SURFfederatie - eduGAIN: Opt-in Metadata Management for a Hub & Spoke Federation
SURFnet - We make innovation work
Content
- History of SURFfederatie
- Federation models
- Functional view
- Consequences of hub & spoke
- eduGAIN
- Future changes
Once upon a time…
[Figure: timeline 1996, 2001, 2004, 2006, 2007, 2008.] Milestones in slide order:
- Student Chipcard: authentication
- A-Select: intra-organisational web-SSO
- DigiD: government eID based on A-Select
- Federative AAI, A-Select (open source)
- FIdM service (gateway) in production
- Elsevier, EBSCO, Google Apps
Federation models (communication/login, not metadata)
- 1-1: business, US; SAML 1.x; de facto
- NxN: shared trust, point-to-point; education, US/Europe
- 2xN: central gateway (CFC), protocol translation; SURFfederatie = CFC + IdPs + SPs
[Figure: the three models drawn as IdP/SP pairs: single 1-1 links, a full NxN mesh, and 2xN with the CFC in the middle.]
Functional view (since August 2008)
[Figure: Identity Providers (with their credentials) on the left and Service Providers (applications) on the right, each connected only to the Central Federation Components (SURFfederatie CORE) in the middle. The protocols spoken to the hub are A-Select Cross, Shibboleth, SAML 2.0 and WS-Fed/ADFS; the hub translates between them.]
Metadata & proxying
[Figure: IDP1-IDP3 on the left and SP1-SP3 on the right, all connected only to the hub (WAYF). The hub holds a proxy entity per member: A-1..A-3 for the SPs, B-1..B-3 for the IdPs.]
Hub metadata mapping:
- IDP1 = B-1
- IDP2 = B-2
- IDP3 = B-3
- SP1 = A-1 {IDP1, IDP2}
- SP2 = A-2 {IDP2, IDP3}
- SP3 = A-3 {all}
Each IdP is published to the SPs as hub entity B-n and each SP is published to the IdPs as hub entity A-n; the set in braces is the opt-in list of IdPs that SP may use.
WAYF/WAYF-less operation
[Figure: the same IDP1-3 / SP1-3 topology through the hub, once with the hub's WAYF (IdP discovery) page in the login flow and once without it.]
Hub & spoke pros/cons
Pros
- 1 connection per IdP/SP
- Minimal overhead for IdPs
- Centralized (technical) management
- Specialist knowledge at SURFnet; less needed at IdP/SP
- Scales well at national level
- Extra features easier to do: web services, group support
Cons
- Procedures: release consent per SP; key/cert/metadata changes
- Lack of knowledge at the IdP (a double-edged sword…)
- Scalability at European level
- Can only support the common denominator
Importing eduGAIN SPs
[Figure: the slide 6 topology with eduGAIN on the right; the eduGAIN metadata lists SPx=ddd, SPy=eee, SPz=fff.]
- Hub mapping as before: IDP1=B-1, IDP2=B-2, IDP3=B-3; SP1=A-1 {IDP1, IDP2}; SP2=A-2 {IDP2, IDP3}; SP3=A-3 {all}
- Imported: SPz = A-z {IDP2, IDP3}. The eduGAIN SP gets its own hub proxy entity and an explicit opt-in list of the local IdPs allowed to serve it.
Exporting IDPs
[Figure: as slide 9; IDP3=B-3 now also appears in the eduGAIN metadata.]
- An IdP is exported to eduGAIN under its hub proxy identity (IDP3 = B-3), so eduGAIN SPs still reach it through the hub.
Exporting SPs to eduGAIN
[Figure: as slide 10; SP3 appears in eduGAIN as SP3=SP3, and IDPz appears on the SURFfederatie side.]
- An SP is exported to eduGAIN under its own identity (SP3 = SP3), not under a hub proxy entity.
- An eduGAIN IdP (IDPz) becomes selectable for the exported SP.
SP auth list (optional)
[Figure: as slide 11; the eduGAIN metadata lists IDPx, IDPy, IDPz alongside SPx=ddd, SPy=eee, SPz=fff and SP3=SP3.]
- Per-SP auth list, e.g. SP3: IDP1, IDP2, IDPz
- The list restricts which IdPs (local or eduGAIN) the hub offers to that SP.
Future plans
- Integrate with SURFconext: procedural/organisational; technical (level of integration TBD)
- Change of consent model: opt-in vs. opt-out; addition of user consent
- Web service support: needed for (scientific) workflows
- Rich client / beyond web SSO / mobile support; rethink procedures and management
Remco Poortinga – van [email protected]@surfnet.nl
www.surfnet.nl
Presentation released under Creative Commons: http://creativecommons.org/licenses/by/3.0/
Backup slides
(C) 2011 SURFnet B.V.
URLs
An SP that wants to participate must speak SAML itself (for eduGAIN we are not a proxy the way we normally are).
https://wayf.surfnet.nl/federate/surfnet/edugain: 2 IdPs (SN and TERENA), 1 SP (TERENA)
(The MDS also shows: the TERENA IdP is reached via the gateway with the IdP URL-encoded instead of via SAML scoping as the WAYF does. Not everyone implements scoping, so for interoperability we do it this way.)
It is also possible to generate SP-specific metadata (per SP from our federation) for SPs that do not want to maintain an auth list themselves. It contains the SF IdPs plus the 'approved' eduGAIN IdPs.
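The opt-in mapping of slides 6 and 9 to 12 and the SP-specific metadata generation described in the note above, as an added example that is not SURFfederatie's code: a small Python model of the hub's metadata. It keeps the slide names (IDP1..3, SP1..3, the A-n/B-n proxy identities, SPz, IDPz) and adds assumed pieces: the hub base URL, an approved-eduGAIN-IdP set, the per-SP auth list override and all function names. visible_idps() is what the WAYF may show a given SP, authorize() is the check the hub makes before proxying a request, sp_metadata() emits the per-SP SAML 2.0 metadata, and exported_to_edugain() lists what the hub publishes outward.

```python
"""Toy model of opt-in metadata management at a hub & spoke federation.

Added example, not SURFfederatie code. The entity names (IDP1, A-1, B-1,
SPz, IDPz, {all}) and the mappings follow the slides; the hub URL, the
approved-IdP set and all function names are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from xml.etree import ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
HUB = "https://hub.example.org"  # assumed base URL of the central gateway
ALL = "all"                      # slide notation: SP3=A-3 {all}


@dataclass(frozen=True)
class Entity:
    name: str                     # name used on the slides (IDP1, SP3, SPz, IDPz)
    hub_id: str                   # proxy identity the hub shows the other side (B-1, A-3)
    origin: str                   # "local" (federation member) or "edugain" (imported)
    auth: frozenset | str = frozenset()  # SPs only: IdPs the SP may use, or ALL
    export: bool = False          # opted in to being published to eduGAIN


IDPS = {
    "IDP1": Entity("IDP1", "B-1", "local"),
    "IDP2": Entity("IDP2", "B-2", "local"),
    "IDP3": Entity("IDP3", "B-3", "local", export=True),  # slide 10: IDP3 exported as B-3
    "IDPx": Entity("IDPx", "IDPx", "edugain"),
    "IDPy": Entity("IDPy", "IDPy", "edugain"),
    "IDPz": Entity("IDPz", "IDPz", "edugain"),
}
SPS = {
    "SP1": Entity("SP1", "A-1", "local", frozenset({"IDP1", "IDP2"})),
    "SP2": Entity("SP2", "A-2", "local", frozenset({"IDP2", "IDP3"})),
    "SP3": Entity("SP3", "A-3", "local", ALL, export=True),  # slide 11: SP3 exported as SP3
    "SPz": Entity("SPz", "A-z", "edugain", frozenset({"IDP2", "IDP3"})),  # slide 9: imported
}
# Assumed: the eduGAIN IdPs the operator has approved for local SPs (backup slide 18).
APPROVED_EDUGAIN_IDPS = frozenset({"IDPz"})
# Optional per-SP auth list (slide 12); overrides the list in the SP's entry.
SP_AUTH_LIST = {"SP3": frozenset({"IDP1", "IDP2", "IDPz"})}


def visible_idps(sp_name: str) -> list[str]:
    """IdPs the hub's WAYF offers to this SP: all local IdPs plus, for local SPs
    only, the approved eduGAIN IdPs, then filtered by the SP's opt-in list."""
    sp = SPS[sp_name]
    pool = {n for n, e in IDPS.items() if e.origin == "local"}
    if sp.origin == "local":
        pool |= APPROVED_EDUGAIN_IDPS
    allowed = SP_AUTH_LIST.get(sp_name, sp.auth)
    return sorted(pool if allowed == ALL else pool & allowed)


def authorize(sp_name: str, idp_name: str) -> bool:
    """Hub-side check before an AuthnRequest is proxied: refuse any SP/IdP pair
    that was not opted in, even when the IdP is known to the hub."""
    return idp_name in visible_idps(sp_name)


def sp_metadata(sp_name: str) -> str:
    """SAML 2.0 EntitiesDescriptor for an SP that does not keep its own IdP list
    (backup slide 18): exactly the IdPs visible_idps() allows. Every entityID and
    endpoint is a hub proxy identity, since SPs never talk to an IdP directly."""
    ET.register_namespace("md", MD_NS)
    root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", Name=f"{HUB}/metadata/{sp_name}")
    for idp_name in visible_idps(sp_name):
        hub_id = IDPS[idp_name].hub_id
        ed = ET.SubElement(root, f"{{{MD_NS}}}EntityDescriptor", entityID=f"{HUB}/proxy/{hub_id}")
        sso = ET.SubElement(ed, f"{{{MD_NS}}}IDPSSODescriptor",
                            protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
        ET.SubElement(sso, f"{{{MD_NS}}}SingleSignOnService",
                      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
                      Location=f"{HUB}/sso/{hub_id}")
    return ET.tostring(root, encoding="unicode")


def exported_to_edugain() -> dict[str, str]:
    """What the hub publishes to eduGAIN: opted-in IdPs under their proxy
    identity, opted-in SPs under their own name (they speak SAML themselves,
    backup slide 18)."""
    out = {n: e.hub_id for n, e in IDPS.items() if e.export}
    out.update({n: n for n, e in SPS.items() if e.export})
    return out
```

The design point worth carrying over to a real hub is that authorize() is the gate, not the WAYF: an SP that sends an AuthnRequest naming an IdP outside its list must be refused even though the WAYF would never have offered that IdP, and the per-SP metadata must be derived from the same list so the two can not drift apart.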
Metadata
https://aai-viewer.switch.ch/interfederation-test/test/
We are currently not saml2int compliant: we treat attributes as NameFormat 'unspecified', whereas the spec requires 'uri'.
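The saml2int point above (attributes must carry the uri NameFormat), as an added example that is not SURFnet's code: a checker that reports the attributes in an assertion that use any other NameFormat, plus a rewrite that maps friendly names to their urn:oid form and sets the format. The sample assertion, the issuer URL and the friendly-name-to-OID map are constructed for this example.

```python
"""Check and normalise SAML 2.0 attribute NameFormats for saml2int.

Added example; not SURFnet code. The sample assertion, the issuer URL and
the friendly-name-to-OID map are constructed for this example.
"""
from xml.etree import ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
ATTR = f"{{{SAML_NS}}}Attribute"

# Assumed mapping of friendly names to the urn:oid names saml2int expects.
OID_MAP = {
    "mail": "urn:oid:0.9.2342.19200300.100.1.3",
    "eduPersonAffiliation": "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
}

# Constructed sample: one attribute already in uri form, one friendly-named
# attribute with no NameFormat at all (SAML core then means "unspecified").
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML_NS}" Version="2.0"
    ID="_example" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>https://hub.example.org/saml2/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" NameFormat="{URI_FORMAT}">
      <saml:AttributeValue>user@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="eduPersonAffiliation">
      <saml:AttributeValue>student</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_formats(assertion_xml: str) -> dict[str, str]:
    """Map each attribute Name to its effective NameFormat."""
    root = ET.fromstring(assertion_xml)
    return {a.get("Name"): a.get("NameFormat", UNSPECIFIED) for a in root.iter(ATTR)}


def saml2int_violations(assertion_xml: str) -> list[str]:
    """Attribute names whose NameFormat is not the uri format saml2int requires."""
    return [n for n, f in attribute_formats(assertion_xml).items() if f != URI_FORMAT]


def to_saml2int(assertion_xml: str) -> str:
    """Rewrite friendly names to urn:oid and force the uri NameFormat.
    Attributes without a known OID are left untouched and remain a violation,
    so callers re-check the result rather than assume success."""
    ET.register_namespace("saml", SAML_NS)
    root = ET.fromstring(assertion_xml)
    for a in root.iter(ATTR):
        name = a.get("Name")
        if name in OID_MAP:
            a.set("Name", OID_MAP[name])
        if a.get("Name", "").startswith("urn:oid:"):
            a.set("NameFormat", URI_FORMAT)
    return ET.tostring(root, encoding="unicode")
```

Run saml2int_violations() on assertions captured at the hub before and after the rewrite; the interop failure the note describes shows up as a non-empty list on the "before" side.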