1: DAMe State of the Art and Requirement Analysis. February 2007.

DAMe project. Deliverable 2: DAMe Overall Concept Specification. October 2007.

DAMe project. Deliverable 3: DAMe Architecture. December 2007.

Description and Status of the DAMe Testbed. December 2007

DAMe Testbed Deployment Guide. December 2007

LDAP Server Installation and Configuration Guide. December 2007

phpLDAPadmin Tool Installation and Configuration Guide. December 2007

Xsupplicant Installation and Configuration Guide. December 2007

DAMe project. Deliverable DJ5.3.2: Architecture for Unified SSO. May 2008.

DAMe project. Deliverable DJ5.3.4: Evaluation of a Prototype for Unified SSO. November 2008.

DAMe description.

DAMe project. Technical Project Proposal. Deploying Authorization Mechanisms for Federated Services in the eduroam Architecure (DAMe). Technical project proposal. September 2006.

University of Murcia. Design alternatives for the DAMe project: A proposal for extending the eduroam infrastructure with authorization mechanisms. June 2007.

University of Murcia. Bootstrapping a global SSO from network access control mechanisms. May 2007.

University of Murcia. DAMe conversions. From Shibboleth and PAPI authentication to eduGAIN SSO token. June 2007.

University of Stuttgart. Web authentication with the eduToken. July 2007.

University of Murcia. Levels of Assurance (LoA) in DAMe. October 2008.

University of Murcia. Credential Conversion Service (CCS) for DAMe/eduGAIN. October 2008.

U. Stuttgart & U. Murcia Integration of RadSec in DAMe. April 2009.

NAS-SAML infrastructure description.

G. López, A.F. Gómez-Skarmeta, R. Marín, O. Cánovas. A Network Access Control Approach Based on the AAA infrastructure and Authorization Attributes. Journal of Network and Computer Applications, JNCA. Elsevier. 2005.

G. López, A.F. Gómez-Skarmeta, R. Marín, O. Cánovas. A Network Access Control Approach Based on the AAA Infrastructure and Authorization Attributes. International Workshop on Security in Systems and Networks. SSN05. Denver, Colorado, USA. April 2005.

XACML policies definition.

G. López, O. Cánovas, A.F. Gómez-Skarmeta. Use of XACML policies for a Network Access Control Service. 4th International Workshop for Applied PKI, IWAP 05. Singapure. September 2005.

Heterogeneous systems.

G. López, O. Cánovas, A.F. Gómez-Skarmeta, S. Otenko, D. Chadwich. A Heterogeneous Network Access Service Based on PERMIS and SAML. 2nd European PKI Workshop. Kent, England. June 2005. LNCS 3545/2005.

O. Cánovas, G. López, A.F. Gómez-Skarmeta. A Credential Conversion Service for SAML-based Scenarios. 1st European PKI Workshop Research and Applications. Samos Island, Greece. June 2004. LNCS 3093.

Publications

Journals.

Manuel Sánchez, Gabriel López, Óscar Cánovas, Antonio F. Gómez-Skarmeta. Performance analysis of a cross-layer SSO mechanism for a roaming infrastructure. To be published in the Journal of Network and Computer Applications, 2009.

Gabriel López, Óscar Cánovas, Antonio F. Gómez-Skarmeta, Manuel Sánchez. A proposal for extending the eduroam infrastructure with authorization mechanisms. Computer Standards & Interfaces, 2008.

Óscar Cánovas, Antonio F. Gómez-Skarmeta, Gabriel López, Manuel Sánchez. Deploying authorisation mechanisms for federated services in eduroam (DAMe). Internet Research: Selected papers from the TERENA Networking Conference 2007, ISSN 1066-2273, Volume 17, Number 5, pages 479 to 494, 2007.

Conferences.

Manuel Sánchez, Óscar Cánovas, Gabriel López, Antonio F. Gómez-Skarmeta. Managing the lifecycle of XACML delegation policies in federated environments. 23rd International Information Security Conference (SEC 2008) - Milan, Italy, September 2008.

Manuel Sánchez, Óscar Cánovas, Gabriel López, Antonio F. Gómez-Skarmeta. Levels of Assurance and Reauthentication in Federated Environments. Fifth European PKI Workshop (EuroPKI'08) - Trondheim, Norway, June 2008.

Manuel Sánchez, Óscar Cánovas, Gabriel López. Support for multiple federation technologies in a Single Sign On architecture. The 2008 International Conference on Security and Management (SAM'08) - Las Vegas, Nevada, USA, July 2008.

Lutz, D.; Mandic, P.; Neinert, S.; del Campo, R.; Jähnert, J. Harmonizing Service and Network Provisioning for Federative Access in a Mobile Environment. 11th IEEE/IFIP Network Operations and Management Symposium (NOMS 2008), 2008.

Manuel Sánchez, Gabriel López, Óscar Cánovas y Antonio F. Gómez-Skarmeta. Bootstrapping a global SSO from network access control mechanisms. Fourth European PKI Workshop: Theory and Practice (EuroPKI'07) - Mallorca, España, June 2007.

Manuel Sánchez, Gabriel López, Óscar Cánovas y Antonio F. Gómez-Skarmeta. A proposal for extending the eduroam infrastructure with authorization mechanisms. The 5th International Workshop on Security in Information Systems (WOSIS 2007) - Funchal, Madeira, Portugal, June 2007.

Neinert, S. A Federated Authorization and Authentication Infrastructure for Unified Single Sign On. 21. DFN-Arbeitstagung über Kommunikationsnetze, 2007.

Downloads

If you are interested in obtaining the DAMe software send an e-mail to:

contact.dame@dif.um.es

Partners

DFN - Germany

RedIris - Spain

University of Stuttgart - Germany

University of Murcia - Spain

Events

DAMe meeting in Murcia. April 26, 2007.

Links

Diameter description.

P. Calhoun, J. Loughney, E. Guttman, G. Zorn, J. Arkko. Diameter Base Protocol. IETF RFC 3588. September 2003.

P. Calhoun, G. Zorn, D. Spence, D. Mitton. Diameter Network Access Server Application. IETF RFC 4005. August 2005.

AAA description.

C. de Laat, G. Gross, L. Gommans, J. Vollbrecht, D. Spence. Generic AAA Architecture. IRTF RFC 2903. August 2000.

RADIUS description.

C. Rigney, S. Willens, A Rubens, W. Simpson. Remote Authentication Dial In User Service (RADIUS). IRTF RFC 2865. June 2000.

XACML description.

OASIS Consortium. OASIS eXtensible Access Control Markup Language (XACML). OASIS standard.

SAML description.

OASIS Consortium. OASIS Security Assertion Markup Language (SAML). OASIS standard.

Shibboleth description.

Internet2. Shibboleth project web page.

Contact Us

For any comment or question, you can send an e-mail to: