June 9, 2009
SURFfederatie: implementing a multi-protocol federation
Hans Zandbelt & Joost van Dijk, SURFnet
SURFnet. We make innovation work
Overview
- Identity Federation Models
- SURFfederatie gateway
- Implementation/Deployment
- Features/Experiences
- SURFnet Service Provider
- Conclusion
Federation Models
- 1-1
  - Business: SAML 1.x
  - de-facto
- NxN
  - Shared trust, point-to-point
  - Education US/Europe
  - Shibboleth
- 2xN
  - Central gateway (CFC)
  - Protocol translation
  - SURFfederatie: SURFnet = CFC, IDP, SP
[Diagram: 2xN model; each IDP and each SP connects only to the CFC (central federation component), which sits between all IDPs and all SPs]
Functional View
[Diagram: identity providers (A-Select Cross, Shibboleth, SAML 2.0, WS-Fed/ADFS) with their credentials on the left connect to the SURFfederatie core (central federation components); service providers (A-Select Cross, SAML 2.0, WS-Fed/ADFS) with their applications on the right connect to the same core]
Authentication Redirect Flow
[Sequence diagram with lanes: browser, SP, SFS (the SURFfederatie gateway), IDP web service, IDP authentication backend]
- browser request to the SP
- auth request: SP to SFS
- SSO1 request: SFS to IDP
- SSO2 request: IDP web service to authentication backend (LDAP/Radius/..)
- access & attributes returned by the backend
- SSO2 response
- SSO1 response: IDP to SFS
- auth response: SFS to SP
Deployment View
[Diagram: three nodes (server1, server2, server3), each running phpFederate and PingFederate; a separate PingFed/Mgmt management node; failover between nodes; wayf.surfnet.nl and sfs.surfnet.nl reached via round-robin DNS]
Server Node
- apache2
- mod_fcgid
- php5_cgi
- phpFederate
- memcached (state sharing)
- mysql (logging)
- sendmail (error reporting)
- heartbeat2 (failover)
- PingFederate
Connections
- Federation Protocols
  - IDP: SAML 2.0 (5), ADFS (15), A-Select (10)
  - SP: SAML 2.0 (5), Shibboleth 1.3 (5), A-Select (3)
- Federation Products
  - Microsoft ADFS, Shibboleth (1/2), A-Select, Novell Access Manager, simpleSAMLphp, Oracle IdM, PingFederate
Implementation
- PHP:
  - implementation programming language
  - metadata/configuration store
  - configuration and processing language
  - provisioning tool
- Provision connections to PingFederate
- Federated connections are transparent across protocols (unlike simpleSAMLphp); caveat: identifiers
  - IDPs "see" 1 SP; SPs "see" 1 or all IDPs
- IDP ARPs: (configured) filter applied by the SURFfederatie gateway
Features
- Pure stateless switch vs. stateful processing gateway
- Transparent vs. single-point-of-entry
- Detailed and accurate logging/statistics
- ARP and ACLs implemented in PHP
  - TBD: attribute processing/enrichment…
- SP "personalized" IDP discovery and authorisation
- Limited SP access for IDPs
- EduGAIN, OpenID, InfoCard
- Optional: management APIs for members (IaaS)
  - Metadata/configuration
  - ARP, IDP/SP authorisation
Experiences
- Multi-protocol abilities speed up institutional deployment: fits in their home ICT environment (!= Java, = Microsoft)
- Identity-as-a-Service: service provider issues (metadata updates, attribute release policies) are handled for IDPs
- SAML 2.0 implementations are hard (specs/products/knowledge) -> slow SP take-up
- Scalability is ok: up to national level
- Trust model of a centralized federation is functionally equivalent to distributed federations: the federation operator is the TTP (signed responses vs. signed metadata)
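The redirect flow, the cross-protocol transparency and identifier caveat, the gateway-applied ARPs and the "signed responses" trust model above, in one added example that is not SURFnet's phpFederate/PingFederate code: a constructed toy gateway that keeps per-request state, translates attribute names between protocol families, filters by a per-(IDP, SP) ARP, derives per-SP subject identifiers (an assumed way of handling the identifier caveat) and signs the translated response so the SP needs to trust only the gateway. HMAC over JSON stands in for XML signatures; protocol names, attribute names and hosts are placeholders.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy gateway (not SURFnet code); HMAC over JSON stands in for XML signatures.
GATEWAY_KEY = b"constructed-gateway-key"

# Each protocol family names attributes differently; placeholder names, mapped to a canonical form.
TO_CANON = {
    "saml2": {"urn:saml:uid": "uid", "urn:saml:mail": "mail", "urn:saml:affil": "affiliation"},
    "adfs": {"claims/UPN": "uid", "claims/Email": "mail", "claims/Group": "affiliation"},
    "aselect": {"uid": "uid", "mail": "mail", "affiliation": "affiliation"},
}
FROM_CANON = {p: {v: k for k, v in m.items()} for p, m in TO_CANON.items()}

# Attribute release policy (ARP) configured at the gateway: (idp, sp) -> attributes released.
ARP = {("idp.example", "sp.example"): {"uid", "mail"}}


class Gateway:
    def __init__(self, key=GATEWAY_KEY):
        self.key = key
        self.pending = {}  # request id -> (sp, sp_protocol, idp); shared state (memcached in the deck)

    def sign(self, msg):
        return hmac.new(self.key, json.dumps(msg, sort_keys=True).encode(), hashlib.sha256).hexdigest()

    def forward_request(self, sp, sp_proto, idp, idp_proto):
        # The IDP only ever sees the gateway as its SP; the real SP is kept in gateway state.
        rid = secrets.token_hex(8)
        self.pending[rid] = (sp, sp_proto, idp)
        return {"protocol": idp_proto, "issuer": "gateway", "id": rid}

    def translate_response(self, idp_resp):
        # Pop, so an unsolicited or replayed IDP response raises KeyError instead of being accepted.
        sp, sp_proto, idp = self.pending.pop(idp_resp["in_response_to"])
        canon = {TO_CANON[idp_resp["protocol"]][k]: v for k, v in idp_resp["attributes"].items()}
        released = {k: v for k, v in canon.items() if k in ARP.get((idp, sp), set())}
        # Identifier caveat: a pairwise id from the IDP targets the gateway, so it would be the same
        # for every SP behind it; deriving a per-SP pseudonym here is one assumed way to handle that.
        seed = f"{idp}|{idp_resp['subject']}|{sp}".encode()
        subject = hmac.new(self.key, seed, hashlib.sha256).hexdigest()[:16]
        msg = {"protocol": sp_proto, "issuer": "gateway", "audience": sp, "subject": subject,
               "attributes": {FROM_CANON[sp_proto][k]: v for k, v in released.items()}}
        msg["signature"] = self.sign(msg)  # the SP trusts the gateway's signature, not the IDP's
        return msg

    def verify(self, msg):
        body = {k: v for k, v in msg.items() if k != "signature"}
        return hmac.compare_digest(self.sign(body), msg["signature"])
```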
Future Developments
- Web services (gateway as WS-Trust STS!)
- Cross-layer identity (unified SSO)
- Identity-as-a-Service extensions
- User-centric privacy extensions: user consent
- Geneva
- SURFnet services: OpenID
- Confederations: Kennisnet, EduGAIN
SURFnet Service Provider
- SURFnet plays three roles in the SURFfederatie:
  - Federation operator, gateway
  - IDP, for SURFnet employees
  - SP, for services offered by SURFnet to federation members
- Services are connected via a proxy
- Proxy is running phpFederate
SURFnet Service Provider
[Diagram: institutional IDPs connect to the SURFfederatie gateway; the gateway acts as IDP towards the SURFnet Service Provider proxy, which acts as SP towards the gateway and as IDP towards the services SURFmedia, SURFmailfilter and SURFdomeinen]
Proxy benefits
- Protocol translation:
  - Hook up any service using A-Select/Shibboleth/SAML/WS-Federation
- Centralize features needed for all services:
  - Access Control
  - Attribute enrichment
  - Guest access to selected services
  - Migrating user data when users switch identity
Guest access
[Diagram: alongside the institutional IDPs behind the SURFfederatie, a Guest IDP connects directly to the SURFnet Service Provider proxy, which fronts SURFmedia, SURFmailfilter and SURFdomeinen]
Attribute enrichment
[Diagram: attributes received from the SURFfederatie IDPs are combined at the SURFnet Service Provider proxy with attributes from a local attribute database before being passed on to SURFmedia, SURFmailfilter and SURFdomeinen]
Current developments
- OpenID Gateway:
  - SURFnet SP as OpenID RP (guest access)
  - SURFfederatie as OpenID Provider (requires user consent)
- Federated Groups
  - Join people from multiple IDPs into groups
  - Centrally managed
  - Across multiple services
- Federated directory
- Step-up authentication (introduce second factor)
  - OTP per SMS
  - Mobile PKI (authN using private key on SIM)
OpenID protocol handler
[Diagram: the SURFnet Service Provider proxy adds an OpenID RP next to its SURFfederatie connection, so an external OpenID Provider can authenticate users to SURFmedia, SURFmailfilter and SURFdomeinen alongside the institutional IDPs]
Mobile PKI
[Screenshot: Mobile PKI web page access prompt reading "You are accessing a web service using Mobile PKI. Signing access code: 52745"]
Conclusions
- Rapid deployment: 500.000 users
- From gateway towards Identity-as-a-Service
- Outlook: from use-once-a-month content towards every-day use of hosted web applications